PROGRAMMING DISTRIBUTED

SYSTEMS
J. A. Feldman, d. R. Low, and P. D. Rovner

Computer Science Department

The University of Rochester
Rochester, New York 14627

Key words: Distributed computing; programming systems and languages; computer

networks.
1. Introduction
For a number of technical and economic reasons, dis-
tributed computing is increasing rapidly in importance.
The main technical considerations are the. increased
performance of small machines and of communications
systems relative to that of giant computers and the op-
portunity for greater system reliability through redun-
dancy. The economic considerations include all of the
technical ones plus additional aspects including the geo-
graphic dispersal of needs and the organizational advan-
tages of more specialized facilities (cf. Bank of America
article in Datamation [1976]). The Computer Science
Department of the University of Rochester has, from its
inception in 1974, directed much of its research effort
toward a better understanding of distributed computing.
2. RIG, an Intelligent Gateway
The initial laboratory facility of the Department was a
network of five (now six) minicomputers linked into larger
campus and national resources. This was designed to al-
low for very flexible usage of a wide variety of computing
facilities and is called RIG, for Rochester's Intelligent
Gateway (Figure 1).
The term "gateway system" has been coined to describe
a computer system designed primarily to connect users
to other computers and computer networks. An "intelli-
gent gateway" goes beyond the simple function of com-
munication. It plays a central role in the handling of in-
formation, actively translating the intentions of users
into communication forms which can be understood by
other computers. Because a "user" may in fact be another
machine, an intelligent gateway Can serve as a communi-
cation link between the various computers and computer
networks to which it is connected.
The RIG system development effort has been divided
into three major parts:
(1) An operating system kernel, called Aleph, has been
developed. Afeph's primary function is to oversee
the transfer of information and control between
processes running within the system.
(2) Server Processes have been developed to handle
requests for resources available to the system. The
use of independent processes to handle resource
allocation allows RIG to provide intelligent access
to its facilities.
(3) The writing of User Processes has begun. These
are the intelligent agents which translate user de-
sires into requests to Server Processes.
The fundamental design decision in the implementa-
tion of RIG was to allow a strict message discipline with
no shared data structures. All communication among
both user and server processes is through messages
which are routed by the Aleph kernel. This message dis-
cipline has proven to be very flexible and reliable. The
basic system has been described in [Ball et al., 1976],
and more detailed descriptions are available as internal
memos.
There are two other distributed computing projects
that we started shortly after RIG and which were origi-
nally quite separate. The first of these was the develop-
ment of low-level communication protocols for efficient
and reliable transmission of messages within our local
network. This has led to a sophisticated connectionless
protocol [Rovner, 1977] which seems to have significant
advantages over previous proposals; Section 4 contains
a discussion of this work. At some point in the develop-
ment, it occurred to us that we were using very similar
message systems within RIG and externally in the net-
work. We have made some progress in unifying these two
projects with the third project, PLITS.
3. PLITS, a Language for Distributed Computing
The PLITS project originally had no direct relation to
distributed computing, but was concerned with develop-
ing a non-trivially new programming language. There
were two basic underlying assumptions: (1) that program-
ming languages had changed little in the previous decade
despite advances in many related areas and (2) that one
could hypothesize compilers of the sophistication of the
best current artificial intelligence programs. We began
by trying to isolate the most important concepts current-
ly available in programming systems and to see where
they were compatible and incompatible. The project was
called PLITS (Programming Language in the Sky) and,
although it has come down a little closer to the ground,
the name has stuck.
The two fundamental building blocks underlying any
PLITS system are modules and messages. A module is a
self-contained entity, something like a Simula or Small-
talk class, a SAIL process, or a CLU module. It is not im-
portant for the moment which programming language is
used to encode the body of a module; we wish explicitly
to account for the case in which various modules are
coded in different languages on a variety of machines.
For now, let's consider modules to be programmed in
Algol-6O and also assume that there are some modules
available for input, output, and file manipulation.

Permission to copy without fee all or part of this material is granted provided
that the copies are not made or distributed for direct commercial advantage,
the ACM copyright notice and the tide of the publication and its date appear,
and notice is given that copying is by permission of the Association for Com-
puting Machinery, Inc. To copy otherwise, or to republish, requires a fee and/or
specific permission.

