Composite programs: hierarchical construction, circularity, and ...

320

IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 17, NO. 4, APRIL 1991

Composite Programs: Hierarchical Construction, Circularity, and Deadlocks Waleed A. Muhanna

presumed to be known apriori and to remain static. At run-time, each link behaves as a bounded first-in-first-out (FIFO) queue carrying data items from an output port of a producer process to an input port of a consumer process. It turns out, for instance, that most programs designed to implement mathematical models for decision support fall into this class.' A composite program is constructed by specifying its constituent component programs together with their coupling structure. The result is a finite directed multigraph whose nodes represent the individual instances of component programs and whose arcs depict how the outputs of one component program are fed to the inputs of others. When this graph (communication Index Terms- Deadlock prediction, deadlock prevention, distributed structure) is acyclic, the sequencing (i.e., execution order) can systems, hierarchical design, model management systems, modularity, be automatically determined by the system from the input/output safety. dependencies of the component programs using a simple topological sorting procedure [l].Operationally, it is not even necessary to perform a topological sort, as automatic sequencing is achieved I. INTRODUCTION T has been recognized for some time that many algorithms by a simple data availability rule which can be implemented in a variety of scheduling strategies based on the mode of execution and systems are often more elegantly and easily expressed by concurrent programs. A concurrent program is composed of two (e.g., parallel or quasiparallel) [20]. A difficulty arises when cycles are present in the graph, as or more sequential programs that may be executed concurrently this means that the component program instances (processes) as parallel processes cooperating to achieve a common goal are not partially ordered by their input/output dependencies. The [2]. A distributed program is a concurrent program in which separate processes may execute on physically separate computing presence of cycles also means that a group of processes may get elements. In order that concurrent programs be designed in involved in a communication deadlock. There are two situations reasonable time, a structured design methodology should be in which a communication deadlock can occur. The first is one employed. We consider an approach that involves the use of in which each member process of the group is waiting for some other member to communicate with it, but that other member is multiple levels of abstraction, where at each level the system is not attempting to do so. The second situation occurs when the viewed as a network of processes cooperating (i.e., communicating and synchronizing) by passing messages. With this view, communication mode is neither synchronous nor asynchronous, many of the simplifying concepts used in the design of sequential but rather between these two extremes. This communication programs, such as stepwise refinement and data abstraction [7], mode is called buffered message passing [2], in which the buffer can be brought to bear in the design of concurrent and distributed has finite bounds, allowing the sender to get ahead of the receiver, but not arbitrarily ahead. When buffered message passing is programs. This paper concerns the process of concurrent program as- used, a deadlock may occur in which all processes in a cycle sembly and the capabilities that must be supported to facilitate are waiting for message buffers in their respective links to this process. We envision a graph-oriented, nonprocedural, de- become available. The effort reported in this paper aims largely velopment environment where novice and occasional users who at addressing these two types of communication deadlock. In are not programmers may construct new concurrent programs by particular, the goal is to find methods for automatic treatment of simply coupling a collection of existing component programs. cyclic composite programs. Such methods would form an integral We focus on a restricted class of concurrent programs, hence- part of an environment for composite program construction. Deadlock is a phenomenon that has received much attention forth termed composite programs, in which component programs communicate with each other by passing messages through one- in the operating systems and database literature. A deadlock is way communication channels called links. It is assumed that generally defined as the permanent blocking of two or more each component program has a static set of input and output processes in a system because of requirements that can never ports. In addition, the intercomponent communication structure is 'The problems associated with the development and management of mathematical models have given rise to the concept of Model Management Manuscript received August 1, 1989;revised November 12, 1990.Recom- Systems (MMS) [3],[9]-[ll],[21],1251.A MMS is to models what a DBMS mended by N. A. Habermann. is to data. The primary objective of an MMS is not only to provide for The author is with the Faculty of Management Information Systems, Ohio the storage, retrieval, and manipulation of models, but also to facilitate their State University, 1775 College Road. Columbus, OH 43210. construction, usage, and maintenance. The efforts reported herein are directly IEEE Log Number 9042423. applicable-but not limited t-MMS in a decision support environment.

Abstract-This paper considers a graph-oriented, nonprocedural, development environment where new composite programs are constructed by coupling a collection of existing component programs, each of whose interface is defined by a fixed number of input ports and output ports. When the coupling graph is cyclic there is the possibility of a deadlock. The intent of this paper is to present a system that permits hierarchical construction of programs, while testing (via a simple algebraic procedure) the resulting composite programs for communication deadlocks. Specifically, the paper: 1) describes a decomposition-based approach to cycle enumeration; 2) presents a formal, graph-theoretic, model of communication behavior for a class of atomic programs. The model is then used to derive necessary and sufficient conditions for a deadlock to arise in a cycle; and 3) describes techniques for dealing with a special class of deadly cycles, once identified.

I

0098-5589/91/040(M320$01.00 01991 IEEE

MUHANNA: COMPOSITE PROGRAMS

be satisfied. Policies for coping with deadlock generally fall into three categories [6]: prevention, detection and recovery, and avoidance. Prevention methods are based on denying at least one of four conditions, all of which are necessary for deadlock to occur [ 181, [22]: mutual exclusion, resource nonpreemption, resource waiting, and partial allocation. The second category of deadlock policies is detection and recovery. Numerous algorithms have been proposed for deadlock detection in both centralized and distributed environments [5], [19], [23]. A third class of deadlock policies, called avoidance, refers to methods that rely on some knowledge of future process behavior to constrain the pattern of resource allocation, the most well-known example of which is the banker's algorithm [8], [16]. If deadlock is ignored during a composite program design process, it must later either be prevented from occurring or detected and recovered from by some mechanism. Various schemes for preventing communication deadlocks in store-and-forward networks have been proposed [14], [15]. While these schemes effectively prevent deadlocks in the transport layer of the underlying network, they do not (nor are they intended to) address communication deadlocks between processes comprising a distributed system. (These schemes are needed, however, to prevent a buffer deadlock between two or more processes from propagating into the data transport system of the network and causing permanent blockage of other, completely unrelated processes in the net.) It is therefore not clear how prevention techniques can be applied to communication deadlocks in composite programs. Detection or avoidance strategies do remain as viable options. By itself, a detection strategy is inadequate for an environment designed to effectively support the composite-program development process. First, it says nothing about the source of the problem and how to deal with it. Second, executing a composite program just to determine if it will run to completion could be very expensive, since the components may run for a long time before they deadlock (e.g., if one is a large, computationally intensive simulation model). Third, we wish to make it easier for both programmers and nonprogrammers to compose new programs. A deadlock in a composite program may arise due to design errors. Such errors should be detected whenever possible, and warning messages, identifying the source of each error, should be generated without having to execute the program. In essence, deadlock avoidance in this context reduces to deadlock prediction. The intent of this paper is to present a system which employs a graph-oriented approach for constructing composite programs hierarchically, while testing (via a simple algebraic procedure) the resulting composite program for communication deadlocks. Formal, more abstract, models known as Petri nets [26] have been used in the past to model concurrent programs hierarchically and then analyze the resulting model for properties such as liveness and safeness [12], [30]. The analysis in general requires knowledge of the reachability set of the Petri net, a problem which (except for special cases) is known to have exponential time and space complexity [26]. Compared to Petri nets, the graph model presented here is more concrete but less descriptive, in that it is intended to represent a restricted form of communication behavior for processes involved in cycles: each component process starts with an initialization section and then enters a loop section, where it iteratively reads messages from a subset of its input ports and generates output messages which are sent through a subset of its output ports. Communication activities are asynchronous and data-independent. Despite these restrictions, we show that

321

the model can be used to represent many problems. More importantly, however, we analyze the model and derive necessary and sufficient conditions for communication deadlocks to occur in cyclic composite programs. Based on these conditions, a simple algebraic test is developed for predicting such deadlocks. The rest of this paper is structured as follows. Section I1 furnishes some terminology which are necessary for later discussion. It illustrates the notions of coupling and hierarchical construction both via some simple examples and a mathematical formalism. Section 111 presents a comprehensive approach for automatic cycle treatment. More specifically, we: 1) propose a decompositionbased techniques for cycle enumeration; 2) present a formal, graph-theoretic, model for the description and analysis of a special class of composite programs (briefly described above) and use it to derive necessary and sufficient conditions for a deadlock to arise in a cycle; and 3) describe techniques for dealing with deadly cycles, once identified, and for improving the efficiency of their execution, once the cycles have been resolved. Finally, our conclusion as well as few comments about our approach and further research questions are given in Section IV. Standard terminologies from graph theory are used throughout this paper (Appendix A).

11. HIERARCHICAL CONSTRUCTION OF COMPOSITE PROGRAMS In this section, we describe the problem first informally through a set of simple examples. A formal characterization of composite programs is then presented to set the stage for a formal treatment of the problem of deadlock prediction.

