role model analysis of an asynchronous communication mechanism
TRANSCRIPT
Role model analysis of an asynchronous communication mechanism
H.R. Si m pson
Indexing terms: As~nchronous-communication, Four-slot mechanisms, Role-modelling, Atomic register
Abstract: The properties of asynchronous communication mechanisms which use multiple shared memory locations (slots) to transfer data, together with co-ordination of access to these slots by small shared control variables, can be examined by analysing the dynamically changing roles of the slots during asynchronous operation. The paper describes the application of the role modelling technique to a new form of four-slot mechanism, and analyses the correctness of the mechanism with respect to its coherence and freshness properties. It is shown how other aspects, such as data sequencing and the failure modes of faulty implementation, can also be addressed.
1 Introduction
A previous paper [l] set out new algorithms for achiev- ing asynchronous communication between a single writing process and a single reading process, operating concurrently:
writing: dip, w[ip]] := input; il, := ip; w[ip] := VIipl reading: I’ : = w; op := 5; output := sop, v[op]]
Data is passed through a four-slot array d, arranged as two pairs of slots. The control variable ip is a bit indi- cating the pair next to be used for writing. The variable op is a bit used by the reader to select the pair not cur- rently being used for writing. The variables Y and i v are two-bit vectors; elements of Y indicate the slot in each pair which has been committed for reading, and ele- ments of w indicate the slot in a pair which is being written or the slot in a pair which contains the latest data for that pair.
Such algorithms can be embodied in a variety of implementation forms to provide mechanisms for asynchronous communication between a writing process and a reading process. These mechanisms rely on the algorithms to preserve the coherence and freshness properties of the data being transferred. Coherence is guaranteed when a read cannot obtain data which has been (partially) written by more than 0 IEE, 1997 IEE Proceedings online no. 19971219 Paper first received 5th July 1996 and in revised form 4th March 1997 The author is with Matra Bae Dynamics, Executive Technologist, Digital Infomation Processing, PO Box 19, Six Hills Way, Stevenage. Herts SG12DA, UK
one write. Freshness is guaranteed when a read cannot obtain stale data, i.e. data which is not the latest supplied by a write.
The correctness properties of mechanisms incorporat- ing the algorithms are relatively easy to address informally [l], but more rigorous methods can be difficult to understand and apply. For example there are representational and analysis methods based on communicating processes [2, 31, hierarchical composi- tion [4, 51, automaton models [6], and temporal logic [7, 81. An earlier paper [9] concluded that further research would be needed to make use of these meth- ods for all aspects of interest, and it developed an approach supporting the direct modelling of the prop- erties relevant to this class of asynchronous communi- cation mechanism. This approach appears to be less restrictive than others, for example, which specifically exclude direct analysis of shared-memory-to-shared- memory transfers [lo], or which even rest on indivisible shared-memory access [ll]. A major advantage of the approach, known as the role-model method, is that it introduces a degree of abstraction which makes the analysis feasible, while at the same time preserving the possibility of reasoning about the detailed interworking of the algorithms. First the method, particularly the supporting notation, is summarised, before it is applied to the mechanisms based on algorithms set out at the start of this paper.
The important physical phenomenon of metastability [12], which is inescapable in any form of fully asyn- chronous communication, has been considered else- where [1, 91. It has been shown that the impact of the metastability phenomenon can be reduced to a point where it is well below that of other failure modes. This leaves us free to concentrate on the logical properties of the algorithms.
2 Role-model method
The role model method has been developed specifically to deal with the class of asynchronous mechanisms in which small shared control variables are used to co- ordinate access to shared data. The method is fully described in an earlier paper [9] which shows how the analytic power of the method can be expanded progres- sively to cope with mechanisms of progressively increasing complexity. Those wishing to explore the evolution of the concepts and notation should consult this earlier paper. The present paper concentrates on aspects necessary for analysis of the new four-slot mechanism, particularly pointing out features which either simplify application of the method or support a more refined analysis.
