Upload File

crash fault detection in celerating environments

  • Home
  • Documents
  • Crash Fault Detection in Celerating Environments
1
Crash Fault Detection in Celerating Environments Srikanth Sastry Scott M. Pike ([email protected] du) ([email protected] ) Implementing ◊P Implementable under (some models of) partial synchrony. Popular model: Unknown bounds on message delay () and relative process speeds (). Round Trip Time (RTT) = Outgoing message delay + message processing time + incoming message delay PING Local ◊P module Outgoing message delay Ack generation Time ≤ f() ≤ f() ACK Incoming message delay RTT ≤ + f() + RTT is bounded above! This bound on RTT can be adaptively estimated. Local Adaptive Estimation of RTT Measuring Time Action Clocks in Accelerating Environments Process Speed Real Time De facto bound on Round-Trip Time (RTT) k action-clock ticks Estimated bound on RTT - k action ticks 2k action-clock ticks Timeout! False suspicion k action-clock ticks New estimate on RTT is now 2k action ticks …. 4k action-clock ticks Timeout! False suspicion And so on, leading to an infinite stream of mistakes! And so on, leading to an infinite stream of mistakes! …. 2k action-clock ticks Faster processes More action-clock ticks per RTT Action clock timer continually times out Two techniques: – Action clocks: Counting the number of actions – Real-time clocks: Independent device to measure time (e.g., hardware clocks, NTP). Either technique works in environments that do NOT accelerate or decelerate arbitrarily But in Celerating environments, where processes can accelerate or decelerate arbitrarily, each technique fails independently. Start timer with some arbitrary (small) value If timer expires without receiving a message, suspect the process If a message arrives after timer expiry, trust the process and increase the timer value. Eventually timer value exceeds the bound on RTT. After which correct processes will never be suspected. Any crashed process is permanently suspected. But how do processes measure time? Crash! Distributed Systems Crash! A collection of autonomous computers (processes) connected through a communication network • But processes can crash! • Maintain correctness despite crashes • Fault tolerance through crash detection • Crash detection determined by synchronism in the system Crash Detection and System Models Failure Detectors Eventually Perfect Failure Detector Failure detectors: Distributed system service to detect process crashes. Failure detector provide (potentially) incorrect information. Still powerful enough to solve important problems. E.g., distributed consensus, leader election, wait-free scheduling, contention management. Failure detector implementations often require partial synchrony. One well known failure detector is ◊P, the eventually perfect failure detector. Live Crashed … Fault Pattern 1 ◊P outputs Crashed … Live Crashed … Live Crashed … Live Fault Pattern 2 ◊P outputs Crashed Live Live Crashed Live Live Partial Synchrony Crash Detection Possible Greater Fidelity to Real World Systems Synchrony Restrictive Model Crash Detection Possible Asynchrony Permissive Model Crash Detection Impossible Real-time Clocks in Decelerating Environments Solving the Celeration Problem Bi-Chronal Timers in Non-Celerating Environments Conclusion Process Step Time Real Time Msg Send Timeout! False suspicion New estimate on Round-trip time is now 2k real-time ticks …. Timeout! False suspicion …. And so on, leading to an infinite stream of mistakes! And so on, leading to an infinite stream of mistakes! Msg Recv Estimate on Round-trip time is k real-time ticks Msg Send Msg Recv Msg Send Msg Recv (Process Speed ) Slower processes Longer duration to generate and process messages Unbounded RTT (in real time) Bi-chronal timer A vectored composition of action timer and real-time timer. Measures time in terms of actions as well as real-time. All processes use separate local bi- chronal timers. Timer expires only when both action timer and the real-time timer expire. The action timer insulates ◊P from deceleration. The real-time timer insulates ◊P from acceleration. Bi-chronal clocks insulate ◊P from transient network behavior. Hardware upgrades often accelerate process speeds Action clocks precipitate ◊P mistakes during acceleration Bi-chronal clocks are immune to acceleration Multiple process crashes (in a server farm), DoS attacks, and such can decelerate processes to a crawl Real-time clocks precipitate ◊P mistakes during deceleration Bi-chronal clocks are immune to deceleration Many existing ◊P implementations are subtly broken Bi-chronal clocks provide a simple solution Additionally, they insulate systems from transient behavior Future work: Properties and behavior of Bi-chronal clocks Use of Bi-chronal clocks in other applications Other approaches to dealing with Celeration Asynchrony: Unbounded message delay and process speeds Synchrony: Known bounds on message delay and process speeds Partial Synchrony: Between synchrony and asynchrony

