CS 425 / ECE 428

Distributed Systems
Fall 2016
Indranil Gupta (Indy)
Oct 13, 2016
Lecture 16-A: Impossibility of Consensus
All slides © IG
Give it a thought

Have you ever wondered why distributed

server vendors always only offer solutions
that promise five-9’s reliability, seven-9’s
reliability, but never 100% reliable?

The fault does not lie with the companies

themselves, or the worthlessness of
humanity.

The fault lies in the impossibility of consensus

2
What is common to all of these?
A group of servers attempting:
• Make sure that all of them receive the same
updates in the same order as each other
• To keep their own local lists where they know
about each other, and when anyone leaves or
fails, everyone is updated simultaneously
• Elect a leader among them, and let everyone
in the group know about it
• To ensure mutually exclusive (one process at a
time only) access to a critical resource like a
file
3
What is common to all of these?
A group of servers attempting:
• Make sure that all of them receive the same updates
in the same order as each other [Reliable Multicast]
• To keep their own local lists where they know about
each other, and when anyone leaves or fails,
everyone is updated simultaneously
[Membership/Failure Detection]
• Elect a leader among them, and let everyone in the
group know about it [Leader Election]
• To ensure mutually exclusive (one process at a time
only) access to a critical resource like a file [Mutual
Exclusion] 4
So what is common?
• Let’s call each server a “process” (think of the
daemon at each server)
• All of these were groups of processes attempting
to coordinate with each other and reach
agreement on the value of something
• The ordering of messages
• The up/down status of a suspected failed process
• Who the leader is
• Who has access to the critical resource
• All of these are related to the Consensus problem
5
 What is Consensus?
Formal problem statement
• N processes
• Each process p has
input variable xp : initially either 0 or 1
output variable yp : initially b (can be changed only once)
• Consensus problem: design a protocol so that at the end,
either:
1. All processes set their output variables to 0 (all-0’s)
2. Or All processes set their output variables to 1 (all-1’s)

6
What is Consensus? (2)
• Every process contributes a value
• Goal is to have all processes decide same (some) value
• Decision once made can’t be changed
• There might be other constraints
• Validity = if everyone proposes same value, then that’s
what’s decided
• Integrity = decided value must have been proposed by
some process
• Non-triviality = there is at least one initial system state
that leads to each of the all-0’s or all-1’s outcomes
7
Why is it Important?
• Many problems in distributed systems are
equivalent to (or harder than) consensus!
• Perfect Failure Detection
• Leader election (select exactly one leader, and every
alive process knows about it)
• Agreement (harder than consensus)

• So consensus is a very important problem, and

solving it would be really useful!

• So, is there a solution to Consensus? 8

Two Different Models of Distributed Systems

• Synchronous System Model and

Asynchronous System Model
• Synchronous Distributed System
• Each message is received within bounded
time
• Drift of each process’ local clock has a known
bound
• Each step in a process takes lb < time < ub
E.g., A collection of processors connected by a
communication bus, e.g., a Cray
supercomputer or a multicore machine 9
Asynchronous System Model

• Asynchronous Distributed System

• No bounds on process execution
• The drift rate of a clock is arbitrary
• No bounds on message transmission delays
E.g., The Internet is an asynchronous distributed
system, so are ad-hoc and sensor networks
 This is a more general (and thus challenging)
model than the synchronous system model. A
protocol for an asynchronous system will also
work for a synchronous system (but not vice-
versa)
10
 Possible or Not
• In the synchronous system model
• Consensus is solvable

• In the asynchronous system model

• Consensus is impossible to solve
• Whatever protocol/algorithm you suggest, there is always a
worst-case possible execution (with failures and message
delays) that prevents the system from reaching consensus
• Powerful result (see the FLP proof elsewhere in this course)
• Subsequently, safe or probabilistic solutions have become quite
popular to consensus or related problems.
11
Let’s Try to Solve Consensus!
• Uh, what’s the system model? (assumptions!)
• Synchronous system: bounds on
• Message delays
• Upper bound on clock drift rates
• Max time for each process step
e.g., multiprocessor (common clock across processors)
• Processes can fail by stopping (crash-stop or
crash failures)
12
Consensus in Synchronous Systems
- For a system with at most f processes crashing
- All processes are synchronized and operate in “rounds” of
time. Round length >> max transmission delay.
- the algorithm proceeds in f+1 rounds (with timeout), using
reliable communication to all members
- Valuesri: the set of proposed values known to pi at the
beginning of round r.

