Self-stabilization

What is Self-stabilization?

• Technique for spontaneous healing after transient failure or perturbation.

• Non-masking tolerance (Forward error recovery).

• Guarantees eventual safety following failures.

Feasibility demonstrated by Dijkstra in his Communications of the ACM 1974 article

Why Self-stabilizing systems?

• Recover from any initial configuration to a legitimate configuration in a bounded number of steps, as long as the codes are not corrupted. The ability to spontaneously recover from any initial state implies that no initialization is ever required.

• Such systems can be deployed ad hoc, and are guaranteed to function properly in bounded time

Two properties

Examples of Self-stabilizing systems

We discussed at least one such system while discussing about clock phase synchronization on an array of clocks that are synchronously ticking.

We will discuss about a couple of others now.

Example 1: Stabilizing mutual exclusion(Dijkstra 1974)

01 62 4 753

N-1

Consider a unidirectional ring of processes. In the legal configuration, exactly one token will circulate in the network (token = enabled guard)

Safety. The number of processes with an enabled guard is exactly one.

Liveness. During an infinite behavior, the guard of each process is enabled

infinitely often.

Stabilizing mutual exclusion on a ring

0

Hand-execute this first, before reading further.Start the system from an arbitrary initial configuration

n = number of processesEach process has k states 0..(k-1)

k > n

1 2 n-1

Correctness Proof

Absence of deadlock

If no process j > 0 has an enabled guard then x[0] = x[1] = x[2]= … x[n-1].

But it means that the guard of process 0 is enabled.

Proof of Closure

When a process executes an action, its own guard is disabled, and at most

one more process becomes enabled. So, the number of tokens never increases.

It means that if the system is in a good configuration, it remains so

(unless, of course a failure occurs)

Correctness Proof (continued)

Proof of Convergence

• By the pigeonhole principle, at least one state should not be the state of

any process. Let x be one of the missing states in the system.

• Processes 1..n-1 acquire their states from their left neighbor

• Eventually process 0 attains the state x

• Eventually, all processes attain the state x before process 0 becomes

enabled again

• This is a legal configuration (only process 0 has a token)

Thus the system is guaranteed to recover from a bad configuration

to a good configuration

To disprove

To prove that a given algorithm is not self-stabilizing to L, it is sufficient

to show that. either

(1)there exists a deadlock configuration, or

(2) there exists a cycle of illegal configurations (≠L) in the history

of the computation.

(3) The systems stabilizes to a configuration L’ ≠ L

Example 2: Stabilizing spanning tree

Problem description

• Given a connected graph G = (V,E) and a root r,

design an algorithm for maintaining a spanning

tree in presence of transient failures that may corrupt

the local states of processes (and hence the

spanning tree) .

• Let n = |V|

Different scenarios

0

1

2

5

4

3

0

1

2

5

4

3

1

2

3 4

5

P(2) is corrupted

Each process i has two variablesL(i) = Distance from the root via tree edges

P(i) = parent of process i

Different scenarios

0

1

2

5

4

3

1

2

3 4

5

0

1

2

5

4

3

1

2

54

5

The distance variable L(3) is corrupted

Definitions

(2)

The algorithm

0

1

2

5

4

3

P(2) is corrupted

0

1

2

3 4

5

The blue labels denote the values of L

Proof of stabilization

Define an edge from i to P(i) to be well-formed, when

L(i) ≠ n, L(P(i)) ≠ n and L(i) = L(P(i)) +1.

In any configuration, the well-formed edges form a

spanning forest. Delete all edges that are not well-

formed. Each tree T(k) in the forest is identified by k,

the lowest value of L in that tree.

Example

In the sample graph shown earlier, the original spanning tree is decomposed into two well-formed trees

T(0) = {0, 1}

T(2) = {2, 3, 4, 5}

Let F(k) denote the number of T(k)’s in the forest.

Define a tuple F= (F(0), F(1), F(2) …, F(n)).

