Analysis of the Four-slot Mechanism

This paper presents an analysis of an asynchronous communication mechanism due to Simpson [4]. The properties required of an abstract version of the mechanism are discussed. Simpson’s mechanism is described in terms of a process algebraic model. We then use automated techniques to test this mechanism against the properties stated.


Introduction
In concurrent systems, techniques for preventing conflict in reader-writer communication are usually based on mutual exclusion principles [2].
By contrast, Simpson suggests a "fully asynchronous communication mechanism" [4].It is intended to provide one reader and one writer with an efficient communication mechanism.By the use of four data slots and four additional control bits to control the routing of data to and from the slots, it is claimed that the system possesses three properties: asynchrony, coherence, and freshness.

Asynchrony The first of Simpson's requirements is:
"neither process may affect the timing of the other as a direct result of its communication operations."[4] Coherence Simpson also requires that: "data must always be passed as a coherent set, i.e. interleaved access to any [data slot] by the writer and the reader is not permitted."[4] Freshness In his 1990 paper, Simpson required that "the latest complete data record produced by the writer must always be made available for use by the reader."[4] However, his 1992 paper requires that, "the data obtained by the reader is always the most recent (freshest) to have been supplied by the writer."[5] SW = f d : D sw:d g ER = f d : D er:d g POOL = fsr; ewg [ SW [ ER Implicitly, old data may be overwritten by newer data (if the writer is faster than the reader) and data may be read repeatedly (if the reader is faster than the writer).

Structure of this paper
In Section 2 we discuss the formalisation of Simpson's properties, above.Then, in Section 3, we present a model of the four-slot mechanism.In both cases we uses Hoare's CSP [3]; in the former case we use predicates about failures while in the latter case we use the process algebra.
An analysis of the mechanism against the specification is given in Section 4 and some conclusions are offered in Section 5.

Black Box Model
We suppose a writer is sending data to a reader via some intermediary mechanism, which we will call 'POOL'.Interactions with the mechanism, such as 'write a datum' and 'read a datum' are modelled as a pair of events, one denoting the start of the interaction, and one denoting the end of the interaction.This allows us to reason explicitly about overlapping reads and writes.
The alphabet of this mechanism -the atomic events it can synchronise on-are given in Figure 1.The event sw:d denotes the start of a write, and ew denotes that the write has ended, and that the value d 2 D has been written.Similarly, sr and er:d denote the start and end of a read of value d.
It is an important part of our modelling that the datum transferred is fixed at the start of a write and the end of a read.

Specification Style
We now give predicates which POOL is required to satisfy.These predicates are failure specifications, in the style of Hoare's CSP [3].
The pair s; X is a failure of a process P, exactly when the process P may engage in the sequence of events s (s is called a trace of P), and then refuse to do any more, even though the environment is prepared to engage in any event in X (X is called the refusal set of the failure; X is called a refusal set of the process P if hi; X is a failure of P).
A specification of a process is a (collection of) predicate(s) limiting the failures the process may exhibit.In the predicates, 'tr ' is a free variable representing a typical trace and 'rf ' a free variable representing a refusal set coupled with tr in a failure tr ; rf .Other notations used in this paper are: s#A means the number of occurrences of elements of the set A in the sequence s s j A denotes the restriction of the sequence s to members of the set A front s returns s without its last element, where s is a nonempty sequence; returns the empty sequence otherwise last s returns the last element of the nonempty sequence s BCS-FACS Northern Formal Methods Workshop, 1996 READING = tr #fsrg tr#ER = 1 NOTREADING = tr #fsrg tr#ER = 0 WRITING = tr #SW tr#fewg = 1 NOTWRITING = tr #SW tr#fewg = 0 ALTERNATE = READING _ NOTREADING ^WRITING _ NOTWRITING

Alternation
It is reasonable to expect that the writer engages in start and end events alternately (and similarly for the reader).The predicate ALTERNATE, presented in Figure 2, captures this requirement.This is defined in terms of four further predicates, READING, NOTREADING, WRITING and NOTWRITING.

Asynchrony
It is required that The reader may start to read if it is not already reading.
The reader may end a read if it is already reading.The writer may start to write if it is not already writing.
The writer may end a write if it is already writing.This is easily specified by limiting the process's capacity to refuse.The relevant predicate, ASYNCH , is presented in Figure 3. ASYNCH says: When a read is not in progress the process may not refuse to allow a read to start, when a read is in progress the process may not refuse to allow the read to end, when a write is not in progress the process may not refuse to allow a write to start, and when a write is in progress the process may not refuse to allow the write to end.
The phrase "may not refuse to allow" is, here, equivalent to the phrase "must allow", but is a more literal rendering of the predicate. -

Coherence
Coherence, as Simpson defines it (see Section 1), is a property that is not directly visible outside the mechanism.Hence we do not give predicates for it in terms of external events, and instead model the failure of coherence when we describe the four-slot mechanism itself.
It does have implications for the observable behaviour, however, but these are dealt with under the head of "Freshness", below (Section 2.5).

