Formal Models for Distributed Negotiations Transactions in Linda

1
Formal Models forDistributed NegotiationsTransac
tions in Linda
XVII Escuela de Ciencias Informaticas (ECI 2003),
Buenos Aires, July 21-26 2003
Roberto Bruni Dipartimento di Informatica
Università di Pisa
2
Zero-Safe Approach

• Zero-Safe nets are based on a two-level
  classification of resources
• Stable Observable Persistent
• Zero Temporary Volatile
• This idea can be easily exported from Petri nets
  to other formalisms whenever
• States are multisets
• Elementary actions can fetch and release
  resources
• Outcome
• Express transactions in a concurrent scenario
• Related refined / abstract views of the same
  system

3
Adding Transactions to Linda

• We have already seen net models for Linda
• Places model messages and processes
• We can apply the Zero-Safe approach
• Get some insights on a choice of language
  primitives for expressing transactions
• Surprisingly, concurrent semantics is more
  natural than interleaving semantics
• Refined / abstract views
• Problem
• Linda requires contextual arcs

4
Zero-Safe Nets with Read Arcs

• The combined use of zero-safe places and read
  arcs is not problematic
• Crucial point is
• whether to forbid or not that a stable token is
  read (possibly many times) and then also fetched
  during the same transaction
• We consider the semantics that forbids these
  behaviors
• Regarding read arcs on zero safe places
• can be dealt with
• for simplicity and uniformity (see why in a few
  slides) read arcs on zero safe places are not
  considered here

5
Zero-Safe Nets with Inhibitor Arcs

• The combined use of zero-safe places and
  inhibitor arcs is not completely straightforward
• We would like to keep consistent refined /
  abstract views
• the example above has apparently two independent
  transactions (s followed by r / just t)
• they are not really independent because tokens
  flow in z
• not reflected in the abstract view
• Ambiguity solved by restricting inhibitor arcs to
  stable places only

6
Operational Semantics

• No read arcs on zero safe places (can be relaxed)
• No inhibitor arcs on zero safe places (avoid
  ambiguity)
• (Fix the positive/negative context and do the
  transaction)

x?u?x ?w?NBv?y
x?(u,?) ?w?B(v,?)
underlying steps
commit
x?(u,x) ?w?B(v,y)
x?u ?w?Bv
x?(u?w,x) ?w?B(v?w,x) x?(u?w,x)
?w?B(v?w,y)
?x?x??(u?u?w,x) ?w?B(v?v?w,y)
horizontal composition
if (x?x)?(u?u?w?w?v?v) ?
7
From Linda to TraLinda

• Main ideas
• distinguish between low-level and high-level
  messages
• Typing relation a? with ??L,H
• atomic prefixing ?_C
• Execute ? if the concurrent program C can
  complete the transaction
• stable guards only!
• solve ambiguity in the semantics

8
Syntax

• Messages
• M ?a??
• Action Prefixes
• ? out(a?) rd(aH) in(a?) !in(a?)
• Predicates
• ? rdp(aH) inp(aH)
• Sequential Programs
• S 0 ?.C ??CC ?_C
• Concurrent Programs
• C S CC
• Processes
• P M C PP

can be relaxed
cannot be relaxed
9
Examples

• in(aH)_(out(bH).0 in(cH).0)
• can input the message ?aH? provided that also
  inputs ?cH? and outputs ?bH?
• P1 Pn Qn
• Pi in(aiH)_out(zL).0
• Q0 Q (generic process)
• Qi1 in(zL)_Qi
• can start a task Q after consuming the messages
  ?a1H? ?anH? (regardless of the order)
• in(aH)_0
• deadlock (always abort) should we allow it?

10
Truly Concurrent Semantics for TraLinda

• Straightforward adaptation of truly concurrent
  semantics for Linda
• We must carefully distinguish zero safe places
  from stable ones
• Messages
• ?aH? is stable
• ?aL? is zero safe
• Sequential Processes
• Two versions
• P is stable
• _P is zero safe (due to atomic prefixing)
• Correspondingly, there are two versions of
  transitions

11
Decomposition Function

• dec(P) is defined as usual, plus
• dec(?_P) ?_P
• In general dec(P) P1,,Pn,M1,,Mm
• We let _dec(P) _P1,,_Pn,M1,,Mm

12
Some Transitions

• See Bruni, Montanari 2003 for full list and
  technicalities
• IN(a,?,P) ? ? ?a?? ? in(a?).P ??? dec(P)
• ATIN(a,?,P) ? ? ?a?? ? in(a?)_P ??? _dec(P)
• OUT(a,?,P) ? ? out(a?).P ??? ?a?? ? dec(P)
• ATOUT(a,?,P) ? ? out(a?)_P ??? ?a?? ? _dec(P)
• _IN(a,?,P) ? ? ?a?? ? _in(a?).P ??? dec(P)
• _ATIN(a,?,P) ? ? ?a?? ? _in(a?)_P ??? _dec(P)
• _OUT(a,?,P) ? ? _out(a?).P ??? ?a?? ? dec(P)
• _ATOUT(a,?,P) ? ? _out(a?)_P ??? ?a?? ?
  _dec(P)

13
Example Message Typing
out(aH).P in(aH).Q
out(aH).P
in(aH).Q
?aH?
dec(P)
14
Example Message Typing
out(aL).P in(aL).Q
out(aL).P
in(aL).Q
?aL?




dec(P)
dec(Q)
15
Example Prefixing
in(aL).out(bH).P
?aL?

out(bH).P
?bH?


dec(P)
16
Example Prefixing
in(aL)_out(bH).P
?aL?

