Group membership protocol: specification and verification

According to the Evolving Algebra thesis [3], evolving algebras should allow one to specify succinctly any algorithm. There exists substantial evidence con rming this thesis in the case of sequential algorithms (see the annotated bibliography in [3]). In other papers, e.g., [1, 5], evolving algebras are used to specify distributed algorithms. For this paper, we wanted to look at a time-constrained algorithm that does something useful and poses some challenge to specify and verify. Our colleague Farnam Jahanian brought Cristian's article on group membership protocols [2] to our attention. In this paper, we specify and verify one of the protocols presented in that article. It is an interesting protocol to verify as we need to specify and prove both timing as well as functional properties. Group membership protocols [2, 6, 7] are used mainly to provide fault tolerance for distributed computing services. One possible way of ensuring service availability in a distributed system despite processor failures is to have several servers cooperate to provide the service (each such set of servers is termed a server group) and to replicate information relevant to the service (this is termed service state information) at all the sites in the network. For example, if the service in question is a C compiler then the state information may include a list of servers o ering this service that are currently alive and information regarding how heavily loaded each of these servers is. The purpose of group membership and other related protocols is to ensure that the state information stored at each group member remains up-to-date and that in the steady state, all group members see the same state information { despite information propagation delays and server failures. Central to the problem of server-group membership is processor-group membership which, to put it brie y, is the problem of achieving global agreement about the set of all correctly functioning processors in the system. Given a solution for the processor group membership problem, it is possible to use it to construct a solution to the server-group membership problem. The protocol we consider in this paper is a solution to the processor-group membership problem in synchronous systems.