IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 41, NO. 9, SEPTEMBER 1996
Design of Transaction Management Protocols

P. Kozák and W. M. Wonham

Abstract: The paper shows how transaction management protocols can be designed using discrete-event system control theory. It outlines designs for some well-known protocols: serialization graph testing, two-phase locking, and timestamp ordering. These protocols can be obtained as solutions (centralized, fully decentralized, or maximal decentralized) of standard control problems. The results serve to unify the problems considered and suggest the possibility of computer-aided design.
I. INTRODUCTION

A transaction (database) system has three main components: a set of data items, transactions (users) acting on these data items, and a manager controlling access of the transactions to the data. The manager's function includes maintaining data consistency, maximizing throughput, minimizing waiting time, and failure recovery. Transaction systems are discrete-event systems (DES) [1], so the tools of DES control theory [2]-[5] can be applied [1]. This paper discusses the specialized task of concurrency control [6], [7] dealing with data consistency and shows how the managers can be designed as DES controllers. Section II formulates the problem. Section III presents a centralized solution known as the serialization graph testing protocol. On imposing additional requirements (e.g., decentralization), different solutions can be obtained (Section IV). The locking and timestamp ordering protocols can be found as fully decentralized solutions [5] of a supervisory control problem. Optimistic protocols are discussed in Section V. Section VI draws conclusions.

The problem is formulated within the supervisory control framework of the DES [2], [4] and with reference to the database background in [6], [7], and [1]. For the first time in [1], the concurrency problem was formulated within the dynamic system control framework. The main differences between [1] and the present paper are: the dynamic mode of information is modeled directly by the transaction model,¹ different sets of controllable events are examined, and some protocols are obtained as decentralized controllers in contrast with the centralized controller of [1]. Limited lookahead policies [3] are also considered.

Manuscript received August 27, 1993; revised October 7, 1994. This work was supported in part by Bell Canada under Contract 3-254-188-10 (University of Toronto).
P. Kozák is with the Czech Academy of Sciences, Institute of Information Theory and Automation, 182 08 Prague 8, Czech Republic (e-mail: [email protected]).
W. M. Wonham is with the Systems Control Group, Department of Electrical Engineering, University of Toronto, Toronto, Ontario, M5S 1A4 Canada.
Publisher Item Identifier S 0018-9286(96)06771-2.

II. PROBLEM FORMULATION
Consider a set of data items $D$ and a set of transactions $\mathcal{T}$. A transaction $t \in \mathcal{T}$ can execute the following operations: $R_{td}$ (read data item $d \in D$), $W_{td}$ (write into data item $d \in D$), $C_t$ (commit: the transaction has successfully terminated and all changes of data items by the transaction are made permanent), and $A_t$ (abort: the transaction has terminated, but all changes it made in data items are now considered incorrect and are canceled; the transaction can restart again). For each $t \in \mathcal{T}$ let $\Sigma_t = \{C_t, A_t\} \cup \{R_{td} \mid d \in D\} \cup \{W_{td} \mid d \in D\}$. The transaction $t$ is modeled as the language $L_t = (\Sigma_t \setminus \{C_t\})^* C_t$, where $\setminus$ denotes set difference and $(\Sigma_t \setminus \{C_t\})^*$ the set of finite sequences over $\Sigma_t \setminus \{C_t\}$. The model reflects the fact² that the manager must expect any sequence of operations ending with $C_t$. Let $\Sigma = \bigcup_{t \in \mathcal{T}} \Sigma_t$. The transaction system is the language $L \subseteq \Sigma^*$, defined as the shuffle product of the $L_t$ ($t \in \mathcal{T}$). The strings of $L$ are called schedules. A serial schedule is a schedule without the interleaving of operations of distinct transactions. The main assumption is that each transaction maintains data consistency if it acts alone and if the last executed operation of this transaction is "commit."

The consistency criterion for schedules [6], [7] is formulated using the concept of a serialization graph. Say that two operations of a schedule form a conflicting pair if they are executed by distinct transactions which are committed in the schedule, they act on the same data item, and at least one of these operations is "write." The serialization graph (SG) of a schedule is a labeled directed graph which has the names of committed transactions as nodes and whose edges are defined by the conflicting pairs of the schedule and labeled by the corresponding data items. For each conflicting pair there is a directed edge between transaction names, starting at whichever transaction of the pair occurred earlier. A schedule is serializable³ if there are no cycles in its SG. For consistency it is additionally required: "The results of any committed

¹ The performance analysis of different managers of both static and dynamic mode of information presented in [1] uses the static-mode-information transaction model.
² This is referred to as the dynamic mode of information. For the static mode of information, $L_t$ is a singleton.
³ This property is also sometimes called "conflict serializable."

0018-9286/96$05.00 © 1996 IEEE
transaction cannot be undone." A schedule is strict if no transaction reads or writes a data item until all transactions that have previously written into this data item are either committed or aborted. The concurrency control problem [6] is to find a transaction manager which allows only schedules satisfying the following two conditions:

1) serializable and strict ("safety" properties);
2) each transaction will eventually be committed, i.e., not blocked forever ("progress" properties).

The manager can disable (postpone) or enable the execution of operations. However, we assume that aborts cannot be disabled, i.e., a transaction can decide to abort by itself. It is not considered that the manager can force a transaction to abort. While forcing of aborts is usual in transaction systems [6], this capability does not give the manager any advantage in our control problem, where only logical consistency is required. However, it influences the performance of the resulting system, because the manager can abort transactions as soon as it is necessary. The decision as to which transaction must be aborted in case of deadlock is left to an external agent; a natural solution is that each transaction waits to enable its operation only a limited time and then aborts by itself. This timeout strategy for deadlock avoidance is described in [6, p. 56]. Alternative deadlock handling strategies can be built into the plant model or into the control problem specifications.

The concurrency control problem can be formulated as the supervisory control problem (SCP) [2], [1] as follows. Let $\Sigma_c = \Sigma \setminus \{A_t \mid t \in \mathcal{T}\}$ be the set of controllable events and

$L_c = \{s \in L \mid \text{all transactions are committed in } s\}$,
$L_{ser} = \{s \in L \mid s \text{ is serializable}\}$,
$L_{strict} = \{s \in L \mid s \text{ is strict}\}$.

Find a controller $S$ for the plant $G = (\Sigma, L, \Sigma_c)$ such that the closed-loop language $L(S/G)$ satisfies the following two conditions:

$L(S/G) \subseteq L_{ser} \cap L_{strict}$,
$\mathrm{pref}(L(S/G) \cap L_c) = L(S/G)$.

The second condition is automatically satisfied for our specific problem because it is possible at any moment that all uncommitted transactions abort and then execute a serial schedule. The languages $L_{ser}$ and $L_{strict}$ are nonconflicting [1] and controllable; therefore, a modular controller can be designed, i.e., subcontrollers for the specifications $L(S/G) \subseteq L_{ser}$ and $L(S/G) \subseteq L_{strict}$. The plant possesses a relatively simple structure, being the shuffle product of very small automata. Therefore, the structure of the specification languages gives more information about the ways the problem can be solved. A recognizer for $L_{strict}$ can have the structure shown in Fig. 1, where for each data item $d \in D$

$\Sigma_d = \bigcup_{t \in \mathcal{T}} \{A_t, C_t, R_{td}, W_{td}\}$.

Fig. 1. Structure of recognizer for $L_{strict}$ (figure: the transactions' events are projected onto $\Sigma_d$ for each data item $d$ and fed to one subrecognizer per data item; the subrecognizer outputs, each in {YES, NO}, are combined by a logical AND).

Each subrecognizer reports, on its output, "NO" if the schedule on its input violates the strictness condition and "YES" otherwise. The global output is defined as the logical AND of the subrecognizer outputs. Fig. 2 represents the recognizer for $L_{ser}$. The committed edge recognizers report on the edges of the SG. The cycle recognizer reports "YES" if the schedule is serializable (i.e., no cycle) and "NO" otherwise. The edge recognizers report on the edges of the stored SG (SSG) [6], which is defined similarly to the SG but considers conflicting pairs defined not only using committed transactions but also transactions which have already executed a write or read operation and are not aborted.

Figs. 1 and 2 also suggest what events should be controllable. A subrecognizer of Fig. 1 outputs YES only if it has observed a strict schedule. This outcome can be influenced only by control of the events in $\Sigma_d$. Detailed checking confirms that the labels $R_{td}$ and $W_{td}$ for all $d \in D$ and $t \in \mathcal{T}$ must be controllable to ensure strictness. Serializability requires that the edges reported by the committed edge recognizers (Fig. 2) be organized in a specific way. Any edge of the SG can be prohibited by a controller such that either at least one of the corresponding transactions is disabled from committing, or the reads and writes related to the given data item are controlled so that the corresponding edge recognizer does not report this edge. There are many possible sets of controllable events ensuring serializability. One possibility is controllability of all reads and writes; another is controllability of all commits. Other possible sets of controllable events can be obtained as supersets of the sets above.

III. CENTRALIZED SOLUTION: SERIALIZATION GRAPH TESTING PROTOCOL

Consider now the set of controllable events

$\Sigma_c = \bigcup_{t \in \mathcal{T},\, d \in D} \{R_{td}, W_{td}\}$.

This restriction on the control mechanism implies that the only way cycles in the SG can be prevented is by preventing cycles in the SSG. At the moment when there is a cycle in the SSG, the controller cannot disable the transactions from committing and transforming the cycle into a cycle of the SG itself. With automata for the plant and specifications given, the supremal controller can be designed using the results of [2]. It can be checked that this controller allows the same set of schedules as the SG testing protocol [6]. This protocol disables a read or write operation only if it would introduce a cycle in the SSG or it would violate strictness. If the serializability specification is strengthened to "no cycles in the SSG," then a limited lookahead implementation considering only one future operation for each transaction and an optimistic policy [3] is equivalent to the controller above.

IV. DECENTRALIZED SOLUTIONS

A decomposition of the event label set of $G$ is an ordered triple $\mathcal{D} = (I, \{\Sigma_{o,i}\}_{i \in I}, \{\Sigma_{c,i}\}_{i \in I})$, where $I$ is an index set and $\{\Sigma_{o,i}\}_{i \in I}$ and $\{\Sigma_{c,i}\}_{i \in I}$ are families of sets such that $\Sigma_c = \bigcup_{i \in I} \Sigma_{c,i}$ and, for all $i \in I$, $\Sigma_{o,i} \subseteq \Sigma$. Given a decomposition $\mathcal{D} = (I, \{\Sigma_{o,i}\}_{i \in I}, \{\Sigma_{c,i}\}_{i \in I})$, for all $i \in I$ the (natural) projection [4]
Fig. 2. Structure of recognizer for $L_{ser}$ (figure: the transactions' events are projected to edge recognizers; their sets of committed edges and sets of committed transactions feed a cycle recognizer).

$P_i : \Sigma^* \to \Sigma_{o,i}^*$ is defined inductively in the usual way (events outside $\Sigma_{o,i}$ are erased), with $P_i(\epsilon) = \epsilon$, where $\epsilon$ is the empty sequence (word). The projection is extended to languages $K \subseteq \Sigma^*$ according to $P_i(K) = \{P_i(u) \mid u \in K\}$. A decentralized controller [4] w.r.t. a decomposition $\mathcal{D} = (I, \{\Sigma_{o,i}\}_{i \in I}, \{\Sigma_{c,i}\}_{i \in I})$ is of the form $S_d = (G, \mathcal{D}, \{\psi_i\}_{i \in I})$, where for each $i \in I$, $\psi_i : P_i(L) \to \mathcal{P}(\Sigma_{c,i})$; $\mathcal{P}(\Sigma_{c,i})$ is the power set of $\Sigma_{c,i}$. The decentralized controller $S_d$ consists of subcontrollers $S_i$ ($i \in I$). Each subcontroller $S_i$ observes only events having labels in $\Sigma_{o,i}$ and controls only events with labels in $\Sigma_{c,i}$. For all $i \in I$ and $u \in P_i(L)$ the value $\psi_i(u)$ represents the events disabled by the subcontroller $S_i$ after observation of $u$.

A fully decentralized controller [5] for the given control problem is a decentralized controller $S_d = (G, \mathcal{D}, \{\gamma_i\}_{i \in I})$, where for each $i \in I$ the feedback mapping $\gamma_i : P_i(L) \to \mathcal{P}(\Sigma_{c,i})$ is defined

$\gamma_i(u) = \Sigma_{c,i} \cap \bigcup_{w \in L,\; P_i(w) = u} \gamma(w)$ for all $u \in P_i(L)$,

where $\gamma(w)$ is the control action of the minimally restrictive centralized controller $S = (G, \gamma)$.

A. Locking Protocol

Consider the decomposition $\mathcal{D} = (I, \{\Sigma_{o,i}\}_{i \in I}, \{\Sigma_{c,i}\}_{i \in I})$, where $I = D$ and for each data item $d \in D$ there is one subcontroller with

$\Sigma_{c,d} = \bigcup_{t \in \mathcal{T}} \{R_{td}, W_{td}\}$, $\Sigma_{o,d} = \bigcup_{t \in \mathcal{T}} \{A_t, C_t, R_{td}, W_{td}\}$.

It is known [4], [5] that there exists no supremal (infimal) decentralized solution of the SCP in general. In the present case, there is no supremal solution,⁴ and the infimal solution is the trivial solution (i.e., all controllable events are permanently disabled). Also, the fully decentralized solution [5] equals the infimal one, i.e., no standard solution presented so far in the control literature is suitable. However, design of the protocol can proceed by formulation of new specifications which are subsets of the old ones.

For the given decomposition, strictness causes no problem. Serializability (i.e., avoiding cycles) can be replaced by a restriction on the orientation of edges in the SG. Denote by $\mathcal{T} \times \mathcal{T} \times D$ the set of all possible edges, where the first element is the transaction executing its operation earlier, for the given conflicting pair, and the third element gives the data item of the conflicting pair causing the edge. Define

$L_{lock} = \{s \in L \mid s \text{ satisfies LC}\}$,

LC: For all edges $(t, t', d) \in \mathcal{T} \times \mathcal{T} \times D$ of $s$, the transaction $t$ commits earlier than $t'$.

The ordering of edges in $L_{lock}$ is given by the "age" of transactions. Fig. 3 displays a recognizer for $L_{lock}$. Each local recognizer tests the edges of the SG related to one data item. It reports "YES" if no edge of the SG fails to satisfy the condition LC and "NO" otherwise. Fig. 4 displays an automaton recognizing schedules satisfying LC (for only two transaction names, 1 and 2) but related to only one data item, i.e., corresponding to the local recognizer. It reports "YES" unless the state "BAD" is reached. For simplicity, a simplified labeling is used with the superscripts denoting the data item omitted.

The new SCP has the first condition replaced by $L(S/G) \subseteq L_{lock} \cap L_{strict}$; otherwise it is the same as in Section II. Again the supremal centralized controller can be designed. The controller disables an operation if it would violate strictness or introduce an edge $(t, t', d)$ of the SSG such that $t$ is not committed. $L_{lock}$ is defined using the SG. The SSG comes in during the synthesis process due

⁴ The strict two-phase locking and timestamp ordering protocols allow sets of schedules which are not comparable using set inclusion. Their union is not a solution.
to the uncontrollability of commits. The resulting controller action is such that no edge recognizer ever reports an edge, because each edge of the SSG can be converted uncontrollably into an edge of the SG. It can be shown that for this problem the fully decentralized solution exists and has behavior equal to the supremal centralized solution. The structure of $L_{lock}$ (Figs. 3 and 4) admits decomposition of the first condition of the SCP into a set of conditions, one for each data item $d \in D$:

$P_d(L(S/G)) \subseteq L_{lock,d} \cap L_{strict}$.

$L_{lock,d}$ is the language recognized by the automaton of Fig. 4. For each of these conditions, a separate subcontroller can be designed. Reaching state "BAD" must be prevented. As commits are uncontrollable, states "12" and "21" cannot be reached either. Consequently, "W2" and "R2" must be disabled at state "E," "W2" at states "B" and "C," "W1" and "R1" at "F," and "W1" at "C" and "D." The controllers above allow the same set of schedules as the strict two-phase locking protocol⁵ [6] except that the lock and unlock operations are not implemented explicitly. The "locks" are not imposed by the transactions themselves but by the manager after the first successful read or write of a transaction. Also, the locks are not released by the transactions but again by the manager when a transaction aborts or commits. This replaces the well-known two-phase condition.

Fig. 3. Structure of recognizer for $L_{lock}$ (figure: the transactions' events are projected, per data item, to local recognizers whose sets of edges, together with the sets of committed transactions, yield outputs in {YES, NO} that are combined by a logical AND).
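The serialization graph testing controller of Section III and the per-data-item locking controller of Section IV.A, as one added Python example that is not part of the paper: both are realised as a manager over an incrementally maintained SSG, differing only in which new edge they refuse (one that would close a cycle versus one whose earlier transaction is not yet committed), with strictness checked in both cases. Operations are constructed tuples (kind, transaction, data item); treating a transaction's own uncommitted write as non-blocking for its later operations on the same item is an assumption.

```python
from collections import defaultdict

class Manager:
    def __init__(self, policy):
        assert policy in ("sgt", "lock")  # Section III and Section IV.A controllers
        self.policy = policy
        self.state = {}                   # t -> "active" | "committed" | "aborted"
        self.readers = defaultdict(set)   # d -> non-aborted transactions that read d
        self.writers = defaultdict(set)   # d -> non-aborted transactions that wrote d
        self.succ = defaultdict(set)      # SSG edges: earlier transaction -> later ones

    def _earlier(self, kind, t, d):
        """Non-aborted transactions whose earlier op on d conflicts with (kind, t, d)."""
        return (self.writers[d] | (self.readers[d] if kind == "W" else set())) - {t}

    def _reaches(self, src, dst):  # depth-first search along SSG edges: path src -> dst?
        stack, seen = [src], set()
        while stack:
            t = stack.pop()
            if t == dst:
                return True
            if t not in seen:
                seen.add(t)
                stack.extend(self.succ[t])
        return False

    def enabled(self, kind, t, d):
        """Controller decision for a read or write; commits and aborts are never disabled."""
        # Strictness: no uncommitted, unaborted writer of d other than t itself (assumption).
        if any(self.state[w] == "active" for w in self.writers[d] if w != t):
            return False
        earlier = self._earlier(kind, t, d)
        if self.policy == "lock":  # IV.A: a new SSG edge may only start at a committed transaction
            return all(self.state[e] == "committed" for e in earlier)
        # III: a new edge e -> t would close an SSG cycle iff t already reaches e
        return not any(self._reaches(t, e) for e in earlier)

    def step(self, kind, t, d=None):
        """Execute one operation (kind, t, d); True if executed, False if postponed."""
        if self.state.get(t) in (None, "aborted"):  # new or restarted transaction
            self.state[t] = "active"
        if kind in ("C", "A"):
            self.state[t] = "committed" if kind == "C" else "aborted"
            if kind == "A":  # an aborted transaction and its edges leave the SSG
                for members in (*self.readers.values(), *self.writers.values(), *self.succ.values()):
                    members.discard(t)
                self.succ.pop(t, None)
            return True
        if not self.enabled(kind, t, d):
            return False
        for e in self._earlier(kind, t, d):
            self.succ[e].add(t)  # edge from the earlier operation's transaction to t
        (self.readers if kind == "R" else self.writers)[d].add(t)
        return True

def run(policy, schedule):  # feed a constructed schedule; return the operations executed
    m = Manager(policy)
    return [op for op in schedule if m.step(*op)]
```

With transactions 1 and 2 and item x, the schedule R1x W2x C2 C1 is executed in full by the "sgt" policy, while the "lock" policy refuses W2x as long as transaction 1 is uncommitted, which is the manager-imposed lock described above.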