fault-containment in weakly stabilizing systems anurag dasgupta sukumar ghosh xin xiao university of...
TRANSCRIPT
Fault-containment in Weakly Stabilizing Systems
Anurag Dasgupta Sukumar GhoshXin Xiao
University of Iowa
Preview
• Weak stabilization (Gouda 2001) guarantees reachability and closure of the legal configuration. Once “stable”, if there is a minor perturbation, apparently no recovery guarantee exists, let alone “efficient recovery”.
• We take a weakly stabilizing leader election algorithm, and add fault-containment to it.
Our contributions
• An exercise in adding fault-containment to a weakly stabilizing leader election algorithm on a line topology. Processes are anonymous.
• Containment time = O(1) from all single failures
• Lim m∞ (contamination number) is O(1) (precisely 4), where m is a tuning parameter
(Contamination number = max. no. of non-faulty processes that change their states during recovery)
The big picture
Model and NotationsConsider n processes in a line topologyN(i) = neighbors of process iVariable P(i) = {N(i) U ⊥} (parent of i)Macro C(i) = {q ∈ N(i): P(q) = i} (children of i)Predicate Leader(i) ≡ (P(i)=⊥)
Legal configuration:• For exactly one process i: P(i) = ⊥ j ≠ i: P(j) = k P(k) ≠ j
Node i
P(i)
C(i)
Leader
Model and Notations
Shared memory model and central schedulerWeak fairness of the schedulerGuarded action by a process: g AComputation is a sequence of (global) statesand state transitions
Node i
P(i)
C(i)
Leader
Stabilization
A stable (or legal) configuration satisfies a predicateLC defined in terms of the primary variables p that are observable by the application. However, fault-containment often needs the use of secondary variables (a.k.a auxiliary or state variables) s. Thus,
Local state of process i = (pi, si)Global state of the system = (p, s), where p = the set of all pi, and s = the set of all si
(p, s) LC p LCp and s LCs
Definitions
Containment time is the maximum time needed to establish LCp from a 1-faulty configuration
Containment in space means the primary variables of O(1) processes changing their state during recovery from any 1-faulty configuration
Fault-gap is the time to reach LC (both LCp and LCS) from any 1-faulty configuration
LCp restored LCs restored
Fault gap
Weakly stabilizing leader election
We start from the weakly stabilizing leader electionalgorithm by Devismes, Tixeuil,Yamashita [ICDCS 2007], and then modify it to add fault-containment. Here is the DTY algorithm for an array of processes.
DTY algorithm: Program for any process in the array
Guarded actions:
R1 :: not leader ∧ N(i) = C(i)→ be a leader
R2 :: not leader∧ N(i) \ {C(i) U P(i)} ≠ → switch parent
R3 :: leader∧ N(i) ≠ C(i) → parent := k : k C(i)
Effect of a single failure
With a randomized scheduler, the weakly stabilizing system
will recover to a legal configuration with probability 1.
However, If a single failure occurs, the recovery time can be
as large as n (Using situations similar to Gambler’s ruin). For
fault-containment, we need something better.
We bias a randomized scheduler to achieve our goal. The
technique is borrowed [Dasgupta, Ghosh, Xiao: SSS 2007].
Here we show that the technique is indeed powerful enough
to solve a larger class of problems.
Biasing a random scheduler
For fault-containment, each process i uses a secondary variable
x(i). A node i updates its primary variable P(i). when thefollowing conditions hold:
• The guard involving the primary variables is true • The randomized scheduler chooses i• x(i) ≥ x(k), where k N(i)
Biasing a random scheduler
ij k
x(i)=10 x(k)=7x(j)=8
ij k
x(i)=13 x(k)=7x(j)=8
(Let m = 5)
ij k
x(i)=10 x(k)=7x(j)=8
ij k
x(i)=10 x(k)=8x(j)=8
After the action, x(i) is incremented as x(i) := max q ∈N(i) x(q) + m, m ∈ Z+
(call it update x(i), here m is a tuning parameter). When x(i) < x(k) but conditions 1-2 hold, the primary variable P(i) remains unchanged -- onlyx(i) is incremented by 1
UPDATE x(i) INCREMENT x(i)
* * * *
The Algorithm
Algorithm 1 (containment) : program for process i
Guarded actions:
R1 :: (P(i) ≠ ⊥) ∧ (N(i) = C(i)) → P(i) := ⊥
R2 :: (P(i) = ⊥) ∧ (∃k ∈ N(i) \ C(i)) → P(i) := k
R3a :: (P(i) = j) ∧ (∃k ∈ N(i) : P(k) ≠ i or ⊥)∧ x(i) ≥ x(k) → P(i) := k; update x(i)
R3b :: (P(i) = j) ∧ (∃k ∈ N(i) : P(k) ≠ i or⊥) ∧ x(i) < x(k) → increment x(i)
R4a :: (P(i) = j) ∧ (∃k ∈ N(i) : P(k) = ⊥) ∧ x(i) ≥ x(k) → P(i) := k
R4b :: (P(i) = j) ∧ (∃k ∈ N(i) : P(k) = ⊥) ∧ x(i) < x(k) → increment x(i)
R5 :: (P(i) = j) ∧ (P(j) = ⊥) ∧ (∃k ∈ N(i) : P (k) ≠ i or⊥} → P(i) := k
