Oduction to the Theory of Nested Transactions

A new formal model is presented for studying concurrency and resiliency properties for nested transactions. The model is used to state and prove correctness of a well-known locking algorithm. This paper develops the foundation for a general theory of nested transactions. We present a simple formal model for studying concurrency and resiliency in a nested environment. This model has distinct advantages over the many alternatives, the greatest of which is the unification of a subject replete with formalisms, correctness conditions and proof techniques. The authors are presently engaged in an ambitious project to recast the substantial amount of work in nested transactions within this single intuitive framework. These pages contain the preliminary results of that project-a description of the model, and its use in stating and proving correctness conditions for two variations of a well-known algorithm of Moss [22]. The model is based on I/ 0 automata, a simple formalization of communicating automata. It is not complex-it is easily presented in a few pages, and easy to understand, given a minimal background in automata theory. Each nested transaction and data object is modelled by a separate I/O automaton. These automata, the system primitives, issue requests to and receive replies from some scheduler, which is simply another I/O automaton. Simphe syntactic constraints on the interactions of these automata ensure, for example, that no transaction requests the creation of the same child more than once. One scheduler, in this case the “serial scheduler”, interacts with the transactions and objects in a particularly constrained way. The * The work of this author was supported by the National Science Foundation under Grants DCR-8% 02391 and CCR-8611442, by the Defense Advanced Research Projects Agency (DARPA) under Contract N00014-83-K-0125, by the Office of Naval Research under Contract N00014-85-K-0168, by the Ofice of Army Research under Contract DAAG29-84-K-0058. and by AT&T Be!1 Laboratories, Murray Hilt, NJ 07974. 0304-3975/88/$3.50 @ 1988, Elsevier Science Publishers B.V. (North-Holland) 124 N. Lynch, M. Me,=ritt “serial schedules” of the primitives and the serial scheduler are the basis of our correctness conditions. Specifically, alternative schedulers a* 2 required to ensure that nested transaction automata individually have local schedules which they could have in a serial schedule. In essence, each scheduler must “fool” the transactions into believing that the system is executing in conjunction with the serial scheduler. In the past ten years, an important and substantial body of work has appeared on the design and analysis of algorithms for implementing concurrency control and resiliency in database transaction systems [5,6,10,14,15,25, etc.]. Among this has been a number of results dealing with nested transactions [2, 3, 4, 16, 18, 22, 23, 24, etc.]. The present work does not replace these other contributions, but augments them by providing a unifying and mathematically tractable framework for posi,ig and exploring a variety of questions. This previous work uses behavioral specifications of nested transactions, focusing on what nested transactions do, rather than what they are. By answering the question “What is a nested transaction?‘, I/Q automata provide a powerful tool for understanding and reasoning about them. Some unification is vitally important to further development in this field. The plethora and complexity of existing formalizations is a challenge to the most seasoned researcher. More critically, it belies the argument that nested transactions provide a clean and intuitive tool for organizing distributed databases and more general distributed applications. It is particularly important to provide an intuitive and precise description of nested transactions themselves as, in typical systems, these are the components which the application programmer must implement! The remainder of this paper is organized as follows. The I/O automaton model is described in Section 2. The rest of the paper contains an extended example, which establishes correctness properties for two related lock-based concurrent schedulers. Section 3 contains simple definitions for naming nested transactions and objects, and for specifying the operations (interactions) of these components. Simple syntactic restrictions on the orders of these operations are presented, and then a particular system of I/O automata is presented, describing the interactions of nested transactions and objects with a serial scheduler. The interface between the serial scheduler and the transactions provides a basis for the specification of correctness conditions for alternative schedulers. These schedulers would presumably be more efficient than the serial scheduler. The strongest correctness condition, “serial correctness,” requires that all non-access transactions see serial behavior at their interface with the system. The second condition, “correctness for T,,” only requires that this serial interface be maintained at the interface of the system and the external world. These interfaces also provide simple descriptions of the environment in which nested transactions can be assumed to execute. A particular contribution is the clear and concise semantics of ABORT operations which arises naturally from this formalization. The section closes with a collection of lemmas describing useful properties of serial systems. Next, a lock-based concurrent system is presented. Section 4 contains a description of a special type of object, called a “resilient object,” which is used in the concurrent Introduction to the theory of nested transactions 125 system. Section 5 describes the remainder of the concurrent system, the “concurrent scheduler.” This concurrent scheduler includes “lock manag+ modules for all the objects; lock managers coorainate concurrent accesses. Section 6 defines a system which is closely related to the concurrent system, the “weak concurrent system.” This system preserves serial correctness for those transactions whose ancestors do not abort (i.e., those that are not “orphans”). Since the root of the transaction tree, T,, has no ancestor, weak concurrent systems are correct for To. Section 7 contains complete proofs of correctness of the concurrent and weak concurrent systems; concurrent systems are serially correct, and weak concurrent systems are correct for To. The stronger conditio? is obtained for zoncurrent systems as a corollary to a result about weak concurrent systems. It is interesting that the concurrent system algorithms are described in complete detail (essentially, in “pseudocode”), yet significant formal claims about their behavior can be stated clearly and easily. Although the full presentation involves a large number of lemmas, the ideas described by the lemmas are quite simple and intuitive. ‘Ne think it is remarkable that these interesting properties of concurrent systems can be proved with complete rigor, in full detail, in so short a development. Despite the detailed level of presentation, the underlying model is general enough that the results apply to a wide range of implementations. The style of the correctness proof is also noteworthy. It is a constructive proof, in that for each execution of the weak concurrent system and each non-orphan transaction, an execution of the serial system is explicitly constructed. The transaction’s local “view” in the constructed execution is identical to that in the original weak concurrent execution, establishing the correctness of the weak concurrent system. One may think of the weak concurrent system as maintaining consistent, parallel “world views” within which concurrent siblings execute. As siblings return to their parent, these parallel worlds are “merged” to form a single consistent view. The locking policy prevents collisions between different views at the shared data. This intuition is strongly supported and clarified by the correctness proof, which constructs the parallel views as diff erznt serial schedules consistent with each sibling’? local history. Lemmas illustrate how these serial schedules can be merged as siblings return or abort to their parent. Section 8 contains a discussion of the relationship of this work to previous results, ;and Section 9 contains sn indication of the work that lies ahead.