ViewCentric Reasoning in Modern Computing Systems

1
View-Centric Reasoning in Modern Computing Systems

• Marc L. Smith (Colby College)
• Rebecca J. Parsons (ThoughtWorks, Inc.)
• Charles E. Hughes (U. of Central Florida)
• Third International Conference on
• Communications in Computing
• June 24-27, 2002

2
The greatest problem with communication is the
illusion it has been accomplished. - George
Bernard Shaw
3
Divide and Conquer

• Traditional Domains
• algorithm design
• system decomposition
• Traditional Assumptions
• sequential computation
• one step at a time
• Traditional Role of Communication
• Interprocess? Program I/O (only one thread of
  execution)
• Intraprocess? parameter passing, global/instance
  variables
• No additional need for coordination
• But, nothing to preclude

4
Concurrent Divide and Conquer

• DC imposes no sequential restrictions
• Could have concurrently computing sub-processes!
• parallel / distributed computing
• P2P / n-Tier / Middleware - based architectures
• i.e., Modern Computing Systems
• But, consequences of concurrency include
• nondeterminism (what might happen)
• need for true interprocess communication (and
  coordination)
• communication events are observable behavior
• possibility of simultaneously occurring events

5
View-Centric Reasoning(VCR)

• Observation-based model
• reasoning via observation
• For a Modern Computing System
• sub-processes represent the observers of a
  computation
• communications represent the events of a
  computation
• observers may each see a different view
• observers might not be perfect (why?)
• In VCR, represent
• what might happen (nondeterminism)
• what did happen (history)
• what appeared to happen (views)

6
VCR Inspired by CSP

• Communicating Sequential Processes (CSP)
• seminal work by Hoare 1985, demonstrated
  reasoning about computation via trace
• process described by its observable events
• observer records the history of a computation
• what about event simultaneity?
• synchronization? (record one event in trace)
• otherwise record arbitrary interleaving of all
  events
• history is a sequentialized trace of events

7
Reasoning about what?

• Properties of computation Andrews 2000
• a program property is an attribute that is true
  for every possible execution of that program
• Categories of program properties
• safety nothing bad ever happens
• program never enters a state in which some
  variables have undesirable values (e.g., partial
  correctness)
• liveness something good eventually happens
• program will enter a state in which variables
  have desirable values (e.g., termination)
• combination of both (e.g., total correctness)

8
VCR about what?

• Questions that do not arise in sequential
  computation
• critical sections
• mutual exclusion
• race conditions
• deadlock
• finite postponement

9
VCR Abstractions

• Events and un-events
• Two new event aggregates
• parallel event (unordered)
• ROPE (Randomly Ordered Parallel Event)
• Event aggregates
• serve as trace primitives
• provide context for event simultaneity
• Two new types of traces
• history (sequence of parallel events)
• view (sequence of ROPEs)

10
VCR Implications

• One history may have many corresponding views!
• History and views permit us to reason about
  properties we couldnt with sequentialized traces
• we can generate all possible views from a history
• the reverse is not true
• Consider sequentialized trace A, A, A, A
• assume perfect observation, and that this trace
  represents all possible interleavings
• possible histories ltA,A,A,Agt or
  ltA,A,A,Agt or other parallel event traces?

11
Linda and Tuple Space

• Pioneered by Gelernter 1985
• Distinct from shared memory and message passing
• Exhibits communication orthogonality. Decoupled
  in
• destination (anonymous senders and receivers)
• space (heterogeneous architectures / OSs)
• time (processes need not run at same time to
  communicate)
• Tuple Space (the container)
• chalkboard architecture
• a shared, associative memory
• contains tuples

12
Linda and Tuple Space

• Tuples (the contents)
• sequences of values / value-yielding computations
• may be active or passive
• matched, not addressed
• Linda (the language)
• primitives augment an existing computational
  language
• rd(template), in(template) //synchronous
• out(tuple), eval(tuple)
  //asynchronous
• rdp(template), inp(template) //trouble

