1. No category

Action Systems with Synchronous Communication 1 Introduction

Action Systems with Synchronous Communication
R.J.R. Back
K. Sere
Abo Akademi University
Department of Computer Science
SF-20520 Turku, Finland
FAX: +358-21-654732
e-mail: fbackrj, [email protected]
Abstract
The action system framework for modelling parallel and reactive programs is
extended by adding procedure declarations to action systems. This permits remote
procedure calls to be modelled within the framework. Synchronous message passing
communication, being a special case of remote procedure calls, can therefore also
be handled within this framework. This extension is done almost at no extra cost
in the logical treatment of programs. The renement calculus within which the
renement of action systems is formalized can be used with a minor extension to
reason about action systems with procedures, as the methods are already there.
The treatment of procedures was originally designed with sequential programs in
mind, but is applicable to the remote procedure mechanism proposed here.
1 Introduction
An action system is a parallel or distributed program where parallel activity is described
in terms of events, so called actions. The actions are atomic: if an action is chosen for
execution, it is executed to completion without any interference from the other actions
in the system. Several actions can be executed in parallel, as long as the actions do
not share any variables. Atomicity guarantees that a parallel execution of an action
system gives the same results as a sequential and nondeterministic execution.
The use of action systems permits the design of the logical behaviour of a system
to be separated from the issue of how the system is to be implemented. The decision
whether the action system is to be executed in a sequential or parallel fashion can
be postponed to a later stage, when the logical behaviour of the action system has
been designed. The construction of the program is thus done within a single unifying
framework.
The action systems formalism was proposed by Back and Kurki-Suonio [5]. Later
similar event-based formalisms have been put forward by several other researcher, see
for example the work of Chandy and Misra [9], who describe their UNITY framework
and Francez [12], who develops his IP-language.
1
We will in this paper show that a simple extension of the action systems framework,
adding procedure declarations to action systems, will give us a very general mechanism
for synchronized communication between action systems. Both actions and procedure
bodies are guarded commands. When an action in one action system calls a procedure
in another action system, the eect is that of a remote procedure call. The calling
action and the procedure body involved in the call are executed as a single atomic
entity. We still have the possibility of shared variable communication also. As far as
we know, procedures are not treated as communication mechanisms, as we do here, in
any of the related frameworks.
The action systems approach supports the stepwise renement paradigm for the
construction of parallel and distributed systems. The renement calculus is a formalization of the stepwise renement method of program construction. It was originally
proposed by Back [2] and it has been later studied and extended by several researchers,
see [18, 19] among others. In recent years data renement has been a topic for extensive
research [7].
Originally, the renement calculus was designed as a framework for systematic
derivation of sequential programs only. Back and Sere [6] extended the renement
calculus for the design of action systems and hence, it was possible to handle parallel
algorithms within the calculus. Back [4] made yet another extension to the calculus
showing how reactive programs could be derived in a stepwise manner within it relying
heavily on the work done in data renement. In both cases parallel and concurrent
activity is modelled within a purely sequential framework. We shall here concentrate
on reactive programs.
Procedures were added to the renement calculus independently by Back [3] and
Morgan [17], with slightly dierent ways in which parameter passing is handled. The
basic idea in both cases is that essentially a procedure call is handled by substituting
the procedure body for the call, after having made some necessary adaptions to account
for parameter passing. By putting suitable constraints on the parameter passing mechanisms, procedure calls can be shown to be monotonic with respect to the renement
relation. We show how data renement of reactive action systems as described in [4] is
done in the presence of procedures.
The advantage of a very general communication mechanism, like the one proposed
here, is that it provides us with a high level way of describing the intended behavior
of a parallel system. The concrete behavior can then be derived from the high level
behavior by a sequence of correctness preserving renements within the renement
calculus using the methods for renement of action systems with procedures developed
in this paper.
Overview of the paper We proceed as follows. In section 2, we describe the action systems formalism together with the new extension of action systems that uses
procedures. In section 3, we describe how action systems are composed into parallel
systems. Section 4 is concerned with implementation issues for dierent action systems.
In section 5, we show how action systems with procedures can be treated within the
renement calculus. As a case study we have chosen to stepwise derive a sender-receiver
2
system among a set of processes. This will be treated in section 6. We also describe
how procedures can be understood as CSP/occam communication statements [13, 14].
We end in section 7 with some concluding remarks.
