Self-stabilization

From HandWiki
Short description: Concept of fault-tolerance

Self-stabilization is a concept of fault-tolerance in distributed systems. Given any initial state, a self-stabilizing distributed system will end up in a correct state in a finite number of execution steps.

At first glance, the guarantee of self stabilization may seem less promising than that of the more traditional fault-tolerance of algorithms, that aim to guarantee that the system always remains in a correct state under certain kinds of state transitions. However, that traditional fault tolerance cannot always be achieved. For example, it cannot be achieved when the system is started in an incorrect state or is corrupted by an intruder. Moreover, because of their complexity, it is very hard to debug and to analyze distributed systems. Hence, it is very hard to prevent a distributed system from reaching an incorrect state. Indeed, some forms of self-stabilization are incorporated into many modern computer and telecommunications networks, since it gives them the ability to cope with faults that were not foreseen in the design of the algorithm.

Many years after the seminal paper of Edsger Dijkstra in 1974, this concept remains important as it presents an important foundation for self-managing computer systems and fault-tolerant systems. As a result, Dijkstra's paper received the 2002 ACM PODC Influential-Paper Award, one of the highest recognitions in the distributed computing community.[1] Moreover, after Dijkstra's death, the award was renamed and is now called the Dijkstra Award.

History

E.W. Dijkstra in 1974 presented the concept of self-stabilization, prompting further research in this area.[2] His demonstration involved the presentation of self-stabilizing mutual exclusion algorithms.[3] It also showed the first self-stabilizing algorithms that did not rely on strong assumptions on the system. Some previous protocols used in practice did actually stabilize, but only assuming the existence of a clock that was global to the system, and assuming a known upper bound on the duration of each system transition. It was only ten years later when Leslie Lamport pointed out the importance of Dijkstra's work at a 1983 conference called Symposium on Principles of Distributed Computing that researchers [4] directed their attention to this elegant fault-tolerance concept. In his talk, Lamport stated:

I regard this as Dijkstra's most brilliant work - at least, his most brilliant published paper. It's almost completely unknown. I regard it to be a milestone in work on fault tolerance... I regard self-stabilization to be a very important concept in fault tolerance and to be a very fertile field for research.[3]

Afterwards, Dijkstra's work was awarded ACM-PODC influential paper award, which then became ACM's (the Association for computing Machinery) Dijkstra Prize in Distributed Computing given at the annual ACM-PODC symposium.[5]

Overview

A distributed algorithm is self-stabilizing if, starting from an arbitrary state, it is guaranteed to converge to a legitimate state and remain in a legitimate set of states thereafter. A state is legitimate if, starting from this state, the algorithm satisfies its specification. The property of self-stabilization enables a distributed algorithm to recover from a transient fault regardless of its nature. Moreover, a self-stabilizing algorithm does not have to be initialized as it eventually starts to behave correctly regardless of its initial state.

Dijkstra's paper, which introduces the concept of self-stabilization, presents an example in the context of a "token ring"—a network of computers ordered in a circle. Here, each computer or processor can "see" the whole state of one processor that immediately precedes it and that this state may imply that the processor "has a token" or it "does not have a token."[5] [6]One of the requirements is that exactly one of them must "hold a token" at any given time. The second requirement prescribes that each node "passes the token" to the computer/processor succeeding it so that the token eventually circulates the ring.[5][6]

  • Not holding a token is a correct state for each computer in this network, since the token can be held by another computer. However, if every computer is in the state of "not holding a token" then the network altogether is not in a correct state.
  • Similarly, if more than one computer "holds a token" then this is not a correct state for the network, although it cannot be observed to be incorrect by viewing any computer individually. Since every computer can "observe" only the states of its two neighbors, it is hard for the computers to decide whether the network altogether is in a correct state.

The first self-stabilizing algorithms did not detect errors explicitly in order to subsequently repair them. Instead, they constantly pushed the system towards a legitimate state. Since traditional methods for detecting an error[7] were often very difficult and time-consuming, such a behavior was considered desirable. (The method described in the paper cited above collects a huge amount of information from the whole network to one place; after that, it attempts to determine whether the collected global state is correct; even that determination alone can be a hard task).

