A Model Checking Method for Verifying the Fault Tolerance of Distributed Protocol Liveness Properties

Cloud computing is a new mode that provides users with computing resources charged on demand through a communication network as a service. At present, enterprises are gradually transferring business deployment and data processing to cloud computing platforms. Because of various requirements such as scalability and performance, cloud platforms are deployed on distributed systems. Since the distributed system uses a large number of commodity machines to build through a complex structure, technicians cannot guarantee that these machines will work correctly all the time. Therefore, component failures in the distributed system are unavoidable. In order to improve the reliability of the distributed system, the technicians designed fault-tolerant mechanisms for them when developing the distributed system. In order to ensure that the fault-tolerant mechanisms can really work correctly when there is a failure in the distributed system, fault injection is one of the most effective ways to test the fault-tolerant mechanism, observing the behavior of the system and verifying whether the fault-tolerance mechanism is working correctly, by artificially injecting specific faults into the system under test. Due to the concurrent nature of distributed systems, it is very difficult for traditional software testing methods to fully test such systems. In recent years, technicians have increasingly used more systematic model checking techniques to verify distributed systems. However, existing model checking technology focuses on the checking of the safety properties and liveness properties of distributed systems, and ignores the checking of fault-tolerant mechanisms, especially liveness properties fault-tolerant mechanisms. As a result, how to verify the liveness properties fault-tolerant mechanism of the distributed system is currently a challenge. The use of abstract model checking method will introduce the problem of mismatch between the model and the actual system because of human error. At the same time, the use of implementation-level model checking method will aggravate the state space explosion problem. As a result, in this paper we propose an implementation-level model checking tool LTMC (Liveness Properties Fault Tolerance Model Checker), which combines fault injection technology to verify the liveness properties with their fault tolerance mechanisms and safety properties of the distributed protocols in the distributed systems. At the same time, based on the role of distributed system nodes, this paper proposes a PRP strategy (Peer Reduction Policy) to reduce the state space that LTMC needs to search, alleviating the problem of space explosion. LTMC can purposefully inject specific faults at specific moments when the system to be verified is running, instead of relying on random fault injection strategies; when the system to be verified changes, only slight modifications to the model checker are required; LTMC can systematically discover all bugs of the specified types in the distributed protocols. In addition, LTMC prioritizes the exploration of more practical execution paths of events by introducing a logic clock mechanism. At the end of this article, we apply LTMC to several protocols of ZooKeeper and Cassandra which are the most popular distributed systems on the market, and compare LTMC with depth-first exploration. LTMC has a state space reduction rate of 3.7-594.4 times. © 2021, Science Press. All right reserved.