For the sample graph, F = (1, 0, 1, 0, 0, 0) after node 2’s has a transient failure.

Skeleton of the proof

Minimum F = (1,0,0,0,0,0) {legal configuration}

Maximum F = (1, n-1, 0, 0, 0, 0) (considering lexicographic order)

With each action of the algorithm, F decreases lexicographically.

Verify the claim!

This proves that eventually F becomes (1,0,0,0,0,0) and the spanning

tree stabilizes.

What is an upper bound of the time complexity of this algorithm?

Self-stabilizing Algorithm for Graph Coloring

The problem

Graph Coloring Problem: Given a graph, color all the vertices so that two adjacent vertices get different colors.

The real challenge: to use minimum number of colors.

3-colorable

Map Coloring

Theorem (Apple Haken 1977). Every map is 4-colorable.

Can we draw a map that needs 5 colors? NO

Conjecture (1852) Every map is 4-colorable.

“Proof” by Kempe in 1879, an error is found 11 years later.

The proof is computer assisted, some mathematicians are not happy.

A graph is planar if it can be drawn on a

plane so that no two edges cross one

another

Self-stabilizing algorithm for coloring planar graphs

Goal: to color the nodes of a planar graph using at most six colors

Initially an adversary may assign arbitrary colors to the different nodes.Eventually a proper coloring has to be restored.

There is no central coordinator to coordinate the recovery

The main components

Arbitrarily colored planar graph G

DAG where each node has an outdegree ≤ 5

Properly colored G withat most six colors

First component

Second component

Euler’s Polyhedron Formula

Proof by contradiction. Assume the claim is false. Then the degree of every vertex ≥ 6.

This means that the total number of edges e ≥ 3v.Contradiction!

Theorem. If G is a simple planar graph with at least 3 vertices, then

e ≤ 3v-6

Corollary. In a planar graph, there must exist at least one node with degree ≤ 5

Every Planar Graph has a six coloring

Theorem. Every planar graph is 6-colorable.

Let v be a vertex of degree at most 5. Remove v from the

planar graph G. Note that if G-v is 6-colorable then G is

6-colorable (why?)

Now, G-v is still a planar graph. So, you can use

recursion here, since after you remove a node of degree

5 in each step, ultimately there will be a graph with

at most 6 nodes that is trivially 6-colorable

G-v

v

The First Component

The first component

transforms the given planar graph into a directed acyclic graph (dag) for which

. . However, the technique shown in the previous slide

only shows the feasibility, and does not present a distributed algorithm! So, we

have to revisit this, and search for a self-stabilizing distributed algorithm for this

transformation.

Let us jump ahead, and examine the second component.

The Second Component

The second component runs on on a dag where the outdegree of each node is ≤5, and produces the actual 6-coloring. Let sc(i) be the set of colors of the successors of node i

program colorme for node i;

Note. The second component is self-stabilizing. Why?

Stabilizing algorithm for dag generation

This is the self-stabilizing distributed algorithm for the first component. It transforms the given planar graph into a directed acyclic graph (dag) for which holds

program dag process i;do outdegree(i) > 5

reverse the direction of the edgesod

The dag-generation algorithm stabilizes to a configuration in which the

condition holds. Why?

We will discuss it in the class.

The last challenge

Question Who will detect the termination of the first component so that the second component can be launched?

Answer It is not necessary. Run them concurrently. But before that, add the extra predicate

outdegree(i) ≤ 5

to strengthen the guard of the coloring algorithm

From Self-stabilizing to Adaptive Systems

Adaptive systems can be viewed as extensions of self-stabilizing systems

Environment E

system S

A system is expected to adapt to an environment Eby switching its legal configuration

Example if E = 0 then legal state L = L0, else If E = 1 then legal state L = L1

This implies that the system is self-stabilizing to

L = (not E L0) (E L1)⋀ ⋁ ⋀