Analysis of containment
Consider six cases
1. Fault at the leader
2. Fault at distance-1 from the leader
3. Fault at distance-2 from the leader
4. Fault at distance-3 from the leader
5. Fault at distance-4 from the leader
6. Fault at distance-5 or greater from the leader
Case 1: fault at leader node
0 1 72 6543
0 1 72 6543
0 1 72 653 4
R1 applied by node 5
R1 applied by node 4: node 4 is the new leader
**
R1 :: (P(i) ≠ ⊥) ∧ (N(i) = C(i)) → P(i) := ⊥
Case 2: fault at distance-1 from the leader node
0 1 72 6543
0 1 72 6543
R1: node 3
0 1 72 6543
R2: node 5
* *
**
*
R2 :: (P(i) = ⊥) ∧ (∃k ∈ N(i) \ C(i)) → P(i) := k
Case 5: fault at distance-4 from the leader node
0 1 72 6543
* *0 1 72 6543
**
R4a(2): x(2)>x(1)
0 1 72 6543 R5 (4)
* *
*R2(5)
*
R3a(3): x(3)>x(2)
0 1 72 6543
0 1 72 6543 stable
Non-faulty processes up to distance 4 from the faulty node being affected
R4a :: (P(i) = j) ∧ (∃k ∈ N(i) : P(k) = ⊥) ∧ x(i) ≥ x(k) → P(i) := k
Case 6: fault at distance ≥ 5 from the leader node
0 1 72 6543
* *0 1 72 6543
**
R4a(2): x(2)>x(1)
0 1 72 6543 R3a (3); R5 (2)
* *
*R2 (1)
*
R3a(3): x(3)>x(2), x(4)
0 1 72 6543
With a high m, it is difficult for 4 to change its parent, but 3 can easily do it
Recovery complete0 1 72 6543
Current leader
Fault-containment in space
Theorem 1. As m∞ , the effect of a single failure is restricted
within distance-4 from the faulty process i.e., algorithm is spatially
fault-containing.
Proof idea. Uses the exhaustive case-by-case analysis. The worst
case occurs when a node at distance-4 from the leader node fails
as shown earlier.
Fault-containment in time
Theorem 2. The expected number of steps needed to contain
a single fault is independent of n. Hence algorithm containment is
fault-containing in time.
Proof idea. Case by case analysis. When a node beyond distance-4
from the leader fails, its impact on the time complexity remains
unchanged.
Fault-containment in time
0 1 72 6543
* *
Recovery completed in a single move regardless of whether node 3 or 4 executes a move.
Case 1: leader fails
Case 2: A node i at distance -1 from the leader fails.
• P(i) becomes :⊥ recovery completed in one step
• P(i) switches to a new parent: recovery time = 2 +∑∞n=1 n/2n = 4
Fault-containment in time
Summary of expected containment times
Fault at leader - 1
Fault at dist-1 1 4
Fault at dist-2 2 151/108
Fault at dist-3 131/54 115/36
Fault at dist-4 10/9 29/27
Fault at dist ≥ 4 33/32 115/36
P(i) ⊥ P(i) switches
Thus, the expected containment time is O(1)
Another proof of convergence
Theorem 3. The proposed algorithm recovers from all single faultsto a legal configuration in O(1) time.
Proof (Using martingale convergence theorem)
A martingale is a sequence of random variables X1, X2, X3, … s.t. ∀n•E(|Xn|) < ∞, and•E(Xn+1|X1 … Xn) = Xn (for super-martingale use ≤ for =, and
for sub-martingale, use ≥ for =)
We use the following corollary of Martingale convergence theorem:
Corollary. If Xn ≥ 0 is a super-martingale then as n → ∞, Xn converges to X with probability 1, and E(X) ≤ E(X0).
Proof of convergence (continued)
Let Xi be the number of processes with enabled guards in step i.After 0 or 1 failure, X can be 0, 2, or 3 (exhaustive enumeration).
When Xi = 0, Xi+1 = 0 (already stable) When Xi = 2, E(Xi+1)= 1/2 x 1 + 1/2 x 2 = 1 ≤ 2When Xi = 3, E(Xi+1)= 1/3 x 0 + 1/3 x 2 + 1/3 x 4 = 2 ≤ 3
Thus X1, X2, X3, … is a super-martingale. Using the Corollary, as n → ∞, E(Xn) ≤ E(X0). Since X is non-negative by definition, Xn
converges to 0 with probability 1, and the system stabilizes.
Proof idea of weak stabilization
DTY algorithm Our algorithm
R1
R2
R3
R1
R2
R3
R4
R5Weakly stabilizing
Executes the same action (P(i) :=k) as in DTY, but the guards are biased differently
Weakly stabilizing
Stabilization from multiple failures
Theorem 3. When m → ∞, the expected recovery time from multiple
failures is O(1) if the faults occur at distance 9 or more apart.
Proof sketch. Since the contamination number is 4, no non-faultyprocess is influenced by both failures.
4 4
FaultFault
Conclusion
1. With increasing m, the containment in space is tighter, but
stabilization from arbitrary initial configurations slows down.
2. LCs = true, so the systems is ready to deal with the next single
failure as soon as LCp holds. This reduces the fault-gap and
increases system availability.
• The unbounded secondary variable x can be bounded using the
technique discussed in [Dasgupta, Ghosh, Xiao SSS 2007] paper.
• It is possible to extend this algorithm to a tree topology (but
we did not do it here)