A . Examples Intuitively, a cyclic' composite program is one where the input of one of its component programs is determined by a set of other component programs that take some output of that component as their input. Some might consider this to be a condition that would only arise in ill-defined programs. In this section, three examples of cyclic composite programs are given. Our aim is to illustrate two points: 1) cycles in composite programs are in fact quite useful and sometimes necessary for modeling or implementing distributed systems; and 2) there are situations where cycles, in a composite program coupling graph, are in fact benign (i.e., they do not give rise to a deadlock situation). The three examples below are all of programs that implement simple mathematical models relating some output variables to given input variables. The reasons behind this choice of examples are: 1) these are simple programs which can readily illustrate the issue at hand; and 2) the deadlock prediction and resolution technique to be presented in Section 111 is directly applicable to this class of composite programs. Consider programs that model decision-making processes in decentralized organizations. In such programs, cycles are needed to represent the passing of information between organizational subsystems (units) to achieve coordination. As an example, models for resource allocation in decentralized organizations commonly appear in the management science/economics literature. These models are typically formulated with a central unit coordinating the activities of the organization by allocating resources based on prices generated by the subordinate organizational units. Fig. 1 depicts a composite cyclic program that models this decision-making process in a decentralized organization. The central unit first communicates an initial resource allocation *We use the term cycle to refer to elementary circuits in a graph (Appendix A).

IEEE TRANSACTIONS ON SOFIWARE ENGINEERING, VOL. 17, NO. 4, APRIL 1991

322

+ L

MARKET 01 Dist 02

-+

.Volmes

I

v There are m reswrces IO be allocaled U, n operamg u n m R = v e ~ U l rof maximum quantities available of the m u ~ c c s . L = [lix I. whue /,k represents the optimum allocationof resource # to unit k

Unit t‘s problem: MAX cx sr.

Supply

Demand

P

P

+

Ax < Lx

c is the profit margin of product I , and o,, reswrcei t h a t i s q u d mproduc’eone unitofproduct1.j (a production mix problem where

IS

the amount of

02

Cenval unit’s problem: MAX

CD k L k

Sf.

L I S R. ( D k

ISa vector of dual pricer (bids)

t

.

Dist

-

+-

lor unil k j

k=I

(b)

Fig. 1. Cycles representing repetition. Fig. 2. Cycles representing simultaneity. decision to its subordinate organizational units. Each subordinate unit chooses how to best utilize the resources allocated to it by the central unit. They also determine values for the dual variables (shadow prices) in their subproblems and transmit these economic indicators to the central unit so that the latter can improve the resource allocation decision. A dual price transmitted to the central planning unit can be interpreted as a bid price (value) for one extra unit of resource by a subordinate unit. Such bids reflect the marginal increase in the profitability of the corresponding subordinate units for each additional unit of resource at the given resource levels. The central unit iteratively improves the allocation of the scarce resource in response to these bid prices. Of course, each subordinate unit may represent management units with control over a number of operating units. Other planning decisions in hierarchical multilevel organizations can be modeled in a similar manner. Fig. 2 depicts a second situation where cycles may arise in a composite program. It shows the familiar supply and demand economics models being used to construct a composite model to analyze the determination of prices and outputs in a market. The demand model determines the quantities of commodities demanded by consumers at particular prices of these commodities (as determined by the supply model of the producers). The supply model, therefore, outputs a set of prices at which the producers will find it economical to supply given quantities of the commodities. The state where a set of prices is determined such that the supply of commodities is equal to the demand at these prices is known as market equilibrium. We now give a simple example to show that a set of “simultaneous” models may have inputs that are determined exogenously and may produce outputs that are to be made available to the outside environment. The example is an extended version of a similar one presented in [4]. Fig. 3(a) depicts a program, called CORP, which computes the net income ( N ) based on unit production cost ( U ) and a price mark-up ( M ) . Fig. 3(b) suggests that model CORP can be constructed by coupling the following programs (models) each relating its outputs to its inputs (for the purpose of illustration, we have chosen simple formulas to represent these relationships; there are, however, no restrictions on the complexity of these

@)

Fig. 3. Composite program CORP.

relationships): 1) a marketing demand model which computes the expected sales volume (V) at a given price (P). MKT: V = 800000 - 44000 *P. 2) a pricing model which calculates a price ( P )given a markup ( M ) ,total expense ( E ) ,and the sales volume ( V ) .PRI: P = M * E/V. 3) a manufacturing cost model which can compute total expenses ( E ) based on volume (V) and unit cost (U). MFG: E = 1000000 U * V . 4) a financial model which relates the net income ( N ) to the price ( P ) , volume (V), and expenses (E). FIN: N =

+

P*V-E. The graphs depicting the topology of the three examples above are all cyclic. Operationally, when a component program is realized by a computational process, the fact that a cycle exists in the coupling graph means that a process consumes directly or indirectly its own output. It is, therefore, possible that such a process might find itself waiting (directly or indirectly) for itself to produce data. A process in such a situation is deadlocked.

323


It is important to observe that the presence of cycles in a coupling graph does not always mean that a deadlock will occur. This is evident from the above three examples; the composite program whose coupling graph is shown in Fig. 1 will not deadlock, while the programs depicted in Figs. 2 and 3 will. Indeed, we will see that when dealing with programs that implements numerical mappings that have certain properties, a deadly cycle can be resolved (made benign) not by eliminating the cycle but rather by simply introducing a "program" component implementing a fixed-point algorithm into that cycle.

B. Hierarchical Construction of Composite Programs This section shows how composite programs can be specified in a hierarchical and modular fashion. One advantage of this view is that it is consistent with the structure of many of the problems or reference systems being implemented. Thus, a physical system defined in terms of a network of interacting component subsystems can be represented by an isomorphic network of interacting component programs (logical system), thereby preserving its structure. Another advantage, which will become clear in Section 111, is that the the use of hierarchy and levels of abstractions can be exploited to reduce the size of the problem of deadlock prediction. Definition 1: A program M ' s specification is a pair . The type specification is a pair < IPM,OPh' >, where IP"' and O P A f are, respectively, finite sets of input ports and output ports, with a port being a three-tuple , specifying the port's structure, the set of values it can take on, and their semantic interpretation. Programs implemented by a coupling of component logical subsystems are called composite, while programs without components are called atomic. Atomic programs are sequential programs implemented procedurally, whereas the implementation of a composite program is described by a pair < CS"',{M,10 5 i 5 n - 1) >, where CS"' is a configuration scheme specifying how M can be realized by coupling a set of instances of component programs3 A configuration scheme (CS) consists of two parts: a coupling subschema (CSS) and an interface subschema (ISS). The coupling subschema specifies the topology of the network of component programs, and it may be represented by a directed multigraph, where nodes represent instances of component programs and edges correspond to communication links from output ports to input ports. The interface subschema, on the other hand, specifies how the coupling subschema graph can be abstracted into a single node corresponding to the composite program. This way, a program constructed by coupling component programs may itself be employed (nested) as a component in a higher level program. Hierarchical program construction is made possible by repeatedly nesting instances of programs as components in higher level programs. A trace of the decomposition/composition process may be represented by a tree with a root corresponding to the composite program, leaves corresponding to the low level instances of atomic component programs, and where each node is a program instance resulting from the coupling of its descendant nodes. Since the decomposition/composition process is finite, the tree will also be finite. To formalize this notion of hierarchical construction, we present the concept of a composition tree (adapted from [31]). Precise characterization of a configuration scheme has been presented in [25], a summary of which is included in Appendix B for completeness.

Definition 2: A composition tree is a hierarchical structure S =< T , I , B , C S , m >, where T is a finite tree where the root node is labeled by the name of the composite system, which the tree is intended to specify, and the successors of any one interior node (including the root) are uniquely labeled by the names of instances of its direct component programs; I is the class of program type (interface) specifications (Definition l), B is the class of program behavior (procedural) specifications, CS is the class of configuration schemata, and m is a mapping which assigns attributes to the nodes of the tree, such that m : leaves (T) -+I x B m

:

interior-nodes(T)

-+

I x CS.

The rules governing the mapping m are given in the following definition. Definition 3: Well-formed programs. A program is said to be well-formed if and only if its composition tree is well-formed. The definition is recursive and contingent on whether the program is composite (an interior node) or atomic (a leaf node): 1) A composite program M constructed by coupling n > 1 component programs MO,MI,.. . , M n p l , is said to be well-formed if and only i f a) all M,(0 5 i 5 n - 1) are well-formed; and b) its implementation is given by a complete and consistent configuration scheme. (Appendix B). 2 ) An atomic program (one-node tree) is well-formed if its procedural implementation given by a source module is consistent with (i.e., satisfies) its type specification. Henceforth, we assume we are dealing with well-formed programs. Now, recall that the leaves of a composition tree correspond to distinct instances of atomic programs. These instances of the atomic programs are the ultimate constituents of the composition, and hence it is possible to specify any composite program as a direct coupling of atomic programs. This composition is called the flattened composition associated with the composition tree. Two composite programs are said to be isomorphic if their flattened composition trees are identical, or stated differently, if they are realized by identical networks of processes. Proposition 1: Any well-formed composition tree can be flattened. That is, for each well-formed composite program there exists an isomorphic, flat, well-formed composite program. Proof: By simple induction on h, the height of the tree, where the leaves are considered to be at level 0 and the root is 0 at level h. Graphically, the proof can be interpreted as follows: the interface subschema specifies how the coupling subschema graph can be abstracted into a single node corresponding to the composite program. Whenever that node appears in some graph (i.e., the composite program is itself used as a component of another program), the node can be replaced by splicing the subgraph (abstracted by it) into the incoming and outgoing edges of the that node. This is how a hierarchical program composition tree might be flattened, so that the composite program is realized directly in terms of the atomic programs at the leaves. Definition 4: Let CSS"f denote the coupling subschema associated with the flattened composition of a composite program M . Let GAff be the dimgraph representing CSSMf. M is said to be cyclic if and only if is cyclic.

