XVII Escuela de Ciencias Informaticas (ECI 2003), Buenos Aires, July 21-26 2003

Formal Models for Distributed Negotiations
The 2PC in an Extended Pi-Calculus

Roberto Bruni
Dipartimento di Informatica, Università di Pisa
Towards the End

What should have emerged from this course?
- Dealing with distributed systems is not an easy task
- Current interests:
  - Coordination, orchestration, choreography of concurrent and distributed processes/data
  - Negotiations, contracts, agreements, committed choices (transactions in disguise)
- Formal models are essential
  - to support rigorous analysis, specifications and proofs
  - to support efficient implementations
  - to develop new concepts
  - to compare approaches
One More Example

- To conclude our excursus: 2PC in the pi-calculus [Berger, Honda 2000]
  - some extensions are needed to cover all the aspects of the protocol:
    - message loss
    - sites
    - local timers
    - site failures
    - persistence
  - Atomicity can be formally expressed and proved
- Here only the main ideas are sketched
2PC (Again!) Informally

- 2PC protocol
  - distributed
    - faulty processes communicating on faulty channels
    - unique TM (coordinator)
    - finitely many participants (statically fixed)
  - atomicity
    - as far as outside observers are concerned, it looks as if all participants commit/abort together
2PC: Core Protocol

Assuming the absence of failures:
- The coordinator sends vote requests to all participants
- Each participant sends its vote (abort/commit) back to the coordinator
  - if its vote is abort, the participant aborts immediately
  - otherwise, the participant waits for the decision of the coordinator
- When all votes are collected
  - the coordinator itself can decide to vote commit/abort
  - if all voted commit, the coordinator tells all to commit
  - otherwise, the coordinator tells all to abort
- All participants that voted commit were waiting for the decision and must behave accordingly
2PC: Timers

- Since messages can be lost in transit, the core protocol is augmented with timeouts
- The coordinator sets a timer before waiting for votes
  - if the timer expires, the coordinator votes abort
- Each participant that voted commit sets a timer before waiting for the decision
  - if the timer expires, the participant can assume that the message carrying the decision was lost and will request the coordinator to send the decision again (centralized version), setting up another timer
2PC: Savepoints

- Systems/processes can crash
  - all crashed systems will eventually restart
  - to allow consistent restarting, savepoints are added to the protocol
    - a savepoint is a persistent datum S
    - if P crashes, it will restart as S
- The initial savepoint of the coordinator is such that, after restart, it will order participants to abort (crashed coordinators are not trustworthy)
  - After the coordinator has received all votes and they are all for commit, the coordinator updates its savepoint to order commit if restarted, then sends the decision
- The initial savepoint of each participant is to abort
  - After deciding to vote commit, the participant updates its savepoint to vote commit again and wait for the decision, then sends its vote
Pi-Calculus with Branching I

- Asynchronous pi-calculus (y abbreviates y_1, ..., y_n)
    P ::= 0 | x̄⟨y⟩ | x(y).P | (νx)P | P|P | !x̄⟨y⟩ | !x(y).P
- Augmented with branching (to deal more conveniently with binary abort/commit decisions)
    P ::= ... | x[(y).P, (z).P] | x-left⟨y⟩ | x-right⟨y⟩
- Structural rules
  - alpha-renaming of bound names
  - _|_ is associative, commutative, with unit 0
  - (νx)(νy)P ≡ (νy)(νx)P
  - P|(νx)Q ≡ (νx)(P|Q) when x ∉ fn(P)
  - P|!P ≡ !P
Pi-Calculus with Branching II

- Reductions
  - allowed in any context, unless under prefix
  - defined up to structural equivalence
    x(y).P | x̄⟨v⟩ → P{v/y}
    x[(y).P, (z).Q] | x-left⟨v⟩ → P{v/y}
    x[(y).P, (z).Q] | x-right⟨v⟩ → Q{v/z}
- Abbreviations
  - x[P, Q], x-left, x-right (in absence of name passing)
  - P ⊕ Q = (νc)(c.P | c.Q | c̄) (internal sum)
    P ⊕ Q → P' ~ P and P ⊕ Q → Q' ~ Q
Pi-Calculus: Core Protocol

- 2PCP = (ν vote_self)(ν vote)(ν dec)( C | P_1 | ... | P_n )
- C = (νc)(νc_self)(νa)( Cwait | Ccommit | Cabort | Cself )
  - Cwait = vote_1[c̄_1, ā] | ... | vote_n[c̄_n, ā] | vote_self[c̄_self, ā]
  - Cself = vote_self-left ⊕ vote_self-right
  - Ccommit = c_1. ... .c_n.c_self.( dec_1-left | ... | dec_n-left )
  - Cabort = a.( dec_1-right | ... | dec_n-right )
- P_i = Pc_i ⊕ Pa_i
  - Pc_i = vote_i-left | dec_i[!commit_i, !abort_i]
  - Pa_i = vote_i-right | !abort_i
- Proposition
  - 2PCP ≈ Abort ⊕ Commit
  - where Abort = Π_i !abort_i and Commit = Π_i !commit_i
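The reduction rules of the branching calculus and the 2PCP encoding above, as an added Python executor (not code from the slides or from the Berger-Honda paper): a process is a list of particles, one step consumes a random input/output redex, and repeated runs therefore exercise different schedulings of 2PCP. Name passing is omitted because the encoding uses none; the particle representation, the helper names and the resolution of the internal sums through the `votes` and `coord_commit` arguments are our own assumptions.

```python
import random

# Particles: ('out', x, tag)  x̄ / x-left / x-right      ('in', x, k)   x.P with k() building P
#            ('branch', x, kl, kr)  x[P, Q]               ('bang', x)    !x̄, a persistent output
def out(x, tag=None): return ('out', x, tag)
def inp(x, k): return ('in', x, k)
def branch(x, kl, kr): return ('branch', x, kl, kr)
def bang(x): return ('bang', x)

def step(net):
    """One reduction up to structural congruence: x.P | x̄ -> P, x[P,Q] | x-left -> P, x-right -> Q.
    net is the parallel composition as a list; returns False when no redex is left."""
    redexes = [(i, j) for i, p in enumerate(net) if p[0] in ('in', 'branch')
               for j, q in enumerate(net) if q[0] == 'out' and q[1] == p[1]]
    if not redexes:
        return False
    i, j = random.choice(redexes)                    # nondeterministic scheduling
    recv, send = net[i], net[j]
    cont = recv[2] if recv[0] == 'in' or send[2] == 'left' else recv[3]
    for k in sorted((i, j), reverse=True):
        del net[k]                                   # consume the redex ...
    net.extend(cont())                               # ... and release the continuation
    return True

def two_pcp(votes, coord_commit=True):
    """Reduce 2PCP = C | P_1 | ... | P_n to normal form. votes[i] resolves the internal choice
    P_i = Pc_i (+) Pa_i, coord_commit resolves Cself; returns the !commit_i / !abort_i left over."""
    n = len(votes)
    def chain(names, then):                          # c_1. ... .c_n.c_self.(then) as nested prefixes
        return then() if not names else [inp(names[0], lambda: chain(names[1:], then))]
    net = [branch(f'vote{i}', lambda i=i: [out(f'c{i}')], lambda: [out('a')])   # Cwait
           for i in range(n)]
    net.append(branch('voteself', lambda: [out('cself')], lambda: [out('a')]))
    net.append(out('voteself', 'left' if coord_commit else 'right'))           # Cself
    net += chain([f'c{i}' for i in range(n)] + ['cself'],                      # Ccommit
                 lambda: [out(f'dec{i}', 'left') for i in range(n)])
    net.append(inp('a', lambda: [out(f'dec{i}', 'right') for i in range(n)]))  # Cabort
    for i, v in enumerate(votes):
        if v:                                        # Pc_i = vote_i-left | dec_i[!commit_i, !abort_i]
            net += [out(f'vote{i}', 'left'),
                    branch(f'dec{i}', lambda i=i: [bang(f'commit{i}')], lambda i=i: [bang(f'abort{i}')])]
        else:                                        # Pa_i = vote_i-right | !abort_i
            net += [out(f'vote{i}', 'right'), bang(f'abort{i}')]
    while step(net):
        pass
    return sorted(p[1] for p in net if p[0] == 'bang')

if __name__ == '__main__':
    print(two_pcp([True, True, True]), two_pcp([True, False, True]))
```

Whatever scheduling `step` picks, the normal form is either all `commit_i` or all `abort_i`, which is the content of the Proposition restricted to one resolution of the internal sums.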
Modeling Message Loss

- Reduction x̄⟨y⟩ → 0 ?
  - unrealistic: not all messages can be lost, only those traveling between different sites
- Two kinds of channels (lossy/reliable)?
  - It is not the channel, it is the message that matters (local/remote)
- Augment the calculus with the notion of a site
  - clear separation between internal and external message passing
    N ::= 0 | (νx)N | N|N | [P]_A
  - [P]_A is a site ready to receive from channels in A
Access Points

- [P]_A as a LAN connected to the Internet
  - A is the set of IP addresses owned by hosts in the LAN
- [P]_A as a host
  - A is the set of sockets serviced by P
- In general A is the set of access points of [P]_A
    ap(0) = ∅
    ap((νx)N) = ap(N) - {x}
    ap(N|M) = ap(N) ∪ ap(M)
    ap([P]_A) = A
Well-Formed Sites

- Local processes
  - Given P = x(y).Q
    - x occurs in P as input subject
    - free occurrences of y in Q are said to be input-bound
  - P is local if no input subject is input-bound
- Well-formed sites (written ⊢ N)
    ⊢ 0
    ⊢ (νx)N if ⊢ N
    ⊢ N|M if ⊢ N and ⊢ M and ap(N) ∩ ap(M) = ∅
    ⊢ [P]_A if P is local and each free input subject of P is in A
More on Sites

- We consider well-formed sites only
- Overloaded operators 0, (νx) and | obey the same structural rules as those for processes
  - In addition we assume [(νx)P]_A ≡ (νx)[P]_{A ∪ {x}}
- Reductions
  - usual reductions are allowed intra sites
    [P | x̄⟨v⟩]_A → [P]_A if x ∉ A (message loss)
    [P | x(y).P']_A | [Q | x̄⟨v⟩]_B → [P | P'{v/y}]_A | [Q]_B (network communication)
    ... (network branching)
Modeling Timers

- If messages can vanish, then the core protocol can easily deadlock (e.g. loss of a decision message)
- Timers are fundamental for preventing infinite wait
- Augment the calculus with the notion of a timer
    P ::= ... | timer^t(R, Q)
  - t ranges over integers greater than 0 and represents the clock ticks left before the timer expires
  - R is input-guarded: the time-in continuation
  - Q is the time-out continuation
Timer Stepper Function

- The stepper function (written φ here) ticks each timer in P by one discrete unit
    φ(timer^{t+1}(R, Q)) = timer^t(R, Q) if t ≥ 1
    φ(timer^t(R, Q)) = Q if t ≤ 1
    φ(R|Q) = φ(R) | φ(Q)
    φ((νx)R) = (νx)φ(R)
    φ(P) = P otherwise
  - Note that timers under guarding prefixes (and replication)
- Each site has its local time
  - When time advances, it progresses for all timers in a site
  - In different sites, time can advance separately
Time Passing

- Reductions
    timer^{t+1}(x(y).P, Q) | x̄⟨v⟩ → P{v/y} (time-in)
    P → φ(P) (idle tick, with φ the timer stepper function)
  - we can no longer freely reduce under |
    P|R → Q|φ(R) if P → Q (local time)
Modeling Savepoints

- In centralized systems there is no notion of partial failure
  - If the system crashes, the whole computation ends
- In distributed systems, partial failure is a key characteristic
- Persistent memory, unaffected by failures
  - to store savepoints
  - to recover computations
- We allow processes themselves to be savepoints
- We assume failures cannot take place during an interaction
  - failures occur either before or after
  - the action of receiving a message is atomic
Pi-Calculus with Savepoints

- Augment processes
    P ::= ... | save P. Q
- Augment sites
    N ::= ... | [P]_{A,Q} | [*]_{A,Q}
  - [P]_{A,Q} is a site containing P with latest savepoint Q
  - [*]_{A,Q} is a crashed site with latest savepoint Q
- Well-formed sites
    ⊢ [P]_{A,Q} if P and Q are local and each free input subject of P and Q is in A
    ⊢ [*]_{A,Q} if Q is local and each free input subject of Q is in A
Saving and Restarting

- Reductions
    [P | save Q. R]_{A,S} → [P | R]_{A,Q} (save)
    [P]_{A,Q} → [*]_{A,Q} (stop)
    [*]_{A,Q} → [Q]_{A,Q} (restart)
- Weak and strong bisimilarities are suitably extended
  - they are congruences for networks, but not for processes
- See the paper for the whole protocol
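The informal protocol of the slides "2PC: Core Protocol", "2PC: Timers" and "2PC: Savepoints", run under the failure model of the extended calculus just described (remote messages may be lost, each site ticks its own timer, a crashed site restarts as its savepoint), as an added Python simulation that is not code from the slides or from the paper. The scheduler, the message names ('req', ('dec', d), 'commit', 'abort', 'ask'), the site states and the fixed timeout are our own modelling choices; `run` injects loss and crashes during its first `faults` steps, then delivers reliably until the network is quiet and returns the decisions so that atomicity can be checked.

```python
import random
# Messages: 'req' and ('dec', d) from the coordinator; 'commit', 'abort', 'ask' from participants
class Site:                        # a site with its own local clock and a single timer
    timer, out = None, ()
    def tick(self):                # one local tick; at zero the time-out continuation runs
        if self.timer: self.timer -= 1
        if self.timer == 0: self.timer = None; self.expire()
class Coord(Site):
    def __init__(self, n, t):
        self.n, self.t, self.votes, self.save = n, t, set(), 'abort'   # initial savepoint: abort
        self.state, self.timer, self.out = 'wait', t, [(i, 'req') for i in range(n)]
    def restart(self):             # resume as the savepoint and order it to every participant
        self.state, self.timer, self.votes = self.save, None, set()
        self.out = [(i, ('dec', self.state)) for i in range(self.n)]
    def expire(self): self.decide('abort')                                # vote timeout
    def decide(self, d):
        self.state, self.timer = d, None
        self.out += [(i, ('dec', d)) for i in range(self.n)]
    def recv(self, i, m):
        if self.state != 'wait': self.out.append((i, ('dec', self.state)))  # (re)send decision
        elif m == 'abort': self.decide('abort')
        elif m == 'commit' and len(self.votes | {i}) == self.n: self.save = 'commit'; self.decide('commit')
        elif m == 'commit': self.votes.add(i)
class Part(Site):
    def __init__(self, vote, t):
        self.vote, self.t, self.state, self.save, self.out = vote, t, 'init', 'abort', []
    def restart(self):             # resume as the savepoint; 'voted' re-votes commit and waits
        self.state, self.timer, self.out = self.save, None, []
        if self.state == 'voted': self.out, self.timer = ['commit'], self.t
    def expire(self): self.out, self.timer = ['ask'], self.t             # assume decision lost
    def recv(self, m):
        if m == 'req' and self.state == 'init':
            if not self.vote: self.state, self.out = 'abort', ['abort']   # abort immediately
            else: self.save = self.state = 'voted'; self.out, self.timer = ['commit'], self.t
        elif m != 'req' and self.state in ('init', 'voted'): self.state, self.timer = m[1], None
def run(votes, seed, t=3, faults=40, limit=5000):
    rng, net, c = random.Random(seed), [], Coord(len(votes), t)
    ps = [Part(v, t) for v in votes]; sites = [c] + ps
    for step in range(limit):
        net += [(0, i + 1, m) for i, m in c.out] + [(k, 0, m) for k, p in enumerate(ps, 1) for m in p.out]
        for s in sites: s.out = []
        faulty = step < faults
        act = rng.choice(['deliver', 'tick', 'crash']) if faulty else ('deliver' if net else 'tick')
        if act != 'deliver': getattr(rng.choice(sites), 'restart' if act == 'crash' else 'tick')()
        elif net:
            src, dst, m = net.pop(rng.randrange(len(net)))
            if faulty and rng.random() < 0.3: continue                   # lost between sites
            c.recv(src - 1, m) if dst == 0 else ps[dst - 1].recv(m)
        if not faulty and not net and all(s.timer is None and not s.out for s in sites): break
    return c.state, [p.state for p in ps]
```

A participant that never received a request nor a decision before all faults stopped may still be 'init' at the end; it has not decided, so it does not contradict the coordinator's decision, and no participant ever ends up with a decision different from the coordinator's.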
Recap

- We have seen
  - Modeling 2PC in PDL
  - pi-calculus
    - Useful extensions
    - Advantages
References

- M. Berger, K. Honda: The two-phase commitment protocol in an extended pi-calculus (Proc. EXPRESS'00, ENTCS 39)
- M. Berger: Towards abstractions for distributed systems (Ph.D. Thesis, Imperial College, Department of Computing)