Computers and Artificial Intelligence, Vol. 13, 1996, ??–14
A REFINEMENT OF COMMUNICATING PROCESSES

Sylvie Damy, Guy-René Perrin

LIB, University of Franche-Comté, F-25030 Besançon, France
ICPS, University Louis Pasteur, Strasbourg, F-67400 Illkirch, France
Abstract. The programming of MIMD multiprocessors requires designing processes that are mapped on the nodes of the architecture and communicate by message passing. The aim of this paper is to contribute to a rationalized design of such programs from formal specifications. We introduce a refinement calculus of parallel specifications in which processes refine the safety properties and communications refine the liveness ones. The rules and the stepwise technique are illustrated by the shortest path problem.
Keywords. Parallel Programming Methodology, Communicating Processes, Specification and Proof, Refinement, Communication.
1 INTRODUCTION

The programming of MIMD multiprocessors requires designing processes to be mapped on the nodes, communicating by message passing along the links of the architecture. The aim of this paper is to contribute to a rationalized design of such programs from formal specifications. Going from a formal specification of some problem to an implementation of some solution requires taking care to introduce convenient formalisms and development techniques; cf. Chandy K.M. and Misra J. [3]. Looking at the target machines, either in terms of program transformations such as automatic parallelization in compilers, or in terms of parallel programming, the common techniques are based on the expression of data dependencies. In the first case these dependencies are deduced from a semantic data flow analysis of a given
program. An abstract expression level to express data and dependencies may be used in terms of recurrence equations such as $x[z] = f(\ldots, x[z'], \ldots)$, which defines some occurrence $z$ of a variable $x$ depending on some other occurrence $z'$. Such functional formalisms are used in most works about transformation, implementation or synthesis of algorithms, especially for systolic ones ([6], [13], [16], [4], etc.). In these studies, statements define affine recurrence relations between some variable occurrences, running on integral convex domains:

$x[z] = f(\ldots, x[r(z)], \ldots)$

From such data definitions, synthesis methods consist in defining a valid schedule of the calculations in a synchronous parallelism model, with respect to the data dependencies they induce. Such an interpretation consists in defining some injective mapping $D \to S \times T$ where $D$ is the initial variable domain, $S$ is the surface of the target array, and $T$ some time domain. In the context we are concerned with in this paper, we can consider that in an asynchronous parallelism model, data dependencies may be less constrained and depend on the problem terms and on the computation circumstances. Moreover, in such a modelling, domains are supposed to describe on the one hand the index set $U$ of some array of variables and, on the other hand, a recurrence ordering (expressed by an integer index). The array of variables will lead to the array $S$ of processes and the recurrence definitions will define the process computations and communications. Then to design communicating processes we have to specify and construct the data dependencies required for the algorithm's correctness, and possibly its efficiency.
So, equations should not entirely define data and their dependencies, but only invariant properties to be satisfied:

Definition : $x[u, k] = f(\ldots, x[v, k'], \ldots)$, $u, v \in U \subset Z^p$, $k, k' \in N$
Invariant : $k$ and $k'$ satisfy some property.

In other words, a problem specification defines in a descriptive style (for example by using a first-order predicate language) the property the result satisfies. Conversely, a program defines, in a functional or imperative style, the way a computation leads to a correct result. In the design process, some intermediate statement may then be composed on the one hand of some computation definitions, in terms of equations, and on the other hand of some properties to be satisfied by data dependencies for the effective implementation to be correct. This process goes on until all needed operational aspects are defined, according to some effective architecture. Such refinement techniques, used for many years to design sequential programs (see [17] or [7]), have been more widely developed in later works, like those of Back R., Morris J., or Morgan C. (see [1], [14] and [15]). These works point out the notion
of refinement relation as the basic element of any refinement calculus. Different works are concerned with the use and the extension of these refinement techniques to design parallel programs. Let us recall particularly the works of Knapp E., Back R., and Gribomont P. (see [11], [2], [8] and [9]). In this paper we illustrate a refinement technique [5] for the design of parallel programs. These programs are expressed as arrays of asynchronous communicating processes à la CSP [10]. The technique proposes a strategy which mixes the different refinement calculi presented above. Moreover the technique is based on an original treatment of communication, which is taken into account from the specification step by means of specific statements called cooperation properties. The next section presents the notations for programming with equations. In section 3, we introduce the notion of parallel specification and define the refinement. The following sections deal with refinement rules and their application to derive communicating processes.
2 PROGRAMMING WITH EQUATIONS

2.1 Objects and functions

A recurrence equation defines any occurrence $z$ of a variable $x$ from a function $f$ on other variable occurrences, such as $x[z] = f(\ldots, x[z'], \ldots)$.
Example 2.1. The shortest path problem.
This problem consists in determining the shortest path from any vertex to any other one, in a weighted directed graph with $n$ vertices. Bellman's algorithm is expressed by means of the following recurrence equations:

$d[i, j, 0] = w_{i,j}$
$d[i, j, k] = d[i, p, k-1] + w_{p,j}$ if $d[i, p, k-1] + w_{p,j} < d[i, j, k-1]$
$\forall i, j \in [1, n] \times [1, n],\ \forall p \in \mathit{predecessor}(j)$

The semantics of such an equation, which links two expressions, says that they may be substituted one for the other. A function is a composition of operations, which are defined on its argument types. The semantics of a variable is a mapping which defines a possibly infinite set of values, in a set $V$ specified by the variable type. Each element of this set, called a variable occurrence, can be selected by an index which runs over some domain of $Z^{p+1}$. In the particular context we are interested in, we assume that these domains are the cartesian product of, on the one hand, a bounded index set $U \subset Z^p$ defining an array of variables and, on the other hand, a recurrence ordering expressed by an integer index:

$x : U \times N \to V$
Any occurrence of such a variable $x$ will be denoted as $x[u, k]$, $u \in U \subset Z^p$ and $k \in N$. Then a recurrence equation will have the following general form:

$x[u, k] = f(\ldots, x[v,\ (u, v, k)], \ldots)$, $u, v \in U$, $k \in N$, $\ \in U \times U \times N \to N$
2.2 Computing equations

The interpretations we are concerned with are asynchronous ones, which could model non-deterministic temporal behaviours of algorithms running on some MIMD architecture. Such an interpretation may be presented as a straightforward generalization of the preceding equation form, such as:

$x[u, k] = f(\ldots, x[v, k'], \ldots)$, $u, v \in U$, $k, k' \in N$
$k$ and $k'$ satisfy some relation $R$

If you apply the substitution rule, you may rename arguments by introducing local variables, as follows:

$x[u, k] = f(\ldots, y[u, k], \ldots)$
$y[u, k] = x[v, k']$, $u, v \in U$, $k, k' \in N$
$k$ and $k'$ satisfy some relation $R$

This last fix-point equation system specifies communications between processes. Since the occurrence indices run over an inductive domain, and assuming that the function $f$ and the relation $R$ (in some sense) are monotonic, such a system has a minimal solution which can be computed by a recurrence path. The next section presents a stepwise refinement technique applied on such statements. It proceeds from a specification of the problem to distributed processes, on statements called parallel specifications.
3 PARALLEL SPECIFICATIONS AND REFINEMENT

We consider the specification of a problem as a statement defined from any first-order predicate $P$: $x$ such that $P(x)$.
Example 3.1. The shortest path problem.
Let us consider the calculation of the shortest path in a graph composed of $n$ vertices. The specification is:

$d$ such that $d(i, j) = \mathrm{Min}_{p \in M_{i,j}}\ w_p$, $\forall i, j \in [1, n] \times [1, n]$

where $w_p$ is the weight of a path $p$ and $M_{i,j}$ is the set of paths from the vertex $i$ to the vertex $j$.
3.1 Parallel specifications

The transition from such a specification to a solution involves the definition of variables, some of whose occurrence values must satisfy $P$. Let us introduce some conventions and notations to express the solutions. Let $x : U \times N \to V$ be a variable in an asynchronous parallel model of computations. By currying its arguments we express it as $x : U \to N \to V$. So, with any $u \in U$ we can associate a variable $x_u : N \to V$ and then consider $x$ as an array of variables, leading to a future array of processes, whose integral occurrence indices define recurrence orderings, leading to the future computations and communications. From now on we will speak of arrays when considering objects such as $x$, and of variables when considering any $x_u$. This presentation makes the different occurrences of the variables explicit, to express the asynchronous computation behaviors. A set of occurrences of every variable of an array will be called a multi-occurrence of the original variable $x$. For any $x : U \to N \to V$, defining an array of variables $x_u : N \to V$, we denote any multi-occurrence of $x$ as a tuple $(x_u[k_u],\ u \in U)$. We denote by $X$ the set of multi-occurrences of $x$:

$X = \{(x_u[k_u],\ u \in U);\ k_u \in N,\ u \in U\}$

For the sake of simplicity we write $X_k$ for any multi-occurrence of $x$ if no more detail is needed, or $X_{k_u}$ to stipulate a multi-occurrence whose index of $x_u$ is $k_u$. We write $X_0$ for the initial multi-occurrence $(x_u[0],\ u \in U)$.
Definition 3.1. We call parallel specification any statement $S$ composed of two elements $(x, R)$, where $x$ is an array of variables and $R$ a set of properties.
This definition could easily be expanded to consider a set of arrays $\{x, y, \ldots\}$. The components of the property $R$ can be expressed in different ways, according to whether they characterize the whole domain of the variables, or some variable occurrences, or a relation between some variable occurrences. We present these kinds of properties:
– Safety properties – They are expressed in terms of first-order formulae on all the multi-occurrences of the array. They are of the form: $\forall k = (k_u,\ u \in U) \quad P(X_k)$
– Liveness properties – They are expressed in terms of first-order formulae which characterize a subset of multi-occurrences. They are of the form: $\exists k = (k_u,\ u \in U) \quad P(X_k)$
– Cooperation properties – They define a relation between variable occurrences. Let $x_u$ and $y_v$ be two variables of some arrays $x$ and $y$. These properties are any predicate of the form: $\forall k \in N\ \exists k' \in N \quad x_u[k] = y_v[k'] \wedge P(k, k')$
An initial parallel specification has a set of properties $R$ of the following form:

$R = SAFE \wedge LIVE$ with
SAFE : $\forall k \quad Q(X_k)$
LIVE : $\exists k \quad \mathit{term}(X_k)$

The partial correctness property SAFE is expressed by a predicate $Q$, characterizing the value of each occurrence of the variables $x_u$, and in particular the result one. This property is an invariant. It makes precise how we determine an occurrence value from another one. The property LIVE is expressed by a predicate $\mathit{term}$ defined on the variable occurrences. The design of such a specification, from the problem one, involves first the definition of the array of variables (the processes of the future program) and then the choice of both predicates $Q$ and $\mathit{term}$. It is a refinement of the problem statement if these properties verify:

$\forall k \quad (Q(X_k) \wedge \mathit{term}(X_k)) \Rightarrow P(X_k)$
Example 3.2. The shortest path problem.
Let $m_{i,j}$ be a path from $i$ to $j$, $P(m_{i,j})$ the weight of this path, and $DU_{i,j}[k]$ the set of paths $(i, j)$ used for the calculation of $d_{i,j}[k]$.

Variables : $\{d_{i,j}, m_{i,j}, w_{i,j}, DU_{i,j}, M_{i,j} \mid (i, j) \in [1, n] \times [1, n]\}$
SAFE : $\forall k \in N \quad d_{i,j}[k] = \mathrm{Min}_{m_{i,j} \in DU_{i,j}[k]}\ P(m_{i,j}) \wedge DU_{i,j}[k] \subseteq M_{i,j}$
LIVE : $\exists k = \{k_{i,j} \in N \mid (i, j) \in [1, n] \times [1, n]\} \quad DU_{i,j}[k_{i,j}] = M_{i,j}$
3.2 Refinement definition

From such statements, refinement steps lead to definitions which make explicit the calculations to be achieved on each variable, and to cooperation properties, which specify dependencies between these variables. These refinements are founded on the following definition.
Definition 3.2. Let $S = (x, R)$ and $S' = (x', R')$ be two parallel specifications. We say that $S$ is refined by $S'$, denoted as $S \sqsubseteq S'$, if and only if

$x \subseteq x' \wedge R' \Rightarrow R$

Note – In this definition, if $x : U \to N \to V$ and $x' : U' \to N \to V$, $x \subseteq x'$ means $U \subseteq U'$.

Any proposed refinement then consists in the replacement of a set of properties by a new one, which can contain new variables. Then it must be shown that it is logically stronger than the previous one. So, we use the same kind of refinement as the one proposed in [11] for the design of UNITY programs.
4 STEPWISE REFINEMENT RULES

The first step consists in making the property LIVE precise in such a way that the predicate $\mathit{term}$ is stable. For this purpose we use induction on well-founded sets. A well-founded set is a set $F$ with an order relation such that any decreasing sequence is stationary. Intuitively, for the property $\mathit{term}$ to be eventually true, it is sufficient to define an ordered set of multi-occurrences. Hence we associate some element in a well-founded set with each multi-occurrence and we show that the defined sequence decreases.

SAFE : $\forall k \quad Q(X_k)$
LIVE : $\forall k\ \forall k' \quad k \le k' \Rightarrow\ (X_{k'})\ \ (X_k) \wedge \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$
with $\ : X \to F = {}_{u \in U} F_u$, where the $F_u$ are well-founded sets.
Note – In this statement, $k \le k'$ or $k < k'$ denote the classical orders on tuples of integers.
This leads to the following refinement rule.
Rule R1 – Refinement of the liveness property

Let $S = (x, R)$ be a parallel specification of the following form:

$R = SAFE \wedge LIVE$ with
SAFE : $\forall k \quad Q(X_k)$
LIVE : $\exists k \quad \mathit{term}(X_k)$

The substitution of the property

LIVE' : $\forall k\ \forall k' \quad k \le k' \Rightarrow\ (X_{k'})\ \ (X_k) \wedge \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$
with $\ : X \to F = {}_{u \in U} F_u$, where the $F_u$ are well-founded sets

for the property LIVE defines a parallel specification which refines $S$ and whose predicate $\mathit{term}$ is stable.
Example 4.1. The shortest path problem.
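By defining the function $\ (DU_{i,j}[k_{i,j}]) = M_{i,j} - DU_{i,j}[k_{i,j}]$, we obtain the following parallel specification:

SAFE : $\forall k \in N \quad d_{i,j}[k] = \mathrm{Min}_{m_{i,j} \in DU_{i,j}[k]}\ P(m_{i,j}) \wedge DU_{i,j}[k] \subseteq M_{i,j}$
LIVE : $\forall k = \{k_{i,j} \mid (i, j) \in [1, n] \times [1, n]\}\ \forall k' = \{k'_{i,j} \mid (i, j) \in [1, n] \times [1, n]\}$
$\quad k \le k' \Rightarrow d_{i,j}[k_{i,j}]\ \ d_{i,j}[k'_{i,j}] \wedge \forall (i, j) \in [1, n] \times [1, n]\ \ d_{i,j}[k_{i,j}] = \mathrm{Min}_{p \in M_{i,j}}\ w_p \vee \exists k'\ k \le k' \wedge d_{i,j}[k_{i,j}] > d_{i,j}[k'_{i,j}]$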
We now introduce particular forms of safety predicates, called guarded definitions, to progress towards process definitions.
Definition 4.1. Let $x$ be an array of variables. We call guarded definition any first-order formula of the form $x_u[k] \in \{f_u(\ldots, x_v[k'], \ldots) \mid C_u(\ldots, x_v[k'], \ldots)\}$. The variable $x_u$ appearing in the left part of the formula is defined as a function of the variables appearing in the right part of the equation. The occurrences of the argument variables of the function $f_u$ must satisfy the boolean guard $C_u$. The introduction of such guarded definitions is realized by refinement of the safety property SAFE. It must satisfy the following refinement rule.
Rule R2 – Definition of the calculations
Let $S = (x, R)$ be a parallel specification of the following form:

$R = SAFE \wedge LIVE$ with
SAFE : $\forall k \quad Q(X_k)$
LIVE : $\forall k\ \forall k' \quad k \le k' \Rightarrow\ (X_{k'})\ \ (X_k) \wedge \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$

The substitution of the property

SAFE' : $Q(X_0) \wedge \forall u \in U\ \forall k_u \quad x_u[k_u + 1] \in \{f_u(X_{k_u}) \mid C_u(X_{k_u})\}$

for the property SAFE, and the substitution of the weaker property

LIVE' : $\forall k \quad \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$

for the liveness one, define a refinement of $S$ if

$\forall u \in U\ \forall k_u \quad ((Q(X_{k_u}) \wedge C_u(X_{k_u})) \Rightarrow Q(X_{k_u + 1})) \wedge\ (X_{k_u + 1})\ \ (X_{k_u})$

Example 4.2. The shortest path problem.
Here we can propose different kinds of solutions. First we can define the $k$th occurrence of a variable $d_{i,j}$ by using the paths composed of the vertices less than or equal to $k$. This solution leads to the Warshall-Floyd algorithm. We propose below a solution inspired by Bellman's algorithm in which the $k$th occurrence of a variable $d_{i,j}$ is defined from the value of $d_{i,p}$ where $p$ is a predecessor vertex of the vertex $j$.

Variables : $\{d_{i,j}, m_{i,j}, w_{i,j}, DU_{i,j}, M_{i,j} \mid (i, j) \in [1, n] \times [1, n],\ j \ne i\}$
SAFE : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad d_{i,j}[0] = \mathrm{Min}_{m_{i,j} \in DU_{i,j}[0]}\ P(m_{i,j}) \wedge DU_{i,j}[0] \subseteq M_{i,j}$
$\quad \wedge\ \forall k_{i,j} \in N \quad d_{i,j}[k_{i,j}] \in \{d_{i,p}[k_{i,p}] + w_{p,j} \mid d_{i,p}[k_{i,p}] + w_{p,j} < d_{i,j}[k_{i,j} - 1]\}$
LIVE : $\forall k = \{k_{i,j} \mid (i, j) \in [1, n] \times [1, n]\} \quad \forall (i, j) \in [1, n] \times [1, n]\ \ d_{i,j}[k_{i,j}] = \mathrm{Min}_{p \in M_{i,j}}\ w_p \vee \exists k'\ \exists (i, j)\ \ k' < k \wedge d_{i,j}[k_{i,j}] > d_{i,j}[k'_{i,j}]$
5 REFINEMENT RULES TO DISTRIBUTE PROCESSES

In order to design abstract parallel solutions, in terms of communicating processes satisfying such a specification, we introduce new refinement rules. The stepwise technique they yield consists in defining an abstract array topology by introducing local variables and cooperation properties that reinforce the property LIVE.
Definition 5.1. We call abstract architecture any set $A$ included in $U \times U$. Every variable of an array $x$ is a model of a process of the abstract architecture. Then any guarded definition of the form $x_u[k_u + 1] \in \{f_u(X_{k_u}) \mid C_u(X_{k_u})\}$ defines a process such that, in the case where no multi-occurrence satisfies the boolean guard $C_u$, the definition of any $(k_u + 1)$th occurrence of the variable $x_u$ is delayed until the definition of a multi-occurrence set satisfying $C_u$. In order to design such a process, we introduce a local array $y_u$ of variables $y_{u,v}$ ($v \in U$ such that $(v, u) \in A$) and a classical guard notation of the form

$C_u(x_u[k_u], Y_{u,k_u}) \to x_u[k_u + 1] = f_u(x_u[k_u], Y_{u,k_u})$

where $Y_{u,k_u}$ is a multi-occurrence of the array of variables $y_u$, in which the occurrence index of any $y_{u,v}$ is $k_u$. The variables $x_v$ and $y_{u,v}$ are linked by cooperation properties of the form

$\forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v)$

Such a transformation is founded on the following refinement rules.
Rule R3 – Distributing variables

Let $S = (x, R)$ be a parallel specification of the following form:

$R = SAFE \wedge LIVE$ with
SAFE : $Q(X_0) \wedge \forall u \in U\ \forall k_u \quad x_u[k_u + 1] \in \{f_u(X_{k_u}) \mid C_u(X_{k_u})\}$
LIVE : $\forall k \quad \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$

and $S' = (\{x, y_u \mid u \in U\}, R')$ be the following parallel specification:

$R' = SAFE' \wedge COOP \wedge LIVE$ with
SAFE' :
- definition of an initial multi-occurrence $X_0$ such that $Q(X_0)$
- $\forall u \in U\ \forall k_u \quad C_u(x_u[k_u], Y_{u,k_u}) \to x_u[k_u + 1] = f_u(x_u[k_u], Y_{u,k_u})$
COOP : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v]$

$S'$ is a refinement of $S$.
Rule R4 – Transformation of the cooperation properties

Let $S = (\{x, y_u \mid u \in U\}, R)$ be a parallel specification of the following form:

$R = SAFE \wedge COOP \wedge LIVE$ with
SAFE :
- definition of an initial multi-occurrence $X_0$ such that $Q(X_0)$
- $\forall u \in U\ \forall k_u \quad C_u(x_u[k_u], Y_{u,k_u}) \to x_u[k_u + 1] = f_u(x_u[k_u], Y_{u,k_u})$
COOP : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v]$
LIVE : $\forall k \quad \mathit{term}(X_k) \vee (\exists k'\ k < k' \wedge\ (X_{k'}) < (X_k))$
and let $S' = (\{x, y_u,\ u \in U\}, R')$ be another parallel specification defined as:

$R' = SAFE' \wedge COOP' \wedge LIVE$ with
SAFE' :
- definition of an initial multi-occurrence $X_0$ such that $Q(X_0)$
- $\forall u \in U\ \forall k_u \quad C'_u(x_u[k_u], Y_{u,k_u}) \to x_u[k_u + 1] = f_u(x_u[k_u], Y_{u,k_u})$
COOP' : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v)$

If the predicates $R$ and $R'$ satisfy

$\forall (v, u) \in A \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v) \wedge C'_u(x_u[k_u], Y_{u,k_u}) \Rightarrow C_u(Y_u, k_u)$

then $S'$ is a refinement of $S$.
Example 5.1. The shortest path problem.

In the previous statement we can substitute $a_{i,j,p}$ variables for the $d_{i,p}$ ones, in an abstract architecture $A = \{((i, p), (i, j)) \mid (i, j) \in [1, n] \times [1, n],\ p \in \mathit{predecessor}(j)\}$. The boolean guards are then $a_{i,j,p}[k] + w_{p,i} < d_{i,j}[k - 1]$ and the predicates of the cooperation properties $P_{i,j,p}$ are $\mathit{true}$. We obtain then:

Variables : $\{d_{i,j}, a_{i,j,p}, w_{i,j}, M_{i,j} \mid (i, j) \in [1, n] \times [1, n],\ j \ne i,\ p \in \mathit{predecessor}(j)\}$
SAFE : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad d_{i,j}[0] = w_{i,j}$
$\quad \wedge\ \forall k \in N\ \forall p \in \mathit{predecessor}(j) \quad a_{i,j,p}[k] + w_{p,j} < d_{i,j}[k - 1] \to d_{i,j}[k] = a_{i,j,p}[k] + w_{p,j}$
COOP : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad \forall k_{i,j} \in N\ \exists p \in \mathit{predecessor}(j)\ \exists k_{i,p} \in N \quad a_{i,j,p}[k_{i,j}] = d_{i,p}[k_{i,p}]$

By reinforcing the cooperation properties and grouping the variables $a_{i,j,p}$, we obtain the following parallel specification:

Variables : $\{d_{i,j}, a_{i,j}, w_{i,j}, M_{i,j} \mid (i, j) \in [1, n] \times [1, n],\ j \ne i\}$
SAFE : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad d_{i,j}[0] = w_{i,j}$
$\quad \wedge\ \forall k \in N\ \forall p \in \mathit{predecessor}(j) \quad \mathit{true} \to d_{i,j}[k] = a_{i,j}[k] + w_{p,j}$
COOP : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad \forall k_{i,j} \in N\ \exists p \in \mathit{predecessor}(j)\ \exists k_{i,p} \in N \quad a_{i,j}[k_{i,j}] = d_{i,p}[k_{i,p}] \wedge a_{i,j}[k_{i,j}] + w_{p,j} < d_{i,j}[k_{i,j} - 1]$
Next refinement steps may consist in introducing time in the parallel specification and in reinforcing the cooperation properties. Such reinforcements restrict the possible target solutions. Then reinforcing the cooperation properties in a functional way allows the solutions to be implemented. Defining the properties $P_{u,v}$ may require some expression about the computation circumstances. This asynchronous parallelism modeling can be easily expressed by associating some time stamp with any variable occurrence.
Definition 5.2. A time stamp may be considered as a value in an infinite, ordered discrete set such as $N$ to handle time.
For any variable $x$ and any occurrence $k$, we denote by $t(x[k])$ its time stamp. Examples of commonly used relations to reinforce a cooperation property may be:
– $P_{u,v}(k_u, k_v)$ iff $k_v = \mathit{least}\{k' \mid t(x_v[pre_{u,k}]) < t(x_v[k'])\ \ t(y_{u,v}[k_u])\}$, where $pre_{u,k}$ is the last occurrence of $x_v$ used to define some previous occurrence of $y_{u,v}$. This function defines a very common asynchronous fifo communication policy,
– $P_{u,v}(k_u, k_v)$ iff $k_v = \mathit{greatest}\{k' \mid t(x_v[pre_{u,k}]) < t(x_v[k'])\ \ t(y_{u,v}[k_u])\}$. This relation defines another communication primitive where messages can be lost.

Such relations are called communication relations.
Rule R5 – Introduction of communication relations

Let $S = (\{x_u, y_{u,v} \mid (v, u) \in A\}, R)$ be a parallel specification of the form:

$R = SAFE \wedge COOP \wedge LIVE$ with
COOP : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v)$

The substitution of communication relations

COOP' : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v) \wedge t(y_{u,v}[k_u])\ \ t(x_v[k_v])$

for the property COOP defines a refinement of $S$.
Rule R6 – Definition of the communication relations

Let $S = (\{x_u, y_{u,v} \mid (v, u) \in A\}, R)$ be a parallel specification of the form:

$R = SAFE \wedge COOP \wedge LIVE$ with
COOP : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P_{u,v}(k_u, k_v)$
Let $S' = (\{x_u, y_{u,v} \mid (v, u) \in A\}, R')$ be another parallel specification of the same form:

$R' = SAFE \wedge COOP' \wedge LIVE$ with
COOP' : $\forall (v, u) \in A\ \forall k_u \in N\ \exists k_v \in N \quad y_{u,v}[k_u] = x_v[k_v] \wedge P'_{u,v}(k_u, k_v)$

If, for $(v, u) \in A$, $P'_{u,v} \Rightarrow P_{u,v}$, then $S'$ is a refinement of $S$.
Example 5.2. The shortest path problem.
We can propose the following parallel specification:

Variables : $\{d_{i,j}, a_{i,j}, w_{i,j}, M_{i,j} \mid (i, j) \in [1, n] \times [1, n],\ j \ne i\}$
COOP : $\forall (i, j) \in [1, n] \times [1, n],\ j \ne i \quad \forall k_{i,j} \in N\ \exists p \in \mathit{predecessor}(j)\ \exists k_{i,p} \in N$
$\quad a_{i,j}[k_{i,j}] = d_{i,p}[k_{i,p}] \wedge a_{i,j}[k_{i,j}] + w_{p,j} < d_{i,j}[k_{i,j} - 1] \wedge t(d_{i,p}[k'])\ \ t(a_{i,j}[k_{i,j}]) \Rightarrow t(d_{i,p}[k'])\ \ t(d_{i,p}[k_{i,p}])$
6 CONCRETE IMPLEMENTATIONS

From such functions which reinforce cooperation properties, we can easily deduce an operational expression of convenient communication primitives. For the last example we give the pre-post definition of such a communication operation, from an abstract data set $X$, representing the values possibly used:

{pre :: not empty?(X)} value :: last(X) {post :: [ ]}

The last steps consist in expressing convenient data structures and processes in a CSP style on which syntactical transformations can be applied.
Example 6.1. The shortest path problem.

    PATH = [ ‖ D(i : 1..n, j : 1..n, i ≠ j) :: VERTEX ]

    VERTEX = [ d, a : integer;
               w : array [predecessor(j)] of integer;
               send : array [1..n] of boolean;
               d := init_{i,j};
               [ (k : 1..n) send[k] := true ];
               [ (p : predecessor(j)) D(i, p) ? a ; a + w[p] < d → d := a + w[p]; [ (k : 1..n) send[k] := true ]
                 [ ] (k : successor(j)) send[k]; D(i, k) ! d → send[k] := false
               ]
             ]
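The following Python simulation is an added example, not code from the paper: it runs the VERTEX processes of Example 6.1 under a random asynchronous schedule, with the `last(X)` communication of section 6 modelled as a one-value mailbox (an unread value is overwritten, so messages can be lost), and compares the result with a sequential reference. The mailbox model, the function names and the sample graph `W` are assumptions made for the illustration.

```python
import itertools
import random

INF = float("inf")

# Constructed sample graph (assumption): W[p][j] is the weight of edge p -> j.
W = [
    [0,   4,   INF, INF, 1],
    [INF, 0,   2,   INF, INF],
    [INF, INF, 0,   3,   INF],
    [7,   INF, INF, 0,   INF],
    [INF, 1,   INF, 8,   0],
]


def floyd_warshall(w):
    """Sequential reference: d(i, j) = minimum weight over all paths from i to j."""
    n = len(w)
    d = [row[:] for row in w]
    for k, i, j in itertools.product(range(n), repeat=3):
        d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d


def run_vertex_array(w, seed):
    """Run the processes D(i, j), i != j, under a random asynchronous schedule.

    Returns the final d values and counters for the run.
    """
    n, rng, ref = len(w), random.Random(seed), floyd_warshall(w)
    procs = [(i, j) for i in range(n) for j in range(n) if i != j]
    succ = {(i, j): [k for k in range(n) if k not in (i, j) and w[j][k] < INF]
            for (i, j) in procs}
    d = {(i, j): w[i][j] for (i, j) in procs}      # d := init(i, j)
    send = {q: set(succ[q]) for q in procs}        # send[k] := true
    slot = {}  # (i, j, p) -> last unread value sent by D(i, p) to D(i, j)
    stats = {"steps": 0, "lost": 0, "unsafe": 0}
    while True:
        enabled = [("send", i, j, k)
                   for (i, j) in procs for k in sorted(send[(i, j)])]
        enabled += [("recv", i, j, p) for (i, j, p) in slot]
        if not enabled:                            # quiescence: nothing left to do
            return d, stats
        kind, i, j, x = rng.choice(enabled)
        stats["steps"] += 1
        if kind == "send":                         # D(i, x) ! d
            stats["lost"] += (i, x, j) in slot     # older unread value overwritten
            slot[(i, x, j)] = d[(i, j)]
            send[(i, j)].discard(x)
        else:                                      # D(i, x) ? a
            a = slot.pop((i, j, x))
            if a + w[x][j] < d[(i, j)]:            # boolean guard of the definition
                d[(i, j)] = a + w[x][j]
                send[(i, j)] = set(succ[(i, j)])
            # SAFE: d is the weight of some path, so it is never below the minimum
            stats["unsafe"] += d[(i, j)] < ref[i][j]


def agrees_with_reference(w, seed):
    """True if the run never violated SAFE and ended on the shortest distances."""
    d, stats = run_vertex_array(w, seed)
    ref = floyd_warshall(w)
    return stats["unsafe"] == 0 and all(d[q] == ref[q[0]][q[1]] for q in d)


if __name__ == "__main__":
    for seed in range(5):
        d, stats = run_vertex_array(W, seed)
        print(seed, stats, agrees_with_reference(W, seed))
```

Every schedule reaches the same final values because a process re-arms all its `send` flags whenever `d` decreases, so the last value of each `d` is always delivered even when earlier ones are overwritten.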
7 CONCLUSION

This paper was an attempt to progress on the general problem of designing communicating processes to be mapped on MIMD architectures. While some particular target solutions receive good answers, especially in synchronous computations, for others related to asynchronous computations the studies are just beginning. The main points we have put forward in this paper concern some technical refinement steps to go from a given problem specification to some operational parallel solutions. The intermediate statements, called parallel specifications, refine two kinds of properties: the safety one and the liveness one. Mainly, the safety one leads to defining processes. The liveness one leads to defining an abstract architecture and communications. This last point is the most original one we introduced in this refinement calculus.
REFERENCES

[1] Back, R. J.: A calculus of Refinements for Program Derivations. Acta Informatica, Vol. 25, 1988, pp. 593–624.
[2] Back, R. J.–Sere, K.: Stepwise Refinement of Actions Systems. Lect. Notes in Computer Sc., Vol. 375, Springer-Verlag 1989, pp. 115–138.
[3] Chandy, K.M.–Misra, J.: Parallel Program Design: A Foundation. Prentice Hall 1988.
[4] Clauss, Ph.–Perrin, G.-R.: Synthesis of Process Arrays. CONPAR'88, Manchester, 1988.
[5] Damy, S.–Perrin, G.-R.: Techniques for the Design of Communicating Processes. Sixth International Workshop on Software Specification and Design, Como, 1991.
[6] Delosme, J.M.–Ipsen, I. C. F.: An Illustration of a Methodology for the Construction of Efficient Systolic Architectures in VLSI. Second Int. Symposium on VLSI technology systems and applications, 1985.
[7] Dijkstra, E. W.: A Discipline of Programming. Prentice-Hall 1976, Englewood Cliffs.
[8] Gribomont, P. E.: Stepwise Refinement and Concurrency: The Finite-State Case. Research Report, Philips, 1989, Brussels.
[9] Gribomont, P. E.: Development of Concurrent Systems by Incremental Transformation. Research Report, Philips, 1990, Brussels.
[10] Hoare, C. A. R.: Communicating Sequential Processes. Communications of the ACM, Vol. 21, 1978, No. 8.
[11] Knapp, E.: An Exercise in the Formal Derivation of Parallel Programs: Maximum Flows in Graphs. ACM Transactions on Programming Languages and Systems, Vol. 12, 1990, No. 2, pp. 203–223.
[12] Kung, H. T.: The Structure of Parallel Algorithms. Advances in Computer, Vol. 15, 1979, No. 1.
[13] Mongenet, C.–Perrin, G.-R.: Synthesis of Systolic Arrays for Inductive Problems. Int. Conf. PARLE, Eindhoven, Lect. Notes in Computer Sc., Vol. 259, Springer-Verlag 1987.
[14] Morgan, C. C.: Types and Invariants in the Refinement Calculus. Lect. Notes in Computer Sc., Vol. 375, Springer-Verlag 1989, pp. 363–378.
[15] Morris, J. M.: A Theoretical Basis for Stepwise Refinement and the Programming Calculus. Science of Computer Programming, Vol. 9, 1987, No. 3, pp. 298–306.
[16] Quinton, P.: Mapping Recurrences on Parallel Architectures. Third Int. Conf. on Supercomputing, Boston, 1988.
[17] Wirth, N.: Program Development by Stepwise Refinement. Communications of the ACM, Vol. 14, 1971, No. 4.
8 BIOGRAPHY

Sylvie Damy received her PhD in 1991 on a methodology for deriving Communicating Processes. Since 1992 she has been an assistant professor in Computer Science at the University of Besançon (France). She is currently engaged in research on specification and parallel program refinement.
Guy-René Perrin received his PhD in 1976 and his higher doctorate in 1985. Since this date he has been a professor in Computer Science at the University of Besançon (France) where he was head of the Computer Science Department and of the Postgraduate Research Courses. Since 1994 he has been a professor at the University Louis Pasteur at Strasbourg, where he is head of the ICPS research team. He is currently engaged in research on automatic parallelization techniques and data parallel programming.