A general framework for architecture composability

Transcription

1 DOI 0.007/s The Author(s) 205. This article is published with open access at Springerlink.com Formal Aspects of Computing Formal Aspects of Computing A general framework for architecture composability Paul Attie, Eduard Baranov 2, Simon Bliudze 2, Mohamad Jaber and Joseph Sifakis 2 American University of Beirut, Beirut, Lebanon 2 École Polytechnique Fédérale de Lausanne, Station 4, 05 Lausanne, Switzerland Abstract. Architectures depict design principles: paradigms that can be understood by all, allow thinking on a higher plane and avoiding low-level mistakes. They provide means for ensuring correctness by construction by enforcing global properties characterizing the coordination between components. An architecture can be considered as an operator A that, applied to a set of components B, builds a composite component A(B) meeting a characteristic property. Architecture composability is a basic and common problem faced by system designers. In this paper, we propose a formal and general framework for architecture composability based on an associative, commutative and idempotent architecture composition operator. The main result is that if two architectures A and A 2 enforce respectively safety properties and 2, the architecture A A 2 enforces the property 2, that is both properties are preserved by architecture composition. We also establish preservation of liveness properties by architecture composition. The presented results are illustrated by a running example and acasestudy. Keywords: Architecture composability, Component-based frameworks, Safety, Liveness, BIP. Introduction Architectures depict design principles: paradigms that can be understood by all, allow thinking on a higher plane and avoiding low-level mistakes. They provide means for ensuring correctness by construction by enforcing global properties characterizing the coordination between components. Using architectures largely accounts for our ability to master complexity and develop systems cost-effectively. System developers extensively use libraries of reference architectures ensuring both functional and non-functional properties, for example fault-tolerant architectures, architectures for resource management and QoS control, timetriggered architectures, security architectures and adaptive architectures. Nonetheless, we still lack theory and methods for combining architectures in principled and disciplined fully correct-by-construction design flows. Correspondence and offprint requests to: S. Bliudze, Simon.Bliudze@epfl.ch

2 P.Attieetal. Informally speaking, an architecture can be considered as an operator A that,appliedto a set of componentsb builds a composite component A(B) meeting a characteristic property. In a design process, it is often necessary to combine more than one architectural solution on a set of components to achieve a global property. System engineers use libraries of solutions to specific problems and they need methods for combining them without jeopardizing their characteristic properties. For example, a fault-tolerant architecture combines a set of features building into the environment protections against trustworthiness violations. These include () triple modular redundancy mechanisms ensuring continuous operation in case of single component failure; (2) hardware checks to be sure that programs use data only in their defined regions of memory, so that there is no possibility of interference; (3) default to least privilege (least sharing) to enforce file protection. Is it possible to obtain a single fault-tolerant architecture consistently combining these features? The key issue here is architecture composability in the integrated solution, which can be formulated as follows: Consider two architectures A and A 2, enforcing respectively properties and 2 on a set of components B. Thatis,A (B) and A 2 (B) satisfy respectively the properties and 2. Is it possible to find an architecture A A 2 such that the composite component (A A 2 )(B) meets 2? For instance, if A ensures mutual exclusion and A 2 enforces a scheduling policy is it possible to find an architecture on the same set of components that satisfies both properties? Architecture composability is a very basic and common problem faced by system designers. Manifestations of lack of composability are also known as feature interaction in telecommunication systems [CKMRM03]. The development of a formal framework dealing with architecture composability implies a rigorous definition of the concept of architecture as well as of the underlying concepts of components and their interaction. The paper proposes such a framework based on results showing how architectures can be used for achieving correctness by construction in a rigorous component-based design flow [Sif2]. The underlying theory of components and their interaction is inspired from BIP [BS07]. BIP is a component framework rooted in well-defined operational semantics. It proposes an expressive and elegant notion of interaction models for component composition. Interaction models can be studied as sets of Boolean constraints expressing interactions between components. BIP has been fully implemented in a language and the supporting toolset, including compilers and code generators [BBB + ]. BIP allows the description of composite components as an expression γ (B), where B is a set of atomic components and γ is an interaction model. Atomic components are characterized by their behaviour specified as transition systems. An interaction model γ is a set of interactions. Each interaction is a set of actions of the composed components, executed synchronously. The meaning of γ can be specified by using operational semantics rules defining the transition relation of the composite component γ (B) in terms of transition relations of the composed components B. Intuitively, for each interaction a γ, γ (B) can execute a transition labelled by a iff the components involved in a can execute the corresponding transitions labelled by the actions composing a, whereas other components do not move. A formal definition is given in Sect. 2 (Definition 2). Given a set of components B an architecture is an operator A such that A(B) =γ (C, B), where γ is an interaction model and C a set of coordinating components, and A(B) satisfies a characteristic property A. According to this definition, an architecture A is a solution to a specific coordination problem, specified by A, by using an interaction model specified by γ and C. For instance, for distributed architectures, interactions are point-to-point by asynchronous message passing. Other architectures adopt a specific topology (e.g. ring architectures, hierarchically structured architectures). These restrictions entail reduced expressiveness of the interaction model γ that must be compensated by using the additional set of components C for coordination. The characteristic property A assigns a meaning to the architecture that can be informally understood without the need for explicit formalization (e.g. mutual exclusion, scheduling policy, clock synchronization). Our contributions. We propose a general formal framework for architecture composability based on a composition operator which is associative, commutative and idempotent. We consider that characteristic properties are the conjunction of safety properties and liveness properties. We show that if two architectures A and A 2 enforce respectively safety properties and 2, the architecture A A 2 enforces 2, that is both properties are preserved by architecture composition. The concept of liveness for architectures derives from the Büchiacceptance condition. We designate a subset of states of each coordinator as idle, meaning that it is permissible for the coordinator to remain in such a state forever. Otherwise, the controller must execute infinitely often. The main result guaranteeing liveness preservation is based on a pairwise non-interference check of the composed architectures that can be performed algorithmically, in the finite-state case.

