290 Distributed Systems: An Algorithmic Approach

the action remaining unchanged. The nal version is shown below:

{program for node i}
do {Component B: coloring action}
(|succ(i)| 5) j succ(i) : c(i) = c(j) c(i) := b : b {\ sc(i)}
{Component A: dag generation action}
|succ (i)| > 5 x(i) := max sx(i) + 1
od
It is easy to show that the predicates P =i : outdegree(i) 5 and Q=(i, j) E : c(i) =c(j) are
closed under the action of A and B, so the concurrent execution of these actions will lead to a
conguration that satises Q and is stable.
Adrawback of the above solution is the unbounded growth of x. On the positive side, the solution
works with ne-grain atomicity [GK93].
17.5 STABILIZING SPANNING TREE PROTOCOL
Spanning trees have important applications in routing and multicasts. When the network topo-
logy is static, a spanning tree can be constructed using the probe-echo algorithm from Section
10.3.1 or a similar algorithm. However, in real life, network topology constantly changes as
nodes and links fail or come up. Following such events, another spanning tree has to be
regenerated to maintain service. In this section, we present a stabilizing algorithm for construct-
ing a spanning tree, originally proposed by Chen et al. [CYH91]. The algorithm works on a
connected undirected graph G=(V, E) and assumes that failures do not partition the network.
Let |V| =n.
Adistinguished process r is chosen as the root of the spanning tree. Each process picks a neighbor
as its parent P, and we denote it by drawing a directed edge from i to P(i). By denition, the root
does not have a parent. The corruption of one or more P-values can create a cycle. To detect a cycle
and restore the graph to a legal conguration, each process uses another variable L{0 n}. L is
called the level of a process, and denes its distance from the root via the tree edges. By denition,
L(r) =0. We will designate the set of neighbors of process i by N(i). In a legitimate conguration
i V: i =r :: L(i) <n, L(P(i)) <n 1, and L(i) =L(P(i)) +1.
The root r is idle. All other processes execute actions to restore the spanning tree. One
action preserves the invariance of L(i) =L(P(i)) +1 regardless of the integrity of P. However,
if L(P(i)) n 1 (which reects something is wrong) then process i sets its L(i) to n, and look
for neighbor j :L(j) <n 1 as its choice for a new parent. Note that L(i) =n is possible either
due to a corruption of some L, or due to the directed edges connecting nodes with their parents
forming a cycle. Figure 17.5a shows a spanning tree, and Figure 17.5b shows the effect of a cor-
rupted value of P(2). There now exists a cycle consisting of the nodes 2, 3, 4, 5 and the edges
joining their parents. Because of this cyclic path, when each node updates its L to L(P) +1, the
values of L(2), L(3), L(4), L(5) will soon reach the maximum value n =6. For recovery, each
node will look for a neighbor with level <5, and designate it as its parent. Let node 2 choose node
1 as its parent (since L(1) =1). Following this, nodes 3, 5, 4 redene L, and the stabilization is
complete.
Stabilizing spanning tree algorithm of Chen, Yu, and Huang
{Program for each node i = r}
do (L(i) =n) (L(i) =L(P(i))+1) (L(P(i) = n) L(i) := L(P(i))+1 (0)
(L(i) =n) (L(P(i))=n) L(i):= n (1)
(L(i) = n) ( k N(i):L(k) < n-1) L(i) := L(k)+1; P(i):=k (2)
od
2007 by Taylor & Francis Group, LLC
Self-Stabilizing Systems 291
1
2
3 5
1
2
3
4
5 4
0
1
2
3 5
1
2
3
4
5 4
(a) (b)
FIGURE 17.5 (a) A spanning tree. The node numbers appear inside the circle, and their levels are specied
outside the circle. (b) P(2) is corrupted.
Correctness Proof
We will follow the arguments from [CYH91]. Dene an edge from i to P(i) to be well formed, when
L(i) =n, L(P(i)) =n, and L(i) =L(P(i)) +1. In any conguration, the nodes and well-formed
edges form a spanning forest. Delete all edges that are not well formed, and designate each tree in
the forest byT(k) where kis the smallest value of a node inthe tree. Asingle node withnowell-formed
edge incident on it represents a degenerate tree. Thus in Figure 17.5b, there are two trees:
T(0) = {0, 1}
T(2) = {2, 3, 4, 5}
We now examine how these multiple trees combine into a single spanning tree via the actions of the
algorithm. Dene a tuple F=(F(0), F(1), F(2), . . . , F(n)) such that F(k) is the count of T(k)s in
the spanning forest. In Figure 17.5b, F=(1, 0, 1, 0, 0, 0). A lexicographic order (>) on F is dened
as follows: F1 >F2 j >0: i <j : F1(i) =F2(i) (F1(j) >F2(j)). With n nodes, the maximum
value of F is (1, n 1, 0, 0, , 0) and the minimum value is (1, 0, 0, , 0) that represents a single
spanning tree rooted at 0.
With each action of the algorithm, F decreases lexicographically. With action 0, node i combines
with an existing tree, so F(i) decreases, and no component F(j), j <i decreases. With action 1, node
i becomes a singleton set (i.e., a tree with a single node), F(n) increases, but F(i) decreases, and no
other component F(j), j <i, is affected. Therefore F decreases. Finally, with action 2, the singleton
set T(n) combines with an existing well-formed component, hence F(n) decreases, and all other
components of F remain unchanged. So F decreases.
This implies that with the repeated application of the three actions, F decreases monotonically
until it reaches the minimum value (1, 0, 0, , 0) which represents a single spanning tree rooted at
node 0.
17.6 DISTRIBUTED RESET
Reset is a general technique for restoring a distributed systemto a predened legal conguration from
any illegal conguration caused by data corruption or coordination loss. As processes or channels can
fail while the reset is in progress, the reset subsystem itself must be fault-tolerant. While distributed
snapshot correctly reads the global state of a system, distributed reset correctly updates the global
state to a designated value, without halting the application. Reset can be used as a general tool for
2007 by Taylor & Francis Group, LLC