Efficiency improvements

More recently, researchers have presented newer methods for light-weight error detection for self-stabilizing systems using local checking.[8][9] and for general tasks.[10]

The term local refers to a part of a computer network. When local detection is used, a computer in a network is not required to communicate with the entire network in order to detect an error—the error can be detected by having each computer communicate only with its nearest neighbors. These local detection methods simplified the task of designing self-stabilizing algorithms considerably. This is because the error detection mechanism and the recovery mechanism can be designed separately. Newer algorithms based on these detection methods also turned out to be much more efficient. Moreover, these papers suggested rather efficient general transformers to transform non self stabilizing algorithms to become self stabilizing. The idea is to,

  1. Run the non self stabilizing protocol, at the same time,
  2. detect faults (during the execution of the given protocol) using the above-mentioned detection methods,
  3. then, apply a (self stabilizing) "reset" protocol to return the system to some predetermined initial state, and, finally,
  4. restart the given (non- self stabilizing) protocol.

The combination of these 4 parts is self stabilizing (as long as there is no trigger of fault during the correction fault phases, e.g.,[11]). Initial self stabilizing protocols were also presented in the above papers. More efficient reset protocols were presented later, e.g.[12]

Additional efficiency was introduced with the notion of time-adaptive protocols.[13] The idea behind these is that when only a small number of errors occurs, the recovery time can (and should) be made short. Dijkstra's original self-stabilization algorithms do not have this property.

A useful property of self-stabilizing algorithms is that they can be composed of layers if the layers do not exhibit any circular dependencies. The stabilization time of the composition is then bounded by the sum of the individual stabilization times of each layer.[6]

New approaches to Dijkstra's work emerged later on such as the case of Krzysztof Apt and Ehsan Shoja's proposition, which demonstrated how self-stabilization can be naturally formulated using the standard concepts of strategic games, particularly the concept of an improvement path. [14] This particular work sought to demonstrate the link between self-stabilization and game theory.

Time complexity

The time complexity of a self-stabilizing algorithm is measured in (asynchronous) rounds or cycles.

  • A round is the shortest execution trace in which each processor executes at least one step.
  • Similarly, a cycle is the shortest execution trace in which each processor executes at least one complete iteration of its repeatedly executed list of commands.

To measure the output stabilization time, a subset of the state variables is defined to be externally visible (the output). Certain states of outputs are defined to be correct (legitimate). The set of the outputs of all the components of the system is said to have stabilized at the time that it starts to be correct, provided it stays correct indefinitely, unless additional faults occur. The output stabilization time is the time (the number of (asynchronous) rounds) until the output stabilizes.[8]

Definition

A system is self-stabilizing if and only if:

  1. Starting from any state, it is guaranteed that the system will eventually reach a correct state (convergence).
  2. Given that the system is in a correct state, it is guaranteed to stay in a correct state, provided that no fault happens (closure).

A system is said to be randomized self-stabilizing if and only if it is self-stabilizing and the expected number of rounds needed to reach a correct state is bounded by some constant [math]\displaystyle{ k }[/math].[15]

Design of self-stabilization in the above-mentioned sense is well known to be a difficult job. In fact, a class of distributed algorithms do not have the property of local checking: the legitimacy of the network state cannot be evaluated by a single process. The most obvious case is Dijkstra's token-ring defined above: no process can detect whether the network state is legitimate or not in the case where more than one token is present in non-neighboring processes. This suggests that self-stabilization of a distributed system is a sort of collective intelligence where each component is taking local actions, based on its local knowledge but eventually this guarantees global convergence at the end.

To help overcome the difficulty of designing self-stabilization as defined above, other types of stabilization were devised. For instance, weak stabilization is the property that a distributed system has a possibility to reach its legitimate behavior from every possible state.[16] Weak stabilization is easier to design as it just guarantees a possibility of convergence for some runs of the distributed system rather than convergence for every run.

A self-stabilizing algorithm is silent if and only if it converges to a global state where the values of communication registers used by the algorithm remain fixed.[17]

Related work

An extension of the concept of self-stabilization is that of superstabilization.[18] The intent here is to cope with dynamic distributed systems that undergo topological changes. In classical self-stabilization theory, arbitrary changes are viewed as errors where no guarantees are given until the system has stabilized again. With superstabilizing systems, there is a passage predicate that is always satisfied while the system's topology is reconfigured.