13
JavaSpaces

• From Sun Microsystems, Inc.
• a service provided by the Jini architecture
• an implementation of Linda and tuple space
• for more information, see Freeman, et al 1999
• Provides predicate versions of rd() and in()
• JavaSpaces Service Specification
• includes section on Operation Ordering
• Operations on a space are unordered.
• example given is our case study

14
Case Study Linda predicate ambiguity(an
interaction point in tuple space)
15
Nondeterminism

• Two levels
• Success or failure of the predicates
• Observers order of interleaving
• First level
• Suppose process U and Vs predicate operations
  fail.
• Parallel event inp(t), rdp(t), out(t)
• Second level
• six possible interleavings!
• assuming perfect observation

16
Sequentialized Trace Possibilities

• , inp(t), rdp(t), out(t),
• , inp(t), out(t), rdp(t),
• , rdp(t), inp(t), out(t),
• , rdp(t), out(t), inp(t),
• , out(t), inp(t), rdp(t),
• , out(t), rdp(t), inp(t),
• What can we say about the state of TS immediately
  after a failed predicate operation?
• What is the meaning of a failed predicate
  operation?
• ambiguous Jensen 1994
• the two levels of nondeterminism are entangled

17
As the ith ROPE in a View

• ROPEi-1, inp(t),rdp(t), out(t) ,
  ROPEi1
• ROPEi-1, inp(t), out(t), rdp(t),
  ROPEi1
• ROPEi-1, rdp(t),inp(t), out(t) ,
  ROPEi1
• ROPEi-1, rdp(t), out(t), inp(t),
  ROPEi1
• ROPEi-1, out(t), inp(t),rdp(t),
  ROPEi1
• ROPEi-1, out(t), rdp(t),inp(t),
  ROPEi1
• What is the meaning of a failed predicate
  operation now?
• not ambiguous
• ROPEs detangle the two levels of nondeterminism
• all six orderings preserve the same meaning

18
Conclusions

• Reasoning about event simultaneity
• difficult using interleaved traces
• higher level of abstraction desired
• View-Centric Reasoning introduces
• event aggregates
• parallel events (unordered)
• ROPEs (ordered)
• two types of traces
• history (perfect, one per computation)
• views (possibly imperfect, multiple per history)

19
Conclusions

• View-Centric Reasoning provides
• a new framework for reasoning about properties of
  modern computing systems
• Demonstrated usefulness of VCR
• by disambiguating the meaning of Linda predicate
  operations
• Reasoning about meaning of Linda predicate
  operations is relevant due to
• commercial TS implementations by Sun, IBM,
  GigaSpaces, and others

20
Formal Work / Future

• VCR instantiated for
• Actors (message passing)
• Linda (generative communication)
• Equivalence proofs (via bisimulation)
• restricted VCR instances (transition density 1)
• vs. Actor Theories Mason and Talcott, 1997
• vs. TSspec Jensen, 1994
• Next VCR instantiation?
• publish / subscribe metaphor
• reason about DES (e.g., HLAs RTI)

21
Formal Work / Future

• Composition
• Flipside of divide and conquer
• build new systems by composing existing systems
• How?
• parameter of VCRs operational semantics
• trees, graphs to represent
• grammars to generate
• So far, for multiple tuple spaces
• In general, heterogeneous systems

22
References

• Smith, M. L. (2000). View-centric Reasoning about
  Parallel and Distributed Computation. Ph.D.
  thesis, University of Central Florida.
• Gelernter, D. (1985). Generative Communication in
  Linda. ACM Transactions on Programming Languages
  and Systems, 7(1).
• Freeman, E., Hupfer, S., and Arnold, K. (1999).
  JavaSpaces Principles, Patterns, and Practice.
  The Jini Technology Series. Addison Wesley.
• Hoare, C. (1985). Communicating Sequential
  Processes. Prentice Hall International Series in
  Computer Science.
• Andrews, G. R. (2000). Foundations of
  Multithreaded, Parallel, and Distributed
  Programming. Addison-Wesley.
• Jensen, K. K. (1994). Towards a Multiple Tuple
  Space Model. Ph.D. thesis, Aalborg University.
• Mason, I., and Talcott, C. (1997). A Semantics
  Preserving Actor Translation. LNCS, 1256369-378.