IEE ProccComput. Digit. Tech., Vol 144, No. 4, July 1997 232
The method captures the effects arising from asyn- chronous execution of the access-control alg’orithms. Two concepts lie at the heart of the method: ‘events’ and ‘roles’. An event is a time at which there is some possibility of interaction between the two sides arising from the algorithm operations on the shared control variables. A role is a purpose (e.g. ‘being .written’, ‘selected for reading’ etc) which a slot or pair may be fulfilling at any given time. The ‘role state’ of a mecha- nism is the pattern of roles taken up by the sllots and pairs at any given time; it indicates the relative disposi- tion of roles and is not tied to particular physical pairs and slots.
The role state changes at each event, and the nature of this change is expressed by a ‘role transition state- ment’ which defines how the role state is to be modi- fied by adding or removing roles. The complete graph, giving all role states which can occur during asynchro- nous operation, is known as a ‘role model’ and! can be drawn as a ‘role transition diagram’. The role model ex.hibits all reachable role combinations and can there- fore be used to examine the properties of interest. For example, if the role model contains a role state in which the roles ‘being read’ and ‘being written’ are car- ried by the same slot, then coherence is lost; otherwise coherence is preserved.
2. I Events ‘Events’ are regarded as distinct. When events are very close in time, it is in the nature of each controll opera- tion that it will always come to a decision concerning the value to be assigned and, when the value is chang- ing, this uniquely determines the apparent order of events; when the value is not changing, the order of events is immaterial and the events may still be seen as distinct. The significant events for the algorithms are: w p , rcp writer indicates pair, reader chooses pair ris, wcs reader indicates slot, writer chooses slot wis, rcs writer indicates slot, reader chooses slot ‘Indication’ occurs at the end of an assignment opera- tion and recognises the point at which the new value becomes visible (to the other process). ‘Choosing’ occurs at the beginning of an assignment and recog- nises the point at which the operation is committed to the subsequent indication of a particular value. Thus the control events are positioned as follows: wip occurs at the end of ip := @; rcp occurs at the beginning of op := G; ris and rcs occur at the end and beginning of r := w; wis and wcs occur at the end and beginning of w[ip] :=
N o other control event is significant; for example, wcp (writer chooses pair) is only of interest to the writer and does not interact with the reader in any way.
__ rZkJ1.
2.2 Roles ‘Roles’ are identified by a single character thus: E = slot earmarked for writing N = pairhlot next for writing/written C = slot committed for reading S = slot selected for reading Mf = slot being written R = slot being read 0 = no role currently allocated
El? Proc.-Com]~ut. Dizit. Tech., Vol 144, No. 4, July. 1997
These roles are sufficient for an analysis of the coherence properties; further roles are introduced as necessary to investigate other effects. It will be assumed that all role changes take place at the previously identified events, there being no other times when the writer and reader interact in a way which is observable. This means, for example, that the W role is defined as persisting from the end of one write-control sequence (wis) to the beginning of the next (wip). This is a more direct approach than was used previously [9]. The analysis is simplified by removing, from the outset, the specific identification of the events associated with the beginning and end of write and read data transfer operations.
A slot may support more than one role at any given time and the individual role letters are used in combi- nation. The complete ‘role state’ of a mechanism at any given time is represented by a grouping of sets of roles covering all pairs and slots, e.g. thus:
The inner brackets give the role(s) associated with a pair, and the outer braces add in the roles for each slot in the pair. This particular expression indicates that reading is taking place in a slot in the pair not marked for writing, but that the slot being read is also marked as last written (note the use of N to show both marked for writing and marked as last written). The other pair, which is marked for writing, has different slots selected for reading and marked for writing. The role notation has the advantage of preserving a sense of operational purpose while giving some economy of representation. For example, the above expression covers the eight control-variable combinations in which ip * op, r [ ip] *
{ ( N ) , N , ss5 {(a ” 0 )
w[@], r[op] = w[op].
2.3 Transitions The notation for a ‘role transition’ consists of two sets of role indications in square brackets to the left and right of an -. On the left is the role combination which must be present to result in a change, and on the right are roles to be added to (if not already present), or deleted from (if present), the current role state (a bar over the role identifier is used to distinguish deletion). An * on either side means irrelevance (i.e. any roles are allowed).