_out(bH).P
?bH?


dec(P)
17
Example Prefixing
in(aL)_out(bH)_P
?aL?

_out(bH)_P
?bH?


_dec(P)
18
Example Reading

• Take the process P P1 P2 ?aH? ?bH?
• P1 rd(aH)_in(bH)_out(cH).0
• P2 rd(bH)_in(aH)_out(cH).0
• Either P1 or P2 can be executed successfully, but
  not both
• because the messages ?aH? and ?bH? cannot be
  first read and then consumed during the same
  transaction
• Compare against Q Q1 Q2 ?aH? ?bH?
• Q1 rd(aH).in(bH).out(cH).0
• Q2 rd(bH).in(aH).out(cH).0

19
Example Reading
P1



?aH?
?bH?
?cH?
0



P2
20
Some Results

• For each process P we can construct a finite zero
  safe net zsnet(P)
• If P does not contain atomic prefixing
• The only zero safe places in zsnet(P) are those
  associated with messages
• all transactions in zsnet(P) consist of two
  events at most
• If P is a Linda process, then zsnet(P)net(P)

21
A Note on Ordered and Unordered Semantics I

• Ordered and unordered semantics for Linda have
  different expressive power
• (deadlock is decidable in the unordered)
• In their corresponding net semantics, netO(P) and
  netU(P), the main difference relies in the
  atomicity of emission and rendering
• Take ??a?? as stable or zero safe
• We can translate unordered processes in ordered
  processes via a transformation div(.)
• div(out(a).P) out(_a).div(P) in(_a).out(a).0
• div(.) is the identity for the rest

22
A Note on Ordered and Unordered Semantics II

• Proposition
• netU(P) is deadlock equivalent to netO(div(P))
• (the proof exploits a third net equivalent to
  both)
• Atomicity is essential, take
• div(out(a).P) out(_aL).div(P)
  in(_aL)_out(aH).0
• div(.) is the identity for the rest
• Proposition
• netO(P) is deadlock equivalent to (the abstract
  net of) zsnet(div(P))

23
An Alternative Approach

• In the context of coordination middlewares
• JavaSpaces (Sun Microsystem)
• TSpaces (IBM)
• Both borrowing features from generative
  communications of Linda (data-driven
  coordination)
• Also event notification (control-driven
  coordination)
• Transaction mechanisms
• Interest on serializability
• JavaSpaces specifications were not enough
  precise!
• Busi, Zavattaro 2001

24
Sketch of the Alternative Approach

• PDL similar to that of Linda
• New prefixes for transactions
• create(x)
• commit(x)
• New processes
• ?a?T
• xP
• Interleaving semantics
• suitable observations
• Limitations
• No nesting, ad-hoc interleaving semantics,
  monolitic view

25
Principles

• Data produced within a transaction x will be
  accessible outside only after the commit of x
• Data consumption or test for presence within a
  transaction can operate on local and global items
• Data tested for presence during a transaction x
  cannot be consumed by processes outside x
• Concerning test for absence in a transaction x,
  if the only occurrences of matching data have
  been consumed by another transaction, the
  operation will wait for the commit before
  reporting the absence of data

26
Improving the Specification

• When read, an entry is added to the set of
  entries read by the provided transaction. Such an
  entry may be read in any other transaction to
  which the entry is visible, but cannot be taken
• Ok if we do not have conditionals in the language
• Otherwise, this is not enough for guaranteeing
  serializability
• A further lock policy is proposed
• After a test for absence is performed inside a
  transaction on a certain kind of data, no data of
  that kind can be introduced in the shared
  dataspace before the end of the transaction
• New processes needed xPR,A
• to keep track of data removed (R) and tested for
  absence (A) by x

27
Recap

• We have seen
• Transaction primitives for Linda
• Inspired from zero safe nets
• Truly concurrent semantics
• Refined / abstract views
• Examples
• Sketch of an alternative approach

28
References

• Concurrent models for Linda with transactions
  (Mathematical Structures in Computer Science,
  2003, to appear)
• R. Bruni, U. Montanari
• On the serializability of transactions in
  JavaSpaces (Proc. ConCoord01, ENTCS 54)
• N. Busi, G. Zavattaro