Distributing concurrent Ada programs by source translation

This paper tackles the practical aspects of obtaining a distributed version of an Ada program. It proposes the use of an adapter, which can be a methodology or an automatic translator. The adapter accepts source of a concurrent Ada program, adds communication and control tasks, and produces source for a single distributed Ada program, which can then be compiled and run on a multi-processor computer. The original program can consist of packages and tasks, and both of these can be classed as virtual nodes. The process of adaption does not alter the contents of any package in the original program, so that the method is directly applicable to systems that make use of library and generic packages. The communication between virtual nodes, which would normally reside as one per processor, is via messages on a ring, but the protocols are kept as simple as possible, and the messages are fully checked Ada types, rather than byte strings. The method has been applied to programs of the client-server model, and could be adapted for other rendezvous-based languages such as occam.     

A comparative study of task communication in ada

A previous paper compared the mechanisms for process communication in Hoare's communicating sequential processes and in Brinch Hansen's distributed processes, by both qualitative and quantitative analyses. This paper extends these analyses to the corresponding features for communication between tasks in Ada. The similarity between Ada's features and Hoare's proposals is confirmed, but some limitations on non-determinism in Ada are noted.     

Domain semantics of possibility computations

The purpose of this paper is to introduce a kind of computational model, called possibility computation, to deal with non-determinism. Both its denotational and logical semantics in the framework of domain theory are established and their equivalence is verified. In this approach, the denotational semantics will be set up by assigning to programs possibility state transformers, i.e., Scott-continuous functions from the domain of input states to the possibility powerdomain of the codomain of final states. This possibility powerdomain of a dcpo will consist of all possibility valuations, ordered pointwise, of this dcpo. The logical semantics will be given by fuzzy predicate transformers introduced by the first author and Jung following Dijkstra’s predicate transformers. Two semantics equivalence will be verified in terms of the integration of fuzzy predicates with respect to possibility valuations. The categorical monad of the possibility powerdomain will be investigated.     

Diagnosability of Discrete Event Systems with Modular Structure

The diagnosis of unobservable faults in large and complex discrete event systems modeled by parallel composition of automata is considered. A modular approach is developed for diagnosing such systems. The notion of modular diagnosability is introduced and the corresponding necessary and sufficient conditions to ensure it are presented. The verification of modular diagnosability is performed by a new algorithm that incrementally exploits the modular structure of the system to save on computational effort. The correctness of the algorithm is proved. Online diagnosis of modularly diagnosable systems is achieved using only local diagnosers. *Olivier Contant is now working at Microsoft Corporation.     

ARTK-M2: A kernel for Ada tasking requirements: An implementation and an automatic generator

A run-time kernel, ARTK-M2, supporting Ada tasking semantics is discussed; full support for task creation, synchronization, communication, scheduling, and termination is provided, together with all options of the Ada rendezvous. An implementation in Modula-2 is presented and a method for automatically translating Ada programs into semantically equivalent Modula-2 programs with corresponding kernel calls is introduced. A parser generator and an attribute grammar were used for the automatic translation. A subset of the Ada Compiler Validation Capability was processed to test the implementation and to illustrate the translation mechanism. The kernel is applicable to the study of real-time control systems; it can also serve as a baseline for studying implementation alternatives of Ada concepts, such as new scheduling algorithms, and for analysing new language constructs. Work is under way to implement some of the changes to the Ada tasking model being proposed as a result of the language revision (Ada9X). Finally, through proper extensions, ARTK-M2 can form an integral part of programming tools such as an Ada compilation system and a distributed kernel for multi-processing environments.     

The distributed ada run-time system darts

A distributed Ada run-time system, DARTS, is presented. DARTS is used with a source code transformation method for pre-partitioning, and it also allows a late configuration. A single program can be partitioned to run on a loosely coupled multiprocessor system. The distributed units are tasks, task objects, packages, variables, procedures and functions. Task objects can by dynamically distributed. High fault tolerance is assured by unit redistribution. Design decisions, implementation details and ideas are presented.     