2 Action systems
An action system (with procedures) is a statement of the form
A = j[ var x1
. . . ; xh := x10; . . . ; xh 0;
proc p1 = P1; . . . ; pn = Pn ;
do A1 [] . . . [] Am od
]j: z ; v
;
The identiers x1 ; . . . ; xh are the variables declared in A and initialized to x10; . . . ; xh 0.
The identiers p1 ; . . . ; pn are the procedure names, and Pi is the procedure body of pi ,
i = 1; . . . ; n . Within the loop, A1; . . . ; Am are the actions of A. Finally, z and v are
distinct lists of identiers (z \ v = ;). The list z is the import list, indicating which
variables and procedures are referenced, but not declared in A. The list v is the export
list, indicating which variables and procedures declared in A are accessible from other
action systems. Procedure bodies and actions can be arbitrary statements, and may
contain procedure calls. We consider two dierent parameter passing mechanisms for
procedures, call by value, which is default, and call by result, which is denoted by the
reserved word res. For simplicity, we will here assume that the procedures are not
recursive.
The guard of a program statement S is the condition
:wp (S
;
false )
where wp is the weakest precondition predicate transformer of Dijkstra [11]. The statement S is said to be enabled in a given state when the guard is true in that state. Both
procedure bodies and actions will in general be guarded commands, i.e., statements of
the form
C = g ! S;
where g is a boolean condition and S is a program statement. In this case, the guard
of C is g . We denote the guard of C by gC and the body of C by sC .
The local variables (procedures) of A are those variables xi (procedures pi ) that are
not listed in the export list. The global variables (procedures) of A are the variables
(procedures) listed in the import and export lists. The local and global variables
(procedures) are assumed to be distinct. Hence, x \ z = ; (no redeclaration of variables
is thus permitted). Each variable may be associated with an explicit type. The state
variables consist of the local variables and the global variables.
The behaviour of a single action system is that of the guarded iteration statement
x := x 0; do A1 [] . . . [] Am od
3
on the state variables [11]. The initialization statement is executed rst. After this,
some enabled action is executed, and the loop statement is repeated. The do-loop
terminates when there are no more enabled actions.
Example Action system
A below works as follows:
as long as there are elements
in the global variable S , one of them will be assigned nondeterministically to a local
variable x , as denoted by the nondeterministic assignment statement x := x :(x 2 S )
[2]. Thereafter the element is removed from S and inserted into the global variable R .
The latter is carried out via a call to the local procedure Trans .
0
0
A = j[ var x 2 integer ;
proc Trans (v 2 integer ) = (R := R [ fv g)
do
[] S =
6 ; ! x := x :(x
0
od
0
2 S ); S := S 0 fx g; Trans (x )
]j: S ; R
If a procedure or action contains a call to a procedure that is not declared in
the action system, then the behavior of the action system will depend on the way in
which the procedures are declared in some other action system, which constitutes the
environment of the action system as will be described below.
3 Composing action systems
Consider two action systems A and B,
A
B
j[ var x := x 0; proc p1 = P1; . . . ; p = P ; do A1 [] . . . [] A od ]j : z ; v
j[ var y := y 0; proc q1 = Q1; . . .; q = Q ; do B1 [] . . . [] B od ]j : u ; w
where x \ y = ; and v \ w = ;.
We dene the parallel composition A k B of A and B to be the action system C
C = j[ var c := c 0; proc r = R; do C od ]j : a ; b
=
=
n
n
l
l
m
k
;
where
c := c 0
r =R
C
a
b
=
=
=
=
=
x ; y := x 0; y 0
p1 = P1 ; . . .; pn = Pn ; q1 = Q1; . . . ; ql = Ql
A1 [] . . . [] Am [] B1 [] . . . [] Bk
z [u
v [w
Thus, parallel composition will combine the state spaces of the two constituent action
systems, merging the global variables and global procedures and keeping the local variables distinct. The procedure declarations and the actions in the parallel composition
consists of the procedure declarations and and actions in the original systems.
4
Parallel composition is a way of associating a meaning to procedures that are called
in an action system but which are not declared there, i.e., they are part of the import
list. The meaning can be given by a procedure declared in another action system,
provided the procedure has been declared global, i.e., it is included in the action systems
export list.
The behaviour of a parallel composition of action systems is dependent on how the
individual action systems, the reactive components, interact with each other. We have
for instance that a reactive component does not terminate by itself: termination is a
global property of the composed action system. More on these topics can be found in
[4].