1978 ACM 0-89791-000-1/78/0012/0~J0 /$00.75

310
 1,01
Figure 1, RIG Hardware Configuration
Modules communicate with one another solely through
messages. In order to have communication, there must
be something that is understood by both communicating
modules. The common element in PLITS iS a name
which may be thought of as an uninterpreted string of
characters. A message is a set of (name~value) pairs
called slots. The value portion of a slot will be an element
of some primitive domain (think of integers) whose rep-
resentation is also generally understood.
The modules of any PLITS system will have to be able
to compose, send, receive, and decompose messages.
For this purpose, we must add some data types and op-
erations to ALGOL or any other body language. In this
case, the primitive data types of ALGOL will have to be
extended to include module and message. Each modu;e
also will contain an explicit declaration (Public) of every
slot name that it can deal with along with the data type
of that slot. There is a process analogous to link-editing
that insures that public slot names are used consistently.
For a first example, suppose there were s module,
Fibonacci, which provided the service of supplying con-
secutive positive Fibonacci numbers, and a module,
George, which wanted to make use of this service. The
code for this would be something like that shown in Ex-
ample 1 (George and Fibonacci are actual constant
named modules, not module prototypes or class defini-
tions}.
We see that George and Fibonacci both know the slot
names "Object" and "Recipient" and thus can commu-
nicate. At the appropriate time, George composes a mes-
sage with one slot, having as a value the system identifier
for the module George itself. After sending the message
to Fibonacci, George is suspended until a message from
Fibonacci is received, i,e., this is essentially a subroutine
call. The Fibonacci module simply waits for a request
and fulfills it. The syntax for accessing and modifying
messages treats them like the records of, e.g., Pascal
[Hoare, 1973].
Starting from a survey of the "powerful ideas" of pro-
gramming systems, we attempted to see if there were in-
herent incompatibilities among them. It was immediate-
ly clear that one could not combine all Of the useful
language primitives in a consistent way--so PLITS had
to include different languages. Networking was clearly
311
here to stay and had to be accounted for. Structured
programming seemed to be attacking the right problem
with unreasonable methods. Messages were known to
be a very good control primitive and were the coin of
networking. The experience with RIG convinced us that
messages also seemed to be a good mechanism for pro-
ducing reliable yet still flexible software.
The message-module paradigm became established
quickly as the fundamental solution for PLITS.
The decision to have public names as the basis of com-
munication seems obvious in retrospect, but was difficult
to arrive at. By sharing names rather than variables or
sequential positions in some structure, modules could be
written in a way that was clear, but did not have the
problems of shared storage.
It was apparent from work in automatic programming
and verification that more declarative information was
needed--hence we included the general notion of asser-
tions. Although many difficult questions remain, enough
clean solutions have been found to convince us that
there is something fundamentally sound in the PLITS
world view.
Example 1 is basically bad PLITS code; the module
Fibonacci contains no error checking. Let us consider an
expanded but still weak version which will not cause in-
teger overflow (Example 2).
The first new notion occurs on line 4, where a public
slot name of type "problem_type" is declared. The type
problem_type is a fixed sequence of uninterpreted sym-
bols exactly like the Pascal "enumeration" type. There
will be several public enumerations in a PLITS system.
In lines 9-11, a prepackaged message is assembled and
stored in the message variable, My_Complaint. The other
new code is in lines 21-27; the Recipient slot of My_Com-
plaint is filled in from the Request. If there is a Com-
plainLDept slot in this request, the module which is its
value will be sent the complaint. Otherwise, some default
complaint handler, City_Hall, will hear about it. The
name of the Recipient module (which may have been
awaiting an answer) is passed along to the Complaint-
Dept, because there might be some appropriate response
to the problem. For example, there could be some double
precision Fibonacci module which would be able to re-
turn an appropriate value if George were prepared to
 1 Begin "George" Begin "Fibonacci"
2 Public Integer Object; Public Integer Object;
3 Public module Recipient; Public module Recipient;

4 Begin Comment George's thing; Message Request;

5 Integer I,J,NexLFib; Integer This, Last, Previous;
6 MessageMess1, Mess2; Last'O; This-l;

While true do
Begin
7 Send {Recipient~Me} to Fibonacci; Request-Receive from Any;

8 Mess2-Recelve from Fibonacci; Previous-Last;

Last-This;
9 NexLFib-Mess2.Object; This-Last+Previous;

Send {Object~Thisl to Request-Recipient;

