Reversibility and beyond

1

Summarizing work of INRIA teams Sardes and Focus

Reversibility and beyond

Ivan LaneseComputer Science Department

Focus research groupUniversity of Bologna/INRIA

Bologna, Italy

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

Reversibility and beyond

We summarize here the thread of research done on reversibility by INRIA teams Sardes and Focus

1) Rhopi: making HOpi reversible

2) Roll-pi: introducing an operator for controlling reversibility

3) Crop: adding compensations

Reversibility and beyond

We summarize here the thread of research done on reversibility by INRIA teams Sardes and Focus

1) Rhopi: making HOpi reversible• Extending reversibility techniques from CCS to more

expressive calculi

• Preserving structural congruence

2) Roll-pi: introducing an operator for controlling reversibility

3) Crop: adding compensations

Reversibility and beyond

We summarize here the thread of research done on reversibility by INRIA teams Sardes and Focus

1) Rhopi: making HOpi reversible

2) Roll-pi: introducing an operator for controlling reversibility

• To model checkpointing and rollbacking techniques

• Exploiting and constraining reversibility

3) Crop: adding compensations

Reversibility and beyond

We summarize here the thread of research done on reversibility by INRIA teams Sardes and Focus

1) Rhopi: making HOpi reversible

2) Roll-pi: introducing an operator for controlling reversibility

3) Crop: adding compensations • Only preliminary ideas

• Keeping trace of past failures

• Avoiding repeating the same errors

• Going towards long running transactions

The small-step approach

We start from a basic calculus: Rhopi We add to it the smallest mechanism we can think of

going in the desired direction– Rollback primitive

– Compensating messages

We study how far we can go with these mechanisms

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

HOpi fundamentals

P;Q ::= ahP i message

j a(X ) . P trigger

j (P j Q) parallel composition

j ºa:P new name

j X variable

j 0 null process

ahQi j (a(X ) . P ) ! P f Q=X g

Rhopi syntax

P;Q ::= ahP i j (a(X ) . P ) j (P j Q) j ºa:P j X j 0

M ;N ::= con̄ gurations

· : P thread

j [m;k] memory

j (M j N ) parallel

j ºu:M restriction

j 0 null con̄ guration

· ::= k j hh;~hi ¢k tags

m ::= ((· 1 : ahP i) j (· 2 : a(X ) . Q)) action record

Rhopi semantics

A forward rule similar to HOpi– Creating a fresh tag for the continuation

– Creating a memory storing the consumed message and trigger

A backward rule undoing a step (up to garbage collection)

Forwar d:m = (· 1 : ahP i) j (· 2 : a(X ) . Q)

(· 1 : ahP i) j (· 2 : a(X ) . Q) ³ ºk:(k : Qf P =X g) j [m;k]

Backwar d: (k : P ) j [m;k] Ã m

Rhopi example

k3 : b(X ) . ch0i j Xk1 : ahP i k2 : a(X ) . bhdh0ii

Rhopi example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k : bhdh0i i

k1 : ahP i k2 : a(X ) . bhdh0ii

Rhopi example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k : bhdh0i i

[k : bhdh0i i j k3 : N1;k4]

k4 : (ch0i j dh0i)

k1 : ahP i k2 : a(X ) . bhdh0ii

Rhopi example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k : bhdh0i i

k1 : ahP i k2 : a(X ) . bhdh0ii

Rhopi example

k3 : b(X ) . ch0i j Xk1 : ahP i k2 : a(X ) . bhdh0ii

Rhopi structural congruence

Used for ensuring each thread has a unique tag– Needed if the continuation of a trigger is a parallel

composition

Here τ is either a message or a trigger Other structural congruence rules are standard

(E.TagP) k :nY

i=1

¿i ´ º~h:nY

i=1

(hhi ;~hi ¢k : ¿i ) ~h = fh1; : : : ;hng

Rhopi properties

Rhopi is an extension of HOpi Rhopi satisfies the Loop lemma

– If P Q then Q P and viceversa

All states reachable from P are weak barbed equivalent to P itself

Rhopi satisfies causal consistency

Essentially the same properties of RCCS

³ Ã

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

Limits of Rhopi

In Rhopi reversibility is wild– Forward and backward actions always enabled

– Each result can always be annulled

– Impossible to make a result final

We want a mechanism to control reversibility

Roll-pi approach

Normal computation is forward Backward computation on demand, to backtrack in case

of errors We use an explicit roll operator to this end Question: how far back should we go?

– In a concurrent scenario the number of steps is not meaningful

Answer: we go back to undo a communication stored in a specified memory– Memory keys allows to individuate the target memory

Roll-pi syntax

Extends Rhopi syntax Adds the primitive roll γ for triggering rollback Adds a γ label to triggers The idea: roll γ takes the system back to the state before

the trigger labelled by γ has been consumed More precisely: undoes all the steps caused by the

interaction involving the trigger labelled by γ

P;Q ::= 0 j X j ºa:P j (P j Q) j ahP i j a(X ) . ° P j roll °

M ;N ::= 0 j ºu:M j (M j N ) j · : P j [¹ ;k]

Giving semantics: naïve try

The forward rule uses the key k to replace the placeholder γ

A rule for roll N ►k verifies that all the elements in N are related to k Complete checks that the term is closed under the causal

relation contains the elements in N not related to k

(Com)m = (· 1 : ahP i) j (· 2 : a(X ) . ° Q)

(· 1 : ahP i) j (· 2 : a(X ) . ° Q) ³ ºk:(k : Qf k;P =° ;X g) j [m;k]

(Naive)N I k compl ete(N j [m;k] j (· : roll k))

N j [m;k] j (· : roll k) Ã m j N & k

N & k

Naïve semantics example

k3 : b(X ) . ch0i j Xk1 : ah0i k2 : a(X ) . ° bhroll °i

Naïve semantics example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k1 : ah0i

k : bhroll ki

k2 : a(X ) . ° bhroll °i

Naïve semantics example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k1 : ah0i

k : bhroll ki

[k : M1 j k3 : N1;k4]

hh1;~hi ¢k4 : ch0i hh2;~hi ¢k4 : roll k

k2 : a(X ) . ° bhroll °i

Naïve semantics example

k3 : b(X ) . ch0i j X

[k1 : M j k2 : N ;k]

k1 : ah0i

k : bhroll ki

[k : M1 j k3 : N1;k4]

hh1;~hi ¢k4 : ch0i hh2;~hi ¢k4 : roll k

k2 : a(X ) . ° bhroll °i

Naïve semantics example

k3 : b(X ) . ch0i j Xk1 : ah0i k2 : a(X ) . ° bhroll °i

The concurrency anomaly

k k1

roll k roll k1

The concurrency anomaly

k k1

roll k roll k1

The concurrency anomaly

k1

The concurrency anomaly

k k1

roll k roll k1

The concurrency anomaly

k

The concurrency anomaly

Intuitively, I have rolls for undoing every action… …but I am not able to go back to the starting state I miss the possibility of performing rollbacks

concurrently– Forcing this sequential behavior in a distributed

implementation would not be easy

Can I write a semantics capturing concurrent rollbacks?

Giving semantics: taming concurrency

The rollback has been splitted in two steps– Tagging the memory

– Executing the rollback of a tagged memory

(Com)m = (· 1 : ahP i) j (· 2 : a(X ) . ° Q)

(· 1 : ahP i) j (· 2 : a(X ) . ° Q) ³ ºk:(k : Qf k;P =° ;X g) j [m;k]

(Start ) (· 1 : roll k) j [m;k] Ã (· 1 : roll k) j [m;k]²

(Rol l )N I k compl ete(N j [m;k])

N j [m;k]² Ã m j N & k

Concurrent rollback

k k1

roll k roll k1

Concurrent rollback

k k1

roll k roll k1

Concurrent rollback

k k1

roll k roll k1

Concurrent rollback

k1

Concurrent rollback

Properties of concurrent semantics

Correct– If I go backward from M, I reach a state able to go forward to

M

Complete– I can execute any number of concurrent rollbacks

Good as abstract specification

if M Ã ¤ M 0 then M 0³ ¤ M , with M and M 0 unmarked

Going towards an implementation

The concurrent semantics is very high-level Includes atomic steps involving an unbounded number

of participants– Concurrently executing

– Possibly distributed

Can we refine the semantics to a more distributed one?– Giving the same final result

Yes! But technicalities are quite complex…

Low level semantics

k

roll k

Low level semantics

k

roll k

Low level semantics

k

roll k

Low level semantics

k

roll k

Low level semantics

k

Low level semantics

Low level semantics

Based on local checks and asynchronous notifications In two phases

– Top-down notification of rollback request

– Bottom-up rollback

Equivalent to the concurrent one– Weak barbed congruent

– Fully abstract

A good starting point for a concurrent and distributed implementation

Writing a low level semantics equivalent to the naïve one would be more difficult

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

Limits of roll-pi

If I go back, I may redo the same steps infinitely many times– No trace of previous attempts

– No possibility to learn from errors

– Perfect rollback

– Every program that may rollback may diverge

We want a compensation mechanism

Crop idea

Some messages include compensations When rallbacked they are replaced by different

messages– Disabling past computations

– Enabling new computations

Is it enough for implementing compensation policies?

Crop syntax

Extends roll-pi syntax Adds compensating messages ahPi¥C for triggering

rollback C is the message left after rollback in place of ahPi ahPi¥ ? is a message whose compensation is

itself

P;Q ::= 0 j X j ºa:P j (P j Q) j ahP i¥C j a(X ) . ° P j roll °

M ;N ::= 0 j ºu:M j (M j N ) j · : P j [¹ ;k]

C ::= ahP i ¥ C j ?

Idea of crop semantics

Very similar to the semantics of roll-pi Messages are transformed during rollback to their

compensations The compensation mechanism has no effect on the keys

One can write semantics corresponding to naïve, concurrent and low level roll-pi semantics

Comments on crop

Just started work-in-progress A small difference in the syntax and semantics w.r.t.

roll-pi We hope a large difference in the expressive power

Roadmap

Directions

Rhopi

Roll-pi

Crop

What next?

Summary

A reversible HOpi A basic operator for controlling reversibility

– Related to checkpointing

A basic mechanism for compensations

All on topic for WP2

Future work

Testing the expressive power of crop w.r.t. existing techniques for programming dependable systems– Speculative parallelism

– Hennessy communicating transactions

– Transactional memories

What about other mechanisms for controlling reversibility?– Relations with RCCS irreversible actions

What about more efficient ways for storing memories? … and much more

Finally