3 A general framework for architecture composability This paper extends our previous work [ABB + 4a] with the following additional contributions:. We introduce a notion of partial application of architectures and provide corresponding generalisations of the key results in [ABB + 4a]; 2. We provide an additional example of hierarchical architecture application, enforcing fair mutual exclusion on an arbitrary number of tasks; 3. Finally, we provide full proofs of all the results in the paper. The paper is structured as follows. Section 2 introduces the notions of component and architecture, as well as the corresponding composition operators. Section 3 presents the key results about the preservation of safety and liveness properties. Section 4 illustrates the application of our framework on an Elevator control use case. Some related work is discussed in Sect. 5. Finally, Sect. 6 concludes the paper. 2. The theory of architectures 2.. Components and architectures In order to consider component-based systems, we have to define the notions of components and composition. We use the BIP notions introduced in [BS07]. Definition (Components)Acomponent is a Labelled Transition System B (Q, q 0, P, ), where Q is a set of states, q 0 Q is the initial state, P is a set of ports and Q (2 P \{ }) Q is a transition relation. Each transition is labelled by an interaction a P.WecallP the interface of B. We use the notations q a q, q a a and q as usual. We also denote by Q B, qb 0, P B and B the constituents of a component B. In the rest of the paper, we will simplify the notation by writing pq instead of {p, q} to denote an interaction, whenever the context allows doing so without introducing ambiguity. Component composition in BIP is achieved through a synchronisation operator, parameterized by an interaction model, which is a set of interactions representing allowed synchronisations among the ports of the participating components. Definition 2 (Interaction model)letb {B,...,B n } be a finite set of components with B i (Q i, qi 0, P i, ), such that all P i are pairwise disjoint, i.e. i j, P i P j.letp n i P i.aninteraction model over P is asetγ 2 P. We call the set of ports P the domain of the interaction model. The composition of B with the interaction model γ is given by the component γ (B) (Q, q 0, P, ), where Q n i Q i, q 0 q 0...q n 0 and is the minimal transition relation inductively defined by the rule a P i a γ q i q i (if a P i ) q...q n a q...q n q i q i (if a P i ). () Notice that, although we require transition labels in components to be non-empty, we do allow the empty interaction to be part of an interaction model. According to (), the empty interaction γ does not have any effect on the composed componentγ (B). However, it will be useful for the definitions of architecture application and composition as we will discuss below (Remark on page 6). In the sequel, when speaking of a set of components B {B,...,B n }, we will always assume that it satisfies all the conditions of Definition 2. We are now in position to define the notion of architecture. An architecture can be seen as an operator that transforms a set of components into a new composite component. It generalises BIP interaction models, by introducing stateful coordinating components. The interface of an architecture is a set of ports that comprises both the ports of the coordinating components and additional dangling ports that must belong to operand components, to which the architecture is applied. Here and below, we skip the index on the transition relation, since it is always clear from the context.

4 P.Attieetal. Architecture interface Ports of the coordinating components Operand component ports Fig.. A diagram illustrating the relation between ports of an architecture and of its operand components: the inner circle represents the ports of the coordinating components, the ears represent the ports of operand components, the representation of the architecture interface is delimited by the solid line Definition 3 (Architecture) Anarchitecture is a tuple A (C, P A,γ), where C is a finite set of coordinating components with pairwise disjoint sets of ports, P A is a set of ports, such that C C P C P A,andγ 2 P A is an interaction model over P A. An architecture A can be applied to any set of components B that contains all the dangling ports of A. Intuitively, an architecture enforces coordination constraints on the components in B. The interface P A of an architecture A contains all ports of the coordinating components C and some additional ports, which must belong to the components in B as illustrated in Fig.. In the application A(B), the ports belonging to P A can only participate in the interactions defined by the interaction model γ of A. Ports that do not belong to P A are not restricted and can participate in any interaction. In particular, they can join the interactions in γ (see (2)below). Definition 4 (Application of an architecture)leta (C, P A,γ) be an architecture and let B be a set of components, such that B B P B C C P C and P A P B B C P B.Theapplication of an architecture A to the components B is the component ( ) A(B) γ 2 P\P A (C B), (2) where, for interaction models γ and γ over disjoint domains P and P respectively, γ γ {a a a γ, a γ } is an interaction model over P P. Notice that, when the interface of the architecture covers all ports of the system, i.e. P P A,wehave 2 P\P A { }and the only interactions allowed in A(B) are those belonging to γ. Example (Mutual exclusion) Consider the components B and B 2 in Fig. 2a. In order to ensure mutual exclusion of their work states, we apply the architecture A 2 ({C 2 }, P 2,γ 2 ), where C 2 is shown in Fig. 2b, P 2 {b, b 2, b 2, f, f 2, f 2 } and γ 2 {, b b 2, b 2 b 2, f f 2, f 2 f 2 }. The interface P 2 of A 2 covers all ports of B, B 2 and C 2. Hence, the only possible interactions are those explicitly belonging to γ 2. Assuming that the initial states of B and B 2 are sleep, and that of C 2 is free, neither of the two states (free, work, work) and (taken, work, work) is reachable, i.e. the mutual exclusion property (q work) (q 2 work) where q and q 2 are state variables of B and B 2 respectively holds in A 2 (B, B 2 ). Let B 3 be a third component, similar to B and B 2, with the interface {b 3, f 3 }. Since b 3, f 3 P 2, the interaction model of the application A 2 (B, B 2, B 3 )isγ 2 {, b 3, f 3 }. (We omit the interaction b3 f 3, since b 3 and f 3 are never enabled in the same state and, therefore, cannot be fired simultaneously.) Thus, the component A 2 (B, B 2, B 3 )is the unrestricted product of the components A 2 (B, B 2 )andb 3. The application of A 2 enforces mutual exclusion between the work states of B and B 2, but does not affect the behaviour of B 3.

