Formal Models for Distributed Negotiations
The 2PC in an Extended Pi-Calculus
Roberto Bruni, Dipartimento di Informatica, Università di Pisa
XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July 21-26 2003
Formal Models for Distributed
Negotiations 2
Towards the End
What should have emerged from this course?
- Dealing with distributed systems is not an easy task
- Current interests:
  - Coordination, orchestration, choreography of concurrent and distributed processes/data
  - Negotiations, contracts, agreements, committed choices (transactions in disguise)
- Formal models are essential
  - to support rigorous analysis, specifications and proofs
  - to support efficient implementations
  - to develop new concepts
  - to compare approaches
One More Example
To conclude our excursus:
- 2PC in pi-calculus [Berger, Honda 2000]
  - some extensions are needed to cover all the aspects of the protocol: message loss, sites, local timers, site failures, persistence
  - atomicity can be formally expressed and proved
- Here the main ideas are just sketched
2PC (Again!)
Informally, the 2PC protocol involves:
- distributed faulty processes communicating on faulty channels
- a unique TM (coordinator)
- finitely many participants (statically fixed)
- atomicity: as far as outside observers are concerned, it looks as if all participants commit/abort together
2PC: Core Protocol
Assuming the absence of failures:
- The coordinator sends vote requests to all participants
- Each participant sends its vote (abort/commit) back to the coordinator
  - if the vote is abort, the participant aborts immediately
  - otherwise, the participant waits for the decision of the coordinator
  - the coordinator itself can decide to vote commit/abort
- When all votes are collected
  - if all voted commit, the coordinator tells all to commit
  - otherwise, the coordinator tells all to abort
- All participants that voted commit were waiting for the decision and must behave accordingly
2PC: Timers
- Since messages can be lost in transit, the core protocol is augmented with timeouts
- The coordinator sets a timer before waiting for votes
  - if the timer expires, the coordinator votes abort
- Each participant that voted commit sets a timer before waiting for the decision
  - if the timer expires, the participant can assume that the message carrying the decision was lost and will request the coordinator to send the decision again (centralized version), setting up another timer
2PC: Savepoints
- Systems/processes can crash
  - all crashed systems will eventually restart
  - to allow consistent restarting, savepoints are added to the protocol: a persistent datum S such that, if P crashes, it will restart as S
- The initial savepoint of the coordinator is such that, after restart, it will order participants to abort (crashed coordinators are not trustworthy)
- After the coordinator has received all votes and they are all for commit, the coordinator updates its savepoint to order commit if restarted, then sends the decision
- The initial savepoint of each participant is to abort
- After voting commit, the savepoint is updated to vote commit again and wait for the decision; only then does the participant send its vote
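An added executable model of the informal protocol described on the core-protocol, timers and savepoints slides (our own Python, not code from the slides or from Berger and Honda): votes, the coordinator's decision, lost messages seen as expired timers, retry of the decision, and savepoints that survive a crash. The names (Participant, Coordinator, run_2pc, atomic) and the loss/crash events are constructed for the example.

```python
from dataclasses import dataclass

DONE = {"commit": "committed", "abort": "aborted"}

@dataclass
class Participant:
    name: str
    vote: str                  # this participant's own vote: "commit" or "abort"
    savepoint: str = "abort"   # initial savepoint: after a crash, restart and abort
    state: str = "init"

@dataclass
class Coordinator:
    self_vote: str = "commit"  # the coordinator votes too
    savepoint: str = "abort"   # initial savepoint: a restarted coordinator orders abort
    decision: str = ""

def run_2pc(coord, parts, lost=frozenset(), crash_before_vote=frozenset(),
            coord_crash_before_save=False, rounds=4):
    """One run of the protocol. `lost` holds constructed loss events:
    ("vote", name) drops that vote, ("dec", name, r) drops the decision
    sent to `name` in retry round r (the participant's timer then expires)."""
    votes = []
    for p in parts:                                   # phase 1: votes
        if p.name in crash_before_vote:               # restarts from savepoint "abort"
            p.state, v = "aborted", "lost"
        elif p.vote == "abort":                       # aborts immediately, nothing to wait for
            p.state, v = "aborted", "abort"
        else:
            p.savepoint = "wait"                      # saved before the vote leaves
            p.state = "waiting"
            v = "lost" if ("vote", p.name) in lost else "commit"
        votes.append(v)
    # a lost vote is seen as the coordinator's timer expiring, i.e. as an abort vote
    unanimous = all(v == "commit" for v in votes) and coord.self_vote == "commit"
    if unanimous and not coord_crash_before_save:
        coord.savepoint = "commit"                    # saved before any decision leaves
    coord.decision = coord.savepoint                  # a restarted coordinator replays it
    for r in range(rounds):                           # phase 2: decision, retried on timeout
        for p in parts:
            # a waiting participant that crashes restarts from savepoint "wait",
            # i.e. it re-votes commit and keeps waiting, so it stays in this loop
            if p.state == "waiting" and ("dec", p.name, r) not in lost:
                p.state = DONE[coord.decision]
    return {p.name: p.state for p in parts}

def atomic(outcome):
    """What an outside observer checks: every participant that finished agrees."""
    return len({s for s in outcome.values() if s != "waiting"}) <= 1
```

A participant whose decision messages are all lost stays "waiting", which is the blocking behaviour the timers mitigate but cannot remove.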
Pi-Calculus with Branching I
- Asynchronous pi-calculus ($\tilde y$ abbreviates $y_1,\dots,y_n$)
  $P ::= 0 \mid \bar{x}\langle\tilde y\rangle \mid x(\tilde y).P \mid (x)P \mid P|P \mid\ !\bar{x}\langle\tilde y\rangle \mid\ !x(\tilde y).P$
- Augmented with branching (to deal more conveniently with binary abort/commit decisions)
  $P ::= \dots \mid x[(\tilde y).P,(\tilde z).P] \mid \bar{x}\text{-left}\langle\tilde y\rangle \mid \bar{x}\text{-right}\langle\tilde y\rangle$
- Structural rules
  - alpha-renaming of bound names
  - $|$ is associative, commutative, with unit $0$
  - $(x)(y)P \equiv (y)(x)P$
  - $P \mid (x)Q \equiv (x)(P \mid Q)$ when $x \notin fn(P)$
  - $P \mid\ !P \equiv\ !P$
Pi-Calculus with Branching II
- Reductions: allowed in any context unless under a prefix, defined up to structural equivalence
  $x(\tilde y).P \mid \bar{x}\langle\tilde v\rangle \to P\{\tilde v/\tilde y\}$
  $x[(\tilde y).P,(\tilde z).Q] \mid \bar{x}\text{-left}\langle\tilde v\rangle \to P\{\tilde v/\tilde y\}$
  $x[(\tilde y).P,(\tilde z).Q] \mid \bar{x}\text{-right}\langle\tilde v\rangle \to Q\{\tilde v/\tilde z\}$
- Abbreviations: $x[P,Q]$, $\bar{x}\text{-left}$, $\bar{x}\text{-right}$ (in absence of name passing)
  $P \oplus Q = (c)(c.P \mid c.Q \mid \bar{c})$ (internal sum)
  $P \oplus Q \to P' \sim P$ and $P \oplus Q \to Q' \sim Q$
Pi-Calculus: Core Protocol
$2PCP = (vote_{self})(\widetilde{vote})(\widetilde{dec})(\, C \mid P_1 \mid \dots \mid P_n \,)$
$C = (\tilde c)(c_{self})(a)(\, C_{wait} \mid C_{commit} \mid C_{abort} \mid C_{self} \,)$
$C_{wait} = vote_1[\bar{c}_1, \bar{a}] \mid \dots \mid vote_n[\bar{c}_n, \bar{a}] \mid vote_{self}[\bar{c}_{self}, \bar{a}]$
$C_{self} = \overline{vote_{self}}\text{-left} \oplus \overline{vote_{self}}\text{-right}$
$C_{commit} = c_1.\dots.c_n.c_{self}.(\overline{dec_1}\text{-left} \mid \dots \mid \overline{dec_n}\text{-left})$
$C_{abort} = a.(\overline{dec_1}\text{-right} \mid \dots \mid \overline{dec_n}\text{-right})$
$P_i = Pc_i \oplus Pa_i$
$Pc_i = \overline{vote_i}\text{-left} \mid dec_i[\,!\overline{commit_i},\ !\overline{abort_i}\,]$
$Pa_i = \overline{vote_i}\text{-right} \mid\ !\overline{abort_i}$
Proposition: $2PCP \approx Abort \oplus Commit$
where $Abort = \prod_i\ !\overline{abort_i}$ and $Commit = \prod_i\ !\overline{commit_i}$
Modeling Message Loss
- Reduction $\bar{x}\langle\tilde y\rangle \to 0$ ?
  - unrealistic: not all messages can be lost, only those traveling between different sites
- Two kinds of channels (lossy/reliable)?
  - It is not the channel, it is the message that matters (local/remote)
- Augment the calculus with the notion of a site
  - clear separation between internal and external message passing
  $N ::= 0 \mid (x)N \mid N|N \mid [P]_A$
  - $[P]_A$: site ready to receive from channels in $A$
Access Points
- $[P]_A$ as a LAN connected to the Internet: $A$ is the set of IP addresses owned by hosts in the LAN
- $[P]_A$ as a host: $A$ is the set of sockets serviced by $P$
- In general $A$ is the set of access points of $[P]_A$
  $ap(0) = \emptyset$
  $ap((x)N) = ap(N) \setminus \{x\}$
  $ap(N|M) = ap(N) \cup ap(M)$
  $ap([P]_A) = A$
Well-Formed Sites
- Local processes
  - Given $P = x(\tilde y).Q$: $x$ occurs in $P$ as input subject; free occurrences of $\tilde y$ in $Q$ are said to be input-bound
  - $P$ is local if no input subject is input-bound
- Well-formed sites (written $\vdash N$)
  - $\vdash 0$
  - $\vdash (x)N$ if $\vdash N$
  - $\vdash N|M$ if $\vdash N$ and $\vdash M$ and $ap(N) \cap ap(M) = \emptyset$
  - $\vdash [P]_A$ if $P$ is local and each free input subject of $P$ is in $A$
More on Sites
- We consider well-formed sites only
- Overloaded operators $0$, $(x)$ and $|$ obey the same structural rules as those for processes
- In addition we assume $[(x)P]_A \equiv (x)[P]_{A \cup \{x\}}$
- Reductions
  - usual reductions are all allowed intra sites
  - $[P \mid \bar{x}\langle\tilde v\rangle]_A \to [P]_A$ if $x \notin A$ (message loss)
  - $[P \mid x(\tilde y).P']_A \mid [Q \mid \bar{x}\langle\tilde v\rangle]_B \to [P \mid P'\{\tilde v/\tilde y\}]_A \mid [Q]_B$ (network communication)
  - … (network branching)
Modeling Timers
- If messages can vanish, then the core protocol can easily deadlock (e.g. loss of a decision message)
- Timers are fundamental for preventing infinite wait
- Augment the calculus with the notion of a timer
  $P ::= \dots \mid timer^t(R,Q)$
  - where $t$ ranges over integers greater than 0 and represents the clock ticks left before the timer expires
  - $R$ is the input-guarded time-in continuation
  - $Q$ is the time-out continuation
Timer Stepper
- Function $\phi(P)$ ticks each timer in $P$ by one discrete unit
  $\phi(timer^{t+1}(R,Q)) = timer^t(R,Q)$ if $t \ge 1$
  $\phi(timer^t(R,Q)) = Q$ if $t \le 1$
  $\phi(R|Q) = \phi(R)|\phi(Q)$
  $\phi((x)R) = (x)\phi(R)$
  $\phi(P) = P$ otherwise
  - Note that timers under guarding prefixes (and replication)
- Each site has its local time
  - When time advances, it progresses for all timers in a site
  - In different sites, time can advance separately
Time Passing Reductions
  $timer^{t+1}(x(\tilde y).P, Q) \mid \bar{x}\langle\tilde v\rangle \to P\{\tilde v/\tilde y\}$ (time-in)
  $P \to \phi(P)$ (idle tick)
- we can no longer freely reduce under $|$:
  $P|R \to Q|\phi(R)$ if $P \to Q$ (local time)
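An added example for the timer stepper and the time-passing rules on this and the previous slide (our own Python, not code from the slides): a tuple representation of terms, the stepper phi, the time-in reduction, and the local-time rule that ticks the rest of a site while one component reduces. The tuple encoding and the helper names (phi, time_in, local_time) are constructed for the example; name passing is left out, as in the slides' abbreviations.

```python
# Terms are nested tuples (a constructed representation of the slides' syntax):
#   ("nil",) | ("out", x) | ("in", x, P) | ("par", P, Q) | ("new", x, P) | ("bang", P)
#   | ("timer", t, R, Q)   with t > 0 ticks left, R the time-in, Q the time-out.
# Name passing is omitted, as in the slides' abbreviations x[P,Q], x-left, x-right.

def phi(p):
    """Timer stepper: one discrete tick of every timer reachable through | and (x).
    A timer at 1 expires into Q; timers under a prefix or under ! are left alone."""
    kind = p[0]
    if kind == "timer":
        _, t, r, q = p
        return ("timer", t - 1, r, q) if t > 1 else q
    if kind == "par":
        return ("par", phi(p[1]), phi(p[2]))
    if kind == "new":
        return ("new", p[1], phi(p[2]))
    return p                                    # nil, out, in, bang: unchanged

def time_in(p):
    """timer^{t+1}(x.P, Q) | x-bar -> P : the guarded input fires before the timer expires.
    Returns None when p is not such a pair (no reduction)."""
    if p[0] == "par" and p[1][0] == "timer" and p[2][0] == "out":
        _, _t, r, _q = p[1]
        if r[0] == "in" and r[1] == p[2][1]:
            return r[2]
    return None

def local_time(site, step):
    """Local-time rule P|R -> Q|phi(R) if P -> Q: while the left component
    takes the step, the rest of the site ticks once."""
    _, left, rest = site
    q = step(left)
    return None if q is None else ("par", q, phi(rest))
```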
Modeling Savepoints
- In centralized systems there is no notion of partial failure: if the system crashes, the whole computation ends
- In distributed systems, partial failure is a key characteristic
- Persistent memory, unaffected by failures, to store savepoints to recover computations
- We allow processes themselves to be savepoints
- We assume failures cannot take place during an interaction
  - failures occur either before or after
  - the action of receiving a message is atomic
Pi-Calculus with Savepoints
- Augment processes: $P ::= \dots \mid save\langle P\rangle.Q$
- Augment sites: $N ::= \dots \mid [P]_{A,Q} \mid [*]_{A,Q}$
  - $[P]_{A,Q}$ is a site containing $P$ with latest savepoint $Q$
  - $[*]_{A,Q}$ is a crashed site with latest savepoint $Q$
- Well-formed sites
  - $\vdash [P]_{A,Q}$ if $P$ and $Q$ are local and each free input subject of $P$ and $Q$ is in $A$
  - $\vdash [*]_{A,Q}$ if $Q$ is local and each free input subject of $Q$ is in $A$
Saving and Restarting
- Reductions
  $[P \mid save\langle Q\rangle.R]_{A,S} \to [P \mid R]_{A,Q}$ (save)
  $[P]_{A,Q} \to [*]_{A,Q}$ (stop)
  $[*]_{A,Q} \to [Q]_{A,Q}$ (restart)
- Weak and strong bisimilarities are suitably extended
  - they are congruences for networks, but not for processes
- See the paper for the whole protocol
Recap
We have seen:
- Modeling 2PC in pi-calculus
- Useful extensions
- Advantages
References
- M. Berger, K. Honda. The two-phase commitment protocol in an extended pi-calculus. Proc. EXPRESS'00, ENTCS 39.
- M. Berger. Towards abstractions for distributed systems. PhD Thesis, Imperial College, Department of Computing.