Two implementation relations and the correctness of communicating replicated processes

This paper studies the correctness of distributed systems made up of replicated processes that communicate by message passing. Processes are described within the divergence model of CSP. The notion of correctness introduced is based on a relation that formally expresses the conformance of an implementation process with the target process it is intended to implement. A weak and a strong version of the relation are introduced, aimed at treating acyclic and cyclic process networks respectively. Both allow the study of (total) correctness and may cope with non-deterministic targets and implementations.We then show how a target process may be implemented (in the formal sense introduced) by replicating it in a set of copies, a majority of which is non-faulty.     

A Mechanical Analysis of Program Verification Strategies

We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies in the logic of the ACL2 theorem prover. Based on our formalization, we prove that each strategy is both sound and complete. The completeness result implies that given any proof of correctness of a sequential program one can derive a proof in each of the above strategies. The soundness and completeness theorems have been mechanically checked with ACL2.     

Experience with modularity in consul

The use of modularity in the design and implementation of complex software simplifies the development process, as well as facilitating the construction of customized configurations. This paper describes our experience using modularity in Consul, a communication substrate used for constructing fault-tolerant distributed programs. First, Consul is presented as a case study of how modularity is feasible in both the design and the implementation of such systems. Secondly, general lessons about modularity in fault-tolerant systems based on our experience with Consul are given. Issues that are addressed include deciding how the system is divided into various modules, dealing with problems that result when protocols are combined, and ensuring that the underlying object infrastructure provides adequate support. The key observation is that the modularization process is most affected by dependencies between modules, both direct dependencies caused by one module explicitly using another's operation and indirect dependencies where one module is affected by another without direct interaction. Although our observations are based on designing and implementing Consul, the lessons are applicable to any fault-tolerant distributed system.     

A differential semantics for jointree algorithms

A new approach to inference in belief networks has been recently proposed, which is based on an algebraic representation of belief networks using multi-linear functions. According to this approach, belief network inference reduces to a simple process of evaluating and differentiating multi-linear functions. We show here that mainstream inference algorithms based on jointrees are a special case of the approach based on multi-linear functions, in a very precise sense. We use this result to prove new properties of jointree algorithms. We also discuss some practical and theoretical implications of this new finding.     

基于Agent的Ada95分布计算调度算法

为实现Ａｄａ９５的分布并行计算,本语文探讨了如何利用Ａｇｅｎｔ实现分 计算的基本模型,提出了一个综合考虑计算量、通讯量的预分配算法和基于Ａｇｅｎｔ的动态负载平衡算法,预分配算法旨在均匀分配计算量的减少分布单元间的通讯开销,基于Ａｇｅｎｔ的动态负载平衡算法是为了弥补静态分配的不足,根据各工作站完成的计算量来进行均衡调度。     

Distributed speculative execution for reliability and fault tolerance: an operational semantics

This paper examines the use of speculations, a form of distributed transactions, for improving the reliability and fault tolerance of distributed systems. A speculation is defined as a computation that is based on an assumption that is not validated before the computation is started. If the assumption is later found to be false, the computation is aborted and the state of the program is rolled back; if the assumption is found to be true, the results of the computation are committed. The primary difference between a speculation and a transaction is that a speculation is not isolated—for example, a speculative computation may send and receive messages, and it may modify shared objects. As a result, processes that share those objects may be absorbed into a speculation. We present a syntax, and an operational semantics in two forms. The first one is a speculative model, which takes full advantage of the speculative features. The second one is a nonspeculative, nondeterministic model, where aborts are treated as failures. We prove the equivalence of the two models, demonstrating that speculative execution is equivalent to failure-free computation.     