Hiding Given an action system A : z ; v of the form above, where v = v1 ; v2; v3, we
can hide some of its exported global variables (v1 ) and procedure names (v2) by making
them local. This is achieved by the block construct,
A
0
= j[ A ]j : z ; v3 ;
where the declarations for v1 and v2 appear in A. Hiding the variables v1 and procedure names v2 makes them inaccessible from other actions outside A in a parallel
composition. Hiding thus has an eect only on the variables and procedures in the
export list.
0
Example Consider a producer-consumer system
j[ var S
;
R 2 set of integer ; P rod
k S nd k Rec k C ons ]j
with four action systems P rod ; S nd ; Rec , and C ons executing in parallel. The variable
S denotes a set of messages to be transmitted between the producer P rod and the
consumer C ons . Similarly, the variable R denotes the set of messages received by the
consumer action system C ons . The producer uses the services of the sender S nd for
the actual communication. These two systems communicate through the variable S .
The consumer receives the messages via the receiver process Rec . The receiver and the
consumer communicate via the variable R .
We study next the action systems S nd and Rec more carefully:
S nd = j[ var x 2 integer ;
do
[] S =
6 ; ! x := x :(x
0
od
]j: S ; Trans ;
0
2 S ); S := S 0 fx g; Trans (x )
<>
Rec = j[ proc Trans (v 2 integer ) = (R := R [ fv g)
]j: R ; Trans
The action system S nd communicates with the receiver Rec via the global procedure
Trans , which is in the import list of S nd and in the export list of Rec . The two action
5
systems S nd and Rec are examples of reactive components. Therefore for instance the
action system S nd does not terminate locally when S becomes empty, but rather it
waits for new elements to appear in S .
The parallel composition of S nd and Rec , T = S nd k Rec , is according to the rule
above as follows:
T = j[ var x 2 integer ;
proc Trans (v 2 integer ) = (R := R [ fv g)
do
[] S =
6 ; ! x := x :(x
0
0
od
2 S ); S := S 0 fx g; Trans (x )
]j: S ; R ; Trans
We can now hide the procedure Trans , as it is only called by S nd . This gives us the
system T :
T = j[ var x 2 integer ;
proc Trans (v 2 integer ) = (R := R [ fv g)
0
0
do
[] S =
6 ; ! x := x :(x
0
0
od
2 S ); S := S 0 fx g; Trans (x )
]j: S ; R ; <>
Finally, we can remove the procedure by substituting the procedure body in place of
the procedure call and the actual parameter for the formal parameter of the procedure.
This gives us the action system T :
T = j[ var x 2 integer ;
00
00
do
[] S =
6 ; ! x := x :(x
0
od
0
2 S ); S := S 0 fx g; R := R [ fx g
]j: S ; R ; <>
Hence, we can rewrite the producer-consumer system as
j[ var S
;
R 2 set of integer ; P rod
k T k C ons ]j
00
;
which has the same behaviour as the original system.
Enabledness We permit procedure bodies to have guards that are not identically
true. Hence, it is possible that an action which is enabled, calls a procedure in another
action system, which then turns out not to be enabled in the state in which it is called.
This situation is then the same as if the calling action had not been enabled at all, and
had therefore never initiated the call. In other words, the enabledness of an action is
determined by the enabledness of the whole statement that is invoked when the action
is executed, including enabledness of all procedures that might be invoked.
The following is an example of this situation: Assume that the set R of the producerconsumer action system is bounded above by an integer L. This is reected in the action
system Rec as follows:
6
Rec
0
= j[ proc Trans (v 2 integer ) = (jR j < L ! R := R [ fv g)
]j: R ; Trans
We now have for the sending action in S nd that
S 6= ; ! x := x :(x 2 S ); S := S 0 fx g; Trans (x )
fdenition of Trans g
S 6= ; ! x := x :(x 2 S ); S := S 0 fx g; (jR j < L ! R := R [ fx g)
fthe sender does not access Rg
S 6= ; ^ jR j < L ! x := x :(x 2 S ); S := S 0 fx g; R := R [ fx g
=
=
0
0
0
0
0
0
Hence, the parallel composition of S nd and Rec is the action system T :
0
T
000
= j[ var x
do
2 integer ;
[] S =
6 ; ^ jRj < L ! x := x :(x
0
od
]j: S ; R ;
000
0
2 S ); S := S 0 fx g; R := R [ fx g
<>
Here the sending action is only enabled if S =
6 ; and jRj < L both hold.
Decomposing action systems Given an action system
C = j[ var v := v 0; do C1 []
. . . [] Cn od ]j : z ; u ;
we can decompose it into smaller action systems by parallel composition and hiding.
