rules and nite model checking permits to even treat software systems with in nite state space in a exi- ble and .... velopment method to more real life systems.
Modular Development of Correct Meander Programs Holger Giese and Guido Wirtz Institut fur Informatik, Westfalische Wilhelms-Universitat, Einsteinstra�e 62, 48149 Munster, GERMANY
Abstract We describe the modular development
of correct parallel software with the Meander system from high-level speci cations down to a concrete implementation, based on a communicating algebra formalism. We focus on the external behavior of the components and keep the behavioral properties through re nement and abstraction. A combination of a exible set of syntactical metarules and nite model checking permits to even treat software systems with in nite state space in a exible and stepwise modular development process.
Keywords: parallel software design, formal design methods, abstraction, correctness by design, veri cation tools
1 Introduction Developing parallel software is a complex task. A well-founded methodology and adequate development tools are needed to avoid deadlocks and starvations, the anomalies of concurrent systems. In a hierarchical modular development process the embedding of a module speci cation is used to abstract from the module implementation and hide it's details. For sequential systems the syntactical interfaces are used, but in concurrent systems, the corresponding
at model which can have an enormous size must be build and analyzed to detect the relevant properties like deadlocks and starvations. Due to the missing modular analysis of the system, design errors will not be detected during the design process itself, only at it's end. The results of such a nal analysis re ect the system at such a detailed level, that the resulting information depends on the nal implementation and does not indicate the design errors of
earlier development stages. So the modular design of complex systems must support deadlock and starvation analysis in a modular fashion using a more sophisticated kind of abstraction considering the behavior of a module. More precise, for the module speci cation or interface and every valid module implementation, a special form of relation concerning their behavior must hold. In the literature many relations are proposed for behavioral abstraction (see [12] for a detailed comparison of them). Especially for complex software systems the chosen preorder relation should be as weak as possible, but must preserve the relevant properties. The CSP based approach to model checking [10] and a variation to it { the CFFD model (e.g. [11]) { tries to re ect only the possible failures of a module, when comparing two systems. The available veri cation techniques for CFFD and nite models (e.g. [13]) are able to handle complex nite models up to a certain size. But often complex modular software systems can not be treated directly. Common state machine based approaches like [8] and the well known state chart approach [6] can only be used to describe nite speci cations and implementations. A more realistic view of a software system should divide states into nite control states and possibly in nite data states of programs (like in Meander). So specifying such software systems with state machines will lead to a gap between the speci cation and the implementations. Bottom-up development steps are di�cult on that level and the correspondence between states of the specifying state machine and the program of the process are not obvious. So we choose a formalism re ecting this duality of states using the same semantic environment
(e.g. variable names) to support top-down and bottom-up development steps. We decided to use evolving algebras to model systems, which provide a exible mechanism to specify the operational behavior. A exible set of syntactical checkable steps leads systematically to a nite abstraction for in nite systems. Meander and our notion of communicating algebras is explained and the speci cation/re nement preorder is introduced in section 2. We give some examples of the use of our method and describe some possible steps of the development process in section 3. We close with some remarks w.r.t. our approach and future work (section 4).
2 Meander and Communicating Algebras The Meander approach ([14]) is restricted to parallel message passing systems like CSP [7] or systems working with MPI [9] restricted to synchronous communication. It is a hybrid approach based on process graphs annotated with sequential C code describing the system. This takes away some of the inherent complexity of parallel software by allowing to specify the behavior graphically and supplying the synthesis of the necessary underlying communication structures. The processes are modeled using a graphical notation containing sequential blocks (SEQ), communication nodes (SND, RCV), mixed communication and boolean guards (BG, SG, RG, BSG, BRG e.g. Boolean Receive Guard) and bracket like conditional statements (ALT, TLA), loops (DO, OD) and process creation (CC, WC). These elements are connected by thin edges to specify their sequential order. Corresponding communications are connected by fat edges. For the termination of Guarded DO-loops, a special semantic is provided, that ensures that no loop is waiting for a communication guard that cannot communicate any more. This grain structure is re ned using C expressions and code fragments to annotate the graphical nodes. The annotations for guards with boolean expressions (BG, BSG, BRG) are
restricted to "side e�ect free" C expressions to avoid a semantic confusion resulting from their dynamic evaluation order. Fragments of processes are combined to modules as shown in gure 1 and represented by module nodes with the extern visible communication nodes and entry points on the module node frame. Evolving algebras [4] can describe the sequential behavior of a process in a exible and powerful way, using the well understood structure of a static algebra to represent a state. State changes are de ned using special update expressions build with constructs like if, choose and forall. They provide a exible formalism to specify a partial update for a subset of the variables. The algebraic framework ensures, that all updates are restricted to the corresponding universe. We extend this formalism by introducing an unknown element u to model data non-determinism and extending all variable universes and functions preserving f (~x; u; ~y) = z ) 8a f (~x; a; ~y) = z. Our special form of communicating algebra (see [5]) is based on sequential communicating algebras M = (A; S; V; U ) with alphabet A, variables V , control states S and updates U . An update contains a label 'a', a start state s1 , a test expression b (condition), a message expression m for a, a resulting state s2 and a normal update expression f depending on the message expression for �a. A communicating algebra M = (N; A; Se; Sl; MS ; MA; C; fM1; : : :; Mng) has an unique name N , contains an external alphabet A, a set of entry states Se and leave states Sl , mappings MS , MA and connections C for entry and leave states and a set of (sequential) communicating algebras. All updates where the condition evaluates not to false are named active. A step is done by choosing two corresponding active updates or an active � update and perform them. Two corresponding updates are performed by evaluating the messages locally, exchanging the results of the messages and evaluating the update expression with the message of the corresponding update. A � update can be simply evaluated locally. Each statement of a C program can be transformed to an equivalent evolving algebra update (see [3]) which uses the same variable
Figure 1: Overcoming the restrictions of the classical sequential operator names. Evolving algebra can be used to synthesis C-expressions and assertions and data
ow restrictions for sequential code fragments and guards. The preorder we chose is equivalent to the CFFD Model (c.f. [11]). Informally speaking, in terms of our communicating algebra, an implementation Mimpl is a valid implementation for the speci cation Mspec if every possible failure occurring when embedding Mimpl can occur when embedding Mspec too. Based on this extended formalism we can model complex Meander systems in a straight forward way with the bene t that speci cations can be simulated (see [1]) and visualized. The structural composition introduced by declaring a module in Meander can be mapped to the declaration of the corresponding communicating algebra. This construction of a communicating algebra includes parallel and sequential composition of communicating algebras at once, which is monotonous for our abstraction/re nement preorder (see [5]). We can abstract from the phases of computation of an system in total
isolation by avoiding the total synchronization of the standard algebraic sequential operator, as demonstrated in gure 1.
