On the Limits and Practice of Automatically Designing Self-Stabilization

A protocol is said to be self-stabilizing when the distributed system executing it is guaranteed to recover from any fault that does not cause permanent damage. Designing such protocols is hard since they must recover from all possible states, therefore we investigate how feasible it is to synthesize them automatically. We show that synthesizing stabilization on a fixed topology is NP-complete in the number of system states. When a solution is found, we further show that verifying its correctness on a general topology (with any number of processes) is undecidable, even for very simple unidirectional rings. Despite these negative results, we develop an algorithm to synthesize a self-stabilizing protocol given its desired topology, legitimate states, and behavior. By analogy to shadow puppetry, where a puppeteer may design a complex puppet to cast a desired shadow, a protocol may need to be designed in a complex way that does not even resemble its specification. Our shadow/puppet synthesis algorithm addresses this concern and, using a complete backtracking search, has automatically designed 4 new self-stabilizing protocols with minimal process space requirements: 2-state maximal matching on bidirectional rings, 5-state token passing on unidirectional rings, 3-state token passing on bidirectional chains, and 4-state orientation on daisy chains

The Effect of the Specification Model on the Complexity of Adding Masking Fault-Tolerance 1

In this paper, we investigate the effect of the representation of safety specification on the complexity of adding masking fault-tolerance to programs – where, in the presence of faults the program recovers to states from where it satisfies its (safety and liveness) specification and preserves its safety specification during recovery. Specifically, we concentrate on two approaches for modeling the safety specifications: (i) bad transition (BT) model where safety is modeled as a set of bad transitions that should not be executed by the program, and (ii) bad pair (BP) model where safety is modeled as a set of finite sequences consisting of at most two successive transitions. If the safety specification is specified in the BT model then it is known that the complexity of automatic addition of fault-tolerance to high atomicity programs – where processes can read/write all program variables in an atomic step – will be polynomial in the state space of the program. However, for the case where one uses the BP model to specify safety specification, we show that the problem of adding fault-tolerance to high atomicity programs is NP-complete. Therefore, we argue that automated synthesis of fault-tolerant programs is likely to be more successful if one focuses on problems where safety can be represented in BT model. Keywords: Fault-tolerance, Automatic addition of fault-tolerance