A Verified High-Performance Composable Object Library for Remote Direct Memory Access (Extended Version)
Guillaume Ambal, George Hodgkins, Mark Madler, Gregory Chockler, Brijesh Dongol, Joseph Izraelevitz, Azalea Raad, Viktor Vafeiadis
TL;DR
The paper tackles the challenge of building verifiable, high-performance RDMA-based libraries by introducing LOCO, a library of composable, distributed objects, and Mowgli, a modular framework for formal verification across weak memory models. LOCO demonstrates how simple primitives (shared variables, barriers, and ring buffers) can be composed to implement higher-level services such as a linearisable key-value store and a distributed DC/DC controller, all with formal correctness proofs. The rdmawait memory model provides a robust foundation for reasoning about inter-node synchronization, while Mowgli enables locality-based proofs and compositional reasoning across multiple libraries and clients. Empirical results show LOCO can match or exceed OpenMPI performance in certain scenarios (notably ring buffers) while offering verified safety guarantees, underscoring the practical impact of combining formal methods with RDMA-based designs.
Abstract
Remote Direct Memory Access (RDMA) is a memory technology that allows remote devices to directly write to and read from each other's memory, bypassing components such as the CPU and operating system. This enables low-latency high-throughput networking, as required for many modern data centres, HPC applications and AI/ML workloads. However, baseline RDMA comprises a highly permissive weak memory model that is difficult to use in practice and has only recently been formalised. In this paper, we introduce the Library of Composable Objects (LOCO), a formally verified library for building multi-node objects on RDMA, filling the gap between shared memory and distributed system programming. LOCO objects are well-encapsulated and take advantage of the strong locality and the weak consistency characteristics of RDMA. They have performance comparable to custom RDMA systems (e.g. distributed maps), but with a far simpler programming model amenable to formal proofs of correctness. To support verification, we develop a novel modular declarative verification framework, called Mowgli, that is flexible enough to model multinode objects and is independent of a memory consistency model. We instantiate Mowgli with the RDMA memory model, and use it to verify correctness of LOCO libraries.