Com

Group David Powell, Guest Editor

G
roups are ubiquitous in human groups could be limited to the convenience of collec-

society. We often use collective tively designating a set of processes1 using a common

names for groups of people as a name or address. Such facilities are already offered in

convenient means for referring many local-area networks (LANs), and we are all

to or addressing some part of the population as if it accustomed to using Internet news groups or mailing

were a single entity, like a school class, an age group, lists. The full benefits of the group concept, however,

or a social category. People get together in groups can be reaped only if we know how to set up and coor-

whenever concerted action can be expected to pro- dinate groups of processes that work together to ful-

vide gains in efficiency or to improve the chances of fill a common purpose, like sharing a computational

success in some endeavor, like a road crew, a military load, increasing performance, or providing a fault-

platoon, or a research team. tolerant service. This special section presents some of

Similarly, groups can be used in distributed com- the current ideas on how such groups can be created

Illustration: Will Terry

puting systems to help master the complexity of large and managed.

applications or to help provide non-functional prop- 1

The term “process” is used here for simplicity of expression. Of course,
many different sorts of computing entities can be considered in groups, such
as physical processors, database servers, and sub-networks of a larger com-
erties, such as availability or security. Computation munication network.
munication
What facilities or semantics a group management model is appropriate if the probability of less well-

or group communication service should provide is behaved failures can be neglected. A crash failure

still the subject of much debate within the research model might be appropriate, for example, for a gen-

community. The ease with which a given group’s ser- eral-purpose computing network in which the most

vice semantics can be provided or, indeed, whether or common problem is the unavailability of certain sites.

not such a service can be implemented at all, depends In such an environment, any service that can tolerate

heavily on what can be said or assumed about the process crash failures provides a useful improvement

computation environment in which the service is to be in dependability over one that cannot tolerate any fail-

provided. The most important assumptions concern ures at all. A crash failure model can also be appro-

how processes can fail and how well they communi- priate for ultra-dependable distributed systems if

cate with each other. nodes have extensive built-in self-checking.

The strongest and most common assumption At the other end of the failure spectrum is the arbi-

about process failures is the crash failure model—a trary failure model in which no restrictive assumptions

process acts in full accordance with its specification are made about the way processes can fail. For exam-

until it suddenly ceases all activity. A crash failure ple, they could fail by sending erroneous messages, by
saturating the network, or even by colluding with
other faulty processes to bring down the system. This
is a “worst-case” failure model that frees the system
designer of any obligation to justify the realism of a
more restrictive assumption. It is particularly appro-
priate for building ultra-dependable systems or for
dealing with processes under the control of a mali-
cious intruder. Unfortunately, protocols that can tol-
erate such arbitrary failures require more redundancy
and more messages than if they were designed to tol-
erate only crash failures; they are also much more dif-
ficult to design and validate.
The strongest assumption that can be made about
inter-process communication is that any message sent
by a correct process to another correct process is
always received within a given delay—the so-called syn-
chronous communication assumption. The nice thing
about this assumption is that one process can reliably
detect whether another process is alive just by sending
it a query and waiting a known bounded time for a
response. Unfortunately, in a system where processes
must communicate over a shared network, such per-
fection is guaranteed only with a certain probability,
by using multiple communication paths and/or mes-
sage retransmissions. Often, however, it is impossible
to give even a probabilistic guarantee, since the actual
load on the network may be totally unpredictable.
The opposite approach is to consider that there is
no known limit on the time it takes for a message to
reach its destination. Protocols designed without
knowledge of time limits could easily be ported from
one environment to another, since they would oper-
ate correctly whatever the performance of the net-
work. Unfortunately, with such totally asynchronous
communication, a process cannot decide whether
another process has crashed or whether its query or
the expected response is still on its way across the net-
work. In practice, it is essential to introduce some
notion of time so that processes know how long to wait
for an expected response before suspecting that the
originator of the response might have failed.
Note, however, that suspicion of a crash is not the
same as detection of a crash; the suspected process
might still be perfectly healthy. It is easy to see, there-
fore, that it is impossible to achieve any sort of deter-
ministic agreement between correct processes. The
best that can be done in such an environment is to
ensure that certain safety properties are guaranteed
whatever the communication delays or safety proper-
ties, and that useful progress is made whenever the
network performs well enough for processes to com-
municate with each other in a timely manner.
It might be instructive at this point to draw a few
analogies between groups of processes and groups of
In practice, it is essential to
introduce some notion of time so that processes
how long to wait for an expected response.
52 April 1996/Vol. 39, No. 4 COMMUNICATIONS OF THE ACM
people. Imagine that a committee meeting is con-
vened and attendees gather round a table in a meet-
ing room. It’s a long meeting, so the attendees get
very tired, and some of them doze off now and again.
However, when they are awake they can easily see
who else is awake, since all are sitting round the same
table. With a little organization (a protocol), those
that stay awake can (for example) take turns to
address the meeting, and they should all know who
else is awake, what they heard, and what they should
have learned.
This analogy illustrates several points:
• There are at least three sorts of groups to be con-
sidered: the people eligible to attend the meeting
(the committee); those who attend the meeting
(the attendees); and those who participate in the
committee’s work at a given instant because they
were awake (the participants).
• The meeting room setting is analogous to the syn-
chronous communication model discussed earlier
in which communication is reliable and timely, and
it is easy for people (processes) to detect whether
some of them have fallen asleep (crashed). Thus,
they can make strong statements about who is
awake (the current membership of the group of
participants), what they have heard (the messages
delivered), and what they have all learned
(changes to internal state resulting from the order
of message delivery).
• It shows that we must also worry about how new
attendees (people who join the meeting after it has
started) and recovered attendees (participants who
fall asleep and later awaken) are brought up to
date with what has been decided while they were
absent or asleep.
Now let us consider another setting for the com-
mittee meeting. Let us suppose that, instead of meet-
ing round a table in a quiet room, the committee tries
to conduct its business in a large and very busy hotel
lobby. Because of the hustle and bustle, the attendees
cannot always see or talk directly to one another. Even
when one attendee can see another attendee, it’s not
certain that the latter is looking at the former. Some
of the attendees could fall asleep or go home without
the others ever noticing. It’s quite plain that in this
setting the committee has a much harder job to
process its agenda in some consistent way. We can sup-
pose that the attendees try to gather together to get
some work done, but to do so they also have to reach
some sort of agreement about who they all think are
in their particular gathering (for example, to decide
who will act as chair).
know