10 End End
11 End "George" End "Fibonacci"
Example 1

1 Begin "Fibonacci"
2 Public Integer Object; 1 Begin "Fibonacci"
3 Public module Recipient, ComplainLDept, Complainer; 2 Public integer Object;
4 Public problem_type Problem; 3 Public module Recipient;
4 Public action type Action;
5 message Request, My_Complaint;
6 module Complainee; 5 message Request;
7 integer This, Last, Previous, Biggest;
6 map This[trecsection} =>integer;
8 Last-0; This-l; Biggest-23~ ~1 ; 7 map Last[transaction) => integer;

9 My_Complaint- {Problem~Overflow, 8 Integer Biggest,Previous,ActiveCount;

10 Complainer~Me 9 transaction ThisTrans;
11 } tO transaction set Active;

12 While True do 11 Biggest-23~ - 1;

13 Begin 12 ActiveCount-O;
14 Request-Receive from any; 13 Active-{Start NewSequence};
15 Previous-Last;
16 Last-This; 14 While true do
15 Begin
17 If Biggest - Last> Previous 16 Request-receive from any about Active;
18 then Begin This-Last+Previous; 17 case Request.Action of
19 Send {Object~This} to Request. Recipient 18 Begin
20 End 19 [Start[
21 else Begin 20 Begin
22 Put (Recipient~Request. Recipient) In My_Comptaint; 21 ThisTrans-new transaction;
23 Complainee-lf Present Request.ComplainLDept then 22 ActiveCou nt -ActiveCount +
Request. ComplainLDept else City_Hall; 23 If ActiveCount = MaxCount then
24 remove StartNewSequence from Active;
24 Send My_Complaint to Complainee 25 put ThisTrans in Active;
25 End 26 Last[ThisTrans]-l;
26 End While Loop 27 This[ThisTrans)-l;
27 End "Fibonacci" 28 send {Object~This[ThisTrans}} to Request.Recipient
Example 2 about ThisTrans;
29 End;
30 [Generate]
31 Begin
32 ThisTrans-Request.About
33 Previous-Last {ThisTrans);
34 Last[ThisTranS} -This[ThisTrans};
35 This[ThisTrans] -Last[ThisTrans}+ Previous;
36 send IObject~This[ThisTrans}} to Request.Recipient
about ThisTrans;
37 End;
38 [Terminate]
39 Begin
40 if ActiveCount = MaxCount then
41 put StartNewSequence in Active;
42 ActiveCount-ActiveCount - 1;
43 destroy This[Request.About];
Last[Request.Aboutl;
44 remove Request.About from Active;
45 End;
46 End;
47 End;
48 End "Fibonacci"
Example 3

312
accept it. This would require that George handle double-
size integers: that is not hard to arrange, for example, by
an extra slot for the high order part.
There is a more interesting problem in the control dis-
cipline used in the coding of the module George given in
Example 1. The statement on line 8 is:
Mess2-Recelve from Fibonacci.
But we saw in the expanded Fibonacci module of Exam-
ple 2 that there might be an error recovery module that
would supply the answer if Fibonacci could not. The
coding style of line 8 requires that the answer be con-
veyed back to Fibonacci and then to George, but there is
nothing to be gained by retracing our steps. To solve this
and a number of other control problems, we will add one
more ~:onstruct, transaction, to PLITS. Intuitively, a trans-
action is a key which can be used in the regulation of
message traffic. We could replace 8 with:
8' Mess2-Receive about Key4 ;
where Key4 is a transaction which is identified with the
generation of this sequence of Fibonacci numbers. Selec-
tive receives based on transaction keys allow a receiving
module to be programmed without regard to which mod-
ule will ultimately send it the message. Yet the receiving
module is still able to keep separate "conversations"
distinct.
This leads us to the use of transactions as tags for
different streams of communication to and from multi-
plexing modules, In Example 3, we have a new Fibonacci
module ~,hich can simu}taneously maintain several dif-
ferent streams of Fibonacci sequences for one or many
users.
In the example, "map" (lines 8-7, 28, 27, 34, ;35, etc.)
indicates a data structure which maps a transaction key
into an integer. Think of it as an integer array indexed by
transaction keys. "Action_type" is an enumeration type
consisting of SMART, GENERATE, and TERMINATE.
MaxActive is a constant which is the maximum number
of active sequences allowed.
Every PLITS message contains two slots placed there
by the system. The "From" slot contains the source of the
message. The "About" slot contains the transaction key
associated with the message. (A dummy key is supplied
if the user has not provided one.)
To obtain a Fibonacci stream, a user module will send
a message with Action field equal to "Start" and with the
globally known constant transaction key "StartNew-
Sequence." The Fibonacci module sends the first element
of a new sequence back along with a new transaction
key, which will be used by the user module in each future
request.
Note the power of the selective receive in line 16. The
Fibonacci module has complete control over what it
responds to. Originally (line 16), it is listening for any
request for service. When a stream is opened, it adds that
stream to its set (line 28). When the maximum allowable
number of active streams is reached, it turns deaf to new
requests for service (line 24). Finally, when a stream dies,
it turns deaf to that stream and again allows new re-
quests for service (lines 40-44).
4. DSYS--A Distributed System
With the PLITS style of programming as background
and a source of examples, we are developing an experi-
mental system (DSYS) to support high-level distributed
computing. DSYS will run on the seven computers in our
laboratory: four ALTOs, two Eclipses, and a PDP/10. It
will provide facilities for defining and running PLITS dis-
tributed jobs (DJOBs).
The remainder of this section outlines both our progress
to date and our present design ideas for DSYS. The dis-
cussion in Sections 4.10 and 4.11 summarizes our goals
and states some questions that we find useful for DSYS
planning.
313
4.1 System Overview
Even on a single machine, there will have to be some
underlying programs which handle messages. We will
call this collection of programs the kernel for a PLITS site.
The kernel is a conventional multi-programming monitor
which sequences through the modules on its "ready"
queue. The kernel also maintains data structures describ-
ing modules which are "suspended," waiting tO Receive
a message of a specified sort. These data structures, to-
gether with analogous ones for messages which result
from Send statements, suffice to implement the PLITS
message primitives.
A problem arises if the modules are written in different
body languages. It may be the case that languages differ
in their representation of primitive data types (e.g., real).
We require that the representation of primitive data
types be uniform within a site. This, as well as other con-
siderations, may give rise to the situation where there is
more than one site on a given machine involved in an in-
dividual distributed job (D JOB). Figure 2 is a graphic
representation of the breakdown of functions and termi-
no)ogy which we have adopted. It is convenient to divide
the PLITS support functions into two subsets carried OUt
by the site kernel and by the DSYS Host Control Program
(DHCP) respectively. In the example, there are two
DJOBs, A and B, which have no connection but happen
to be both distributed over Machines 1 and 2. DJOB A
consists of three sites: $11 and $12 on Machine 1 and $21
on Machine 2. Each site has a kernel associated with it
as described above. The kernel performs the following
functions:
(1) distributes messages within the site;
(2) forwards messages to and from other sites;
(3) carries out needed representation shifts for inter-
site messages;
(4) allocates resources within the site;
(5) generates unique (world-wide) names;
(6) checks for errors and assertion violations.
We have briefly discussed the first three functions. The
fourth function, resource allocation within the site, is
