Successfully reported this slideshow.

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Pwl rewal-slideshare

  1. 1. Ineluctable modality of the distributed On Joseph Halpern’s work on knowledge in distributed systems Peter Alvaro UC Berkeley
  2. 2. choose-your-own-adventure talk
  3. 3. Last time at PWL… •  The agreement problem(s) •  Impossibility results •  A “weakest” failure detector Today: knowledge  
  4. 4. It’s not just for byzantine stuff I'm not a great fool, so I can clearly not choose the wine in front of you. But you must have known I was not a great fool; you would have counted on it, so I can clearly not choose the wine in front of me.
  5. 5. Why you should care A correct distributed program achieves (nontrivial) distributed property X. Some tricky questions before we start coding: 1.  Is X even attainable? 2.  Cheapest protocol that gets me X? 3.  How should I implement it?
  6. 6. A strong claim about distributed correctness properties   Uncertainty is what makes reasoning about distributed systems difficult. Uncertainty is the abundance of possibilities. Knowledge is the dual of possibility
  7. 7. A strong statement about protocols How: Protocols just describe what actions to take based on local knowledge. Why: Protocols are just mechanisms to ensure that a group has shared knowledge of a fact.
  8. 8. A good paper about bridging the gap between properties and protocols
  9. 9. For example •  Commit protocols – each agent knows the commit/abort decision AND knows that all agents know the decision •  Distributed garbage collection – an agent knows that no remote references exist to a particular object, and that all other agents know
  10. 10. For example •  When the leader has received phase 2b messages for value v and ballot bal from a majority of the acceptors, it knows that the value v has been chosen. [paxos] •  a process takes a checkpoint when it knows that all processes on which it computationally depends took their checkpoints [An Efficient Protocol for Checkpointing Recovery in Distributed Systems, Kim and Park] •  and therefore a cohort with a later viewstamp for some view knows everything known to a cohort with an earlier viewstamp for that view. [viewstamped replication] •  Since each member of Si serves as an arbitrator, the requesting node knows that it is the only node that has been granted mutual exclusion [A sqrt(N) Algorithm for Mutual Exclusion in Decentralized Systems, Maekawa]
  11. 11. Warmup: RPC protocols Hi! Alice Bob
  12. 12. Warmup: RPC protocols Hi! Alice Bob Issue: uncertainty! Uncertain environment è Uncertain outcomes
  13. 13. Warmup: RPC protocols Alice Bob Issue: uncertainty! Uncertain environment è Uncertain outcomes
  14. 14. Warmup: RPC protocols Hi! Retry   Alice Bob
  15. 15. Warmup: RPC protocols Hi! Retry   Alice Bob
  16. 16. Warmup: RPC protocols Hi! Retry   Alice Bob
  17. 17. Warmup: RPC protocols Hi! Retry   Alice Bob
  18. 18. Warmup: RPC protocols Hi! Retry   Alice Bob
  19. 19. Warmup: RPC protocols Hi! Issues: infinite (sender) behavior & state, at-least-once delivery Retry   Alice Bob
  20. 20. Warmup: RPC protocols Hi! Retry with ACKS Hi! Alice Bob
  21. 21. Warmup: RPC protocols Hi! Retry with ACKS Hi!Hi! Alice Bob Hi!
  22. 22. Warmup: RPC protocols Hi! Hi yourself Retry with ACKS Hi! Issues: at-least once delivery Hi! Alice Bob Hi!
  23. 23. Warmup: RPC protocols Hi! Hi yourself Retry with ACKS Hi! Issues: at-least once delivery Hi! Alice Bob
  24. 24. Warmup: RPC protocols Retry with ACKS Issues: at-least once delivery Alice Bob Hi!
  25. 25. a  good  paper  about  principled  distributed  GC  
  26. 26. Warmup: RPC protocols Hi! Issues: infinite receiver state Receiver buffers, dedups Alice Bob
  27. 27. Warmup: RPC protocols Issues: infinite receiver state Hi! Receiver buffers, dedups Alice Bob
  28. 28. Warmup: RPC protocols Hi! ACK-ACKing Hi! Alice Bob
  29. 29. Warmup: RPC protocols Hi! Hi yourself ACK-ACKing Hi! Issue: uncertainty Alice Bob
  30. 30. Warmup: RPC protocols Hi! Hi yourself ACK-ACKing Hi! Alice Bob
  31. 31. Warmup: RPC protocols ACK-ACKing Hi! Alice Bob Ahoy  
  32. 32. Warmup: RPC protocols ACK-ACKing Hi! Alice Bob Ahoy  
  33. 33. Warmup: RPC protocols ACK-ACKing Alice Bob
  34. 34. Warmup: RPC protocols ACK-ACKing Issue: uncertainty Alice Bob
  35. 35. Warmup: RPC protocols Issues: infinite hot potato Alice Bob
  36. 36. Warmup: RPC protocols Issues: infinite hot potato Alice Bob
  37. 37. Warmup: RPC protocols Issues: infinite hot potato Alice Bob
  38. 38. Warmup: RPC protocols Issues: infinite hot potato Alice Bob
  39. 39. what does this remind me of? Refresher: the two generals problem
  40. 40. Logic time
  41. 41. (propositional) logic ϕ ϕ if ϕ is atomic ϕ ∧ ψ true if both ϕ and ψ are true ¬ϕ true if ϕ is false Sweet duality: ϕ ∨ ψ = ¬(¬ϕ ∧ ¬ψ) ϕ ⇒ ψ= ¬(ϕ ∧ ¬ψ) q ⇒ p p = “the write is stable” q = “the write is acknowledged”
  42. 42. modality, duality ∃xϕ === ¬∀x ¬ϕ ¯ϕ === ¬£¬ϕ Symbol   Temporal   Deon/c   Epistemic   ¯   Some8mes   Is  permi:ed   Is  possible   £   Always   Is  obligatory   Is  known   Knowledge is the dual of possibility
  43. 43. Epistemic modal logic ϕ = “the write is stable” Kaliceϕ = “alice knows ϕ” KaliceKbobϕ = “alice knows bob knows ϕ” KaliceKbobKcarolϕ = “alice knows bob knows carol knows ϕ” […]
  44. 44. Epistemic modal logic ϕ = “the write is stable” Eϕ = “everyone* knows ϕ” EEϕ = “everyone knows everyone knows ϕ” […] A driver will not feel safe going when he sees a green light unless he knows that everyone else knows and follows the rules.
  45. 45. Common knowledge ϕ = “the write is stable” Eϕ = “everyone* knows ϕ” EEϕ = “everyone knows everyone knows ϕ” […] Eiϕ = “(everyone knows * i) ϕ” Cϕ = E∞ϕ = “it is common knowledge that ϕ”
  46. 46. Distributed knowledge ϕ = “the write is stable” Dϕ = “ϕ is implicitly known by the group” Sϕ = “someone knows ϕ”
  47. 47. Protocols  climb  the  hierarchy   Cϕ […] Ek+1ϕ […] Eϕ Sϕ Dϕ ϕ  
  48. 48. Protocols  climb  the  hierarchy   Cϕ […] Ek+1ϕ […] Eϕ Sϕ Dϕ ϕ   Deadlock detection ϕ is distributed knowledge   Someone knows ϕ
  49. 49. Protocols  climb  the  hierarchy   Cϕ […] Ek+1ϕ […] Eϕ Sϕ Dϕ ϕ   Reliable broadcast Someone knows ϕ ϕ is distributed knowledge   Everyone knows ϕ
  50. 50. Protocols  climb  the  hierarchy   Cϕ […] E3ϕ E2ϕ Eϕ Sϕ Dϕ ϕ   Uniform Reliable broadcast Someone knows ϕ ϕ is distributed knowledge   Everyone knows ϕ Everyone knows everyone knows ϕ
  51. 51. Protocols  climb  the  hierarchy   Cϕ […] E3ϕ E2ϕ Eϕ Sϕ Dϕ ϕ   Someone knows ϕ ϕ is distributed knowledge   Everyone knows ϕ Everyone knows everyone knows ϕ Some crazy BFT protocol (Everyone knows)k ϕ
  52. 52. Protocols  climb  the  hierarchy   Cϕ […] E3ϕ E2ϕ Eϕ Sϕ Dϕ ϕ   Knowledge  Highway   E10ϕ          10   E100ϕ                    100   Cϕ  ∞  
  53. 53. Applications of knowledge A correct distributed program achieves (nontrivial) distributed property X. Some tricky questions before we start coding: 1.  Is X even attainable? 2.  Cheapest protocol that gets me X? 3.  How should I implement it?
  54. 54. Applications: impossibility “in a system in which communication is not guaranteed, common knowledge of initially-undetermined facts is not attainable in any run of any protocol.” Corollary: the 2 generals problem is unsolvable
  55. 55. Let’s use knowledge to prove it! But first… lots of formalism to get through L
  56. 56. Road map for the proof: 1.  Semantics of modal logic 2.  Distributed system model 3.  A quick and easy lemma 4.  Big theorem: Common knowledge is not attainable via protocol 5.  Lemma 2: if the generals attack, they have common knowledge of the attack. 6.  Corollary: 2 generals is unsolvable
  57. 57. Semantics
  58. 58. Semantics: structures Formulae are well-formed, meaningless strings of symbols Structures give meaning to formulae (in the very narrow sense of making them all either true or false) S |= ϕ
  59. 59. Semantics: propositional structures Propositional formula: S |= p ∧ q Need: 1.  a map S from variable names to T/F 2.  rules; e.g. S |= ϕ ∧ ψ iff S |= ϕ and S |= ψ
  60. 60. Semantics: first-order structures First-order formula: S |= ∀x, dog(x) ⇒ big(x) ∧ likes(x, me) Need: 1.  S assigns “records” to dog, big and likes. 2.  Rules; e.g. S |= ∀xφ iff for all d ∈  |S|,  S[x  :=  d]  |=  φ  
  61. 61. Semantics: first-order structures •  First-order logic: S |= ∀x, dog(x) ⇒ big(x) ∧ likes(x, me) dog   Rex   Fido   Rover   big   Rex   Fido   me   likes   Rex   me   Fido   me   Rover   me   me   me  
  62. 62. couple good papers about using FO logic to program distributed systems
  63. 63. Semantics – modal logic S |= (£¬p) ∧ (q ⇒ ¯r) Need: a structure that can interpret the propositional formulae under different modalities Kripke structure: (W, π, R) •  W is a set of worlds •  For each element of W, π is a propositional structure •  R is an accessibility relation among elements of W S1   S3  
  64. 64. Semantics – modal logic Temporal logic S |= (£¬p) ∧ (q ⇒ ¯r)  q      r   r  q   S1   S3   S2   Kripke structure: (W, π, R)  
  65. 65. Semantics – modal logic Epistemic logic S |= r ∧ ¬Kir ∧ Ki(Kjr or Kj¬r) ∧ Kjr ∧ ¬Kj¬Kir  q      r   r  q   S1   S3   S2   i   j   Kripke structure: (W, π, Ri)  
  66. 66. a model of distributed systems (r,t) p1 p2 p3 p4 Idealized time }h(p4,r,t) A run r ∈ R
  67. 67. Knowledge-based interpretations Knowledge interpretation: I = (R, π, {v1,v2,[..]}) Knowledge point: (I, r, t) R – a set of runs π – assigns a truth assignment to propositions for each point in R vi – A view function for R for some agent i (determined by h) Kripke structure: (W, π, R)  
  68. 68. Truth in a knowledge interpretation (I,r,t) |= φ iff π(r,t)(φ) = true (If φ is a ground formula) (I,r,t) |= ¬φ iff (I,r,t) |= φ (I,r,t) |= φ ∧ ψ iff (I,r,t) |= φ and (I,r,t) |= ψ (I,r,t) |= Kiφ iff (I,r’,t’) |= φ for all (r’,t’) in R satisfying v(pi,r,t) = v(pi,r’,t’)   (I,r,t) |= Eφ iff (I,r’,t’) |= Kiφ for all pi (I,r,t) |= Cφ iff (I,r’,t’) |= Ekφ for all k
  69. 69. choose-your-own-adventure •  If you’d like to gloss over the proof and skip to other applications of knowledge, turn to page 62 •  If you’d like to dive into the weeds, turn to page 54.
  70. 70. Truth in a knowledge interpretation (I,r,t) |= Cφ iff (I,r’,t’) |= Ekφ for all k Fixed point axiom: Cφ = E(φ ∧ Cφ) Induction rule: From φ ⇒ E(φ ∧ ψ) infer φ ⇒ Cψ
  71. 71. communication is not guaranteed   NG1: For all runs r and times t, there exists a run r’ extending (r,t) such that […] no messages are received in r’ at or after time t. NG2: If in run r processor pi does not receive any messages in the interval (t’,t), then there is a run r’ extending (r,t’) such that […] h(pi,r,t’’) = h(pi,r’,t’’) for all t’’ < t, and no processor pj != pi receives a message in r’ in the interval (t’,t).  
  72. 72. Lemma 1 If, in two different runs (r and r’) of the same protocol, some h(p, r, t) = h(p, r’, t), then (I, r, t) |= Cφ iff (I, r’, t) |= Cφ Sorry, no proof today!