Upload: auryon

Post on 05-Jan-2016

38 views

Category:

Documents


0 download

Report

DESCRIPTION

Real Time. And so on, leading to an infinite stream of mistakes!. Msg Send. Msg Recv. 4k action-clock ticks. Conclusion. Implementing ◊P. Failure Detectors. Measuring Time. Estimate on Round-trip time is k real-time ticks. Eventually Perfect Failure Detector. …. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Crash Fault Detection in Celerating Environments

Crash Fault Detection in Celerating EnvironmentsSrikanth Sastry Scott M. Pike

([email protected]) ([email protected])

Implementing ◊P

• Implementable under (some models of) partial synchrony.• Popular model: Unknown bounds on message delay ()

and relative process speeds ().

Round Trip Time (RTT) = Outgoing message delay + message processing time + incoming message delay

PINGLocal

◊P module

Outgoing message delay ≤

Ack generationTime ≤ f()

≤ f()ACKIncoming message delay ≤

RTT ≤ + f() + RTT is bounded above!This bound on RTT can be adaptively estimated.

Local Adaptive Estimation of RTT Measuring Time Action Clocks in Accelerating Environments

Pro

cess

Spe

ed

Real Time

De facto bound on Round-Trip Time (RTT)k action-clock ticks

Estimated bound on RTT - k action ticks

2k action-clock ticks

Timeout! False suspicion

k action-clock ticks

New estimate on RTTis now 2k action ticks

….

4k action-clock ticks

Timeout! False suspicion

And so on, leading to an infinite stream of mistakes!And so on, leading to an infinite stream of mistakes!

….

2k action-clock ticks

Faster processes More action-clock ticks per RTT Action clock timer continually times out• Two techniques:

– Action clocks: Counting the number of actions– Real-time clocks: Independent device to

measure time (e.g., hardware clocks, NTP).

• Either technique works in environments that do NOT accelerate or decelerate arbitrarily

• But in Celerating environments, where processes can accelerate or decelerate arbitrarily, each technique fails independently.

• Start timer with some arbitrary (small) value• If timer expires without receiving a message, suspect

the process• If a message arrives after timer expiry, trust the

process and increase the timer value.• Eventually timer value exceeds the bound on RTT.• After which correct processes will never be

suspected.• Any crashed process is permanently suspected.

But how do processes measure time?

Crash!

Distributed Systems

Crash!

A collection of autonomous computers (processes) connected through a communication network

• But processes can crash!• Maintain correctness despite crashes• Fault tolerance through crash detection• Crash detection determined by synchronism in the system

Crash Detection and System Models Failure Detectors Eventually Perfect Failure Detector

• Failure detectors: Distributed system service to detect process crashes.

• Failure detector provide (potentially) incorrect information.

• Still powerful enough to solve important problems.

• E.g., distributed consensus, leader election, wait-free scheduling, contention management.

• Failure detector implementations often require partial synchrony.

• One well known failure detector is ◊P, the eventually perfect failure detector.

