Hwajung Lee

Technique for spontaneous healing. Forward error recovery. Guarantees eventual safety following

failures.

Feasibility demonstrated by Dijkstra (CACM 74)

Recover from any initial configuration to a legitimate configuration in a bounded number of steps, as long as the codes are not corrupted.

Transient failures perturb the global state. The ability to spontaneously recover from any initial state implies that no initialization is ever required.

Such systems can be deployed ad hoc, and are guaranteed to function properly in bounded time

Self-stabilizing systems exhibits non-masking fault-tolerance. It satisfies the following two criteria fault

1. Convergence2. Closure

Not L Lconvergence

closure

System behavior spontaneously changes when the environment changes

A traffic control system

Thus the legal configuration is L = (E L1) (E L2)

Environment E = morning (0) / afternoon (1)

Let the morning invariant be L1 andThe afternoon invariant be L2

01 62 4 753

N-1

Consider a unidirectional ring of processes. In the legal configuration, exactly one tokenwill circulate in the network

0

{Process 0} do x[0] = x[N-1] x[0] := x[0] + 1 od{Process j > 0} do x[j] ≠ x[j -1] x[j] := x[j-1] od

The state of process j is x[j] {0, 1, 2, K-1}

(TOKEN = ENABLED GUARD)

Hand -execute this first, before reading further.Start the system from an arbitrary initial configuration

Why will it work?As long as K > N, there is at least one value x (O≤ x ≤K-1) that is NOT the initial state of any node (pigeonhole principle)

• There is no deadlock• Number of tokens never increases (closure)• Processes 1..N-1 acquire their states from their left side• Eventually process 0 attains the state x• Thereafter in N-1 steps, all processes attain the state x.• This is a legal configuration (only process 0 has a token) (convergence).• So the system stabilizes.

Given a connected graph G = (V,E) and a root r, design an algorithm for maintaining a spanning tree in presence of transient failures that may corrupt the local states of processes.

Let n = |V|

Each process i has two variables:L(i) = Distance from the root via tree edgesP(i) = parent of process iN(i) denotes the neighbors of i

By definition L(r) = 0, and P(r) is undefined. 0 ≤ L(i) ≤ n. In a legal state

i V: i ≠ r:: L(i) ≠ n and L(i) = L(P(i)) +1.

0

1

2

5

4

3

0

1

2

5

4

3

1

2

3 4

5

P(2) is corrupted

do (L(i) ≠ n) (L(i) ≠ L(P(i)) +1) (L(P(i)) ≠ n)

L(i) :=L(P(i)) +1 (0)

(L(i) n) (L(P(i)) =n) L(i):=n (1) (L(i) =n) (k N(i):L(k) < n-1)

L(i) :=L(k)+1; P(i):=k (2)

od

Define an edge from i to P(i) to be well-formed, when L(i) ≠ n, L(P(i) ≠ n and L(i) = L(P(i)) +1. In any configuration, the well-formed edges form a spanning forest. Delete all edges that are not well-formed. Designate each tree T(k) in the forest by the lowest value of L in it.

In the sample graph shown earlier.T(0) = {0, 1}T(2) = {2, 3, 4, 5}

Let F(k) denote the number of T(k) in the forest.Define a tuple F= (F(0), F(1), F(2) …, F(n)). For the sample graph, F = (1, 0, 1, 0, 0, 0) afternode 2 has a transient failure.

Minimum F = (1,0,0,0,0,0) {legal configuration}

Maximum F = (1, n-1, 0, 0, 0, 0).

With each action of the algorithm, F decreases

lexicographically. Verify the claim!

This proves that eventually F becomes (1,0,0,0,0,0)

and the spanning tree stabilizes.

What is the time complexity of this algorithm?