I

I

1


324

111. AUTOMATIC TREATMENT OF CYCLICCOMPOSITE PROGRAMS Providing system capabilities for automatic treatment of cyclic programs requires developing techniques that address three major issues: 1) the identification of cycles; 2) the classification of cycles into benign and deadly cycles; and 3) the resolution of deadly cycles whenever possible. We shall deal with each issue in turn.

A. Identification of Cycles It is well known that finding all cycles in a graph is a hard problem since the problem of finding a Hamiltonian cycle is NPhard [13]. Finding all cycles in a graph can always be achieved by an exhaustive search method; the complexity of such a method, however, is exponential. If the out-degree of each vertex is 5 d, the complexity of the determination of a cycle of length 1 approaches d'. Transforming the coupling scheme multigraph into a graph (by merging parallel edges into one) may reduce the bound on the out-degrees. Furthermore, all source and sink nodes may be recursively removed from the graph, since they cannot be involved in a cycle. With both measures, however, finding all cycles remains exponentially prohibitive for graphs with a large number of nodes. The systems view of composite programs suggests a natural and viable approach for reducing the size of the problem that has to be solved. The approach capitalizes on the fact that large composite programs are constructed hierarchically from other programs; rather than directly in terms of atomic programs. (Recall the discussion and definitions in Section 11-B.) This composition hierarchy is an effective way to decompose the problem of finding cycles in the flat network, into smaller, more manageable subproblems, as the following proposition shows. Proposition 2: A composite program is cyclic only if (a necessary but not sufficient condition) for some interior node (including the root) d in its composition tree, C S S d is cyclic. Proof: (Necessity) The proof is by induction on h, the height of the composition tree (root at level h and leaves at level 0). Base Case: ( h = 1) is obvious; d is precisely the root. Induction Step: Suppose that the proposition is valid for h 5 k . That is, if a program with composition tree of height h 5 k is cyclic, then it has an interior node d with cyclic CSS assigned to it. Let M =< IP',OPM,CSM,{M,10 5 i 5 n - 1) > be a program with a composition tree of height Lf 1.By definition, M is cyclic means that G M Jis cyclic. As a corollary of Proposition 1, each GMf is a subgraph of GMf. Let C be a cycle in G M J , then one of the following cases must be true. for some i E { 0, 1, . . . . n (Case 1) If C is contained in Gf' l}, then we are done (by the induction hypothesis). (Case 2) Otherwise, C must contain nodes in two or more of these subgraphs and must have been introduced in CSS'. To show that the condition is not sufficient, a counterexample is given in Fig. 4,which depicts a composite program M1 having a composition tree of height 2. Althou h C S S M tis cyclic, M1 is acyclic since (by Definition 4) GM1 is acyclic. U This result and the fact that the composition tree is actually a trace of the composition process suggest a way to decompose a problem into smaller, more manageable subproblems, each corresponding to some (direct or indirect) component compositeprogram. That is, the problem of identifying cycles can be reduced from a large problem for a given composite program into a set of smaller problems for the component programs. Furthermore, these subproblems are not solved all at one particular time;

B

M l ..........................

MI2

Fig. 4. Counterexample for Proposition 2.

rather each is solved only once before the corresponding composite program is stored in the software library. Hence, before a composite program is stored, the program is checked to ensure its safeness (i.e., freedom from communication deadlocks). Then, whenever a safe composite program is used as a component in a larger composite program, it is treated (at least initially) as a single node in the graph corresponding to the latter program's CSS, thereby reducing a whole subgraph into one node. Further reduction in the size of the problem can be attained by partitioning a program's CSS graph into subgraphs corresponding to the strong components of the graph (Appendix A). Note that this partitioning problem will be relatively small in size, as we are dealing with the graph of the CSS at the root of the tree and not with the flattened CSS. Furthermore, computing the strong components of a directed graph is a relatively cheap operation; based on a variant of depth-first search, Tarjan [29] gives an algorithm that requires O(n,e ) space and time when applied to a directed graph with n vertices and e edges. Since we do not allow self-loops in a CSS, trivial strong components (i.e., those having only one node) cannot give rise to a cycle, and hence warrant no further analysis. Eliminating these trivial components from consideration is like removing entire subgraphs from the flat composition graph. More importantly, observe that this unique partition of the graph into its strong components is also a unique partition of the cycles in the graph; each nontrivial strong component consists of cycles that are members of an equivalence class defined as follows: two cycles are in the same class if and only if both are contained in some nonelementary circuit. Fig. 5 shows the strong components of the graph corresponding to the coupling scheme of the composite program in Fig. 3. In using the results of Proposition 2 and the partitioning of a CSS graph into its strong components, we must keep in mind our ultimate goal, namely, testing and (if necessary) resolving cycles. To that end, the following definitions are useful. Definition 5: A cycle C is said to be benign if it cannot result in a deadlock. It is called deadly, otherwise. Definition 6: An atomic program is said to be safe (i.e., communication-deadlocks free) if and only if it is well-formed. Definition 7: A composite program M is said to be safe if and only if the following conditions hold: 1) it is well-formed; and 2) either it is acyclic or all cycles in G M Jare benign. Proposition 3: A well-formed composite program M =< IPM,0PM,CSSM,{M,105i5n-1} > issafeifandonly if the following conditions hold: 1) all M,(O 5 i 5 n - 1) are safe; and 2) all new cycles, if any, which are introduced in the graph GM corresponding to CSS', are benign.

325

MUHANNA COMPOSITE PROGRAMS

I

(a) Trivial strong component

s V

m

P

(b) Non-trivial strong component containing two cycles

Fig. 5. Strong components.

B. Description of the Algorithm In this section, an outline of a hierarchical algorithm for the automatic treatment of cyclic programs is presented. The algorithm incorporates the ideas and results presented thus far and provides a framework for the discussions in the next sections. Problem: Given a well-formed composite program M =< I P M ,OP', C S S M ,{Mz10 5 i 5 n - 1) >, such that all its component programs M,, (0 5 i 5 n - 1) are safe, we want to determine if M is safe, and if not, identify all deadly cycles and see if they can be resolved. Method: Perform the following steps. Step 1: Construct a graph G" from the information in C S S M . Step 2: If GM is acyclic then M is safe (Proposition 3), and we are done; otherwise continue with Step 3. Step 3: GM is cyclic. Partition GM into its strong components. Ignore all trivial components, as they cannot introduce any new cycles, and are already safe by assumption. For each nontrivial component subgraph, G,, perform Steps 3.1-3.3. Step 3.1: G, must contain at least one cycle. However, Proposition 2 tells us that this does not necessarily mean that G,f (the graph obtained by substituting each node M , in G, with its flattened graph, G M r )will be cyclic. Note, also, that G{ may actually contain cycles which are entirely contained within some GMf. Such cycles need not be examined since by assumption they have been examined before M , was stored in the program library, and they are known to be benign. Hence, we need to generate all new atomic cycles (i.e., cycles in which each node corresponds to an instance of an atomic component) in G,f, but we would like to avoid generating cycles which are already known to be benign. This we perform as follows. Let C, denote the set of new atomic cycles in GL. C, is initially empty. Find the set of all cycles in G,; call it C,. Since hierarchical construction is possible, the coupling of only a few (3-10) components at each level should be encouraged as a "good" construction practice. If this practice is adhered to, G, will in general be a small graph since it is a subgraph of G M ,which in turn consists of a small number of nodes corresponding to the immediate components of M . Remove one cycle, call it C, from the set C,. If C is atomic, add it to Ca.Otherwise, perform the following.

Pick a node in C which corresponds to some composite program K . Let i p E IP" and op E OP" be the input port and the output port of K which are respectively bound to the incoming link and the outgoing link in C. Let P be the set of all elementary paths in G" from ip to op. The time taken to generate the first m paths between two nodes in a n vertex graph is O(mn3)[17]. Moreover, here the number of nodes in G" is likely to be small, since K is constructed hierarchically. For each path p E P, create a new cycle cp by augmenting C with path p (i.e., replacing the node K in C with path p ) . Add each new cp to C,. Repeat the procedure in (3)-(6) until C, is empty. This process must stop since the composition tree of M is finite. Step 3.2: If the set C , is empty, then G , is safe; otherwise test each cycle C E C, to see if it is benign or deadly. (A test to determine this will be presented in the next section.) Step 3.3: If all cycles in C, are benign or can be resolved automatically (conditions to determine if a cycle can be automatically resolved and methods to do it will be given in the next sections), then G, can be declared safe; otherwise, messages identifying the deadly cycles are generated at this point. Step 4: If all nontrivial components G, are found to be safe, then M can be declared safe. Otherwise, the user is requested to correct all deadly cycles which have been identified in Step 3.

