Showing papers in "IEEE Transactions on Software Engineering in 1979"
TL;DR: This work proposes a distributed solution where processes communicate only through messages with their neighbors; there are no shared variables and there is no central process for message routing or process scheduling.
Abstract: The problem of system simulation is typically solved in a sequential manner due to the wide and intensive sharing of variables by all parts of the system. We propose a distributed solution where processes communicate only through messages with their neighbors; there are no shared variables and there is no central process for message routing or process scheduling. Deadlock is avoided in this system despite the absence of global control. Each process in the solution requires only a limited amount of memory. The correctness of a distributed system is proven by proving the correctness of each of its component processes and then using inductive arguments. The proposed solution has been empirically found to be efficient in preliminary studies. The paper presents formal, detailed proofs of correctness.
1,005 citations
TL;DR: In this paper, the most critical step is the design of a software structure called the " uses" relation, and some criteria for design decisions are given and illustrated using a small example.
Abstract: Designing software to be extensible and easily contracted is discussed as a special case of design for change. A number of ways that extension and contraction problems manifest themselves in current software are explained. Four steps in the design of software that is more flexible are then discussed. The most critical step is the design of a software structure called the " uses" relation. Some criteria for design decisions are given and illustrated using a small example. It is shown that the identification of minimal subsets and minimal extensions can lead to software that can be tailored to the needs of a broad variety of users.
838 citations
TL;DR: The purposes of this paper are to cast k-D trees in a database framework, to collect the results on k-d trees that have appeared since the structure was introduced, and to show how the basic data structure can be modified to facilitate implementation in large (and very large) databases.
Abstract: The multidimensional binary search tree (abbreviated k-d tree) is a data structure for storing multikey records. This structure has been used to solve a number of "geometric" problems in statistics and data analysis. The purposes of this paper are to cast k-d trees in a database framework, to collect the results on k-d trees that have appeared since the structure was introduced, and to show how the basic data structure can be modified to facilitate implementation in large (and very large) databases.
463 citations
TL;DR: In this article, the authors present algorithms for ensuring the consistency of a distributed relational data base subject to multiple concurrent updates and mechanisms to correctly update multiple copies of objects and to continue operation when less than all machines in the network are operational.
Abstract: This paper contains algorithms for ensuring the consistency of a distributed relational data base subject to multiple, concurrent updates. Also included are mechanisms to correctly update multiple copies of objects and to continue operation when less than all machines in the network are operational. Together with [4] and [12], this paper constitutes the significant portions of the design for a distributed data base version of INGRES.
342 citations
TL;DR: This paper delineates the programs representable by an acyclic call graph and presents an algorithm for constructing it using the property that its nodes may be linearly ordered and proves the correctness of the algorithm.
Abstract: The proliferation of large software systems written in high level programming languages insures the utility of analysis programs which examine interprocedural communications. Often these analysis programs need to reduce the dynamic relations between procedures to a static data representation. This paper presents one such representation, a directed, acyclic graph named the call graph of a program. We delineate the programs representable by an acyclic call graph and present an algorithm for constructing it using the property that its nodes may be linearly ordered. We prove the correctness of the algorithm and discuss the results obtained from an implementation of the algorithm in the PFORT Verifier [1].
304 citations
TL;DR: Three software complexity measures (Halstead's E, McCabe's u(G), and the length as measured by number of statements) were compared to programmer performance on two software maintenance tasks and correlated with both the accuracy of the modification and the time to completion.
Abstract: Three software complexity measures (Halstead's E, McCabe's u(G), and the length as measured by number of statements) were compared to programmer performance on two software maintenance tasks. In an experiment on understanding, length and u(G) correlated with the percent of statements correctly recalled. In an experiment on modification, most significant correlations were obtained with metrics computed on modified rather than unmodified code. All three metrics correlated with both the accuracy of the modification and the time to completion. Relationships in both experiments occurred primarily in unstructured rather than structured code, and in code with no comments. The metrics were also most predictive of performance for less experienced programmers. Thus, these metrics appear to assess psychological complexity primarily where programming practices do not provide assistance in understanding the code.
