Introduction to Self-Stabilization

(1)

Introduction to Self-Stabilization

Maria Potop-Butucaru, Franck Petit and Sébastien Tixeuil

LiP6/UPMC

(2)

Self-stabilization 101

(3)

Example

U

₀

= a

U

_n+1

=

^U₂ⁿ

if U

_n

is even

U

_n+1

=

^3Uⁿ₂⁺¹

if U

_n

is odd

(4)

Example

U

₀

= a

U

_n+1

=

^U₂ⁿ

if U

_n

is even

U

_n+1

=

^3Uⁿ₂⁺¹

if U

_n

is odd

n U

_n

0 1 2 3 4 5 6 7 8 9 10 11 12

7 11 17 26 13 20 10 5 8 4 2 1 2

(5)

Example

U

₀

= a

U

_n+1

=

^U₂ⁿ

if U

_n

is even

U

_n+1

=

^3Uⁿ₂⁺¹

if U

_n

is odd

16

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

27

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

Iterations

Values

"Correct"

(6)

Example

(7)

Self-stabilization

Time

Configurations

"Correct"

Time

Configurations

"Correct"

Stabilization Time

Time

Configurations

"Correct"

Stabilization Time Stabilized

(8)

Self-stabilization

Arbitrary Legitimate

f1 f2

f1

(9)

Self-stabilization

(10)

Distributed Systems

a b

c d

l

i

h

j

e

f

g

k

(11)

Distributed Systems

a b

c d

l

i

h

j

e

f

g

k

(12)

Distributed Systems

6 4

5 3

4

6

1

4

6

3

4

(13)

Distributed Systems

• Locality of time

• Locality of information

• Non-determinism

(14)

Distributed Systems

• Configuration: product of the local states of system components

• Execution: interleaving of the local

executions of the system components

(15)

Distributed Systems

• Classical: Starting from a particular initial configuration, the system immediately

exhibits correct behavior

• Self-stabilizing: Starting from any initial configuration, the system eventually reaches a configuration from which its behavior is

correct

(16)

Distributed Systems

• Self-stabilizing: Starting from any initial configuration, the system eventually reaches a configuration from which its behavior is

correct

• Defined by Dijkstra in 1974

• Advocated by Lamport in 1984 to address

fault-tolerant issues

(17)

Configurations

Self-stabilization Hypothesis Composition Proof Techniques Conclusion

Memory Corruption

I

Example of a sequential program:

int x = 0;

...

if( x == 0 ) {

// code assuming x equals 0 }

else {

// code assuming x does not equal 0

}

(18)

Configurations

i j

(19)

Configurations

a b

c d

l

i

h

j

e

f

g

k

(20)

Hypotheses

(21)

Atomicity

• A «stabilizing» sequential program

Atomicity

I Example of “stabilizing” sequential program

int x = 0;

...

while( x == x ) { x = 0;

// code assuming x equals 0

}

(22)

Atomicity

• A «stabilizing» sequential program

Atomicity

I

Example of “stabilizing” sequential program

0 iconst_0 1 istore_1 2 goto 7

5 iconst_0 6 istore_1 7 iload_1 8 iload_1

9 if_icmpeq 5

Problem

(23)

Communications

a b

c e

e

(24)

Communications

a b

c e

e

(25)

Communications

a b

c e

e

(26)

Example

• Shared memory: in one atomic step, read the state of all neighbors and write own state

• Guarded command

Guard ! Action

Predicate on the states of the neighborhood

Executed if

Guard is true

(27)

Token Ring

Specification

 Safety : At most one token in the system

 Liveness : Each process

gets the token infinitely often

top

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

(28)

Token Ring

Specification

TR1

TR2

top

TR2

TR2 TR2

TR2

TR1

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

Self-

stabilizing?

(29)

Token Ring

Specification

top

TR2

TR2 TR2

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

(30)

Token Ring

Specification

top

TR1

TR2

TR2 TR2

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

(31)

Token Ring

Specification

top

TR1

TR2

TR2 TR2

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

(32)

Token Ring

Specification

top

TR1

TR2

TR2 TR2

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

(33)

Token Ring

Specification

top

TR1

TR2

TR2 TR2

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

(34)

Token Ring

Specification

top

TR1

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

(35)

Token Ring

Specification

top

TR1

TR2 TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

TR2 TR2

(36)

Token Ring

Specification

top

TR1

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

TR2 TR2

TR2

(37)

Token Ring

Specification

top

TR2

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

TR2

TR2 TR2

TR2

Idem configuration initiale

(38)

Token Ring

Specification

 Liveness : Each process lets the token infinitely often

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

Exercice : Montrer qu'il se produit la même chose avec un

nombre impair de

processeurs.