C. Cycle Testing Having found a cycle, the next step is to determine whether it is deadly (and hence must be resolved) or benign. An initial examination of the three examples given in Section 11-A suggests that what matters is not that a program consumes (directly or indirectly) its own output but rather how it depends on its own output, or more precisely when it needs to consume that input. For example, in Fig. 1, the computation of the allocation vector for the subordinate units by the central coordinating unit begins with some initial value and is dependent on the previously computed value thereafter. In other words, the output feuds the input by at most one value, so that the input will eventually be available when it becomes needed, and hence, deadlock cannot occur. All programs intended to model an iterative procedure have this temporal property. On the other hand, for programs in Figs. 2 and 3 which are involved in cycles, the outputs of these programs which form one end of each arc (link) in the cycle are dependent not on previous values of themselves but on current values. This should be clear from the equations corresponding to the components of program CORP; for example, variable P is defined implicitly in terms of itself (i.e., P = P R I ( E ,M , V ) = P R I ( E ,M , M K T ( P ) )). These observations suggest that we need a general way to describe the dependency between the input and output variables in a program and then to use this information to somehow test the safeness of the dependencies in the cycles. It should also be clear that the topology information contained in a CSS is inadequate for assessing the safeness of a cycle. This is a natural consequence of the fact that a deadlock is an operational concept that depends on the the patterns of interactions of the programs (systems) involved. Thus, in formulating the problem of cycle testing, we must develop a model for describing the operational environment in which deadlocks may arise. Such a model is presented next. The Behavior Model: The behavior model given here is graphtheoretic and is designed to capture the semantics of interprocess

I

I

1

326

IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 11, NO. 4, APRlL 1991

communication and the patterns of interactions between processes. It prescribes a method to characterize the communication activity on links involved in cycles. Based on this characterization, we then derive an algebraic test procedure to be used in assessing the safeness of cycles in composite programs. A network of interacting instances of atomic programs can be realized by means of an isomorphic network of communicating processes, where one way communication channels (i.e., links) interconnect processes and buffer their outputs. Thus, an atomic program is an atomic representation of a system, and a process is a realization of an instance of that program for computation purposes. Since a deadlock is an operational concept that occurs during execution, we will use the term process to refer to an execution of an instance of q~atomic program. The deadlocks at issue here are communication related. Hence, a precise characterization of the semantics of interprocess communications is central to the understanding and modeling of such deadlocks. The following paragraphs describe these semantics. Coupling links are one-way communication channels which interconnect processes and buffer their communications. Each link behaves as a bounded first-in-first-out (FIFO) queue carrying data items from an output port of a producer process to an input port of a consumer process. A link (alternatively an input port) can be in either of two states: empty or nonempty. A nonempty link which has reached its capacity is said to be full. When a process requires some input data from one of its input ports, it performs a GET operation on that port. The procedure call GET (ip,D-area) stores the next datum, arriving on the link bound to the input port ip, into an area of memory referenced by D-area. If the link associated with that input port is empty, the process must stop and wait until the data is sent through the link channel by the producer on the other end. A PUT operation on an output port can be used by the process to send a datum along the link bound to that port, and it has the following syntax: PUT (op, D-area). If that link is filled, the process is blocked until it becomes unfilled. This provides a flow control mechanism allowing a channel to apply back pressure on its producer whenever that producer produces output faster than it can be absorbed by the corresponding consumer. To preclude any time-dependent input/output operations, primitives to test the availability of data on a channel (i.e., to check its status) are not made available to program implementors. No assumption is made about the relative execution speed of the various processes in the network. We only require that the scheduler employed is fair, in the sense that if a process is ready to execute it will eventually be allowed to do so. Processes which are not blocked on PUT or GET operations run concurrently and may execute in parallel, if parallel hardware is available. What we have presented so far does not yet enable us to determine whether a cycle will result in a deadlock or not. We need to examine the communication behavior of the programs (processes) involved in the cycle. To this end, we give a model of the programs behavioral characteristics. The model does not capture every kind of behavior possible. However, it is sufficient for characterizing the behavior of a large class of programs. In particular, programs implementing mathematical models such as those shown in Figs. 1-3 fall within this class. Moreover, the restrictions we place on the communication behavior apply only to atomic programs which are involved in cycles, and more specifically to their input and output ports which are bound to links in those cycles. First, we formally define the objects we wish to test, namely atomic cycles. Definition 8: An atomic cycle is a graph C =< P, L >, where

\:: L--A

Version 1:

BEGIN

Ic---4

::::/ L..>

Version 2:

BEGIN

dnilializaliot~

dni~ializalion>

PuT(0l)

PUT(o2) ...

....

PU7 (02) ...

LOOP CET(1I) ... CET(i1)

___

LOOP GET(i1) .._ GET (i2) ._.

GETIiZJ , , ... PUT (01) ..

PUT(o1) ...

PU7(02) ..,

UNTIL END.

Fig. 6.

PUT(O2) ...

UNTIL END.

Sample two-phased loop sections.

P is a set of n > 1 nodes each corresponding to a distinct instance of an atomic programs, Po,P l , ' . . ,Pn-l, and L is a set of arcs (coupling links) Z0, ZI, + . ,lnW1such that 1, is directed from P, to Pz+l,i = O , 1 , . . . , n We consider a class of atomic programs (processes) whose communication behavior with respect to ports involved in cycles satisfies the following two basic conditions. First, all communication operations on those ports are deterministic, time-independent, and data-independent. The issue of timeindependence has already been discussed and includes behavior where the availability of data on a particular port is tested. Dataindependence precludes behavior where a PUTIGET operation is performed only if some data-related condition holds. Clearly, it is necessary to exclude all three types of communication behavior, since the inclusion of any one of those types would preclude the possibility of determining the safeness of a cycle without having to execute the cyclic composite program. The second condition requires that the code of an atomic program, which is involved in a cycle, consists of an initialization and a loop section. The initialization section optionally contains PUT operations on a subset of the output ports. In this section, GET operations on input ports, which are associated with cycles, may not be preformed. The loop section is required to satisfy the two-phase assumption with respect to each cycle in which an instance of the program is a component. Assume an atomic program instance T is a node in a cycle C. Let ip E I P T and op E OPT be the input and output ports of T which are respectively bound to the incoming link and the outgoing link in C. The loop section in T is said to be two-phased with respect to C, if it can be divided into a read and a write phase. During the read phase, a finite number of GET operations can be performed on ip. The beginning of the write phase is signaled by the first PUT operation on op, after which no GET'S are done on ip until the next iteration of the loop. More formally, if we characterize the communication behavior in each iteration of the loop section by a sequence S = (st):=, of n communication operations, then the loop section is two-phased with respect to C , if for some j < n, i < j implies s, # PUT(op),i = j implies s, = PUT(op), and i > j implies s, # GET(ip). With respect to C , operations 4Arithmetics in the subscripts of nodes and links involved in a cycle are modulo R .

M U H A ” A COMPOSITE PROGRAMS

321

. ,sj-l comprise the reading phase in the loop section of T , and operations s J ,. . . , s, make up the write phase. For example, consider the program instance T shown in Fig. 6. T is a node involved in a maximum of foCr cycles which correspond to the the following four pairs of ports: (21,ol),(il,0 2 ) , ( i 2 , 0 2 ) , and (i2,ol).The communication behavior of version l satisfies the above conditions with respect to each of the four cycle. The behavior of version 2, however, is not two-phased with respect to the fourth cycle. We note that no restrictions are placed on operations involving ports that are not bound to links of cycles. For the class of programs whose behavior is captured by our model, we have developed techniques for classifying and assessing the safeness of cycles in a composite program’s configuration scheme without having to execute those programs. We will first show a syntactic procedure by which we can characterize the communication activity on the coupling links. This characterization is then used to derive necessary and sufficient conditions for the deadliness of a cycle. By scanning the code for an atomic program T , we can abstract its communication behavior as follows: 1) we associate with each zp E IPT a parameter r whose value is equal to the number of GET operations involving that input port in the loop section; 2) we associate with each op E OPT an ordered pair (U,w), where U and w are equal to the number of PUT operations involving that output port in the initialization section and the loop section, respectively; and 3) we determine whether the two-phase condition holds for each (ip,op) pair.5 To illustrate this procedure, consider the sample code version 1 in Fig. 6. The input behavior on T ’ s input ports 21 and 22 can be respectively characterized by the values and for parameter r. Also, the (u,w) pairs associated with T’s output ports 01 and 02 have the values and ,respectively. The other ports, namely 23 and 03, can be characterized in a similar manner, if applicable. Now, consider a cycle C with nodes and links as numbered in Definition 8. Let 1, be a link from the output port op of process P, to the input port ip of process P,+l.1, may be characterized by the parameters associated with its terminals op and ip, namely, < U,,w,, r, >. These parameters may be interpreted as follows: U , gives the number of data items that are written to (sent on) I , during the initialization phase of P,; w, gives the number of data items written to I , during the write phase associated with op in P,; and r , gives the number of data items read from 1, during the read phase associated with ip in Pt+l.For example, the values < 0 , 1 , 1 > can be associated with each coupling link in Fig. 3. Similarly, in Fig. 1, the communication activity on the links labeled 1,(1 5 z 5 n ) can be characterized by assigning the parameter values < 1,1,1> to each link. If r, = 0, no data are read from 1,. Similarly, if w,= 0, no data are written to I, during the loop section. Either condition suggests a design error that would lead to a deadlock. Henceforth, we will consider cycles in which the values of the parameters r and w are positive for all links. Let z,+,(t) denote the number of times the read phase in P,+lhas been completed up to time t. We assume that t is a discrete quantity maintained by some virtual global clock which is incremented by one whenever one of the processes in the cycle completes its read phase. For a given time t, the number of data items PUT to link l,, call it S(l,, t),cannot exceed U , w,*x,(t). sl,.

+

+

’This syntactic procedure need only be applied once before an atomic program code is stored in the software library for later reuse. Ports for which the procedure is not applicable could be noted.

Similarly, the number of data items GOT (read) from l,, call it D ( l l , t ) ,cannot exceed T , * (zz+l(t) 1).The latter quantity can be interpreted as the number of data items demanded by P,+l before it can enter its write phase. If this demand exceeds the supply (by Pt) at time t, P,+,will be blocked on a GET waiting for P, to start a new iteration of its loop section and PUT data on 1 , . Such blocking will therefore occur if

+

U,

+ w 2 x 2 ( t-) r,(x,+l(t)+ 1) < 0.

(1)

Likewise, if the supply exceeds the amount consumed so far by an amount greater than the capacity (buffer size), z,, of link l,, then P, will be blocked on a PUT waiting for P,+lto start a new iteration of its loop section and GET data items from 1,. That is, the following condition must hold:

We are now in a position to revise Definition 5 in order to give a better characterization of the notions of deadlocks and deadly cycles. Definition 9: A cycle C =< P, L > is said to be deadly if and only if when it is considered by itself as a graph of a CSS, all processes in P can become simultaneously blocked during execution, waiting for each other. Proposition 4: Given a deadly cycle C, when a deadlock occurs during its execution one of two situations must be true: 1) each process in P is blocked on a GET operation on its input port participating in the cycle, or 2) each process is blocked on a PUT operation on its output port. Proof: All processes in P are blocked. Choose any P, in P. If P, is blocked on a PUT, then the process at the receiving end of I , , P,+l,cannot be blocked on a GET; hence, P,+]must also be blocked on a PUT. Repeated application of this process for each link in the cycle completes the proof for part 2). Part 1) 0 can be proved in a similar manner. Accordingly, when a deadlock arises in a cycle C , either all processes have (1)holding, or else all have (2) holding. Rewriting (1) for each process in G results in the following system of inequalities (the subscript t was removed for simplicity):

for i = O , l , . . . , n - l

.

(3)

The system of inequalities (3) can be stated in the following matrix form: 1

0

’

0

-Pn

0

.

.

.

. . 1

0

.

.

0 -P*

-2

0 1

or

Ax 2 b,

(4)

+

where p , = w,/r,,and b, = ( u , - ~- r,-1 l)/r,-l,z’ = 0,1, , n - 1 (modulo n). rewriting (2) for each process in gives rise to the following system of inequalities (subscripts are modulo n):

328

X,+l


, n - 1. ( 5 )

-

From the induction hypothesis, we have x z ( N ) which imply the following:

r c x c + l ( N5)

The system of inequalities (5) can be stated in the following matrix form:

Ax 5 c,

5 x,

and

X , + ~ ( N5)

W,Z, + U ,

- z,

- 1.

(12)

Combining (12) and (10) yields the following:

(6)

where A is defined as in (4), and where c, = ( u , - ~- z , - ~ 1 ) / ~ ~i -=~0,, 1 , . . . , n - 1 (modulo n). The following proposition forms the basis of our test. Proposition 5: A cycle C is deadly if and only if either a) the system of (4) has a nonnegative integer solution, or b) the system of (6) has a nonnegative integer solution. Proof: (Necessity) The proof follows immediately from Definition 9, Proposition 4, and the construction of systems (4) and (6) above. (Sufficiency) We want to show that if x is a nonnegative integer solution of a) or b), then x(t) 5 x for all discrete time t. That is, for each process in C , the number of completions of its read phase in the loop section is bounded above by the nonnegative solution x, indicating a deadlock. We first show that a) implies x(t) 5 x for all t, by induction on t. Base Case: For t = 0, x(t) = 0 5 x. Induction Hypothesis: Assume it holds for t = N ; x(N) I x. We will show it holds for t = N+1. For all i , either x , ( N + l ) = x t ( N ) ;hence x , ( N 1) I x,,or z , ( N 1) = xt(N) 1. The latter case implies that at time N , there must have been sufficient data on link l , - , (from Pz-l to P z ) for a new pass through the read phase of P, to complete. This means that P, was not blocked on a GET operation, and by Proposition 4,

+

+

+

But since w,is a positive integer, and since both x , ( N ) and z1 are integral, we can say that xt(N + 1) = xt(N) 1 5 2,. This 0 completes the proof for the second part. Corollary 5.1: A cycle C is deadly if b 5 0 or if c 2 0 . Proof: This is a special case where x = 0 (the trivial solution) is a solution to the corresponding system of inequalities in Proposition 5. 0 The systems of linear inequalities (4) and (6) have some interesting characteristics that can (in virtually all cases) be used to determine if a cycle is deadly without attempting to solve them for a nonnegative integer solution. The following analysis will reveal a number of properties that will prove valuable in deriving more basic necessary and sufficient conditions for a deadlock to arise in a cycle.

+

Proposition 6: The determinant of A is equal to 1 -

n

n-1

pz.

=O

I

Proof: Using the Laplace expansion of the determinant of the matrix A along the first row, we see that the cofactor matrices are triangular. Then, using the result that the determinant of triangular matrix is the product of the diagonal elements, we obtain

det (A) = 1

+ (-l)"+l(-l)npupl ...pn-l

n-1

= 1-

pz.

0

1=0

If we define the gain of a process in a cycle to be the ratio of its output to its input in its loop section (i.e., (w of its output link) I ( r of its input link)), then the net cycle gain, denoted by g , is equal to the product of the gains of the nodes involved in the cycle.

but from a), we have

I

x, and

+rZpl

1. (9)

From the induction hypothesis, we have x , ( N ) e t P l ( N5 ) x,-~.Substituting into (8) results in wL-lzt-l(N)

5 wt-lxt-l 5

+

T,-~z,

-

Combining (9) and (7) yields r,-lx,

-

1 - r z - l z z ( N2 ) 0.

& +

Thus we have z , ( N ) + 5 2,. But since T , - ~ is assumed to be a positive integer, and since both x z ( N )and z, are integral, then we can say that x , ( N 1) = z z ( N ) 1 5 x,.This completes the proof for the first part. Using the base case and the induction hypothesis appearing above, we now show that b) implies x(t) 5 x for all t. For all i , either x t ( N 1) = z z ( N ) ;hence x 2 ( N 1) 5 z l , or z , ( N 1) = z , ( N ) 1. The latter case implies that at time N , the capacity of the link 1, (from P, to Pt+l) has not been exceeded; otherwise a new completion of the read phase in P, could not be possible. In other words, P, was not blocked on a PUT operation, and by Proposition 4,

+

+ +

+

U,

+ wz,(N)

+

-

T,z*+l(N)I 2,.

(10)

But, from b), we have T,x,+l

I w*x, + U , - 2 , - 1.

(11)

n -1

n-I

Hence, det(A) = 1- g. This implies that A is invertible (i.e., A-' exists) whenever g # 1. It turns out that the adjoint matrix A" corresponding to the matrix A has the following interesting structure. A a zz 1

PIPZ..'Pn-l

1 PI

PZP3"'Pn-1

'

P2PJ"'Pn-IPO

.

'

'

'

1

Pn-iPnPi

I : ~ p o p l . . ~ . p n - 2 P1P2..'.Pn--2

Pn-1

Pn-iPn

1 '

'

Pn-2

Pn-1PO

'

'

'Pn-3

1

The matrix A" has two interesting properties which will prove useful. Property 1: A" is a positive matrix (i.e., each of its elements has a positive value). Property 2: A simple matrix multiplication will verify that A"A = (1 - g)I, where I denotes the identity matrix of the appropriate order. (The property MaM = Det(M)I is actually true for any square matrix M.)

329


In using the results of the above analysis, we focus on the value of the cycle net gain g. In particular, we consider three distinct cases: g < 1, g > 1, and g = 1. (Note that g is, by definition, always positive.) Case (g < 1): Intuitively, this is a sufficient condition for a deadlock to arise in a cycle, since it indicates that a loss of data items occurs as data items are cycled during execution. Such a loss eventually results in a deadlock due to lack of data items on the links. This result is proved more rigorously in the following proposition. Proposition 7: A cycle with g < 1 is deadly. Proof: Consider the system (4). Since g < 1, A-' exists. Furthermore, A-' = (1 - g)-lA" is a positive matrix since A" is positive (Property 1).Thus, a solution to the following system is also a solution to (4).

x

2 A-'b.

For any vector d E R" (the n-dimensional Euclidean vector space) such that d 2 0, the following is a solution to (4):

x = A-'b

+ d.

By proper choice of the vector d, a nonnegative integer solution to (4) can be obtained, implying (by Proposition 5 ) that the cycle must be deadly. 0 Case (g > 1): This is also a sufficient condition for eventual deadlock in a cycle. Intuitively, this condition suggests that the number of data items on the cycle's links will be increasing. Thus, unless the processes deadlock initially on GET operations, the capacity of the links will eventually be exceeded, resulting in a deadlock on PUT operations. This argument is proved more rigorously in the following proposition. Proposition 8: A cycle with g > 1 is deadly. Proof: The proof is similar to that for Proposition 7, except that we consider the system (6) here, instead. Since g > 1, A-' exists. Furthermore, A-' = (1 - g)-lA" is a negative matrix, since A" is positive (Property 1). Thus, a solution to the following system is also a solution to system (6).

x

2 A-'c.

links sufficiently, in conservative cycles, to preclude a solution to system (6). We first derive a necessary, but not sufficient, condition for deadlocks to arise in conservative cycles. By the necessity of this condition, conservative cycles for which the condition does not hold can be readily declared benign. Proposition 9: If a conservative cycle is deadly then either 1) A"b 5 0, or 2) A"c 2 0. Proof: If the cycle C is deadly, then (by Proposition 5 ) one of the following systems has a nonnegative integer solution:

A x 2 b or A x L c But since A" > 0 (Property 1), we have a solution to

A"Ax 2 A"b or A"Ax 5 A"c. Our additional knowledge that A"A = (1- g)I (Property 2 ) and 0 that g = 1 completes the proof. The class of conservative cycles can be partitioned into two subclasses: locally conservative and globally conservative. Definition 11: A conservative cycle is said to be locally conservative if and only if T , = w,= 1, for i = 0,1, ..., n - 1; otherwise it is said to be globally conservative. The significance of the class of locally conservative cycles, to which we will devote the rest of this subsection, can be seen in light of the following- facts: Locally conservative cycles tend to arise often in cyclic composite programs. In the case of programs implementing mathematical models, they seem to be the norm rather than the exception. Indeed, every cycle in each of the three examples presented in Section 11-A is locally conservative. As we shall see shortly, we have a simple necessary and sufficient condition for the deadliness of locally conservative cycles. As will become clear from the discussion in Section 111-C, locally conservative cycles which are found deadly can, in some cases, be resolved (i.e., made benign) automatically by the system with little or no user involvement. Proposition-10: A locally conservative cycle C with length n is deadly if and only if 1) U , = 0, for i = 0 , 1 , . . . , n - 1; or n-1

For any vector d E Rn such that d solution to (6):

2 0,

the following is a

x = A-'C + d. By proper choice of the vector d, a nonnegative integer solution to (6) can be obtained, implying (by Proposition 5 ) that the cycle must be deadly. 0 Case (g = 1): A gain equal to one implies a stable situation (relative to other values for the cycle gain) in the sense that as execution continues, there is neither a loss nor an overproduction of data in the cycle. Definition 10: A cycle with g = 1 is said to be conservative. Conservation in a cycle does not guarantee the safeness of that cycle; it merely suggests that if the "wheel gets rolling," a deadlock will not occur thereafter. That is, a deadlock may still arise before each process completes one iteration in its loop section. In other words, if each process in the cycle completes its read phase in its loop section at least once then a deadlock will not occur. Furthermore, since the cycles in this case are conservative, there exists some lower bound on the number of buffers that must be allocated to links in order to prevent a deadlock on output operations. Therefore, we can always increase the capacity of the

2)

c

(Uz

- 2,)

2

72.

,=O

Proof: (Necessity) If C is locally conservative, then (by definition) T , = w,= l ( 0 5 i 5 n - l ) , implying that pc = 1 for all such i . This means that A" corresponding to C is precisely 1 (i.e., an n x n matrix with all elements equal to one). Now, if C is deadly, then (by Proposition 9) either n-1

n-1

b, =

5 0 or

,=O

1=0

n-I

n-1

U,

(ut - z , - 1) 2 0;

c, = ,=O

,=O

hence, either 1) or 2 ) must hold. (Sufficiency) If T , = w, = 1, and if condition 1) holds, then b = 0 and (by Corollary 5.1) C is deadly with x = 0 being a solution to (4). n-1

Similarly, if 2 ) holds (i.e., if

c,

2 0), then for a sufficiently

t=O

large integer value for the parameter d, the following is a nonnegative integer solution to (6): 2,

=d

+

ck,

for i = 0 , 1 , . . . , n - 1.

k=O

A nonnegative integer solution to either system (4) or ( 6 ) , for a cycle C , implies (by Proposition 5 ) that C is deadly. U


330

N

In Proposition 10 above, condition 1) has an interesting interpretation. Earlier we stated that the presence of a cycle in a coupling scheme means that a process (program) consumes directly or indirectly its own output. We also suggested that when it comes to deadlocks, what matters is not that a program consumes its own output, but rather how it depends on its own output for continued execution. From this perspective, condition 1) in Proposition 10 may be viewed as a temporal dependency condition that measures the availability of data items in the

t

,-1

cycle. A nonpositive value for

71,

may be interpreted as

2=o

a reflection of a situation where the present execution of one program in the cycle is dependent on present or future outputs of that program; hence, a deadlock will arise. Conversely, a positive value suggests that the present executions of a programs in the cycle depend on past outputs of these programs; hence, the cycle is immune from this type of deadlock.

D. Resolving Deadly Cycles Once all deadly cycles have been identified, they must be resolved (i.e., made benign) to prevent deadlocks. Cycles with g > 1 or g < 1 are (by Propositions 7 and 8) deadly, and they are most likely unintended and are due to possible errors in the configuration of the composite program. Naturally, the system cannot (and should not) make any attempt to resolve these types of cycles; it should simply assist the user by identifying such cycles and indicating the nature of the deadlock. Deadly conservative cycles, on the other hand, can be resolved in two cases; otherwise, they are handled in a way similar to nonconservative cycles. The first situation relates to the case where where condition 2), in Propositions 9 and 10, holds for a conservative cycle C. Such a situation indicates the inadequacy of the number of buffers allocated to the links in C (i.e., insufficient link capacities, zt). An obvious way to remedy this situation (and thereby make C benign) is to allocate more buffers (i.e., increase the 2 , ’ s ) until the condition no longer holds. For avoiding deadlocks due to link saturation, it may not even matter which link gets its buffers increased; however, distributing the additional buffers among the various links is likely to permit more concurrency. The second type of deadly conservative cycles which can be automatically resolved is locally conservative cycles having U , = 0, for i = 0,1, ...,n - 1 (Condition 1) in Proposition 10). If the nodes in these cycles correspond to instances of mathematical models, these cycles are called simultaneous, since each corresponds to a set of “simultaneous” instances of programs, with the goal being to arrive at a set of equilibrium values that are consistent with the inputs and outputs of all participating instances at the same time. The composite programs depicted Figs. 2 and 3 contain cycles that are of the simultaneous type. The approach to executing a set of simultaneous programs is generally based on iterative fixed-point techniques [28] which are essentially variations of iterative methods for the solution of simultaneous equations (e.g., the Gauss-Seidel method). In the context of this paper, these techniques can be summarized in the following steps: 1) Identify a minimal set of arcs that can be removed in order to eliminate all simultaneous-locally-conservative deadly cycles in the strong component under consideration (Section 111-C). Such a set is often called the stationary set. Finding a stationary set amounts to finding the cover for a set, a problem known to be generally NP-hard [13]. Fortunately, in this case, the problem is likely to be very

I

-

-~

Fig. 7. New CORP program with benign cycles.

small in size. Moreover, a polynomial-time algorithms for finding a stationary set is available for the class of reducible (flow) graphs [27]. 2) Provide an initial guess for the values of the variables corresponding to the arcs in the stationary set. Let the vector a, denote these initial guess values. 3 ) Using a,, and the values of the exogenous variables, initiate the execution of the constituent programs. The execution is guaranteed to terminate by the action of step 1. Upon termination, a new vector of values for the stationary variables become available; call this al. 4) Use alto update a,, and perform step 3 again if the criteria provided to stop the iterative process are not satisfied. Fig. 7 depicts a configuration implementing the process described above to resolve the (deadly) simultaneous cycles in Fig. 3. Note that the stationary arc chosen is the one corresponding to the variable P as it is an edge in both simultaneous cycles (which can result in deadlocks) that are present in the graph. Most importantly, notice that the fixed-point algorithm is itself realized by a program, and as such it can be coupled with the other four components in a network realizing an executable (deadlock free) CORP program. Note that we resolved the cycles in Fig. 3 not by eliminating them from the configuration scheme but rather by introducing a new node, FIXP, into the cycle, where FIXP is a process realizing the fixed-point algorithm above. Proposition 11: Introducing FIXP into a simultaneous cycle C makes C benign. Proof: Without loss of generality, we may assume that C is of length n, and that the stationary arc is lnP1 from P,-l to Po. Introducing FIXP into C as node n by: 1) connecting to the corresponding stationary the final (consumer) end of input port of FIXP; and 2) introducing a new link, call it l,, from the stationary output port of FIXP to the previous final end of l,z-l. Let C,,,,,, be the resulting cycle. By the specification of the algorithm for FIXP, we know that the following must hold: T , , = w?, = U,, = 1. The latter equality holds because FIXP starts by outputting an initial guess for the stationary variable. These changes preserve the local conservation property of C (i.e., n-1

C,,,,. is locally conservative). Now, since

U,

*=o

= 0 (as C is

I,

simultaneous), then for C,,,, ,

U* ,=O

= 1. Hence, by Proposition

0 10, Cy,,,,, must be benign. As an example, consider the new program CORP in Fig. 7; it

331


II

V

II

V

I

1

Fig. 8. Stationary-set arcs for two cycles involving distinct sets of programs.

is immune to deadlock despite the fact that it is cyclic. Contrast this with the deadly cycles in the old program CORP in Fig. 3. The difference is that in the new version we have introduced, in both cycles, a new arc Po + P , which has its corresponding parameter U equal to one. This action effectively makes both cycles benign (by Proposition 11). E. Improving the Efficiency of the Cycles Resolution Technique

When more than one arc (variable) is present in the stationary set, the technique described above can be inefficient. One source of inefficiency is that the iteration continues until all variables converge, even if some variables correspond to distinct cycles (each involving a distinct set of programs). In such cases, we should take advantage of the fact that some variables will converge faster than others. If two arcs in the stationary set belong to two cycles involving two distinct sets of nodes as in Fig. 8, it may be beneficial to deal with each individually by using two instances of the fixed-point program to resolve them. If the two arcs belong to two cycles that involve a common program, we can treat each individually but nest one resolved cycle into the other as shown in Fig. 9. This can be viewed as nested loops, where the outer loop, corresponding to the outer resolved cycle, fixes some values and then executes the inner loop corresponding to the inner resolved cycle. Further improvement can be gained by having the fixedpoint program (or for that matter any computationally expensive program) perform its computation only when its inputs change. Thus, when a program receives its exogenous inputs, they are compared with previous values. If they are the same, a second execution is avoided by simply outputting the previous results again. This is especially critical for all computationally expensive programs that are to be executed repeatedly as part of a resolved cycle.

IV. CONCLUDING REMARKS This paper has focused on the process of hierarchical construction of composite program and the capabilities that should be supported to facilitate this process. First, a formal characterization of this process was presented. A number of examples were given to illustrate the usefulness and necessity of cyclic

Fig. 9.

Stationary-set arcs for two cycles involving one common program.

composite programs, and hence, the possibility of deadlocks during their execution. Second, a comprehensive approach for the automatic treatment of cycles in the configuration schemata of composite programs was presented. The approach involved three steps: cycle identification, cycle testing, and cycle resolution. These capabilities have been implemented as part of a prototype system for the management of mathematical models [24]. Although the problem of finding all cycles in a graph is NPhard, we have proposed what can be a viable and practical solution for our purposes. The solution aims at reducing the size of the problem that has to be solved (i.e., the size of the graph). It is based on two ideas: 1) decomposing the problem by capitalizing on the fact that within our hierarchical, modular approach, most composite programs will be constructed hierarchically using few components at each level; and 2 ) further decomposition is achieved by partitioning a graph into its strong components. A major goal was to be able to test the safeness of cycles which have been found without having to actually execute the composite program. To make this possible, it was necessary to exclude from consideration atomic programs exhibiting input/output behavior that is nondeterministic, time-dependent, or data-dependent. We presented a behavior model of the communication behavior of a class of atomic programs whose code consists of an initialization section and a loop section, and whose loop section is twophased with respect to each cycle in which an instance of the atomic program is a node. Analysis of the model revealed properties which were used to: 1) provide a taxonomy of cycles; and 2 ) derive simple necessary and sufficient conditions for the deadliness of cycles in each class. This taxonomy and the test condition are based on an easily computed measure called the cycle net gain. It should be noted, however, that we were careful to define the deadliness of a cycle to mean that a deadlock will eventually arise in that cycle if no process exits its loop section (e.g., if the conditions at the bottom of the loop sections are always true). Finally, for a class of deadly cycles, called simultaneous cycles, we described a technique for resolving these cycles by augmenting them with a program implementing a fixedpoint algorithm. We also described how this cycle resolution process might be optimized. We must emphasize, however, that in using the fixed-point techniques there is no guarantee that a

IEhk

332

solution exists or that the fixed-point algorithm will converge if some solution exists. The questions of existence, uniqueness, and convergence have been the subject of much research by mathematicians (see [28] for example). These questions are outside the scope of this paper. There is another important issue that must be emphasized. Our focus in this paper has been on a particular kind of deadlock, namely, communication deadlock. There exists another kind of potential deadlock which we have thus far ignored. This form of deadlock is the traditional resource deadlock on resources other than buffers in the communication links, in which some process (an execution of a program) is waiting directly or indirectly for resources held by some other process that is in turn blocked waiting for a resource held by the first process. Policies for dealing with resource deadlocks (i.e., prevention, detection, and resolution) have long been the subject of considerable research in the areas of database and operating systems.

two distinct vertices U, and u J , there is at least one path going from U, to u J . Given any property P to characterize a graph, a maximal subgraph Gs of a graph G with respect to that property, is a subgraph which has this property, and there is no other subgraph Gs with V, IIV, and which also has the property. Thus, if the property is strong-connectedness, then a maximal strong subgraph of G is a strongly connected subgraph which is not contained in any other strong subgraph. Such a subgraph is called a strong component of G. Any graph may be partitioned into a set of strong components. Furthermore, this partition is unique, and some components may be one-vertex subgraphs.

APPENDIX B CONFIGURATION SCHEMATA Let M be a composite program version to be constructed by coupling a set S = {MO, MI,. . . , M,-l}(n > I)) of instances of

component programs. In the collection of components, a port is uniquely identified by a pair < m,p >, where m is an identifier for the unique program instance to which the port belongs, and p Standard graph theory terminologies [l],[17] have been used is the name of the port. For a program instance T , let I P T and throughout this paper. For the purpose of clarity and complete- OPT denote two disjoint sets whose elements are the names of ness, the following terms are repeated. A graph G = ( V , E ) T’s input ports and output ports, respectively. Define PT to be consists of a finite nonempty set of vertices V and set of edges the set formed by their union. E joining some or all of the vertices in V . If the edges have a A configuration scheme (CS) consists of two parts: a coudirection, they are called arcs and the resulting graph is called a pling subschema (CSS) and an interface subschema (ISS). Each directed graph. A graph with multiple (parallel) edges between subschema is a finite collection of links. A link is a pair of any of its vertices is called a multigraph. port identifiers (pids). Conceptually, the idea of a configuration In a directed multigraph (dimgraph), E consists of a collection scheme is simple. It describes how a composite program is of arcs uo,a l , . . . , unPl. Associated with each arc is an ordered realized by interconnecting a collection of instances of compair of initial and final vertices (U,w) indicating its direction. ponent programs. Such a linkage, however, should be done The number of arcs which have a vertex U, as their initial vertex in a disciplined manner to insure a valid configuration of the is called the outdegree of vertex u z , and similarly the number composite program. To this end, we impose a set of conditions to of arcs which have U, as their final vertex is called the indegree govern the nature of a valid configuration. These restrictions are of vertex U,. formalized in the following definitions. Most of the restrictions A path in a dimgraph is a sequence of arcs such that the are self-explanatory. Some, however, seem to warrant some final vertex of one arc in the sequence is the initial vertex of explanation. They are actually conventions adopted to add clarity the next arc. The length of a path is taken to be the number and discipline, as they do not result in any loss of generality. of arcs comprising it. A simple path is a path which does not For example, an output of some program is not to be fed as an use the same arc more than once. An elementary path is a path input to the same program, as this will be inconsistent with the which does not pass through the same vertex more than once. conceptual view of an input as an “exogenous” variable which (Obviously, an elementary path is also simple but the reverse is is determined by elements external to the program. One can get not necessarily true.) around this restriction only by explicit means involving the use A circuit is a path lo, I,, . . . , 1,-, in which the initial vertex of an intermediate program which simply passes, unchanged, the of lo coincides with the final vertex of &-,.A circuit is said data from its input port to its output port. to be simple or elementary if the path describing it is simple Also, we do not allow a port of some program to be directly or elementary, respectively. An elementary circuit which passes connected to more than one other port. In this way a coupling through all the vertices of a graph is known as a Hamiltonian scheme can be represented by a directed graph with each node circuit. Two circuits whose edge sequences are cyclic permuta- corresponding to a program instance, and having an indegree tions of each other are regarded as identical. In this paper, the and outdegree equal to that program’s number of input ports and terms cycle and elementary circuit are used interchangeably. (In output ports, respectively. standard terminology, a cycle is the nondirected counterpart of a Besides making a configuration scheme mirror a directed circuit.) A graph is said to be acyclic if it has no cycles. multigraph, this restriction has a more profound reason behind it. If G and H are graphs, H is a subgraph of G if all vertices and The arbitrary interleaving of one input from a number of sources edges of N are vertices and edges of G. Tho directed graphs G may lead to unintended nondeterministic behavior. Clearly, an and F are isomorphic if there exists a one-to-one correspondence explicit program acting as a “multiplexer” can be used to between their vertices which preserves their arcs. That is, G and indirectly link a number of output ports to a single input port. F are isomorphic if they have the same number p of vertices This, however, will not eliminate an existing nondeterministic and if one can order their points, respectively, u l . u2,. . . , up and behavior, since the output of such multiplexer, which is an u1,u2,... , u p so that for any i and j , there is a one-to-one arbitrary interleaving of its inputs, cannot be reproduced without correspondence between arcs from U, to 21, in G and arcs from making assumptions about the relative speeds of the sources U , to uj in F . generating its input. In contrast, linking one output port to many A directed graph is said to be strongly connected if for any input ports is less problematic; an output of one system can be

APPENDIX A GRAPHS-DEFINITIONS

MUHANNA COMPOSITE PROGRAMS

333

delivered indirectly to other systems by means of a “distributor” program. Theoretically, it is sufficient to define one standard distributor program which has One input port and two Output ports, all of the same type. The program (system) delivers two copies, one at each output port, for each datum received through its input port. A one to many mapping can be accomplished by simply coupling a number of distributor programs. Definition 1 : A link IC is a pair of end points (< m, p >, < m, , q >). IC is said to be well-formed if and only if the following hold: 1) m, and m3 are distinct; 2 ) p E P”., and q E P”’J; and 3 ) the two ports are data type compatible. There are two categories of well-formed links: coupling links and interface links. A coupling link is a one-directional communication link specifying a connection between an output port of one component program to an input port of another. An interface link associates the interface ports of the composite program M with the ports of its component programs’ instances. Definition 2: A link IC in CS is a coupling link if, and only i f 1) it is well-formed; 2 ) m,,m3 E S ; and 3) p E OP’”1, and q E IP”J. Definition 3: A link I; in CS is an interface link if, and only i f 1) it is well-formed; 2 ) m, = M . and m, E S ; and 3) either p E OP”. and q E O P ” J , or p E IP”‘. and q E IP“J . Definition 4: A coupling subschema (CSS) is a finite set of coupling links: CSS = { 1, , 1 2 , .... l k }. It is said to be consistent if and only if no port appears in more than one link. That is, CSS is a one-to-one partial function from the set of components’ output ports to the set of components’ input ports. C S S : S x OP’ + ~

n-1

S x I P S , where O P s =

U OP“.,

n-1

and I P S =

U IP’’..

2=0

Definition 5: A n interfacl subschema (ISS) is a finite set of interface links. It is said to be consistent if and only if no port identifier appears in more than one link. It said to be complete if each port identifier p i d E M x P” appears in at least one link. Definition 6: A configuration scheme CS is defined as follows: CS = C S S U I S S . A configuration scheme is said to be consistent if and only if no p i d appears in more than one link. It is therefore said to be complete if and only if each pzd E M x P.‘* U S x P s appears in at least one link. It is said to be complete and consistent if each such p i d appears in and only one link.

REFERENCES A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms. Reading, MA: Addison-Wesley, 1974. G.R. Andrews and F.B. Schneider, “Concepts and notations for concurrent programming,” ACM Comput. Surveys, vol. 15, no. 1, pp. 3-43, Mar. 1983. R. W. Blanning, “Issues in the design of relational model management systems,” in Proc. Nut. Computer Conf, 1983, pp. 359-401. -, “A relational framework for join implementation in model management systems,” Decision Support Syst., vol. 1, no. 1, pp. 69-81, Jan. 1985. K.M. Chandy, J. Misra, and L.M. Haas, “Distributed deadlock detection,”ACM Trans. Comput. Syst., vol. 1, no. 2, pp. 144-156, May 1983. E.G. Coffman, Jr., M.J. Elphick, and A. Shoshani, “System deadlocks,” ACM Comput. Surveys, vol. 3, no. 2, pp. 67-78, June 1971. T. DeMarco, Structured Analysis and System Specification. Englewood Cliffs, NJ: Prentice-Hall, 1979. E. W. Dijkstra, “Cooperating sequential processes,” in Programming Languages, F. Genuys, Ed. New York: Academic, 1968, pp. 43-112. D. R. Dolk and B. R. Konsynski, “Knowledge representation for model management systems,” ZEEE Trans. Software Eng., vol. SE-10, no. 6, pp. 619-628, Nov. 1984.

[IO] A. Dutta and A. Basu, “An artificial intelligence approach to model management in decision support systems,” Computer, vol. 17, no. 9, pp. 89-97, Sept. 1984. [11] J. J. Elam, J. C. Henderson, and L. W. Miller, “Model management systems: An approach to decision support in complex organizations,” in Proc. 1st Int. Conf Information Systems, Dec. 1980, pp. 98-110. G. Estrin, R. S. Fenchel, R. R. Razouk, and M. K. Vernon, “SARA (system architects apprentice): Modeling, analysis, and simulation support for design of concurrent systems,” IEEE Trans. Software Eng., vol. SE-12, no. 2, pp. 293-311, Feb. 1986. M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. San Francisco, CA: Freeman, 1979. I. S. Gopal, “Prevention of store-and-forward deadlock in computer networks.” IEEE Trans. Commun.. vol. COM-33, no. 12, pp. 1258-1264, Dec. 1985. [15] K. D. Gunther, “Prevention of deadlocks in packet-switched data transuort svstems.” IEEE Trans. Commun., vol. COM-29, no. 4, pp. i12-554, Apr. 1981. 1161 A. N. Habermann. “Prevention of system deadlocks,” Commun. ACM, vol. 12, no: 7, pp. 373-377, july 1969. [17] F. Harary, Graph Theory. Reading, MA: Addison-Wesley, 1969. -1181 - J. W. Havender, “Avoiding deadlock in multitasking systems,” IBM Syst. J . , vol. 7, no. 2, p p 74-84, 1968. [I91 R. C . Holt, “Some deadlock properties of computer systems,”ACM Comput. Surveys, vol. 4, no. 3, pp. 179-196, Sept. 1972. [20] G. Kahn, “The semantics of a simple language for parallel programming,” in Proc. IFIP 74. Amsterdam, The Netherlands: North-Holland, Aug. 1974, pp. 471 -475. [21] T.-P. Liang, “Integrating model management with data management in decision support systems,” Decision Support Syst., vol. 1, no. 3, pp. 221-232, 1985. [22] M. Maekawa, A.E. Oldehoeft, and R.R. Oldehoeft, Operating Systems: Advanced Concepts. Menlo Park, CA: Benjamin/Cummings, 1987. [23] F. Mattern, “Algorithms for distributed termination detection,” Distributed Comput., vol. 2, pp. 161- 175, 1987. [24] W.A. Muhanna, “A systems framework for model management in organizations,” Ph.D. dissertation, Univ. Wisconsin-Madison, Dec. 1987. [25] W. A. Muhanna and R. A. Pick, “Composite models in SYMMS,” in Proc. 21stAnnu. Hawaii Int. Conf System Sciences, Jan. 1988, pp. 418-427. [26] J.L. Peterson, Petri Net Theory and the Modeling of Systems. Englewood Cliffs, N J : Prentice-Hall, 1981. [27] V. Ramachandran, “Finding a minimum feedback arc set in reducible flow graphs,” J. Algorithms, vol. 9, pp. 299-313, 1988. [28] H.E. Scarf, The Computation of Economic Equilibria. New Haven, CT: Yale University Press, 1973. [29] R. E. Tarjan, “Depth-first search and linear graph algorithms,” SIAM J . Comput., vol. 1, no. 2, pp. 146-160, 1972. [30] S . S . Yau and M. U. Caglayan, “Distributed software system design representation using modified Petri nets,” IEEE Trans. Software Eng., vol. SE-9, no. 6, pp. 733-745, Nov. 1983. [31] B. P. Zeigler, Multifaceted Modelling and Discrete Event Simulation. London: Academic, 1984.

__

L

1

Waleed A. Muhanna received the B.S. degree

(with University Honors) in computer science from the University of Tulsa, Tulsa, OK, in 1981, and the M.S. degree in computer science and the Ph.D. degree in management information systems from the University of Wisconsin-Madison, in 1985 and 1987, respectively. He is now an Assistant Professor of Information Systems at The Ohio State University, Columbus. His current research interests are in the areas of distributed computing systems, decision support systems, model and database management systems, scheduling, and performance modeling. Dr. Muhanna is a member of the Association for Computing Machinery, the IEEE Computer Society, TIMS, and ORSA.

Composite programs: hierarchical construction, circularity, and ...

Composite programs: hierarchical construction, circularity, and ...

Suggest Documents

Construction programs and residential mobility

Hierarchical MoS2-Coated V2O3 composite

Composite construction

Level Circularity

Morphology-controlled construction of hierarchical

Construction and evaluation of fibrillar composite

Lecture 1.1: Composite Construction General

Hierarchical Composite Structures Prepared by Electrophoretic ...

Composite Hierarchical Anti-Disturbance Control with ... - MDPI

Hierarchical Li4Ti5O12-TiO2 composite microsphere consisting of

performance improvement programs and lean construction - IGLC

mapping parallel programs into hierarchical distributed computer

Hierarchical Pointer Analysis for Distributed Programs

Computer Programs for Performing Hierarchical - CiteSeerX

Computer Programs for Performing Hierarchical - CiteSeerX

Hierarchical Tracing of Concurrent Programs 1 ... - CiteSeerX

Improving Sustainability and Circularity of European ...

ScienceDirect Estimation of circularity, cylindricity and ...

Parallel BVH Construction using Progressive Hierarchical ... - DCGI

Optimal Hierarchical Adaptive Mesh Construction ...

AXIOMATIC CONSTRUCTION OF HIERARCHICAL CLUSTERING IN ...

Construction of a Hierarchical]Â¥ anslation Memory

Automated Hierarchical POMDP Construction through ... - CiteSeerX

Autonomous Construction of Hierarchical Voronoi ... - Semantic Scholar