2.1. General case

Consider the example depicted in Figure 1. It models two components, C and D. Each component C must have between between m ₁ and m ₂ partners of type D, and each component D must have between n ₁ and n ₂ partners of type C in turn. In UML terminology, C and D are classes, the relationship between them is denoted as an association, and the numerical intervals constraining the association are called multiplicities or cardinalities.

Fig. 1. Two classes, C and D, a binary association between them, and multiplicities restricting the number of allowed links.

Such a diagram already captures our intuition about the desired semantics. However, there are several hidden intricacies.

2.2. Lower bound constraints

Without additional constraints, any formal reasoner will refrain from instantiating any objects at all when searching for minimal models. This is because UML diagrams do not implicitly enforce the existence of individual objects. This can be easily fixed with a constraint stating there needs to be at least one C object, for example, expressed in the Object Constraint Language (OCL; Object Management Group, 2012):

$$\hbox{context C inv\colon \;C.allInstances\lpar \rpar }- \gt \hbox{size\lpar \rpar }\gt 0.$$

2.3. Multiple links

Next, it makes a difference whether we allow multiple links between the same objects or not. In some cases it is desirable, like multiple redundant network cables between two switches, whereas often it is not and an indication of a design error. UML allows us to change this behavior via the multiplicity attribute “(non)unique.” The default is unique, which forbids (or ignores) multiple links between the same objects, and we stay with this convention when not otherwise explicitly stated.

When mixing unique and nonunique on the same association, there are subtleties with the semantics of a valid instance of the UML class diagram. Consider Figure 1 and assume that n ₁ = 1, n ₂ = 2, m ₁ = 3, and m ₂ = 4 and that the end of the association near D is marked as nonunique. Then Figure 2 shows a valid instance with only two D objects (note that m ₁ = 3). This is because c ₁ has three different links to objects of class D and is not necessarily connected with three different objects, corresponding to the nonunique attribute. Consequently, we recommend avoiding mixed associations unless the designer is aware of the underlying semantics of such constructs. Instead, associations with symmetric attributes (i.e., either unique or nonunique on all association ends) can be used to model a broad class of constructs.

Fig. 2. A valid instance of Figure 1 for n ₁ = 1, n ₂ = 2, m ₁ = 3, m ₂ = 4, when the end of the association near D is marked as nonunique.

Besides the basics of managing functional units and their relationships, several additional features are necessary to allow an engineer to model realistic systems for configuration, like handling mutually exclusive components or conflict handling.

2.4. Subclassing

Subclassing relates similar components in a hierarchy, typically with a single superclass and multiple inherited subclasses. When modeling component systems, subclassing is primarily used to express disjunction in either the normal (logical or) or the exclusive (logical xor) form.

Consider Figure 3, which depicts the situation that two (sub)classes, C ₁ and C ₂, share a common structure and are thus related to the common superclass C via a generalization in UML. The idea behind this construct is that either C ₁ or C ₂ can be used when somebody asks for a component of type C. If it is allowed that both C ₁ and C ₂ are instantiated at the same time, we can use the diagram as is. Otherwise, the additional UML constraint {xor} needs to be added (in the form of a dashed line between the associations connecting C ₁ with C and C ₂ with C).

Fig. 3. Generalization with superclass C and two subclasses, C ₁ and C ₂.

2.5. Conflicts

Similarly to the constraint that only one out of multiple components can be chosen, some may be incompatible with others. For example, in an automotive scenario, we may not be allowed to mix tires of different types for safety reasons, or installing two different software libraries providing an overlapping set of files may destroy a working operating system setup.

A possible way to encode such a constraint is depicted in Figure 4. The key feature is the 0..0 multiplicity that states that each C object must have 0 links to objects of class D. This directly corresponds to incompatibility. Alternatively, separate constraints outside of the UML diagram may be used to avoid a blow up in the diagram if many incompatible cases are relevant to an application. For example, the OCL constraint

$$\eqalign{\hbox{context C inv\colon \;C.allInstances\lpar \rpar }- \gt \hbox{size\lpar \rpar } \gt 0 \cr \hbox{implies D.allInstances\lpar \rpar }- \gt \hbox{size\lpar \rpar } =0}$$

states that once there is at least one object of type C, then no object of type D is allowed to be instantiated.

Fig. 4. A binary association modeling a conflict between the two classes, C and D, via a 0..0 multiplicity.

