Dynamic Module Replacement in a Distributed Programming System

``Dynamic Module Replacement in a Distributed Programming System'' by Toby Bloom. Ph.D. dissertation, MIT, 1983, 134 pages. Also available as MIT LCS Tech. Report 303.
Annotation: Bloom's thesis describes reconfiguration in Argus, a strongly-typed distributed system composed of modules called ``guardians.'' A guardian resides at a single node and is composed of a set of processes and a set of state variables. State can be either volatile or stable; stable state is guaranteed to survive crashes. A guardian's interface is a set of handlers (i.e., RPCs). Handlers are implemented using atomic actions (i.e., transactions) that guarantee consistency, even across multiple guardians at different nodes. Bloom's work addresses the problem of replacing implementations in this environment. The smallest unit of replacement is a single guardian. Subsystems, which are composed of multiple guardians, may also be replaced atomically. To support this, Bloom defines the interface of a subsystem as a subset of the handlers of the guardians in that subsystem. Bloom also defines a formal model to determine which replacements are legal: the legal replacements are those that preserve or invisibly extend the replaced subsystem's continuation abstraction. Bloom presents several examples of replacements that seem intuitively legal but that actually violate this condition. For example, replacing a unique ID generator may violate future behavior by repeating an ID. Extending an abstraction by adding a ``delete'' operation may break clients that depend on data existing forever (i.e., that only check for existence once). Bloom also argues that successive replacements can eventually restrict a continuation abstraction until no more replacements are possible. The actual mechanisms used to replace subsystems allow a user to manually locate, add, remove, and restart guardians; get, put, and optionally translate their state; and fetch and rebind handlers. A sequence of these actions composes a replacement transaction; this transaction may either wait until it can acquire an exclusive lock on all required guardians or preempt and abort other clients' transactions.
Bloom does not detail an implementation and cites the need for a higher-level user interface to replacement.

BibTeX entry:

@phdthesis{bloom83dynamic,
   author = {Toby Bloom},
   title = {Dynamic Module Replacement in a Distributed Programming System},
   school = {MIT},
   type = {{Ph.D.}},
   pages = {134},
   year = {1983},
   note = {Also available as MIT LCS Tech. Report 303},
   url = {http://citeseer.ist.psu.edu/bloom83dynamic.html}
}


Sameer Ajmani