294 citations
TL;DR: It is shown why locking mechanisms lead to correct operation, it is shown that two proposed mechanisms for distributed environments are special cases of locking, and a new version of lockdng is presented that alows more concurrency than past methods.
Abstract: An arbitrary interleaved execution of transactions in a database system can lead to an inconsistent database state. A number of synchronization mechanisms have been proposed to prevent such spurious behavior. To gain insight into these mechanisms, we analyze them in a simple centralized system that permits one read operation and one write operation per transaction. We show why locking mechanisms lead to correct operation, we show that two proposed mechanisms for distributed environments are special cases of locking, and we present a new version of lockdng that alows more concurrency than past methods. We also examine conflict graph analysis, the method used in the SDD-1 distributed database system, we prove its correctness, and we show that it can be used to substantially improve the performance of almost any synchronization mechanisn.
248 citations
TL;DR: The integration of a query processing subsystem into a distributed database management system is discussed and simple algorithms are presented that derive distribution strategies which have minimal response time and minimal total time, for a special class of queries.
Abstract: Query processing in a distributed system requires the transmission f data between computers in a network. The arrangement of data transmissions and local data processing is known as a distribution strategy for a query. Two cost measures, response time and total time are used to judge the quality of a distribution strategy. Simple algorithms are presented that derive distribution strategies which have minimal response time and minimal total time, for a special class of queries. These optimal algorithms are used as a basis to develop a general query processing algorithm. Distributed query examples are presented and the complexity of the general algorithm is analyzed. The integration of a query processing subsystem into a distributed database management system is discussed.
216 citations
TL;DR: The various models of exception handUlng, the syntax and semantics of the CLU mechanism, and methods of implementing the mechanism and integrating it in debugging and production environments are discussed.
Abstract: For programs to be reliable and fault tolerant, each program module must be defined to behave reasonably under a wide variety of circumstances. An exception handling mechanism supports the construction of such modules. This paper descnbes an exception handling mechanism developed as part of the CLU programming language. The CLU mechanism is based on a simple model of exception handling that leads to well-structured programs. It is engineered for ease of use and enhanced program readability. This paper discusses the various models of exception handUlng, the syntax and semantics of the CLU mechanism, and methods of implementing the mechanism and integrating it in debugging and production environments.
206 citations
TL;DR: A simple language independent concept is put forward as a measure of control flow complexity in program text and is then developed for use as a measures of unstructuredness.
Abstract: This paper discusses the need for measures of complexity and unstructuredness of programs. A simple language independent concept is put forward as a measure of control flow complexity in program text and is then developed for use as a measure of unstructuredness. The proposed metric is compared with other metrics, the most notable of which is the cyclomatic complexity measure. Some experience with automatic tools for obtaining these metrics is reported.
203 citations
TL;DR: In this article, two protocols for the detection of deadlocks in distributed data bases are described: a hierarchically organized one and a distributed one based on a graph model which depicts the state of execution of all transactions in the system is used.
Abstract: This paper descrbes two protocols for the detection of deadlocks in distributed data bases–a hierarchically organized one and a distributed one. A graph model which depicts the state of execution of all transactions in the system is used by both protocols. A cycle in this graph is a necessary and sufficient condition for a deadlock to exist. Nevertheless, neither protocol requires that the global graph be built and maintained in order for deadlocks to be detected. In the case of the hierarchical protocol, the communications cost can be optimized if the topology of the hierarachy is appropriately chosen.
TL;DR: The approximate stationary state probabilities are identified with the solution of a nonlinear system and are applicable to a larger class of queueing networks (dependent routing matrix, stations with fimite capacity, etc.).
Abstract: In this paper, we present an approximate solution for the asymptotic behavior of relatively general queueing networks. In the particular case of networks with general service time distributions (i.e., fixed routing matrix, one or many servers per station, FIFO discipline), the application of the method gives relatively accurate results in a very short time. The approximate stationary state probabilities are identified with the solution of a nonlinear system. The proposed method is applicable to a larger class of queueing networks (dependent routing matrix, stations with fimite capacity, etc.). In this case, the structure of the network studied must satisfy certain decomposability conditions.
