Our method relies on using EventML. EventML cooperates with the Nuprl interactive theorem prover at every stage of program development to help programmers ensure correctness, document the code, and support modifications and improvements.
See Mark's Correct-by-Construction slides from May 2012.
More about EventML is at http://www.nuprl.org/software/ and for additional examples see the EventML Tutorial
In this example we will look at Paxos consensus, focusing on specifying the Scout protocol.
Using EventML's interface with Nuprl, we generate the ILF. If there are any issues with the proof we revise the specification and reiterate the process with the ILF.
Using EventML's correct-by-construction synthesizer we generate code from the specification.
Engaging our diversity in classes and state machines we generate multiple verified versions of the code. Then the final step before deployment is to test the code in the EventML simulator.
ShadowDB is a replicated database we created on top of a synthesized consensus core. The primary defines the order in which transaction updates are applied. When crashes occur, consensus is used to reconfigure the set of replicas and agree on a prefix of executed transactions.