Outline. The Leader Election Protocol (IEEE 1394) IEEE 1394 High Performance Serial Bus (FireWire) Motivation. Background. Protocol Descriptions

Similar documents
The Leader Election Protocol (IEEE 1394)

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Qualitative Probabilistic Modelling in Event-B

In the Stone Age. Stephan Holzer. Yuval Emek - Technion Roger Wattenhofer - ETH Zürich

An Algebraic Approach to Network Coding

A Formal Analysis of a Dynamic Distributed Spanning Tree Algorithm

A Brief Introduction to Model Checking

Summary of Event-B Proof Obligations

System Modelling using Event-B

Variations on Itai-Rodeh Leader Election for Anonymous Rings and their Analysis in PRISM

AGREEMENT PROBLEMS (1) Agreement problems arise in many practical applications:

University of Surrey. Bounded Retransmission in Event-B CSP: A Case Study. Steve Schneider, Helen Treharne and Heike Wehrheim

CSE 140 Lecture 11 Standard Combinational Modules. CK Cheng and Diba Mirza CSE Dept. UC San Diego

Clock Synchronization with Bounded Global and Local Skew

Distributed Algorithms

Modelling and Refining Hybrid Systems in Event-B and Rodin

Extensions to the Logic of All x are y: Verbs, Relative Clauses, and Only

Data Gathering and Personalized Broadcasting in Radio Grids with Interferences

Game Theory Lecture 10+11: Knowledge

CS 6112 (Fall 2011) Foundations of Concurrency

Problem. Problem Given a dictionary and a word. Which page (if any) contains the given word? 3 / 26

Time Constraint Patterns for Event B Development

Computational Models #1

1 Introduction. 1.1 The Problem Domain. Self-Stablization UC Davis Earl Barr. Lecture 1 Introduction Winter 2007

Lecture 4 Event Systems

A Lower Bound for the Distributed Lovász Local Lemma

Message Passing and Junction Tree Algorithms. Kayhan Batmanghelich

An Institution for Event-B

Minimal Spanning Tree

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Probabilistic model checking with PRISM

Hoare Logic and Model Checking

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at

Minimum spanning tree

Ivy: Safety Verification by Interactive Generalization

Computer Science Technical Report

CS281A/Stat241A Lecture 19

ECE 302: Chapter 02 Probability Model

Distributed Systems Gossip Algorithms

Binary Decision Diagrams. Graphs. Boolean Functions

Modeling & Control of Hybrid Systems. Chapter 7 Model Checking and Timed Automata

CptS 464/564 Fall Prof. Dave Bakken. Cpt. S 464/564 Lecture January 26, 2014

Data Gathering and Personalized Broadcasting in Radio Grids with Interferences

COMPUTER SCIENCE TRIPOS

Time Synchronization

Belief-Propagation Decoding of LDPC Codes

Machine Learning 4771

Secure Multiparty Computation from Graph Colouring

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

Bounded Retransmission in Event-B CSP: a Case Study

Formal Verification of Mobile Network Protocols

Slides for Chapter 14: Time and Global States

Chapter 8 The Disjoint Sets Class

6.852: Distributed Algorithms Fall, Class 8

Notes. Relations. Introduction. Notes. Relations. Notes. Definition. Example. Slides by Christopher M. Bourke Instructor: Berthe Y.

Is It As Easy To Discover As To Verify?

CSC 411 Lecture 3: Decision Trees

Transition Predicate Abstraction and Fair Termination

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

10/12/2016. An FSM with No Inputs Moves from State to State. ECE 120: Introduction to Computing. Eventually, the States Form a Loop

CMPSCI611: The Matroid Theorem Lecture 5

The Liar Game. Mark Wildon

On Equilibria of Distributed Message-Passing Games

Halting and Equivalence of Program Schemes in Models of Arbitrary Theories

Authentication Tests and the Structure of Bundles

Analysis of Algorithms. Outline. Single Source Shortest Path. Andres Mendez-Vazquez. November 9, Notes. Notes

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Binary Decision Diagrams

CS Lecture 4. Markov Random Fields

Causal Consistency for Geo-Replicated Cloud Storage under Partial Replication

Minimal Spanning Tree

The Weakest Failure Detector to Solve Mutual Exclusion

S15 MA 274: Exam 3 Study Questions

Dijkstra s Single Source Shortest Path Algorithm. Andreas Klappenecker

Lecture 10: Mechanisms, Complexity, and Approximation

Spiking Neural P Systems with Anti-Spikes as Transducers

EE291E Lecture Notes 3 Autonomous Hybrid Automata

CHAPTER 1. Relations. 1. Relations and Their Properties. Discussion

Logic Design II (17.342) Spring Lecture Outline

Maximizable Routing Metrics

Robustness of stochastic discrete-time switched linear systems

Index coding with side information

Fault-Tolerant Consensus

Algorithms, Probability, and Computing Fall 08 Exam

Relations Graphical View

cs/ee/ids 143 Communication Networks

Causal Broadcast Seif Haridi

Abstract Interpretation II

Markov properties for directed graphs

Computational Models - Lecture 1 1

Probability Propagation

Lecture 16: Roots of the Matching Polynomial

Verifying Properties of Parallel Programs: An Axiomatic Approach

The Tree Evaluation Problem: Towards Separating P from NL. Lecture #6: 26 February 2014

Controlo Switched Systems: Mixing Logic with Differential Equations. João P. Hespanha. University of California at Santa Barbara.

Fast self-stabilizing k-independent dominating set construction Labri Technical Report RR

Section 6 Fault-Tolerant Consensus

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Failure Detectors. Seif Haridi. S. Haridi, KTHx ID2203.1x

Transcription:

Outline The Leader Election Protocol (IEEE 1394) Thai Son Hoang (inspired by the slides of Jean-Raymond Abrial) Department of Computer Science Swiss Federal Institute of Technology Zürich (ETH Zürich) System Development in Event-B, 25th November, 2010 Background Protocol Descriptions Formal Development Formalizing Trees Initial Model First Refinement Second Refinement Conclusion Motivation Modelling a distributed protocol: IEEE 1394 Firewire. Formalise some mathematical concepts: graph, tree. IEEE 1394 High Performance Serial Bus (FireWire) - It is an international standard - There exists a widespread commercial interest in its correctness - Sun, Apple, Philips, Microsoft, Sony, etc involved in its development - Made of three layers (physical, link, transaction) - The protocol under study is the Tree Identify Protocol - Situated in the Bus Reset phase of the physical layer

The Problem (1) - The bus is used to transport digitized video and audio signals - It is hot-pluggable - Devices and peripherals can be added and removed at any time - Such changes are followed by a bus reset The Problem (2) - After a bus reset: all nodes in the network have equal status - A node only knows to which nodes it is directly connected - The network is connected - The network is acyclic - The leader election takes place after a bus reset in the network - A leader needs to be chosen to act as the manager of the bus Informal Abstract Properties of the Protocol - We are given a connected and acyclic network of nodes - Nodes are linked by bidirectional channels - We want to have one node being elected the leader in a finite time - This is to be done in a distributed and non-deterministic way - Next are two distinct abstract animations of the protocol

Development Strategy - Formal definition and properties of the network - A one-shot abstract model of the protocol - Presenting a (still abstract) loop-like centralized solution - Introducing message passing between the nodes (delays) - Modifying the data structure in order to distribute the protocol Let N be a set of nodes Let g be a graph built on N

g is a graph built on N Basic Graph Properties g N N g is symmetric g is irreflexive g = g 1 g id = g is symmetric and irreflexive A Little Detour Through Trees - A tree is a special graph - A tree has a root - A tree has a, so-called, father function - A tree is acyclic - A tree is connected from the root g is connected and acyclic

the root the root A tree t built on a set of nodes t is a function on N except at the root the root Avoidind cycles BAD A cycle Its inverse image The nodes of a cycle are included in their inverse image

- Given - a set N - a subset p of N - a binary relation t built on N - The inverse image of p under t is denoted by t 1 [p] - p is included in its inverse image: p t 1 [p] - Notice that the empty set enjoys this property t 1 [ ] - The property of having no cycle is thus equivalent to: The only subset p of N s.t. p t 1 [p] is the EMPTY SET p N p t 1 [p] p p = The constant function tree N (N N) BOOL r is a member of N t is a function tree(r, t) = TRUE if and only if r N t N \ {r} N t is acyclic p p N p t 1 [p] p = p t is acyclic: equivalent formulations p N p t 1 [p] p = q q N r q t 1 [q] q N q This gives an Induction Rule q q N r q x N q x N \ {r} t(x) q x q

The constant function tree N (N N) BOOL tree(r, t) = TRUE if and only if DEMO r is a member of N r N t is a function t N \ {r} N t is acyclic q q N r q t 1 [q] q N q Given a graph g NODE NODE, define the constant function spanning NODE (NODE NODE) BOOL spanning (r, t, g) = TRUE if and only if r, t is a tree tree (r, t) t is included in g t g A spanning tree t of the graph g

g is acyclic: Back to Graph g h, S h g h h 1 = S h 1 [S] S = (Note: g is symmetric, h is any asymmetric sub-graph of g) g is connected: S S g[s] S N S which correspond to an induction rule S S ( y ( x x S x y g) y S) N S Constants of Initial Model (1) carrier set: N constant: g, tree, spanning axm0_1: finite(n) axm0_2: g N N axm0_3: g = g 1 axm0_4: g id = axm0_5: h, S h g h h 1 = S h 1 [S] S = axm0_6: S S g[s] S N S Constants of the Initial Model Variables of Initial Model axm0_7 : axm0_8 : tree N (N N) BOOL r, t. tree(r t) = TRUE t N \ {r} N q r q t 1 [q] q N q variables: l, t inv0_1: inv0_2: l N t N N axm0_9 : spanning N (N N) BOOL axm0_10 : r, t spanning(r t) = TRUE tree(r t) = TRUE t g

Events of Initial Model init l : N t : N N elect any x, s where spanning(x s) then l := x t := s end First Refinement (1) - t corresponding to the "tree" in construction - Being precise about event progress: How the tree is constructed. - Defining the invariant - Back to the animation : Observe the construction of the tree progress status anticipated begin t : N N end

- The green arrows correspond to the t function - The blue nodes are the domain of t - The function t is a forest (multi-tree) on nodes - The red nodes are the roots of these trees

The State of the First Refinement inv1_1: t b N variables: l, t, b, r inv1_2: t g inv1_3: r = N \ b b, r: set of blue/red nodes, respectively. b contains the non-root elements of the trees of forest t. Nodes that are not blue are red. Being Precise about Progressing When a red node x is connected to AT MOST one other red node y, then event "progress" can take place progress any x, y where x r y r g[{x}] = t 1 [{x}] {y} then t := t {x y} b := b {x} r := r \ {x} end progress is convergent (reducing r)

When there is only a single red node x then event "elect" can take place Refinement Proof for elect (1) elect any x where r = {x} then l := x end (abs_)elect any x, s where spanning(x, s) then l := x t := s end (conc_)elect any x where r = {x} with s = t then l := x t := t end This amounts to proving guard strengthening (GRD):... r = {x} spanning(x t) = TRUE Refinement Proof for elect (2)... t b N r = N b t g r = {x} spanning(x t) = TRUE definition... t b N r = N b t g r = {x} tree(x t) = TRUE t g Refinement Proof for elect (3) Instead of proving q x q t 1 [q] q N we can prove p p t 1 [p] p = Recall axiom state that g is acyclic...... t b N r = N \ b t g r = {x} t N \ {x} N q x q t 1 [q] q N q h, S h g h h 1 = S h 1 [S] S = Additional invariant t t 1 =.

Second Refinement - Nodes are communicating with their neighbors - This is done by means of messages - Discovering the problem of contention - Next is a local animation Message Transfer Receiving Sending the a message Mt g Second Refinement: the State inv2_1: m g variables:..., m inv2_2: m r r - Variable m denotes the channel between nodes - x y in m means x wants y to be its parent - m is functional between red nodes. Second Refinement: Events send_msg any x, y where x r y r x / dom(m) g[{x}] = t 1 [{x}] {y} then m := m {x y} end (abs_)progress any x, y where x r y r g[{x}] = t 1 [{x}] {y} then... end inv2_3 : receive_msg refines progress any x, y where x y m y / dom(m) then... m := m \ {x y} end x, y x y m g[{x}] = t 1 [{x}] {y}

Second Refinement: The problem of contention - Explaining the problem - Proposing a partial solution - Towards a better treatment - Back to the local animation

Problem of Contention Sending Recovery Receiving Discovering another from a contention message Discovering the Contention (1) - Node y discovers the contention with node x because: - It has sent a message to node x - It receives a message from node x Mc t g Mc Discovering the Contention (2) - Node x also discovers the contention with node y - Assumption: The time between both discoveries IS SUPPOSED TO BE BOUNDED BY t ms - The time t is the maximum transmission time between 2 connected nodes Contention Discovery 0 ms t δ ms t ms 2 t δ ms

A Partial Solution - Each node waits for t ms after its own discovery - After this, each node thus knows that the other has also discovered the contention - Each node then retries immediately - PROBLEM: This may continue for ever A Better Solution (1) - Each node waits for t ms after its own discovery - Each node then choses with equal probability: - either to wait for a short delay - or to wait for a large delay - Each node then retries A Better Solution (2) - Question: Does this solves the problem? Extending the State: Introducing the Contention "Channel" - Are we sure to eventually have one node winning? - Answer: Yes, according to a simple law of probabilities variables:..., m, c - The law of great numbers inv2_5: c N N

discover_contention any x, y where x y m y dom(m) dom(c) then m := m \ {x y} c := c {x y} end Contention Events solve_contention any x, y where c = {x y, y x} then c := end Summary Axiomatize some data structures: connected graphs, trees. Reasoning about these data structure using induction rules. A systematic approach for modelling distributed systems. Establishing the mathematical framework Resolving the mathematical problem in one shot Resolving the same problem on a step by step basis Involving communication by means of messages Towards the localization of data structures (which we skipped in this lecture).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback