Tranquillity: A Low Disruptive Alternative to Quiescence for Ensuring Safe Dynamic Updates Yves...

  • date post

    21-Dec-2015

Tranquillity: A Low Disruptive Alternative to Quiescence for Ensuring Safe Dynamic Updates

Yves Vandewoude, Peter Ebraert, Yolande Berbers, Member, IEEE, Theo D’Hondt, Member, IEEE

Abstract

Kramer and Magee: Placing a system in a consistent state before and after runtime changes. Quiescence as a necessary and sufficient condition.

Tranquillity: A weaker condition, easier to obtain and less disruptive for the running application, but still a sufficient condition.

Content

The Concept of Quiescence
The Concept of Tranquillity
Reachability of the Tranquillity Condition
Implementation of Component Middleware

Quiescence

Nodes - System entities
Arcs - Connections between entities

Active status: A node can initiate, accept, and service transactions.

Passive status: A node must continue to accept and service transactions, but

1. It is not currently engaged in a transaction that it initiated, and
2. It will not initiate new transactions.

Quiescence (cont.)

Definition (Quiescence): A node has a quiescent status if

1. It is not currently engaged in a transaction that it initiated,
2. It will not initiate new transactions,
3. It is not currently engaged in servicing a transaction, and
4. No transactions have been or will be initiated by other nodes that require service from this node.

The node to be updated should be put in passive status.

The same holds for every node that is directly or indirectly capable of initiating transactions on this node.

Tranquillity

Definition (Tranquillity): A node N is in a tranquil status if

1. It is not currently engaged in a transaction that it initiated,
2. It will not initiate new transactions,
3. It is not actively processing a request, and
4. None of its adjacent nodes are engaged in a transaction in which it has both already participated and might still participate in the future.

Quiescence is a stronger concept than tranquillity.

Tranquillity has the distinct advantage that it is much less disruptive than quiescence.
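The two definitions side by side, as an added Python model that is not code from the paper or from DRACO. The `Txn` and `System` classes, the `blocked` set and the three-node graph are constructed for illustration; the demo shows a node that is tranquil but not quiescent, one that is neither, and one that is both.

```python
from dataclasses import dataclass, field

@dataclass
class Txn:
    initiator: str
    done: list            # nodes that have already participated
    pending: list         # nodes that might still participate
    servicing: str = ""   # node processing a request right now, if any

@dataclass
class System:
    arcs: dict                                  # node -> nodes it can initiate on
    blocked: set = field(default_factory=set)   # nodes told not to initiate
    txns: list = field(default_factory=list)    # transactions in flight

    def passive(self, n):
        # Conditions 1 and 2 of both definitions.
        return n in self.blocked and all(t.initiator != n for t in self.txns)

    def ancestors(self, n):
        # Nodes directly or indirectly capable of initiating transactions on n.
        seen, stack = set(), [n]
        while stack:
            cur = stack.pop()
            new = {s for s, d in self.arcs.items() if cur in d} - seen
            seen |= new
            stack.extend(new)
        return seen - {n}

    def tranquil(self, n):
        # Conditions 3 and 4: idle, and no transaction n has joined and may rejoin.
        return self.passive(n) and not any(
            t.servicing == n or (n in t.done and n in t.pending) for t in self.txns)

    def quiescent(self, n):
        # Conditions 3 and 4: idle, nothing in flight needs n, ancestors passive.
        return (self.passive(n)
                and not any(t.servicing == n or n in t.pending for t in self.txns)
                and all(self.passive(a) for a in self.ancestors(n)))

def demo():
    # Constructed graph: A can call N, N can call B; only N has been blocked.
    s = System({"A": {"N"}, "N": {"B"}}, {"N"}, [Txn("A", [], ["N"])])
    fresh = (s.tranquil("N"), s.quiescent("N"))     # A's call has not reached N yet
    s.txns = [Txn("A", done=["N"], pending=["N"])]  # N took part, may be called again
    midway = (s.tranquil("N"), s.quiescent("N"))
    s.txns, s.blocked = [], {"A", "N"}              # nothing in flight, A blocked too
    return fresh, midway, (s.tranquil("N"), s.quiescent("N"))
```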

Reachability of Tranquillity Condition

Tranquillity does not always occur in bounded time. In such cases, an implementation of the tranquillity condition must provide a fallback mechanism to quiescence.

When node N is in a tranquil state, all interactions with that node must be blocked. This is not the case with quiescence.

Implementation of Component Middleware

A prototype implementation was developed as an extension to a general-purpose component middleware platform: DRACO.

The DRACO Component Methodology

In DRACO, components are units of functionality that are implemented as a highly cohesive group of Java classes.

Interconnection between components is achieved by means of connectors.

Components are considered the nodes, and connectors the arcs, of the directed graph.

Extensible Middleware Platform

The DRACO middleware offers an extensive API that can be used by extension modules to change the behavior of the core system.

5 core modules:

1. The Component manager: loading and instantiating component instances
2. The Message manager: message delivery
3. The Scheduler: scheduling messages
4. The Connector manager: (dis)connecting ports
5. The Module manager: adding extension modules

Message Delivery

Achieved in 3 stages:

The message is transmitted by the originating component. It passes through a sequence of message handlers until it is handed to the scheduler.

The message awaits its execution inside a message queue of the scheduler.

Message Delivery (cont.)

The scheduler’s worker threads continuously fetch messages, pass them through a handler chain and finally deliver them. The order of messages is preserved and they are delivered sequentially.

Live Update Extension Module (LUM)

An extension of the core DRACO system that allows components to be replaced by a new version at runtime.

The following steps are carried out to bring the module back to quiescence if tranquillity is not attained:

1. Enforcing passivity
2. Ensuring the additional tranquillity constraint
3. Fallback to quiescence


Fallback to Quiescence

LUM keeps an internal timer. If tranquillity has not been reached for component C, the system falls back to quiescence.

Definition (Dependent Transaction): A dependent transaction is a two-party transaction whose completion may depend on the completion of other consequent transactions.

Fallback to Quiescence (cont.)

Definition (Generalized Passive Status): A component in the generalized passive status must accept and service transactions and initiate consequent transactions, but

1. It is not currently engaged in a (nonconsequent) transaction that it initiated, and

2. It will not initiate new (nonconsequent) transactions.

Algorithm

Algorithm 1 Receive(m)

    if tag(m) part of InitialList then
        messageThread ← current thread
        outId ← 0
        struct ← < messageThread; C; tag(m); outId >
        Execute(m)
        Rebuild InitialList
        if InitialList is empty then
            Quiescence Reached
        end if
    else
        // Not part of an ongoing transaction
        Queue(m) at the deliveryMessageHandler
    end if
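Algorithm 1 run over a message stream, as an added Python sketch that is not the paper's or DRACO's code. The `FallbackGate` class, its `release` method and the `execute` callback are hypothetical; the per-message thread/outId struct is left out, and InitialList is assumed to be rebuilt by dropping a tag once `execute` reports that its transaction ended.

```python
from collections import deque

class FallbackGate:
    """Simplified Receive(m) for component C during the fallback to quiescence."""

    def __init__(self, initial_list, execute):
        self.initial = set(initial_list)  # tags of transactions already in progress
        self.execute = execute            # runs a message; True if it ended its transaction
        self.held = deque()               # messages queued until the update is done
        self.quiescent = not self.initial

    def receive(self, tag, body):
        if tag in self.initial:
            # Part of an ongoing transaction: execute it so the transaction can end.
            if self.execute(tag, body):
                self.initial.discard(tag)  # assumed way of rebuilding InitialList
            self.quiescent = not self.initial
        else:
            # Not part of an ongoing transaction: queue it, keeping arrival order.
            self.held.append((tag, body))
        return self.quiescent

    def release(self, deliver):
        # Hypothetical step after the swap: hand queued messages over in order.
        while self.held:
            deliver(*self.held.popleft())

def demo():
    log = []
    def execute(tag, body):
        log.append(("run", tag, body))
        return body == "commit"       # constructed rule: "commit" ends a transaction
    gate = FallbackGate({"t1", "t2"}, execute)
    stream = [("t1", "step"), ("t9", "begin"), ("t2", "commit"),
              ("t1", "commit"), ("t7", "begin")]   # constructed message stream
    reached_at = None
    for i, (tag, body) in enumerate(stream):
        if gate.receive(tag, body) and reached_at is None:
            reached_at = i            # index of the message that emptied InitialList
    gate.release(lambda tag, body: log.append(("new", tag, body)))
    return reached_at, log
```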

Conclusion

Tranquillity causes much less disruption than quiescence.

Tranquillity allows the replacement of nodes at times when it is semantically safe to do so, even when the quiescence condition does not hold.