1 Formal Models for Distributed Negotiations The 2PC in an Extended Pi-Calculus Roberto Bruni Dipartimento di Informatica Università di Pisa XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July

Formal Models for Distributed Negotiations2 Towards the End What should have emerged from this course? Dealing with distributed systems is not an easy task Current interests: Coordination, orchestration, choreography of concurrent and distributed processes/data Negotiations, contracts, agreements, committed choices (transactions in disguise) Formal models are essential to support rigorous analysis, specifications and proofs to support efficient implementations to develop new concepts to compare approaches

Formal Models for Distributed Negotiations3 One More Example To conclude our excursus 2PC in pi-calculus [Berger, Honda 2000] some extensions are needed to cover all the aspects of the protocol message loss sites local timers site failures persistence Atomicity can be formally expressed and proved Here main ideas are just sketched

Formal Models for Distributed Negotiations4 2PC (Again!) Informally 2PC protocol distributed faulty processes communicating on faulty channels unique TM (coordinator) finitely many participants (statically fixed) atomicity as far as outside observers are concerned with, it looks as if all participants commit/abort together

Formal Models for Distributed Negotiations5 2PC: Core Protocol Assuming the absence of failures: The coordinator sends vote requests to all participants Each participant sends its vote (abort/commit) back to the coordinator if the message is abort, the participant aborts immediately otherwise, the participant waits for the decision of the coordinator the coordinator itself can decide to vote commit/abort When all votes are collected if all voted commit, the coordinator tells all to commit otherwise, the coordinator tells all to abort All participants that voted commit were waiting for the decision and must behave accordingly

Formal Models for Distributed Negotiations6 2PC: Timers Since messages can be lost in transit, the core protocol is augmented with timeouts The coordinator sets a timer before waiting for votes if the times expires, the coordinator votes abort Each participant that voted commit sets a timer before waiting for the decision if the timer expires, the participant can assume that the message carrying the decision was lost and will request the coordinator to send the decision again (centralized version), setting up another timer

Formal Models for Distributed Negotiations7 2PC: Savepoints Systems/processes can crash all crashed systems will eventually restart to allow consistent restarting, savepoints are added to the protocol persistent datum S if P crashes it will restart as S The initial savepoint of the coordinator is such that, after restart, it will order participants to abort (crashed coordinators are not trustworthy) After the coordinator has received all votes and they are all for commit, the coordinator updates its savepoint to order commit if restarted, then sends the decision The initial savepoint of each participant is to abort After voting commit, the savepoint is updated to vote commit again and wait the decision, then sends its vote

Formal Models for Distributed Negotiations8 Pi-Calculus with Branching I Asynchronous pi-calculus (y abbreviates y 1,…,y n ) P ::= 0 | x  y  | x(y).P | ( x)P | P|P | !x  y  | !x(y).P Augmented with branching (to deal more conveniently with binary abort/commit decisions) P ::= … | x[(y).P,(z).P] | x-left  y  | x-right  y  Structural rules alpha-renaming of bound names _|_ is associative, commutative, with unit 0 ( x)( y)P  ( y)( x)P P|( x)Q  ( x) (P|Q) when x  fn(P) P|!P  !P

Formal Models for Distributed Negotiations9 Pi-Calculus with Branching II Reductions allowed in any context, unless under prefix defined up-to structural equivalence x(y).P | x  v   P{v/y} x[(y).P,(z).Q] | x-left  v   P{v/y} x[(y).P,(z).Q] | x-right  v   Q{v/z} Abbreviations x[P,Q], x-left, x-right (in absence of name passing) P  Q = ( c)(c.P|c.Q|c  ) (internal sum) P  Q  P’ ~ P and P  Q  Q’ ~ Q

Formal Models for Distributed Negotiations10 Pi-Calculus: Core Protocol 2PCP = ( vote self )( vote)( dec)( C | P 1 | … | P n ) C = ( c) ( c self ) ( a)( C wait | C commit | C abort | C self ) C wait = vote 1 [c 1 ,a  ] | … | vote n [c n ,a  ] | vote self [c self ,a  ] C self = vote self -left  vote self -right C commit = c 1. ….c n.c self.(dec 1 -left | … | dec n -left ) C abort = a.(dec 1 -right | … | dec n -right ) P i = Pc i  Pa i Pc i = vote i -left | dec i [!commit i , !abort i  ] Pa i = vote i -right | !abort i  Proposition 2PCP  Abort  Commit where Abort =  i !abort i  and Commit =  i !commit i 