3 Abstraction, Re nement and Veri cation Abstraction and re nement should be used to develop a system in a modular fashion. To abstract from possibly in nite data spaces or simply minimize a state space, we provide a set of meta-rules to abstract from arbitrary sets of variables locally by partitioning their universes. For neglecting the behavior depending on a variable totally, we can simply map this variable to fug. After determining an area and de ning partitions for a variable set, the expressions and update expressions are simpli ed using symbolic evaluation realized with a term rewriting process (see [2]). Equivalent subexpressions are detected and the best simpli cation found after a restricted amount of time is used. Otherwise an update set all possibly e�ected variables to u can always be used.
Consider variable partitionings data ! fug and i !map fodd; even; ug and an update (a; s1; (i%2 = 0); data[i]; s2; i = i + 1; ). The resulting update is (a; s1; (i = even); u; s2 ; i = odd; ) using precondition (i%2 = 0) and rules for modulo arithmetics. Re nement can be done by re ning variable universes or using adequate substitutions not o�ending against the non-deterministic cover.
4 Conclusion We have sketched how to develop correct parallel programs with the Meander framework in a modular fashion. The exible mechanism of communicating algebras allows us to do this even for in nite systems based on a exible set of syntactical meta-rules and nite model checking. Current and future work is involved in making the automated support more comfortable and stable as well as applying the development method to more real life systems.
References
Figure 2: Mapping to a "lts" To verify the preorder, relevant properties or additional constraints given by temporal logic formulas, we map the resulting evolving algebras to "labeled transition systems". This can be done in a very e�cient way, by using the high level knowledge of our evolving algebra speci cation and preorder to nd a representation as small as possible. This is done by reachability analysis for nite evolving algebras. In gure 2 we show how structures with alternative guards can be mapped very e�cient to a corresponding "labeled transition system". The arcs annotated with #fa; b; : : :g are needed to model the termination mechanism for the loops. That the resulting veri cation task is based on "labeled transition systems" is totally invisible for the designer, who only works with the evolving algebra interface.
[1] B. Beckert and J. Posegga. leanEA: A lean Evolving Algebra Compiler. Proc. CSL'95, 1995. [2] N. Dershowitz and J.-P. Jouannaud. Rewrite Systems. In J. van Leeuven, editor, Formal Models and Semantics, chapter 6. Elsevier, 1990. [3] Yuri Gurevich and James K. Huggins. The Semantics of the C Programming Language. In E. Borger et al., editors, Proc. CSL'92, LNCS 702, Errata: CSL 93, LNCS 832. Springer, September 1993. [4] Yuri Gurevich. Evolving Algebra 1993: Lipari Guide. In E. Borger, editor, Speci cation and Validation Methods, Oxford University Press, 1994. [5] H. Giese. Modularization and Abstraction in Meander. report, University of Siegen, 1996. [6] D. Harel. Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming, 3(8), 1987. [7] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985. [8] N. Leveson, H. Hildreth, M. P. E. Heimdahl, and J. D. Reese. Requirements Speci cation for Process-Control Systems. IEEE Transaction on Software Engineering, 20(9), 1994. [9] MPI Forum. MPI: A Message{Passing Interface Standard, June 1995. [10] A. W. Roscoe. Model-Checking CSP. Prentice-Hall International, 1994. [11] A. Valmari. Compositionality in State Space Veri cation Methods. In J. Billington et al., editors, Proc. PN'96, LNCS 1091. Springer, 1996. [12] R. J. van Gladbeck. The Linear Time - Branching Time Spectrum II. In E. Best, editor, Proc. CONCUR'93, LNCS 715. Springer, August 1993. [13] A. Valmari et al. Putting Advanced Reachability Techniques Together: the "ARA" Tool. In J. C. P. Woodcock and P. G. Larsen, editors, Proc. FME'93, LNCS 670. Springer, April 1993. [14] Guido Wirtz. A Visual Toolset for MessagePassing Parallel Programming. In H.R. Arabnia, editor, Proc. PDPTA'96. CSREA, August 1996.
