Layer correctness
abstract FIFO network spec
abstract Total Order network spec
Hickey, Lynch, Van Renesse, TACAS’99
network + layer == network++
Token layer on each CPU
Once you have an implementation, you can prove it correct, as we’ve done for a particular implementation of total order.
We found a subtle bug!