Josef WidderBooting Clock Synchronization1 The - Model, and how to Boot Clock Synchronization in it...

Josef Widder Booting Clock Synchronization

1

The - Model, and how toBoot Clock Synchronization in it

Josef WidderEmbedded Computing Systems [email protected]

INRIA Rocquencourt, February 10, 2004


2

Good System Engineering

Computational Model

Algorithms proven correctly in CompMod

System Model

Communication LayerHardware

today


3

Roadmap

Basic Concepts of the - Model Why do we need a new timing model ? System Model / Computational Model

Solution to a Specific Problem Booting Clock Synchronization


4

Motivation for the - Model

Weaker models improve coverage

Time(r) free models are weaker than timed ones

Model must be sufficiently strong to solve agreement problems (uniform consensus)


5

Behavior described with

Networks have upper and lower bounds on message transmission (derived from scheduling analysis)

BUT: during high load periods, no message is transmitted with lower bound duration (vice versa) There exists an relation of fast and slow

transmission times


6

Described Behavior (rough sketch)

t


7

System Model

m ... end-to-end comp. + transmission delay +(t) ... longest delay of all messages in transit at

time t

-(t) ... shortest delay of all messages in transit at time t

> +(t) / -(t) at any time t


8

System Model


9

Comparison to other PartSync Models

- Model has no upper bound of message delays

upper bound is replaced by delay ratio

- Model is sufficiently strong to detect failures without HW Clocks [Le Lann, Schmid 03]


10

HW Timers / Watchdogs do not help in detecting faults

A priori knowledge > 2

p

r

q


11

Computational Model

Comp. + transmission end-to-end delay

0 < - + <

uncertainty = + - -

uncertainty ratio = + / -


12

Equivalence

SysMod & CompMod have the same computational power

Analysis of time(r) free algorithms in CompMod

Results apply for the SysMod

Implementation of perfect failure detector in the - Model [Le Lann, Schmid 2003]


13

Algorithms - A Solution to a Special Problem

Clock Synchronization in the - Model

Time(r) free booting

How to prove properties in the - Model


14

Why Considering Booting ?

f out of n processes Byzantine faulty

booting independently at arbitrary times

initially n faulty (not booted) processes

f < n / 3 bound cannot always be assumed

message loss


15

How to cope with booting ?

Synchronous (lock-step) Systems

simultaneous start assumption

Semi-Synchronous (timed) Systems

booting time assumption + local timeouts

Partially Synchronous (and Asynchronous)

no local timing information: What to do ?


16

Booting Model

Processes boot independently at unpredictable times

Messages that reach down processes are lost

Byzantine processes may always be up

passive / active processes; only active ones have to guarantee clock sync


17

Clock Synchronization

Original Usage of algorithm [Srikanth & Toueg 87]


18

Clock Sync in Partial Synchrony

Integer Valued Clocks


19

Booting Clock Synchronization

n > 3f processes required for CS in the presence of f Byzantine faults [DHS 86]

trivial solution: send out (join) after booting answer (join) msgs from others when received msgs from 3f+1 processes,

sufficiently many correct processes are up

BUT: requires n > 4f processes for liveness


20

Weaken Properties during Booting

Precision is always guaranteed Accuracy (progress) only when n–f

correct processes are up


21

The Algorithm0 VAR k := 0;1 if received (init, k) from f+1 p's2 send (echo, k) to all;

3 if received (echo, k) from f+1 p's 4 send (echo, k) to all;

5 if received (echo, k) from 2f+1 p's6 k := k + 1;7 send (init, k) to all;

8 if received (echo, j) from f+1 p's where j > k+1

9 k := j–1;10 send (echo, k) to all;


22

Precision DMCB = ½ + 5/2 … for any n


23

How is precision achieved ?

Progress requires 2f +1 messages

that are f +1 sent by correct processes these messages are received by all processes sufficient to keep clock values close together

Precision achieved by active correct processes passive until sufficient evidence for precision


24

How progress comes into system

after booting send (join) message join message is (echo, 0)

already booted processes answer (join) with clock value … (echo, k)

until 2f+1 processes are up all correct ones wait with clock value 0


25

How progress comes into system (cont.) f +1 correct processes are always within 2

rounds f +1 correct p’s always send (init, k)

as answers from the 2 maximum rounds return go to good clock value after n-f correct p’s are up progress

change to active after reception of f+1 (init, l) msgs


26

Results

Bounded Precision Dmax during whole operation

if less than n-f processes up: no progress more than n-f progress possible

if all (at least n-f) correct processes up: progress within constant time ( 6+)

then all corr. p’s with good precision DMCB


27

What have we seen today ?

- Model (SysMod & CompMod)

How properties are proven (precision)

Solution to the importent problem of booting in time(r) free systems


28

Thanks !

Josef WidderBooting Clock Synchronization1 The - Model, and how to Boot Clock Synchronization in it...

Documents

Transcript of Josef WidderBooting Clock Synchronization1 The - Model, and how to Boot Clock Synchronization in it...