This means that we split the variables, actions and procedures of C into disjoint sets
so that
C = j[ var w := w 0; proc r = R; A k B ]j : z ; u
where
A
B
j[ var x := x 0; proc p = P ; do A1 [] . . . [] A od ]j : a1; a2
j[ var y := y 0; proc q = Q ; do B1 [] . . . [] B od ]j : b1; b2
The reactive components A and B interact with each other via the global variables and
=
=
m
k
:
procedures included in the lists a1 ; a2; b1; b2.
In the process of decomposing the action system C into parallel reactive components, it may also be necessary to introduce some new procedures r , to handle situations
where an action aects program variables in both x and y . As these variables are local
in the decomposed action system, no procedure or action can access both. Hence, one
needs to introduce auxiliary procedures that have access to the local variables, and in
terms of which the original procedure/action can be expressed.
7
4 Implementation issues
Consider a parallel composition of action systems
A1 k . . . k A
n
: z; v:
Identify each action system with a process with the local variables of the action system
as being local to the process. A global variable that is referenced in two or more action
systems is shared between these systems. Actions that do not refer to shared variables
are private. Two actions in dierent action systems are independent if they do not
share variables.
A parallel execution of an action system is any execution where only independent
actions are executed in parallel. As independent actions do not have any variables
in common, the eect of executing two independent actions in parallel is the same
as executing them sequentially, in either order. The enabledness of two independent
actions is also not aected by the order in which they are executed. This means that a
parallel execution cannot produce any results that cannot be produced by a sequential
execution.
Synchronous communication We may also have action systems without shared
variables. Each state variable is then local to some action system. In that case, the
only means for communication is by remote procedure calls. Synchronous message
passing is a special case of remote procedure calls, and can hence also be handled in
this framework.
Shared variable model Another special case is to have action systems without
procedures. In that case, the only means of communication is by shared variables. This
gives us a concurrent system with shared variables, where the shared global variables
may only be accessed under mutual exclusion of actions. Asynchronous message passing
is a special case of the shared variable model, where the communication channels are
the only shared variables.
Combined models We are thus able to describe dierent kinds of parallel execution
models with action systems. The way in which these models are implemented may of
course be very dierent depending on the view taken. A distributed implementation
requires that the synchronizing handshakes are implemented, while a shared variable
implementation requires some locking mechanism. Also, mixed formalisms where we
combine shared variables and message-passing are possible. We can thus model, e.g.,
light-weight processes, processes executing on one processor in such a way that communication within the processor is done using shared variables, while processes on dierent
processors communicate by synchronous message-passing or remote procedure calls.
Implementation problem The model for communication proposed here is very gen-
eral. In fact, it is so general that real implementations will have to put rather strong
8
restrictions on the mechanisms, in order to make them practical. A major source of
ineciency is that a remote procedure call can only succeed if the called procedure
is enabled also. This is similar to the ADA rendezvous mechanism [10]. Because we
postulate that the eect of an action should be atomic, a failed attempt at a communication may not change the state. Hence, an implementation either has to restrict the
language in such a way that enabledness of the whole action can already be detected by
the calling procedure, that no state changes are made by a calling action before calling
a remote procedure (so that it can wait for the procedure to become enabled), or that
the eect of an action can be undone if it turns out that the procedure in fact is not
enabled. The most general solution would be some commit-protocol, like the two-phase
protocol [20]. All these approaches have been tried in practical implementations.
5 Renement of action systems
The methods for renement of action systems with parallel composition that are proposed in [4] carry over almost as such to the renement of action systems with procedure
calls. These methods are mainly based on data renement of action systems. We will
here
extend the procedure renement of [3] to data renement of procedures and
extend data renement of action systems of [4] to data renement of action systems with procedures
by giving the necessary proof rules for these. The main addition is that when we make
a data renement of an action system, the procedure bodies of the action system have
to be data rened also, in addition to data rening the actions.
Data renement Let S be a statement on the variables x ; z , denoted S : x ; z , and
S a statement on the variables x ; z . Then statement S is data rened by statement
S , denoted S R S , if there exists a relation R (x ; x ; z ), the abstraction relation, on
the involved variables such that
0
0
0
0
0
8Q (R ^ wp(S
:
;
Q ) ) wp(S
0
;
9x R ^ Q ))
:
;
where 9x :R ^ Q denotes a predicate on the variables x ; z .
For two guarded commands A : x ; z and A : x ; z we have that A R A , if there
exists a relation R (x ; x ; z ) such that
0
0
0
0
0
(i) Renement of guards: R ^ gA
) gA and
Renement of bodies: 8Q (R ^ gA ^ wp(sA Q ) ) wp(sA 9x R ^ Q )).
0
(ii)
:
0
;
9
0
;
:
Data renement of procedures Let T : x ; z ; f and T : x ; z ; f be procedure bodies
0
0
such that z denotes the global variables of the procedures and f denotes the formal
parameters. Let R (x ; x ; z ; f ) be the abstraction relation on the involved variables such
that
T R T :
0
0
We then have that
proc p = T
proc p = T
R
0
:
This result holds for both of the parameter passing mechanisms, call by value and call
by result, considered in this paper.
Data renement of action systems Let A and A be the two action systems
0
A
A
0
=
=
j[ var z
j[ var z
x := z 0; x 0; proc p = P ; w = W ; do A od ]j : u ; v ; z ; w and
; x := z 0; x 0; proc q = Q ; w = W ; do A [] H od ]j : u ; v ; z ; w
;
0
0
0
0
on the import variables u , import procedures v , export variables z , and export procedures w . Further,
p=P
q =Q
w =W
w =W
A
A
w
0
0
=
=
=
=
=
=
=
p1 = P1 ; . . . ; ph = Ph
q1 = Q1; . . . ; qj = Pj
w1 = W1 ; . . .; wk = Wk
w1 = W1 ; . . . ; wk = Wk
gA1 _ . . . _ gAl ! if gA1 ! sA1 [] . . . [] gAl
gA1 _ . . . _ gAl ! if gA1 ! sA1 [] . . . [] gAl
w1 ; . . . ; wk
0
0
0
0
0
0
0
! sA ! sA l
0
l
for some h ; j ; k ; l . Similarly as the main action A, the auxiliary action H may also
denote a combination of several actions, so called stuttering actions, see [1, 4, 15]
among others.
We have the following theorem:
Theorem 1 Let A and A be as above. Then A R A if there exists an abstraction
relation R (x ; x ; u ; z ; f ) on the local variables x and x , global variables u and z , and
formal parameters f of the procedures w such that
0
0
0
0
(i) Initialization: R (x 0; x 0; u ; z ; f ).
0
W for each W
(iii) Procedure guards: R ^ gW ) gW _ gH
(iv) Main actions: A A .
(v) Exit condition: R ^ gA ) gA _ gH .
(ii) Procedure bodies: Wi
0
R
i
i
0
i
R
i
0
0
10
in w = W .
for each Wi in w = W .
(vi) Auxiliary actions: skip R H .
(vii) Termination of auxiliary computation: R ) wp(do H od; true ):
Note: (1) Each procedure has its own formal parameters, so there need not exist a
common relation R . (2) We say nothing about the local procedures p = P and q = Q
in the above rule. The correctness of the renement of these is shown in item (iv) when
considering the main actions using the rule of data renement of procedures above.
Context invariant The requirements above are sucient to guarantee correct data
renement between action systems that are executed in isolation. When the action
system A occurs in a parallel composition with other action systems, we have to take
this context into account and add one more condition on the data renement.
Let A and A be two action systems such that A R A for some abstraction
relation R (x ; x ; c ). Let A occur in a parallel composition with another action system
B, A k B. Let I (c ) be a predicate, the context invariant, on the global variables and
formal parameters c of the composed system, i.e., the invariant I is preserved by both
A and B. Then we have that A k B R I A k B if the following holds:
0
0
0
;
0
(viii) Context invariant: R (x ; x ; c ) ^ I (d ) ) R (x ; x ; d ).
0
0
This condition allows us to rene the individual action systems in a parallel composition separately. The only assumption we make about the components is that they all
preserve the context invariant I .
6 Case study
As a case study we consider a more realistic version of the earlier sender-receiver system.
Initially we have three action systems, a sender S nd , a receiver Rec , and a buer
system Buf . The sender communicates with the buer by making a (remote) call to
the procedure Insert in Buf . Similarly, the receiver extracts a messages from the buer
by making a call to the procedure Delete in Buf .
We rst show how the above system is described as an action system. Thereafter
the action system is rened so that the single buer process Buf is replaced with two
buers working in parallel. Finally, we rewrite the system using CSP notation for the
procedure calls.
Initial specication The three action systems S nd ; Buf , and Rec are as follows:
S nd = j[ var x 2 integer ;
do
[] S =
6 ; ! x := x :(x
0
od
]j: S ; Insert ;
0
2 S ); S := S 0 fx g; Insert (x )
<>
11
Buf
= j[ var B 2 set of integer ;
proc Insert (v 2 integer ) = (B := B [ fv g)
proc Delete (res v 2 integer ) = (B 6= ; ! v := v :(v
B := ;;
]j:<> ; Insert ; Delete
0
0
2 B ); B := B 0 fv g)
Rec = j[ var x 2 integer ;
do
[] true ! Delete (x ); R := R [ fx g
od
]j: R ; Delete ;
<>
The action systems execute in parallel, S nd k Buf k Rec , communicating through
the global procedures Insert and Delete . All the activity in this system is sequentialized
by the access to the shared resource B in the buer process Buf . Recall that only
independent actions, i.e., actions that do not share variables either directly or indirectly
through procedure calls, can be executed in a parallel fashion.
A renement step We next rene the buer process Buf so that parallel activity
becomes possible. We have that the renement of Buf by Buf below is a correct data
renement:
Buf = j[ var B 1; B 2 2 set of integer ; x 2 integer ;
proc Insert (v 2 integer ) = (B 1 := B 1 [ fv g)
proc Delete (res v 2 integer ) = (B 2 6= ; ! v := v :(v 2 B 2); B 2 := B 2 0 fv g)
B 1; B 2 := ;; ;;
0
0
0
do
[] B 1 6= ; ! x := x :(x
0
od
0
0
2 B 1); B 1 := B 1 0 fx g; B 2 := B 2 [ fx g
]j:<> ; Insert ; Delete
Here the buer B has been implemented by two buers B 1 and B 2.
Let us now prove that the renement Buf R Buf is correct. We rst have to
choose an abstraction relation. We have replaced the set B with the two sets B 1 and
B 2, so an appropriate abstraction relation is
0
R (B ; B 1; B 2; Insert :v ; Delete :v ) =def B = B 1 [ B 2:
We prex the formal parameters with the corresponding procedure names in order to
keep them distinct.
Following Theorem 1 we have to show the following:
(i) Initialization: R (B 0; B 10; B 20; Insert :v ; Delete :v ) is ; = ;[; which clearly holds.
(ii) Procedure bodies: There are two global procedures declared in Buf , Insert and
Delete :
12
(1) For Insert we have to show that
(B := B [ fInsert :v g) R (B 1 := B 1 [ fInsert :v g):
Using R we observe that when we insert an element in B it is the same as
inserting an element in B 1 [ B 2. Hence, we can as well insert an element in
B 1.
(2) For Delete we have to show that
R
(B 6= ; ! Delete :v := v :(v 2 B ); B := B 0 fDelete :v g)
(B 2 6= ; ! Delete :v := v :(v 2 B 2); B 2 := B 2 0 fDelete :v g):
0
0
0
0
We rst have that
(B = B 1 [ B 2) ^ B 2 6= ; ) B =
6 ;
which is seen to hold. Secondly, we show that the statement part is correctly
data rened. This is also clear, as relying on R if an element is removed from
B , it is the same as removing an element from B 1 [ B 2. If B 2 is nonempty,
i.e., the guard B 2 6= ; is enabled, an element can be removed from B 2.
(iii) Procedure guards: We have the following: for Insert we have that
(B = B 1 [ B 2) ^ true
) true
and for Delete we have that
(B = B 1 [ B 2) ^ B =
6 ; ) B 2 6= ; _ B 1 6= ;
both of which hold.
(iv) Main actions: There are no actions in Buf , so the fourth proof obligation holds
trivially.
(v) Exit condition: The exit condition is handled correctly, as
(B = B 1 [ B 2) ^ false ) B 1 6= ;:
There are no actions in Buf , therefore we have false in the antecedent (do false !
S od = skip ).
(vi) Auxiliary actions: Now we must show that the new action in Buf is a renement
of skip :
0
skip R B 1 6= ; ! x := x :(x
0
0
2 B 1); B 1 := B 1 0 fx g; B 2 := B 2 [ fx g
:
This clearly holds as there are no global variables involved and the guard guarantees that the action body is executed in a proper initial state.
13
(vii) Termination of auxiliary computation: Finally, we have to show that if the loop
do B 1 6= ; ! x := x :(x
2 B 1); B 1 := B 1 0 fx g; B 2 := B 2 [ fx g od
is executed in isolation in an initial state where B = B 1 [ B 2 holds, the execution
0
0
will necessarily terminate. This is easily seen to hold, as at each iteration one
element is removed from B 1, which eventually becomes empty so falsifying the
action guard.
Hence, Buf R Buf is a correct data renement.