As people drift in and out of one anoth-
er’s sight, they have to successively reach
new decisions about who is in their gather-
ing. Furthermore, there could be many
such gatherings in different parts of the
lobby at the same time. In this case, differ-
ent gatherings of attendees could end up
making conflicting decisions. The only way
to avoid such conflicts is to impose a rule
stating, for example, that only gatherings with a
majority of committee members are allowed to make
any decisions. Alternatively, the committee could
attempt to reconcile conflicting decisions whenever
two or more gatherings are able to merge and form a
new gathering.
This meeting-in-a-crowded-lobby scenario is analo-
gous to the asynchronous communication model dis-
cussed earlier. It illustrates several points:
• Since people (processes) cannot reliably detect
whether some of them are absent or, equivalently,
have fallen asleep (crashed), they cannot decide
exactly who is attending the meeting.
• It is impossible to prevent the attendees from split-
ting into separate sub-meetings (gatherings). Such
gatherings or groups of participants are sometimes
called “views” of the meeting, since the participants
consider that their gathering is the meeting. This
logical partitioning of “meetings” is unavoidable in
asynchronous settings, so asynchronous group pro-
tocols must be able to deal with it.
• When an attendee joins an existing gathering (and
thus forms a new, larger gathering), the partici-
pants have to work out what this new participant
already knows about the committee’s work and
bring him or her up to date. This reporting has to
be done either if the new participant just woke up
from a nap (recovered from a crash) or if he or
she lost touch with an earlier gathering (became
disconnected). In an asynchronous setting, it’s dif-
ficult to tell the difference. If the participants are
not going to have to constantly tell “new” partici-
pants everything they have done since the begin-
ning of time, they have to remember (keep on
stable storage) what they did in earlier gatherings,
and the protocol has to ensure that all work done
in successive gatherings is done in some consistent
fashion.
* * * Diego, compares the properties of group communica-
Over about the last decade, there has been consider-
able research into the management of process groups
and protocols for communication within and between
such groups. The articles in this special section pre-
sent some of the prototype systems and current
research activities typical of the prevalent ideas in this
fascinating area.
The article by Louise Moser, Michael Melliar-
Smith, and their team at the University of California,
Santa Barbara, describes the Totem system, which
[email protected]
Communication
Group
provides a totally ordered multicast service
to application process groups. It is partic-
ularly suitable for supporting fault-toler-
ant soft real-time applications. Totem is a
scalable system built using a hierarchy of
group communication protocols for
groups of processors on a LAN, for groups
of interconnected LANs, and for groups
of application processes.
In their article on the Transis system, Danny Dolev
and Dalia Malki from the Hebrew University of
Jerusalem consider some of the difficult problems that
arise in diverse network settings. The authors discuss
how different components of a partitioned network
can operate autonomously and then merge operations
when they become reconnected (such partitioned
operation is of special interest in mobile applications).
They also consider the need for different protocols for
fast local communication and for the unavoidably slow-
er communication between local clusters.
Most articles in this special section assume that
processes fail only by crashing or by just being slow.
The exception is the short article by Mike Reiter from
AT&T Bell Laboratories, sketching some of the novel
group communication ideas embodied in the Rampart
system to provide tolerance for malicious intrusion.
Here, faulty processes can collude and fail in quite
arbitrary fashion, and groups are used to mask the
malicious actions of a minority of the group members.
There are many different ways of defining and
using process groups. Features that may be useful in
one setting may be impediments in others. The Horus
system, described in the article by Robbert van
Renesse, Ken Birman, and Silvano Maffeis of Cornell
University, aims to provide a very flexible environ-
ment for system programmers to configure group pro-
tocols specifically adapted to the problem at hand.
The last two articles do not describe specific sys-
tems but address instead the fundamentals of group
communication. André Schiper (EFPL, Switzerland)
and Michel Raynal (IRISA, France) trace some inter-
esting directions for future research into various sorts
of process groups. In particular, they consider the dif-
ferences between groups for replicated, fault-tolerant
objects and groups for implementing atomic transac-
tions. They propose a multicast primitive for carrying
out a specific class of transactions on a set of replicat-
ed, fault-tolerant objects.
Flaviu Cristian of the University of California, San
tion protocols for the synchronous and asynchronous
communication models. This comparison underlines
the advantages and drawbacks of both models and
should be considered essential reading for anyone
interested in group communication. C
DAVID POWELL is Directeur de Recherche CNRS at the Labora-
toire d’Analyse et d’Architecture des Systèmes where he works in
the Dependable Computing and Fault Tolerance Research Group.
Current Address: LAAS-CNRS, 7 Avenue du Colonel Roche, 31077
Toulouse, France; email:
COMMUNICATIONS OF THE ACM April 1996/Vol. 39, No. 4 53