TL;DR: It is shown that network flow algorithms may be used to find a dynamic assignment that minimizes the sum of module execution costs, module residence costs, intermodule communication costs, and module reassignment costs.
Abstract: The problem of finding an optimal dynamic assignment of a modular program for a two-processor system is analyzed. Stone's formulation of the static assignment problem is extended to include the cost of dynamically reassigning a module from one processor to the other and the cost of module residence without execution. By relocating modules during the course of program execution, changes in the locality of the program can be taken into account. It is shown that network flow algorithms may be used to find a dynamic assignment that minimizes the sum of module execution costs, module residence costs, intermodule communication costs, and module reassignment costs. Techniques for reducing the size of the problem are described for the case where the costs of residence are negligible.
TL;DR: In this paper various path cover problems, arising in program testing, are discussed and it is shown that rmding a minimum path cover for a set of required pairs is NP-hard.
Abstract: In this paper various path cover problems, arising in program testing, are discussed. Dilworth's theorem for acyclic digraphs is generalized. Two methods for fmding a minimum set of paths (minimum path cover) that covers the vertices (or the edges) of a digraph are given. To model interactions among code segments, the notions of required pairs and required paths are introduced. It is shown that rmding a minimum path cover for a set of required pairs is NP-hard. An efficient algorithm is given for findng a minimum path cover for a set of required paths. Other constrained path problems are contsidered and their complexities are discussed.
TL;DR: Deductive techniques are presented for deriving programs systematically from given specifications and have been incorporated in a running program-synthesis system, called DEDALUS.
Abstract: Deductive techniques are presented for deriving programs systematically from given specifications. The specifications express the purpose of the desired program without giving any hint of the algorithm to be employed. The basic approach is to transform the specifications repeatedly according to certain rules, until a satisfactory program is produced. The rules are guided by a number of strategic controls. These techniques have been incorporated in a running program-synthesis system, called DEDALUS.
TL;DR: Two naive tree drawers are surveyed, formalize aesthetics for tidy trees, and two algorithms which draw tidy trees are discussed, one of which may be shown to require the minimum possible paper width.
Abstract: Trees are extremely common data structures, both as internal objects and as models for program output. But it is unusual to see a program actually draw trees for visual inspection. Although part of the difficulty lies in programming graphics devices, most of the problem arises because naive algorithms to draw trees use too much drawing space and sophisticated algorithms are not obvious. We survey two naive tree drawers, formalize aesthetics for tidy trees, and descnbe two algorithms which draw tidy trees. One of the algorithms may be shown to require the minimum possible paper width. Along with the algorithms proper, we discuss the reasoning behind the algorithm development.
TL;DR: An experiment in software error data collection and analysis was conducted in order to study relationships between complexity measures and error charateristics under conditions where the error data could be carefully defined and collected.
Abstract: The propensity to make programming errors and the rates of error detection and correction are dependent on program complexity. Knowledge of these relationships can be used to avoid errorprone structures in software design and to devise a testing strategy which is based on anticipated difficulty of error detection and correction. An experiment in software error data collection and analysis was conducted in order to study these relationships under conditions where the error data could be carefully defined and collected. Several complexity measures which can be defined in terms of the directed graph representation of a program, such as cyclomatic number, were analyzed with respect to the following error characteristics: errors found, time between error detections, and error correction time. Signifiant relationships were found between complexity measures and error charateristics. The meaning of directed grph structural properties in terms of the complexity of the programming and testing tasks was examined.
TL;DR: A symbolic evaluator uses conditional expressions to represent the uncertainty that arises from branching and develops and attempts to solve recurrence relations that describe the behavior of loop variables.
Abstract: Symbolic evaluation is a form of static program analysis in which symbolic expressions are used to denote the values of program variables and computations. It does not require the user to specify which path at a conditional branch to follow nor how many cycles of a loop to consider. Instead, a symbolic evaluator uses conditional expressions to represent the uncertainty that arises from branching and develops and attempts to solve recurrence relations that describe the behavior of loop variables.