  73. 73. Common knowledge is not attainable in a system in which communication is not guaranteed Take runs r and r- in R, with the same initial configuration, s.t. no messages are received in r- up till time t. Then (I,r,t) |= Cφ iff (I,r-,t) |= Cφ. Proof (by induction on d(r)*):   •  Base case: d(r)=0. h(p1,r,t) = h(p1,r-,t). By Lemma 1, (I,r,t) |= Cφ iff (I,r-,t) |= Cφ. *  d(r)  is  the  number  of  messages  received  in  run  r.  
  74. 74. Common knowledge is not attainable in a system in which communication is not guaranteed Inductive case: d(r) = k+1. Let:   •  t’ < t -- the latest time a message is received in r before t. •  pj -- a processor that received a message at t’ •  pi –a processor (!= pj) By NG2, there is a run r’ extending (r,t’) s.t. h(pi,r,t’’)=h(pi,r’,t’’) for all t’’ <= t, and all processors (besides pi) receive no messages in the interval (t’, t). By construction, d(r’) <= k, so by the IH (I,r’,t) |= Cφ iff (I,r-,t) |= Cφ. But since h(pi,r,t) = h(pi,r’,t), by Lemma 1 (I,r’,t) |= Cφ iff (I,r,t) |= Cφ. So (I,r,t) |= Cφ iff (I,r-,t) |= Cφ. QED
  75. 75. Common knowledge is not attainable in a system in which communication is not guaranteed Review: we showed that common knowledge cannot be gained (or lost) by exchanging messages. Corollary: the 2 generals will never attack. But we still need to prove one more lemma: Any correct protocol for coordinated attack has the property that whenever the generals attack, it is common knowledge that they are attacking.
  76. 76. Lemma 2: coordinated attack requires common knowledge Let ψ = the generals are attacking Assume the generals (A and B) attack at (r*, t*) – we show that (I,r*,t*) |= Cψ. Pick an arbitrary point (r,t). We show ψ ⇒ Eψ is valid in R. •  If (I,r,t) |= ψ, then the generals attack at (r,t). Consider (r’,t’), in which A has the same history at (r,t). Since the protocol is deterministic (assumption), A must also attack in (r’,t’); since the protocol is correct, B does also, and so (I,r’,t’) |= ψ. It follows that (I,r,t) |= Eψ, so ψ ⇒ Eψ is valid in R. •  If (I,r,t) |= ¬ψ, then trivially ψ ⇒ Eψ is valid in R. By the induction rule, ψ ⇒ Cψ is valid in R
  77. 77. Coup de grace ψ = the generals are attacking 1.  By assumption, Cψ does not hold if no messages are exchanged. 2.  By theorem 1, Cψ will never hold. 3.  By lemma 2, the generals cannot attack unless Cψ.  
  78. 78. Phew. but…? Common knowledge is a prerequisite for agreement. Common knowledge is not attainable via protocol.
  79. 79. Halpern: These results may seem paradoxical.
  80. 80. Reality check Fragile assumptions on which the proofs rest: •  Deterministic protocol •  Simultaneous agreement is necessary •  “Communication not guaranteed” •  Lack of useful a priori common knowledge
  81. 81. Bootstrapping common knowledge •  The ``weakest failure detector’’ •  Spanner’s global clock •  Sequence wraparound
  82. 82. Applications of knowledge A correct distributed program achieves (nontrivial) distributed property X. Some tricky questions before we start coding: 1.  Is X even attainable? 2.  Cheapest protocol that gets me X? 3.  How should I implement it?
  83. 83. lower bounds for protocols [Hadzilacos, PODS’87]: A knowledge-theoretic analysis of atomic commitment protocols 1.  All of the variants of 2pc ((de-)centralized, linear/nested, etc) are identical from a knowledge perspective 2.  All 2PC variants attain the minimum level of knowledge needed to commit 3.  3PC attains the minimum needed to commit without blocking 4.  Lower bound for messages: nested 2PC.
  84. 84. A good paper about automatically choosing cheap coordination mechanisms
  85. 85. Applications of knowledge A correct distributed program achieves (nontrivial) distributed property X. Some tricky questions before we start coding: 1.  Is X even attainable? 2.  Cheapest protocol that gets me X? 3.  How should I implement it?
  86. 86. protocol implementation / synthesis •  Halpern and Fagin: knowledge-based programming [PODC’95]   case  of      K(Msg)  and  (KE(AckedMsg))  do  deliver(Msg)    K(Msg)  and  !KE(AckedMsg)  do  relay(Msg)       end   •  Matteo interlandi [Datalog2.0’11]: Knowlog: knowledge-enriched Dedalus  log(Tx_id,"abort")@next  :-­‐  Dvote(Vote,Tx_id),Vote=="no",                    par8cipants(X),transac8on(Tx_id,State),State=="vote-­‐req".    
  87. 87. A good paper about Dedalus
  88. 88. Monotonicity and knowledge Monotonic: the more you know, the more you know. Cϕ […] E3ϕ E2ϕ Eϕ Sϕ Dϕ ϕ  
  89. 89. A good paper about monotonicity and distributed consistency
  90. 90. Remember •  Knowledge is the dual of possibility •  Local knowledge dictates protocol behavior •  The purpose of protocols is obtaining a particular level of distributed knowledge •  Deep connections between semantic structures and system behavior •  Common knowledge is unattainable via protocol (but there is still hope)
  91. 91. Protocols  climb  the  hierarchy   Cϕ […] E3ϕ E2ϕ Eϕ Sϕ Dϕ ϕ   Knowledge  Highway   E10ϕ          10   E100ϕ                    100   Cϕ  ∞  

Editor's Notes

  • Protocols are so very often just mechanisms to ensure that a group has shared knowledge of a fact.
  • State FLP.
    Today we’ll revisit these ideas. Find a common basis for a large family of impossibility results, lower bounds, and the raison d’etre of protocols: changing the state of distributed knowledge
  • When I talk about DS in terms of what I know about what you know about what, the first thing you may think of is adversaries and byzantine systems. But forget about that for now. We’ll study non-byzantine protocols. Inconceivable? Hold on tight
  • Due to the abundance of possible network behaviors and failures, it’s incredible hard to reason about program correctness.
    As we’ll see in a moment, KDP – the more we think is possible, the less we know. Knowing something is realizing that it’s impossible that it’s not so.
    Reasoning about Knowledge can give us unique insights into what’s fundamental about DS, protocols, etc.
  • Now, this is only interesting if “knowledge” is a subtle thing…
  • First example is trivial – knowledge is a NOOP.
    But it gets richer…
  • Flat knowledge, global knowledge
    Intesection of knowledge across groups
    Global knowledge in ME
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • When could the sender clean up her buffer? When she knows that the receiver knows the message.
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • But how deep does it go? It turns out it goes all the way.
  • Pause here. The first great and obvious application is proving impossibility results. We’ll spend a bunch of time here if you like!
  • Wat is semantics?
  • Wat is semantics?
  • We “hold up” a formula to a structure too see if it’s truthy. The structures need (should) conform to our intuitions about real things.
    “semantics” are the rules that tell us (precisely) how to tell if a formula is true in a structure
  • S needs to give us a domain (a universe of discourse) and relations over the domain (also, fussily, some constant & variable symbols, and sugaring in the form of functions.
    (this starts to seem like real life. The structure N of the natural numbers, along with the constant 0 and arithmetic functions is a nice structure) (S is essentially a database)
  • S needs to give us a domain (a universe of discourse) and relations over the domain (also, fussily, some constant & variable symbols, and sugaring in the form of functions.
    (this starts to seem like real life. The structure N of the natural numbers, along with the constant 0 and arithmetic functions is a nice structure)
  • “The system is deadlock-free, and every request eventually gets a response”
    This model does NOT satisfy the formula.
  • “The system is deadlock-free, and every request eventually gets a response”
    This model does NOT satisfy the formula.
    The stroke of genius – to associate a kripke structure with a transition system – got emerson and clarke their 2007 turing award.
  • The system is deadlock-free, and every request eventually gets a response
    This model does NOT satisfy the formula.
    Show a REAL kripke structure
  • introduce (r,t). – a point in idealized time that cuts all the process lines.
    Sometimes we talk about R, the set of all runs for a DS, or for a protocol protocol in a model
  • To make things simpler, let’s just say that v = h – ie, agents have infinite memory and are logically omniscient, in the sense that they “know” everything that follows from what they know.
  • We have the structure – now we just need the precise rules.
    CHECK ME!!!!
  • A processor knows something
  • NG1: at some point, messages could stop being received forever.
    NG2: for any run in which some processor P receives no messages during some interval i-j there is another run in which no other processor does either.
    NG2 is broken.
  • This is easy to show. Processor’s knowledge is just their initial state and their history. If even one processor can’t tell the difference btw two runs, then the formula holds – any state of group knowledge must be the same, since it involves her knowledge.
  • ×