

3.6.3 Proofs

Before describing the proofs, we must first define some properties of the systems in the Supersystem (i.e. the nodes of the tree) which will aid in the process of proving the lock-free property of the Universal Construction. We state that, at any time, ∀ System S ∈ Θ, either:

1. leaf(S) = true where childset(S) = ∅ (i.e. S has no child Systems);
2. parent(S) = true where ∀ System X ∈ childset(S) • leaf(X);
3. gparent(S) = true where ∀ System X ∈ childset(S) • leaf(X) ∨ parent(X);
4. ancestor(S) = true where neither leaf(X), parent(X) nor gparent(X) hold ∀ System X ∈ childset(S).

To prove that the Universal Construction is lock-free, we first need to prove that the Max process is lock-free, because this is the only process in which the progression of one process depends on another. Specifically, we must show that the Max process always completes within a finite number of operations. To demonstrate this we present five Lemmas (3.6.1 to 3.6.5) which show that the Supersystem tree always reduces to a form consisting only of leaf-nodes and parent-nodes (i.e. leaf(S) or parent(S) for every S). Lemma 3.6.6 then shows that the Max process always completes within a finite number of operations, and finally we prove that the Universal Construction is lock-free.

Lemma 3.6.1 ∀ Wkr w ∈ WkrPool, if the history stack of w contains m elements and m > 1, then element m must be a descendant system of element m − 1.

Proof 3.6.1 The first element {X, i} pushed onto any history stack is such that X equals the root system, and any further elements pushed onto the history stack are determined by first calling the DFSearch process. By definition of the DFSearch process, the search always begins with the head of the history stack; therefore any system Y that is acquired must be a descendant of the head of the history stack.

Lemma 3.6.2 If ∀ System S ∈ T • leaf (S) then every call to Max(T ) will complete in a single invocation (where T ∈ Θ).

Proof 3.6.2 In this case T contains a single system and as Max iterates for every child node, by definition of the Max process, Max(T ) will complete in a single invocation.

Lemma 3.6.3 If ∀ System S ∈ T • parent(S) then Max(T ) will complete in at most n iterations (where n = size(childset(T )) and T ∈ Θ).

Proof 3.6.3 As Max iterates for every child node, by definition of the Max process, for n child nodes Max(T ) will complete in n iterations.

Lemma 3.6.4 For any system X, if gparent(X) is true, then after a finite number of operations, parent(X) must become true.

Proof 3.6.4 If gparent(X) is true, then by definition of gparent, ∀ Y ∈ childset(X), either parent(Y) or leaf(Y) is true. Furthermore, there must be at least one worker process whose history stack contains {Y, i} as the head element. When these workers call DoCmp, it will terminate in a single invocation because, by definition of DoCmp, calling Cprs({Y, i}, m) terminates in a single invocation when parent(Y) or leaf(Y) is true. By definition of DoCmp, the history stack of these workers will be popped, and by Lemma 3.6.1, there must be one or more workers whose new head of the history stack is {X, i}.

When Cprs({X, i}, m) is called, by definition of Cprs, Max is called on a child Y for which parent(Y) holds, which will terminate in at most n steps (by Lemma 3.6.3), and the contract function will be invoked on system X. After a finite number of contract(X) invocations, parent(X) must be true.

Lemma 3.6.5 For any system X, if ancestor(X) is true then after a finite number of operations, gparent(X) must become true.

Proof 3.6.5 Let A be the set of all systems in Θ where ancestor(S) is true. There must be a subset A0 of A where each member X ∈ A0 is the direct parent of a System S such that gparent(S) is true. By Lemma 3.6.4 we have shown that for all S where gparent(S) is true, after a finite number of operations, parent(S) must become true. Therefore, after a finite number of operations, each member of A0 must become the parent of a parent system; in other words, gparent(X) must become true. Furthermore, each ancestor system which is a parent of such an X now belongs to the set A0. After a finite number of operations, A0 must contain the root system, at which point every ancestor system will have become a grand-parent system.

Lemma 3.6.6 The Max process is lock-free.

Proof 3.6.6 Lemma 3.6.5 shows that any ancestor system must become a grand-parent system after a finite number of operations, and Lemma 3.6.4 shows that grand-parent systems must become parent systems after a finite number of operations. As every System in Θ must therefore satisfy either parent(S) or leaf(S) after a finite number of operations, by Lemma 3.6.3 and Lemma 3.6.2 the Max process must terminate in a finite number of operations.
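The following is an added example, not code from the thesis: it transcribes the four predicates defined at the start of this subsection and drives a constructed Supersystem tree through the contraction argument of Lemmas 3.6.4 to 3.6.6. The tree, the `contract` step (which folds one parent child of X into a leaf per call) and the reading of `ancestor` as "not gparent" are assumptions made here to make the argument concrete; the Max, Cprs and DFSearch processes themselves are not modelled. One thing the code makes visible that the prose does not: as written, the predicates nest (a leaf is vacuously a parent, a parent is vacuously a grand-parent), so the "either/or" classification is the most specific predicate that holds, which coincides with subtree height 0, 1, 2 and ≥ 3.

```python
"""Leaf/parent/gparent/ancestor classification and the contraction argument
of Section 3.6.3, on a constructed tree (added example, not thesis code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    children: list["System"] = field(default_factory=list)


# --- the four predicates, transcribed from the definitions in 3.6.3 ----------

def leaf(s: System) -> bool:
    return not s.children                        # childset(S) = {}

def parent(s: System) -> bool:
    return all(leaf(x) for x in s.children)      # every child is a leaf

def gparent(s: System) -> bool:
    return all(leaf(x) or parent(x) for x in s.children)

def ancestor(s: System) -> bool:
    # Assumed reading: some child is none of leaf/parent/gparent, i.e. the
    # complement of gparent. This is the reading the proofs rely on, since
    # they treat the four classes as exhaustive.
    return not gparent(s)

def height(s: System) -> int:
    return 0 if leaf(s) else 1 + max(height(x) for x in s.children)

def classify(s: System) -> str:
    """Most specific predicate that holds; equals height 0 / 1 / 2 / >=3."""
    if leaf(s):
        return "leaf"
    if parent(s):
        return "parent"
    if gparent(s):
        return "gparent"
    return "ancestor"


# --- the contraction step and the bottom-up reduction of Lemma 3.6.5 --------

def contract(x: System) -> bool:
    """Assumed model of contract(X) in Proof 3.6.4: Max has run over one
    parent child Y (Lemma 3.6.3), so Y's result is folded up and Y becomes
    a leaf. Returns False when X is already a parent and nothing changed."""
    for y in x.children:
        if parent(y) and not leaf(y):
            y.children.clear()
            return True
    return False

def nodes_postorder(s: System):
    for x in s.children:
        yield from nodes_postorder(x)
    yield s

def all_reduced(root: System) -> bool:
    """The form Lemma 3.6.6 needs: every system is a leaf or a parent."""
    return all(leaf(x) or parent(x) for x in nodes_postorder(root))

def reduce_to_parents(root: System) -> int:
    """Walk bottom-up as in Proof 3.6.5; return the number of contract calls.
    Each call turns one internal node into a leaf, so the count is bounded by
    the number of internal nodes, which is the finiteness the lemmas claim."""
    calls = 0
    for x in list(nodes_postorder(root)):
        # Post-order guarantees x's children are already leaf/parent, i.e.
        # gparent(x) holds when we reach it (the precondition of Lemma 3.6.4).
        assert gparent(x)
        while not parent(x):
            contract(x)
            calls += 1
    return calls


# --- constructed sample tree (assumption, not from the thesis) --------------

def build_sample() -> dict[str, System]:
    a1 = System("a1", [System("a11"), System("a12")])
    a = System("a", [a1, System("a2")])
    b = System("b", [System("b1")])
    root = System("root", [a, b, System("c")])
    return {s.name: s for s in nodes_postorder(root)}


if __name__ == "__main__":
    t = build_sample()
    for name in ("root", "a", "a1", "b", "c"):
        print(f"{name}: {classify(t[name])} (height {height(t[name])})")
    print("contract calls:", reduce_to_parents(t["root"]))
    print("all leaf-or-parent:", all_reduced(t["root"]))
```

Running the block classifies `root` as ancestor, `a` as gparent, `a1` and `b` as parent and `c` as leaf, then reaches the all-leaf-or-parent form in three contract calls (one fewer than the four internal nodes, because the root stays a parent).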

Lemma 3.6.7 The Universal Construction is lock-free.

Proof 3.6.7 To show that the Universal Construction is lock-free we need to prove that the Wkr and Mgr processes are lock-free. The Wkr process consists of the DoExp and DoCmp processes. For the DoExp process to be lock-free we need to show that the DFSearch and Aqr processes are lock-free. Firstly, assuming the number of application processes is at most n and the number of worker processes is m, the number of possible child states from any system is at most min(n, m) (with n decreasing with the creation of every child system). Hence DFSearch must terminate after a finite number of operations. At each system during the search, the Aqr process is called by the worker using the ncas function to acquire an observable event. The ncas function must terminate after at most min(n, m) calls, i.e. the number of possible child states from any system. Finally, to show that the DoCmp process is lock-free requires first proving that the Cmprs process is lock-free. By definition of the Cmprs process, Cmprs is lock-free given Lemma 3.6.6, which proves that the Max process is lock-free.

The Mgr process consists of the Tmr and Update processes. By definition, the Tmr process will always terminate after t iterations. Assuming that the assign and sched functions are lock-free, it is trivial to show that the Update process is lock-free by Lemma 3.6.6, which proves that the only remaining process used by the Update process (namely Max) is lock-free.

3.7 Properties

We now consider the appropriateness of Many Systems Concurrency Control via a number of properties that may be inferred from the Model as presented.

3.7.1 Containment

Containment describes the ability to deterministically restrain computation complexity during execution. This is a property that traditionally is present in all correct programs and is lost only in erroneous programs (e.g., memory leaks). In the Many Systems model, the size of the execution environment (the size of expansion) is unknown beforehand and can only be predicted for the worst case. Therefore the Universal Construction of Section 3.6 allows expansion to be controlled and contained deterministically. Specifically, the Universal Construction can regulate expansion by controlling the size of the worker pool and the value of the timer used by the Mgr process. Ultimately, at each stage of expansion, the number of child Systems is limited by the minimum of the number of worker processes m and the number of possible events from a system state n (i.e. min(m, n)).

3.7.2 Isolation

Isolation describes an interaction with shared state that is equivalent to an interaction without interference. This is the most important property concurrency control seeks to satisfy. The Many Systems model has this property because Θ is a directed tree. It is impossible for Systems on different paths of Θ to interact (see Definition 3.2.7), while System Processes within a single System may only produce observable events to shared state in new Systems.

3.7.3 Liveness

Liveness is a property that fundamentally describes the usefulness of a concurrent system. More specifically, liveness in a system x indicates that one or more processes in x will eventually progress x as requested by a programmer. The no-wait and deadlock-free properties of our model (Corollary 3.4.1) always guarantee theoretical liveness in that all processors will eventually execute all their steps in a causality-preserving manner (Theorem 3.2.1). Due to the nature of the model (rather than any synchronization construct utilized by the programmer), non-deadlocked executions can progress in Θ (Lemma 3.4.1), even in the presence of the logical representations of failed execution paths existing concurrently in Θ (Corollary 3.4.1).

The Lock-Free property of the Universal Construction of Section 3.6 signifies that the state updates generated by the expansion of the Supersystem can be provided to application processes in a bounded number of executions (Lemma 3.6.7). In addition to the general liveness property of the Many Systems Model, concurrently consistent results can be provided to application processes in a timely manner.

3.7.4 Scalability

Scalability in concurrency control can be described as the ability to maintain performance when contention rises on a shared state. In the Universal Construction of Section 3.6, an increase in resources (i.e. worker processes) allows an increase in the exploration of Θ in parallel which, probabilistically, will reduce the time to find a correct system. Conversely, there is sparse opportunity to vary scalability to improve performance (by increasing parallel resources) in existing concurrency control techniques.