Round 1 Round 2 Round 3

13
Consensus in Synchronous System
Possible to achieve!

- For a system with at most f processes crashing

- All processes are synchronized and operate in “rounds” of time
- the algorithm proceeds in f+1 rounds (with timeout), using reliable communication
to all members. Round length >> max transmission delay.
- Valuesri: the set of proposed values known to pi at the beginning of round r.
- Initially Values0i = {} ; Values1i = {vi}
for round = 1 to f+1 do
multicast (Values ri – Valuesr-1i) // iterate through processes, send each a message
Values r+1i  Valuesri
for each Vj received
Values r+1i = Values r+1i  Vj
end
end 14
f+1
 Why does the Algorithm work?
• After f+1 rounds, all non-faulty processes would have received the
same set of Values. Proof by contradiction.
• Assume that two non-faulty processes, say pi and pj , differ in their final
set of values (i.e., after f+1 rounds)
• Assume that pi possesses a value v that pj does not possess.
 pi must have received v in the very last round
 Else, pi would have sent v to pj in that last round
 So, in the last round: a third process, pk, must have sent v to pi, but then crashed
before sending v to pj.
 Similarly, a fourth process sending v in the last-but-one round must have
crashed; otherwise, both pk and pj should have received v.
 Proceeding in this way, we infer at least one (unique) crash in each of the
preceding rounds.
 This means a total of f+1 crashes, while we have assumed at most f crashes can
occur => contradiction. 15
Consensus in an Asynchronous System

• Impossible to achieve!

• Proved in a now-famous result by

Fischer, Lynch and Patterson, 1983
(FLP)
• Stopped many distributed system designers
dead in their tracks
• A lot of claims of “reliability” vanished
overnight
16
 Recall
Asynchronous system: All message delays and processing delays can
be arbitrarily long or short.
Consensus:
• Each process p has a state
• program counter, registers, stack, local variables
• input register xp : initially either 0 or 1
• output register yp : initially b (undecided)
• Consensus Problem: design a protocol so that either
• all processes set their output variables to 0 (all-0’s)
• Or all processes set their output variables to 1 (all-1’s)
• Non-triviality: at least one initial system state leads to each of the
above two outcomes
17
 Proof Setup
• For impossibility proof, OK to consider
1. more restrictive system model, and
2. easier problem
• Why is this is ok?

18
Network
p p’

send(p’,m)
receive(p’)
may return null

Global Message Buffer

“Network”

19
 States
• State of a process
• Configuration=global state. Collection of states,
one for each process; alongside state of the global
buffer.
• Each Event (different from Lamport events) is
atomic and consists of three steps
• receipt of a message by a process (say p)
• processing of message (may change recipient’s state)
• sending out of all necessary messages by p
• Schedule: sequence of events
20
 Configuration C
C
C
Event e’=(p’,m’)

Schedule s=(e’,e’’)
C’
C’’
Event e’’=(p’’,m’’)

C’’

Equivalent 21
 Lemma 1
Disjoint schedules are
commutative
C
s2
Schedule s1

s1 and s2 involve C’
disjoint sets of
receiving processes, Schedule s2
and are each applicable s1
on C C’’
22
Easier Consensus Problem

Easier Consensus Problem:

some process eventually
sets yp to be 0 or 1
Only one process crashes –
we’re free to choose
which one

23
Easier Consensus Problem
• Let config. C have a set of decision values V
reachable from it
• If |V| = 2, config. C is bivalent
• If |V| = 1, config. C is 0-valent or 1-valent, as is
the case

• Bivalent means outcome is unpredictable

24
What the FLP proof shows
1. There exists an initial
configuration that is bivalent

2. Starting from a bivalent

config., there is always
another bivalent config. that
is reachable
25
 Lemma 2 Some initial configuration is bivalent

•Suppose all initial configurations were either 0-valent or 1-valent.