As Buf occurs in a parallel composition with other action systems, we must check
that the abstraction relation R is not sensitive to the values of the global variables
and formal parameters (item (viii)). This is immediatly seen to be the case as R only
mentions local variables of Buf and Buf . Therefore we have that
0
0
S nd k Buf k Rec S nd k Buf k Rec
R
0
;
where the context invariant is true .
Decomposition We will now decompose the action system Buf into two separate
0
action systems Buf 1 and Buf 2 in such a way that B 1 becomes local to Buf 1 and B 2
becomes local to Buf 2. This forces us rst to introduce a new procedure Forward ,
through which Buf 1 will access the local variable B 2 of Buf 2:
j[ var B 1 B 2 2 set of integer ; x 2 integer ;
proc Insert (v 2 integer ) = (B 1 := B 1 [ fv g)
proc Delete (res v 2 integer ) = (B 2 =
6 ; ! v := v
proc Forward (v 2 integer ) = (B 2 := B 2 [ fv g)
B 1 B 2 := ; ;;
;
do
;
0
(v
:
0
2 B 2); B 2 := B 2 0 fv g)
;
[] B 1 6= ; ! x := x :(x
0
0
od
2 B 1); B 1 := B 1 0 fx g; Forward (x )
]j:<> ; Insert ; Delete
We also have to make the procedure Forward global. The systems Buf 1 and Buf 2 are
as follows:
Buf 1 = j[ var B 1 2 set of integer ; x 2 integer ;
proc Insert (v 2 integer ) = (B 1 := B 1 [ fv g)
B 1 := ;;
do
[] B 1 6= ; ! x := x :(x
0
od
0
2 B 1); B 1 := B 1 0 fx g; Forward (x )
]j: Forward ; Insert
14
Buf 2 = j[ var B 2 2 set of
integer ;
proc Delete (res v 2 integer ) = (B 2 6= ; ! v := v :(v
proc Forward (v 2 integer ) = (B 2 := B 2 [ fv g)
B 2 := ;;
]j:<> ; Delete ; Forward
0
0
2 B 2); B 2 := B 2 0 fv g)
We have now established that the action system S nd k Buf k Rec is rened by
the action system S nd k Buf 1 k Buf 2 k Rec . In the new system, insertions into B 1
and removals from B 2 can go on in parallel as the corresponding actions do not share
variables anymore.
A CSP-version We can rewrite the action systems S nd ; Buf , and Rec using CSP-
like notation for communication, turning the procedure names into channel names as
follows:
S nd = var x 2 integer ;
3[S 6= ; ! x := x :(x 2 S ); S := S 0 fx g; Insert !x ]
0
Buf
0
= var v 2 integer ;
B := ;;
3[Insert ?v ! B := B [ fv g
[] B 6= ;; Delete ! v := v :(v
0
0
2 B ); B := B 0 fv g; Delete !v ]
Rec = var x 2 integer ;
3[Delete ?x ! R := R [ fx g]
In the above Delete is the probe of Martin [16]. It works as follows: the value of Delete
is true i there is a pending communication request for channel Delete . Otherwise the
value of Delete is false.
The two buer processes Buf 1 and Buf 2 are given below
Buf 1 = var B 1 2 set of integer ; v 2 integer ;
B 1 := ;;
3[Insert ?v ! B 1 := B 1 [ fv g
[] B 1 =
6 ;; Forward ! v := v (v 2 B 1); B 1 := B 1 0 fv g; Forward !v ]
0
0
:
Buf 2 = var B 2 2 set of integer ; v 2 integer ;
B 2 := ;;
3[Forward ?v ! B 2 := B 2 [ fv g
[] B 2 =
6 ;; Delete ! v := v (v 2 B 2); B 2 := B 2 0 fv g; Delete !v ]
We have that the CSP process S nd k Buf k Rec is rened by the CSP process
S nd k Buf 1 k Buf 2 k Rec . We are thus able to rene CSP processes within our
0
:
0
action systems framework. Renement of CSP processes is also proposed in [8], where
CSP-like communication primitives are added into an action systems framework. The
approach in [8] is based on CSP, and hence is dierent from ours.
15
7 Concluding remarks
In this paper we have shown how the action systems framework can be extended to designing parallel systems with remote procedure calls and synchronous communication.
The advantage of this approach is that we can talk about mixed formalisms, like shared
variables and message passing, within a unifying framework. Such formalisms are of
interest, as it is often of practical value to be able to use shared variable communication among processes sharing a processor and message-passing communication between
processes executing on dierent processors. Such light-weight processes could be very
useful for instance in occam, where several processes are allowed to share a transputer.
Examples of such processes were the producer and sender as well as the receiver and
consumer in our earlier example.
The extension was done at allmost zero additional overhead in the renement
calculus-action systems framework. The only extension was that we added procedure
declarations to action systems, and permitted procedure calls in actions. The methods
for handling procedure calls and action systems already developed within the renement calculus needed only minor modications in order for them to be applicable to
the extended framework.
The general mechanism for communication that we propose here gives rise to some
interesting implementation issues, where eciency of implementation has to be traded
against generality of the mechanism. The main problem here is to detect enabledness
of an action. This problem is similar to the problem of guaranteeing atomicity of transactions in distributed data bases. The advantage of such a communication mechanism
is that it provides us with a high level way of describing the intended behavior of a
parallel or reactive system. The concrete behavior can be derived within the renement
calculus as proposed here.
Acknowledgements
The work reported here was carried out within the IRENE-project supported by the
Academy of Finland. The authors would like to thank Bengt Jonsson, Joachim Parrow,
and the Programming methodology group at Abo Akademi University for comments
on the topics treated here.
References
[1] M. Abadi and L. Lamport. The existence of renement mappings. In Proc. of the
3rd Annual IEEE Symp. on Logic In Computer Science, Edinburgh, pp. 165{175,
1988.
[2] R. J. R. Back. On the Correctness of Renement Steps in Program Development.
PhD thesis, Department of Computer Science, University of Helsinki, Helsinki,
Finland, 1978. Report A{1978{4.
16
[3] R. J. R. Back. Procedural abstraction in the renement calculus. Department of
Computer Science, Abo Akademi University, Turku, Finland, 1987. Report A{55.
[4] R. J. R. Back. Renement calculus, part II: Parallel and reactive programs. In
J. W. de Bakker, W.{P. de Roever, and G. Rozenberg, editors, Stepwise Renement of Distributed Systems: Models, Formalisms, Correctness. Proceedings. 1989,
volume 430 of Lecture Notes in Computer Science. Springer{Verlag, 1990.
[5] R. J. R. Back and R. Kurki-Suonio. Decentralization of process nets with centralized control. In Proc. of the 2nd ACM SIGACT{SIGOPS Symp. on Principles of
Distributed Computing, pages 131{142, 1983.
[6] R. J. R. Back and K. Sere. Stepwise renement of parallel algorithms. Science of
Computer Programming 13, pages 133{180, 1989.
[7] R. J. R. Back and J. von Wright. Renement calculus, part I: Sequential nondeterministic programs. In J. W. de Bakker, W.{P. de Roever, and G. Rozenberg,
editors, Stepwise Renement of Distributed Systems: Models, Formalisms, Correctness. Proceedings. 1989, volume 430 of Lecture Notes in Computer Science,
pages 42{66. Springer{Verlag, 1990.
[8] M. Butler. Renement and decomposition of value-passing action systems. To be
presented at CONCUR'93, Hildesheim, Germany, 1993.
[9] K. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison{
Wesley, 1988.
[10] A. Charlesworth. The multiway rendezvous. ACM Transactions on Programming
Languages and Systems, 9(2):350{366, July 1987.
[11] E. W. Dijkstra. A Discipline of Programming. Prentice{Hall International, 1976.
[12] N. Francez. Cooperating proofs for distributed programs with multiparty interactions. Information Processing Letters, 32:235{242, 1989.
[13] C. A. R. Hoare. Communicating sequential processes. Communications of the
ACM, 21(8):666{677, August 1978.
[14] INMOS Ltd. occam Programming Manual. Prentice{Hall International, 1984.
[15] B. Jonsson. Compositional Specication and Verication of Distributed Systems.
PhD thesis, Department of Computer Science, University of Uppsala, Uppsala,
Sweden, 1987.
[16] A. J. Martin. The probe: An addition to communication primitives. Information
Processing Letters, 20(3):125{130, 1985.
[17] C. Morgan. Procedures, parameters, and abstraction: Separate concerns. Science
of Computer Programming, 11(1):17{28, 1988.
17
[18] C. C. Morgan. The specication statement. ACM Transactions on Programming
Languages and Systems, 10(3):403{419, July 1988.
[19] J. M. Morris. A theoretical basis for stepwise renement and the programming
calculus. Science of Computer Programming, 9:287{306, 1987.
[20] A. S. Tanenbaum. Modern Operating Systems. Prentice{Hall International, 1992.
18

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz