Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH...

Impossibility of Consensus in Asynchronous Systems (FLP)Ali Ghodsi – UC Berkeley / KTH

alig(at)cs.berkeley.edu

Ali Ghodsi, alig(at)cs.berkeley.edu 2

Modified Model

A correct node can always make a “dummy” transition For state s of a node, there exists a transition ss There exists always an applicable event on every

process

There are no inbufs/outbufs, There is one set of messages M, i.e. “network cloud” Message consists of <sender, payload, destination> Messages are unique


Configurations

Each configuration contains the state of each node, and The set of messages in the network, M

Initial config is a config where M is empty and all nodes are in initial state

Configuration

< p1_state,

p2_state,

p3_state,

{m1, m2} >


Events, Applicable, Executions… An event <p,m> is the receipt of

message m After the receipt of m, node p

deterministically updates its state (transition function) and puts sent messages in M

<p,m> applicable in config C iff m is in C.M

Execution is a sequence of configurations An applicable event is applied between

configs


Intuition behind model

receive <tok, y> from qfor x:=1 to 3 dobegin

y:=y+1;send <tok, y> neighp[x];

endreceive <tok, z> from q;print z+y

Receipt event e

Initial state of p

State of p after receipt of e

Deterministic transition: update state, send

messages

Receipt event f

Deterministic transition

State of p after receipt of f


Consensus Correctness (weak) A 1-crash-robust consensus satisfies:

Termination All correct nodes eventually decide

Agreement In every config, decided nodes have decided same value (0

or 1)

Non-triviality (weak validity) There exists one possible input config with outcome decision

0, and There exists one possible input config with outcome decision

1 Example, maybe input “0,0,1”->0 while “0,1,1”->1 Validity implies non-triviality (”0,0,0” must be 0 and ”1,1,1” must

be 1)


Definitions

0-decided configuration A configuration with decide ”0” on some process

1-decided configuration A configuration with decide ”1” on some process

0-valent configuration A config in which every reachable decided configuration is a 0-

decide

1-valent configuration A config in which every reachable decided configuration is a 1-

decide

Bivalent configuration A configuration which can reach a 0-decided and 1-decided

configuration


Definitions Illustrated 1(4)

0-decided configuration A configuration with decide ”0” on some

process0-decided configuration

{ STATE2,

STATE,5

DECIDE-0,

STATE7

{msg1, msg2}

}

At least of them is in

state DECIDE-0msg1

msg

2

P1 state2

P2 state5

P4 state7

P3 decide0


Definitions Illustrated 2(4) 0-valent configuration

No 1-decided configurations are reachable Future determined, means ”everyone will decide 0”

0- valent configuration

{ P1_state,

P2_state,

P3_state,

P4_state,

{msg1}

}

0-valent configuration

{ P1_state,

P2_state2,

P3_state,

P4_state,

{msg1}

}


{ decide-0,

P2_state,

P3_state,

P4_state,

{msg1, msg2}

}


{ decide-0,

P2_state2,

P3_state2,

P4_state,

{msg1, msg2}

}


{ decide-0,

P2_state,

P3_state,

decide-0,

{ msg2}

}


{ decide-0,

P2_state2,

P3_state2,

decide-0,

{ msg2}

}


{ decide-0,

P2_state,

decide-0,

P4_state,

{msg1, msg2}

}


{ decide-0,

P2_state3,

P3_state,

decide-0,

{}

}


Definitions Illustrated 3(4) 1-valent configuration

No 0-decided configurations are reachable Future determined, means ”everyone will decide 1”

1- valent configuration

{ P1_state,

P2_state,

P3_state,

P4_state,

{msg1}

}


{ P1_state,

P2_state2,

P3_state,

P4_state,

{msg1}

}


{ decide-1,

P2_state,

P3_state,

P4_state,

{msg1, msg2}

}


{ decide-1,

P2_state,

P3_state,

decide-1,

{ msg2}

}


{ decide-1,

P2_state2,

P3_state2,

decide-1,

{ msg2}

}


{ decide-1,

P2_state,

decide-1,

P4_state,

{msg1, msg2}

}


{ decide-1,

P2_state3,

P3_state,

decide-1,

{}

}


{ decide-1,

P2_state2,

P3_state2,

P4_state,

{msg1, msg2}

}


Definitions Illustrated 4(4) Bivalent configuration

Both 0 and 1-decided configurations are reachable Future undetermined, could go either way…

Bivalent config.

