by J. Burns and J. Pachl Presented by: Irina Shapira Julia Mosin February1999 February 1999 Uniform Self-Stabilization
Self-Stabilizing System: S = (G, R, , ) G = (V,E) G = (V,E) = 0 1 n-1 - set of configurations where i is a finite set of states of processor P i = 0 x 1 x... x n-1 - set of configurations where i is a finite set of states of processor P i R - orientation of G specifies a total ordering on the neighbors for each v in V R - orientation of G specifies a total ordering on the neighbors for each v in V = 0 1 n-1 - sequence of transition relations where i is a transition relation of processor P i from i v1 vk to i ( R(i) = (v 1,..., v k )) = 0, 1,..., n-1 - sequence of transition relations where i is a transition relation of processor P i from i x v1 x... x vk to i ( R(i) = (v 1,..., v k ))
For configuration ( s 0, s 1, …, s n-1 ) where s j is a state of P j (for all j). s j is a state of P j (for all j). Self-Stabilizing System: S = (G, R, , ) x - possible next state of P i, x - possible next state of P i, i.e. if R(v i ) = (v 1,..., v k ) then ( s i,s v1, …, s vk, x ) i i.e. if R(v i ) = (v 1,..., v k ) then ( s i,s v1, …, s vk, x ) i we define i ( ) as a set of all configurations ’ such that ’ s 0,s 1, …, s i-1, x, s i+1, …, s n-1 ) (for all possible values of x)
P i is enabled (privileged) at if i ( ) is not empty P i is enabled (privileged) at if i ( ) is not empty i ’ is a step of P i if ’ i ( ) ’ is a step of P i if ’ i ( ) ’ is a step of P i for some i ’ is a step of P i for some i is a computation of the system where j-1 j for all j is a computation of the system where j-1 j for all j Only one processor takes a step at a time - central demon Self-Stabilizing System: S = (G, R, , )
P0P0 is a system S = (G, R, , ) where An n-processor uniform ring G is a cycle G is a cycle processors are denoted by 0,1, …, n-1 in order around the cycle processors are denoted by 0,1, …, n-1 in order around the cycle R(i) = ( (i-1) mod n, (i+1) mod n ) R(i) = ( (i-1) mod n, (i+1) mod n ) 0 1 n-1 0 = 1 =... = n-1 0 1 n-1 0 = 1 =... = n-1 P1P1 P2P2 P3P3 P4P4 P5P5
Definition 1: A system S = (G, R, , ) is self-stabilizing iff there is a set , called the legitimate configurations of S, such that: For every there is a ‘ such that ’ For every there is a ‘ such that ’ (1) No Deadlock (1) No Deadlock For every , every ’ such that ’ is in For every , every ’ such that ’ is in (2) Closure (2) Closure Every infinite computation of S contains a configuration in Every infinite computation of S contains a configuration in (3) No Livelock (3) No Livelock For every , exactly one processor is enabled For every , exactly one processor is enabled (4) Mutual Exclusion (4) Mutual Exclusion For every processor P i, every infinite computation consisting of configurations in contains an infinite number of steps by P i (5) Fairness (5) Fairness
Theorem 1: There is no uniform n-processor self-stabilizing ring if n is composite. Proof: P0P0 P1P1 P2P2 P3P3 P4P4 P5P5 [ [i] = {Pj | j = i mod p} S Sym() all the Pj in [i] are in the same state in i if Sym(0) holds, we can construct an infinite computation for which Sym(i) holds for every i 0:0:0:0: s0s0 s0s0 s0s0 s0s0 s0s0 s0s0 1:1:1:1: s1s1 s1s1 s1s1 s2s2 s2s2 s2s2 2:2:2:2:
Theorem 2: There is a uniform 2-processor self-stabilizing ring. 0 1 {0, 1, 2} 0 = 1 = {0, 1, 2} Proof: s i is a state of P i s i is a state of P i { (0,1), (2,1), (2,0), (1,0), (1,2), (0,2 ), (0,0), (1,1), (2,2) } = { (0,1), (2,1), (2,0), (1,0), (1,2), (0,2 ), (0,0), (1,1), (2,2) } { (0,1), (2,1), (2,0), (1,0), (1,2), (0,2 ) } = { (0,1), (2,1), (2,0), (1,0), (1,2), (0,2 ) } For legitimate configurations : For the rest : (0,1) -> (2,1) -> (2,0) -> (1,0) -> (1,2) -> (0,2) -> (0,1) (1,0) (0,1) (2,1) (1,2) (2,1) (1,2) (0,2) (2,0)
If the size of the ring is prime: no distinguished processor no distinguished processor ( n 2 ) states ( n 2 ) states deterministic algorithm deterministic algorithm central demon central demon
The Protocol: d deterministic u unidirectional (the value of i(si, si-1, si+1) depends only on si and si-1) si-1 si -> x means that x i(si,si-1,si+1) for any si+1
A First Attempt 0 = 1 =... = n-1 = { 0, 1, …, n-2 } a arithmetic modulo n-1 The rule: if si si-1+1 then si-1 si si-1+1
P0P0 P2P2 P3P3 P4P4 P1P P1P1 P2P P 0 P 1 P 2 P 3 P P2P2 2 P3P P3P3 P4P P4P4 0 P0P P0P0 P1P The cycle of the intended legitimate configurations The rule: if s i s i then s i- 1 s i s i The rule: if s i s i then s i- 1 s i s i- 1 +1
P2P2 P3P3 P4P P 0 P 1 P 2 P 3 P The cycle which does not intersect the cycle of the legitimate configurations P1P1 P0P0 P3P P3P3 P0P0 P4P P0P0 2 P1P1 P4P P4P4 P0P0 P1P P0P0 P1P1 3 P2P P0P0 1 P1P1 P2P P1P1 P2P2 0 P3P P1P1 2 P2P2 P3P P2P2 P3P3 1 P4P P0P0 1 2 P2P2 P3P3 0 P4P4 1 livelock The rule: if s i s i then s i- 1 s i s i The rule: if s i s i then s i- 1 s i s i- 1 +1
A Second Attempt 0 = 1 =... = n-1 = { 0, 1, …, n-2 } a arithmetic modulo n-1 The rule: if sisi-1+1 and (si0 or si-1=0) then si-1 si si-1+1
P 0 P 1 P 2 P 3 P legitimate configurations P 0 P 1 P 2 P 3 P not legitimate configurations But Deadlock The rule: if s i s i and (s i 0 or s i- 1 =0) then s i- 1 s i s i The rule: if s i s i and (s i 0 or s i- 1 =0) then s i- 1 s i s i- 1 +1
The Protocol: n n 3 s states are label.tag (Li.Ti) l labels range over { 0, 1, …, n-2 } t tags range over { 0 } U { 2, 3, …, n-2 } Rule A: if Li Li-1+1 and (Li0 or Ti-1=0 or Ti-1Li-Li-1 or Ti-1<Ti) then Li-1.Ti-1 Li.Ti (Li-1+1).(Li-Li-1) Rule B: if Li = Li-1+1 and Li 0 and Ti-1 Ti then Li-1.Ti-1 L L L Li.Ti Li.Ti-1
The Proof of Self-Stabilization: Let be the set of all cyclic permutations of configurations of the form … a-1.0 a.0 a.0 a+1.0 … n … a-1.0 a.0 a.0 a+1.0 … n-2.0 for a=0, 1, …, n-2 Theorem 3: Theorem 3: If n is prime, then the ring is self-stabilizing (and is a set of legitimate configurations) S = (G, R, , ) Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Definition 2: Let be a configuration if L i+ 1 L i +1 (mod n-1), then P i and P i+ 1 form a gap of if L i+ 1 L i +1 (mod n-1), then P i and P i+ 1 form a gap of the gap size (of P i and ) g(i, L i+ 1 - L i (mod n-1) the gap size (of P i and ) g(i, L i+ 1 - L i (mod n-1) a segment of is a maximal cyclically contiguous sequence s=(P i, P i+ 1, …, P j- 1, P j ) which contains no gaps a segment of is a maximal cyclically contiguous sequence s=(P i, P i+ 1, …, P j- 1, P j ) which contains no gaps the gap size of s g(s, is the gap size of its right end (g(j, )) the gap size of s g(s, is the gap size of its right end (g(j, )) P i is the left end of s, P j is the right end of s P i is the left end of s, P j is the right end of s a segment is zero based if its left end is 0 (L i = 0) a segment is zero based if its left end is 0 (L i = 0) Example : (P 6 P 0 P 1 P 2 ) zero based segment gap of size 2 gap of size 5 P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 0 P 1 P 2 P 3 P 4 P 5 P P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 0 P 1 P 2 P 3 P 4 P 5 P
P 0 P 1 P 2 P 3 P 4 P1P1 P0P0 P3P3 P2P P4P4 Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i P0P0 P1P P1P1 P4P P4P4 P3P P3P3 P4P P4P4 P2P P2P2 P3P P3P3 P4P P4P4 P0P P1P P1P1 2.0 P2P P2P2 3.0 P3P P3P3 P4P P4P4 P0P0 P0P0
