Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, 1994.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....to Lynch and Vaandrager [LV95, LV96, Lyn96, GSSL93, RV96, LSVW96] The method has already 1. 1 Motivation 3 been successfully applied to the verification of several non trivial case studies, ranging from communication protocols [SLL93] and automated transit systems [DL97] to database applications [LMWF94] Apart from I O automata several further automaton models have been proposed [Har87, HN96, Kur94, Bro97, Kle98, Rum97] I O automata distinguish themselves from them by offering a compositional, but nevertheless remarkably simple semantics. Most closely related to I O automata are probably the ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, 1994.

.... tolerance, aside from work based on fail stop failure models, that may not always be appropriate in global computing [10] An example of a local computing language that provided support for fault tolerance is the Argus language [35] Fault tolerance was based on guardians and nested transactions [38, 36]. Similar support for transactions was provided by languages such as Avalan C and Venari ML [19, 29] and is an integral part of various well known distributed computing platforms, including CORBA OTS, COM MTS, and Java Jini and JavaBeans [50, 13, 3] There are two aspects of transactions, as ....

....calculus. Second, conclaves cannot be nested within each other; we do not pursue this complication of the calculus because it is not clear what the motivation for such an extension would be. A desire for such nesting might be motivated by a desire for something analogous to nested transactions [38, 36]. However nested transactions are sufficiently complicated in a global computing environment that we prefer to build them up from simpler notions, as alluded to in Sect. 9. Some operations require examining all of the log entries for a conclave, for example to ensure the absence of a particular ....

[Article contains additional citation context not shown here]

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan-Kaufman, 1994.

....same time, the framework should be simple enough to use as a basis for distributed algorithm analysis. Static mathematical models like I O automata [7] could be used for this purpose, with the addition of some extra structure (special Boolean ags) for modeling dynamic aspects. For example, in [8], dynamically created transactions were modeled as if they existed all along, but were awakened upon execution of special create actions. However, dynamic behavior has by now become so prevalent that it deserves to be modeled directly. The main challenge is to identify a small, simple set of ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, 1994.

....the need arises. 2 Related Work Most transaction oriented models enforce a very low level, syntactic notion of consistency, namely serializability with respect to read write conflicts [3] Two separate lines of work have expanded on this notion. The first line is the work on atomic transactions [8, 9, 13, 14, 20, 21]. This line of work is based on ADTs. We also adopt the theory of ADTs to define correctness, but there is a crucial difference in focus. We are interested in achieving more concurrency by expanding the set of correct execution histories such that some transactions need not be atomic. The second ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, San Mateo, CA, 1994.

.... library provides undoability and persistence as orthogonal features, however they do not give a semantics for these features (while acknowledging that there is interaction between the features) The transaction model adopted in distributed programming languages is that of nested transactions [34, 37]. This is motivated by considerations of nested remote procedure calls in client server systems. For example, as depicted in Fig. 5, a request from Client A to Server B gives rise to further requests from Server B to Servers C and D. To make transactions scalable in a distributed environment where ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan-Kaufman, 1994.

....We also have uncertain message delivery times, and unknown message ordering with possible failures. For a distributed algorithm we do not try to understand everything about its behavior, but we try to understand certain selected properties of its behavior. 2. I O automaton model I O automaton [2, 3] is a mathematical model for the description of concurrent asynchronous systems. It facilitates a precise description of the interaction among components, and it is used to reason about the system behavior. I O automata can be composed into more complex automata representing concurrent systems. ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, 1994.

....decisive 3 to guaranteeing satisfaction of a targeted property. For example, trusted parties are entrusted with generating fresh keys in authentication protocols to guarantee authentication [71, 74, 81] In some payment protocols [84] they are entrusted with implementing transaction processing [66] to achieve fairness. This notion of trust is a refinement of the definition of trust adopted by the US Department of Defense in the context of secure systems, which states that a trusted component is one which, if it breaks, can compromise system security [1] It is a refinement because it ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, San Mateo, CA, 1994.

....lost and money atomicity fails. Note, however, that the only party to suffer was the party that failed; there is no loss to the consumer nor the bank. Our failure model for agents, other than banks, will be based upon the notion of commitment points, as used in standard database transactions [7, 16, 8]. We assume that each agent (other than the bank) has a particular point in the protocol at which that agent commits. Before this point is reached, we allow an agent to abort the protocol freely. After the commitment point, we consider only failures in an agent if the failure can potentially ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, San Mateo, CA, 1994.

....with an associated workspace history. Transaction management support encompasses the private workspaces as well as a common workspace. The model makes use of three semantics based transaction management ideas: backward commutativity [Wei88] compensation [KLS90] and forward commutativity [Wei88, LMWF94] Each of these places requirements on the semantics of the operations of the database schema. Backward commutativity (failure to backward commute) is used to identify operations that depend on each other, for the calculation of consistent units of work (closed subhistories) it concerns ....

Nancy Lynch, Michael Merrit, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, 1994.

....model [RKT 95, WK96, KTWK97] Conceptually, users work in their own private workspaces, each with an associated workspace history. The model makes use of three semantics based transaction management ideas: backward commutativity [Wei88] compensation [KLS90] and forward commutativity [Wei88, LMWF94] Each of these places requirements on the semantics of the operations of the database schema. Backward commutativity (more precisely, failure to backward commute) is used in the CoAct model to identify operations that depend on each other, for the calculation of consistent units of work; it ....

Nancy Lynch, Michael Merrit, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, 1994.

....general purpose theorem provers because model checking [4] already provides a successful automatic approach to the verification of finite state systems. IOA were chosen as the vehicle for our study because they have become popular for specifying and verifying distributed algorithms both on paper [8, 2] and with machine assistance [10, 6, 13, 7] The unique aspect of our work is the fact that we have formalized and verified the meta theory of IOA on top of which we carried out our case study. Thus IOA are objects in the logic, just like natural numbers or lists, which can be manipulated by ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, 1994.

....key idea of the specification method is the distinction of different kinds of partial orders (causalities) in the execution model, which allows an explicit representation of data flow. There are other approaches to specify and characterize the relation between different transaction protocols (e.g. [LMWF94, CR90]) Our approach is similar to ACTA [CR90] However our approach differs from ACTA in two aspects: 1. ACTA does not distinguish different kinds of causalities. Especially, our newly introduced notion of data causality is left implicit in ACTA. Therefore, ACTA cannot formalize the interplay of ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. The Morgan Kaufmann Series in Data Management Systems. Morgan Kaufmann Publishers, 1994.

....avoiding the cost of rollback. The work on the reordering of executions based on commutativity can be traced to Lipton[12] or even to Church and Rosser[5] There have been several extensions and variations by Lamport and Schneider [11] Weihl [21] Steele [20] and Misra [17] See Lynch et al. [14] for a thorough study of the two most important notions of commutativity, forward and backward commutativity. The compatibilty definition used in this paper seems similar to backward commutativity. However, compatibility introduces asymmetry between guarded and unguarded procedures, and ....

....notions of commutativity, forward and backward commutativity. The compatibilty definition used in this paper seems similar to backward commutativity. However, compatibility introduces asymmetry between guarded and unguarded procedures, and commutativity is a symmetric notion. Lynch et al. [14] have used i o automata as a basis for studying concurrency control in databases. Each automaton in their model resembles a box and a transaction resembles a chain of procedure invocations. Their goal, much like ours, is to ensure that interleaved executions of transactions correspond to some ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, 1994.

....Section 2, include composition, superposition, atomic shared memory, dynamic process creation, and timeconstrained automata. Finally, we have chosen the I O automaton model because it has been used successfully for describing a wide variety of nontrivial distributed algorithms (for examples, see [2, 3, 4, 11, 16, 21, 31, 47]) providing evidence that the model could be quite useful to designers of practical systems. In spite of the fact that the shared action semantics of the model is well suited for the separation of structure and function, the same features of the model that provide its expressive power also ....

....processes only if that other process is somehow logically related to the first. This logical relationship would be captured naturally in the configuration in a way that would result in the necessary seed being on the fringe. For example, in a nested transaction system, such as those described in [31], transactions are created dynamically in a tree structure that unfolds from the root; transactions create sub transactions that are their immediate children, as opposed to transactions that are several levels below them in the nesting structure. We use an example configuration for a nested ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. In progress.

....in this way, dynamic process creation not only yields efficient programs that are easier to understand, but also provides a useful mechanism for masking failures in a distributed system. This kind of nesting can be seen in systems such as ISIS [8] and Argus [25] and has been studied formally [26]. In addition to the work in programming languages supporting dynamic process creation, there has also been a great deal of interest in developing models and proof systems to support reasoning about systems with dynamic process creation. For example, CCS is a mathematical model of concurrent ....