Remote rendezvous

BNR Pascal is a systems programming language intended for the implementation of the systems software of distributed computing systems. It supports the Ada Rendezvous model of tasking and communication, uniformly extended to support communications between tasks distributed over the computing nodes of a system. BNR Pascal was designed and implemented in 1980, and has since been used to implement the operating systems and real-time applications software for Northern Telecom's Meridian family of products. In total, more than 2 million lines of BNR Pascal exist. This paper describes the BNR Pascal remote rendezvous: the extension of rendezvous to interprocessor communication. It discusses the implementation of remote rendezvous, describing the advantages and disadvantages of several options. Finally, it details BNR's experience in using remote rendezvous in building substantial, practical distributed systems used in products.     

Causal Message Sequence Charts

Scenario languages based on Message Sequence Charts (MSCs) have been widely studied in the last decade. The high expressive power of MSCs renders many basic problems concerning these languages undecidable. However, several of these problems are decidable for languages that possess a behavioral property called “existentially bounded”. Unfortunately, collections of scenarios outside this class are frequently exhibited by systems such as sliding window protocols. We propose here an extension of MSCs called causal Message Sequence Charts and a natural mechanism for defining languages of causal MSCs called causal HMSCs (CaHMSCs). These languages preserve decidable properties without requiring existential bounds. Further, they can model collections of scenarios generated by sliding window protocols. We establish here the basic theory of CaHMSCs as well as the expressive power and complexity of decision procedures for various subclasses of CaHMSCs. We also illustrate the modeling power of our formalism with the help of a realistic example based on the TCP sliding window feature.     

A modular drinking philosophers algorithm

Summary A variant of the drinking philosophers algorithm of Chandy and Misra is described and proved correct in a modular way. The algorithm of Chandy and Misra is based on a particular dining philosophers algorithm and relies on certain properties of its implementation. The drinking philosophers algorithm presented in this paper is able to use an arbitrary dining philosophers algorithm as a subroutine; nothing about the implementation needs to be known, only that it solves the dining philosophers problem. An important advantage of this modularity is that by substituting a more time-efficient dining philosophers algorithm than the one used by Chandy and Misra, a drinking philosophers algorithm withO(1) worst-case waiting time is obtained, whereas the drinking philosophers algorithm of Chandy and Misra hasO(n) worst-case waiting time (forn philosophers). Careful definitions are given to distinguish the drinking and dining philosophers problems and to specify varying degrees of concurrency. Jennifer L. Welch received her B.A. in 1979 from the University of Texas at Austin, and her S.M. and Ph.D. from the Massachusetts Institute of Technology in 1984 and 1988 respectively. She has been a member of technical staff at GTE Laboratories Incorporated in Waltham, Massachusetts and an assistant professor at the University of North Carolina at Chapel Hill. She is currently an assistant professor at Texas A&M University. Her research interests include algorithms and lower bounds for distributed computing.Much of this work was performed while this author was at the Laboratory for Computer Science, Massachusetts Institute of Technology, supported by the Advanced Research Projects Agency of the Department of Defense under contract N00014-83-K-0125, the National Science Foundation under grants DCR-83-02391 and CCR-86-11442, the Office of Army Research under contract DAAG29-84-K-0058, and the Office of Naval Research under contract N00014-85-K-0168. This author was also supported in part by NSF grant CCR-9010730, an IBM Faculty Development Award, and NSF Presidential Young Investigator Award CCR-9158478This author was supported by the Office of Naval Research under contract N00014-91-J-1046, the Advanced Research Projects Agency of the Department of Defense under contract N00014-89-J-1988, and the National Science Foundation under grant CCR-89-15206. The photograph and autobiography of Professor N.A. Lynch were published in Volume 6, No. 2, 1992 on page 121     

A Space-Aware Bytecode Verifier for Java Cards

The bytecode verification is a key point of the security chain of the Java Platform. This feature is optional in many embedded devices since the memory requirements of the verification process are too high. In this paper we propose a verification algorithm that remarkably reduces the use of the memory by performing the verification during multiple specialized passes. The algorithm reduces the type encoding space by operating on different abstractions of the domain of types. The results of the experiments show that this bytecode verification can be performed directly on small memory systems.