A complete ‘role transition statement’ consists of an event identifier followed by one or more role transi- tions. Where there is more than one transition, they are notionally applied simultaneously, but in the order written, at the time of the event. Use of the role transi- tion-statement notation is best understood by seeing it applied in the analysis of the operation of the new four-slot mechanism; further examples are available in
The role transition notation can be used to express the role changes at significant events. For the writer we have:
191.
wip: [{*$, {*$I - [{(*I> w > PI, I(*)> w> ws1
wcs: [ { ( N ) , s, “3, {*$I wis: [{(*I, E, *}, {*$I + [I(*), E N , NI , {*I1
[ { ( N I , N , *S> {*I1 - [I(*)> w, * }> {*$I These role transition statements illustrate an important general feature of the method. There are three different uses of the * notation: { * } means that the pair roles for
*> *$> {*$I + [{(n *> *$, C(N, *> *)I [{(*I> *, E ) , { * > I
233
~
O?
+ V I S
01 vip + 02 vcs + 03 *IS
i
O? + .VIP
05 iYCS + 06 . A T
i
07 ,v;P + 08 wcs + 09
i lyis
10 wip + 11
wcs + 12
)VIS +
-1
Ti _ ..
. . . . ~ .. .. ____ I I '
: ....... ___
Read Pre Sequence: r I.' *. op . = j p
-
rcs ris rcp
Ke;tdTranitions IIoiimntal J Anticlockwise
T ;!..<: .......
Writc Post Sequence: ip := @: w[ip] := rlipJ' wrp wcs wis
Writc 'Transitions: Vcitical I Clockwise k--
T .. !\<: 1. ....... - _---_I
. . i 'i, .... '.K.: . . . .
__ --c .... .:, .
I I
I i I \.....A . . . . . . . . . . . . .
a pair, and the slot roles within that pair, are irrele- vant; (*) means that the pair roles are irrelevant; * means that the slot roles are irrelevant. An {*I, (*) or * on the left of an - means 'no effect on', and Ion the right of an - means 'not affected by'.
The first transition of w@ shows the W role being removed at the end of write data transfer, and the sec- ond shows the N role being switched from one pair to the other. The wcs statement shows the E role being allocated to the slot not selected for reading within the pair selected for writing. E is a transient role which is used to represent the delay through the ~ [ i p ] ::= v[@] control operation. This delay is significant as the reader might, during that interval, choose to acquire a new w[&] value. The first transition of wis shows the E role being converted lo an N , and the second shows the W role being allocated to the slot selected for writing witlhin the pair selected for writing, at the beginning of write data transfer.
res: [{*I, {*$I -.+ [{(*I, R , R ) , {(*I, R , RI1
~
For the reader we have:
[{(*I> N, * } 3 {(*I, N, *:1 -+ I{(*), C, *:, {("I, IC, *$I I{(*>, C, *:, {("I, c, *$I + [{(*>, cs, Q , {(*I, cs, ris:
9 1 'cp: [{(N), *> * )> {(*I> s, *}I - [{*I, {(*I> R, *)I The first transition of res shows the R role being removed at the end of read data transfer, and the sec- ond shows the C role being allocated to the slot last written and the slot selected for writing. The ris state- ment shows the transient C role being used to deter- mine which slots should carry the S role, and tlhe vcp statement shows the R role being allocated to the slot selected for reading within the pair not allocated for writing. Of course the events determining C and S are really vector events and will not affect all elements at precisely the same time. However, this does not compli- cate the analysis. At the slot level we have the depend- ency sequence: N determines C (via res) determines S (via P i s ) determines E (via wcs) determines N (via wis). It is only the N allocation in one pair which can change (via wcs and wis) each time this loop is traversed, and the C and S vector events can be regarded as locked to the C and S events in that pair (although it is impossi- ble a priori to know which pair that will be).
2.4 Transition diagrams The 'role transition diagram' for the complete role model for a mechanism is constructed by taking ;I suit- able initial role state and applying to it a role transition from each side of the mechanism to generate twlo new states. As this process is continued, it is found that some of the role states so generated are already present and transition paths through the diagram form [closed loops. Eventually, a diagram is obtained which is com- pletely closed and represents all possible states. Where the initial role state does not lie within one of the closed loops (due to an inappropriate initial role com- bination), the role model always transitions to the closed form which represents the stable normal opera- tion [SI. Manual construction of these diagrams is too difficult and error prone, and it is necessary to develop a simple computer program which not only generates a total set of possible states but which also examines the state space for its properties.
IEE ProcComput. Digit. Tech., Vol. 144, No. 4, July 1997
3 Mechanism properties
The position has now been reached where the role- modelling technique can be applied to particular analysis topics. First consider the basic properties of coherence and freshness, before examining the fine detail of data sequencing, and the sort of failure that can arise from faulty implementation.
3. I Coherence The choice of roles and transitions has a very significant impact on the complexity of the resulting role transition diagram. Fig. 1 shows all significant role states for this new four-slot mechanism, obtained by applying the above transition statements, and capturing the resulting states which are relevant to the maintenance of coherence. There are 64 states on this diagram representing steady-state operation, plus two additional transient initial states (shown in dotted outline). No constraints have been placed on relative rates of operation, so the diagram captures all possible event interleavings. Individual states can conveniently be referred to by their row and column positions (e.g.
To economise on presentation, the pair roles have been omitted from Fig. 1 . The diagram has been drawn such that there is an implicit N-pair role associated with the left-hand pair of each state. There is no need for more than this as there are no other roles to be shown at this level. Note that, in this form of the mech- anism, all the complexity is in the slot-role allocations (c.f. the previously known form [9] which has a com- paratively complex pair role structure, but with only 34 states in the model).
The two initial transient states have been included to demonstrate the completeness of the diagram. No par- ticular initial conditions are specified for the algorithm control variables, and the starting state of a mechanism is such that it is ready to receive a write post or read pre sequence. This means that, notionally, the mecha- nism is open for both writing and reading, although at the instant of start up no data transfer can be taking place.
Fig. 2 gives the role states for all possible initial val- ues of the control variables. From any of these initial states excursions can be made to two new states, one for the first read-control event P nd the other for the first write-control event wip. This process is repeated with due regard to the event-sequencing constraints so that there are two exit paths from every state. Loops can be closed when the role states match after a com- plete cycle (three) or cycles (multiples of three) of read andlor write events.
The role states have been laid out so that the reading role is present on states in the shaded columns I , 2, 7, 8 and the writing role is present on states in the shaded rows 01, 04, 07, 10. Potential WR clashes occur where shaded columns and rows intersect. The two possible initial states at 01-1 and 10-7, which are present if the random initial control values so determine, are the only places which show a WR clash. In practical use, read- ing only takes place following the application of a read pre sequence, so the mechanism always moves away from these two states which can never be revisited. The other six shaded intersections show that at no time are the Wand R roles allocated to the same slot. This con- firms that coherence is maintained.
07-2).
235
Control Variable Conditions
ip = op
ip = op
ip = cy
ip = cp
iP * cp iP * op iP * op iP * op
~ ~~~
Full Role State * Co-ordinates
01 - 1
1 0 - 7
04-2
07-1
01 - 2
10-8
04- 1
07-2
* The role states are arranged so that the only pair role, N, is always present in the left hand pair. For compactness it can then be omitted from the role transition diagram (see figure 1).
Fig.2 Initial role states
3.2 Transition-diagram topography Confidence in the validity of Fig. 1 is gained by exam- ining the new role states generated by application of the control events at each point in the diagram. Where two control events do not interact, the role states form a logical square indicating that the order of event occurrence is not significant; but where they do inter- act, there are two possible destination states on the diagonal of the (now broken) square, depending on the order of occurrence. An example of noninteraction is seen in the top left-hand corner of the diagram where the transition from 00-0 to 01-2 can be achieved by either rep wis or by wis rep. Other pairs having this property (with an example of each) are: rcp ivcs (02-0 to 03-l), res ivz@ (01-2 to 02-4), rcs wcs (02-2 to 03-4), ris wip (07-3 to 02-0) and ris ivis (00-4 to 01-0).
The interacting event pair wip rep has an outcome which is always dependent on the order of occurrence. For example, from a starting state of 01-0, rep w@ goes to 02-2, whereas wip rcp goes to 02-1. This arises because wip always changes the visible value of ip. The other two interacting pairs are vis wcs and res ivis; these may or may not result in an order-dependent outcome as it is possible that, in some circumstances, the indi- cating event does not change its associated control-bit value, and so it does not matter whether it occurs before or after the choosing event.