....and constructing careful correctness proofs. However, our primary reason for choosing the I O automaton model is that it allows us to build upon previous work in the area of hierarchical proof techniques for distributed algorithms [27, 34, 13] as well as work on modeling dynamic process creation [24, 26], that has been carried out within that model. We emphasize, though, that the methodology we describe is not necessarily limited to the context of this particular model. In fact, any model that supports dynamic process creation, supports both message passing and shared memory, and is amenable to ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. In progress.

....coin is effectively lost and money atomicity fails. Note, however, that the only party to suffer was the party that failed; there is no loss to the consumer nor the bank. Our failure model for non agents will be based upon the notion of commitment points, as used in standard database transactions [6, 14, 7]. We assume that each agent (other than the bank) has a particular point in the protocol at which that agent commits. Before this point is reached, we allow an agent to abort the protocol freely. After the commitment point, we consider only failures in an agent if the failure can potentially ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, San Mateo, CA, 1994.

....of the transactional transfer. The only secure RAM contents not erased are the unique authentication and public key. This is required if the secure coprocessor is to be reused, since new code could not be loaded otherwise. Dyad uses a simplified version of the traditional two phase commit protocol [33, 53], since only two parties are involved and the write locks can be implicit. 42 The secure coprocessor transfer commit protocol requires an acknowledgement message from the target coprocessor after the source secure coprocessor (the transaction coordinator) sends the commit (or abort ) message, ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, San Mateo, CA, 1994.

No context found.

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, 1994.

....same time, the framework should be simple enough to use as a basis for distributed algorithm analysis. Static mathematical models like I O automata [7] could be used for this purpose, with the addition of some extra structure (special Boolean ags) for modeling dynamic aspects. For example, in [8], dynamically created transactions were modeled as if they existed all along, but were awakened upon execution of special create actions. However, dynamic behavior has by now become so prevalent that it deserves to be modeled directly. The main challenge is to identify a small, simple set of ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann, 1994.

....been proposed. We discuss only the two most popular ones: locking and timestamps. We refer the reader to the textbook by Bernstein, Hadzilacos, and Goodman [BHG87] for a more complete survey of concurrency control algorithms and an exposition of some of the underlying theory, and to Lynch et al. [LMWF88, LMWF90] for a general theory of concurrency control algorithms. Locking The concurrency control method used most often in commercial systems is locking. A locking algorithm requires a transaction to obtain a lock on each data item before accessing it, preventing conflicting operations on the item by ....

Nancy A. Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan-Kaufmann, 1990(?). In preparation.

....software tools, verification, theorem proving, simulation, code generation, model checking. 1 Introduction I O automata [58, 59] have been used to model and verify many distributed algorithms and distributed system designs, and also to express many impossibility results. See, for example, [50, 52, 40, 10, 13, 25, 26, 16, 71, 72]. The model has many features that make it suitable for such tasks: its fundamental concepts are mathematical (rather than linguistic) it is simple; it includes a notion of external behavior based on simple linear traces; it includes a notion of composition based on synchronized external actions; ....

....from higher level formal descriptions. Many other toolsets for manipulating distributed programs exist. In this section, we will only mention what we think is the closest work. The IOA language evolved from pseudo languages used in research papers and books on distributed algorithms (see, e.g. [50, 52]) These pseudo languages are based on named, parameterized transition definitions with preconditions and effects (that is, guarded commands) The effects code is either operational (an imperative program) or assertional (a predicate relating pre and post states) A similar precondition effect ....

[Article contains additional citation context not shown here]

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, San Mateo, CA, 1994.

....systems, I O automata, software tools, verification, model checking, simulation, code generation. 1 Introduction I O automata [26, 27] have been used to model and verify many distributed algorithms and distributed system designs. and also to express many impossibility results. See, for example, [22, 23, 2, 3, 16, 35]. The model has many features that make it suitable for such tasks: its fundamental concepts are mathematical (rather than linguistic) it is simple; it includes a notion of external behavior based on linear traces; it includes a notion of composition based on synchronized external actions; and it ....

....operational style is easiest to translate into real code. We need a language that (somehow) satisfies both sets of requirements. Design of IOA. The starting point for our design is the pseudocode used to describe I O automata. This pseudocode has evolved in two distinct forms: an axiomatic style [23] and an operational style [22] To convert this pseudocode into a real programming language, we made several key design decisions. 1) We chose to define data types axiomatically. This provides a sound semantics and facilitates translation into the input languages of theorem provers. 2) We chose ....

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, San Mateo, CA, 1994.

No context found.

Nancy Lynch, Michael Merritt, William Weihl, and Alan Fekete. Atomic Transactions. Morgan Kaufmann Publishers, San Mateo, CA, 1994.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC