Distributed Computing (1988) 2:226-241

© Springer-Verlag 1988

Appraising fairness in languages for distributed programming*

Krzysztof R. Apt (1), Nissim Francez (2) and Shmuel Katz (2)

(1) Center for Mathematics and Computer Science, Kruislaan 413, NL-1098SJ Amsterdam, The Netherlands, and Department of Computer Science, University of Texas at Austin, Austin TX 78712-1188, USA
(2) Department of Computer Science, The Technion, Haifa, Israel

Krzysztof R. Apt was born in 1949 in Poland. Received his Ph.D. in 1974 from Polish Academy of Sciences in Warsaw in mathematical logic. From 1974 until 1981 worked at various scientific institutions in the Netherlands and from 1981 until 1987 at C.N.R.S. in Paris, France. Spent 1985 as a visiting scientist at IBM Research Centre in Yorktown Heights, U.S.A. Currently holding an Endowed Professorship at the Department of Computer Sciences at the University of Texas at Austin; also a senior research scientist at the Centre for Mathematics and Computer Science in Amsterdam, the Netherlands. His research interests include program correctness and semantics, methodology of distributed computing, use of logic as a programming language and non-standard forms of reasoning. He has served on editorial boards of a number of journals and program committees of numerous conferences in computer science. Lectured in a dozen countries on four continents. Also, he has run two marathons and crossed Sumatra on a bicycle.

Nissim Francez received his B.A. in Mathematics and Philosophy from the Hebrew University in , and his M.Sc. and Ph.D. in computer science (1976) from the Weizmann Institute of Science, Rehovot, Israel. In 1976-77 he spent a postdoctoral year at Queen's University, Belfast, where he was introduced by C.A.R. Hoare to CSP. In 1977-78 he was an assistant professor at USC, Los Angeles. From 1978 he is with the Computer Science Department at the Technion. In 1982-83 he was on a sabbatical leave at IBM T.J. Watson Research Center. He has been a consultant for MCC's software technology program, working on multiparty activities in distributed systems. He had summer appointments in Harvard University, IBM T.J. Watson Research Center, , CWI (Amsterdam) and at MCC. He also served in several program committees. His research interests include program verification and the semantics of programming languages, mainly for concurrent and distributed programming. Is also interested in and recursive query evaluation and in compiler construction. He is the author of the first book on Fairness. Unfortunately, he is incapable of Marathon running ....

Shmuel Katz received his B.A. in Mathematics and English Literature from U.C.L.A., and his M.Sc. and Ph.D. in Computer Science (1976) from the Weizmann Institute in Rehovot, Israel. From 1976 to 1981 he was a researcher at the IBM Israel Scientific Center. Presently, he is a Senior Lecturer in the Computer Science Department at the Technion in Haifa, Israel. In 1977-78 he visited for a year at the University of California, Berkeley, and in 1984-85 was at the University of Texas at Austin. He has also been a consultant for the MCC Software Technology Program. His research interests include the methodology of programming, specification methods, program verification and semantics, distributed programming, data structures, and programming languages.

Abstract. The relations among various languages and models for distributed computation and various possible definitions of fairness are considered. Natural semantic criteria are presented which an acceptable notion of fairness should satisfy. These are then used to demonstrate differences among the basic models, the added power of the fairness notion, and the sensitivity of the fairness notion to irrelevant semantic interleavings of independent operations. These results are used to show that from the considerable variety of commonly used possibilities, only strong process fairness is appropriate for CSP if these criteria are adopted. We also show that under these criteria, none of the commonly used notions of fairness are fully acceptable for a model with an n-way synchronization mechanism. The notion of fairness most often mentioned for Ada is shown to be fully acceptable. For a model with nonblocking send operations, some variants of common fairness definitions are appraised, and two are shown to satisfy the suggested criteria.

Key words: Fairness - Distributed computing - Communication - Partial order semantics - Semantic criteria

Offprint requests to: K.R. Apt
* A preliminary version of this work appeared in [AFK]

1 Introduction

Fairness is an important concept which naturally arises in the study of nondeterministic systems, in particular when dealing with concurrent systems. A very general formulation is a statement of the form: if a certain choice is possible sufficiently often, then it is sufficiently often taken. Depending on the definitions of a "choice", "possible", and "sufficiently often", different notions of fairness arise. A variety of these fairness notions have been introduced in the literature and studied both from a proof theoretic and a semantic point of view. Semantics is usually introduced by means of a computational model which defines legal computations. A two-leveled approach is most often taken in which first the legal computations are described, and then a fairness notion is used to exclude some additional computations which otherwise would be legal. An overview, examples, and further references may be found in [Fr].

For nondeterministic programs some of the fairness notions include weak fairness (also called justice), strong fairness, equifairness, and extreme fairness. For CSP [H] and other models for distributed computing, at least six reasonable variants have been defined and investigated. This wide variety of possibilities leads to a confusing situation: selection of a particular definition of fairness for any particular model or language relies almost exclusively on subjective, implicit criteria.

In this paper, we suggest three simple semantic criteria which can aid in determining which notions are appropriate for which computational model. The criteria we propose are termed feasibility, equivalence robustness, and liveness enhancement. Below we informally explain the criteria and the results linking the criteria and the models. In subsequent sections the formal definitions are given, and the theorems and proofs which lead to these results are presented.

Feasibility. As noted above, any definition of fairness excludes some of the executions (the "unfair" ones) which otherwise would be legal executions according to a semantics of the computational model. A necessary requirement of any definition of fairness for a computational model is to have some legal computation remain after this exclusion, for every possible program and initial state. That is, for every legal program and initial state some (finite or infinite) fair computation does exist. This restriction is closely related to the idea of implementing fairness by means of schedulers. Without it, no scheduler - which must produce one of the fair computations - could correctly treat the fairness. Moreover, since any reasonable scheduler cannot 'predict' the possible continuations at each point of the partial computation, it should be possible to extend every partial computation to a fair one. This is the proposed feasibility criterion, and it subsumes the above necessary requirement.

As a simple example of an unfeasible definition of fairness for guarded commands (GC) [D], consider the following fairness definition: all choices (referred to as directions) which are infinitely often possible must eventually be chosen equally often. In Figure 1 a nonterminating program P is shown, for which there is no computation sequence satisfying the above definition, even though both directions are infinitely often possible. Thus no scheduler can be devised, and the fairness notion is not feasible for that model. (In fact, feasible definitions of such a fairness notion must incorporate the set of choices which are jointly possible at each stage, as in [GFK1].)

Equivalence robustness. For concurrent programs, the computational model used induces a dependency relation among actions. For example, an input action of a receiving process depends on a corresponding output action of a sending process. The computations of asynchronous, distributed systems are often modeled by interleaving the (atomic) actions of their component processes. However, it is clear that the order of execution of independent actions in such an interleaving is arbitrary. Thus two execution sequences which are identical up to the order of two independent actions should be equivalent. This leads to the second criterion: a definition of fairness is equivalence robust for a computational model if it respects the equivalence

    P:: x:=1; *[true -> x:=x+1  □  x mod 3 = 0 -> x:=x+1].

Fig. 1

induced by that model. That is, for two infinite sequences which differ by a possibly infinite number of interchanges of independent actions (i.e., equivalent sequences), either both are fair according to the given definition, or both are unfair. If this criterion is not satisfied, then fairness depends on the particular ratio of processor speeds or on the location of the observer, which is undesirable.

Liveness enhancement. All distributed models assume a fundamental liveness property that an action will eventually be executed in some process if the system is not deadlocked. Any additional fairness requirement complicates the scheduling and may cause difficulties in defining a precise semantics or proving correctness. Thus adding an additional liveness requirement of some sort of fairness is only justified if some benefit will accrue. That is, there must be some program which has some liveness property which it would not have without the additional requirement. This criterion is termed liveness enhancement in order to emphasize that additional liveness properties will hold for some programs. As shown in the sequel, this also depends on the particular model being considered, and is sensitive to fine details of the model. Some fairness assumptions cannot force a communication to occur in a model if it did not have to occur under the basic liveness property. These assumptions are not liveness enhancing for that model.

It is sufficient to consider here the impact of fairness assumptions on termination only. This is true because such assumptions are known not to affect partial correctness or, more generally, safety properties, and other liveness properties can be reduced to termination for derived programs (see [GFMdR]).

Plan of the paper

In the sequel, we appraise several fairness definitions and computational models under the criteria suggested above. These are only examples of the application of our approach. Readers are invited to apply these criteria, or any variants and additions they prefer, to their favorite fairness definitions and computational models.

In the next section we introduce the formal definitions of the semantics and of the fairness criteria. Then in section 3 the properties of six fairness notions for CSP are analyzed in detail. We conclude that only one of these common notions - Strong Process Fairness - satisfies all three criteria. The joint action of CSP involves synchronous communication between a pair of processes. In section 4, we study the case of N-way communication (for arbitrary N > 2), i.e., a joint action with synchronous communication among N processes. We show that none of the six common fairness definitions we consider satisfy all of the criteria. The difference between the 2-way and N-way cases lies in a greater possibility of "conspiracies" when N > 2. That is, one group of processes may ensure that particular actions involving other processes are insufficiently often possible.

In section 5 fairness for an abstraction of Ada is considered, while section 6 defines and appraises fairness notions for a message-passing model with a nonblocking send operation. The Ada and the nonblocking send models have in common that the fairness notions relate to the receipt of a message or activation of a rendezvous within a single process. As is shown, for this reason all of the fairness notions considered will be equivalence robust for these models. In the Conclusions, some implications of our results are considered regarding proof rules for termination under a fairness assumption.

2 Formal definitions

2.1 Computational models

The models of computation considered here are assumed to have some common structural properties. By a distributed program we mean a fixed collection of processes. These processes have disjoint states and perform atomic actions. The model attributes each action either to one process, in which case we refer to it as a local action (of that process), or to two or more processes, in which case we refer to it as a joint action (of those processes). A configuration is a pair consisting of a global state and an atomic action to be taken.

Definition. A computation is a maximal sequence of configurations, where the action in a configuration transforms the state of that configuration to the state of the immediately following configuration.

We also assume that the state determines a predicate enabled over the possible actions which may appear in a configuration, as defined below.

Definition
i) An action is enabled in a configuration if it can serve as the next action executed (where the exact definition is model dependent).
ii) A process is enabled in a configuration if some (possibly joint) action attributed to it is enabled in the configuration.
iii) A process is ready for an action in a configuration if its local state is the projection of a state in which the action is enabled and the action is attributed to that process.

The second component of a configuration is always one of the actions enabled in that configuration and represents the one chosen to be executed at that point in the computation.

Similar approaches to defining semantics may be seen in [P] for CSP, and in [HLP] for a fragment of Ada. However, it is also reasonable, and even attractive, to consider a partial order semantics (see for example [L1], [R], or [OM]) expressing only the essential causal relationships among the atomic actions (both local and joint). In this paper we will assume that the underlying partial orders are total over the local atomic actions of each individual process, so that two local actions of the same process are ordered. Clearly, every such partial order induces a dependency relation among actions, and a uniquely defined equivalence over interleaved computations of those satisfying the same partial order with the same actions.

Definition. Two atomic actions are independent if they are not related by the partial order.

Definition. If π and ρ are interleaved computations, then π ≡ ρ iff π can be obtained from ρ by (possibly infinitely many) simultaneous transpositions of two independent atomic actions.

Thus we assume a combined semantics where both the collection of interleaved computations and the equivalence relations defined by the underlying partial order are available. A temporal logic assuming this kind of semantics is defined and investigated in [KP].

In this paper, three additional assumptions are made about the syntax of the programs studied and the computational models considered:

(1) Noninstantaneous readiness. Every joint action is immediately followed by a configuration with a state in which each participant process is not ready for any joint action. This means that once a process executes a joint action it enters a local state in which none of the joint actions in which it can participate is enabled. The next local action could, of course, be a (possibly implicit) skip whose only effect is to make some joint action become a possible later choice.

This affects the definition of when a joint action is continuously enabled. The justification for the noninstantaneous readiness assumption is that joint (and other) actions take time at the implementation level, even though they are considered atomic on the program level. Thus if we wish to equate "continuously" with "uninterruptedly" (as we do), even the interruption caused by executing one action can be enough to make other (joint) actions temporarily disabled. As will be indicated in the proofs, this assumption influences the results we obtain regarding liveness enhancement. A more detailed examination of issues involved in deciding when a joint action should be considered enabled may be found in [FK]. Some other work in this area ([KdR]) assumes that only states where joint actions are possible choices need be considered as significant. In that case, it would be possible for a process which participates in a joint action A to nevertheless be "continuously" ready to participate in some other joint action B.

The noninstantaneous readiness assumption may be enforced either by assuming that local actions actually appear in the text after every joint action, or by positing a hidden local state and local skip action after every joint action.

(2) Uniform choice. A choice between a local and a joint action is never possible. This assumption is motivated by our desire to emphasize the influence of fairness assumptions on the execution of joint actions, and the fact that many fairness definitions do not relate at all to local actions. This and the previous assumption together guarantee that the definitions of fairness considered here are immune to additions of local actions, like skip, in processes. In the terminology of [L2] we might say that these definitions are immune to stuttering, i.e., to repetitions of a configuration in a computation. Again, this assumption is crucial to some of the results seen in later sections.

(3) Minimal progress [OL]. Every process in a state with enabled local actions will eventually execute some action. This minimal progress assumption is somewhat stronger than the fundamental liveness property mentioned in the introduction. According to this stronger assumption, a process will not simply "stop executing" when it has local actions which may be chosen. In the sequel, all computations are assumed to satisfy the minimal progress property.

Note that this property could be itself considered to be a fairness assumption, and indeed has been in the literature. However, in [FdR] it is shown not to allow proving the termination of additional programs beyond those which terminated under the fundamental liveness assumption (that some atomic action is executed somewhere). In our terminology this means that minimal progress is not liveness enhancing in relation to the fundamental liveness property. We have chosen to "build in" this assumption so that the focus of additional fairness definitions is on joint actions (e.g., interprocess communication). This assumption is significant for results on liveness enhancement, since the enhancement is relative to this minimal progress property.

2.2 Fairness and appraisal criteria

Now the possible definitions of fairness and the criteria for their appraisal may be expressed in terms of the computational models.

Definition
i) Given a (distributed) program P, comp(P) is the set of interleaved computations generated by P under the semantics of the model, assuming only the minimal progress property.
ii) A fairness notion (or fairness definition) F is a rule for selecting, for any given program P, a subset of computations F(P) ⊆ comp(P) such that F(P) contains all finite computations in comp(P).

Note the indirect dependence of F on the model of computation, since comp(P) itself depends on the model. Actually, an arbitrary selection function would generally not be considered a fairness notion at all, since the uniform predicate for deciding whether a computation is fair or not involves the choices made during the computation. A fairness definition would be expressed in terms of the predicates enabled, ready, and other predicates such as executed (true of an action if it has been executed in the previous configuration). However, such restrictions will not be imposed here formally, since in any case we do not intend to precisely characterize all possible fairness definitions, but rather to provide criteria for appraising specific examples of such definitions. Now we may state these criteria precisely.

A necessary condition for feasibility of F is that for all programs P, if comp(P) ≠ ∅, then F(P) ≠ ∅. As already explained, feasibility should also prevent a scheduler from "painting itself into a corner" with no possible continuation. Thus the definition is expanded to cover this difficulty.

Definition. F is feasible iff for every program P every finite initial segment of an interleaved computation in comp(P) can be extended to a computation in F(P).

Definition. F is equivalence robust iff for every program P and every two computations π and ρ in comp(P), (π ∈ F(P) ∧ π ≡ ρ) ⇒ ρ ∈ F(P).

Definition. F is liveness enhancing iff there is a program P such that comp(P) contains an infinite computation, but all computations in F(P) are finite.

This definition means that P terminates under the assumption of F. Because of the possible reduction of liveness properties to termination of a derived program, this is sufficient to express general liveness enhancement.

By a projection of a computation π on a process p, denoted by [π]p, we mean the result of deleting from π all actions in which p is not involved and restricting the states to variables used only in p. Note that in general [π]p need not be a computation.

The following simple lemma will be useful in the sequel. It is a direct consequence of our assumption about the totality of the local dependence relation within a process.

Lemma (Projection equality). If π ≡ ρ, then for each process p, [π]p = [ρ]p.

Note. The converse of this lemma was proved by L. Bougé (private communication) for CSP programs. We do not need this stronger version here.

3 Results for CSP

In this section the results concerning the CSP model are stated. We consider the language as defined in [H] except that
(i) nested parallelism is disallowed,
(ii) the distributed termination convention is not adopted,
(iii) output commands may appear in guards,
(iv) the three additional assumptions given in the previous section are also imposed.

The semantics we consider is that of interleaved computation sequences as defined in [P]. According to this semantics the control of a process is identified with the part of the process text still to be executed. A configuration is then a vector of control points of the processes and a usual global state. This view can easily be converted into the configuration defined in section 2.1 because the action taken can be extracted from the information available in successive control vectors, as may the predicate enabled.

In order to satisfy the noninstantaneous readiness assumption, we assume that each i/o command or i/o guard is immediately followed by a local action (which as mentioned might be skip). To ensure the uniform choice assumption we postulate that in alternative and repetitive commands either all guards are boolean or all guards contain an i/o command. Finally, only computations satisfying the minimal progress assumption are considered. In the continuation, when the CSP model is referred to, all of the assumptions above are included.

In the context of CSP, it is reasonable to define fairness so as to guarantee that an action will be taken by each process which satisfies some condition, or that each communication satisfying a condition will occur, or that one communication will occur from each group of communications between two processes which satisfy a condition. That is, the "choices" for fairness could be among the processes, the pairs of processes which could communicate (i.e., the channels), or the individual communications.

Once it has been settled what is to be fair, the precise interpretation of "sufficiently often" must be determined. Two well-known possibilities for CSP are weak fairness, in which the choice is possible continuously from some point on, or strong fairness, in which the choice is possible infinitely often. Taking all of the combinations, six notions are obtained.

Strong process (SP) fairness. An infinite computation is fair iff each process infinitely often ready to execute some joint atomic actions will infinitely often do so.

Strong channel (SCh) fairness. An infinite computation is fair iff each pair of processes infinitely often capable of communication with each other do infinitely often communicate with each other (so that one of the possible communications between them is executed, possibly a different one every time).

Strong communication (SCo) fairness. An infinite computation is fair iff each pair of i/o commands (i.e., each specific possibility of communication) which is infinitely often jointly enabled is executed infinitely often.

The weak versions, WP, WCh, WCo, respectively, are obtained by substituting "continuously from some point on" for the first occurrence of "infinitely often". Furthermore, it is stipulated that all finite computations are fair w.r.t. all fairness definitions.

The consequences of the following propositions are that although all six possibilities are feasible, only strong process fairness is both equivalence robust and liveness enhancing for CSP: under our assumptions, no type of weak fairness is liveness enhancing, and strong communication or channel fairness are not equivalence robust. These results are summarized in Table 1.

Table 1. Summary of appraisal for CSP

          Feasible   Equivalence robust   Liveness enhancing
    SP       +               +                    +
    SCh      +                                    +
    SCo      +                                    +
    WP       +
    WCh      +               +
    WCo      +               +

Proposition 1. The six notions of fairness defined above are all feasible for the CSP model.

Proof idea. For each fairness definition an explicit scheduler is exhibited and it is shown that any prefix of a legal computation can be generated by the scheduler. Moreover, if a prefix of a computation was generated by the scheduler, then the scheduler will generate a continuation which satisfies the condition for being in D, i.e., a computation satisfying the fairness notion under consideration. This idea has been used implicitly in [AO] and explicitly in [OA].

As an illustration of this technique, consider strong communication fairness. Given a CSP program P, associate with each of the atomic actions of P a distinct variable, called a priority variable. The scheduler can be viewed as a program executed in parallel to P, having access to all variables in P for inspection. It can also determine the control locations of all processes in P. The scheduler interacts with P by executing the program section SELECT seen in Fig. 2, which determines the next action in the computation of P. After the execution of the selected action by P, the scheduler regains control, unless P has terminated or entered a deadlocked configuration. All priority variables are initialized to arbitrary nonnegative integer values.

Versions of these schedulers could also be composed so that the conditions apply to superimpose (in the sense seen in [BF] and [K]) the scheduler on the program P, and so that the result would be a legal CSP program. Rather than using the shared variables in the schedulers described above, each process in P and the scheduler would be modified so that the values of the control locations and of the priority variables are sent as messages to the scheduler instead of being read directly.

    for each atomic action do
        if it is enabled then decrement its priority variable by 1;
    select for execution an enabled action with a minimal value for its priority variable;
    reset the priority variable of the selected action to an arbitrary nonnegative integer

Fig. 2. SELECT

Because of the use of random assignments and possible nonuniqueness of the minimal priority variable, the scheduler itself is nondeterministic. The following faithfulness theorem holds, whose proof is a variant on abstract results in [OA].

Theorem (Faithfulness)
1. Every computation of P generated by the scheduler is SCo fair.
2. Every SCo fair computation of P or any finite prefix of a computation can be generated by the scheduler.

Proof idea
1. Consider a computation of P which is generated by the scheduler, and a pair of i/o commands which form a joint action. Each time this joint action is enabled in the sequence considered, its priority variable is decremented by 1. One can prove (see [OA]) that given n actions each priority variable is invariantly at least -n+1. This guarantees that every joint action infinitely often enabled is executed infinitely often. Moreover, by the same argument, since local atomic actions also have associated priority variables which are decremented, every process with enabled local actions will eventually be activated, so the minimal progress assumption will be met. The sequence generated by the scheduler is thus strong communication fair.

2. Consider a SCo fair computation of P or a prefix of a computation. To show that it can be generated by the scheduler, it is sufficient to define the appropriate values of the priority variables at the point where they are reset. We simply assign to each priority variable the number of times the associated action is enabled before it is taken (if at all). It is straightforward to see that this choice of value

[...]tion. If it reaches a point at which no event can be chosen, this can only be because no event was enabled, and the same sequence of events defines an execution which terminates from comp(P), and thus is fair. Otherwise the scheduler will generate an infinite computation, which is also fair due to part 1 of the theorem. Thus every prefix of a computation has a fair extension, as required. Schedulers and faithfulness theorems may be obtained for the other fairness definitions merely by modifying the conditions for enabledness and for resetting the appropriate priority variables.

Proposition 2. Weak communication, weak channel, and strong process fairness are equivalence robust for the CSP model.

Proof idea. It is easiest to show that SP fairness is equivalence robust for CSP by considering the unfair computations of an arbitrary program P. If π is strong process unfair, then from some point on there is a process P_i which is infinitely often enabled for at least one joint action but no joint action involving P_i is ever executed. Thus P_i is continuously ready for the communication, since there are no alternative local actions which it could execute. Here the Uniform Choice condition, i.e., the restriction to a model where local actions are not nondeterministic alternatives to communications, is essential. Now consider any equivalent computation ρ. By the Projection Equality lemma, starting from some point in ρ, the process P_i is here also continuously ready for a joint action. Again, by the same lemma, there are infinitely many states in which the possible partner of P_i could have communicated with P_i, so the communication is enabled. Thus in this case also, ρ is SP unfair.

For the weak communication case, the assumption of being continuously enabled means that in an unfair computation neither participant process in a continuously enabled joint communication can do anything else. As before, this is also true in any equivalent computation sequence. Thus it too will be unfair, establishing the equivalence robustness. The WCh fairness is treated similarly.
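The SELECT scheduler of Fig. 2 and the kind of unfair computation the strong fairness notions of section 3 rule out, as an added example that is not part of the paper: a small abstract program of local and joint actions (three processes, where A may communicate with B or with C) is run once under a naive fixed-order scheduler, which starves the joint action AC even though AC is enabled infinitely often, and once under a priority-variable scheduler in the style of SELECT. The program, the naive scheduler, the tie-breaking rule (first in list order), the reset value 0 and the finite-prefix diagnostic `starved` are assumptions of this example; the paper leaves ties and reset values nondeterministic.

```python
"""Priority-variable scheduler in the style of SELECT (Fig. 2), run over an
abstract program of local and joint actions.  Everything here is a constructed
example, not the paper's code: the three-process program, the naive scheduler,
the fixed tie-breaking/reset choices and the prefix diagnostic are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, str]            # process name -> "ready" | "local"


@dataclass
class Action:
    name: str
    procs: Tuple[str, ...]        # one process: local action; two: joint action
    enabled: Callable[[State], bool]
    apply: Callable[[State], State]


def joint(a: str, b: str) -> Action:
    """Synchronous communication a<->b.  Afterwards both participants are in a
    local state and must execute a skip before being ready again, which models
    the noninstantaneous readiness assumption (1)."""
    return Action(f"{a}{b}", (a, b),
                  lambda s: s[a] == "ready" and s[b] == "ready",
                  lambda s: {**s, a: "local", b: "local"})


def skip(p: str) -> Action:
    """Local action of p that makes p ready for joint actions again."""
    return Action(f"skip{p}", (p,),
                  lambda s: s[p] == "local",
                  lambda s: {**s, p: "ready"})


# Constructed program: process A may communicate with B or with C, forever.
ACTIONS: List[Action] = [joint("A", "B"), joint("A", "C"),
                         skip("A"), skip("B"), skip("C")]
INITIAL: State = {"A": "ready", "B": "ready", "C": "ready"}

Picker = Callable[[List[Action], Dict[str, int]], Action]


def naive_pick(enabled: List[Action], _prio: Dict[str, int]) -> Action:
    """Takes the enabled action that comes first in a fixed order.  On ACTIONS
    this produces AB, skipA, skipB, AB, ... : AC is enabled infinitely often
    but never executed, so the computation is SCo-, SCh- and SP-unfair even
    though minimal progress holds (C never has an enabled local action)."""
    order = ["AB", "skipA", "skipB", "skipC", "AC"]
    return min(enabled, key=lambda act: order.index(act.name))


def select_pick(enabled: List[Action], prio: Dict[str, int]) -> Action:
    """SELECT of Fig. 2: decrement the priority variable of every enabled
    action, execute an enabled action with minimal priority, reset its
    variable.  Ties are broken by list order and the reset value is 0 here."""
    for act in enabled:
        prio[act.name] -= 1
    chosen = min(enabled, key=lambda act: prio[act.name])
    prio[chosen.name] = 0
    return chosen


def run(picker: Picker, steps: int) -> Tuple[List[str], Dict[str, int], int]:
    """Generate a computation prefix of at most `steps` configurations.
    Returns the executed action names, how often each action was enabled,
    and the lowest value any priority variable held between steps."""
    state = dict(INITIAL)
    prio = {act.name: 0 for act in ACTIONS}        # arbitrary nonnegative start
    enabled_count = {act.name: 0 for act in ACTIONS}
    trace: List[str] = []
    lowest = 0
    for _ in range(steps):
        enabled = [act for act in ACTIONS if act.enabled(state)]
        if not enabled:               # terminated or deadlocked: prefix is maximal
            break
        for act in enabled:
            enabled_count[act.name] += 1
        chosen = picker(enabled, prio)
        lowest = min(lowest, min(prio.values()))
        trace.append(chosen.name)
        state = chosen.apply(state)
    return trace, enabled_count, lowest


def starved(trace: List[str], enabled_count: Dict[str, int]) -> List[str]:
    """Finite-prefix diagnostic: actions enabled somewhere in the prefix but
    never executed in it.  A prefix cannot decide fairness of an infinite
    computation, but an action that stays on this list as the prefix grows
    is exactly the pattern the strong fairness notions above exclude."""
    executed = set(trace)
    return sorted(n for n, c in enabled_count.items() if c > 0 and n not in executed)


if __name__ == "__main__":
    for label, picker in (("naive", naive_pick), ("SELECT", select_pick)):
        trace, counts, lowest = run(picker, 300)
        print(label, "AC executed", trace.count("AC"), "times; starved:",
              starved(trace, counts), "; lowest priority:", lowest)
```

Under the naive scheduler `starved` reports AC for every prefix length, while under the SELECT-style scheduler every action is executed and AC recurs with period 6; along the run the priority variables never drop below -(n-1) for the n = 5 actions, which is the invariant the faithfulness proof relies on. Note that SELECT chooses only among enabled actions: an action whose variable is already low but which is currently disabled is not selected, just as in Fig. 2.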