Formal Models for Distributed Negotiations11 Modeling Message Loss Reduction x  y   0 ? unrealistic: not all messages can be lost only those traveling between different sites Two kinds of channels (lossy/reliable)? It is not the channel, it is the message that matters (local/remote) Augment the calculus with the notion of a site clear separation between internal and external message passing N ::= 0 | ( x)N | N|N | [P] A site ready to receive from channels in A

Formal Models for Distributed Negotiations12 Access Points [P] A as a LAN connected to the Internet A is the set of IP-addresses owned by hosts in the LAN [P] A as a host A is the set of sockets serviced by P In general A is the set of access points of [P] A ap(0) =  ap(( x)N ) = ap(N) - {x} ap(N|M) = ap(N)  ap(M) ap([P] A ) = A

Formal Models for Distributed Negotiations13 Well-Formed Sites Local processes Given P=x(y).Q x occurs in P as input subject free occurrences of y in Q are said input-bound P is local if no input subject is input bound Well-formed sites (written |- N ) |- 0 |- ( x)N if |- N |- N|M if |- N and |- M and ap(N)  ap(M)=  |- [P] A if P is local and each free input subject of P is in A

Formal Models for Distributed Negotiations14 More on Sites We consider well-formed sites only Overloaded operators 0, ( x) and | obey the same structural rules as those for processes In addition we assume [( x)P] A  ( x)[P] A  {x} Reductions usual reductions are all allowed intra sites [P|x  v  ] A  [P] A if x  A (message loss) [P|x(y).P’] A | [Q|x  v  ] B  [P|P’{v/y}] A | [Q] B (network communication) … (network branching)

Formal Models for Distributed Negotiations15 Modeling Timers If messages can vanish, then the core protocol can easily deadlock (e.g. loss of a decision message) Timers are fundamental for preventing infinite wait Augment the calculus with the notion of a timer P ::= … | timer t (R,Q) where t ranges over integers greater than 0 represents the clock ticks left before the timer expires R is input-guarded time-in continuation Q is the time-out continuation

Formal Models for Distributed Negotiations16 Timer Stepper Function  (P) ticks each timer in P by one discrete unit  (timer t+1 (R,Q)) = timer t (R,Q) if t  1  (timer t (R,Q)) = Q if t  1  (R|Q) =  (R)|  (Q)  (( x)R) = ( x)  (R)  (P) = P otherwise Note that timers under guarding prefixes (and replication) Each site has its local time When time advance, it progresses for all timers in a site In different sites, time can advance separately

Formal Models for Distributed Negotiations17 Time Passing Reductions timer t+1 (x(y).P,Q) | x  v   P{v/y} (time-in) P   (P) (idle tick) we can no longer freely reduce under | P|R  Q|  (R) if P  Q (local time)

Formal Models for Distributed Negotiations18 Modeling Savepoints In centralized systems there is no notion of partial failure If the system crashes, the whole computation ends In distributed systems, partial failure is a key characteristic Persistent memory, unaffected by failures to store savepoints to recover computations We allow processes themselves to be savepoints We assume failures cannot take place during an interaction failures occur either before or after the action of receiving a message is atomic

Formal Models for Distributed Negotiations19 Pi-Calculus with Savepoints Augment processes P ::= … | save  P .Q Augment sites N ::= … | [P] A,Q | [*] A,Q [P] A,Q is a site containing P with latest savepoint Q [*] A,Q is a crashed site with latest savepoint Q Well-formed sites |- [P] A,Q if P and Q are local and each free input subject of P and Q is in A |- [*] A,Q if Q is local and each free input subject of Q is in A

Formal Models for Distributed Negotiations20 Saving and Restarting Reductions [P|save  Q .R] A,S  [P|R] A,Q (save) [P] A,Q  [*] A,Q (stop) [*] A,Q  [Q] A,Q (restart) Weak and strong bisimilarities are suitably extended they are congruences for networks, but not for processes See the paper for the whole protocol

Formal Models for Distributed Negotiations21 Recap We have seen Modeling 2PC in PDL pi-calculus Useful extensions Advantages

Formal Models for Distributed Negotiations22 References The two-phase commitment protocol in an extended pi-calculus (Proc. EXPRESS’00, ENTCS 39) M. Berger, K. Honda Towards abstractions for distributed systems (PhD Thesis, Imperial College, Department of Computing) M. Berger