3.1. General case

A binary association as exemplified in Figure 1 is mapped to

$$\eqalign{&m_1\times \vert C \vert \le n_2 \times \vert D \vert\comma \; \cr &n_1 \times \vert D \vert \le m_2 \times \vert C \vert\comma \;}$$

where |C| and |D| denote the number of C and D objects, respectively. The main observation for correctness of the above translation is that the number of links, l, between the two classes, C and D, is bounded by

$$\eqalign{&m_1 \times \vert C \vert \le l \le m_2 \times \vert C \vert\comma \; \cr &n_1 \times \vert D \vert \le l \le n_2 \times \vert D \vert.}$$

Combining these two inequalities results in the above translation.

3.2. Lower bound constraints

Enforcing that individual classes get instantiated at all enforces us to use lower bound constraints. For example, for Figure 1, a valid solution is |C| = 0 and |D| = 0 because all constraints are satisfied (which is easily verified by inserting |C| = |D| = 0 in the inequalities from the previous paragraph). However, normally this is not the desired semantics. Instead, we want to enforce that there is a least one component of type C that maps to the following simple ILP constraint

$$\vert C \vert \ge 1.$$

3.3. Multiple links

Inequalities from the general case hold in the presence of the nonunique UML attribute because their correctness relies on an argumentation of involved links. To ensure uniqueness among objects, we need additional constraints stating that links must end with mutually different partner objects. In Figure 1 the association has no explicit attribute markers and thus defaults to unique on both association ends. We obtain

$$\eqalign{&\vert C \vert \gt 0 \rightarrow \vert D \vert \ge m_1\comma \; \cr &\vert D \vert \gt 0 \rightarrow \vert C \vert \ge n_1.}$$

This ensures that if at least one C or D object gets instantiated, there are enough different (i.e., m ₁ and n ₁) D and C objects available for linking. Note that there is an implication involved in these formula that at first glance is not compatible with standard ILP. However, in our case, we can easily remedy this by solving our ILP and checking the preconditions afterward. Because all preconditions are of the form |X| > 0, this can be instantly checked from the ILP solution, and a new (augmented by the right-hand sides of above formulas) ILP is started with the old solution as its initial starting value. Because the inequalities presented so far form a solution space that can be monotonically processed by increasing variable values, this trick works without backtracking. As a result, the compound running time of the old and new ILP linearly corresponds to an ILP where it is known in advance whether the preconditions fire or not.

The inequalities presented so far can be efficiently solved by mapping them to a directed weighted graph. The variables form its nodes, and each inequality relating two variables induces an edge with a weight proportional to the coefficients of the variables. Over such a weighted directed graph a variant of the Floyd-Warshall (Floyd, Reference Floyd1962) algorithm can be used to compute all shortest paths in the polynomial time of O(V ³), where V stands for the total number of variables of all inequalities. These paths can be used for obtaining rational solutions that in turn can easily be translated into a (not necessarily minimal) integer solution. Note that this is not in contrast to the general NP-hardness of ILP. The reason is that we have no constraints of the form m × |C| + n × |D| ≤ k (with m, n, and k as positive integers) yet in our formulation. Note that the same strategy of building a graph also works for n-ary associations as long as all n ends of the association have the same uniqueness attribute.

Alternatively, any standard ILP solver can be used to obtain the minimal integer solution directly.

3.4. Subclassing

When modeling a generalization as depicted in Figure 3, we first have to decide on the semantics when there is a connection from C to another class, D. One interpretation is that C is a placeholder and D is connected to either C ₁ or C ₂. This means that C does not get instantiated at all (and as such |C| = 0). Alternatively, D can connect to C, and C is connected to either C ₁ or C ₂. Without loss of generality, we stick with the latter convention because we prefer to model associations explicitly (e.g., between D and C ₁ with a separate association if there is a direct correspondence between them without using the generalization). The superclass C can be seen as a virtual coordinator that might ease the actual linking of components considerably. Superclasses can also easily be discarded if there is no need for them in the final solution (e.g., in the hardware domain where only subclasses are likely to be instantiated).

We observe the property that in Figure 3 each C can have zero or one C ₁ partner objects, but a single C ₁ (if it exists) must have exactly a single distinct C object. The same argument holds for C with C ₂. The property is formalized to

$$\eqalign{&0 \times \vert C \vert \le 1 \times \vert C_1 \vert\comma \; \cr &1 \times \vert C_1 \vert \le 1 \times \vert C \vert \comma \; \cr &0\times \vert C \vert \le 1 \times \vert C_2 \vert\comma \; \cr &1 \times \vert C_2 \vert \le 1 \times \vert C \vert\comma \;}$$

which simplifies to

$$\vert C_i \vert \le \vert C \vert\comma \;$$

for i = 1, 2. This directly corresponds to our intuition that we need at least as many C coordinator objects such that there are no “useless” C ₁ or C ₂ objects that do not take part in the generalization.

Note that the sharing of a single C object by both an object of class C ₁ and an object of class C ₂ is allowed. This property models nondisjoint classification of individuals within a conceptual hierarchy, like a disjunction in classical propositional logic.

Thus far we have only ensured that there are enough “coordinators” of class C. This does not suffice because we have to provide enough subclasses (either C ₁ or C ₂) that can be used in the generalization for the superclass C. The following constraint models (summing up over all C _i and C objects) that we can use C ₁, C ₂, or both together as a subclass for C:

$$\vert C_1 \vert + \vert C_2 \vert \ge \vert C \vert.$$

If we restrict the setting to exclusive or ({xor} in UML terminology), then either C ₁ or C ₂ must exactly match with a single C. Consequently, we obtain

$$\vert C_1 \vert + \vert C_2 \vert = \vert C \vert\comma \;$$

stating that we need enough C _i for matching C objects but not more. This forbids object sharing and thus models disjunction in exclusive form.

We can easily generalize this setting to multiple subclasses C _i with i > 2 by considering the additional objects in the sums on the left-hand sides of the above (in)equalities.

3.5. Conflicts

If we model conflicts as outlined in Figure 4 and translate this directly via our standard approach, we obtain

$$\eqalign{&0 \times \vert C \vert \le n_2 \times \vert D \vert\comma \; \cr &n_1\times \vert D \vert \le 0 \times \vert C \vert.}$$

The first inequality is a tautology because we only allow nonnegative multiplicities (i.e., n ₂ ≥ 0) and nonnegative numbers of classes (|D| ≥ 0), which thus can be removed without side effects.

The second inequality forbids any D object if n ₁ > 0. This is semantically correct because when n ₁ = 0 then there are isolated D objects allowed that need not be related to C objects at all. For the more typical case when a D object must a have connection to a C object (i.e., n ₁ > 0), then instantiating a D object would mean we also need a C object. This in turn would violate our initial constraint that a C object must not be linked to a D object.

A subtle modification of the desired semantics could be that we want to allow D objects without connection to C objects, but as soon as there exists a single C object, we forbid Ds at all. This models a situation where we want to use parts of category C or D throughout our whole configuration but never allow them to occur together. Such a constraint can be expressed via

$$\vert C \vert \gt 0 \rightarrow \vert D \vert =0.$$

To avoid the implication, we might be tempted to use

$$\vert C \vert \times \vert D \vert =0\comma \;$$

which enforces that once we use parts of one category no objects of the other class are allowed. Unfortunately, this is a nonlinear constraint that we will not use because we restrict our theory to linear integer programming for performance reasons.

Fortunately, we know that C is only included in a minimal solution if absolutely necessary (as otherwise minimality is violated). The same argument holds for D. Consequently, we know that a solution containing both C and D is invalid and can be instantly rejected. This observation allows us to handle the implication efficiently, with a similar argument as when dealing with the UML “unique” attribute for multiple links.

4.1. Debian package configuration

The Debian GNU/Linux operating system (http://www.debian.org) is one of the most prominent free and open source distributions in the Linux ecosystem. With its more than 29,000 packages, it provides a vast amount of available software out of the box that allows the user to set up individually customized package collections or even new distributions like Ubuntu (http://www.ubuntu.com). The variability (i.e., the number of possible combinations of interacting packages) is very high, and consequently a sophisticated packaging system (like the Advanced Packaging Tool available at http://packages.qa.debian.org/a/apt.html) managing all packages and their interdependencies in an installation is necessary.

Each Debian package typically has metadata providing the following information:

• • Package: a unique name of the package.

• • Version: a unique string identifying the version.

• • Depends: a list of packages that must be installed for proper functionality. Alternatives are allowed such that, for example, only one of multiple packages must be installed providing some core functions.

• • Conflicts: a list of packages that must not be installed at the same time.

• • Description: a short (up to several lines) text description of the package and its main functionality.

The following excerpt shows an example for the Debian package emacs23-nox (Emacs without support for graphical environments), listing the individual metadata entries:

• Package: emacs23-nox

• Version: 23.3+1–1

• Depends: emacs23-bin-common (= 23.3+1–1), libasound2 (> 1.0.18), libc6 (>= 2.3.6–6~), libdbus-1–3 (>= 1.1.1), libgpm2 (>= 1.20.4), libncurses5 (>= 5.5–5~)

• Suggests: emacs23-common-non-dfsg

• Conflicts: emacs23, emacs23-gtk, emacs23-lucid

• Description: The GNU Emacs editor (without X support) GNU Emacs is the extensible self-documenting text editor. This package contains a version of Emacs compiled without support for X.

4.1.1. ILP formulation

Given a Debian package, we extract its metadata and generate an integer linear program modeling the interrelationships between packages as outlined in the metadata:

• • Package is mapped to a variable in the ILP and corresponds to a class in our UML representation. If and only if the package is part of the input specification by the user, we enforce a lower bound of 1 (assuming we consider package C at the moment):

$$\vert C \vert \ge 1.$$

In addition, we disallow multiple installation of the same package with the same version. That is, we need a Boolean range, either the package is installed or not:

$$\eqalign{&\vert C \vert \ge 0\comma \; \cr &\vert C \vert \le1.}$$

• • Version is used together with the package name if the package name alone is ambiguous. Versioned dependencies (i.e., when a dependency requires certain versions of a package) are not natively supported in our formulation.

• • Depends means all package dependencies will introduce new variables (if not already present) of the Boolean range as modeled above. Note that we do not enforce a lower bound because otherwise this would include all packages irrelevant of their necessity (alternatives may allow for only one choice out of multiple packages).

Next the dependencies are represented by 0..1―1..1 associations in our UML class diagram, which directly correspond to following ILP (assuming that C depends on D):

$$\vert C \vert - \vert D \vert \le0\comma \;$$

which follows by inserting n ₁ = 0 and n ₂ = m ₁ = m ₂ = 1 in our general case inequalities. In cases where we deal with alternatives (e.g., assuming that C depends either on D or E whereas D and E may be both installed at the same time as long as no explicit conflict relation is stated), we obtain

$$\vert C \vert - \vert D \vert - \vert E \vert \le 0.$$

Virtual packages (i.e., packages that are logical placeholders for packages with common functionality) could be modeled using subclassing with the virtual package as superclass and the concrete packages as subclasses.

• • Conflicts are expressed by the following inequality (assuming C conflicts with D):

$$\vert C \vert + \vert D \vert \le 1.$$

This encoding works as we operate only on the Boolean range. No packages at all would be correct, also either C or D, but not both together. This models exactly our desired semantics in this setting.

Finally, we glue all of these inequalities together by an objective function including all classes, which gets minimized:

Minimize

$$\vert C \vert + \vert D \vert + \vert E \vert.$$

A main advantage of this objective function and ILP in general is that we can easily add coefficients (weights) that model the importance of the individual variables. For example, for package management we could use the package size (e.g., rounded to MB) as a weighting coefficient, which would mean that smaller packages get preferred over bigger ones.

For the example of the emacs23-nox package, this yields (only one or two inequalities of each category are shown for compact presentation):

Minimize

$$\displaystyle{\hbox{emacs23-nox}+{\hbox {emacs23-bin-common}+{\hbox {libasound2}+\cdot \cdot \cdot$$

such that

$$\matrix{&\hbox{emacs23-nox}-\hbox{emacs23-bin-common} \le0\comma \; \cr &\hbox{emacs23-nox}-\hbox{libasound2} \le 0\comma \; \cr &\hbox{emacs23-nox}+{\hbox {emacs23}} \le 1\comma \; \cr &\hbox{emacs23-nox}+{\hbox {emacs23-gtk}} \le1\comma \; \cr &0\le \hbox{emacs23-nox} \le 1\comma \; \cr &\hbox{emacs23-nox} \ge 1.}$$

The first and second side condition models the dependencies, the third and forth models the conflicts, the fifth states the Boolean range, and the sixth one enforces the selected package to be installed.