concerned with storage allocation and reclamation, sched-
uling of ready modules, etc. The fifth function is the
generation of unique names for modules and transaction
keys (see Section 4.6). Error and assertion checking is
discussed in Section 4.8.
Each DHCP is an extension of its machine's operating
system. It performs four main functions (see Section 4.5
for more detail):
(1) distributes messages among sites local to this ma-
chine;
(2) forwards messages to and from other machines;
(3) starts and stops D JOBs, and provides access to
other operating system services;
(4) checks for errors and assertion violations,
Let us first consider the problem of setting up a DJOB.
If there are two sites on the same machine with the same
representations, the DHCP only has to check that the use
of public slot names is compatible--essentially the same
process as combining the externals of two load modules.
If there are several machines involved and there is an
incompatibility in representation of a primitive data type,
then some conversion routines will have to be automati-
cally invoked. The ARPA network voice protocol [Cohen,
1976] presents a good model of a scheme in which a
dialog between machines is used to reconcile representa-
tion differences before messages containing data are
sent. All of this is fairly messy, but should only be neces-
sary when a new PLITS language processor is brought
up on a machine. In the usual case, the standard conver-
sions between sites will have been established and the
negotiations between machines will be simple.
When a PLITS message is sent by a module in a site, its
destination is checked. If it is within a site, the site kernel
handles it; if not, it is given to the local DHCP. If the
destination is within another site on the same machine, it
is given to the kernel for that site; if not, the DHCP has it
forwarded to the appropriate machine. This is the job of
DHCP functions 1 and 2 above. To do this effectively re-
quires quite a lot of mechanism beneath the surface.
Problems faced include reliable transmission, flow con-
trol, error handling, and providing user services in a dis-
tributed operating system.
 D job A
> Link
<
Djob B
Machine 1
Figure 2. Example Overview of PUTS DJOBs
4.2 Implicit Connections
Our desire to allow free collaboration among modules
has led to a design in which there are no explicit "con-
nections." Modules that want to communicate do not
need to explicitly establish a communication path (i.e.,
connection) before communicating. All a module needs
in order to send a message to another module is its name
(see Section 4.6). If Module 1 receives Module 2's name
in a message from Module 3, Module 1 can send a mes-
sage to Module 2 without opening a connection first, or
checking to see if a (1-2) connection already exists. Also,
Module 1 does not have to close the connection when it
finishes. Thus, programs can deal with intra-site com-
munication and inter-site communication uniformly. It is
the responsibility of the DHCP to route messages to for-
eign receivers, and to arrange for flow control and reli-
able transmission over a machine-to-machine communi-
cation network if necessary. From the point of view of the
high-level logic of its task, the user program is not con-
cerned with the location of modules.
Traditional communication systems (e.g., ARPANET)
use connections as loci for strategies that do resource
management (e.g., buffer space allocation, flow control)
and error handling. The need to develop such facilities
for our scheme has provided an opportunity to take a
fresh look at these issues. Some of our present ideas are
outlined below.
4.3 Resource Management
Resource management is the central design problem
for any operating system. In a multi-processing, message-
based system such as RIG, the basic resources to be
managed include: buffer space for messages end system
data structures; and processor cycles. By controlling the
allocation of these resources, RIG controls the rate of
message flow between senders and receivers. DSYS uses
similar methods to manage resources in a distributed
computing environment.
An operating system that provides services (e.g,, disk
files, ARPANET, printer, terminal I/O, text editor, facili-
ties for running user programs) for multiple users must
keep track of which services are in use by which users.
That is, another aspect of the resource management prob-
lem is the provision of such services to user jobs, and the
ability to recover a job's resources when it finishes.
4.4 DJOBs
A distributed job (D JOB) which uses the facilities of
the distributed system (DSYS) will in general use re-
sources on more than one computer. A D JOB might con-
sist of sites on several computers and use the services of
several computers. For example, a distributed vision ap-
plication might consist of an image processing site on the
PDP/IO, an interactive site on an ALTO, a site on the
Eclipse for managing the Grinnell color display, and file
system services on the PDP/10 and on the Eclipse. One
of the sites in each D JOB is the "controlling site" for the
DJOB. In the example, the controlling site might be the
one on the ALTO. The controlling site for a D JOB is re-
sponsible for initializing and terminating the D JOB and
for taking appropriate action when one of the other sites
of the D JOB fails. A D JOB is uniquely identified in DSYS
by the "name" of its controlling site (see Section 4.6).
314
!
/
Machine 2
4.5 OSYS Organization
DSYS is distributed among the operating systems in
our network. We refer to the DSYS component of each
operating system as the DSYS Host Control Program
