Tuesday, April 1, 2008

* Formal definition of consensus
* Impossibility of consensus

CONSENSUS

Model: We have a set of n processes. Process i has an input register x_i and an output register y_i. The input register is read-only. The output register can store a value from {0,1,b} and is write-once; initially it holds the value b. Each process has an unbounded amount of internal storage. Internal state = registers + internal storage + program counter. A state in which the output register is 0 or 1 is a decision state. Process p acts deterministically according to a transition function.

Message-passing: Processes communicate by message passing. A message is a pair (p,m), where p is the destination and m is the value of the message. The message buffer is a multiset of messages (sent but not yet delivered). Two abstract operations are supported:
  send(p,m): places (p,m) in the message buffer;
  receive(p): deletes some message (p,m) from the buffer and returns m, or returns the special marker NULL.
If receive(p) is performed infinitely often, then every message (p,m) is eventually delivered.

Configuration: A configuration consists of the internal state of each process together with the message buffer. An initial configuration is the initial states plus an empty message buffer. A step by a process takes one configuration to another. Let C be a configuration. A step has two phases: first, receive(p) is performed and obtains a value m; then, depending on p's internal state and the value m received, p enters a new internal state and sends a finite number of messages to other processes. A step is thus completely determined by the event e = (p,m). We denote the resulting configuration by e(C). Note that (p,NULL) can always be applied to C.

Schedule: A sequence of events forms a schedule; the associated steps form a run. A configuration C has decision value v if some process p is in a decision state with y_p = v.

A consensus protocol is partially correct if
  (1) no reachable configuration has more than one decision value, and
  (2) for each v in {0,1}, there is some reachable configuration that has decision value v.

A process p is nonfaulty in a run if it takes infinitely many steps in the run. A consensus protocol is correct in spite of one fault if it is partially correct and all runs in which at most one process is faulty and all messages to nonfaulty processes are eventually delivered are deciding.

IMPOSSIBILITY OF CONSENSUS

--------
Impossibility Theorem [Fischer, Lynch, Paterson 1985]: No consensus protocol can be correct in spite of one fault.
--------

Proof: We will prove a series of lemmas.

----
Commutativity Lemma: Suppose the schedules sigma_1 and sigma_2 lead C to C_1 and C_2 respectively. Furthermore, suppose the sets of processes that take steps in sigma_1 and sigma_2 are disjoint. Then sigma_1 can be applied to C_2 and sigma_2 can be applied to C_1, and both lead to the same configuration.

Proof: Easy.
-----

For the sake of contradiction, assume that P is a consensus protocol that is totally correct in spite of one fault.

A configuration C is 0-valent (1-valent) if the only decision value reachable from C is 0 (1); otherwise C is bivalent.

Bivalence Lemma: P has a bivalent initial configuration.

Proof: Suppose not. By partial correctness there exist two initial configurations A and B, one leading to decision value 0 and the other to 1. There is a "path" from A to B through initial configurations in which adjacent configurations differ in only one process's input. Along this path there are two adjacent initial configurations, one leading to 0 and the other to 1, which differ only in p's input. Make p faulty: a run in which p takes no steps leads both initial configurations to the same deciding configuration. So one of the two configurations must be bivalent -- a contradiction. End Proof

Continuation Lemma: Let C be a bivalent initial configuration. Let e=(p,m) be an event applicable to C. Let X be the set of configurations reachable from C without applying e, and let Y = e(X) = {e(E) : E in X}. Then Y contains a bivalent configuration.

Proof: Note that e is applicable to every E in X, so Y is well defined. Assume Y does not contain a bivalent configuration. We first show that Y contains both a 0-valent and a 1-valent configuration. C is bivalent, so there are configurations E_0 and E_1 with C --> E_0 and C --> E_1, where E_0 is 0-valent and E_1 is 1-valent. If E_i is in X, then e(E_i) in Y is i-valent. Otherwise e is applied somewhere along the path from C to E_i, and the configuration in Y at that point is i-valent.

From the above it follows that there exist C_0, C_1 in X such that, writing D_i = e(C_i) in Y, D_0 is 0-valent, D_1 is 1-valent, and C_0 -> C_1 or C_1 -> C_0 (one is reached from the other in a single step). We have a picture like this:

  C_0 --e--> D_0
   |
   e'
   |
   v
  C_1 --e--> D_1

Suppose C_1 = e'(C_0), where e' = (p',m'). Two cases:

Case 1: p' != p. Then, by the Commutativity Lemma, e' is applicable to D_0 and leads to D_1, i.e. there is an arrow from D_0 to D_1. But D_0 is 0-valent and D_1 is 1-valent, a contradiction.

Case 2: p' = p. Consider a finite deciding run from C_0 in which p does not take any steps. Let sigma be the corresponding schedule and let A = sigma(C_0). By commutativity, sigma is applicable to D_i and leads to an i-valent configuration E_i. Again by commutativity, e(A) = E_0 and e(e'(A)) = E_1 (since D_1 = e(e'(C_0))). Hence A is bivalent, but this is impossible since the run to A is deciding. End Proof

Bivalent Run Lemma: There exists a run in which no process is faulty and every configuration is bivalent.

Proof: We maintain a queue of processes, and the message buffer is ordered according to the time the messages were sent. Let C_0 be a bivalent initial configuration (it exists by the Bivalence Lemma). Execution begins in C_0, and we ensure that every stage begins with a bivalent configuration. Suppose a stage begins in the bivalent configuration C and that process p heads the process queue. Let m be the earliest message in the buffer for p (or NULL if there is none) and let e = (p,m). Event e is applicable to C. By the Continuation Lemma, there is a bivalent configuration C' reachable from C in which e is the last event applied. Move p to the end of the process queue and proceed from C'. End Proof

The main theorem follows from the Bivalent Run Lemma.
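The definitions above (events, e(C), reachable configurations, valency, partial correctness) as a small executable model; this is an added example, not part of the lecture notes or the FLP paper. The toy protocol max_protocol, the function names and the encoding of a process state as (x_p, y_p, program counter) are constructed for this example. Because the toy protocol sends finitely many messages, its reachable configurations are finite and valency can be computed by exhaustive search; the example shows that the protocol is partially correct, has no bivalent initial configuration, and, as the contrapositive of the Bivalence Lemma predicts, never decides in a run where one process takes no steps.

```python
from itertools import product
NULL = None   # marker returned by receive(p) when no message is delivered
B = None      # blank value b of the write-once output register y_p

def step(cfg, delta, event):   # return e(C) for e = (p, m); cfg = (states, sorted buffer multiset)
    states, buf = cfg
    p, m = event
    buf = list(buf)
    if m is not NULL:
        buf.remove((p, m))                       # receive(p) deletes one copy of (p, m)
    new_state, sent = delta(p, states[p], m)     # deterministic transition function
    return states[:p] + (new_state,) + states[p + 1:], tuple(sorted(buf + sent))

def reachable(cfg, delta, procs):   # configurations reachable by schedules where only procs step
    seen, stack = {cfg}, [cfg]
    while stack:
        c = stack.pop()
        for e in {(p, NULL) for p in procs} | {e for e in c[1] if e[0] in procs}:  # (p, NULL) always applies
            d = step(c, delta, e)
            if d not in seen:
                seen.add(d); stack.append(d)
    return seen

def decisions(cfg):   # decision values present in cfg (non-blank y_p registers)
    return {y for (_, y, _) in cfg[0] if y is not B}

def valency(cfg, delta, n):
    vals = set().union(*(decisions(c) for c in reachable(cfg, delta, range(n))))
    return "bivalent" if vals == {0, 1} else ("%d-valent" % vals.pop() if vals else "undecided")

def initial(inputs):   # process state is (x_p, y_p, program counter); buffer empty
    return tuple((x, B, 0) for x in inputs), ()

def max_protocol(p, state, m):
    """Constructed toy protocol, n = 2: send own input to the other process, then decide
    max(own input, first value received). Partially correct but not fault tolerant."""
    x, y, pc = state
    if pc == 0:
        return (x, y, 1), [(1 - p, x)]
    if m is NULL or y is not B:
        return state, []
    return (x, max(x, m), pc), []

def partially_correct(delta, n):   # condition (1) agreement and (2) both values reachable
    confs = [c for xs in product((0, 1), repeat=n) for c in reachable(initial(xs), delta, range(n))]
    return all(len(decisions(c)) <= 1 for c in confs) and set().union(*map(decisions, confs)) == {0, 1}

def decides_without(delta, n, faulty, inputs):   # can a run in which `faulty` never steps decide?
    live = [p for p in range(n) if p != faulty]
    return any(decisions(c) for c in reachable(initial(inputs), delta, live))
```

Running valency(initial(xs), max_protocol, 2) for all four input vectors returns only univalent results, so by the Bivalence Lemma the protocol cannot be correct in spite of one fault, and decides_without(max_protocol, 2, 1, (0, 1)) confirms that process 0 waits forever once process 1 is faulty.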