5 A general framework for architecture composability b f b 2 f 2 b 2 f 2 work work taken b f b 2 f 2 b 2 f 2 B sleep (a) B 2 sleep C 2 free (b) Fig. 2. Component (a) and coordinator (b) for Example (the initial states of the components are shaded) For the proofs of the results provided in the rest of this paper, it will be convenient to assume that an architecture has precisely one coordinating component, i.e. C {C }. In most cases, this can be done without loss of generality by noticing that the proof argument can be repeated for all coordinating components, since an architecture can have only a finite number of such. However, this assumption can be formalized explicitly by the following lemma. Lemma Let A (C, P A,γ) be an architecture and denote by γ C {a PC a γ }, with P C C C P C,the projection of γ onto the ports of the coordinating components of A. Consider an architecture A ({C }, P A,γ), where C γ C (C). For any set of components B, satisfying the conditions of Definition 4, we have A(B) A (B). Proof. First of all, notice that, by Definition 2, P C P C. Hence, the conditions of Definition 3 are satisfied and A is indeed an architecture. Furthermore, B satisfies the conditions of Definition 4 w.r.t. A. Hence, the component A (B) is well defined. Clearly the state spaces, initial states and interfaces of both components coincide. Thus we only have to prove that so do the transition relations. Let us assume that C {C,...,C m } and B {B,...,B n }. We will use q i, q i to denote the states of C i and q i, q i to denote the states of B i. a By Definition 4, a transition q... q m q...q n q... q m q...q n is possible in A(B)iffa and a P Ci. for i [, m], q i q i is possible in C i,ora P Ci and q i q i ; a P Bi 2. for i [, n], q i q i is possible in B i,ora P Bi and q i q i ; 3. a γ 2 P\P A ; where P B B C P B. Similarly, the above transition is possible in A (B)iffa and a P C. q... q m q... q m is possible in C,ora P C and q i q i, for all i [, m]; a P Bi 2. for i [, n], q i q i is possible in B i,ora P Bi and q i q i ; 3. a γ 2 P\P A. If a P C, the transition in condition above is possible in C iff 4. a P C γ C and, a P Ci 5. for i [, m], q i q i is possible in C i,ora P Ci and q i q i. Consider a γ 2 P\P A. Since P C P C P A,wehavea P C a P C (a P A ) P C. Since a P A γ, we have a P C γ C, which concludes the proof.

6 P.Attieetal Composition of architectures As will be further illustrated in Sect. 3, architectures can be intuitively understood as enforcing constraints on the global state space of the system [BS, Weg96]. More precisely, component coordination is realized by limiting the allowed interactions, thus enforcing constraints on the transitions components can take. From this perspective, architecture composition can be understood as the conjunction of their respective constraints. This intuitive notion is formalized by the two definitions below. Definition 5 (Characteristic predicates [BS0]) Denote B {true, false} and let γ 2 P be an interaction model over a set of ports P. Itscharacteristic predicate (ϕ γ : B P B) B[P] is defined by letting ( ) p. ϕ γ a γ p a p p a For any valuation v : P B, ϕ γ (v) true if and only if a v {p P v(p) true} γ.insuchcase,we say that the interaction a v satisfies the predicate ϕ (denoted a v ϕ). A predicate ϕ B[P] uniquely defines an interaction model γ ϕ, such that ϕ γϕ ϕ. 2 Example 2 (Mutual exclusion (contd.)) Consider the interaction model γ 2 { }, b b 2, b 2 b 2, f f 2, f 2 f 2 from Example. The domain of γ 2 is P 2 {b, b 2, b 2, f, f 2, f 2 }. Hence, the characteristic predicate of γ 2 is (omitting the conjunction operator): ϕ γ2 b b 2 b 2 f f 2 f 2 b b 2 b 2 f f 2 f 2 b b 2 b 2 f f 2 f 2 b b 2 b 2 f f 2 f 2 b b 2 b 2 f f 2 f 2 (b b 2 ) (f f 2 ) (b 2 b 2 ) (f 2 f 2 ) (b 2 b XOR b 2 ) (f 2 f XOR f 2 ) (b 2 f 2 ). (3) Intuitively, the implication b b 2, for instance, means that, for the port b to be fired, it is necessary that the port b 2 be fired in the same interaction [BS0]. Definition 6 (Architecture composition)leta i (C i, P Ai,γ i ), for i, 2 be two architectures. The composition of A and A 2 is an architecture A A 2 (C C 2, P A P A2,γ ϕ ), where ϕ ϕ γ ϕ γ2. The following lemma states that the interaction model of the composed component consists precisely of the interactions a such that the projections of a onto the interfaces of the composed architectures (A and A 2, resp.) belong to the corresponding interaction models (γ and γ 2, resp.). In other words, these are precisely the interactions that satisfy the coordination constraints enforced by both composed architectures. In particular, as we will show in Theorem (Sect. 3), this means that, for two architectures A, A 2 and a set of components B,the execution traces allowed by A A 2 on B are those that are allowed by both A and A 2, which guarantees the preservation of safety properties by the composition of architectures. Lemma 2 Consider two interaction models γ i 2 P i,fori, 2, and let ϕ ϕ γ ϕ γ2. For an interaction a P P 2, a γ ϕ iff a P i γ i,fori, 2. Proof. Letv(p) (p a) be a valuation P P 2 B corresponding to a. Wehavea ϕ γ ϕ γ2 iff (ϕ γ ϕ γ2 )(v) true, which is equivalent to ϕ γ (v) true and ϕ γ2 (v) true. Consider a restriction v : P B of v to P, defined by putting p P, v (p) v(p). Since the variables p P 2 \P do not appear in ϕ γ,wehave ϕ γ (v) true iff ϕ γ (v ) true, i.e. a P γ. The same holds for a P 2 γ 2. Remark Every interaction allowed by A A 2 must comprise both an interaction allowed by A and an interaction allowed by A 2. To allow architecture A to progress independently from A 2, one must have γ 2 and vice-versa. 2 Here and below, we use to denote logical equivalence of predicates.

