A formally verified algorithm for clock synchronization under a hybrid fault model
PODC '94 Proceedings of the thirteenth annual ACM symposium on Principles of distributed computing
Report Dagstuhl Seminar on Time Services SchloßDagstuhl, March 11. – March 15. 1996
Real-Time Systems - Special issue on global time in large scale distributed real-time systems, part III
An Overview of Formal Verification for the Time-Triggered Architecture
FTRTFT '02 Proceedings of the 7th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems: Co-sponsored by IFIP WG 2.2
Verification of an optimized fault-tolerant clock synchronization circuit
DCC'96 Proceedings of the 3rd international conference on Designing Correct Circuits
Hi-index | 0.00 |
A critical function in a fault-tolerant computer architecture is the synchronization of the redundant computing elements. The synchronization algorithm must include safeguards to ensure that failed components do not corrupt the behavior of good clocks. Reasoning about fault-tolerant clock synchronization is difficult because of the possibility of subtle interactions involving failed components. Therefore, mechanical proof systems are used to ensure that the verification of the synchronization system is correct. In 1987, Schneider presented a general proof of correctness for several fault-tolerant clock synchronization algorithms. Subsequently, Shankar verified Schneider''s proof by using the mechanical proof system EHDM. This proof ensures that any system satisfying its underlying assumptions will provide Byzantine fault-tolerant clock synchronization. This paper explores the utility of Shankar''s mechanization of Schneider''s theory for the verification of clock synchronization systems. In the course of this work, some limitations of Shankar''s mechanically verified theory were encountered. With minor modifications to the theory, a mechanically checked proof is provided that removes these limitations. The revised theory also allows for proven recovery from transient faults. Use of the revised theory is illustrated with the verification of an abstract design of a clock synchronization system.