Freshness
Freshness is a tricky property to tie down.A full analysis probably needs a notion of real time, and the use of a model such as Timed CSP [1].
Simpson knows that his mechanism allows a just-read datum to be other than the most recently written datum [5].His belief is that, at worst, the second most recent datum is read.Later (Section 4.4) we show that this belief is not justified.
Some problems with the definition of freshness arise because it is not clear what is meant by 'this read occurs after this write'.Consider Figure 4, which shows all ways in which reads and writes can overlap.Should we take the starts or ends of actions, or a mixture?Our solution is to define the predicate FRESH .The definition is given in Figure 5, and is in terms of another predicate RECENTd.RECENTd expresses the fact that datum 'd' has been recently written.
Four variants of the latter predicate are given, each differing in the way it compares the starts and ends of reads and writes.These variants are presented in Figure 7 (conjoining comparisons 1,2 and 3 of Figure 4), Figure 8 (comparison 1 of Figure 4), Figure 9 (comparisons 1-5 of Figure 4), and Figure 10 (comparisons 1-4 of Figure 4).
Each version of RECENTd is in terms of a predicate WRCX; d; s ('write-read comparison'; see Figure 6) that gives the part of the write the read is compared against.The first part of the disjunction in WRCX; d; s allows the default value d 0 to be read if there has been at most one write.The second disjunct allows for the case when only one write has occurred in the trace.The third disjunct permits the second most fresh data to be returned.
Data that is not fresh (i.e. the 'freshest' or 'previous freshest') is called stale.

Four-slot Model
We now discuss Simpson's mechanism, which is presented in Figure 11 in its original pseudo-code form, with minor typographic changes.'data[,]' holds the actual data.'slot[]' and 'latest' are only written by procedure write, and reading is only written by procedure read.
Figure 12 is a block diagram of the mechanism.The mechanism consists of the data slots and control bits mentioned above, and a protocol.The protocol is represented by the processes WRITER and READER.
A process writes by sending the data to the WRITER component of the mechanism.This communicates with the READER component (and hence the reading process) via four data slots (data::), and four control bits (comprising: reading, latest, and two slot bits).These components correspond to the variables and algorithms in Simpson's pseudocode.
We now define each component in turn, and describe the assumptions underlying our model.

Data slots
As for external reads and writes, interactions with the data slots are modelled as two events, one denoting the start of the interaction, and one denoting the end of the interaction.
We define a process DS to model the internal data slots.The event sw denotes the start of a write, and ew:d denotes that the write has ended, and that the value d 2 D has been written.Similarly, sr and er:d denote the start and end of a read of value d.Note that this definition allows multiple readers and multiple writers.However, a collision (two processes carrying out overlapping operations) between two writers, or between a reader and a writer will result in the COLLISION process.This is pessimistic; there is no recovery from error.If the protocol works with these slots, then it will work with real slots.This discharges our requirements for modelling coherence.

BCS-FACS Northern
Figure 13 describes the process DS, where d 0 is the initial value held by the DS.Control bits We define a process BIT in Figure 14.These interactions are considered to be atomic, so we model them as single events.
We define the mechanism comprising the data slots and control bits in Figure 15.
Writer This process engages in the two external events: sw:d and ew.See Figure 16.B is defined as f0; 1g, and b denotes 1 b for b 2 B. Reader Similarly, the reader can engage in the external events sr and er:d (Figure 17).Mechanism We define the overall mechanism, FOURSLOT, in Figure 18.The only events visible outside the mechanism are sr, er:d; d 2 D, sw:d; d 2 D and ew.
Simpson has described a wide range of variants; some return pointers to the data slots ('data-visibility mechanisms').Others have only 'read pre-sequences' and write 'post-sequences' [4,5].
What we would like to test is the claim that FOURSLOT satisfies each of ASYNCH, ALTERNATE, and each variety of FRESH .

Analysis of the Four-slot Model 4.1 A Model Checker
Hand analysis of a mechanism even as small as FOURSLOT is tedious.We performed an analysis using several tools, as described below.24: FDR process for checking start write-start read freshness When using FDR, we devised processes for each of the four variants of freshness.The process for the start writestart read variant, FDRFSWSR, is defined in Figure 24.(We omit the processes for the remaining three variants for reasons of brevity.)

BCS-FACS
We discovered the same result as above in all four cases.

Conclusions
Simpson's four-slot mechanism satisfies the given requirements for asynchrony and coherence, but does not satisfy freshness, as given here.This result was determined by a model checking program written specifically for this investigation, and confirmed with FDR.Simplistic attempts to adjust the freshness predicate fail: for example, we may allow the reader to return any of the three most recent reads.The trace in Figure 23 can easily be extended to demonstrate a lack of this more lax freshness.Note that these failed traces generally rely on a relatively long sequence from the writer or reader uninterrupted by the other process.In many circumstances, this is unrealistic.(However, Simpson did claim that there should be no timing constraints.) This leads us to consider exactly what property we are trying to describe when discussing 'freshness'.Exactly when is data fresh?Do we need to consider the start and end of writes and reads in some relatively complicated expression?Is it particularly important in all circumstances -perhaps reading a value that has at some time in the past been written is acceptable.Freshness may be something more vague; data may more usefully become 'fresher' as the write progresses.
Alternatively, we could consider that the black box model of the mechanism is flawed.The stale traces presented generally rely on interleaving, say, internal reader events between the last writer internal event and its (black box) external event.A formulation where the external events are 'fixed' to the first and last internal events respectively may give more realistic results.
However, this then defeats the objective of determining abstract properties about the mechanism as a whole.Ideally, we would like to use the mechanism without having to reason about its internal structure.(Preliminary investigation of this 'fixing' suggests that stale traces can still be found unless most of the events are fixed to each other.) The addition of timing to the model would broaden the range of plausible behaviours.(An extensive body of work exists on Timed CSP [1].)We may insist that any read that starts t time units after a write has ended must return the value of that write, or a subsequent write.However, the addition of timing to the model may render automated checking difficult.

Figure 4 :
Figure 4: What is a fresh read?

Figure 5 :
Figure 5: Definition of FRESH

Figure 11 :
Figure 11: The four-slot mechanism in pseudo-code form

Figure 12 :
Figure 12: Block diagram of the four-slot model