The role transition diagram shows every possible interleaving of the control events as would be representative of an operating environment, say, in which software processes pre-emptively scheduled in different processors communicate through shared memory. In this case it is quite possible for one process to execute many access operations while the other remains suspended within a particular invocation of its control sequence. Other forms of operating environment are more direct and can be such that timing characteristics limit the number of possible states. For example, if the algorithms are implemented in hardware it may be possible to say that the time taken to read or write the data is always greater than the time taken for a control sequence. This interval
236
constraint can be modelled [9] and reduces the steady- state transition model to 36 points. In particular, the block in the bottom right-hand quadrant, and only entered by wis from 06-5, disappears altogether (the transition to 07-5 only exists if a complete write operation (from wis to wip) can be shorter than the interval between the first two events in the read pre sequence (from res to ris)).
3.3 Freshness To analyse the four-slot mechanism for its freshness properties, it is first necessary to define carefully the concept of 'fresh' (i.e. not stale) data. A role F (fresh- est) is allocated at the start of the write post sequence to the slot just written, but at the same time the old F is transformed to a P (previous freshest) to capture the ambiguity which exists while the write post sequence is carrying out its task of making the new data available. P is deleted at the end of this sequence. Both P and F are regarded as acceptable for this short interval.
The reader has to acquire access to valid data within the duration of its pre sequence. This is investigated by attaching p, respectively, to the slots carrying P, F at the start of this sequence; all other slots are set to be invalid at that time. It is possible for new valid data to become available during the read pre sequence and this is assigned a V (valid) role. To check for freshness, it is merely necessary to establish whether the slot assigned an R at the end of a read pre sequence also carries a p , f o r V.
p roles are manipulated by additional role transitions associated with the control events:
The F, P , V,
wip: I{(*>> F, "I, { * > I - [{(*I> P, *)> {*>I
wis: [ { * } , {*$I + [{(*I, p , p > , {(*I, p , PSI [I(*), w, *>, { * > I - [{(*I, VF, F > , I(*)> F , PI1
[{(*I> p , *I> {*)I + [{(*I> P, P ) , {(*I> P , PSI [I(*>, E; *I> {*I1 - [ { ( * > > A f h {(*I> 7, 7>l E { * > > {*)I -+ [{("I, v, V I , {(*I> v, V>l
yes:
These role transition statements make it possible to determine whether the data about to be read was the
IEE Proc.-Con?put. Digit. Tech., Vol. 144, No 4, July 1997
freshest at the start of the read pre sequence, or (in the case of a read pre sequence which starts during a write post sequence) was the previous freshest at the start of the read pre sequence, or has been declared as fresh since the start of the read pre sequence. This is ;I more discriminating analysis than was previously used 191, and it is now possible to distinguish between the three particular ways in which data is adjudged to be fresh; it results in larger role transition models but this is no problem when these are generated automatically. The new form of analysis has been introduced to give added insight to the difficult notion of freshness in this form of asynchronous operation.
Addition of the freshness-role transitions expands the steady-state transition model from 64 to 461 points. The new model shows that fresh data is alwayls read. The slots read carry p , .f’ or V annotations, or some- times Vp or vf‘combinations; these last two annota- tions arise when the writer can complete its write-data operations within a read-control sequence, and so new valid data is generated before the reader starts to read. A imore interesting result is obtained on application of the two interval constraints, where write-data opera- tions are always longer than read-control sequences, and vice versa. This reduces the number of points in the steady-state model to 97, and now only f or V annotations are evident on the slots read.
The f annotations arise wherever the start of a read pre sequence does not overlap a write post sequence, and in these circumstances it is easy to satisfy oneself that the freshest data will be accessed by the reader. The V annotations are not quite so straightforward and it is of interest to examine an example in more detail. Fig. 3 shows a fragment from a role-transition model in which both the freshness transitions and the interval constraints have been applied (such interval constraints can be expressed by using the event identifiers to repre- sent the times of their occurrence 191). Each state on this diagram has been marked with its equivalent posi- tion in Fig. 1. Note that, as in Fig. 1, the wip event moves the N-pair role from one pair to the other so that the slot roles for each pair are swapped over on the diagram to preserve the convention that the implicit N-pair role goes with the left-hand pair. Where a state contains only a single exit path, this is due to an! inter-
val constraint. The effect of the additional freshness roles is to subdivide the original states (64 in Fig. 1) so that the additional role information can be carried around the diagram.