Definition 1: A system S = (G, R, , ) is self-stabilizing iff there is a set , called the legitimate configurations of S, such that: (1) No Deadlock (1) No Deadlock (2) Closure (2) Closure (3) No Livelock (3) No Livelock (4) Mutual Exclusion (4) Mutual Exclusion (5) Fairness (5) Fairness
Lemma 1: Conditions 2 (Closure), 4 (Mutual Exclusion), and 5 (Fairness) of Definition 1 hold for and S. Proof: a all configurations in are cyclic permutations of the form = … a-1.0 a.0 a.0 a+1.0 … n-2.0 T Ti = Tj for all i and j, hence rule B does not apply r rule A applies to exactly one processor - Mutual Exclusion ’ bbbby rule A ’ = … a-1.0 a.0 a+1.0 a+1.0 … n-2.0 ’ ---- Closure i if Pi is enabled in ,,,, then Pi+1(mod n) will be enabled in ’’’’ ---- Fairness Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Lemma 2: Proof: Proof: If n is prime, then some processor is enabled for every configuration in , and therefore Condition 1 (No Deadlock) holds i if rule A doesn’t apply, then all the segments are zero-based C Case 1: one zero-based segment of length n if Ti-1 = 0 rule A applies else Ti-1 0 and so Ti-1 Li - Li-1 and again rule A applies … L i-1.T i-1 … L i-1.T i-1 0.T i. … … 0.T i-1 0.T i... Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Case 2: there is more than one segment Case 2: there is more than one segment 0.k 1.k … m.k... all the gaps and all the segments have the same size Since n is prime, all the segment length must be and rule A applies for every gap Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1 k = 0 - m r ule B is not applicable - all tags within each segment are equal ule A doesn’t apply - Ti-1= Li- Li-1 Ti, i.e Ti = Ti-1= k for each gap
Lemma 3: Proof: Proof: In every infinite computation of S, every processor takes a step by rule A infinitely many times suppose that there is no such P i suppose that there is no such P i if someP i takes an infinite number of steps by rule A, so do all if some P i takes an infinite number of steps by rule A, so do all all labels are fixed and so are all segments all labels are fixed and so are all segments the left end of the segment cannot take a step by rule B the left end of the segment cannot take a step by rule B P i which is not the left end can take at most one step more than P i-1 P i which is not the left end can take at most one step more than P i-1... P i P i- 1 P i … Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Lemma 4: Proof: Proof: For any computation of S, the number of segments is nonincreasing. r rule B does not change the number of segments ule A cannot increase the number of segments PiPi … P i-1 P i … P i-1 P i P i+1 … P i+1 … … P i-1 P i+1 … … P i-1 P i Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Definition: A computation in which the number of segments is constant is called quiet. Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Definition : Definition : Let C = 0 1 … be a quiet computation a dynamic gap is a function z from indices of computation into indices of processors, satisfying the following: (1) processor z(0) is the right end of the segment in 0 (1) processor z(0) is the right end of the segment in 0 (2) if j-1 -> j is a step of P i by rule A and z(j-1) = i-1 then z(j) = i, else z(j)=z(j-1) (2) if j-1 -> j is a step of P i by rule A and z(j-1) = i-1 then z(j) = i, else z(j)=z(j-1)... P i-1... P i-1 z(j-1) j-1 : P i P i P i-1 P i... P i-1 P i z(j) j:j:j:j: P i+1... Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Definition (cont): Definition (cont): a dynamic segment is a function s z from indices of computation into segments, such that s z (j) is a segment in j whose right end is z(j).... P i... P i s z (j) z(j) j:j:j:j: Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Lemma 5: Proof: Proof: Let C = 0 1 … be a quiet computation and z a dynamic gap of C. Then g(z(j-1), j-1 ) = g(z(j), j ) for 0 < j < length(C). P i =z(j-1)+1 takes a step P i = z(j-1)+1 takes a step... P i-1... P i-1 z(j-1) j-1 : P i P i P i-1 P i... P i-1 P i z(j) j:j:j:j: P i+1... length > 1 P i z(j-1)+1takes a step - does not affect the gap P i z(j-1)+1 takes a step - does not affect the gap Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1 P i = z(j-1)takes a step - the segment disappears-contradiction P i = z(j-1) takes a step - the segment disappears-contradiction PiPiPiPi z(j-1) g =L i -L i-1 L’ i+1 = L i +1 L’ i =L i-1 +1
Lemma 6: Proof: Proof: Let C = 0 1 … be an infinite quiet computation and z a dynamic gap of C. Then there is j 0, such that the state of processor z(j) in j is 0.g(z) and there is j 0, such that the state of processor z(j) in j is 0.g(z) and there is k 0, such that the state of processor z(k) +1 in k is 0.u for some u there is k 0, such that the state of processor z(k) +1 in k is 0.u for some u... a.*... a.* szsz j1:j1:j1:j1: a.* (a+1).g(z)... a.* (a+1).g(z) z(j 1 ) j2:j2:j2:j2: z(j 2 ) … 0.g(z) … 0.g(z) j:j:j:j: z(j)... at most n-1 times Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Lemma 6 (b): Proof: Proof: Let C = 0 1 … be an infinite quiet computation and z a dynamic gap of C. Then Let C = 0 1 … be an infinite quiet computation and z a dynamic gap of C. Then there is j 0, such that the state of processor z(j) in j is 0.g(z) and there is j 0, such that the state of processor z(j) in j is 0.g(z) and there is k 0, such that the state of processor z(k) +1 in k is 0.u for some u there is k 0, such that the state of processor z(k) +1 in k is 0.u for some u szsz j:j:j:j: … P i 0.g(z’) … P i 0.g(z’)... P i... P i z’(j)=P i+1 k:k:k:k: 0.g(z’)... z(k) s z’ P i+1... szsz s z’ Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Definition: A segment is well formed if all its tags are equal to its gap size. Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Lemma 7: Proof: Proof: Let C = 0 1 … be an infinite quiet computation. Then there is j 0 0, such that for all j j 0 all segments in j are well formed... 0.g(z)... 0.g(z) szsz j1:j1:j1:j1:... 0.g(z) 1.g(z)... 0.g(z) 1.g(z) z(j 1 )=P i j’ 1 : z(j’ 1 )=P i+1 … 0.g(z) 1.g(z) … m.g(z) … 0.g(z) 1.g(z) … m.g(z) j’ m :... j2:j2:j2:j2: 0.g(z) 1.g(z) … *.g(z) z(j’ m )=P i+m z(j 2 ) Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1
Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1 Lemma 8: Proof: Proof: There is a point in every infinite computation of S after which every configuration has exactly one segment. If for all dynamic gaps of C’ g(z) were 0, then there would be only one segment … a.0 a.0... If there is some dynamic gap of C’ such that its size is greater than 0: szsz z(j 1 )=P i s z’ P i+1 g(z) g(z’) and g(z) 0 a.g(z) a.g(z) 0.g(z’) C’ - quiet computation with well formed segments - rule B is void Pi+1 can make a step only after Pi, but such a step would destroy sz contradiction
Conclusion: Proof: Proof: The system never livelocks. … a-1.0 a.0 a.0 a one well formed segment, g(z) = 0, all tags are 0 After finitely many step the system reaches the following configuration : Hence, is a legitimate configuration Recall: the set of legitimate configurations is the set of all cyclic permutations of configurations of the form … a-1.0 a.0 a.0 a+1.0 … n-2.0 for a=0, 1, …, n … a-1.0 a.0 a.0 a+1.0 … n-2.0 for a=0, 1, …, n-2 :::: Rule A: if L i L i and (L i 0 or T i- 1 = 0 or T i- 1 L i -L i- 1 or T i- 1 < T i ) then L i- 1.T i- 1 L i.T i (L i- 1 +1).(L i -L i- 1 ) Rule B: if L i = L i and L i 0 and T i- 1 T i then L i- 1.T i- 1 L i.T i L i.T i- 1