Tranquillity: A Low Disruptive
Alternative to Quiescence for
Ensuring Safe Dynamic Updates
Yves Vandewoude
Peter Ebraert, yolande Berbers, Member, IEEE
Theo D’Hondt, Member, IEEE
Abstract
Kramer and Magee: Placing a system in a
consistent state before and after runtime
changes. Quiescence as a necessary and
sufficient condition.
 Tranquillity: A weaker condition easier to
obtain and less disruptive for the running
application but still a sufficient condition.

Content
The Concept of Quiescence
 The Concept of tranquillity
 Reachability of the Tranquillity Condition
 Implementation of Component
Middleware

Quiescence
Nodes - System entities
 Arcs – Connection between entities
Active Status: A node can initiate, accept,
and service transactions.
Passive Status: A node must continue to
accept and service transactions but,
1. It is not currently engaged in a
transaction that it initiated and
2. It will not initiate new transaction.

Quiescence cond…
Definition (Quiescence): A node has a quiescence status if,
1. It is not currently engaged in a transaction that it initiated,
2. It will not initiate new transaction,
3. It is not currently engaged in servicing a transaction, and
4. No transaction have been or will be initiated by other nodes
that require service from this node.
The node to be updated should be put in passive status.
 But, also this is the case for all node that is directly or
indirectly capable of initiating transaction on this node.

Tranquillity
Definition (Tranquillity): A node N is in a tranquil status if,
1. It is not currently engaged in a transaction that it initiated,
2. It will not initiate new transaction,
3. It is not actively processing request, and
4. None of its adjacent nodes are engaged in a transaction in
which it has both already participated and might still
participate and might still participate in the future.
Quiescence is a stronger concept than tranquillity.
Tranquillity has the distinct advantage that it is much less
disruptive than quiescence.
Reachability of Tranquillity
Condition
Tranquillity does not always occur in
bounded time. In such case the tranquillity
condition must implement a fallback
mechanism to quiescence.
 When node N is in tranquil state, all
interactions between that node must be
blocked. This is not the case with
quiescence.

Implementation of Component
Middleware

A prototype implementation was
developed as an extension to a generalpurpose component middleware platform:
DRACO
The DRACO Component
Methodology
In DRACO, components are units of
functionality that are implemented as a
highly cohesive group of Java classes.
 Interconnection between components is
achieved by means of connectors.
 Components are considered as nodes and
connectors are arcs of the directed graph.

Extensible Middleware Platform
The DRACO middleware offers an extensive API
that can be used by extension modules to change
the behavior of the core system.
5 core modules:
1. Component manager, loading and instantiating
component instances
2. The Message manager, message delivery
3. The scheduler, scheduling messages
4. The Connector manager, (dis)connecting ports
5. The Module manager, adding extension module
Message Delivery

Achieved in 3 stages
Message is transmitted by originating
components. The message passes through
a sequence of message handlers until it is
handed to the scheduler
 The message awaits its execution inside a
message queue from the scheduler

Message Delivery cond….

The scheduler’s worker threads
continuously fetch messages, pass through
handler chain and finally deliver. The order
of message is preserved and delivered
sequentially.
Live Update Extension
Module(LUM)
An extension of the core DRACO system
that allows components to be replaced by a
new version at runtime.
 The following steps are done to bring the
module back to quiescence if tranquillity is
not attained.
1. Enforcing Passivity
2. Ensuring the additional tranquillity
constraint
3. Fallback to quiescence

LUM cond….
Fallback to Quiescence
LUM keeps an internal timer. If tranquillity
has not been reached for component C,
the system falls back to quiescence.
Definition(Dependent Transaction): A
dependent transaction is a two-way party
transaction whose completion may
depend on the completion of other
consequent transaction.
Fallback to Quiescence cond…
Definition(Generalized Passive status): A
component in the generalized passive
status must accept and service
transaction and initiate consequent
transaction, but
1. It is not currently engaged in a
(nonconsequent) transaction that it
initiated
2. It will not initiate new (nonconsequent)
transaction
Algorithm

Algorithm 1 Receive(m)

if tag(m) part of InitialList then

messageThread

outId

struct

Execute(m)

Rebuild InitialList

if InitialList is empty then

Quiescence Reached

end if

else //Not part of an ongoing transaction

Queue(m) at the deliveryMessageHandler

end if
current thread
0
< messageThread;C; tag(m); outId >
Conclusion
Tranquillity has a much more smaller
disruption than quiescence.
 Tranquillity allows the replacement of
nodes at times when it is semantically to
do so, even when the quiescence
condition does not hold.
