Outline. The Leader Election Protocol (IEEE 1394) IEEE 1394 High Performance Serial Bus (FireWire) Motivation. Background. Protocol Descriptions

Transcription

1 Outline The Leader Election Protocol (IEEE 1394) Thai Son Hoang (inspired by the slides of Jean-Raymond Abrial) Department of Computer Science Swiss Federal Institute of Technology Zürich (ETH Zürich) System Development in Event-B, 25th November, 2010 Background Protocol Descriptions Formal Development Formalizing Trees Initial Model First Refinement Second Refinement Conclusion Motivation Modelling a distributed protocol: IEEE 1394 Firewire. Formalise some mathematical concepts: graph, tree. IEEE 1394 High Performance Serial Bus (FireWire) - It is an international standard - There exists a widespread commercial interest in its correctness - Sun, Apple, Philips, Microsoft, Sony, etc involved in its development - Made of three layers (physical, link, transaction) - The protocol under study is the Tree Identify Protocol - Situated in the Bus Reset phase of the physical layer

2 The Problem (1) - The bus is used to transport digitized video and audio signals - It is hot-pluggable - Devices and peripherals can be added and removed at any time - Such changes are followed by a bus reset The Problem (2) - After a bus reset: all nodes in the network have equal status - A node only knows to which nodes it is directly connected - The network is connected - The network is acyclic - The leader election takes place after a bus reset in the network - A leader needs to be chosen to act as the manager of the bus Informal Abstract Properties of the Protocol - We are given a connected and acyclic network of nodes - Nodes are linked by bidirectional channels - We want to have one node being elected the leader in a finite time - This is to be done in a distributed and non-deterministic way - Next are two distinct abstract animations of the protocol

3

4

5

6

7 Development Strategy - Formal definition and properties of the network - A one-shot abstract model of the protocol - Presenting a (still abstract) loop-like centralized solution - Introducing message passing between the nodes (delays) - Modifying the data structure in order to distribute the protocol Let N be a set of nodes Let g be a graph built on N

8 g is a graph built on N Basic Graph Properties g N N g is symmetric g is irreflexive g = g 1 g id = g is symmetric and irreflexive A Little Detour Through Trees - A tree is a special graph - A tree has a root - A tree has a, so-called, father function - A tree is acyclic - A tree is connected from the root g is connected and acyclic

9 the root the root A tree t built on a set of nodes t is a function on N except at the root the root Avoidind cycles BAD A cycle Its inverse image The nodes of a cycle are included in their inverse image

10 - Given - a set N - a subset p of N - a binary relation t built on N - The inverse image of p under t is denoted by t 1 [p] - p is included in its inverse image: p t 1 [p] - Notice that the empty set enjoys this property t 1 [ ] - The property of having no cycle is thus equivalent to: The only subset p of N s.t. p t 1 [p] is the EMPTY SET p N p t 1 [p] p p = The constant function tree N (N N) BOOL r is a member of N t is a function tree(r, t) = TRUE if and only if r N t N \ {r} N t is acyclic p p N p t 1 [p] p = p t is acyclic: equivalent formulations p N p t 1 [p] p = q q N r q t 1 [q] q N q This gives an Induction Rule q q N r q x N q x N \ {r} t(x) q x q

11 The constant function tree N (N N) BOOL tree(r, t) = TRUE if and only if DEMO r is a member of N r N t is a function t N \ {r} N t is acyclic q q N r q t 1 [q] q N q Given a graph g NODE NODE, define the constant function spanning NODE (NODE NODE) BOOL spanning (r, t, g) = TRUE if and only if r, t is a tree tree (r, t) t is included in g t g A spanning tree t of the graph g

12 g is acyclic: Back to Graph g h, S h g h h 1 = S h 1 [S] S = (Note: g is symmetric, h is any asymmetric sub-graph of g) g is connected: S S g[s] S N S which correspond to an induction rule S S ( y ( x x S x y g) y S) N S Constants of Initial Model (1) carrier set: N constant: g, tree, spanning axm0_1: finite(n) axm0_2: g N N axm0_3: g = g 1 axm0_4: g id = axm0_5: h, S h g h h 1 = S h 1 [S] S = axm0_6: S S g[s] S N S Constants of the Initial Model Variables of Initial Model axm0_7 : axm0_8 : tree N (N N) BOOL r, t. tree(r t) = TRUE t N \ {r} N q r q t 1 [q] q N q variables: l, t inv0_1: inv0_2: l N t N N axm0_9 : spanning N (N N) BOOL axm0_10 : r, t spanning(r t) = TRUE tree(r t) = TRUE t g

13 Events of Initial Model init l : N t : N N elect any x, s where spanning(x s) then l := x t := s end First Refinement (1) - t corresponding to the "tree" in construction - Being precise about event progress: How the tree is constructed. - Defining the invariant - Back to the animation : Observe the construction of the tree progress status anticipated begin t : N N end

14

15 - The green arrows correspond to the t function - The blue nodes are the domain of t - The function t is a forest (multi-tree) on nodes - The red nodes are the roots of these trees

16 The State of the First Refinement inv1_1: t b N variables: l, t, b, r inv1_2: t g inv1_3: r = N \ b b, r: set of blue/red nodes, respectively. b contains the non-root elements of the trees of forest t. Nodes that are not blue are red. Being Precise about Progressing When a red node x is connected to AT MOST one other red node y, then event "progress" can take place progress any x, y where x r y r g[{x}] = t 1 [{x}] {y} then t := t {x y} b := b {x} r := r \ {x} end progress is convergent (reducing r)

17 When there is only a single red node x then event "elect" can take place Refinement Proof for elect (1) elect any x where r = {x} then l := x end (abs_)elect any x, s where spanning(x, s) then l := x t := s end (conc_)elect any x where r = {x} with s = t then l := x t := t end This amounts to proving guard strengthening (GRD):... r = {x} spanning(x t) = TRUE Refinement Proof for elect (2)... t b N r = N b t g r = {x} spanning(x t) = TRUE definition... t b N r = N b t g r = {x} tree(x t) = TRUE t g Refinement Proof for elect (3) Instead of proving q x q t 1 [q] q N we can prove p p t 1 [p] p = Recall axiom state that g is acyclic t b N r = N \ b t g r = {x} t N \ {x} N q x q t 1 [q] q N q h, S h g h h 1 = S h 1 [S] S = Additional invariant t t 1 =.

18 Second Refinement - Nodes are communicating with their neighbors - This is done by means of messages - Discovering the problem of contention - Next is a local animation Message Transfer Receiving Sending the a message Mt g Second Refinement: the State inv2_1: m g variables:..., m inv2_2: m r r - Variable m denotes the channel between nodes - x y in m means x wants y to be its parent - m is functional between red nodes. Second Refinement: Events send_msg any x, y where x r y r x / dom(m) g[{x}] = t 1 [{x}] {y} then m := m {x y} end (abs_)progress any x, y where x r y r g[{x}] = t 1 [{x}] {y} then... end inv2_3 : receive_msg refines progress any x, y where x y m y / dom(m) then... m := m \ {x y} end x, y x y m g[{x}] = t 1 [{x}] {y}

19 Second Refinement: The problem of contention - Explaining the problem - Proposing a partial solution - Towards a better treatment - Back to the local animation

20 Problem of Contention Sending Recovery Receiving Discovering another from a contention message Discovering the Contention (1) - Node y discovers the contention with node x because: - It has sent a message to node x - It receives a message from node x Mc t g Mc Discovering the Contention (2) - Node x also discovers the contention with node y - Assumption: The time between both discoveries IS SUPPOSED TO BE BOUNDED BY t ms - The time t is the maximum transmission time between 2 connected nodes Contention Discovery 0 ms t δ ms t ms 2 t δ ms

21 A Partial Solution - Each node waits for t ms after its own discovery - After this, each node thus knows that the other has also discovered the contention - Each node then retries immediately - PROBLEM: This may continue for ever A Better Solution (1) - Each node waits for t ms after its own discovery - Each node then choses with equal probability: - either to wait for a short delay - or to wait for a large delay - Each node then retries A Better Solution (2) - Question: Does this solves the problem? Extending the State: Introducing the Contention "Channel" - Are we sure to eventually have one node winning? - Answer: Yes, according to a simple law of probabilities variables:..., m, c - The law of great numbers inv2_5: c N N

22 discover_contention any x, y where x y m y dom(m) dom(c) then m := m \ {x y} c := c {x y} end Contention Events solve_contention any x, y where c = {x y, y x} then c := end Summary Axiomatize some data structures: connected graphs, trees. Reasoning about these data structure using induction rules. A systematic approach for modelling distributed systems. Establishing the mathematical framework Resolving the mathematical problem in one shot Resolving the same problem on a step by step basis Involving communication by means of messages Towards the localization of data structures (which we skipped in this lecture).