{ P1_state,

P2_state,

P3_state,

P4_state,

{msg1}

}

0-valent config.

{ P1_state,

P2_state2,

P3_state,

P4_state,

{msg1}

}

1-valent config.

{ decide-1,

P2_state5,

P3_state6,

P4_state5,

{msg1, msg3}

}

0-valent config.

{ decide-0,

P2_state2,

P3_state2,

P4_state,

{msg1, msg2}

}

1-valent config.

{ decide-1,

P2_state5,

P3_state6,

decide-1,

{ msg2}

}

0-valent config.

{ decide-0,

P2_state2,

P3_state2,

decide-0,

{ msg2}

}

0-valent config.

{ decide-0,

P2_state,

decide-0,

P4_state,

{msg1, msg2}

}

1-valent config.

{ decide-1,

P2_state9,

P3_state6,

decide-1,

{}

}

FLP Impossibility Without Proofs


Bivalent Initial Configuration

Initial Bivalency Lemma (Lemma 1)

Any algorithm that solves the 1-crash consensus has an initial bivalent configuration


Main lemma: Staying Bivalent

Bivalency Preservation Lemma (Lemma 2) Given any bivalent config and any event e

applicable in There exists a reachable config where e is

applicable, and e() is bivalent

Bivalent …e

Bivalent …

e

…

…

eBivalent

Lemma 2 Illustration

(= possible)


FLP Impossibility Theorem

No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model

Proof1. Start in a initial bivalent config (Lemma 1)2. Given the bivalent config, pick the event e that has

been applicable longest Pick the path taking us to another config

where e is applicable (might be empty) Apply e, and get a bivalent config (Lemma 2)

3. Repeat 2.

Termination violated

FLP Impossibility Proofs


Bivalent Initial Configuration

Initial Bivalency Lemma (Lemma 1)

Any algorithm that solves the 1-crash consensus has an initial bivalent configuration


Proof 1/(10)

We know that the algorithm must be non-trivial There should be some initial configuration

that will lead to a 0-decide There should be some initial configuration

that will lead to a 1-decide

Take two such configuration i1 and i2 E.g. 4 processes

initial values (0,1,0,1,1) lead to 1 Initial values (0,0,1,0,0) lead to 0


Proof 2/(10)

We know there exists inputsp1, p2, p3, p4, p5

(0,1,0,1,1) leading to 1

(0,0,1,0,0) leading to 0

Lets look at other initial configurations by flipping the inputs

transforming the upper input to the lower input


Proof 3/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to ?

(0,0,1,0,0) leading to 0

Lets look at other initial configurations by

flipping the inputs transforming the upper

input to the lower input


Proof 4/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to ? (0,0,1,1,1) leading to ?

(0,0,1,0,0) leading to 0





Proof 5/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to ? (0,0,1,1,1) leading to ? (0,0,1,0,1) leading to ? (0,0,1,0,0) leading to 0





Proof 6/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to ? (0,0,1,1,1) leading to ? (0,0,1,0,1) leading to ? (0,0,1,0,0) leading to 0

There must exist two neighboring

configurations here, with two

different outcomes





Proof 7/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to 1 (0,0,1,1,1) leading to 1 (0,0,1,0,1) leading to 0 (0,0,1,0,0) leading to 0

Assume the following two

Lets look at other initial configurations by flipping the inputs


Proof 8/(10)


(0,1,0,1,1) leading to 1 (0,0,0,1,1) leading to 1 (0,0,1,1,1) leading to 1 (0,0,1,0,1) leading to 0 (0,0,1,0,0) leading to 0


Identical configurations except for

process p4


Proof 9/(10)