(39)

Token Ring

top



Algorithme Auto-stabilisant de circulation de jeton de Dijkstra

p = top

TR1 : (v_p =v_l) → v_p:=v_l⊕_k1 p ≠ top

TR2 : (v_p≠ v_l) → v_p:=v_l

7 5 2

8 3

1 4 6

^TR2

TR2 TR2 TR2

TR2 TR2

TR2

(40)

Token Ring

top Algorithme Auto-stabilisant de

circulation de jeton de Dijkstra

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

2 5 5

3 1

4 6 7

^TR2

TR2 TR2 TR2

TR2

(41)

Token Ring

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

5 5 5

1 4

6 7 2

^TR2

TR2 TR2 TR2

TR2

(42)

Token Ring

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

5 5 5

4 6

7 2 5

TR2 TR2 TR2

TR2

(43)

Token Ring

5 5 5

6 7

2 5 5

TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(44)

Token Ring

5 5 5

7 2

5 5 5

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(45)

Token Ring

5 5 5

2 5

5 5 5

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(46)

Token Ring

5 5 5

5 5

5 5 5

TR1

Valeur de k ?

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(47)

Token Ring

5 0 6

0 1

2 3 4

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(48)

Token Ring

6 1 0

1 2

3 4 5

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(49)

Token Ring

0 2 1

2 3

4 5 6

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(50)

Token Ring

1 3 2

3 4

5 6 0

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(51)

Token Ring

2 4 3

4 5

6 0 1

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(52)

Token Ring

3 5 4

5 6

0 1 2

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(53)

Token Ring

4 6 5

6 0

1 2 3

^TR2

TR2 TR2 TR2

TR2

TR1

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(54)

Token Ring

5 7 6

0 1

2 3 4

^TR2

TR2 TR2 TR2

TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(55)

Token Ring

6 7 7

1 2

3 4 5

^TR2

TR2 TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(56)

Token Ring

7 7 7

2 3

4 5 6

^TR2

TR2 TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(57)

Token Ring

7 7 7

3 4

5 6 7

TR2 TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(58)

Token Ring

7 7 7

4 5

6 7 7

TR2 TR2

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(59)

Token Ring

7 7 7

5 6

7 7 7

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(60)

Token Ring

7 7 7

6 7

7 7 7

TR2

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(61)

Token Ring

7 7 7

7 7

7 7 7

TR1

Temps de Stabilisation : O(n)

p = top

TR2 : (v_p≠ v_l) → v_p:=v_l

(62)

[Dijkstra 74]

B T

Bottom

Top

Middle

Bottom Top Middle

(63)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(64)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(65)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(66)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(67)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(68)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(69)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(70)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(71)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(72)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(73)

[Dijkstra 74]

B T

Bottom

Top

Middle

Bottom Top Middle

(74)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(75)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(76)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(77)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(78)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(79)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(80)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(81)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(82)

Bottom

Top

Middle

[Dijkstra 74]

Bottom Top Middle

B T

(83)

Auto-stabilisation ?

(84)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(85)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(86)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(87)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

(88)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

Stabilisé !

(89)

Bottom

Top

Middle

[Dijkstra 74]

B T

Bottom Top Middle

Stabilisé !

Temps de stabilisation = O(n)

(90)

R0 : (L_p≠n) et (L_p≠L_F+1) et (L_F≠n) → L_p := L_F+1;

R1 : (L_p≠n) et (L_F=n) → L_p := n;

R2 : Soit q un voisin de p tel que :

(L_p=n) et (L_q<n-1) → L_p := L_q+1; F:=q;

Construction d’arbre couvrant auto-stabilisante

r

0

10 9

2 4

13 1

11 12

4

7 1

1

5

(n=14)

R0

R0 R0

R0 R0 R0

R0 R0

(91)

BFS

true ! Distance

_i

:= M in

_j₂_{N eighbors}_i

{ Distance

_j

+ 1 }

3 3

2 1

2

r

1

2

1

3

(92)

BFS

true ! Distance

_i

:= M in

{ Distance

_j

+ 1 }

3 4

2 2

2

8

r

1

2

7

1

3

(93)

BFS

3 4

2 2

3

8

r

1

2

7

1

3

true ! Distance

_i

:= M in

{ Distance

_j

+ 1 }

(94)

BFS

3 4

2 1

3

1

r

1

2

7

1

3

true ! Distance

_i

:= M in

{ Distance

_j

+ 1 }

(95)

BFS

3 4

2 1

2

1

r

1

2

1

3

true ! Distance

_i

:= M in

{ Distance

_j

+ 1 }

(96)