The loop around the top row of Fig. 3 corresponds to repeated reads while the writer is busy writing new data; in this case the reader repeatedly gets the same last complete data record. If the writer invokes wz& between YCS and the next rcp, and if the reader then invokes ~ c p before wis, Fig. 3 shows that the reader will get the new data before the write post-sequence is com- plete. Effectively, the reader will have moved from reading at the top left-hand corner to reading in the middle or bottom of the right-hand column. This result is unsurprising but it does confirm that the-role model- ling technique is behaving properly.
The reading of data carrying a V role can be regarded as ‘a better than to be expected’ performance. In contrast, the reading of data carrying a P role can be regarded as ‘a worse than to be hoped for’ perform- ance. A more refined investigation of the need to accommodate the P role in any freshness definition can be carried out by removing the P role at wcs rather than wis. This does not ~ seem unreasonable, as it would appear that w[@] := 4471 is purely concerned with selec- tion of the next slot for the next write. However, role modelling with no interval constraints shows that a freshness failure is only avoided if the P role persists until wis. This indicates the dual purpose of w[ip] := r[ip]: first to select a slot for writing, and then to reveal it to the reader at wip. A specific example is given in Section 3.4.
~
3.4 Data sequencing An interesting corollary of the freshness requirement is that data items would be expected to be read in the order that they have been written. Data items may be lost when reading is less frequent than writing, or they may be repeated when reading is more frequent than writing, but ideally at no time should the order be inverted such that data is read in the sequence new-old- new 113, 51. Section 3.3 has shown that there is some variability in the precise moment at which new data becomes available, and it is therefore important to investigate whether the new-old-new phenomenon can occur.
r . O i l 4 01-0
WCI, wcs wcs 4
[NSPf,E],[NSFV,O) ) 4 [NSPf,E],[NSRFV,O] ] 03-0 03-1
1 wis 1 wis I wis
Write event sequence: wlp wcs WIS
Read event sequence.
rcs r6 rcp
Interval constraints: wip - wis > rcp - rcs
rcs - rcp =- WIS - wip
Fig. 3 Fseshnes.s role tsmsitions
IEE Proc.-Comput. Digit. Tech , Vol. 144, No. 4, .July 1997 231
Some additional roles are introduced to allow data sequencing to be tracked around a role transition model. Digits 1, 2, 3, 4 are used to indicate the order in which the slots have been written, 1 being the most recently written. X is used to indicate that a slot con- tains old data, i.e. that newer data has already been read, and x indicates that a slot containing old data is to be read. These roles only apply at the slot level and any pair roles are irrelevant. Consequently, in this case, the role transition notation can be simplified to work entirely in terms of a four-element set, one element for each slot regardless of its pairing.
The roles indicating the order of writing are deter- mined by the following role transition statement: 14ip: [w2, 1, *, *I - [ i ~ , 27, *, *I
[w3, 1, 2, *I - [i3, 2i, 32, *I [w4, 1, 2, 31 - [14, 2T, 32, 471
This statement allocates role 1 to the slot containing the newest data, and moves roles 2 and 3 down as necessary.
The old data roles are determined by the following role transition statements: wip: [WX, *, *, *] + [X, *, *, *]
[Rl , *, *, *] - [ X , x, x, x] [R2, 1, *, *I - [F, x, x, x] [R3, 1, 2, *I - [X, x, x, x] [*, *, *, *] - [.U, x, x, x]
rcp: [XR, *, *, *] 4 [x, *, *, *]
[R4, 1, 2, 31 - [x, x, 2, x] I‘cs: The statement at wip ensures that new data is not regarded as old. The first transition at rcp notes that the new-old-new phenomenon has occurred; subse- quent transitions mark (with an x) those slots contain- ing old data. The statement at rcs deletes x if present.
Introduction of these additional roles and role transi- tion statements (each of which is applied after the cor- responding primary transition identified in Section 2.3) increases the number of points in the steady-state tran- sition model from 64 to 205. It is found that there is,
03-1
WIS
indeed, a set of role transitions where order inversion can occur. This phenomenon can be observed at 05-2, and at any role state that can be reached from 05-2 by write events alone.
