Josef Widder1 Why, Where and How to Use the  - Model Josef Widder Embedded Computing Systems Group INRIA Rocquencourt, March 10, 2004

Josef Widder2 Work in Progress  Motivation  Ideas  Our Approach  First Results in certain types of networks

Josef Widder3 Overview  Why: Because classic results are straight forward but have drawbacks  Where: A glance at synchrony in real networks  How: Transfer of algorithm to real systems

Josef Widder4 Consensus  Dwork, Lynch, Stockmeyer 88  Chandra, Toueg 96  There exist algorithmic solutions if  holds   is the upper bound on end-to-end message delays  What remains: Show that your system ensures 

Josef Widder5 Diverse assumptions on    is known/unknown   hold always/from some time one/sufficiently long   holds for all/some (FD) msgs … [DLS88] / [CT96]   holds eventually somewhere … [ADFT03] These are weak assumptions, still  is in there

Josef Widder6 By the way... upper bounds look like this

Josef Widder7 Upper bounds do not look like this  Let’s assume  = 8s and test it for a week  Approaches like [MF02]  delay of a protocol is 5   delay should be at most 5s  let’s define  = 1s

Josef Widder8 Can upper bounds be derived properly ?  Guarantees are (NP) hard to derive (scheduling, queuing)  problem must be simplified  simplification leads to incomplete guarantees

Josef Widder9 What do I have to analyze to ensure   local delays sender (processor load, task preemption, blocking factors)  outbound queues  net contention  inbound queues  local delays receiver (processor load, task preemption, blocking factors) This is hard, yet only delivers  at some probability.

Josef Widder10 Assumption Coverage The probability that our assumptions hold during operation Our Starting Point: We can improve coverage by means of system models

Josef Widder11 The Model  (t)... Upper envelope of message delays at time t  (t)... Lower envelope of message delays at time t Since  (t) is unbounded, local HW timers cannot timeout messages  time(r) free algorithms

Josef Widder12 Described Behavior (rough sketch) t end-to-end delays  

Josef Widder13 Coverage of   wc sender delays wc outbound queues wc net contention wc inbound queues wc receiver delays bc (no other tasks, no blocking…) queue empty empty channel queue empty bc (no other tasks, no blocking…) C  = 1C  < 1

Josef Widder14 Coverage of the  - Model How large is states(    ) ? And why is this interesting anyway ?

Josef Widder15 Consensus in Real Networks From FLP follows: Any solution to Consensus on a real network is a probabilistic solution pure asynchrony probabilistic solutions some synchrony correct solutions C model = 1 p solution < 1 C model < 1 p solution = 1 … not even talking about coverage of fault models

Josef Widder16 How large is coverage improvement ?  Coverage cannot be worse than in  assumption  if relation of  and  exists, improvement is large.  But even in networks without relation of  and  (if such exist?)  If by chance there exists just one case where  holds while  does not, coverage is improved

Josef Widder17 termination times often look like hence: How large is  ?  Step 1  timing uncertainty of networks  Step 2  establish , , and  on given networks, for a given system model for given algorithms Performance

Josef Widder18 Benchmark for Timing Uncertainty in clock synchronization the best precision one can reach is  =  -  [LL84] …  (1-1/n) comparison of two approaches in Ethernet  clock sync  their results  conclude where to use our model

Josef Widder19 Clock Sync in Ethernets  NTP [Mills]  Accuracy of ~1ms  SynUTC [ ]  Accuracy of ~100ns Why is there a difference of 4 orders of magnitude?

Josef Widder20 Wherefrom comes the difference ?  NTP runs at application level  SynUTC runs low level  current clock value is directly copied onto the bus  upon message receipt, receiver’s clock value is written in the received message as well  interval based clock sync algorithms [SS03]

Josef Widder21 Conclusions from this comparison  low level clock sync  high level applications use tightly synchronized clocks  But how does this help us in solving Consensus?  Fast Failure Detector Approach [HLL02] ([CT96]: just FD messages must satisfy timing assumptions)

Josef Widder22 Fast Failure Detectors  low level failure detection  high priority FD messages … n = 16…1024

Josef Widder23 Performance (after Step 1)  Timing uncertainty differs in same network depending on the layer the algorithm runs in   should be reasonable good in lower levels  Step 2: establish , , and  on given networks, for a given system model running given algorithms

Josef Widder24 Algorithms in Networks end-to-end delays ,  1.Leader Election 2.Token Circulation (1x) 3.1.  2.

Josef Widder25 Theoretical Analysis  Leader Election  bc(leader) = ... wc(leader) =   one Token Circulation  bc(token) = 3 ... wc(token) = 3   Leader  Token  bc(comb) = 4 ... wc(comb) = 4 

Josef Widder26 Establish Time Bounds  end-to-end delays  from decision to send a message until receiver makes its decision   = t s + trans + t r   = 2t s + trans + 2t r …message arrival laws rate of transmission to one p

Josef Widder27 Termination Times Leader Election Token Circulation

Josef Widder28 Termination Times (2) Leader Election  Token Round... by adding... by examination

Josef Widder29 Conclusions of Step 2a  during operation ,  do not only depend on the system  algorithms must be accounted as well  how many messages are sent  network load  this was a toy example BUT

Josef Widder30 Deterministic Ethernet … CSMA/DCR  bus  only one message on the medium at a time  deterministic collision resolution  upper bound on physical message transmission (i.e. trans not the end-to-end delay)  if a station wants to send a message at t 1 and sends it at t 2 (collision) then every station can at most send one message between t 1 and t 2

Josef Widder31 Hot: First Results in Deterministic Ethernet  =  -  … is only relevant for one broadcast in fact the time difference for receiving n - f msgs

Josef Widder32 First Results (2)... how many messages transferred during any message is in transit in deterministic Ethernet: but we require f+1 msgs:

Josef Widder33 First Results in Deterministic Ethernet (3)  n = 1024 and f = 511 … crash faults, hence n > 2f  derive properties which are equivalent to   2 in the system model  results apply in TDMA networks as well (due to inefficiency of the bus arbitration  might be even smaller)

Josef Widder34 Conclusions   - Model reaches higher assumption coverage  small timing uncertainty in lower network levels  , , , and  are related to  real network  algorithm   remains within reasonable bounds

Josef Widder35  anks !