GB2470970A - Control of concurrency in real time systems by claiming and testing semaphores - Google Patents


Info

Publication number
GB2470970A
Authority
GB
United Kingdom
Prior art keywords
test
semaphore
operations
phenomenon
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0917998A
Other versions
GB0917998D0 (en)
Inventor
Arthur Philip Young
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Publication of GB0917998D0
Priority to GB201007770A (GB2470809B)
Publication of GB2470970A
Withdrawn (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/52 Program synchronisation; Mutual exclusion, e.g. by means of semaphores
    • G06F9/522 Barrier synchronisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/38 Concurrent instruction execution, e.g. pipeline, look ahead
    • G06F9/3836 Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution
    • G06F9/3851 Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution from multiple instruction streams, e.g. multistreaming

Abstract

The invention concerns concurrent operations and providing methods of detecting when all are complete. The invention provides symmetrical methods of detecting completion, avoiding the need for one thread to await the completion of another. Operations may proceed concurrently generating information — a semaphore — which, when tested, indicates whether all operations within the set have run to completion at that time. The invention extends to equipment to perform a set of operations, an operation within said set to claim and to test a semaphore to determine whether said operation is the last to claim said semaphore, the outcome of the test applied within said operation to select the subsequent course of said operation. The semaphore may contain a count of the number of operations which remain incomplete. A semaphore may be held in memory accessible to all operations, each set of operations employing its own semaphore to test completion. Conditional execution of programs, within a concurrent set, is supported, completion identified only when initiation of programs is complete. One set of concurrent programs may also be used as a program within another set. The invention is based on a theoretical model descriptive of knowledge generation in physical systems.

Description

Control of concurrency in real time systems.
Introduction to the invention.
The invention concerns equipment in which logical operations are performed concurrently, providing methods of detecting when all are complete. Current methods employ cooperative communication between processing threads, one thread chosen in advance to be the last to terminate and required to await completion of all others; instead the invention provides symmetrical methods of detecting when all concurrent operations (threads) are complete, the need for waiting avoided. It also extends methods of concurrency control claimed in the inventor's British patent number GB2398140; priority is claimed from an electronic application 0909701.5 made by the inventor on June 8 2009. The invention forms part of an approach to software engineering founded on a theoretical model descriptive of knowledge generation in physical systems and impacting on all phases of projects. Claims embrace both methods and equipment.
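The claim-and-test scheme summarised in the abstract and in the paragraph above can be sketched as follows. This is an added example, not code from the patent: the type and function names are assumptions, and an atomic decrement stands in for "claiming and testing" a semaphore that holds the count of incomplete operations. The initiator holds one unit of the count until initiation is complete, so a conditionally started set cannot test as complete early.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// CompletionSemaphore holds the count of operations in one set that have not
// yet claimed it. Type and method names are illustrative assumptions.
type CompletionSemaphore struct {
	remaining int32
}

// NewCompletionSemaphore starts the count at 1: that unit belongs to the
// initiator, so the set cannot test as complete while operations are still
// being started (conditional execution may start any number of them).
func NewCompletionSemaphore() *CompletionSemaphore {
	return &CompletionSemaphore{remaining: 1}
}

// Add registers one operation; it must be called before that operation starts.
func (s *CompletionSemaphore) Add() { atomic.AddInt32(&s.remaining, 1) }

// ClaimAndTest is called once by every operation as it completes, and once by
// the initiator when initiation is complete. The decrement and the test are a
// single atomic step, so exactly one caller sees true: the last one.
func (s *CompletionSemaphore) ClaimAndTest() bool {
	return atomic.AddInt32(&s.remaining, -1) == 0
}

// RunSet starts op(v) concurrently for each input that satisfies cond. The
// operation that completes last runs the continuation itself; no operation
// waits for another. The channel receive at the end exists only so that this
// function can hand the result back to its caller.
func RunSet(inputs []int, cond func(int) bool, op func(int) int64) (int64, int32) {
	sem := NewCompletionSemaphore()
	var total int64
	var lastClaims int32
	done := make(chan struct{})
	finish := func() {
		if sem.ClaimAndTest() {
			atomic.AddInt32(&lastClaims, 1) // continuation: runs exactly once
			close(done)                     // a second close would panic
		}
	}
	for _, v := range inputs {
		if !cond(v) {
			continue // conditional execution: this program is never started
		}
		sem.Add()
		go func(v int) {
			atomic.AddInt64(&total, op(v))
			finish()
		}(v)
	}
	finish() // initiation complete: release the initiator's unit
	<-done
	return atomic.LoadInt64(&total), atomic.LoadInt32(&lastClaims)
}

func main() {
	inputs := make([]int, 100)
	for i := range inputs {
		inputs[i] = i + 1 // constructed sample input: 1..100
	}
	even := func(v int) bool { return v%2 == 0 }
	square := func(v int) int64 { return int64(v) * int64(v) }
	total, last := RunSet(inputs, even, square)
	fmt.Println("sum of even squares:", total, "operations that tested as last:", last)
}
```

If no program satisfies the condition, the initiator's own claim is the last one and the continuation still runs exactly once.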
A paper, which now follows, sets out the theoretical model, identifying some key implications for software engineering. The theory is shown to justify the methods claimed.
1. Introduction.
The long-established technology of signalling, in which meaning is assigned to physical signals according to a chosen convention, provides the sole means of communication within physical systems. A theoretical model, descriptive of knowledge-generating systems and based on that observation, is advanced; in that model signalling theory, in extended form, provides a foundation for information science and technology. A description of physical behaviour is interpreted using a map connecting identifiers, which are the abstract components of the model, to phenomena which are its sole physical components. The model applies to all physical sources of knowledge including those controlled by software; it implies inescapable constraints which in turn imply a need to reform software engineering methods. The author appears to be alone in exploring this form of physics-based model; however the entity life history model [Sandon and Zalewski 2006] has described the histories of "entities" in terms of the sequences of events occurring within their lives.
The model is explained according to Newtonian physics, the author not qualified to assess the relationship to its successors. The data flow architecture [Dennis 2008] is consistent with the proposals, some of which were published in an earlier paper by this author [Young 2009]. The scientific method is adopted, the author proposing the model for appraisal by others; if accepted it will, like other scientific models, be treated as valid while its predictions remain consistent with experience. The relationship, of the model to current thinking, is outside the intended scope of the paper and is touched on only to aid explanation.
The hypothesis reflects experience in the physical design of knowledge-generating mechanisms: such a mechanism can acquire information only by testing physical signals. Where a binary convention is in use the level of a particular physical signal represents either a "one" or a "nought"; other conventions allow signal levels to be measured more precisely. In computers the signals are, during measurement, either well above or well below the threshold level used to distinguish "ones" from "noughts", thus avoiding errors. A physical test, performing measurement and computation, employs the levels of its input signals to generate the levels of its output signals; as generation cannot occur instantaneously testing, of the level of any input signal, must last for a finite period of time thus imposing limits on computation speed. Another factor, the unwanted thermal noise inherent in signalling systems, also suggests that test-duration must be finite; noise power tends to infinity as duration tends to zero. Thus in any mechanism knowledge is represented only by physical signals each of which must last for a finite period of time; events, thought of as occurring without the passage of time, cannot be sensed by direct, instantaneous physical testing and cannot therefore form part of any physical model.
Sensing, of physical signals generated by a test, can be achieved only by a further test or tests. Since a signal can be tested only while it exists it follows that a test must provide, for each set of signals communicating a fact true of the tested behaviour, a physical signal to indicate whether that signal-set has yet become accessible to testing; a potential reader must be able to determine whether the physical preconditions, necessary for valid reading, have yet occurred. Signalling conventions must provide for this information to be signalled by tests.
2. Theory.
2.1 Tests.
According to the model proposed, human knowledge of physical behaviour originates only from physical tests applied through the human sensory system, the identity of a successful test serving to classify the tested behaviour. The success of a test f indicates the past occurrence of a physical phenomenon of a class f, phenomena occupying space and time. Identifiers such as f are assigned by human observers according to a chosen convention or language. Behaviour thus observed may itself include phenomena which perform tests, their classes serving to classify behaviour which the human observer has not observed directly: thus the class of a meter reading may indicate the class of a voltage. An observer's existing knowledge of behaviour may also be extended by inferences based on rules known, by the observer, to govern the outcomes of tests. Facts and inferences are the only logical components of the model, each of them having a physical counterpart which is a phenomenon occupying space and time. Inferences are the logical counterparts of tests.
Thus a thunderstorm is a physical phenomenon of class "thunderstorm" where the English language is the applied naming convention. A human observer, observing the onset of a thunderstorm or observing a sample of its life, infers from it the occurrence of the entire thunderstorm. An observation is a test of the physical environment; a model, describing how reasoning about physical behaviour is performed, is proposed under 2.3 below.
A phenomenon (of class) f may also be of some other class w, a test w succeeding when applied to that phenomenon f, the phenomenon now said to be of class (f, w), the phenomenon further described by the identifier w. One phenomenon p is said to "contain" another of class q if and only if at any time which may be chosen within the life of the contained phenomenon q the space, occupied by that contained phenomenon, is contained within that occupied by the containing phenomenon p at that time. The physics here is Newtonian, the phenomenon now of class p and also of a class containing a phenomenon q. Where a phenomenon p contains more than one phenomenon of known class the time order of termination of the contained phenomena may also be specified in the description as will be explained later in this section. The space-time occupied by a phenomenon may consist of unconnected regions, as where a phenomenon is a set of physical objects or a series of incidents.
A test is a phenomenon which contains phenomena of classes which communicate its input and its output information. Thus the existence of a computer system throughout a period of run-time constitutes a phenomenon which contains phenomena which communicate data to and from that system. Human beings exist within a phenomenon which contains all the phenomena they can test and which provides a frame of reference within which phenomena are classified and thus identified.
A test is assigned two classes: a generic class g, independent of the outcome of the test but true of all instances of it, and a specific class s which identifies the outcome of a particular instance of the test. The generic class identifies the class of equipment and of procedure essential to perform a test of that generic class. These two classes together constitute the fact (g, s) generated by that instance. A human observer will find the specific class of a test meaningful only when aware of the generic class. Designers design in terms of generic classes, creating equipment (often controlled by software) which operates on phenomena representing specific classes.
Where the identifier s is a set of identifiers then any subset of s may also serve as a specific class of that instance of the test, a single test then having a number of specific classes each indicating the truth of a fact.
A test can be applied only to describe in greater detail a phenomenon of a specified class, the model providing no other way of specifying the physical behaviour which is to be described. A test can validly be initiated only at a time when the phenomenon, to be tested, will be accessible to it; a test, generating a phenomenon which signals a fact, must also signal a boolean to indicate that this phenomenon, identifying this fact, is now accessible. Any reader must be equipped to recognise that the boolean has become true and to initiate a test, the test of a generic class applicable, by convention, when that boolean becomes true. Experience of physical design is consistent with this requirement, testing of signals permitted, or initiated, only when relevant physical preconditions have been satisfied: thus an electronic signal may be sampled only after it has come into existence; equally a measurement may validly be taken only when the necessary physical preconditions have occurred. Timing indicators or other signals, necessary to communicate this information, are seen as generated within the test phenomenon. Where signals are short-lived (volatile) testing must be initiated as soon as the boolean becomes true.
This paragraph illustrates the application of the model to repetitive mechanisms, choosing to regard such a mechanism as performing a succession of tests in which each test is a phenomenon which contains another, this latter signalling the truth of a boolean, its end marking the end of one test and the beginning of the next. In a clock the truth of each boolean may be signalled by a "tick"; it may also indicate that the current time reading has become accessible as a fact also generated by that test, each test advancing the time by one unit. A similar chain can describe the behaviour of any physical system which includes a clock, reflecting methods commonly applied by physicists in deriving successive states of systems; successive instructions, when obeyed in a computer, can also be represented as a succession of tests, the outcome of one test again dependent on the outcomes of earlier tests. A digital communications channel may also be regarded as performing a similar succession of tests, each test applied to an incoming message and yielding an output message.
A test may itself be a structure in which tests are interconnected. The mapping performed by a test may or may not be functional: within a test the state of a boolean may be sensed as it is changing or the test may contain a generator of random noise, the outcome of a specific test not uniquely determined by its sensed inputs.
The generic class of a test may specify the conditions, if any, under which tests may be applied to a phenomenon concurrently. A fact, accessible when a generic test of a first class is applied to a phenomenon, may also be accessible in whole or in part when a generic test of some different second class is applied to it, the success of this latter test implying restrictions on the outcome of the former.
2.2 Descriptions of phenomena.
A fact may contain booleans each indicating whether another fact has yet become accessible through it, booleans originating only in this way. These booleans are false when the fact containing them first becomes accessible to other tests; they provide the sole mechanism by which existing knowledge of a phenomenon may be extended, an existing fact extended to embody new facts. Such a boolean indicates, on becoming true, that tests, of the generic class controlled by that boolean, can henceforth be initiated, the boolean identified by the class of generic test by which it may be accessed.
A description, of a phenomenon of a given class, will then be a structure of the form shown in fig 1. In the figure only booleans are shown, other parts of facts not represented. The figure shows booleans as squares, white-filled when false, black-filled when true; it portrays a value of such a structure obtained by identifying, during some arbitrary period of time, the extremities of the structure - booleans which remain false when tested and facts which contain no boolean. Arrows point from each boolean to the booleans contained in the fact to which it gives access. A "path" through such a structure is any chain of booleans in which each boolean gives access to a fact containing its successor. Referring to fig 1 the list [S, A, B, C, D, E] identifies a path: all paths start with the "source" boolean S; any pair of booleans appearing in a given order in any one path will occur in the same order in any other in which both appear. These are the sole constraints on the structure. Time order is defined only within a path; the duration, of a test used to access a fact, may take any value. The truth of the boolean S indicates that the phenomenon, to be described, has begun.
A boolean, on becoming true, indicates that a particular test has been applied and that a fact describing its outcome in whole or in part has become accessible, to tests of generic class associated with that boolean. The data structure must include data to control the interpretation of the physical signals conveying it; knowledge can be acquired only as an extension of existing knowledge.
The Prolog language and notation are now used to express the rules governing such data structures and to provide a means of assigning names to facts. According to these rules a fact is within the structure, and therefore readable, if and only if it has at least one name assigned according to the convention now given. Each name identifies a fact uniquely. The convention specifies that the list [F|G] is a name of a fact now accessible to tests of generic class G, if another fact, having a name F, contains a boolean uniquely identified within F by G, the boolean G now true. This boolean is also identified, uniquely within the structure, by the name [F|G], the boolean assigned the same name as the fact to which it gives access. A fact, here named s, is declared to exist and is the fact from which the structure grows. This "initial fact" s will be accessible through a boolean s which reports the start of the phenomenon described; the fact describes the "initial state" of the phenomenon.
name([F|G]) :- name(F), true(G).
name(s).
The names of facts will then be lists each of the form [s, a, b, .. , r] where a, b, .. , r are the generic classes of tests by which facts, in a path specified by the name, are accessible. A boolean of a given name indicates, when true, that a fact of that name is now accessible. This naming convention will be adopted henceforth.
A second rule states that a fact which has a name F will not also have a different name [F|H] since this would imply that the facts, identified in the list H, initially became accessible both before, and after, the fact F initially became accessible. Facts become accessible in an order common to all the paths in which they appear. Each name of a fact identifies a path to it.
A name [F|_] is said to contain a name F, the symbol _ denoting an unspecified value, here a list which may or may not be empty. The time order, in which two facts became accessible, is defined only if a name of either contains a name of the other, the fact with the longer name said to occur after that with the shorter name.
According to the model a run, of any knowledge-generating system, is then a test occurring in the system and in phenomena accessible to it during the run. It is a self-describing phenomenon, current knowledge of its class expressed in its run-time data (fig 1). A run is initiated when the phenomenon is initiated, for example by switching on; a period of initialisation may follow in which the system is readied for use and is then released from its "initial state", the system allowed to run, an initial boolean now true. Booleans within the initial fact are false initially, becoming true as new facts become accessible within the structure. Testing is adaptive, facts and booleans generated to identify the outcome.
2.3 Inference.
A description of a phenomenon is then a value of a structure of the form set out under 2.2 above and illustrated by fig 1, the value acquired during some arbitrary period of time and bounded by facts which contain no boolean and by booleans which remain false. A method of describing a phenomenon is then specified by a set containing all values of the descriptive structure permitted by that method; the truth set is the set containing every such value capable of describing behaviour of a phenomenon of the described class, and is a subset of those permitted values. It is proposed that ability to reason about the course of physical behaviour requires knowledge of relevant truth sets. A scientific experiment is seen as a phenomenon of a particular class described according to a particular method. Inferences are performed only by tests.
A person can often infer the class of a phenomenon from knowledge that a sample of it has occurred; thus on seeing a bicycle a person can infer the past and future existence of that bicycle, the life of the bicycle. In many cases the beginning of a phenomenon is another phenomenon which, in occurring, implies to a person that the first has begun; thus the start of a period of run-time implies the occurrence of that entire period. A designer will ensure that a mechanism, to describe a phenomenon according to a method appropriate to the class of that phenomenon, starts in response to the beginning of the phenomenon.
2.4 Hierarchy.
Because one phenomenon may contain others a description of behaviour may take a hierarchic structure. In a non-hierarchic description the initial classification is extended to embody values of physical variables as they become available; thus values of such variables as temperature, pressure, colour and population level may be included, each test generating a set of such values which extends knowledge of the class of the phenomenon described. In an hierarchic description the described phenomenon contains a time-varying population of phenomena each requiring its own individual description; thus one phenomenon - a region of air-space existent throughout some period of time - may contain others - a time-varying population of groups of aircraft each with its own identity, position and velocity, groups entering or leaving the airspace region. At this level the population may also vary because groups merge to form one, or because some may split up to form others, each group recognised, while it exists, as constituting a phenomenon to be further described. At the next level of the hierarchy a further description of the group might include the identities of the aircraft present in it, each aircraft a phenomenon to be described further.
A description of a phenomenon of this kind will be expressed as a hierarchy, phenomena with non-hierarchic descriptions occupying its lowest levels. This theory of hierarchy will, if accepted, offer designers an explicit method of formulating logical models on which to base requirement definition and high-level design.
2.5 Real time systems.
2.5.1 Lists and hierarchy.
A real time system is now defined to be a system in which at least one test, of a particular generic class, is repeated indefinitely. Such a system can run for ever, performing a test of unlimited duration. This definition distinguishes real time systems from calculators. A "run" of a real time system is a phenomenon which occurs in that system and in the phenomena accessible to it as it runs. Run-time data are structures according to fig 1; however it is usual to discard those facts which are no longer needed, conserving memory. Such a structure describes past behaviour, the phenomenon self-describing, its tests chosen to meet the requirement. Where inferences of a particular generic class or classes are repeated indefinitely the facts they generate will form lists each accessed only through its "latest entry", as 2.5.2 explains further. Every entry must then be accessible to tests of which the generic classes are common to all entries since until an entry is accessed only its address is known. This requirement does not restrict the derivation of entries; rather it requires entries, thus accessed within a given list, to be readable using tests applicable to all of them.
These lists of entries are the main features of data structures generated in real time systems. Some may report past and present membership of a time-varying population, these occupying the higher levels of a hierarchy; at the lowest levels lists will report other time-varying physical properties of phenomena, only.
Each entry within a list is a data structure of the form set out under 2.2 above. The naming convention, adopted there, is now extended to accommodate lists: within a list named (s, g) the (n+1)th entry, its initial fact and the boolean controlling access to its content, are all assigned the name (s, g, n). The name (s, g, n) is then an abbreviation of the name [s, g, .., g] in which a generic class g appears n times. A fact named s may contain booleans named (s, g, 0), (s, h, 0) ... from which lists named (s, g), (s, h) ... grow.
Fig 2 is in two parts: on the left ellipses represent phenomena. Areas represent regions of space-time, one phenomenon "containing" another where the corresponding ellipse contains that representing the other. The phenomenon s contains phenomena (s, g, 1), (s, g, 2), (s, g, 3) and (s, g, 5) each of which contains further phenomena. Thus the phenomenon s might occur in a region of airspace throughout a period of time; the four phenomena (s, g, 1), ... (s, g, 5) might again consist of groups of aircraft flying through that region within that time, the phenomena within these consisting of individual aircraft within a group.
The right-hand part of fig. 2 shows a part of a data structure which might constitute a particular description of a phenomenon s, a description which may subsequently be extended. Here the boolean marked s is true showing that the phenomenon s has begun; each entry in the list (s, g) reports that a particular phenomenon has entered, or has left, the population, each value of the list giving knowledge of the population during some period of time. The phenomenon (s, g, 1) is described further by a list ((s, g, 1), p); the entry (s, g, 4) might report that another phenomenon, such as (s, g, 2), is now known to have terminated, this knowledge also communicated by the fact [(s, g, 2), j] in a form which may be more convenient though less precise.
2.5.2 Structure in lists.
In order to access the latest entry of a list rapidly it is necessary to record some part of it in a location fixed for that list, a location here defined to be within its first entry. In current designs each new entry normally overwrites its predecessor, each entry written, in its entirety, in a fixed location; an alternative, suggested by the model proposed, is to include, in the entry, the address of its main body, that address kept in the first entry of the list. Entry-bodies can then be kept in lists until no longer needed, remaining accessible within the entry using addresses which identify them uniquely. The boolean, giving access to the latest entry and contained in the first entry, is invisible to software, the hardware identifying the boolean and thus the entry; access may be delayed slightly by the hardware to allow a new entry to become accessible. This structure may represent the latest value of the entire list, each entry-body accessible through its successor as shown in the right-hand part of fig. 3.
Referring to the left-hand part of fig. 3 any (n+1)th entry, within a list accessed in this way, is accessible through an nth boolean contained in its first entry (s, g), the truth of the boolean signalled only while that (n+1)th entry is the latest entry. Assigning the name t(n) to that period of time the boolean, and the fact accessible through it, can be assigned the additional name (s, g, t(n)), the time at which a test is applied determining which fact it will return. This value may extend as shown in the right-hand part of fig. 3; here rectangles represent entry-bodies and arrows represent access paths.
Any period (t(n+ 1)) must, it first appears, begin a finite time after the period t(n) ends, to allow changes in the data to which the booleans give access. However where these data are accessed through a Gray-coded counter giving the address of their entry-point, the counter advanced by changing only one binary digit which represents the boolean at that time, then the address may remain valid continuously provided that no more than one digit may change during a reading of it.
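The Gray-code argument above can be checked by enumeration. This is an added example, not part of the patent: it assumes a simple model in which a reader sampling the address counter during a change may see each changing digit independently in its old or its new state, and all function names are illustrative.

```go
package main

import (
	"fmt"
	"sort"
)

// Gray returns the reflected-binary Gray code of n.
func Gray(n uint) uint { return n ^ (n >> 1) }

// Observable lists every word a reader could sample while a register changes
// from old to next, under the assumption (made for this example) that each
// changing digit may independently be seen in its old or its new state.
func Observable(old, next uint) []uint {
	diff := old ^ next
	seen := map[uint]bool{}
	// Enumerate every subset of the changing digits, including the empty one.
	for sub := diff; ; sub = (sub - 1) & diff {
		seen[old^sub] = true
		if sub == 0 {
			break
		}
	}
	out := make([]uint, 0, len(seen))
	for w := range seen {
		out = append(out, w)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// InvalidReads counts observable words that are neither the old address nor
// the new one, i.e. addresses that were never valid for this list.
func InvalidReads(old, next uint) int {
	n := 0
	for _, w := range Observable(old, next) {
		if w != old && w != next {
			n++
		}
	}
	return n
}

// WorstCase returns the largest InvalidReads over the steps 0->1, 1->2, ...,
// (limit-1)->limit when the counter is stored using encode.
func WorstCase(limit uint, encode func(uint) uint) int {
	worst := 0
	for n := uint(0); n < limit; n++ {
		if c := InvalidReads(encode(n), encode(n+1)); c > worst {
			worst = c
		}
	}
	return worst
}

func main() {
	binary := func(n uint) uint { return n }
	fmt.Println("binary 7->8 may be read as:", Observable(7, 8))
	fmt.Println("Gray   7->8 may be read as:", Observable(Gray(7), Gray(8)))
	fmt.Println("worst case invalid reads, binary:", WorstCase(255, binary))
	fmt.Println("worst case invalid reads, Gray:  ", WorstCase(255, Gray))
}
```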
A list may be accessible to tests of many generic classes, some giving access to facts which exist in some entries but not in others. A test, chosen from these, may be used to access a fact ((s, g, j, G) within the list where G is a list of generic classes, the test reporting whether a value of the fact was found within the entry and applicable to all entries. Thus an entry, within a list, may be assigned many different names of the form (s, g, n), each name identifying that entry uniquely; alternatively the generic class g might be defined to embrace all these tests.
2.6 Concurrency.
Tests, and thus inferences, may produce false conclusions if allowed to proceed concurrently. In a real time system two rules must be observed: the first requires that only one inference may at any time be capable of creating a fact with a particular name. This rule is necessary to avoid an uncontrolled outcome. Various defects may result from failure to observe it: concurrent inferences may generate different values whether or not their generic classes are identical as their determinations, of the current content of a given list of entries, may return different values. One inference may also mutilate facts previously published by another. Defects may also arise from errors in naming entries: where a new entry is to be derived using the previous value or list of values - for example where the next value of a counter is to be derived from a list containing its previous values - concurrent inferences may yield a list in which multiple new entries are created, rather than just one, or in which a valid entry is assigned an invalid name, another entry previously assigned the name which would have been valid. In these cases only one inference may be permitted to identify the latest value of the list for use in generating and attaching the next entry, these operations, to identify the latest value of a given list and to extend it, performed serially.
The second rule requires time order information to be used correctly: there is often a requirement that a fact y, occurring in a data structure after a fact x, should be derived from a value of the structure which includes all facts used in deriving x. In generating a new fact the system should not appear to "forget" information used in generating an earlier fact. Within a list the rule governs only the initial facts within entries, other facts within different entries having no defined time order unless a designer chooses to impose one. The author has not been able to specify precisely the conditions under which this second rule should apply; for example a first list might properly include initial facts derived from another list using tests of two different generic classes of which one introduces a significant delay. The rule should perhaps apply only to the initial facts of those entries, within a list, which contain data to distinguish them from other entries, the data identifying the derivation of these entries alone.
2.7 Consistency in descriptions.
Where the occurrence of a particular phenomenon may be reported in more than one list a reader, reading the latest values of those lists, may find the occurrence already reported in one but not yet in another. Thus if one list reports the history of an elevator and another that of passengers waiting at a floor then a passenger might be reported by the first as having boarded the elevator while the second, not yet up-dated, reports that the passenger is still waiting at the floor. Where such inconsistencies must be avoided it is necessary to read the reports through a single list only, a list in which an entry contains both reports either directly or by reference to values of other lists.
3. Application.
3.1 Control of concurrency.
Methods of observing the rules stated under 2.6 above are now addressed.
3.1.1 First rule.
The first rule requires that a test should claim sole access to a boolean before setting it true and before writing any part of the fact of the same name. Where a fact named (s, g, n+1) is to be written, creating a new entry of that name then the entire list (s, g) must first be claimed, the semaphore named (s, g) and held in its first entry.
Where the new fact is to be derived using a current value of that list then the value must be identified only after the claim has succeeded since the new entry must, for consistency, be attached directly to that value, the latest entry within that value named (s, g, n). Claims may not be released until the new fact exists; they ensure monopoly control of its content.
When applying the rule to facts, other than the initial fact, within an entry, similar precautions may be needed. A protective semaphore named [(s, g, n), G] may be held within the fact (s, g, n) where G is a list of generic classes; this allows different entries, within the list (s, g), to be extended concurrently and different facts, named by different values of G and extending a single entry named (s, g, n), to be generated concurrently.
Where a set of phenomena may merge and/or split it may be necessary to describe how phenomena, existent after merging and splitting, relate to those existent before it; for example a description might state that four groups of aircraft were formed, two identified as formed from one identified group and two from another. For this purpose the test must operate on lists describing current participant phenomena, lists created, terminated or extended as found necessary. In such situations all relevant lists, already existent, must be claimed before any description is changed, concurrent claiming actions protected against deadlock.
3.1.2 Second Rule.
Where the second rule is to apply, for all n, to facts named (s, g, n), that is to the initial facts within entries within a list (s, g), and where these facts are derived using values of a list (c, h) then a semaphore named ((s, g), (c, h)), held in the first entry of either list, may be used to serialise operations in which a value of (c, h) is identified and used in creating a new fact extending the list (s, g). Where that list can be identified only by reading from (c, h), as where an entry in (c, h) identifies the destination (s, g) to which a message must be sent, then the semaphore, held in the first entry of (c, h), must protect the entire set of lists from which (s, g) will be drawn, this protection maintained until the list (s, g) has been claimed according to the first rule.
3.1.3 Choice of semaphores, and deadlock.
In some applications a single semaphore may be used in place of a number of semaphores of the scope described above. Deadlock may occur if two inferences are permitted to claim a given pair of lists in different orders.
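The first rule of 3.1.1 and the claim-ordering point of 3.1.3, as an added Python example that is not part of the patent text: an unclaimed counter list gains two entries with the same value, the claimed one does not, and two inferences moving members between a pair of group lists in opposite directions cannot deadlock because both claim the pair in one fixed order. The class and function names, and the choice of sorting by list name as the fixed order, are assumptions made for the illustration.

```python
import threading
import time
from contextlib import ExitStack, contextmanager

class FactList:
    """A list named (s, g). Its semaphore must be claimed before the latest
    entry is identified and held until the next entry has been attached."""
    def __init__(self, name, first_value):
        self.name = name
        self.semaphore = threading.Lock()
        self.entries = [first_value]

def extend_unclaimed(lst, derive, pause):
    """Breaks the first rule: the latest value is read with no claim held."""
    value = lst.entries[-1]
    pause()                              # another inference may run here
    lst.entries.append(derive(value))

def extend_claimed(lst, derive, pause):
    """Observes the first rule: claim, identify (s, g, n), attach (s, g, n+1)."""
    with lst.semaphore:
        value = lst.entries[-1]
        pause()
        lst.entries.append(derive(value))

@contextmanager
def claim_all(*lists):
    """Claim several lists in one fixed order (sorted by name, an assumption)
    so that no two inferences can hold a pair in opposite orders."""
    with ExitStack() as stack:
        for lst in sorted(lists, key=lambda l: l.name):
            stack.enter_context(lst.semaphore)
        yield

def move_one(src, dst):
    """Split one member off the group described by src and merge it into dst."""
    with claim_all(src, dst):
        src.entries.append(src.entries[-1] - 1)
        dst.entries.append(dst.entries[-1] + 1)

def run_concurrently(*jobs, timeout=5.0):
    """Run the jobs on separate threads; True if all finished in time."""
    threads = [threading.Thread(target=job, daemon=True) for job in jobs]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout)
    return not any(t.is_alive() for t in threads)

def counter_demo(extend, pause):
    """Two inferences each derive the next counter value from the latest one."""
    counter = FactList(("counter", "value"), 0)
    step = lambda: extend(counter, lambda v: v + 1, pause)
    run_concurrently(step, step)
    return counter.entries

def merge_split_demo(rounds=200):
    """Opposite-direction moves between two group lists (constructed data)."""
    a = FactList(("group", "a"), rounds)
    b = FactList(("group", "b"), rounds)
    forward = lambda: [move_one(a, b) for _ in range(rounds)]
    backward = lambda: [move_one(b, a) for _ in range(rounds)]
    finished = run_concurrently(forward, backward)
    return finished, a.entries[-1], b.entries[-1]

if __name__ == "__main__":
    both_read_first = threading.Barrier(2)   # forces the faulty interleaving
    print(counter_demo(extend_unclaimed, both_read_first.wait))
    print(counter_demo(extend_claimed, lambda: time.sleep(0.01)))
    print(merge_split_demo())
```

The barrier is only a device to make the faulty interleaving repeatable; in a running system the same outcome appears intermittently, which is why it is hard to find by testing.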
3.1.4 An example.
Seat-reservation systems are a particular case where a method, here proposed, has already been adopted. The behaviour of each seat is described by a list, each entry relating to a session and containing a boolean to indicate whether the seat is yet reserved for that session. A semaphore controls access to the boolean and thus to any fact accessed through it.
3.1.5 Detecting completion of concurrent inferences.
Where concurrent inferences are used to derive one or more facts a semaphore may be used to count the number of these inferences currently in progress, its content increased by one before an inference is initiated and reduced by one after it has completed. Where the inference, initiating other inferences, is treated as one of the concurrent inferences then the semaphore will return to zero only after the initiating inference, and all inferences initiated by it, are complete. A structure, designed in this way, may contain similar structures each with its own semaphore; inferences may also be obeyed conditionally. There is then no need for an inference to await the completion of others, each inference terminating on completion and thus allowing hardware to be redeployed. In applications where the number of inferences, to be initiated, is known at design-time then the semaphore can be set to that number initially, counted down as each inference becomes complete. The semaphore may be held in workspace accessible to the inferences using it, or in the data structure.
Use of this method, in place of cooperative communication between concurrent threads, avoids the need for one inference to wait for another and allows each inference to be specified as a self-contained module. Unlike cooperative communication it is symmetrical, any inference permitted to terminate last.
3.1.6 Resource management.
The work-load of a system consists now of inferences, each inference requiring a resource, a period of processor-time. At this level requests may be held in one or more queues; a processor, on becoming idle, performs a new inference in response to a queued request, that request marked as answered and later as completed. Access to a queue must first be claimed. Requests generated within the system may be processed to form the queues. At the next level time-slicing may also be used, performance interrupted at intervals to allow processors to respond to revised queues, the performance of some inferences suspended to accommodate more urgent requests. Inferences may equally be implemented as procedures called by an operating system which manages resources; one processor may send an interrupt signal to another, redeploying it.
These mechanisms ensure that each requested inference is performed no more than once.
3.2 Other aspects of methods.
An inference is implemented as a program initiated to operate on lists named to it, the program appending, where required, new entries to some of these lists. Each list is generated by repeated initiation of its generative program or programs. A physical processor, having performed an inference, becomes idle, available to perform others.
Provided that programs employ semaphores to protect against malfunction due to concurrency they may be initiated, to describe a current phenomenon, at times chosen arbitrarily. Response time performance is then determined by the times at which programs are initiated and by the rapidity with which they are performed, the facilities independent of response-time. A program may therefore be initiated whenever a new entry appears in any list within a set chosen by a designer; one program may also initiate others. Thus initiation may occur whenever a relevant fact becomes known, or through the occurrence of an "external interrupt" signal; timing signals may also serve to generate time-keeping lists used for initiation. A program may be interrupted provided that the resulting delay remains acceptable; an operating system may also intervene to optimise response-time performance. This arrangement allows the number of requests, for a specific operation, to be counted, the count increased as each request is generated and reduced as each request is answered; thus one request may be generated for each incoming message awaiting processing. However in many situations a single initiation will suffice to satisfy all outstanding requests for a particular inference, each initiation generating the latest-available description.
A project starts by identifying the generic class of the test to be performed whenever the system runs, identifying the classes, and hierarchy, of phenomena which are to be tested at run-time, as set out under 2.4 above, establishing a high-level model. A requirement for a test, whether simple or complex, may then be specified in a functional language such as Prolog, identifying the lists to be employed and the rules governing their content. Restrictions on concurrency must be taken into account in such a specification. Response-time specifications are then stated; modelling, if used, is based on approximate estimates of the time durations of inferences, these times chosen freely. Tests are implemented as programs, controlling concurrency using the techniques set out above. The approach to formal methods is simplified, logical design and response-time performance treated independently.
Designers may choose to combine lists to form a lesser number or to form one list only; however combination imposes increased constraints on concurrency, limiting response-time performance and making the hierarchic structure less transparent; they may also hide hierarchic structure by providing a number of lists sufficient to meet all eventualities, each list marked to show whether it is in use and if so what role it is fulfilling.
3.3 Recycling memory.
An approach to this problem is now summarised.
Any set of facts may be deleted when it no longer forms part of the run-time data structure and when it is no longer in use in any current inference. In a non-hierarchic list (2.4 above) all data, required by a new reader, may be held in the latest entry, only this entry remaining within the structure and thus accessible to new readers; a message, within a list of messages awaiting processing, remains within the structure only while accessible through the latest entry in a list of pointer-values. In a hierarchic list each entry may be removed from the structure when the phenomenon, identified by that entry, has become complete or when some other condition, specific to the application, is satisfied. A set of facts, accessible by reference as in 2.7 above, must also be retained until it becomes inaccessible to new readers. Any set of facts is deleted only after becoming inaccessible to new readers.
Each set of facts may then have a semaphore which counts its current users, deletion performed only when this number has fallen to zero. Some sets of facts will have no users when they have been inaccessible to new readers for some particular period of time. In a list of successive pointer-values, the list used to control processing of the entries of another list, only the latest pointer-value is ever needed, other entries discarded.
4. Discussion and conclusions.
Applying the scientific method a model has been set out to explain how information originates in physical systems. The model appears consistent with experience, explaining why human knowledge of physical behaviour is selective and how inference may be performed, the model consistent with the widely-held belief that intelligence may have evolved through natural selection; the model also explains why the behaviour of a real time system is not uniquely predictable and why constraints, on concurrency in performing logical operations, are needed. Since the physical sciences relate to knowledge originating from human observation the work may have a broader relevance. The concept that one phenomenon may "contain" another may not be adequate to describe phenomena of very small scale in which quantum theory and superposition become significant.
The author's study of this subject was motivated by experience in managing real time computer projects; recognising that the methods of that time had no foundation in physics he adopted the traditional approach of returning to first principles. Since then methods have been elaborated rather than revised, complex projects still hazardous. The proposals explain this experience and offer remedies, the first an hierarchic approach to structure recognition, the resulting model serving as a base for requirement definition, for performance simulation and for high-level design, the second an approach to concurrency in which the conventional use of cooperative communication between concurrent threads is discarded. The proposals are intended to apply consistently to all phases of projects and to reflect scientific understanding.
REFERENCES
SANDEN B AND ZALEWSKI J, 2006. Designing state-based systems with entity life modelling, in J. Syst. and Softw. Vol. 79 Issue 1 Jan pp 69-78.
DENNIS J B, 1980. Data Flow Supercomputers, in IEEE Comp. Vol. 18 No. 11, pp 48-56.
YOUNG A P, 2009. Information science and technology as applications of the physics of signalling.
The technical paper ends at this point.
The invention.
The invention claims equipment and methods in which a set of operations, such as the obeying of computer programs, may proceed concurrently generating information a semaphore which, when tested, indicates whether all operations within the set have run to completion at that time. The semaphore might, for example, contain a count of the number of operations which remain incomplete. A semaphore may be held in memory accessible to all operations, for example in workspace, each set of operations employing its own semaphore to test completion.
Where the number of operations in the set is known at design-time the semaphore may be set, initially, to that number. In the general case each operation may claim the semaphore initially, advancing and then releasing it, and may end by claiming the semaphore again, reducing it, then releasing it and testing whether the operation is the last to test the semaphore, the outcome of each test selecting the course of the operation in which it occurs.
Where an operation is performed conditionally the same mechanism can be used as operations, when not performed, do not advance, nor reduce nor test, the semaphore. An operation may itself consist of a set of operations which may proceed concurrently, using its own semaphore to identify the last operation, within the set, to become complete. In this way a set of operations, proceeding concurrently, becomes equivalent to a single operation; conditional performance of operations is also permitted.
An operation, within a set of operations proceeding concurrently, may initiate other operations within the set, the semaphore now used to ensure that initiation is complete before any test, of the semaphore by an operation within the set, can be satisfied. These methods allow concurrency to be used simply and freely in the design of software, avoiding the need for one operation to await the completion of another. One set of concurrent operations may contain others, operations obeyed conditionally or unconditionally, a test succeeding only after all operations, within the set, have been initiated.
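The completion test described here and in 3.1.5, as an added Python example that is not part of the patent text: every operation advances a claimed counter when initiated and reduces and tests it on finishing, so whichever operation finishes last continues the work and none waits for another. Setting `initiator_counts=False` shows the fault the text guards against, where a fast operation reaches zero before initiation is complete; all names, the `done` callback convention and the `pause` hook are assumptions made for the illustration.

```python
import threading

class CompletionSemaphore:
    """Count of operations still incomplete; claimed for every change."""
    def __init__(self):
        self._claim = threading.Lock()
        self._count = 0

    def advance(self):
        with self._claim:
            self._count += 1

    def reduce_and_test(self):
        """Reduce the count; True only for the operation that finishes last."""
        with self._claim:
            self._count -= 1
            return self._count == 0

def run_set(operations, on_complete, initiator_counts=True, pause=lambda: None):
    """Initiate every operation on its own thread, then return without waiting.
    Each operation is handed done(); the call that reaches zero runs on_complete."""
    sem = CompletionSemaphore()

    def done():
        if sem.reduce_and_test():
            on_complete()

    if initiator_counts:
        sem.advance()              # the initiator is itself one of the set
    for op in operations:          # an operation not performed is simply absent
        sem.advance()
        threading.Thread(target=op, args=(done,), daemon=True).start()
        pause()                    # demo hook only
    if initiator_counts:
        done()                     # initiation is complete

def count_completions(initiator_counts):
    """Three fast operations and a slow initiator; returns how many times
    completion was signalled (it must be exactly once)."""
    fired, ran = [], threading.Semaphore(0)

    def leaf(done):
        done()
        ran.release()

    # pause=ran.acquire makes the initiator slower than each operation it starts.
    run_set([leaf] * 3, lambda: fired.append(1), initiator_counts, pause=ran.acquire)
    return len(fired)

def nested_trace(include_c):
    """Set {a, B, c?} where B is itself a set {b1, b2}; returns the event log."""
    log, claim, finished = [], threading.Lock(), threading.Event()

    def note(text):
        with claim:
            log.append(text)

    def leaf(name):
        def op(done):
            note(name)
            done()
        return op

    def set_b(done):               # a set of operations acting as one operation
        def b_complete():
            note("B complete")
            done()
        run_set([leaf("b1"), leaf("b2")], b_complete)

    def all_complete():
        note("all complete")
        finished.set()

    ops = [leaf("a"), set_b] + ([leaf("c")] if include_c else [])
    run_set(ops, all_complete)
    finished.wait(5.0)             # only the demo's caller waits, not the operations
    return log
```

The order of the leaf entries in the log varies between runs; what is fixed is that "B complete" follows both of B's operations and "all complete" comes last.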
The invention also claims equipment and methods in which detection, of completion of concurrent operations, is used in conjunction with technology which was disclosed in my British patent number GB2398140; this technology comprises a method of ensuring that facts, extending a data structure, are created under the sole control of a single operation, and a method of ensuring that values of a first list, used in deriving entries within a second list, are obtained in a controlled time order.
Examples of the application of the method are given in this description; other implementations, within the scope of the Claims, are possible.
GB0917998A 2009-06-08 2009-10-14 Control of concurrency in real time systems by claiming and testing semaphores Withdrawn GB2470970A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB201007770A GB2470809B (en) 2009-06-08 2010-05-10 Control of concurrency in real time systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0909701A GB0909701D0 (en) 2009-06-08 2009-06-08 Testing completion of concurrent logical operations

Publications (2)

Publication Number Publication Date
GB0917998D0 GB0917998D0 (en) 2009-12-02
GB2470970A true GB2470970A (en) 2010-12-15

Family

ID=40936964

Family Applications (3)

Application Number Title Priority Date Filing Date
GB0909701A Ceased GB0909701D0 (en) 2009-06-08 2009-06-08 Testing completion of concurrent logical operations
GB0917998A Withdrawn GB2470970A (en) 2009-06-08 2009-10-14 Control of concurrency in real time systems by claiming and testing semaphores
GB201007770A Expired - Fee Related GB2470809B (en) 2009-06-08 2010-05-10 Control of concurrency in real time systems

Country Status (1)

Country Link
GB (3) GB0909701D0 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040268355A1 (en) * 2003-04-24 2004-12-30 Stmicroelectronics Sa Method of executing concurrent tasks by a subsystem managed by a central processor
US20070179936A1 (en) * 2006-01-31 2007-08-02 International Business Machines Corporation Method and system for utilizing shared numeric locks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6058465A (en) * 1996-08-19 2000-05-02 Nguyen; Le Trong Single-instruction-multiple-data processing in a multimedia signal processor
US6769122B1 (en) * 1999-07-02 2004-07-27 Silicon Graphics, Inc. Multithreaded layered-code processor
US7080376B2 (en) * 2001-09-21 2006-07-18 Intel Corporation High performance synchronization of accesses by threads to shared resources
US8321868B2 (en) * 2008-01-08 2012-11-27 International Business Machines Corporation Method for counting events in a computer system

Also Published As

Publication number Publication date
GB0909701D0 (en) 2009-07-22
GB201007770D0 (en) 2010-06-23
GB2470809B (en) 2011-06-15
GB2470809A (en) 2010-12-08
GB0917998D0 (en) 2009-12-02

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)