4.2. Linux kernel configuration

The configuration of a Linux kernel is mainly done by choosing whether certain drivers are directly included in the kernel, are loaded when necessary as modules, or are excluded. This somehow resembles a tristate logic (yes, module, no) inherent to Linux kernel configuration. The whole set of dependencies (i.e., which drivers or modules depend on others, which conflict with others, etc.) is written down in a set of so-called Kconfig files. Several hundred of them exist, typically with a single one in each subdirectory of the kernel source code. Normally each subdirectory contains a specific driver or system architecture, and basically all Kconfig files could be merged to a single large one containing the whole metadata representing constraints of the kernel configuration.

In its full form, Kconfig files are quite complex because they allow different syntax for the same semantics. For example, dependencies might be included because of encapsulating menu entries or may be rewritten with conditional if statements. Conceptually, all these constructs can be broken down to a basic set of primitive operations as follows:

• • Config: This defines a configuration option.

• • Tristate/string: This defines the type of the configuration option. We are mainly interested in Boolean and/or tristate conditions.

• • Depends: This is a set of dependent configuration options. It is noteworthy that dependencies can be combined with expressions like conjunction (&&), disjunction (‖), or even negation (!). That is, conflicts can be implicitly encoded in the dependencies section.

• • Selects: These are reverse dependencies. That is, the dependency is in the opposite direction and enforces the existence of a configuration option that is selected.

Besides these constructs, there are input prompts that are mainly useful for graphical configuration tools to decide which options are shown to the user, default values if the user does not make a decision on a specific option, numerical ranges for input values, help texts, comments, and whole menus that allow hierarchies and encapsulation of config options.

The following excerpt shows an example of a Kconfig file for the configuration option X86_VSMP from the x86 architecture (arch/x86/Kconfig) subdirectory:

• config X86_VSMP

• bool “ScaleMP vSMP”

• select PARAVIRT_GUEST

• select PARAVIRT

• depends on X86_64 && PCI

• depends on X86_EXTENDED_PLATFORM

• —help—

Support for ScaleMP vSMP systems. Say “Y” here if this kernel is supposed to run on these EM64T-based machines. Only choose this option if you have one of these machines.

4.2.1. ILP formulation

We translate primitive Kconfig entries as shown before to the following inequalities, which form the side conditions of the generated ILP:

• • Config: Each configuration option corresponds to a class in our UML representation or a variable in the underlying ILP. We enforce a minimal bound of 1 for entries chosen by the end user (e.g., for a config option C):

  $$\vert C \vert \ge 1.$$
  Clearly, the lower bound must not be used for automatically chosen options that are not enforced by direct user input.

• • Tristate/string: To simplify our experiment, we only consider Boolean options. That is, we map tristate logic to Boolean by assigning yes and module to yes and no to no. This corresponds to the idea that we want to build a minimal kernel in the sense that it is complete (i.e., no dynamic loading of modules necessary) but it does not use more drivers than absolutely necessary for correct operation:

  $$0\le \vert C \vert \le 1.$$
  Tristate options could be implemented via subclassing, with a superclass representing a state for inclusion in the solution and two subclasses for yes and module.

• • Depends: We mainly distinguish between the three cases: conjunction, disjunction, and negation. Normal dependencies and those formed by conjunction can be expressed in the same way as we did with Debian packages (assuming C depends on both D and E):

$$\eqalign{&\vert C \vert - \vert D \vert \le 0\comma \; \cr &\vert C \vert - \vert E \vert \le 0.}$$

For disjunction, we reuse

$$C \vert - \vert D \vert - \vert E \vert \le 0\comma \;$$

whereas negation maps to (assuming C conflicts with D)

$$\vert C \vert + \vert D \vert \le 1.$$

The latter works because for the Linux kernel configuration it does not make sense to include the same driver multiple times.

Note that, in principle, arbitrary complex expressions (mainly due to the existence of subexpressions that may be layered) may exist. Consequently, expressions need to be flattened out first to fall into the above categories.

• • Selects: Analogous to classical dependencies, we model reverse dependencies by

  $$\vert D \vert \le \vert C \vert\comma \;$$
  assuming that C selects D in this example. The correctness is immediate again by using m ₁ = 0 and n ₁ = n ₂ = m ₂ = 1 for the general case inequalities.