Model-based Testing of Practical Distributed Systems in Actor Model
Ilya Kokorin, Evgeny Chernatskiy, Vitaly Aksenov
TL;DR
The paper addresses the gap between formal specifications and real-world distributed system implementations by introducing an actor-model, model-based testing framework that exhaustively covers all state transitions. It generates a finite transition graph from a TLA+-specified model using TLC, then computes a minimal set of paths that cover every edge, enabling deterministic replay and thorough correctness checks via a ToModel mapping. The authors provide a polynomial-time test-suite generation algorithm (including a BFS-based upper bound and flow-based reductions to minimum-cost circulation) and validate the approach on a VK.com Viewstamped Replication-based system, achieving high test-throughput and scalable verification for practical distributed systems.
Abstract
Designing and implementing distributed systems correctly can be quite challenging. Although these systems are often accompanied by formal specifications that are verified using model-checking techniques, a gap still exists between the implementation and its formal specification: there is no guarantee that the implementation is free of bugs. To bridge this gap, we can use model-based testing. Specifically, if the model of the system can be interpreted as a finite-state automaton, we can generate an exhaustive test suite for the implementation that covers all possible states and transitions. In this paper, we discuss how to efficiently generate such a test suite for distributed systems written in the actor model. Importantly, our approach does not require any modifications to the code or interfering with the distributed system execution environment. As an example, we verified an implementation of a replication algorithm based on Viewstamped Replication, which is used in a real-world system.