(0,0,1,1,1) leading to 1 (0,0,1,0,1) leading to 0

The consensus algorithm should tolerate if p4 crashes! (0,0,1,X,1), leads to ? (either 0 or 1)



Proof 10/(10)

We know there exists inputs p1, p2, p3, p4, p5

(0,0,1,1,1) leading to 1 (0,0,1,0,1) leading to 0

The consensus algorithm should tolerate if p4 crashes! (0,0,1,X,1), leads to ? (either 0 or 1)

If it leads to 1, then depending on whether p4 crashes or not (0,0,1,0,1) either leads to 0 or 1 (bivalent)

If it leads to 0, then depending on whether p4 crashes or not(0,0,1,1,1) either leads to 0 or 1 (bivalent)



Initial Bivalence

Intuition Given any algorithm, we can find some start state, that

depending on the failure of one process, will either lead to a 0-decide or a 1-decide

Bivalent Initial Config

{ P1_state,

P2_state,

P3_state,

P4_state,

{msg1}

}


{ P1_state,

P2_state2,

P3_state,

P4_state,

{msg1}

}


{ P1_state,

P2_state,

P3_state,

P4_state,

{msg1, msg2}

}


{ decide-1,

P2_state2,

P3_state2,

P4_state,

{msg1, msg2}

}


{ decide-0,

P2_state,

P3_state,

P4_state,

{ msg2}

}


{ P1_state,

P2_state,

decide-1,

P4_state,

{msg1, msg2}

}


{ decide-0,

decide-0,

P3_state,

decide-0,

{}

}


Order of events

Intuition The order in which two applicable events are

executed is not important!

Order Theorem Let ep and eq be two events on two different

nodes p and q which are both applicable in config C, then ep can be applied to eq(C), eq can be applied to ep(C), and ep(eq(C)) = eq(ep(C) ).


Definitions

A schedule is a sequence of events <e1, e2,…,ek>

A schedule =<e1, e2,…,ek> is applicable in config C iff e1 is applicable in C, e2 is applicable in e1(C) e3 is applicable in e2(e1(C)) ...

If the resulting config is D we write (C)=D


Order of sequences

Diamond Theorem Let sequences 1 and 2 be applicable in

configuration C, and let no node participate in both 1 and 2, then: 2 is applicable in 1(C)

1 is applicable in 2(C), and 1(2(C))=2(1(C))

Proof By induction using the order theorem


Illustration of Diamond Theorem

C

1 2

1(C) 2(C)

D

2 1

D =2(1(C))=1(2(C))


Bivalent Configuration

Any configuration of the 1-robust consensus algorithm is exactly one of these three Bivalent 0-valent 1-valent

Why? Any configuration leads to a decide (termination) We know bivalent configurations exist If it is not bivalent, it must lead to either 0-decide or

1-decide, so it is either 0-valent or 1-valent


Bivalent Configurations

In any bivalent config , either one applicable event goes to a bivalent config,

or there exists two applicable events, leading to

a 0-valent and 1-valent configurations (respectively)

1-valent

0-valent

Case 1 Case 2

BivalentBivalent

Bivalent


Main lemma: Staying Bivalent

Bivalency Preservation Lemma Given any bivalent config and any event e

applicable in There exists a reachable config where e is

applicable, and e() is bivalent

Bivalent …e

Bivalent …

e

…

…

eBivalent


(= possible)


Proof definitions

Assume e involves process p

Let C be all possible configs reachable from without applying e is in C as well

Apply event e to all configs in C and call the resulting configs D

Bivalent

…

e


…

…

…

…

……

…

e

e…

…

e

…eC D

…

e


Proof intuition

We will prove that D contains a bivalent config by contradiction

That is, assume there is no bivalent config in D, show that this will lead to a contradiction

Bivalent

…

e


…

…

…

…

……

…

…

e

e

e

…

…

e

…e

C

D


Proof Map

Assume there is no bivalent config in D

Then all configs in D are 0-valent or 1-valent

Show that exists a 0-valent and 1-valent config in D

Show exists two neighboring configs c1=f(c0), in C d0=e(c0) and d1=e(c1) d0 is 0-valent, d1 is 1-valent