BFS

3 3

2 1

2

1

r

1

2

1

3

true ! Distance

_i

:= M in

{ Distance

_j

+ 1 }

(97)

Scheduling

• Scheduler (a.k.a. Daemon): the daemon chooses among activatable processes those that will execute their actions

• can be seen as an adversary whose role is

to prevent stabilization

(98)

Spatial Scheduling

true ! color

_i

:= M in \ { color

_j

| j 2 N eighbors

_i

}

=

a b

d

c e

f

a b

a d

c e

f

a b

(99)

Temporal Scheduling

token ! pass token to left neighbor with probability 1

token = no token = 2

(100)

Temporal Scheduling

token ! pass token to left neighbor with probability 1

token = no token = 2

(101)

Composition Schemes

(102)

Fair Composition

• ^{Basic idea}

• Compose several self-stabilizing

algorithms such that their results can be resused by

• can not detect whether algorithms have stabilized, but behaves as if

A

₁

, A

₂

, . . . , A

_k

A

_k+1

A

_k+1

(103)

Fair Composition

• Example with k=2

• Two simple algorithms server and client

are combined to obtain a more complex algorithm

• The server algorithm ensure that some

properties (used by the client) will be

eventually satisfied

(104)

Fair composition

• Definition: is a fair composition of and if, in , every process alternatively executes actions of and

A A

₁

A

₂

A

₁

A

₂

(105)

Fair Composition

• Theorem: If is self-stabilizing for

given , and if is self-stabilizing for , then the fair composition of and is self-stabilizing for

A

₁

A

₂

T

₂

T

₁

T

₁

A

₁

A

₂

T

₂

A

₁

T

₁

A

₂

T

₂

(106)

Example

• We are given two self-stabilizing

algorithms, one for constructing a tree in a general network, one for mutual exclusion on a unidirectional ring

3 3

2 1 2

1

r

1

2

1

3

3 3

2 1 2

1

r

1

2

1

3

a b

c d

l

i

r

j

e

f

g

k

(107)

Example

d

c a c b c d e

d r g

f k f

g r

j r

i

l

i

r

a b

c d

l

i

r

j

e

f

g

k

(108)

Crossover Composition

• ^{Basic idea}

• Algorithm is correct under daemon

• is more restrictive than

• We want to run under

• produces , and is executed when produces activation

A

₁

A

₂

D

₁

D

₂

D

₂

D

₁

A

₂

D

₁

A

₁

D

₂

A

₂

A

₁

(109)

Example

• Uniform unidirectionnal ring

• Each node has a variable

• Each node has a token if

• Each node passes a token by executing v

_i

v

_i

6 = v

_i ₁

mod SND

_n

v

_i

:= v

_i ₁

+ 1 mod SND

_n

(SND

_n

: smallest non divisor of n)

(110)

Example

0 0 1

0 1

Changes

to 0 ⁰

0 0

0 1

Changes

0 to 1

1 0

0 1

Changes to 1

1 1 0

0

1

(111)

Example

• Algorithm 1

• A node with a token is activatable

• An activated node always transmits the token

• Algorithm 1 solves the token passing

problem with arbitrary daemon

(112)

Example

• Algorithm 2

• A node with a token is activatable

• An activated node transmits the token with probability 1/2

• Algorithm 2 solves mutual exclusion if

daemon is bounded (in time)

(113)

Example

• Crossover Composition

• A node may have up to two tokens (one deterministic and one probabilistic)

• A node with a deterministic token is activatable

• An activated node passes the deterministic token and (if it has it) the probabilistic

token with probability 1/2

(114)

Example

Probabilistic Deterministic

(115)

Example

• Algorithm 2 composed with Algorithm 1 solves mutual exclusion with an arbitrary daemon

• The solved problem does not change, but

the daemon is less restrictive

(116)

Proof Techniques

(117)

Transfer function

• ^{Basic idea}

• Used to prove convergence

• Convenient to compute stabilization time

Transfer Function

Basic Idea

I

c

₁

! c

₂

! c

₃

! c

₄

! · · · ! c

_i

I

FP ( c

₁

) > FP ( c

₂

) > FP ( c

₃

) > . . . > FP ( c

_i

) = bound

I

Used to prove convergence

I

Can be used to compute the number of steps to reach

a legitimate configuration

(118)

Transfer Function

Time

Configurations

"Correct"

Time

Configurations

"Correct"

(119)

Attractors

Arbitrary Attractor

Legitimate

d

(120)

Attractors

Arbitrary Legitimate

f1 f2

f1

(121)

Attractors

Arbitrary

Attractor

Legitimate

f

f f

f

f f

f f f

f f

(122)

Conclusion

(123)