Fig. 4 gives a fragment from the full role state model showing how the old data condition can occur when the reader is able to catch the latest data value availa- ble at 02-1 or 03-1. On the left of the diagram it can be seen that the very latest data is being read (role R coin- cident with role 1); the reader gets this data even though the relevant write post sequence is incomplete. On the right of the diagram it can be seen that the next read uses the other pair (rcp after wip), but cannot see the latest data (res before wis). As a specific example of this phenomenon, consider the following sequence of mechanism operations: w[l] := 0; Y := (0, 0); 41, 01 := input; ip := 0; op := 1; output := 4 1 , 01; I’ := (0, 0); w[0] := 1; 40, 11 := input; ip := 1; op := 0; output := 40, 01 The first line of these operations gives a possible sequence prior to entering the states illustrated in Fig. 4. The first operation of the second line is associated with the ~ c p on entry to the top row of Fig. 4, and progress then continues across the top row. The state transition trajectory is then vertically downwards before op := 0 (rcp event) causes a transition to the bottom right-hand state where old data is read. This is also an example of previous freshest data being read, where the write post and read pre sequences just overlap {wis in w[0] := 1 just after rcs in r := (0, 0)}
Fig. 4 also shows that the bottom right-hand corner cannot be reached if the write-data operation is always longer than the read control sequence: wip ~ ,vis If this condition holds, then exit from Fig. 4 is by the horizontal path on the right of the third row. The full role state model shows that all states exhibiting the new-old-new property are reached through role model
rcp - rcs
03-L 03-0
WIS WIS 4
[ N W 3 X , S Z m ) ~
I 01-L I OL-0
1 wcs 1 wcs 1 w c s
Write event sequence Read event sequence Interval Constmints. wlp wcs WIS rcs ris rcp none
Fig. 4 oldness vole tracking
IEE Proc -Comput Digit Tech., Vol. 144, No. 4, July 1997 238
fragments having an identical event pattern to that shown in Fig. 4, so application of this timing coiistraint entirely eliminates this possibility.
It must be stressed that, in these circumstances, the data read is always fresh (role state P ) within tlhe defi- nition of freshness given here; it is only the sequence order which is affected. Thus the operation of the algo- rithms is satisfactory for the intended purpose, i.e. for the presentation of data which is at least the freshest declared to be available (at the end of a write post sequence) when requested (at the beginning of a read presequence). Note also that no order inversion occurs if data transfers are always longer than control sequences.
3.5 Faulty implementation The analysis thus far has confirmed that the new algo- rithms provide a sound basis for the implementation of asynchronous communication mechanisms. It is implicit in any application that the order of the algo- rithm operations is as specified, and that each opera- tion completes before the next is started. ‘This is obviously necessary in the writing algorithm, where the result from the first operation, ip := F , is used in the second, w[ip] := r[ip]. However, on the reading side there is no dependency between the two operations, r := w and op := ill. It is important, therefore, to con- sider the possibility of starting the second read-.control operation early, as this would reduce the time required to execute the read pre sequence. Here the effects of overlapping the two read control operations will be investigatcd. This amounts to saying that rcp occurs between rcs and r is.
The role transition model for overlapped read-con- trol operations shows a loss of coherence but no loss of freshness. Application of the interval constraints (write- data operations always take longer than read-control sequences, and vice versa) still leaves one role state in which coherence is lost. A fragment of the full role transition diagram is shown in Fig. 5 including, in the
bottom right-hand corner, the state in which coherence is lost. It has been necessary to introduce the pair role C (committed for reading) to allow the effects at rcp to be carried through to p i s to select the slot to be read, and the role transition statements on the reading side have been adjusted to reflect the changed order of events. This diagram must now include the pair roles (c.f. Fig. 1) as the relationship between C and N at the pair level is significant.
Fig. 5 shows that this form of four-slot mechanism could move from the satisfactory state in the top left- hand corner to the unsatisfactory state in the bottom right-hand corner, if the event order rcs rcp wip has occurred and then wcs occurs before ris. It follows that this possibility can be removed by application of the following additional timing constraint: tvcs - tvip > ris - rcp
This means that, by increasing the interval between operations on the writing side, it is possible to compen- sate for the reduction in interval on the reading side [9]. This is not really a satisfactory answer, as it introduces timing constraints between the two sides within the control operations. Implementations should therefore ensure that they reflect precisely the form of the algo- rithms given at the start of this paper; in particular the second operation of the read pre sequence should only be started after the result of the first operation is visible to the writer.
