Knowledge and the ordering of events in distributed systems
Extended Abstract
Paul J. Krasucki, Dept. of Math. Sciences, Rutgers University, Camden College, Camden, NJ 08102, krasucki@crab.rutgers.edu
R. Ramanujam, The Institute of Mathematical Sciences, C.I.T. Campus, Madras 600 113, India, jam@imsc.ernet.in
ABSTRACT
In asynchronous distributed systems logical time is usually interpreted as "possible causality", a partial order on event occurrences. We investigate the relationship between passage of time and changes in the knowledge of agents. We show that there is a certain duality between knowledge transition systems (defined here to model changes in the states of knowledge of agents) and partially ordered sets of event occurrences (the model of n-Asynchronously Communicating Sequential Agents).
1 Introduction
Consider a distributed system of $n$ agents acting autonomously. Agents communicate by passing messages from one to another. Assume that every message sent is eventually delivered to the intended recipient and that messages are delivered in the order in which they were sent. Such a model is standard in the theory of distributed computing. Lamport [Lam] discussed the ordering of event occurrences in such systems and argued that each agent 'locally' sees a linear order of event occurrences whereas 'globally', only a partial order consistent with the local linear ones is available. In this discussion, the ordering refers to causal dependency between event occurrences and thus incomparability under the ordering denotes causal independence, and therefore (in a sense) concurrency. If we see concurrency as causal independence, one way of phrasing the assertion "event occurrences $e_1$ and $e_2$ can be concurrent" is: "no agent in the system knows that $e_1$ must precede $e_2$ or that $e_2$ must precede $e_1$". In a sense, this identifies the states of the system with the states of knowledge of agents in the system. After Halpern and Moses [HM] there has been extensive work done in the study of knowledge states of agents in distributed systems. In particular, looking at how the occurrence of an event can cause a change in agents' states of knowledge leads to viewing distributed protocols as goal-oriented activity. Such a protocol is then a transformation from the given initial state of knowledge in the system to a desired state where agents know some specific facts.

[Figure 1: Knowledge state-transition systems <-> Partially ordered sets of event occurrences]
We wish to study to what extent these notions of agents' knowledge (specified as equivalence relations on states, one relation for each agent) and partial orders on event occurrences are dual. In Figure 1, can we go back and forth without losing information about agents' behavior? In the process, we would also like to understand more precisely assertions like the following ones: "an agent cannot lose knowledge by receiving a message", "an agent cannot gain knowledge by sending a message" and so on. Such statements are commonly used in the analysis of distributed protocols, and do make intuitive sense. Similar questions have been addressed in the literature, but in different contexts: Chandy and Misra [CM] have related chains of messages to change in knowledge of agents, and Parikh and Krasucki [PK] have precisely characterized levels of knowledge of agents (for a formula) and specified what sequences of messages are required to attain a given level. In the area of knowledge-based protocols there has been extensive work relating states of knowledge of agents and message histories (see [DM], [HZ], [Ma] for some expositions). However, the question we study here is the formal relationship between knowledge structures specified as transition systems and temporal structures specified as partially ordered sets of event occurrences. In a sense, it is closer to the spirit of [Pra], [NPW]. In the following sections we show that there is a simple class of transition systems (Knowledge Transition Systems, KTSs for short) enriched with equivalence relations on states, which corresponds to a natural partial order model of event occurrences in distributed systems (Asynchronously Communicating Sequential Agents, abbreviated ACSAs). This correspondence is precise in the following sense: we associate a KTS with an ACSA and conversely an ACSA with a KTS in such a way that ACSA → KTS → ACSA is an isomorphism, and KTS → ACSA → KTS is a simulation.
2 ACSAs
In [LRT], a model of distributed systems has been defined in the following manner: assume a collection of $n$ agents, each of which is sequential, interacting by message passing. Each agent is 'tree-like', in the sense that its behaviour is given as a 'backwards-linear' poset of event occurrences. The formal definition is as follows:

Def 1: A system of $n$-Asynchronously Communicating Sequential Agents ($n$-ACSA) is a triple $\mathcal{E} = (E, \le, \eta)$, $n > 0$, where (i) $E$ is a set of event occurrences, (ii) $\le \subseteq E \times E$ is a partial order called the causality relation, and (iii) $\eta : E \to \{1, \ldots, n\}$ is a naming function such that $\forall e\, \forall i \in \{1, \ldots, n\}$, $\{e' \mid e' \le e\} \cap \eta^{-1}(i)$ is totally ordered by $\le$.

[...] where $s_0 \in \Sigma$, and for $i$ [...], where for $j \in \{1, \ldots, n\}$, $p_j$ is the null sequence if $\downarrow e \cap E_j = \emptyset$, and otherwise it is $lh(e')$, where $e'$ is the maximal $j$-event in $\downarrow e$. Call this tuple the $i$-view at $e$.
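As an added illustration (this is example code, not code from the paper; the agents, event names and messages are constructed), the following Python builds a small $n$-ACSA in the sense of Def 1 from each agent's local sequence of events plus the send/receive pairs of the messages exchanged, taking Lamport's causal order (local order, send before receive, transitive closure) as $\le$. It checks the two conditions of the definition, lists the concurrent (incomparable) pairs of event occurrences, computes the $\eta(e)$-view at an event as the tuple of per-agent local histories described above, and produces one schedule (linearization) of $\downarrow e$ as used in the proofs that follow.

```python
"""Added example, not code from the paper: a small n-ACSA (Def 1) built
from message passing, with Lamport's causality as the partial order.
All agents, events and messages below are constructed for illustration."""
from itertools import combinations

# Constructed input: each agent's event occurrences in its local (linear) order,
# and the messages exchanged as (send event, receive event) pairs.
AGENTS = {1: ["a1", "a2", "a3"], 2: ["b1", "b2"], 3: ["c1", "c2", "c3"]}
MESSAGES = [("a1", "b1"), ("b2", "c2"), ("c1", "a3")]


def build_acsa(agents, messages):
    """Return (E, leq, eta): the event set, the causality relation leq as a set
    of (x, y) pairs meaning x <= y (reflexive and transitive), and the naming
    function eta mapping each event to the agent it belongs to."""
    eta = {e: i for i, seq in agents.items() for e in seq}
    leq = {(e, e) for e in eta}                       # reflexivity
    for seq in agents.values():                       # local linear order
        leq |= {(seq[a], seq[b]) for a in range(len(seq))
                for b in range(a + 1, len(seq))}
    leq |= set(messages)                              # send precedes receive
    changed = True                                    # transitive closure
    while changed:
        changed = False
        for x, y in list(leq):
            for z in [z for (y2, z) in leq if y2 == y]:
                if (x, z) not in leq:
                    leq.add((x, z))
                    changed = True
    return set(eta), leq, eta


def down(e, leq):
    """Downward closure of e: every event that causally precedes e, and e itself."""
    return {x for (x, y) in leq if y == e}


def is_acsa(E, leq, eta):
    """Check Def 1: leq is antisymmetric (hence a partial order, reflexivity and
    transitivity holding by construction) and, for each event e and agent i,
    the i-events in the downward closure of e are totally ordered by leq."""
    if any((y, x) in leq and x != y for (x, y) in leq):
        return False
    for e in E:
        for i in set(eta.values()):
            local = [x for x in down(e, leq) if eta[x] == i]
            if any((x, y) not in leq and (y, x) not in leq
                   for x, y in combinations(local, 2)):
                return False
    return True


def concurrent_pairs(E, leq):
    """Incomparable pairs: neither x <= y nor y <= x, i.e. no agent can know
    that one of them must precede the other."""
    return sorted((x, y) for x, y in combinations(sorted(E), 2)
                  if (x, y) not in leq and (y, x) not in leq)


def view(e, leq, agents):
    """The eta(e)-view at e: for each agent j (in agent order), the local
    history of the maximal j-event in the downward closure of e, or () if
    that closure contains no j-event."""
    return tuple(tuple(x for x in seq if (x, e) in leq)
                 for seq in agents.values())


def schedule(c, leq):
    """One schedule of configuration c: an enumeration of c in which x <= y
    implies x is listed before y (a deterministic topological sort)."""
    remaining, out = set(c), []
    while remaining:
        minimal = min(x for x in remaining
                      if not any((y, x) in leq and y != x for y in remaining))
        out.append(minimal)
        remaining.remove(minimal)
    return out


if __name__ == "__main__":
    E, leq, eta = build_acsa(AGENTS, MESSAGES)
    print("ACSA conditions hold:", is_acsa(E, leq, eta))
    print("concurrent pairs:", concurrent_pairs(E, leq))
    print("view at a3:", view("a3", leq, AGENTS))
    print("schedule of down(c3):", schedule(down("c3", leq), leq))
```

Because every agent's events are fed in as a linear sequence, condition (iii) of Def 1 holds automatically for relations produced by `build_acsa`; `is_acsa` is still useful for relations obtained some other way, for instance one in which two events of the same agent are left incomparable, which it rejects.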
We claim that the $i$-view at $e$ is indeed an $i$-event occurrence in $\mathcal{K}$ and hence a member of $E'$. To see this, observe firstly that for any $e' \in E$, $lh(e')$ is a local $j$-run in $\mathcal{K}$ where $\eta(e') = j$, and $|lh(e')| \ge 1$. We only need to check that every such $i$-view is generated as $\varepsilon(\delta)$ for some run $\delta$ in $\mathcal{K}$.
A schedule of a configuration $c \in C$ is a sequence $e_1 \ldots e_k$ such that $l \ne m$ implies $e_l \ne e_m$, $c = \{e_1, \ldots, e_k\}$, and if $e_l \le e_m$, then $l \le m$. Note that every schedule (of any configuration) corresponds to a run in $\mathcal{K}$, and conversely that every run from $\emptyset$ to a configuration $c \in C$ defines a schedule of $c$. Let $e_1 \ldots e_k$ be a schedule of $\downarrow e_k$, $\eta(e_k) \ne j$. Suppose $\downarrow e_k \cap E_j \ne \emptyset$ and $e_l$ is the maximal $j$-event occurrence in $\downarrow e_k$. It can be easily seen that the schedule $e_1 \ldots e_l$ (of $\downarrow e_l = c'$, say) is the $j$-predecessor of $e_1 \ldots e_k$: since $e_l \in \downarrow e_k$, $e_l$ and $e_k$ cannot be concurrent. This shows that $\varepsilon(\delta)$ is exactly the $i$-view at $e_k$, where $\delta = \emptyset\,\{e_1\} \ldots \{e_1, \ldots, e_k\}$, $e_1 \ldots e_k$ is a schedule of $\downarrow e_k$ and $\eta(e_k) = i$. We can thus meaningfully define the map $F : E \to E'$ given by $F(e) =$ the $\eta(e)$-view at $e$. To prove that $F$ is injective, suppose $e_1 \ne e_2$. If $\eta(e_1) = \eta(e_2) = i$, clearly $lh(e_1) \ne lh(e_2)$ and hence the $i$-view at $e_1$ is distinct from the $i$-view at $e_2$. Otherwise, suppose $\eta(e_1) = i \ne j = \eta(e_2)$, but that the $i$-view at $e_1$ is identical to the $j$-view at $e_2$. This means that $e_1$ is the maximal $i$-event in $\downarrow e_2$, and that $e_2$ is the maximal $j$-event in $\downarrow e_1$. Then in particular, we get $e_1 \le e_2$, $e_2 \le e_1$ and $e_1 \ne e_2$, contradicting the antisymmetry of $\le$.

[...] then $\rho_1$ is of the form $\rho z z'$ where there exist $c \in z$, $c' \in z'$ such that $c' = c \oplus \{e_1\}$, and $\rho_2$ is of the form $\rho' z_1 z_2 \rho'' z_3 z_4$, where there exist $c_l \in z_l$, $l \in \{1, \ldots, 4\}$, such that $c_2 = c_1 \oplus \{e_1\}$, $c_2 \subseteq c_3$, $c_4 = c_3 \oplus \{e_3\}$, and $e_3$ is the $i$-maximal event in $\downarrow e_2$. Thus we get $e_1$ [...]

Let $\delta_1 = s_1 \to s_2 \to \ldots s_k$ and $\delta_2 = t_1 \to t_2 \to \ldots t_k$. Clearly, $s_1 = t_1 = s_0$, the initial state of the KTS.
Let $m$ be the latest index of agreement between $\delta_1$ and $\delta_2$, i.e. for $1 \le l \le m$, $s_l = t_l$ and $s_{m+1} \ne t_{m+1}$. Since the first state of both runs is $s_0$, $m > 0$. Thus $0 \le k - m < k$. We show the result by induction on $k - m$. The base case, when $m = k$, is trivial, since then the required $s = s_k = t_k$. Now assume by induction hypothesis that the result holds for runs with $m \le k$. Now consider runs $\delta_1$ and $\delta_2$ such that $m < k$. To fix notation, let $\delta = s_1 s_2 \ldots s_m\ (= t_1 t_2 \ldots t_m)$, $c' = g(\delta)$, $s_m \to_i s_{m+1}$, $s_m \to_j t_{m+1}$. Further let $c_1 = g(\delta s_{m+1}) = c' \oplus \{e_1\}$, $c_2 = g(\delta t_{m+1}) = c' \oplus \{e_2\}$. That such configurations exist is assured by the construction of $g$. Clearly, $e_1$ and $e_2$ are respectively $i$- and $j$-event occurrences. Note that by monotonicity of $g$, $e_1 \in c_1 \subseteq c$, $e_2 \in c_2 \subseteq c$, thus $\{e_1, e_2\} \subseteq c$.

Now suppose $i = j$. If $e_1 = e_2$, then $[s_{m+1}]_i = [t_{m+1}]_i$, and we have $s_m \to_i s_{m+1}$, $s_m \to_i t_{m+1}$ and $s_{m+1} \sim_i t_{m+1}$, therefore $s_{m+1} = t_{m+1}$, contradicting the fact that the latest index of agreement is $m < k$. Therefore $e_1 \ne e_2$. But then $e_1$ and $e_2$ are in immediate conflict in $\mathcal{E}$, contradicting the fact that $\{e_1, e_2\} \subseteq c$. Thus we find that $i \ne j$. Let $p$ be the smallest index such that $t_p \to_i t_{p+1}$. Clearly, $m < p < k$. Now for each $l : m < l \le p + 1$, let $g(\delta t_{m+1} \ldots t_l) = c_l$ and let $c_{l+1} = c_l \oplus \{e_l\}$. By definition of KTSs, we can find a sequence of states (see Figure 9) $u_{m+1} \ldots u_p$ such that for every $l : m < l \le p$, $t_l \sim_i u_l$. Further $s_{m+1} \sim_i u_{m+1}$ and for all $m < l < p$, $u_l \to u_{l+1}$ iff $t_l \to t_{l+1}$. Now, for $m < l \le p$, let $d_l = g(\delta s_{m+1} u_{m+1} \ldots u_l)$. From the fact that $s_m \to t_{m+1} \to \ldots \to t_p$ and $s_{m+1} \to u_{m+1} \to \ldots \to u_p$, we get, for all $m < l \le p$, $d_l = c_l \oplus \{e_1\}$. Now let $e' = c_{p+1} - c_p$. Thus we have two $i$-event occurrences $e_1, e'$ enabled at $c_p$. If $e_1 \ne e'$, they are in (immediate) conflict, and hence $e_1 \notin d$ for every configuration $d : c_{p+1} \subseteq d$. But by monotonicity of $g$, we have $c_{p+1} \subseteq g(\delta_2) = c$ and $e_1 \in c$, a contradiction. Therefore $e_1 = e'$, implying $u_p \sim_i t_{p+1}$, which is possible only if $u_p = t_{p+1}$.

Now let $\delta' = \delta s_{m+1} u_{m+1} \ldots u_p t_{p+2} \ldots t_k$. Since $g(\delta s_{m+1} u_{m+1} \ldots u_p) = g(\delta t_{m+1} \ldots t_p u_p)$, we also have $g(\delta') = g(\delta_2) = c$. But now consider the two runs $\delta_1, \delta'$: their $g$-image is the same, and their latest index of agreement is $m + 1$; but then by induction hypothesis, $s_k = t_k$, which is what we set out to prove. $\Box$
Corollary 1: Suppose $c \in C$. Then there exists $\delta \in R$ such that $g(\delta) = c$.

Proof: If $c = \emptyset$, then $g(s_0) = c$. Inductively assume that for every configuration $c$ such that $|c| < k$, there exists $\delta$ such that $g(\delta) = c$. Now suppose $c \in C$, $|c| = k$, $k > 0$. There exists a configuration $c'$ and $e \in c$ such that $c = c' \oplus \{e\}$. By inductive assumption, there exists $\rho$ such that $g(\rho) = c'$. Let $e = \varepsilon(\delta)$, $\delta = \delta_1 s s'$. But then $g(\delta_1 s) = c'$, hence by the previous proposition, $\rho$ is of the form $\rho' s$. Thus $g(\rho' s s') = c$, as required. $\Box$
Theorem 12: Let $\mathcal{K}$ be a KTS. Then $\mathcal{K}_{\mathcal{E}}$ is a simulation of $\mathcal{K}$.

Proof: Let $\mathcal{K} = (S, \to, s_0, Eq)$, $\mathcal{E}_{\mathcal{K}} = (E, \le$