A Formally Veri ed Algorithm for Clock Synchronization Under a Hybrid Fault Model

A small modi cation to the interactive convergence clock synchronization algorithm allows it to tolerate a larger number of simple faults than the standard algorithm, without reducing its ability to tolerate arbitrary or \Byzantine" faults. Because the extended caseanalysis required by the new fault model complicates the already intricate argument for correctness of the algorithm, it has been subjected to mechanically-checked formal veri cation. The fault model examined is similar to the \hybrid" one previously used for the problem of distributed consensus: in addition to arbitrary faults, we also admit symmetric (i.e., consistent) and manifest (i.e., detectable) faults. With n processors, the modi ed algorithm can withstand a arbitrary, s symmetric, and m manifest faults simultaneously, provided n > 3a+ 2s+ m. A further extension to the fault model includes link faults with bound n > 3a + 2s + m + l where l is the maximum, over all pairs of processors, of the number of processors that have faulty links to one or other of the pair. The mechanically-checked formal veri cation of the modi ed algorithm was achieved by extending one for the classical Interactive Convergence algorithm, and was accomplished relatively easily. A mechanicallychecked formal speci cation and veri cation is a reusable intellectual resource whose initial cost is amply repaid by the support it provides for inexpensive and reliable investigation of modi ed assumptions and algorithms such as those reported here. This work was supported by the National Aeronautics and Space Administration, Langley Research Center, under contract NAS1-18969.