7 A general framework for architecture composability Lemma 3 Consider a set of components B and two architectures A i (C i, P Ai,γ i ),fori, 2.Let q q 2 q a q q 2 q be a transition in (A A 2 )(B), where, for i, 2, q i, q i C C i Q C and q, q B B Q B. Then, for i, 2,if a (P Ai P),then q i q a (P A i P) q i q is a transition in A i (B),whereP B B P B. Proof. By Lemma, we can assume that each of the two architectures has only one coordinating component, i.e. C i {C i },fori, 2. By Definition 6, a (P A P A2 ) ϕ γ ϕ γ2. By Lemma 2, a P A γ. Hence, ã a (P A P) ( a P A ) ( a (P\PA ) ) ( γ 2 P\P A ). By the assumption of the lemma, ã. Furthermore, since q q 2 q a q q 2 q,wehaveby(), { { a P C q q, if a P a P i C, q q q, if a P and, for i [, n], i q i, if a P i, C, q i q i, if a P i. Since P C P A,wehaveã P C a P C. Similarly, for any i [, n], P i P, hence ã P i a P i. Thus, all premises of the instance of the rule () for ã in A (B) are satisfied and we have q q ã q q in A (B). For A 2 (B), the result is obtained by a symmetrical argument. Proposition (Properties of ) Architecture composition is commutative and associative; it is idempotent if all coordinating components are deterministic; A id (,, { } ) is its neutral element, i.e. for any architecture A, we have A A id A. Furthermore, for any component B, we have A id (B) B. Sketch of the proof Commutativity and associativity follow from the corresponding properties of set union and boolean conjunction. Suppose we have two architectures A A. As illustrated by Lemma, this does not necessarily mean that their sets of coordinating components coincide. However, if all the involved coordinating components are deterministic, then, in any state of (A A )(B), both architectures will impose the same restrictions, enabling the same interactions between the coordinating and operand components. Hence, we have (A A )(B) A(B) A (B). Since this holds for any set of components B, we conclude that A A A A. The properties of A id follow immediately from the definitions of architecture application and composition. Notice that, by (2), for an arbitrary set of components B with P B B P B,wehaveA id (B) ( 2 P) (B)(cf. Definition 2). Example 3 (Mutual exclusion (contd.)) Building upon Example,letB 3 be a third component, similar to B and B 2, with the interface {b 3, f 3 }. We define two additional architectures A 3 and A 23 similar to A 2 :fori, 2, A i3 ({C i3 }, P i3,γ i3 ), where, up to the renaming of ports, C i3 is the same as C 2 in Fig. 2b, P i3 {b i, b 3, b i3, f i, f 3, f i3 } and γ i3 { }, b i b i3, b 3 b i3, f i f i3, f 3 f i3. By considering, for ϕ γ3 and ϕ γ23, expressions similar to (3), it is easy to compute ϕ γ2 ϕ γ3 ϕ γ23 as the conjunction of the following implications: b b 2 b 3, f f 2 f 3, b 2 b XOR b 2, f 2 f XOR f 2, b 2 f 2, b 2 b 2 b 23, f 2 f 2 f 23, b 3 b XOR b 3, f 3 f XOR f 3, b 3 f 3, b 3 b 3 b 23, f 3 f 3 f 23, b 23 b 2 XOR b 3, f 23 f 2 XOR f 3, b 23 f 23. Finally, it is straightforward to obtain the interaction model for A 2 A 3 A 23 : {, b b 2 b 3, f f 2 f 3, b 2 b 2 b 23, f 2 f 2 f 23, b 3 b 3 b 23, f 3 f 3 f 23 }. Notice that this interaction model is different from the union of the interaction models of the three architectures. Assuming that the initial states of B, B 2 and B 3 are sleep, whereas those of C 2, C 3 and C 23 are free, one can observe that none of the states (,,, work, work, ), (,,, work,, work) and (,,,, work, work) are reachable in (A 2 A 3 A 23 )(B, B 2, B 3 ). Thus, we conclude that the composition of the three architectures,

8 P.Attieetal. (A 2 A 3 A 23 )(B, B 2, B 3 ), enforces mutual exclusion among the work states of all three components. In Sect. 3., we provide a general result stating that architecture composition preserves the enforced state properties Hierarchical composition of architectures The following proposition establishes a link between the architecture composition as defined in the previous section and the usual notion of functional composition. Proposition 2 (Relation between notions of composition) Let B be a set of components and let A (C, P A,γ ) and A 2 (C 2, P A2,γ 2 ) be two architectures, such that ) P A P B B C P B and 2) P A2 P 2 ( B B C C 2 P B.ThenA 2 A (B) ) is defined and equal to (A A 2 )(B). Proof. Clearly, the state spaces, initial states and interfaces of both components coincide. Thus we only have to prove that so do the transition relations. By Lemma, we assume C {C }, C 2 {C 2 } and B {B,...,B n }. a By Definition 4 a transition q C q C2 q...q n q C q C 2 q...q n is possible in A 2( A (B) ) iff a and a P C2. q C2 q C 2 is possible in C 2,ora P C2 and q C2 q C 2 ; a P 2. q C q...q n q C q...q n is possible in A (B), or a P and q C q...q n q C q...q n ; 3. a γ 2 2 P 2\P A2. If a P, the transition in condition above is possible in A (B)iff a P C 4. q C q C is possible in C,ora P C and q C q C ; a P Bi 5. for i [, n], q i q i is possible in B i,ora P Bi and q i q i ; 6. a P γ 2 P \P A. Similarly, the above transition is possible in (A A 2 )(B)iffa and a P Ci. for i, 2, q Ci q C i is possible in C i,ora P Ci and q Ci q C i ; a P Bi 2. for i [, n], q i q i is possible in B i,ora P Bi and q i q i ; 3. a γ A A 2 2 P 2\(P A P A2 ). Thus, to prove the proposition it is sufficient to show that a γ A A 2 2 P 2\(P A P A2 ) iff a γ 2 2 P 2\P A2 and a P γ 2 P \P A. For a P 2,wehavea γ A A 2 2 P 2\(P A P A2 ) iff a (P A P A2 ) γ A A 2, i.e. a (P A P A2 ) ϕ γ ϕ γ2. By Lemma 2, this is equivalent to a (P A P A2 ) P A a P A γ and a (P A P A2 ) P A2 a P A2 γ 2. Since a P 2,wehavea P A2 γ 2 iff a γ 2 2 P 2\P A2. Finally, since P A P,wehavea P A γ iff a P γ 2 P \P A. The first condition in Proposition 2 states that A can be applied to the behaviours in B (cf. Definition 4). Similarly, the second condition states that A 2 can be applied to A (B). Note that, when P Ai B B C i P B holds for both i {, 2} for i, this is the first condition of Proposition 2 and none of the architectures involves the ports of the other, i.e. P Ai C C j P C,fori j {, 2}, then the two architectures are independent ( and their composition is commutative: A 2 A (B) ) ( (A A 2 )(B) A A2 (B) ). The following proposition shows that the application of an architecture only affects the components that have ports belonging to its interface. Components that do not involve such ports are not affected, even if they interact with the operand components of the architecture. In Proposition 3, such potential interactions are modelled by applying the architecture A 2, which also provides a context for the comparison of the resulting systems. In the special case, where such independent components do not interact with the architecture operands, one can consider A 2 A id.

