1. Lecture 3: State, Detection
Anish Arora
CSE 763 1

2. The Stability Detection Problem
A stable property of a distributed system is one that persists: once a stable property is true it remains true thereafter
Examples:
“the computation has terminated”
“the system is deadlocked”
“all tokens in a token ring have disappeared”
Solution
Determine the global state of the system
Test the global state to see if the stable property holds

3. Termination Detection
Processes 0..N-1 arbitrarily connected by channels
Each process either idle or active
An active process can become idle spontaneously
An idle process can become active only upon receiving a message
The Problem :
Detect that all processes are idle and all channels are empty

4. Program and Proof (hand-in-hand) Design
Step 0 : How to count messages in channels.
process j
{send msg}  c.j := c.j + 1 ▯
{receive msg}  c.j := c.j - 1
Proof :
Invariant I1  (Sum j :: c.j) = # of messages in channels

5. Refining the program
Step 1 : How to detect that all processes are idle.
Consider a logical ring 0 -> … N-1 -> … 0 and pass a token
Let t denote the location of the token
process j
{send msg}  c.j := c.j + 1
▯ {receive msg}  c.j := c.j - 1
▯ {propagate token}  t := t – 1
 j  0  t = j  idle.j ; q := q + c.j
▯ {retransmit token}  t := N – 1
 j = 0  t = j  idle.j ; q := 0
  (q + c.0 = 0)

6. Refining the proof
Proof : We begin with an idealized Invariant  I1  Q, where
Q  (j : t<j  j<N : idle.j)  (q = (Sum j : t<j  j<N : c.j))
However Q is not preserved by one of the actions (the receive action for j, t < j  j < N)
But when Q is violated, R becomes true, where
R  q + (Sum j : 0 j  j  t : c.j) > 0
So, we weaken Invariant  I1  (Q  R)
However R is not preserved by one of the actions (the receive action for j, 0  j and j  t)

7. Refining the program again
Step 2 : How to abort a detection when unsure that the token traversal was uninterrupted.
process j
{send msg}  c.j := c.j + 1
▯ {receive msg}  c.j := c.j – 1;
; blacken j
▯{propagate token}  t := t – 1
 j  0  t = j  idle.j ; q := q + c.j
; whiten j
▯{retransmit token}  t := N – 1
 j = 0  t = j  idle.j ; q := 0
(q + c.0 = 0  0 is white) ; whiten j

8. Iterated refinement ▯ {retransmit token}  t := N – 1
Proof : Invariant  I1  (Q  R  S) where S  (j:0  j  jt:j is black)
However S is not preserved by one of the actions (the propagate action at a black node)
So we introduce a color for the token and get the final program
program of process j
{send msg}  c.j := c.j + 1
▯ {receive msg}  c.j := c.j – 1;
; blacken j
▯ {propagate token}  t := t – 1
 j  0  t = j  idle.j ; q := q + c.j
; if black j then blacken token
; whiten j
▯ {retransmit token}  t := N – 1
 j = 0  t = j  idle.j ; q := 0
(q + c.0 = 0  ; whiten token
token is white  0 is white) ; whiten j

9. Termination Detection Predicate
Termination  (j :: idle.j) 
# of msgs sent - # of msgs received = 0
Invariant  (Sum j:: c.j) = # of msgs sent - # of msgs received
 (Q  R  S  T)
Q  (j : t<j  j<N : idle.j)  (q=( j : t<j  j<N : c.j))
R  q + ( j : 0 j  j  t : c.j) > 0
S  (j : 0  j  j  t : j is black)
T  token is black

10. Proof of correctness
Invariant  t=0  O is white  idle.0  q+c.0=0  token is white 
Termination
Invariant  Termination
leads-to
t = 0  0 is white  idle.0  q + c.0 = 0  token is white

11. Termination Detection
Proof of (1):
O is white  t = 0   S
q + c.0 = 0  t = 0   R
token is white   T
Hence the antecedent implies Invariant  Q  q + c.0 = 0
i.e., the antecedent implies Termination
Proof of (2):
If termination has occurred, only the propagation and retransmission actions can execute
After the first complete traversal of the ring by the token, all processes are white and the token is white
At the end of the next traversal, when t = 0, the algorithm detects the termination of the underlying computation