
Such systems (with what is quite aptly called “distributed control”) have been designed, but all such designs I was familiar with were not “self-stabilizing” in the sense that, when once (erroneously) in an illegitimate state, they could – and usually did! – remain so forever.
(Dijkstra in [Dij74])

In 1974, Dijkstra introduced the notion of self-stabilization. As the quote above shows, his motivation was that he was not satisfied with the degree of fault-tolerance that distributed algorithms of his time provided.

Self-stabilizing distributed algorithms provide non-masking fault-tolerance, i.e., they provide liveness but no safety. In case of self-stabilization, liveness means that regardless of the initial configuration, the output of a self-stabilizing algorithm A is eventually correct (convergence) and it remains correct thereafter (closure). A Boolean predicate L_A identifies configurations for which the output of A is considered correct. If a configuration satisfies L_A, then it is called legitimate. The following formalizes the definition of self-stabilization:

Definition 3.1. A distributed algorithm A is called self-stabilizing with respect to predicate L_A if any execution of A satisfies the following:

• Convergence: A legitimate configuration is reached within a finite number of steps.

• Closure: L_A is stable, i.e., any configuration subsequent to a legitimate configuration is also legitimate.

Note that convergence and closure must hold for any execution. This includes any initial configuration and any choices of the scheduler model that is used. As an example of an algorithm that has the convergence property but not the closure property, consider the algorithm A_Z that assigns protocol Zero as defined in Figure 3.1 to every node v ∈ V. We define that L_{A_Z} is true if and only if all variables v.s with v ∈ V have the same value.

Protocol Zero

    Nodes: v is the current node
    Variables: v.s ∈ {0, 1}
    do
        v.s ≠ 0 → v.s := 0
    od

Figure 3.1: An algorithm satisfying convergence but not closure

Clearly, A_Z converges to a configuration where the local state of all nodes is zero. However, if the local state of all nodes is equal to 1 in the initial configuration, a move of a single node u ∈ V sets u.s to zero. So while L_{A_Z} is true for the initial configuration, it becomes false due to the move of u.

Note that for any silent algorithm A that has the convergence property with respect to L_A, a predicate L'_A can be constructed such that A is self-stabilizing with respect to L'_A and L'_A ⇒ L_A for all configurations c ∈ Σ_A. The predicate L'_A is defined to be true if and only if A has terminated. If A terminated in a configuration that does not satisfy L_A, this would contradict the convergence property of A.
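The following Python sketch is an added example and not part of the original text. It enumerates all configurations of protocol Zero on three nodes (a constructed instance) and checks closure and convergence for L_{A_Z} and for the termination predicate L'_{A_Z}. It assumes a central scheduler, i.e., exactly one enabled node moves per step; all function names are illustrative.

```python
from itertools import product

def enabled(config):
    """Nodes whose guard v.s != 0 holds in this configuration."""
    return [v for v, s in enumerate(config) if s != 0]

def move(config, v):
    """Execute the only rule of protocol Zero at node v: v.s := 0."""
    return config[:v] + (0,) + config[v + 1:]

def legit(config):
    """L_{A_Z}: all variables v.s have the same value."""
    return len(set(config)) == 1

def terminated(config):
    """L'_{A_Z}: no node is enabled, i.e., the silent algorithm has terminated."""
    return not enabled(config)

def closure_violations(pred, n):
    """All pairs (c, c') where pred(c) holds, c' follows c by one move, and pred(c') fails."""
    return [(c, move(c, v))
            for c in product((0, 1), repeat=n) if pred(c)
            for v in enabled(c) if not pred(move(c, v))]

def max_moves_to(pred, n):
    """Worst-case number of moves until pred first holds, over all initial
    configurations and all choices of the (assumed) central scheduler."""
    def worst(c):
        if pred(c):
            return 0
        # pred(c) false implies at least one node is enabled for both predicates here
        return 1 + max(worst(move(c, v)) for v in enabled(c))
    return max(worst(c) for c in product((0, 1), repeat=n))

def implies_everywhere(p, q, n):
    """Check p(c) => q(c) for every configuration c."""
    return all(q(c) for c in product((0, 1), repeat=n) if p(c))

if __name__ == "__main__":
    n = 3  # constructed example size
    print("closure violations of L :", closure_violations(legit, n))
    print("closure violations of L':", closure_violations(terminated, n))
    print("worst-case moves to L / L':", max_moves_to(legit, n), max_moves_to(terminated, n))
    print("L' => L everywhere:", implies_everywhere(terminated, legit, n))
```

Every closure violation of L_{A_Z} starts from the all-ones configuration, whereas L'_{A_Z} has none and implies L_{A_Z} in every configuration.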

For measuring the time- and space-complexity of a self-stabilizing algorithm A, the following two notions are used in this thesis:

Definition 3.2. The stabilization time of A is the worst-case number of rounds that any execution of A needs to reach a legitimate configuration. The stabilization space of A is the worst-case number of bits per node that instances of A consume in a legitimate configuration.

Alternatively, we will also refer to the termination time, which denotes the worst-case number of rounds until any execution of A terminates. This notion applies only if A is silent. The stabilization and termination time may also be measured in steps or moves. The choice to measure the space required in legitimate configurations only is motivated by the fact that the space required during stabilization may heavily depend on the initial configuration.

By guaranteeing to converge to a legitimate configuration from any initial configuration, self-stabilizing algorithms provide non-masking fault-tolerance with respect to all transient faults, regardless of their scale or nature. Also, it is well known that they converge to a legitimate configuration after any permanent topology change. As discussed in Section 3.1, a topology change may also be regarded as a state corruption.

Under the unfair central scheduler, the algorithm that assigns the protocol shown in Figure 2.1 to each node v ∈ V is in fact self-stabilizing with respect to the following predicate:

∀v ∈ V : v.s = Out ⇔ inNeighbor(v)

where inNeighbor(v) is defined in Figure 2.1. A proof for this will be discussed in Section 4.1. As pointed out in Section 2.3, the algorithm may oscillate under the distributed scheduler. A variant of the algorithm that is self-stabilizing under the distributed scheduler is discussed in Section 4.6.4.

Designing self-stabilizing distributed algorithms is non-trivial. One possible formalization of how to design a self-stabilizing algorithm A is discussed in [APSV91]. The proposed technique is to first choose the set of variables per node and a Boolean predicate L_A, such that L_A is true only for configurations that are solutions to the problem at hand and such that L_A is locally checkable. A predicate L_A is locally checkable if it can be expressed as a conjunction of local predicates, where each local predicate is defined over the variables within N[v] with v ∈ V. The second step is to design a set of rules that adjust the local states of the nodes in such a way that the local predicates are stable and gradually more and more local predicates become true. This is called local correction.