9 A general framework for architecture composability Proposition 3 (Application of an architecture to independent components) Let B, B 2 be two sets of components, such that B B P B B B 2 P B.LetA (C, P A,γ ) and A 2 (C 2, P A2,γ 2 ) be two architectures, such that ( P A P B B C P B and P A2 P 2 B B B 2 C C 2 P B.ThenA 2 A (B, B 2 ) ) ( ) A 2 A (B ), B 2. Proof. As in the proof of Proposition2, we notice that the sets of states are equal in both composed components, thus we only have to prove the equality of transition relations. By Lemma, we assume C {C } and C 2 {C 2 }. Furthermore, let B {B,...,B k } and B 2 {B k+,...,b n }. We then have P P C k i P B i and P 2 P C P C2 n i P B i. a Assume that we have a transition q C q C2 q...q n q C q C 2 q...q n in A 2( A (B, B 2 ) ). All components can make their corresponding transitions and a can be represented as a a C2 a γ a,wherea C2 P C2, a γ γ and a 2 P \P A.AsP Bi P Bj, for all i j [, n], all the ports of B 2 that belong to a are in a.let a a B2 a 2,wherea B2 a n i k+ P B( i. Then either ) a γ a 2 or it is enabled in A (B ). Hence, interaction a a C2 a γ a 2 a B2 is enabled in A 2 A ( (B ), B 2. ) Assume interaction a is enabled in A 2 A (B ), B 2. It can be represented as a ac2 ( a γ a 2 a B2. Then interaction a γ a 2 a B2 is enabled in A (B, B 2 ) and consequently a is enabled in A 2 A (B, B 2 ) ) in the corresponding state. Intuitively, Proposition 3 states that one only has to apply the architecture A to those components that have ports involved in its interface. Notice that, in order to compare the semantics of two sets of components, one has to compose them into compound components, by applying some architecture. Hence the need for A 2 in Proposition 3. As a special case, one can consider the most liberal identity architecture A id (see Proposition ). A id does not impose any coordination constraints, allowing all possible interactions between the components it is applied to. Example 4 (Mutual exclusion (contd.)) Example 3 can be generalized to an arbitrary number n of components by repeating the architecture application pairwise. However, this solution requires n(n )/2 architectures, and so does not scale well. Instead, we apply architectures hierarchically. Let n 4 and consider two architectures A 2, A 34, with the respective coordination components C 2, C 34, that respectively enforce mutual exclusion between B, B 2 and B 3, B 4 as in Example 3. Assume furthermore, that an architecture A enforces mutual exclusion between the taken states of C 2 and C 34. It is clear that the system A ( A 2 (B, B 2 ), A 34 (B 3, B 4 ) ) ensures mutual exclusion between all four components (B i ) 4 i. Furthermore, by the above propositions, A ( A 2 (B, B 2 ), A 34 (B 3, B 4 ) ) A ( ( A 2 B, B 2, A 34 (B 3, B 4 ) )) A ( ( A 2 A34 (B, B 2, B 3, B 4 ) )) (A A 2 A 34 )(B, B 2, B 3, B 4 ). Example 5 (Fair mutual exclusion) Examples 3 and 4 are not fair: a component can be forever denied access to its work state. We remedy this by adding requests, and modifying the architecture so that a component that has requested access is eventually granted access. Figure 3a shows a basic component B i (with i ranging over some set of indices I B ) which asks for the critical section (a i ), waits to begin its work (b i ), then finishes its work (f i ). We use a hierarchical scheme: a binary tree in which basic components B i are the leaves, and architectures are the internal nodes. Each architecture receives requests from its left and right children and passes them to its parent. Likewise an architecture receives grants from its parent and passes them to its children. The architecture at the root of the tree does not pass requests up and does not need to receive grants from above. The details of the root architecture are straightforward, and are omitted. Each architecture A i (with i ranging over some set of indices I A, such that I A I B ) has two coordinators:. The priority coordinator, C pr i, shown in Fig. 3b, stores requests from the left (ai l)andright(ar i ) subtrees and determines priority based on the order of receiving the requests (FIFO). Priority coordinators enforce the property:

10 P.Attieetal. f i sleep wait a i a i b i f i b i a i a r i r b r i a i a r i b i b r i f i fin_dn idle a i req_up a i b c i b i b i w i a r i b r i b i a i w i f c i b i work (a) Component B i w i w i (b) Priority Coordinator C pr i w i gr_dn b c i gr_up (c) Access Coordinator C acc i f c i f i Fig. 3. Hierarchical and fair mutual exclusion (the initial states of the components are shaded) If the left subtree submits a request to its parent before the right subtree, then the left subtree receives a grant from its parent before the right subtree does (and vice-versa). This is achieved by maintaining a queue of length at most 2, which stores pending requests. In Fig. 3b, the queue is shown labeling each state, with the head of the queue to the left. When there are requests waiting in the queue, the priority coordinator indicates this by enabling the port w i. 2. The access coordinator, Ci acc, shown in Fig. 3c, sends ask requests to the parent architecture (a i ), keeps track and passes the begin and finish actions up (b i and f i ) and down (bi c and f i c ) the hierarchy tree (the superscript c stands for child ). Access coordinators enforce the property: In total, the left and right subtrees have at most one grant at any time. This is achieved as follows. The access coordinator proceeds in a cycle: when the corresponding priority coordinator signals that the request queue is not empty, it sends the request to its parent (a i ) and waits for the parent to return a grant (b i ). It then relays this grant to its children (bi c ), with the priority coordinator ensuring that the grant goes to the higher-priority child in case both children have outstanding requests. Upon receiving a done notification from a child (fi c) the access coordinator relays it to its parent (f i) and returns to the initial state. ( Thus all architectures in the tree are instances of the same parameterized architecture A (i,jl,j r ) pr {C i, Ci acc }, P (i,jl,j r ),γ (i,jl,j r )),wherei IA is the index of the architecture and j l, j r I A I B are, respectively, the indices of its left and right operands. The interface of A (i,jl,j r ) is is P (i,jl,j r ) {ai l, ar i, bl i, br i } {a i, bi c, b i, fi c, f i} {a jl, b jl, f jl } {a jr, b jr, f jr }, it consists of the ports of the two coordinators and the up ports of the two children. The interaction model γ (i,jl,j r ) { a i w i, b i, f i, a l i a j l, a r i a j r, b l i bc i b j l, b r i bc i b j r, f c i f j l, f c i f j r }, where a i w i synchronises the two coordinators, forcing the access coordinator to only send requests to the parent, when there is at least one request from a child waiting; b i and f i are singleton interactions for propagating begin and finish information to the parent architecture; ai la j l and ai r a j r correspond, respectively, to asking by the left and right children, bi lbc i b j l and bi r bc i b j r correspond, respectively, to granting the access to the left or right child; fi cf j l and fi cf j r correspond, respectively, to the left or right child reporting that it has finished working. We can apply this architecture to generate any binary tree that is desired.

