Josef Widder Booting Clock Synchronization
1
The Θ-Model, and how to Boot Clock Synchronization in it
Josef Widder, Embedded Computing Systems, [email protected]
INRIA Rocquencourt, February 10, 2004
Good System Engineering
Layered view, top to bottom: Computational Model (algorithms are proven correct in the CompMod), System Model, Communication Layer / Hardware.
Today: the two model layers (SysMod and CompMod) and an algorithm proven in them.
Roadmap
Basic Concepts of the Θ-Model
  Why do we need a new timing model?
  System Model / Computational Model
Solution to a Specific Problem
  Booting Clock Synchronization
Motivation for the Θ-Model
Weaker models improve coverage
Time(r) free models are weaker than timed ones
Model must be sufficiently strong to solve agreement problems (uniform consensus)
Behavior described with Θ
Networks have upper and lower bounds on message transmission (derived from scheduling analysis)
BUT: during high-load periods no message is transmitted within the lower-bound duration (and vice versa during low load). There exists a relation between fast and slow transmission times.
Described Behavior (rough sketch): figure with time axis t, diagram not reproduced
System Model
δ_m ... end-to-end computation + transmission delay of message m
τ⁺(t) ... longest delay of all messages in transit at time t
τ⁻(t) ... shortest delay of all messages in transit at time t
Θ > τ⁺(t) / τ⁻(t) at any time t
System Model (figure slide, diagram not reproduced)
Comparison to other PartSync Models
Θ-Model has no upper bound on message delays
the upper bound is replaced by the delay ratio Θ
Θ-Model is sufficiently strong to detect failures without HW clocks [Le Lann, Schmid 03]
HW Timers / Watchdogs do not help in detecting faults
A priori knowledge: Θ > 2
(figure with processes p, q, r; diagram not reproduced)
Computational Model
Computation + transmission end-to-end delay δ: 0 < τ⁻ ≤ δ ≤ τ⁺ < ∞
uncertainty: τ⁺ − τ⁻
uncertainty ratio: Θ = τ⁺ / τ⁻
Equivalence
SysMod & CompMod have the same computational power
Analysis of time(r) free algorithms in CompMod
Results apply for the SysMod
Implementation of a perfect failure detector in the Θ-Model [Le Lann, Schmid 2003]
Algorithms: A Solution to a Special Problem
Clock Synchronization in the Θ-Model
Time(r) free booting
How to prove properties in the Θ-Model
Why Consider Booting?
f out of n processes Byzantine faulty
booting independently at arbitrary times
initially n faulty (not booted) processes
f < n / 3 bound cannot always be assumed
message loss
How to cope with booting?
Synchronous (lock-step) Systems
simultaneous start assumption
Semi-Synchronous (timed) Systems
booting time assumption + local timeouts
Partially Synchronous (and Asynchronous)
no local timing information: what to do?
Booting Model
Processes boot independently at unpredictable times
Messages that reach down processes are lost
Byzantine processes may always be up
passive / active processes; only active ones have to guarantee clock sync
Clock Synchronization
Original Usage of algorithm [Srikanth & Toueg 87]
Clock Sync in Partial Synchrony
Integer Valued Clocks
Booting Clock Synchronization
n > 3f processes required for CS in the presence of f Byzantine faults [DHS 86]
trivial solution: send out (join) after booting; answer (join) msgs from others; once msgs from 3f+1 processes have been received, sufficiently many correct processes are up
BUT: requires n > 4f processes for liveness
Weaken Properties during Booting
Precision is always guaranteed
Accuracy (progress) only when n−f correct processes are up
The Algorithm
  VAR k := 0;
  if received (init, k) from f+1 p's
      send (echo, k) to all;
  if received (echo, k) from f+1 p's
      send (echo, k) to all;
  if received (echo, k) from 2f+1 p's
      k := k + 1;
      send (init, k) to all;
  if received (echo, j) from f+1 p's where j > k+1
      k := j − 1;
      send (echo, k) to all;
Precision DMCB = ½ + 5/2 … for any n
How is precision achieved ?
Progress requires 2f+1 messages, of which f+1 are sent by correct processes; these messages are received by all processes, which is sufficient to keep the clock values close together
Precision is achieved by the active correct processes; a process stays passive until there is sufficient evidence for precision
How progress comes into system
after booting, send a (join) message; the join message is (echo, 0)
already booted processes answer (join) with their clock value … (echo, k)
until 2f+1 processes are up, all correct ones wait with clock value 0
How progress comes into the system (cont.)
f+1 correct processes are always within 2 rounds
f+1 correct p's always send (init, k)
as the answers from the 2 maximum rounds return, go to the good clock value
after n−f correct p's are up: progress
change to active after reception of f+1 (init, l) msgs
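The threshold rules of the algorithm above together with the join/booting behaviour of the last two slides, as an added discrete-event simulation (this is not the author's code). Assumptions: end-to-end delays are uniform in [TAU_MINUS, TAU_PLUS], so Θ = 3; the last f processes are Byzantine and flood bogus (init, 99)/(echo, 99) messages when they boot; a message reaching a not-yet-booted process is lost; a booted process answers a join with a point-to-point (echo, k); the names simulate, horizon, settle and the boot scenarios are mine.

```python
# Simulation of the f+1 / 2f+1 threshold rules of the booting clock sync
# algorithm on the slides (added illustration, not the author's code).
import heapq, random
from collections import defaultdict

TAU_MINUS, TAU_PLUS = 1.0, 3.0   # assumed delay bounds, i.e. Theta = 3

def simulate(n, f, boot_times, horizon=80.0, settle=40.0, seed=1):
    """Return (clocks of the correct processes at `horizon`, largest clock
    spread among booted correct processes observed from `settle` on)."""
    rnd, byz = random.Random(seed), set(range(n - f, n))  # last f: Byzantine
    clk = {p: 0 for p in range(n)}                         # integer clock k
    rcv = {p: defaultdict(set) for p in range(n)}          # (type, j) -> senders
    echoed, up, ev, seq, spread = {p: set() for p in range(n)}, set(), [], 0, 0
    def send(t, src, typ, j, dsts=None):  # delay drawn from [TAU_MINUS, TAU_PLUS]
        nonlocal seq
        for d in (range(n) if dsts is None else dsts):
            seq += 1
            heapq.heappush(ev, (t + rnd.uniform(TAU_MINUS, TAU_PLUS), seq, d, src, typ, j))
    def echo(t, p, v):                    # (echo, v) is sent to all at most once
        if v not in echoed[p]:
            echoed[p].add(v); send(t, p, "echo", v)
    for p, bt in boot_times.items():
        seq += 1; heapq.heappush(ev, (bt, seq, p, p, "boot", 0))
    while ev and ev[0][0] < horizon:
        t, _, p, src, typ, j = heapq.heappop(ev)
        if typ == "boot":
            up.add(p)
            if p in byz:                  # Byzantine: flood bogus high values
                send(t, p, "init", 99); send(t, p, "echo", 99)
            else:
                echo(t, p, 0)             # join message is (echo, 0)
            continue
        if p not in up or p in byz:       # message reaching a down process is lost
            continue
        rcv[p][(typ, j)].add(src)
        cnt = len(rcv[p][(typ, j)])
        if typ == "echo" and j == 0 and clk[p] > 0 and src != p:
            send(t, p, "echo", clk[p], [src])  # answer a join with own clock value
        if cnt >= f + 1:                  # f+1 (init|echo, j) seen: send (echo, j)
            echo(t, p, j)
        if typ == "echo" and cnt >= f + 1 and j > clk[p] + 1:
            clk[p] = j - 1; echo(t, p, clk[p])  # catch-up: k := j-1, echo it
        while len(rcv[p][("echo", clk[p])]) >= 2 * f + 1:
            clk[p] += 1; send(t, p, "init", clk[p])  # tick: k := k+1, (init, k)
        if t >= settle and up - byz:      # track precision among booted correct p's
            ks = [clk[q] for q in up - byz]
            spread = max(spread, max(ks) - min(ks))
    return {q: clk[q] for q in range(n) if q not in byz}, spread
```

With n = 5, f = 1 and one correct process booting late, the flooded value 99 never reaches a correct clock, the late process catches up, and clocks stay within precision; with n = 4, f = 1 and only two correct processes up, no clock moves, matching "no progress until 2f+1 processes are up".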
Results
Bounded precision D_max during the whole operation
if fewer than n−f processes are up: no progress; with more than n−f up: progress possible
if all (at least n−f) correct processes are up: progress within constant time ( 6+)
then all correct p's have good precision D_MCB
What have we seen today?
Θ-Model (SysMod & CompMod)
How properties are proven (precision)
Solution to the important problem of booting in time(r)-free systems
Thanks!