changeset 717:50cf746b5f18

Added documentation on program counters.
author Martin Geisler <>
date Wed, 23 Apr 2008 23:12:33 +0200
parents 760b07b6e6ea
children 2ba503807eda
files doc/implementation.txt doc/program-counters.txt
diffstat 2 files changed, 201 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/doc/implementation.txt	Wed Apr 23 23:12:17 2008 +0200
+++ b/doc/implementation.txt	Wed Apr 23 23:12:33 2008 +0200
@@ -12,4 +12,4 @@
+   program-counters
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/program-counters.txt	Wed Apr 23 23:12:33 2008 +0200
@@ -0,0 +1,200 @@
+Program Counters
+When two players execute a large computation they need to agree with
+each other on a labelling of the individual operations so that they
+know where each received result belongs. In VIFF we call these labels
+*program counters*. We will try to explain the design of these
+counters in this document and list some ideas for alternative
+The basic setup in VIFF is a set of players who communicate over
+reliable point-to-point links, e.g., TCP or SSL connections. It is
+important to remember that these links guarantee that all transmitted
+messages arrive unchanged at the destination and that they arrive in
+the order sent.
+The naive solution
+The very first version of VIFF network data was numbered in the most
+naive way possible: using a single counter for each player. This
+worked fine most of the time, but once in a while a test would fail to
+give the correct result. It was only when one ran thousands of
+multiplications that the bug appeared, but its cause was quite simple.
+Consider a program like this where we assume that the shares *a*, *b*,
+*c*, and *d* have already been correctly defined::
+  x = mul(a, b)
+  y = mul(c, d)
+Back then, the :func:`mul` function was implemented like this::
+  def mul(share_a, share_b):
+      inc_pc()
+      result = gather_shares([share_a, share_b])
+      result.addCallback(lambda (a, b): a * b)
+      result.addCallback(shamir_share)
+      result.addCallback(recombine, threshold=2*threshold)
+      return result
+where :func:`inc_pc` took care of incrementing the global program
+counter. This simple implementation worked 99.99% of the time with
+three players connected on a LAN, but once in a while it would fail to
+calculate the correct results.
+In our example program, :func:`shamir_share` is called twice: once
+when *a* and *b* are ready, and once when *c* and *d* are ready. Most
+of the time *a* and *b* are ready first on all players, and so they
+all agree on the program counter value for this call to
+:func:`shamir_share`. But when we have bad luck, they one player sees
+*c* and *d* arrive first and so the two calls to :func:`shamir_share`
+are switched for that player.
+The problem is the asynchronous nature of Twisted: all players agree
+on the execution tree, but depending on the exact timing they might
+reach the nodes in the tree in a different order. The tree looks like
+this in our little example:
+.. code-block:: none
+     x       y
+     |       |
+    mul     mul
+    / \     / \
+   a   b   c   d
+and the two :func:`mul` can be called in either order since they do
+not depend on each other.
+The working solution
+The solution used now in VIFF has two ingredients. First, callbacks
+that depend on the program counter (like `func`:shamir_share in our
+example above) are not added with :meth:`addCallback` but instead with
+the special :meth:`viff.runtime.BasicRuntime.schedule_callback`
+method. This method saves the program counter in effect at the time of
+the its call, and ensures that the saved program counter is
+temporarily made active when the callback is called.
+Secondly, the program counter is a *list* of counters. This is
+necessary to ensure that we can allocate new fresh counters at any
+point in the execution tree. The execution tree is never explicitly
+constructed in VIFF, so a simple static numbering is not possible.
+Instead we mark methods that need to increment the program counter
+with the :func:`viff.runtime.increment_pc` decorator. The program
+counter starts at the value ``[0]`` and the decorated method will now
+begin by doing::
+  self.program_counter[-1] += 1
+  self.program_counter.append(0)
+before it executes its body. When the body is finished, the method
+  self.program_counter.pop()
+before it returns. A method :meth:`foo` defined like this::
+  @increment_pc
+  def foo(self):
+      print "foo:", self.program_counter
+is thus turned into this::
+  def foo(self):
+      self.program_counter[-1] += 1
+      self.program_counter.append(0)
+      print "foo:", self.program_counter
+      self.program_counter.pop()
+and when executed starting from the initial program counter of ``[0]``
+we see that it prints ``foo: [1, 0]`` and leaves the program counter
+at ``[1]`` after it returns. It is very important that the program
+counter is left changed like this, for this means that the next call
+to :meth:`foo` will print ``foo: [2, 0]`` and increment the program
+counter to ``[2]``.
+If we have a method :meth:`bar` which calls :meth:`foo` several times::
+  @increment_pc
+  def bar(self):
+      print "bar:", self.program_counter
+      print "bar:", self.program_counter
+      print "bar:", self.program_counter
+then the result of calling :meth:`bar` will be:
+.. code-block:: none
+   bar: [1, 0]
+   foo: [1, 1, 0]
+   bar: [1, 1]
+   foo: [1, 2, 0]
+   bar: [1, 2]
+Notice how each sub-call adds another digit to the counter and how it
+increments the counter used at the level of the caller. This system
+ensures that all program counters are unique.
+We have come up with some alternative solutions, which are detailed
+below. More good ideas are of course welcome!
+History-based labels
+An attractive alternative is to label data sent over the net based on
+its *history*. The idea is that we associate a label ``H(x)`` with
+each variable *x*. The history is defined when new variables are
+defined --- if ``x = a * b``, then we can set ``H(x) = ("mul", H(a),
+H(b))``. To avoid growing the history without bounds we can hash it
+with a cryptographic hash function to bring it down to a fixed size.
+The problem with this idea is that we sometimes need to assign a
+history to a variable that depends on no other variables. An example
+of this is the result of a call to :meth:`prss_share
+<viff.runtime.Runtime.prss_share>` which takes no useful arguments. A
+possible solution would be to add some dummy arguments on which the
+history could be based, even though they wont be used by the method.
+So if you would normally call the function :func:`hat` with no
+arguments to get a :class:`Rabbit` object, you have to change your
+code from this::
+  rabbit = hat()
+to this::
+  rabbit = hat(dummy=locals())
+where the call to :func:`locals` gives you access to the local
+variables. If the use of :func:`locals` could be hidden this might be
+an acceptable solution.
+Using the history of the variables has the big advantage that we label
+each piece of transmitted data with just information that is relevant
+to it: namely its position in the tree formed by the calculation and
+*not* its position in the execution tree formed by the implementation
+in VIFF. This is conceptually cleaner than the current solution.
+Program transformation
+Another idea is to solve the labelling problem by having some external
+tool transform the program into one with explicit labels. Each send
+and each receive operation needs to be labelled and the labels much
+match pair-wise.
+It is not entirely clear how this should work in the presence of loops
+and if it is possible to implement this in an easier way than the
+current program counters.