Live Crashed …Fault Pattern 1

◊P outputs

Crashed …Live Crashed …

Live Crashed …

LiveFault Pattern 2

◊P outputs

CrashedLive

Live CrashedLive

Live

Partial SynchronyCrash Detection Possible

Greater Fidelity to Real World Systems

SynchronyRestrictive Model

Crash Detection Possible

AsynchronyPermissive Model

Crash Detection Impossible

Real-time Clocks in Decelerating Environments Solving the Celeration Problem Bi-Chronal Timers in Non-Celerating Environments Conclusion

Pro

cess

Ste

p T

ime

Real TimeMsg Send

Timeout! False suspicion

New estimate on Round-trip time is now 2k real-time ticks…

.

Timeout! False suspicion

….

And so on, leading to an infinite stream of mistakes!And so on, leading to an infinite stream of mistakes!

Msg Recv

Estimate on Round-trip time is k real-time ticks

Msg Send Msg Recv

Msg Send Msg Recv

(Pro

cess

Spe

ed

)

Slower processes Longer duration to generateand process messages Unbounded RTT (in real time)

• Bi-chronal timer– A vectored composition of action timer and real-

time timer.– Measures time in terms of actions as well as real-

time.– All processes use separate local bi-chronal timers.– Timer expires only when both action timer and the

real-time timer expire.

• The action timer insulates ◊P from deceleration.

• The real-time timer insulates ◊P from acceleration.

• Bi-chronal clocks insulate ◊P from transient network behavior.

• Hardware upgrades often accelerate process speeds– Action clocks precipitate ◊P mistakes during

acceleration– Bi-chronal clocks are immune to acceleration

• Multiple process crashes (in a server farm), DoS attacks, and such can decelerate processes to a crawl– Real-time clocks precipitate ◊P mistakes during

deceleration– Bi-chronal clocks are immune to deceleration

• Many existing ◊P implementations are subtly broken

• Bi-chronal clocks provide a simple solution• Additionally, they insulate systems from

transient behavior• Future work:

– Properties and behavior of Bi-chronal clocks– Use of Bi-chronal clocks in other applications– Other approaches to dealing with Celeration

• Asynchrony: Unbounded message delay and process speeds

• Synchrony: Known bounds on message delay and process speeds

• Partial Synchrony: Between synchrony and asynchrony

CRASH DATABASE Download Crash Documentation FULL Extract Layout … · CRASH DATABASE Download Crash Documentation FULL Extract Layout Revised: 10/03/2012 Information Technology Office

aboutphilippines.org Riveri ault Sysfem Divalacan Fault Casiguran Fault Philippine Fault Zone (PFZ): Digdig Fault PFZ: Infanta Fault FZ: Guinyangan Fault Central OMarinduque Fault

Arc Fault + Ground Fault -

Introduction Classical Fault Simulation Modern Fault ...eecs.ceas.uc.edu/~jonewb/Fault-simu.pdf · Fault simulation.10 Parallel Fault Simulation • Taking advantage of inherent parallel

SECTION 2. CRASHES & PERSONS IN CRASHES...crash report form, every driver in a crash is assigned a contributing factor for the crash. If a driver is not at fault, ^No Improper Action

CY 2550 Foundations of Cybersecurity · •Usually, this just causes a program crash •The infamous “segmentation” or “page” fault •To an attacker, every bug is an opportunity

Crash Avoidance Needs and Countermeasure … Avoidance...crash problem with vehicle-to-pedestrian (V2P) communication crash avoidance technology. It describes 5 priority pre-crash

Fault surfaces and fault throws from 3D seismic imagesinside.mines.edu/~dhale/papers/Hale12FaultSurfacesAndFaultThrowsC... · Fault surfaces and fault throws from 3D seismic ... fault

Multiparty Protocol-Induced Recoverymrg.doc.ic.ac.uk/talks/2017/06/opct-2/slides.pdf · 2020-07-02 · Organise your processes in supervision trees Let it crash: Erlang’s fault

Tesla Crash 05/07/16 Crash Scene - Princeton Universityorfe.princeton.edu/~alaink/.../TeslaCrash050716/... · Tesla Crash 05/07/16 Crash Scene. ... to final location) occurs ... (Tesla