4 Conclusion
The role modelling technique has been applied success- fully in exploring and proving the coherence and freshness properties of a four-slot asynchronous com- munication mechanism based on a new set of algo- rithms. It has been shown that the representation of role state within a model can be refined and adapted to investigate quite subtle effects. Thus the difficult notion of freshness has been analysed in some detail, as has
I wis
I w‘p I
Write went sequence Read went sequence Interval Constraints. wlp wcs WIS rcs rcp ris wip-wis > Tis-rcs
rcs - ris > wis -wip
Fig. 5 Fnully inzplementalion
IEE Proc.-Conzput Dig{/. Tech., Vol. 144, No. 4, Ju l j 1997 239
the sequencing of the data values as they pass through a mechanism. In all cases it has been found that the new four-slot algorithms provide a sound solution to the asynchronous communication problem, and one that is free from the temporal interference and tempo- ral constraints found in most other methods.
The role modelling analysis technique, as applied to this form of asynchronous communication mechanism, casts new light on the traditional atomic register [5] for communication between concurrently operating processes. By separating out the release (by the writer) and selection (by the reader) from the overall writing and reading of data, the true essence of the shared data-communication problem is exposed, namely: shared data which has been written by one process can only be revealed to another by specific data release; shared data which is to be read by one process can only be protected from another by specific data selection. Thus attention is shifted from the data itself to the control of access to the data, a more appropriate concern when considering the mechanics of shared data communication.
5 Acknowledgment
I am grateful to Eric Campbell, Len Griffiths, Jim Armstrong, Stephen Paynter and the referees for the help they have given in the difficult task of deciding on
the level of detail necessary for a clear explanation of the method and notation used in this paper.
6
1
2
3
4
5
6
7
8
9
References
SIMPSON, H.R.: ‘New algorithms for asynchronous communica- tion‘, IEE Proc. Comput. Digit. Tech., 1997, 144, pp. 227-231 HOARE, C.A.R: ‘Communicating sequential processes’ (Pren- tice-Hall, International, 1985) MILLNER, A.J.R.G.: ‘A calculus of communicating systems’ (Prentice Hall International, 1989) LAMPORT, L.: ‘On interprocess communication Part I: Basic formalism’, Distrih. Coniput., 1986, 1, (2), pp. 77-85 LAMPORT, L.: ‘On interprocess communication Part 11: Algo- rithms’, Distrib. Cumput., 1986, l , (2) , pp. 86-101 LYNCH, N.A., and TUTTLE, M.R.: ‘Hierarchical correctness proofs for distributed algorithms‘. Proceedings of the Sixth Annual ACM Symposium on the Princiyles of distributed comput- ing, 1987, pp. 137-151 MANNA, Z., and PNUELI, A.: ‘Verification of concurrent pro- grams: the temporal framework’ in ‘The correctness problem in computer science’ (Academic Press, 1981), pp. 215-273 MANNA, Z., and PNUELI, A.: ‘Verification of concurrent pro- grams: temporal proof principles’ in ‘Lecture notes in computer science. 131’ isnringer-Verlae. 19811. on. 200-252 SIMPSON, H.R.: ‘Correctness analys‘is‘ for class of asynchronous communication mechanisms’, IEE Proc. E, Coniput. Digit. Tech., 1992: 139, ( l ) , pp. 35-49
10 ANDERSON, J.H., and GOUDA, M.G.: ‘A criterion for atomic- ity’, Form. Asp. Comput., 1992, 4, (3 ) , pp. 273-289
11 OWICKI, S. , and CRIES, D.: ‘An axiomatic proof technique for parallel programs 1’, Acta Inform., 1976, 6, (4), pp. 319-340
12 CHANEY, T.J., and MOLNAR, C.E.: ‘Anomalous behavior of synchronizer and arbiter circuits’, ZEEE Truns., 1973, C-22, (4), pp. 421422
13 PETERSON, G.L.: ‘Concurrent reading while writing’, ACM Trans. Program. Syst. Lung., 1983, 5 , (l), pp. 46-55
240 IEE Proc.-C‘omput. Digit. Tech., Vol. 144, No 4, July I997