11 A general framework for architecture composability Clearly, for any two components B k and B l, to which such an architecture A (,k,l) can be applied (see Definition 4), the mutual exclusion holds in A (,k,l) (B k, B l ) and the access is granted to B k and B l in a fair manner, as discussed above. For more complex systems, correctness can be shown recursively. Notice that having two coordinators for each architecture, as opposed to combining them into a single more complex coordinator, has the following benefits: each coordinator is simpler, hence easier to understand, modify and debug, each coordinator enforces a single primitive property, hence there is a one-to-one correspondence between properties and coordinators. In particular, notice that the behaviour of the access coordinator does not depend on the number of its children. Hence, to change the structure of the overall architecture, we would only need to modify the behaviour of the priority coordinator and adapt accordingly the interaction model. The ability to factor into simple coordinators is a key advantage of our method. In a typical distributed algorithm (e.g. distributed mutual exclusion) where responsibility for enforcement of properties is distributed amongst all the components, such factorization is very difficult Partial application of architectures Notice that the main condition, limiting the application of Propositions 2 and 3, is that the architectures must be applicable, i.e. every port of the architecture interface must belong to some component. Below we lift this restriction by introducing the notion of partial application. We generalize Definition 4 for architectures A (C, P A,γ) applied to sets of components B, such that P A B B C P B. This means that the architecture enforces constraints on some ports which are not present in any of the coordinating or base components. In other words, the system obtained by applying the architecture to the set of components B is not complete. The result can then itself be considered as an architecture where the coordinating component is the one obtained by applying to B C the projection of interactions in γ. Definition 7 (Partial application) LetA (C, P A,γ) be an architecture and B be a set of components. Let P B B C P B.Apartial application of A to B is an architecture A[B] ({C }, P P A,γ 2 P\P A ), where C (γ P 2 P\P A )(C B) with γ P {a P a γ } and the operator as in Definition 4. Notice that an architecture obtained by partial application has precisely one coordinating component C.It is also important to notice that the interaction model in A[B] is not the same as in the definition of C.Onthe other hand, if P A P (as in Definition 4), we have γ P γ and A[B] ( {A(B)}, P,γ 2 P\P A). Lemma 4 Let B be a set of components and A (C, P A,γ) be an architecture, such that P A B B C P B.Then A(B) A[B]( ). Proof. Follows immediately from Definitions 4 and 7. Proposition 4 (Partial application to a subset of components) Let B and B 2 be two sets of components, such that B B 2, and let A (C, P A,γ) be an architecture. Then A[B B 2 ] ( A[B ] ) [B 2 ]. Proof. Clearly the interfaces of both architectures coincide. Furthermore, since the two architectures are obtained by partial application, each has only one coordinating component (see Definition 7). Thus we have to show that the coordinating components and the interaction models of both architectures coincide. Let P B C B P B and P 2 B C B 2 P B. By Definition 7, the interaction models of A[B B 2 ]and ( A[B ] ) [B 2 ] are, respectively γ 2 (P P 2 )\P A and ( ) γ 2 P \P A 2 P 2 \P A. Since 2 P \P A 2 P 2\P A 2 (P P 2 )\P A, we conclude that the interaction models coincide.

12 P.Attieetal. It is also clear that the state spaces, initial states and interfaces of both coordination components coincide. Thus, we only have to show that so do the transition relations. Let us consider the coordinating components of the two architectures. By Definition 7, wehave 3 A[B B 2 ] ( {C 2 }, P A P P 2,γ 2 (P ) P 2 )\P A, with C 2 ( γ P P 2 2 (P ) P 2 )\P A (C B B 2 ), where γ P P 2 {a (P P 2 ) a γ }. (4) Similarly, A[B ] ( {C }, P A P,γ 2 P ) \P A, with C ( γ P 2 P ) \P A (C B ), where γ P {a P a γ }, (5) and (A[B ])[B 2 ] ( {C 2 }, P A P P 2,γ 2 (P ) P 2 )\P A, with C 2 ( γ P P 2 2 (P ) P 2 )\P A ({C } B 2 ). (6) Since the interaction models and the constituent atomic components of C 2 and C 2 coincide, any transition allowed in C 2 is also allowed in C 2.Hence,toprovethatC 2 C 2, we have to show that any interaction allowed in C 2, after projection, is allowed in C. Notice, further, that the interface of C is P, whereas those of C 2 and C 2 are both P P 2. Consider a γ P P 2 2 (P P 2 )\P A. By definition of, a a a 2, with a γ P P 2 and a 2 (P P 2 )\P A. By (4), we have a ã (P P 2 ) with some ã γ. We deduce that a P ã (P P 2 ) P ã P and, therefore a P γ P. Since, a P (a P ) (a 2 P )anda 2 P ((P P 2 )\P A ) P P \P A, we have a P γ P 2 P \P A. Thus, the part of a relevant to the atomic components comprising C belongs to the interaction model in (5). By (), we conclude that any transition labelled by a in C 2 is also a transition of C 2. Proposition 4 generalises Proposition 3. In order to generalize Proposition 2, we first define the application of one architecture to another, by putting A [A 2 ] (A A 2 )[ ]. (7) Lemma 5 For any set of components B and any architectures A and A 2, we have (A A 2 )[B] (A [B] A 2 )[ ] (A A 2 [B])[ ]. Proof. We only prove (A A 2 )[B] (A [B] A 2 )[ ]. The other equality is symmetrical. Let A i (C i, P Ai,γ i ), for i, 2, and A [B] ({C }, P A,γ ). Let P B B C P B and P 2 B B C C 2 P B. Clearly the interfaces of both architectures coincide. Furthermore, since the two architectures are obtained by partial application, each has only one coordinating component (see Definition 7). Thus we have to show that the coordinating components and the interaction models of both architectures coincide. Let us consider the characteristic predicates of the interaction models. Notice, first, that for any two interaction models γ 2 P and γ 2 P, over disjoint sets of ports P P, one has (cf. Definition 4) ϕ γ ϕ γ ϕ γ γ. (8) Denote the interaction model of A [B] byγ γ 2 P \P A. Clearly, ϕ ( ) 2 P \P A true. Hence, by (8), we have ϕ γ ϕ γ ϕ ( ) 2 P \P A ϕγ and, consequently, the characteristic predicate of the interaction model of (A [B] A 2 )[ ]isϕ γ ϕ γ2 ϕ γ ϕ γ2. By a similar argument, we can conclude that the characteristic predicate of the interaction model of (A A 2 )[B] is also ϕ γ ϕ γ2. Since the interfaces of the two architectures coincide, this implies that so do their interaction models. We denote the interaction model in question by γ 2. Recall that ϕ γ2 ϕ γ ϕ γ2. 3 Keep in mind the difference between roman C, denoting a single coordinating component, and calligraphic C, denoting a set of coordinating components.

13 A general framework for architecture composability Let us consider the coordinating components of the two architectures. By Definition 7, wehave 4 (A A 2 )[B] ( {C 2 }, P 2 P A P A2,γ 2 2 P 2\(P A P A2 ) ), with C 2 ( γ P 2 2 2P 2\(P A P A2 ) ) (C C 2 B), where γ P 2 2 {a P 2 a γ 2 }. (9) Similarly, A [B] ( {C }, P P A,γ 2 P ) \P A, with C ( γ P 2 P ) \P A (C B), where γ P {a P a γ }, (0) and (A [B] A 2 )[ ] ( {C 2 }, P 2 P A P A2,γ 2 2 P 2\(P A P A2 ) ), with C 2 ( γ P 2 2 2P 2\(P A P A2 ) ) ({C } C 2 ). () Notice that the interaction models and the constituent atomic components in (9) and () coincide. Therefore, any transition allowed in C 2 is also allowed in C 2.Hence,toprovethatC 2 C 2,wehavetoshowthatany interaction allowed in C 2, after projection, is allowed in C. Notice, further, that the interface of C is P,whereas those of C 2 and C 2 are both P 2. Consider a γ P 2 2 2P 2\(P A P A2 ). By definition of, a a a 2 with a γ P 2 2 and a 2 P 2 \(P A P A2 ) P \P A.By(9), we have a ã P 2 with some ã γ 2. Since ϕ γ2 ϕ γ ϕ γ2, by Lemma 2, wehave ã P A γ and ã P γ P. Notice that P P 2. Hence a P ã P 2 P ã P γ P.We conclude that a P (a P ) (a 2 P ) (a P ) a 2 γ P 2 P \P A. Thus, the part of a relevant to the atomic components comprising C belongs to the interaction model in (0). By (), we conclude that any transition labelled by a in C 2 is also a transition of C 2. As a consequence of Lemma 5, we immediately obtain the following generalisation of Proposition 2. Proposition 5 (Commutativity of the partial application) For any set of components B and any architectures A and A 2, we have A 2 [ A [B] ] A [ A2 [B] ]. Proof. By(7) and Lemma 5, wehave A 2 [ A [B] ] ( A 2 A [B] ) [ ] (A A 2 )[B] ( A A 2 [B] ) [ ] A [ A2 [B] ]. Notice, furthermore, that (7) generalises Definition 7. Indeed, to a given set of components B, we can associate the architecture A B Aid [B] (cf. Proposition ). By (7) and Lemma 5, we obtain, for any architecture A, A[A B ] A [ A id [B] ] (A A id [B])[ ] (A A id )[B] A[B]. Thus, partial application of an architecture to a set of components can be considered a special case of the application of an architecture to another architecture. The results of the last two subsections provide two ways for using architectures at early design stages, by partially applying them to other architectures or to components that are already defined. An architecture restricts the behaviour of its arguments, which can be both components and other architectures. 4 Again, keep in mind the difference between roman C, denoting a single coordinating component, and calligraphic C, denoting a set of coordinating components.

14 P.Attieetal. 3. Property preservation Throughout this section we use several classical notions, which we recall here. Definition 8 (Paths, path fragments and reachable states) Let B (Q, q 0, P, ) be a component. A finite or a a 2 a k infinite sequence q 0 q qk is a path fragment in B. If in addition q 0 q 0, then it is also a path. Astateq Q is reachable iff there exists a finite path in B terminating in q. A path fragment is reachable iff its first state is reachable. a a 2 In the sequel, we use subscripts on states (as above) when we are discussing a path fragment, i.e. q 0 q a k qk,whereq 0 is not necessarily the initial state q 0. We use superscripts on the states when we are discussing a path (i.e. starting in the initial state q 0 ), so that a path is written as q 0 a q a 2 ak q k. In the rest of this section, unless explicitly stated otherwise, we consider a set of architectures A,...,A m and a set of operand components B. For a set of indices I [, m], we will denote by i I A i the composition of all architectures with indices in I. This is well-defined, since is associative and commutative. In particular, m i A i i [,m] A i A A m. We consider that any property can be decomposed as the conjunction of safety and liveness properties, and address both kinds separately in the following two subsections. We show that if two architectures A and A 2 enforce respectively safety properties and 2, the architecture A A 2 enforces 2, that is both properties are preserved by architecture composition. Since the application of an architecture restricts the behaviour of its arguments, liveness properties cannot be preserved in general, because liveness depends on the existence of live extensions for every finite execution. Thus, we have to make a special provision for liveness, by introducing the notion of non-interference. 3.. Safety properties Definition 9 Let B (Q, q 0, P, ) be a component. A safety property (in the rest of this subsection, simply property)ofb is a state predicate : Q B.Wewriteq iff (q) true. A property is initial if q 0 ; it is reachable iff there exists a possibly empty path q 0 a q a 2 an q n, such that q n. The main idea of our approach is that an architecture enforces its characteristic property on the set of its operand components. From this point of view, the set of coordinating components is not relevant, neither are their states. Thus, to talk about properties enforced by architectures, we consider properties on the unrestricted composition of the operand components as formalized by the following definition. Definition 0 (Enforcing properties) LetA (C, P A,γ) be an architecture; let B be a set of components and be an initial property of their parallel composition A id (B) (see Proposition ). We say that A enforces on B iff, for every state q (q b, q c ) reachable in A(B), with q b B B Q B and q c C C Q C,wehaveq b. According to the above definition, when we say that an architecture enforces some property, it is implicitly assumed that is initial for the coordinated components. Below, we omit mentioning this explicitly. Example 6 Consider again the mutual exclusion in Example. Component A 2 (B, B 2 ) is shown in Fig. 4 (we abbreviate sleep, work, free and taken to s, w, f and t respectively). Clearly A 2 enforces on {B, B 2 } the mutual exclusion property 2 (q w) (q 2 w), where q and q 2 are state variables of B and B 2 respectively. Theorem (Preserving enforced properties) Let B be a set of components; let A i (C i, P Ai,γ i ),fori, 2, be two architectures enforcing on B the properties and 2 respectively. The composition A A 2 enforces on B the property 2. Proof. Again, by Lemma, we can assume that each of the two architectures has only one coordinating component, i.e. C i {C i },fori, 2. We also denote, for i, 2, P i P Ci B B P B. The initiality of 2, is trivial: both and 2 are initial, hence q 0 2.

15 A general framework for architecture composability ssf b b 2 f f 2 wst wsf b 2 b 2 sst wwf f 2 f 2 f 2 f 2 b 2 b 2 swt swf f f 2 b b 2 wwt Fig. 4. Component A 2 (B, B 2 ) from Example 6 2 sws b 2 b 2 f 2 f 2 0 sss b b 2 f f 2 wss 4 2 sws b 2 b 23 f 2 f 23 0 sss b 3 b 23 f 3 f 23 ssw f 3 b 3 f 2 f 2 f 3 b 2 b 2 b 3 b 3 f 3 f f 2 f 3 b b 2 b 3 b 3 f 3 f b f 2 f 23 f b 2 b 23 b b f f 3 f 23 f b 3 b 23 b b f sww b 2 b 2 ssw b b 2 wsw wws b 2 b 23 wss b 3 b 23 wsw 3 f 2 f 2 f f f 2 f 23 4 f 3 f 23 5 (a) A 2 (B,B 2,B 3 ) (b) A 23 (B,B 2,B 3 ) 2 sws b 2 b 2 b 23 f 2 f 2 f 23 0 sss b 3 b 23 f 3 f 23 f 3 f 23 f f 2 ssw b b 2 b 3 b 23 b b 2 b b 2 f f 2 f f 2 wss 4 b 3 b 23 f 3 f 23 wsw (c) (A 2 A 23 )(B,B 2,B 3 ) 5 Fig. 5. Projections of reachable states of Example 7 components onto A id (B, B 2, B 3 ) (for ease of reading, we omit the transitions indicated by dotted blue arrows and additionally label each state with a red number, whereof the main label is the binary representation with s 0 and w ) Consider a path q 0 q 2 0q 0 a q q 2 q a 2 a k q k q 2 k q k in (A A 2 )(B), where q 0,...,q k B B Q B and q i 0,..., q i k Q Ci,fori, 2. By Lemma 3, q 0q 0 a P q q a 2 P a k P q k q k is a path in A (B). (If, for some i [, k], a i P, the corresponding transition can be omitted from the path.) Thus the state q k q k is reachable in A (B). Since A enforces on B, this implies that q k. Symmetrically, q k 2, which concludes the proof.

16 P.Attieetal. Example 7 In the context of Example 3, consider the application of architectures A 2 and A 23 to the components B, B 2 and B 3. The former enforces the property 2 (q w) (q 2 w) (the projections of reachable states of A 2 (B, B 2, B 3 ) onto the state-space of the atomic components are shown in Fig. 5a), whereas the latter enforces 23 (q 2 w) (q 3 w) (the projections of reachable states of A 23 (B, B 2, B 3 ) onto the statespace of the atomic components are shown in Fig. 5b). By Theorem, the composition A 2 A 23 enforces 2 23 (q 2 w) ( (q w) (q 3 w) ), i.e. mutual exclusion between, on one hand, the work state of B 2 and, on the other hand, the work states of B and B 3 (see Fig. 5c). Mutual exclusion between the work states of B and B 3 is not enforced. Furthermore, it is easy to check that A 2 A 23 A 3 enforces mutual exclusion between the work states of B, B 2 and B 3 as ( (q w) (q 2 w) ) ( (q w) (q 3 w) ) ( (q w) (q 3 w) ). In [ABB + 4b], we provide a similar result, showing that invariants are also preserved by the architecture composition Liveness properties As mentioned in the previous subsection, the main idea of our approach is that an architecture enforces its characteristic property on the set of its operand components and that the states of the coordinating components are not relevant. Thus, to talk about properties enforced by architectures, we have to abstract away their coordinating components. To this end, below, we introduce the notion of path projection, which allows us to consider the states and paths within A(B), limited to the corresponding states and paths of a subsystem that is obtained by removing some of the architectures. For a state q of m i A i, the projection of q onto i I A i,wherei [, m], is denoted q I and obtained by removing the state components of all C i with i I. Definition (Path projection, ) Letα q 0 q 0 a q q a 2 a k q k q k be a path in ( m i A i) (B), where q 0, q...,q k,... B B Q B and q 0, q,..., q k,... m i C C i Q C.AlsoletI [, m] andp I ( B B P B) ( i I C C i P C ). Then, the projection of α onto the subsystem ( i I A i) (B), denoted α I,is obtained as follows. Start with the path r 0 q 0 a P I r q a 2 P I a k P I r k q k, where r k q k I for all k 0. Then, replace all transitions r k q k a k P I r k q k, such that a k P I,by r k q k, i.e. remove transitions with empty labels (notice that, if a k P I, we necessarily have r k q k r k q k ). Proposition 6 (Path projection) Let α be a path in ( m i A i) (B). Then, for any I [, m], α I is a path in ( i I A i) (B). Proof. Letα q 0 q 0 a q q a 2 ak q k q k. By Definition, α I r 0 q 0 a P I r q a 2 P I a k P I r k q k. Consider an arbitrary transition r k q k a k P I r k q k along α I. By Lemma 3, r k q k a k P I r k q k is a transition in ( i I A i) (B). Also, r 0 q 0 is the initial state of ( i I A i) (B), by Definition. Since r k q k a k P I r k q k was chosen arbitrarily, we conclude that α I is a path in ( i I A i) (B). Our treatment of liveness properties is based on the idea that each coordinator C must be invoked sufficiently often, so that the liveness properties inherent in C are imposed on the system as a whole. So, what does sufficiently often mean? A reasonable initial idea is to require that each coordinator is executed infinitely often (along an infinite path). But that turns out to be too strong. For example, a mutual exclusion coordinator should not be invoked infinitely often if no process that it coordinates requests the critical resource. So, we add idle states, so that it is permitted for a coordinator to remain forever in an idle state. A coordinator not in an idle state must eventually be executed.