Here is a brief overview of the files of interest in this repository. One central
convention is that all trusted specification files end in .s.dfy. Everything else
should be a .i.dfy file and will be verified for correctness.
SConstructSCons build file for verifying and compiling everythingsrcIronLockServerC# solution and project files for building the lock server.IronRSLKVServerC# solution and project files for building a key-value store replica that uses IronRSL to coordinate with other replicas. This directory includes the fileService.csdefining the key-value service.IronRSLKVClientUnverified C# client for the key-value service replicated by IronRSL.IronRSLCounterServerC# solution and project files for building a counter service replica that uses IronRSL to coordinate with other replicas. This directory includes the fileService.csdefining the counter service.IronRSLCounterClientUnverified C# client for the counter service replicated by IronRSL.IronSHTServerC# solution and project files for building the IronSHT (sharded hash table) server.IronSHTClientUnverified C# client for IronSHT.DafnyLibrariesBasic library support for various tasks, particularly for dealing with non-linear operations that Z3 struggles with. These libraries were inherited from the IroncladApps project.DistributedThe core IronFleet codeCommonCode shared across our services for various core taskesCollectionsUseful definitions, lemmas, and methods for dealing with Sets, Maps, and Sequences.FrameworkThis is the trusted framework that forms the core portion of each service's specification. Each service further adds service-specific specifications insrc/Dafny/Distributed/Services.LogicOur encoding of TLA in Dafny.NativeOur trusted interface to C# for networking, time, command-line arguments and other functionality that Dafny does not expose.
ImplCommonUseful libraries shared across services. Includes command-line parsing, generic marshalling and parsing, end-point identities, and a UDP client.RSLThe core implementation of IronRSL. These files define concrete versions of the types specified by the protocol. For each role, e.g., the Acceptor, we have a fileAcceptorState.i.dfywhich defines the basic datatype and predicates on it, and a fileAcceptorModel.i.dfywhich defines the actions that can be performed on the data type. ReplicaModel is the top-level role that combines all of the others, and ReplicaImpl interfaces with the external world to send and receive packets. ReplicaModel and ReplicaImpl are split into multiple files to increase the file-level parallelism of our build tool.SHTThe core implementation of IronSHT (sharded hash table).LiveSHTSHT's scheduler and functionality for sending and receiving packets.LockThe core implementation for IronLock. This includes the command line parser, the message definitions, parsing and marshalling, a simple scheduler, etc.
ProtocolCommonCommon files shared by all of our protocolsRSLDefines the protocol layer of our RSL systemRefinementProofProof of safety, in the form of a proof that the implementation refines the specification given that it refines the protocol.LivenessProofProof of liveness, specifically that if a client submits a request repeatedly he eventually receives a reply. It requires various assumptions codified in Assumptions.i.dfy, e.g., a quorum of replicas is live and the network eventually delivers packets among the client and the live quorum in bounded time. The ultimate liveness proof, in LivenessProof.i.dfy, is a proof by contradiction: if those assumptions hold and the client never gets a reply, thenfalse.
SHTDefines the protocol layer of our SHT systemRefinementProofProof of safety, in the form of a proof that the implementation refines the specification given that it refines the protocol.
LiveSHTDefines a small additional layer that adds a scheduler to SHT and maps the low level Environment to SHT's notion of a Network. +RefinementProofProof that LiveSHT is a refinement of SHT +LivenessProofProof of liveness of the reliable-delivery layer, specifically that if a message is submitted to the reliable-delivery component then its intended recipient eventually receives it and queues it for processing. This proof requires various assumptions codified inAssumptions.i.dfy, e.g., a message sent infinitely often is eventually delivered. The ultimate liveness proof is inLivenessProof.i.dfy.LockDefines the protocol layer of our Lock serviceRefinementProofProof that the implementation refines the specification. The proof uses two intermediate layers of states beyond the implementation and the specification. TheLS_Statelayer represents the protocol states, while theGLS_Statelayer augments each protocol state with a history variable, which is used to prove refinement to the high-level specification.
ServicesThese directories tie the implementation, protocol, and specifications together. Each service has a directory with.s.dfyfiles that define the service-specific specifications (e.g. that RSL should be a state machine or that SHT should be a hash table). The fileMain.i.dfyin each directory instantiates the abstract host with the concrete implementation and supplies a proof that refinement holds from the implementation all the way up to the abstract specification. Seesrc/Dafny/Distributed/Common/Frameworkfor the guarantees this provides.