TL;DR: A method for detecting a data flow anomaly in a program iB an indication that a programming error might have been committed by means of program instrumentation is described.
Abstract: A data flow anomaly in a program iB an indication that a programming error might have been committed. This paper descibes a method for detecting such an anomiay by means of program instrumentation. The method is conceptually simple, easy to use, easy toimplement on a computer, and can be applied in conjunction with a conventional program test to achieve increased error-detection capability.
TL;DR: This paper presents a method for automatically analyzing loops, and discusses why it is a useful way to look at loops and the relationship between the structure building methods presented and programming language constructs.
Abstract: This paper presents a method for automatically analyzing loops, and discusses why it is a useful way to look at loops. The method is based on the idea that there are four basic ways in which the logical structure of a loop is built up. An experiment is presented which shows that this accounts for the structure of a large class of loops. The paper discusses how the method can be used to automatically analyze the structure of a loop, and how the resulting analysis can be used to guide a proof of correctness for the loop. An automatic system is described which performs this type of analysis. The paper discusses the relationship between the structure building methods presented and programming language constructs. A system is described which is designed to assist a person who is writing a program. The intent is that the system will cooperate with a programmer throughout aUl phases of work on a program and be able to communicate with the programmer about it.
TL;DR: This paper presents a specification language, implementation mechanism, and proof techniques for problems involving the arbitration of concurrent requests to shared protected resources whose integrity must be preserved through the serializer.
Abstract: This paper presents a specification language, implementation mechanism, and proof techniques for problems involving the arbitration of concurrent requests to shared protected resources whose integrity must be preserved. This mechanism is the serializer, which may be described as a kind of protection mechanism, in that it prevents improper orders of access to a protected resource. Serializers are a more structured form of the monitor mechanism of Brinch Hansen and Hoare.
TL;DR: The maximum throughput for a virtual memory operating system and for a node-to-node protocol in a computer network are obtained and are used for the performance evaluation of computer systems.
Abstract: A tandem queueing system with blocking due to finite waiting room is considered. Maximum throughput is studied by an approximation for several cases. The service time can depend on the number of customers; intermediate arrivals can also be allowed. Some special models with two stations in sequence and blocking are examined. These models are used for the performance evaluation of computer systems. In particular, the maximum throughput for a virtual memory operating system and for a node-to-node protocol in a computer network are obtained.
TL;DR: The following analysis techniques are presented: finding the probability distribution of execution time, deriving bounds on mean execution time using order statistics, finding asymptotic mean speedup, and using approximations.
Abstract: Efficient algorithms for asynchronous multiprocessor systems must achieve a balance between low process communication and high adaptability to variations in process speed. Algorithms that employ problem decomposition may be classified as static (in which decomposition takes place before execution) and dynamic (in which decomposition takes place during execution). Static and dynamic algorithms are particularly suited for low process communication and high adaptability, respectively. For static algorithms the following analysis techniques are presented: finding the probability distribution of execution time, deriving bounds on mean execution time using order statistics, finding asymptotic mean speedup, and using approximations. For dynamic algorithms the technique of modeling using a queueing system is presented. For each technique, an example application to parallel sorting is given.
TL;DR: A model to estimate the number of bugs remaining in a system at the beginning of the testing and integration phases of development, based on software science metrics, is presented.
Abstract: A major portion of the problems associated with software development might be blamed on the lack of appropriate tools to aid in the planning and testing phases of software projects. As one step towards solving this problem, this paper presents a model to estimate the number of bugs remaining in a system at the beginning of the testing and integration phases of development. The model, based on software science metrics, was tested using data currently available in the literature. Extensions to the model are also presented which can be used to obtain such estimates as the expected amount of personnel and computer time required for project validation.
TL;DR: The ability to objectively assess the clarity of a program is essential in order to rationally develop useful engineering guidelines for efficient software production and language development.
Abstract: The sharply rising cost incurred during the production of quality software has brought with it the need for the development of new techniques of software measurement. In particular, the ability to objectively assess the clarity of a program is essential in order to rationally develop useful engineering guidelines for efficient software production and language development.
TL;DR: This paper presents a mechanism which allows a type manager to authenticate and reinstantiate migrated objects and solves some problems stemming from the hierarchical structure of the system itself.
Abstract: When typed objects migrate in virtual memory, onto off-ine storage, or among the nodes of a network, the type managers must relinguish control over the object representation and state. In this paper we present a mechanism which allows a type manager to authenticate and reinstantiate migrated objects. This mechanism also solves some problems stemming from the hierarchical structure of the system itself. The mechanism is based on a combination of cryptographic techniques using (nondistributable) centralized, secret keys, and data redundancy which characterizes the object representation and state.
TL;DR: A system to systematically compare the performance of various methods (software modules) for the numerical solution of partial differential equations to obtain confidence in the results and its portability allows others to check or extend the measurements.
Abstract: This paper describes a system to systematically compare the performance of various methods (software modules) for the numerical solution of partial differential equations. We discuss the general nature and large size of this performance evaluation problem and the data one obtains. The system meets certain design objectives that ensure a valid experiment: 1) precise definition of a particular measurement; 2) uniformity in defimition of variables entering the experiment; and 3) reproducibility of results. The ease of use of the system makes it possible to make the large sets of measurements necessary to obtain confidence in the results and its portability allows others to check or extend the measurements. The system has four parts: 1) semiautomatic generation of problems for experimental input; 2) the ELLPACK system for actually solving the equation; 3) a data management system to organize and access the experimental data; and 4) data analysis programs to extract graphical and statistical summaries from the data.
TL;DR: This paper examines Hoare's concepts in greater detail by concentrating on the following two issues: 1) allowing both input and output commands to appear in guards, 2) sinple abstract implementation of the input andoutput constructs.
Abstract: Recent advances in technology have made the construction of general-purpose systems out of many small independent microprocessors feasible. One of the issue's concerning distributed systems is the question of appropriate language constructs for the handling of communication and synchronization. In his paper, "Communicating sequential processes," Hoare has suggested the use of the input and output constructs and Dijkstra's guarded commands to handle these two issues. This paper examines Hoare's concepts in greater detail by concentrating on the following two issues: 1) allowing both input and output commands to appear in guards, 2) sinple abstract implementation of the input and output constructs.
TL;DR: This paper results from an attempt to unify several different file system design theories and shows that for both partial and best match queries, the file systems exhibit a common characteristic: similar records are grouped together.
Abstract: This paper results from an attempt to unify several different file system design theories. We define a term "partial match pattern" and show that in order to produce file systems optimal with respect to partial match patterns, both the multikey hashing (MKH) method [16] and the multidimensional directory (MDD) method [11] must be in such a form that the number of subdivisions is the same for all domains of keys. We show the conditions for the string homomorphism hashing (SHH) method [15], the MKH method, and the MDD method to be equivalent to one another. We define the so-called Cartesian product files and show that if all records are present, the records in a Cartesian product file form a shortest spanning path in which the Hamming distance between every pair of consecutive records is 1. Thus the SHH method, the MKH method, the MDD method, and the multikey sorting (MKS) method [10] are linked together. Finally, we show that for both partial and best match queries, the file systems exhibit a common characteristic: similar records are grouped together.
TL;DR: In this paper, a capability propagation graph is maintained in memory spaces associated with subjects that make copies of the respective capability; the graph remains inaccessible to those subjects, however parallel processes of the operating system update the graph as the system runs.
Abstract: The problems of review and revocation of access privileges are presented in the context of the systems that use capabilities for the long-term distribution of access privileges An approach that solves both of these problems in their-most general form is presented in this paper The approach requires that a capability propagation graph be maintained in memory spaces associated with subjects (eg, domains, processes, etc) that make copies of the respective capability; the graph remains inaccessible to those subjects, however Parallel processes of the operating system update the graph as the system runs