•If there are N processes, there are 2N possible initial configurations
•Place all configurations side-by-side (in a lattice), where adjacent
configurations differ in initial xp value for exactly one process.

1 1 0 1 0 1

•There has to be some adjacent pair of

1-valent and 0-valent configs.
26
 Lemma 2 Some initial configuration is bivalent

•There has to be some adjacent pair of 1-valent and 0-valent configs.

•Let the process p, that has a different state across these two configs., be
the process that has crashed (i.e., is silent throughout)

Both initial configs. will lead to

the same config. for the same
1 1 0 1 0 1 sequence of events

Therefore, both these initial

configs. are bivalent when there
is such a failure
27
What we’ll show
1. There exists an initial
configuration that is bivalent

2. Starting from a bivalent

config., there is always
another bivalent config. that
is reachable
28
Lemma 3 Starting from a bivalent config., there is always
another bivalent config. that is reachable

29
Lemma 3

A bivalent initial config.

let e=(p,m) be some event
applicable to the initial config.

Let C be the set of configs. reachable

without applying e

30
Lemma 3

A bivalent initial config.

let e=(p,m) be some event
applicable to the initial config.

Let C be the set of configs. reachable

without applying e
e e e e e
Let D be the set of configs.
obtained by applying e to some
config. in C
31
Lemma 3

bivalent

[don’t apply
C event e=(p,m)]

e e e e e

D
32
Claim. Set D contains a bivalent config.
Proof. By contradiction. That is,
suppose D has only 0- and 1- valent
bivalent
states (and no bivalent ones)
• There are states D0 and D1 in D, and
C0 and C1 in C such that C [don’t apply
event e=(p,m)]
– D0 is 0-valent, D1 is 1-valent e e e e e
– D0=C0 foll. by e=(p,m)
– D1=C1 foll. by e=(p,m)
– And C1 = C0 followed by some event D
e’=(p’,m’)
(why?)
33
Proof. (contd.) C0 e’
e

• Case I: p’ is not p D0 C1

• Case II: p’ same as p e’ D1

e

Why? (Lemma 1)
But D0 is then bivalent!
bivalent

C [don’t apply
event e=(p,m)]
e e e e e

D 34
Proof. (contd.) C0
e’
e
• Case I: p’ is not p C1 e
D0
sch. s
• Case II: p’ same as p D1
sch. s sch. s
A
bivalent e
(e’,e)
E1
E0
C [don’t apply sch. s
event e=(p,m)] • finite
e e e e e • deciding run from C0
• p takes no steps

D But A is then bivalent! 35

Lemma 3 Starting from a bivalent config., there is always
another bivalent config. that is reachable

36
 Putting it all Together
• Lemma 2: There exists an initial configuration that is
bivalent
• Lemma 3: Starting from a bivalent config., there is
always another bivalent config. that is reachable

• Theorem (Impossibility of Consensus): There is

always a run of events in an asynchronous distributed
system such that the group of processes never reach
consensus (i.e., stays bivalent all the time)

37
Summary
• Consensus Problem
• Agreement in distributed systems
• Solution exists in synchronous system model (e.g.,
supercomputer)
• Impossible to solve in an asynchronous system (e.g.,
Internet, Web)
• Key idea: with even one (adversarial) crash-stop process
failure, there are always sequences of events for the system
to decide any which way
• Holds true regardless of whatever algorithm you choose!
• FLP impossibility proof
38
• One of the most fundamental results in
 Announcements
• Midterm Statistics (on-campus students only)
min, max, median, average, stdev

undergrad: 52, 100, 85, 83.2, 10.6

grad: 57, 100, 86, 84.4, 9.8

• Survey: Most students found the exam “Alright” (48%) to “Difficult” (33%)
• 9% thought it was super-difficult, and 10% thought easy or super-easy
• MP3, HW3 out today
• Start early!

39
Collect your Midterms and MP2
Reports

40