Are Expert Witnesses Necessary to Prove Fault In a Texas Truck Accidents: A Guide for Crash Victims

Tutorial: An In-Depth Look at BFT Consensus in Blockchains ... · 2.Distributed fully-replicated systems: CAP Theorem. 3.Crash tolerance versus Byzantine fault tolerance. 4.Consensus,

CELERATING 2 YEARS Medical & Surgical INSTRUMENT …

Pre-Crash Scenario Typology for Crash Avoidance Research

Road Departure Crashes & High Crash Corridors/High Crash Locations · 2013-10-28 · High-Crash Corridors/High Crash Locations 18 HC-3: High Crash Corridor Sign Evaluation (On-going)

FCatch: Automatically Detecting Time-of-fault Bugs in ...shanlu/paper/asplos18_fcatch.pdf · system for small time windows where a particular node’s crash is improperly handled

CELERATING 2 YEARS Medical & Surgical INSTRUMENT … · 2013-10-08 · medical & surgical instrument catalogue issue 4 april 2008 description size lawton theatre instruments theatre

CRASH ANALYSIS...• Crash types • Manner of collision • Contributing factors • Main directions • By frequency • By severity • By crash rate • By crash type . The Crash

Introduction · Web viewPlace the pagefile on a drive that is not fault-tolerant. Note that, if the disk fails, a system crash is likely to occur. If you place the pagefile on a fault-tolerant

Thesis Map - Sierra Bacha 30k · Bacha Fault Bacha Fault Pozo Coyote Fault Coyote Fault Pozo Pozo Coyote Fault Noriega Fault San Ignacio Fault? Amado-Libertad Fault A A’ B’ B

Fault Attacks Overview - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/hwre-spring2014/Fault-Attacks-short.pdfattacks often cause the operating system to crash •Power

The geological evolution of the Arnhem Province ... · Gali Fault Fault Fault Fault Fault Fault Fault Fault Fault Fault Fault Range Coast Range Lela Mitchell Ranges o Gwakura k. a

µProbes for Monitoring and Troubleshootingin case of hardware fault or monitoring application crash. • Compulsory for traffic enforcement applications, desirable for passive. monitoring

A Crash Course on the d.school Virtual Crash Course

Wisconsin Crash Data Resources FAQ - University of …transportal.cee.wisc.edu/services/crash-data/crash-data... · 2010-11-08 · Wisconsin Crash Data Resources FAQ ... November

CRaSH Portal Team. 2 Agenda Introduction to CRaSH Deployment and connection Using the CRaSH command Develop the CRaSH commands yourself

around the world PAM-CRASH 2G - aysplm.com PAM-CRASH 2G Virtual Testing for Crash CRASH & SAFETY & Safety Professionals B-CRASH-01 - Copyright ESI Group 2006 PAM-SYSTEM and all PAM-product

Living in the Anthropocene : Crash or Crash Through

crash - Univerzita Karlovad3s.mff.cuni.cz/teaching/crash_dump_analysis/slides/09-crash.pdf · extend log rd task crash version: 7.1.0 ... Crash Dump Analysis 2014/2015 Linux - crash

Eastern Fault Futaba Fault Sendai Japan Tsubonuma Fault

CONNECTICUT TRAFFIC CRASH FACTS 2012 · crash report to determine crash dynamics, causal factors and crash location prior to entering the data into its traffic crash database. The

North Carolina Pedestrian Crash Facts · North Carolina Pedestrian Crash Facts, 2012-2016 3 General NC Pedestrian Crash Trends This report provides a summary of crash trends and crash

Identifying Crash Location from Chicago Traffic Crash Data

ANALISA RISIKO KECELAKAAN MOTOR VEHICLE ......i ANALISA RISIKO KECELAKAAN MOTOR VEHICLE CRASH (MVC) DAN INJURY DI PROYEK PT. “X” DENGAN METODE FAULT TREE Nama mahasiswa : Murdiyono

Crash N' Burn: Writing Linux application fault handlers