Show this is a contradiction

Assumption must be incorrectD must contain a bivalent configuration

fc0 c1

d0 d1

e e

C

D


Proof

Assume D contains no bivalent configs i.e. all configs in D are either 0-valent or 1-

valent

We next show that there exists a 0-valent config in D, and there

exists a 1-valent config in D


Proof We can reach a 0- and 1-valent config from (bivalency of

) Call the 0-valent one 0 and the 1-valent one 1

If 0 is in C, then e(0) is in D and is 0-valent

If 0 not in C, then exists 0 on the path to 0 such that 0 is in C,e(0) is in D and is 0-valent (NB: assumed no bivalent D)

Symmetric argument shows there is a 1-valent config in D

Bivalent

…

e

0

…

…

…

……

…

…

e

e

e

…

…

e

…e

C

1 is in C

Bivalent

…

e

0

…

…

…

…

0

…

e

e

e

…

…

e

…e

C

1 is not in C


Reflection

Now we know D must contain a 0-valent and a 1-valent config

Call the 0/1-valent configs in D: d0 and d1


f

Deriving the contradiction

There must exist two configs c0 and c1

in C such that c1=f(c0), and d0=e(c0)

and d1=e(c1)

c0 c1

d0 d1

e e

C

D

Let’s see why!


Proofing two neighbors exist 1(4) We know is bivalent, and e() is in D and is either 0-

valent or 1-valent, assume 0-valent

0-valent

e

C

D




There is a reachable 1-valent config in D

f0 1

0-valent

e e

C 2 … m

1-valent

D





e is applicable in each i, and must be 0-valent or 1-valent

1

0-valent 1-valent

e e

C 2 … m

x-valent y-valent z-valent

D

e e e

f0


There exists two neighbors, one

1-valent and one 0-valent

Proofing two neighbors exist 4(4)

1

0-valent 1-valent

e e

C 2 … m

0-valent 1-valent z-valent

D

e e e

f0 f1 f2 f3

We know is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent


e is applicable in each i, and must be 0-valent or 1-valent







e is applicable in each i, and is 0/1-valent

f1C 2

0-valent 1-valent

D

e e




Neighbors lead to contradiction 1(3)

Either events e & f happen on same node or not both cases will lead to contradictions

f1C 2

0-valent 1-valent

D

e e


Neighbors lead to contradiction 2(3) We now know there exist two configs c0 and c1 in C such

that c1=f(c0), and d0=e(c0) and d1=e(c1)

Assume e and f happen on two different processes p and q Then, the order of their execution can be exchanged (diamond

thm) fc0 c1

d1

e e

C

D

0-valent 1-valentf

d0

Contradiction as d0 is 0-valent, but it leads to a 1-valent config, hence d0 must be bivalent, but

we assumed no bivalent configs exist in D


Neighbors lead to contradiction 3(3) We know there exist two configs c0 and c1 in C s.t. c1=f(c0), and

d0=e(c0) and d1=e(c1)

Assume e and f happen on the same node p. If p is silent, then algo must still terminate correctly

fc0 c1

d1e e

C

0-valent 1-valentd0

Contradiction as all nodes in A decided, A cannot be bivalent

fx ee A

If p is silent, algo should terminate

with everyone deciding in a config A

0

by diamond thm

1

by diamond thm

0-valent 1-valent


FLP Impossibility Theorem

No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model

Proof1. Start in a initial bivalent config (Lemma 1)

2. Given the bivalent config, pick the event e that has been applicable longest

Pick the execution taking us to another config where e is applicable

Apply e, and get a bivalent config (Lemma 2)3. Repeat 2.


Summary

We have proved that a 1-crash resilient deterministic consensus algorithm does not exist

Hence, there exists always an execution which stays in bivalent configs and still keeps applying all applicable events in a fair order!

All correct nodes execute infinite number of events, messages delivered, and still leads to no decision!

Circumventing FLP impossibility Probabilistically Randomization Partial Synchrony (e.g. failure detectors)

Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH...

Documents

Transcript of Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH...