power point (.ppt)

1

Formal Models forDistributed NegotiationsThe 2PC in an Extended Pi-Calculus

Roberto BruniDipartimento di Informatica Università di Pisa

XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July 21-26 2003

Formal Models for Distributed

Negotiations 2

Towards the End What should have emerged from this course?

Dealing with distributed systems is not an easy task

Current interests: Coordination, orchestration, choreography of concurrent

and distributed processes/data Negotiations, contracts, agreements, committed choices

(transactions in disguise) Formal models are essential

to support rigorous analysis, specifications and proofs to support efficient implementations to develop new concepts to compare approaches


Negotiations 3

One More Example To conclude our excursus

2PC in pi-calculus [Berger, Honda 2000] some extensions are needed to cover all the

aspects of the protocol message loss sites local timers site failures persistence

Atomicity can be formally expressed and proved

Here main ideas are just sketched


Negotiations 4

2PC (Again!) Informally 2PC protocol

distributed faulty processes communicating on faulty

channels unique TM (coordinator) finitely many participants (statically fixed)

atomicity as far as outside observers are concerned

with, it looks as if all participants commit/abort together


Negotiations 5

2PC: Core Protocol Assuming the absence of failures:

The coordinator sends vote requests to all participants

Each participant sends its vote (abort/commit) back to the coordinator

if the message is abort, the participant aborts immediately otherwise, the participant waits for the decision of the

coordinator the coordinator itself can decide to vote commit/abort

When all votes are collected if all voted commit, the coordinator tells all to commit otherwise, the coordinator tells all to abort

All participants that voted commit were waiting for the decision and must behave accordingly


Negotiations 6

2PC: Timers Since messages can be lost in transit, the

core protocol is augmented with timeouts The coordinator sets a timer before waiting

for votes if the times expires, the coordinator votes abort

Each participant that voted commit sets a timer before waiting for the decision

if the timer expires, the participant can assume that the message carrying the decision was lost and will request the coordinator to send the decision again (centralized version), setting up another timer


Negotiations 7

2PC: Savepoints Systems/processes can crash

all crashed systems will eventually restart to allow consistent restarting, savepoints are added to the

protocol persistent datum S if P crashes it will restart as S

The initial savepoint of the coordinator is such that, after restart, it will order participants to abort (crashed coordinators are not trustworthy)

After the coordinator has received all votes and they are all for commit, the coordinator updates its savepoint to order commit if restarted, then sends the decision

The initial savepoint of each participant is to abort After voting commit, the savepoint is updated to vote

commit again and wait the decision, then sends its vote


Negotiations 8

Pi-Calculus with Branching I

Asynchronous pi-calculus (y abbreviates y1,…,yn) P ::= 0 | xy | x(y).P | (x)P | P|P | !xy | !x(y).P

Augmented with branching (to deal more conveniently with binary abort/commit decisions) P ::= … | x[(y).P,(z).P] | x-lefty | x-righty

Structural rules alpha-renaming of bound names _|_ is associative, commutative, with unit 0 (x)(y)P (y)(x)P P|(x)Q (x) (P|Q) when xfn(P) P|!P !P


Negotiations 9

Pi-Calculus with Branching II

Reductions allowed in any context, unless under prefix defined up-to structural equivalence x(y).P | xv P{v/y} x[(y).P,(z).Q] | x-leftv P{v/y} x[(y).P,(z).Q] | x-rightv Q{v/z}

Abbreviations x[P,Q], x-left, x-right (in absence of name passing) PQ = (c)(c.P|c.Q|c) (internal sum)

PQ P’ ~ P and PQ Q’ ~ Q


Negotiations 11

Modeling Message Loss Reduction xy 0 ?

unrealistic: not all messages can be lost only those traveling between different sites

Two kinds of channels (lossy/reliable)? It is not the channel, it is the message that matters

(local/remote) Augment the calculus with the notion of a site

clear separation between internal and external message passing

N ::= 0 | (x)N | N|N | [P]A

site ready to receive from channels in A


Negotiations 12

Access Points [P]A as a LAN connected to the Internet

A is the set of IP-addresses owned by hosts in the LAN

[P]A as a host A is the set of sockets serviced by P

In general A is the set of access points of [P]A

ap(0) = ap((x)N ) = ap(N) - {x} ap(N|M) = ap(N)ap(M) ap([P]A) = A


Negotiations 13

Well-Formed Sites Local processes

Given P=x(y).Q x occurs in P as input subject free occurrences of y in Q are said input-bound

P is local if no input subject is input bound Well-formed sites (written |- N )

|- 0 |- (x)N if |- N |- N|M if |- N and |- M and ap(N)ap(M)= |- [P]A if P is local and each free input subject of P is

in A


Negotiations 14

More on Sites We consider well-formed sites only Overloaded operators 0, (x) and | obey the

same structural rules as those for processes In addition we assume [(x)P]A (x)[P]A{x}

Reductions usual reductions are all allowed intra sites [P|xv]A [P]A if xA (message loss) [P|x(y).P’]A | [Q|xv]B [P|P’{v/y}]A | [Q]B (network

communication) … (network branching)


Negotiations 15

Modeling Timers If messages can vanish, then the core protocol

can easily deadlock (e.g. loss of a decision message)

Timers are fundamental for preventing infinite wait

Augment the calculus with the notion of a timer P ::= … | timert(R,Q)

where t ranges over integers greater than 0 represents the clock ticks left before the timer expires

R is input-guarded time-in continuation

Q is the time-out continuation


Negotiations 16

Timer Stepper Function (P) ticks each timer in P by one discrete unit

(timert+1(R,Q)) = timert(R,Q) if t 1 (timert(R,Q)) = Q if t 1 (R|Q) = (R)|(Q) ((x)R) = (x)(R) (P) = P otherwise Note that timers under guarding prefixes (and

replication) Each site has its local time

When time advance, it progresses for all timers in a site

In different sites, time can advance separately


Negotiations 17

Time Passing Reductions

timert+1(x(y).P,Q) | x v P{v/y} (time-in) P (P) (idle tick) we can no longer freely reduce under |

P|R Q|(R) if PQ (local time)


Negotiations 18

Modeling Savepoints In centralized systems there is no notion of

partial failure If the system crashes, the whole computation ends

In distributed systems, partial failure is a key characteristic Persistent memory, unaffected by failures

to store savepoints to recover computations

We allow processes themselves to be savepoints We assume failures cannot take place during an

interaction failures occur either before or after the action of receiving a message is atomic


Negotiations 19

Pi-Calculus with Savepoints

Augment processes P ::= … | saveP.Q

Augment sites N ::= … | [P]A,Q | [*]A,Q

[P]A,Q is a site containing P with latest savepoint Q [*]A,Q is a crashed site with latest savepoint Q

Well-formed sites |- [P]A,Q if P and Q are local and each free input subject of

P and Q is in A |- [*]A,Q if Q is local and each free input subject of Q is in A


Negotiations 20

Saving and Restarting Reductions

[P|saveQ.R]A,S [P|R]A,Q (save) [P]A,Q [*]A,Q (stop) [*]A,Q [Q]A,Q (restart)

Weak and strong bisimilarities are suitably extended they are congruences for networks, but not

for processes See the paper for the whole protocol


Negotiations 21

Recap We have seen Modeling 2PC in PDL

pi-calculus Useful extensions Advantages


Negotiations 22

References The two-phase commitment protocol

in an extended pi-calculus (Proc. EXPRESS’00, ENTCS 39) M. Berger, K. Honda

Towards abstractions for distributed systems (PhD Thesis, Imperial College, Department of Computing) M. Berger

power point (.ppt)

Documents

p xlefty x

xfnp p

q xleftv p

free input subject of

p xp pp

q picalculus

q xrightv q

qc internal sumpq p