References

  1. "PODC Influential Paper Award: 2002", ACM Symposium on Principles of Distributed Computing, http://www.podc.org/influential/2002.html, retrieved 2009-09-01 
  2. "Self-stabilizing systems in spite of distributed control", Communications of the ACM 17 (11): 643–644, 1974, doi:10.1145/361179.361202, http://www.cs.utexas.edu/~EWD/ewd04xx/EWD426.PDF .
  3. 3.0 3.1 Dolev, Shlomi (2000). Self-stabilization. Cambridge, MA: The MIT Press. pp. 3. ISBN 978-0262041782. 
  4. "Solved problems, unsolved problems, and non-problems in concurrency", ACM Special Interest Group Operating Systems Review 19 (4): 34–44, 1985, doi:10.1145/858336.858339, http://research.microsoft.com/en-us/um/people/lamport/pubs/solved-and-unsolved.pdf .
  5. 5.0 5.1 5.2 Chaudhuri, Soma; Das, Samir; Paul, Himadri; Tirthapura, Srikanta (2007). Distributed Computing and Networking: 8th International Conference, ICDCN 2006, Guwahati, India, December 27-30, 2006, Proceedings. Berlin: Springer. pp. 108. ISBN 978-3540681397. 
  6. 6.0 6.1 6.2 Shlomi Dolev, Shlomo Moran, Amos Israeli: Self-Stabilization of Dynamic Systems Assuming only Read/Write Atomicity. Distributed Computing, volume 7, pages3–16(1993).
  7. Katz, Shmuel; Perry, Kenneth J. (1993), "Self-stabilizing extensions for meassage-passing systems", Distributed Computing 7 (1): 17–26, doi:10.1007/BF02278852 .
  8. 8.0 8.1 "Self-stabilization by local checking and correction", Proc. 32nd Symposium on Foundations of Computer Science (FOCS), 1991, pp. 268–277, doi:10.1109/SFCS.1991.185378, ISBN 978-0-8186-2445-2 .
  9. "The local detection paradigm and its applications to self-stabilization", Theoretical Computer Science 186 (1–2): 199–229, 1997, doi:10.1016/S0304-3975(96)00286-1, http://iew3.technion.ac.il/~kutten/aky.ps .
  10. Shlomi Dolev, Yehuda Afek: Local Stabilizer. Journal of Parallel and Distributed Computing Volume 62, Issue 5, May 2002, Pages 745-765.
  11. Baruch Awerbuch, Boaz Patt-Shamir, George Varghese, Shlomi Dolev. Self-Stabilization by Local Checking and Global Reset. WDAG 1994: 326-339.
  12. [Baruch Awerbuch, Shay Kutten, Yishay Mansour, Boaz Patt-Shamir, George Varghese. Time optimal self-stabilizing synchronization. ACM STOC 1993: 652-661.]
  13. Shay Kutten, Boaz Patt-Shamir: Stabilizing Time-Adaptive Protocols. Theor. Comput. Sci. 220(1): 93-111 (1999).
  14. de Boer, Frank; Bonsangue, Marcello; Rutten, Jan (2018). Apt. Cham: Springer. pp. 22. ISBN 9783319900889. 
  15. Self-Stabilization, MIT Press, 2000, ISBN 978-0-262-04178-2 .
  16. > The Triumph and Tribulation of System Stabilization, Proceedings of the 9th international workshop on distributed algorithms., 1995, http://www.cs.utexas.edu/users/gouda/papers/book%20chapters/11-whole.pdf> .
  17. Shlomi Dolev, Mohamed G. Gouda, and Marco Schneider. Memory requirements for silent stabilization. In PODC '96: Proceedings of the fifteenth annual ACM Symposium on Principles of Distributed Computing, pages 27--34, New York, NY, USA, 1996. ACM Press. Online extended abstract.
  18. "Superstabilizing protocols for dynamic distributed systems", Chicago Journal of Theoretical Computer Science 3: 1–40, 1997, doi:10.4086/cjtcs.1997.004 , article 4.

External links

  • libcircle - An implementation of self-stabilization using token passing for termination.