(DHCP). Each DHCP has two parts, a "DSYS Job Mana-
ger" (for distributed jobs) and a "DSYS Communications
Manager" (DCM). This organization reflects the two
separate facilities of DSYS: operating system support
and services for PLITS DJOBs, and basic message com-
munication in the PLITS style. The former facility is actu-
ally an application of the letter. That is, each local Job
Manager uses a message communication protocol with
the other Job Managers in the network to get its work
done. The DCM provides the same communication ser-
vices for the local Job Manager as it does for local PLITS
(user) sites.
4.5.1 The DSYS Job Manager
Each Job Manager:
(1) provides services for D JOBs (i.e., start, stop, access
to operating system services [see Section 4.7]);
(2) remembers which services are allocated to which
D JOBs, and which site is the controlling site for
each D JOB;
(3) arranges to recover resources used by such services
when a D JOB finishes.
In addition, each Job Manager keepstrack (for each D JOB
whose controlling site is local) of the other computers
that are involved with the D JOB. That is, the Job Mana-
ger for the controlling site of a D JOB knows which other
DHCPs to notify when the D JOB finishes (or dies).
4.5.2 The DSYS Communications Manager (DCM)
The DCM on each computer is responsible for forward-
ing messages to and from modules on other computers.
The DCM accepts messages for forwarding to foreign
modules from local site kernels, and passes messages
being forwarded from other DCMs to local site kernels.
In addition to dealing with communications I/O de-
vices, the DCM controls the flow of messages from local
senders on the basis of the rate of acceptance by intended
receivers ("back pressure") and the availability of local
buffer space. The DCM also provides a "reliable trans-
mission" service.
Like the site kernel, the DCM allocates buffer space for
messages on a "destination" basis. Each (receiving mod-
ule, transaction) pair is considered a "destination" for
messages, and DSYS maintains a data structure (the
"destination descriptor") for it. Each such destination
has its own allotment of buffer space for messages. This
space is not committed a priori, but is rather an estimate
(changeable) of how much of a backlog of messages
should be allowed for the destination. The basic flow
control mechanism is this: a sending module is kept sus-
pended by its site kernel until space on the destination's
primary input queue becomes available. If the destina-
tion is local, the site kernel does the queue management
and flow control. If the destination is foreign, the DCM
(i.e., the forwarder) does the queue management and
flow control.
 A destination descriptor is a distributed data structure.
The destination's site kernel has a portion, and each
computer upon which there is at least one module send-
ing messages to the destination has a portion (maintained
by its DCM). One can view the portions on foreign com-
puters as queue extensions. The primary job of the DCM
is to maintain this distributed data structure to support
module-to-module c o m m u n i c a t i o n across c o m p u t e r
boundaries.
Flow Control
The DCM extends the basic flow control strategy that
is used by site kernels to include flow control for mes-
sages to foreign modules. This is done by providing
(limited) local queue space for each foreign destination,
a mechanism for forwarding messages to foreign site
kernels, and a mechanism for communicating state in-
formation about a destination from its site kernel to
(forwarding) DCMs. Thus, for message communication
to a foreign module, the DCM acts as (an agent for) the
foreign site kernel. That is, the DCM makes it appear to
the sending site kernel as if it (the DCM) were the foreign
site kernel. From the point of view of the sending module,
its site kernel responds uniformly to messages sent to a
local module or to a foreign one: the SENDMESSAGE call
returns (perhaps after a delay) with a code that specifies
either an error condition (see Section 4.8 below) or that
the message was posted for delivery.
Renable Transmlsslon
One of the special problems of network communica-
tion is "reliable transmission." In general, messages sent
over a communication line may be lost, garbled, or du-
plicated, and may arrive in a different order than they
were sent. A communication system can provide a reli-
able transmission service in any of several ways, all of
which depend on feedback from the receiver to the
sender. DSYS provides reliable transmission on an "end-
to-end" basis, rather than between each pair of com-
puters along the way. The sending end is a (forwarding)
DCM, and the receiving end is a destination, i.e., a (mod-
ule, transaction) pair. It is the responsibility of the
receiving site kernel to remember for each of its destina-
tions the state (i.e., message sequence number) of the
message stream from each foreign D C M A "positive-
acknowledgment, retransmission" protocol for reliable
transmission is used between receiving site kernels and
forwarding DCMs. This is exactly the communication
path needed for end-to-end flow control! It turns out that
the mechanisms for end-to-end flow control can be used
(with very small additional cost) for reliable transmission
as well. If the transmission line error rate is low enough
(our experience indicates that it is), the expense of an
(occasional) end-to-end retransmission is offset by the
advantages of a simple and flexible low-level (i.e., com-
puter-to-computer) protocol.
Computer-to-Computer Flow Control
A separate (but related) issue is flow control between
adjacent computers. If a receiving computer cannot keep
up with a sending one, it can either discard information
when buffer space is exhausted or somehow ask the
sender to "wait a while." The former strategy has the
advantage of simplicity, but causes information to be
lost, thus effectively increasing the communication line
error rate. It is usually a bad idea to increase the effec-
tive line error rate to compensate for too simple a design.
DSYS uses a straightforward version of the "wait a while"
idea to control flow between computers. The basic strat-
egy is the same for computer-to-computer flow control
as it is for end-to-end flow control on DSYS connections:
when the receiver finds that its remaining buffer space is
.critically low, it sends a "stop sending" request to the
sender. As soon as enough buffer space becomes avail-
able, it sends a "continue sending" request. Enough extra
space at the receiver is allocated to accommodate data
that arrives while the "stop sending" message is in tran-
sit. A sender that has been stopped will resume sending
after a time if no "continue" message is received (it may
have been lost). In pathological cases, data will be lost,
and end-to-end retransmission will be necessary. Once
again, we assume that this will happen very infrequently,
and that the parameter values for the space and time
thresholds can be adjusted for an acceptable trade-off
between minimal expected Iossage and efficient normal
operation.
315
4.6 Names
There is a question of how to generate unique names
in a distributed system. If there were a central source of
names, it might take a long time to get one, and the cen-
tral source might be sometimes inaccessible. If each site
created its own, there would either have to be a lot of
handshaking or there would be a danger of duplications.
Our solution is simple and quite general: a name (in the
present design) is a 32-bit number, composed of four
fields--a computer number, an "incarnation number," a
site number, and a "local module number." The com-
puter number uniquely identifies one of the computers
in our network. The incarnation number is used to dis-
tinguish old incarnations of the operating system on the
indicated computer from the most recent one. DSYS uses
this information to trap references to defunct operating
system incarnations (see the discussion on error handling
in Section 4.8). The site number identifies a site on the
indicated computer, and the local module number identi-
fies a module at the site. Thus, a DSYS module name
uniquely identifies a module in the distributed system.
One consequence of these definitions is that a given
module instance always resides on the same machine,
somewhat contrary to current fantasies about distributed
computing. In our view, a module will be compiled to
take full advantage of the hardware and software re-
sources of its machine. There will be equivalent modules
on various machines, and programs will be able to choose
between them, but each will have a distinct unique
name and machine of residence.
DHCPs and site kernels have names too. If the site
number in a name is zero, the name identifies the DHCP
on the indicated computer. If the site number is non-zero
but the local module number is zero, the name identifies
the indicated site kernel on the indicated computer.
The system uses the names of DHCPs and site kernels
in its protocols for connections, flow control, and reliable
transmission. That is, the distributed system uses mes-
sages to get its work done, just as a user DJOB does.
4.7 Access to Services
One of the tasks of the DSYS Host Control Program
(OHCP) on each computer is to provide D JOBs with ac-
cess to the services that the local operating system
provides. Typical services include file system access,
ARPANET, printer, TELNET, text editor, and facilities
for creating and running a site as part of a D JOB. Each
DHCP is equipped with a built-in module called "Request-
Fielder" which provides D JOBs with such access. There
is a DSYS call that allows any module to find the name
of the "RequestFielder" module at any DHCP. This is one
application of a general "name service" facility within
DSYS (not described here). A special message protocol is
used to arrange with a DSYS RequestFielder for a service.
4.8 Error Handling
Many of the speciai problems of distributed computing
relate to handling errors. In a conventional program-
ming style (i.e., not message-based), subroutines are
used as the primary structuring mechanism. The usual
assumption about subroutines is that they are available
when called, and that they function properly. The analog
of a subroutine call in a message-based programming
style is the "handshake": send a message, wait for a
reply. In general, of course, message activity can be pipe-
lined or multiplexed, and the relationships between in-
coming and outgoing messages can be much richer than
a direct response to each query.
4.8.1 Errors Unlque to Distributed Computing
In addition to all of the ways in which a subroutine can
fair (bugs, bad specifications, name conflicts, etc.), mes-
sages can fail in (at least) the following other ways:
1. "Synchronous" errors
Synchronous errors are those that can be detected
when a module executes a system call to send or
receive a message. Synchronous errors arise because
call parameters are bad in some way. Such errors
can be reported as "failure" of the system call, Ex-
amples:
(a) Specified site (or module) does not exist.
(b) Specified computer is down.
(c) Incarnation number of specified computer oper-
ating system is out of date.
 2. "Asynchronous" errors
Asynchronous errors are not immediately de-
tectable as problems with the parameters to a sys-
tem call, and can occur at any time. Examples:
(a) A message that was previously queued for de-
livery couldn't be delivered after all (because of
a, b, or c above).
(b) A "demon" has discovered a problem. A "de-
mon" is a service provided by DSYS whereby a
module can request explicit (asynchronous) noti-
fication (via an EMERGENCY message) when a
specified (other) module ceases to exist.
(c) A foreign site or service that was being used by
this D JOB terminated abnormally.
Unfortunately, there are more opportunities for errors
to occur in systems for distributed computing than in
conventional systems. The programmer of a distributed
computation must therefore give more thought to the
problem of dealing with errors and "exceptional condi-
tions" to provide an adequately robust program. Sys-
tematic conventions for how to deal with such errors
should help, and we are developing some ideas along
these lines for DSYS.
4.8.2 Emergency Messages
The present DSYS design provides "emergency" mes-
sages as the mechanism that the system uses to report
asynchronous errors to a module. If a module has an
emergency message on its input queue, the system will
include a notice that there is a pending emergency mes-
sage as part of the normal response to any call that sends
or receives a message. This is only an initial attempt at
providing a uniform mechanism for errors and other
asynchronous conditions.
4.9 Implementation
An experimental version of DSYS is up and working in
our local network. There are experimental DHCPs for
the ALTOs and for the PDP/IO, and the Eclipse DHCP is
in the final stages of debugging. Each DHCP has most of
a Communications Manager, a name server, and a rudi-
mentary Job Manager (presently a RequestFielder that
provides file service).
4.10 Summary
There is a rapidly growing awareness [Hoare, 1977]
that the paradigm of a collection of communicating se-
quential processes is a useful and powerful concept for
solving problems and for developing computer systems.
In the usual way, progress requires the development Of
concrete systems which both test ideas and lead to new
ones.
What can be done to provide systematic conventions
for dealing with the errors and exceptional conditions
that occur in distributed computations? In particular,
how can such a system be made robust? What can be
done to maintain the integrity of a distributed system
(and of innocent user jobs) when either a user job or a
part of the system fails?
How should "user job" be defined? What services
should the distributed system provide, and how should
user jobs deal with the distributed system? What are the
special problems of user jobs in such an environment,
and how can the distributed system help?
4.11.2 Longer-Range Questions
HOW can performance be monitored and distributed
computations (and systems) be tuned? In general, how
should the programmer think about an execution of his
computation? What tools can the system provide to help
in this regard? Such tools should also be helpful to the
system designer.
How can such a system be made reliable? Are there
practical descriptive techniques for the protocols of real
distributed computations? How can such a description
be used effectively to uncover design problems or gen-
erate tests? How much of this can be automated?
References
Ball, et al., "RIG, Rochester's Intelligent Gateway: Sys-
tem Overview," TR5, Computer Science Department,
University of Rochester, April 1976; also appeared in
IEEE Transactions on Software Engineering, Vol. SE-2,
No. 4, December 1976.
Cohen, D., "Specifications for the Network Voice Proto-
col," ISI/RR-75-39, Information Sciences Institute,
University of Southern California, March 1976.
Foster, John D., "Distributive Processing for Banking,"
Datamation, July 1976.
Hoare, C. A. R., "Communicating Sequential Processes,"
Computer Science Department, Queen's University,
Belfast, March 1977.
Hoare, C. A. R. and Wirth, N., "An Axiomatic Definition of
the Programming Language Pascal," ACTA Informatica,
Vol. 2, 1973.
Rovner, P. D., working paper, to appear as TR22, Com-
puter Science Department, University of Rochester,
1977.

Our work on DSYS is motivated by the requirements

of PLITS and by our experience with RIG. Our desire
to provide flexible communication facilities for user jobs
in a distributed operating system has led us to take a
fresh look at some of the problems of distributed com-
puting. In particular, we are developing a scheme th~tt
provides both a uniform user view of inter-module com-
munication and a flexible system view of resource man-
agement.
Further, we are developing the idea of a distributed
user job, and designing mechanisms for handling errors
and exceptional conditions in distributed systems. At the
low level, we are working on communication protocols
that use end-to-end flow control and reliable transmis-
sion, allow fine control over buffer space allotments for
arriving messages, and provide detailed feedback for in-
telligent flow control when such information is available.

4.11 DSYS Research Questions

TO help guide the work on DSYS, we find it useful to
express design goals as questions. The present collection
of such questions is outlined below.

4.11.1 Medium-Range Questions

What kind of a system is required to support a program-
ming methodology in which sequential processes ("mod-
ules") communicate via messages? How can such a
system be designed to present a uniform user view of
inter-module communication, independent of whether
the communicating modules run on the same computer?

316