A Renement Relation Supporting the Transition from
Unbounded to Bounded Communication Buers
Ketil Stlen
Fakultat fur Informatik
Technische Universitat Munchen
Postfach 20 24 20, D-80290 Munchen
Abstract
This paper proposes a renement relation supporting the transition from unbounded to
bounded communication buers. Employing this renement relation, a system specication
based on purely asynchronous communication can for example be rened into a system
specication where the components communicate purely in terms of hand-shakes. First a
weak version called partial renement is introduced. Partial renement guarantees only the
preservation of safety properties. This renement relation is then strengthened into total
renement which preserves both safety and liveness properties. Thus a total renement is
also a partial renement. The suitability of this renement relation for top-down design is
discussed and some examples are given.
1 Introduction
During the nal phases of a system development many implementation dependent constraints
have to be taken into consideration. This is not a problem as long as the introduction of these
constraints is supported by the renement relation being used | supported in the sense that
the specications in which these constraints have been embedded can be understood as renements of the earlier more abstract system specications where these implementation dependent
constraints did not occur. Unfortunately this is not always the case.
One important class of such implementation dependent constraints, which (in general) is not
supported by standard renement relations like behavioral renement and interface renement,
is the class of requirements imposing upper-bounds on the memory available for a communication
channel. Such a requirement may for example characterize the maximum number of messages
which at one point can be stored in a certain channel without risking malfunction because of
channel overow. Clearly this number may vary from one channel to another depending on the
type of messages that are sent along the channel, and the way the channel is implemented.
Of course one way to treat such channel constraints is to introduce them already at the most
abstract level. However, this solution is not very satisfactory because these rather trivial constraints may considerably complicate the specications and the whole renement process. The
other alternative is to introduce them rst in the nal phases of a development. However, as
already pointed out, this requires a renement relation supporting the introduction of such
constraints.
This work is supported by the Sonderforschungsbereich 342 \Werkzeuge und Methoden f
ur die Nutzung
paralleler Rechnerarchitekturen".
1
Consider a network consisting of two specications S1 and S2 communicating purely asynchronously via an internal channel y, as indicated by Network 1 of Figure 1.
Network 1
Network 2
q?
S1
q ? ?J
?
J
S~1
S~2
J
w JJ z
s
?
S2
y
s
?
?
Figure 1: Introducing Synchronization
We want to rene Network 1 into a network of two specications S~1 and S~2 communicating in a
synchronous manner | in other words into a network of the same form as Network 2 of Figure
1.
That Network 2 is a renement of Network 1 in the sense that any external behavior of Network 2 is also a behavior of Network 1 is only a necessary requirement, because we may still
instantiate S~1 and S~2 in such a way that the communication via w is completely independent
of the communication along z . Thus that Network 2 is a renement of Network 1 does not
necessarily mean that we have managed to synchronize the communication. It is still up to the
developer to formulate S~1 and S~2 in such a way that they communicate in accordance with the
synchronization protocol the developer prefers.
Nevertheless what is needed is a renement relation supporting this way of introducing feedback
loops. Clearly this renement relation must allow for the formulation of rules which do not
require the proof eorts already invested at the earlier abstraction levels to be repeated. For
example, if it has already been proved that Network 1 has the desired overall eect, then it
should not be necessary to repeat this proof when Network 1 is rened into Network 2. The
formulation of such a renement relation is the objective of this paper.
The close relationship between specication formalisms based on hand-shake communication and
purely asynchronous communication is well-documented in the literature. For example HJH90]
shows how the process algebra of CSP can be extended to handle asynchronous communication
by representing each asynchronous communication channel as a separate process. A similar technique allows dierent types of synchronous communication to be introduced in an asynchronous
system specication: each asynchronous channel is rened into a network of two components
which internally communicate in a synchronous manner, and which externally behave like the
identity component.
Network 3
q?
S1
y
Network 4
I
6
x?
S2
s
q?
S1
?
?J
? x?
I1 JJ I2
y 6w JJ z
S2
s
?
Figure 2: Naive Transformation
In fact with respect to the two networks of Figure 1, using this strategy, we may move from
2
Network 1 to Network 2 in three steps, employing the usual relation of behavioral renement,
which basically says that a specication S is a renement of a specication S i any behavior
of S is also a behavior of S :
0
0
Step 1: Insert an identity specication I between S1 and S2 of Network 1, as indicated by
Network 3 of Figure 2. The soundness of this renement step is obvious.
Step 2: Rene the identity specication into two subspecications I1 and I2 which communicate in accordance with the desired protocol. We then get Network 4 of Figure 2.
Step 3: Rene the network consisting of S1 and I1 into S~1 and the network consisting of
S2 and I2 into S~2, in which case we get Network 2 of Figure 1.
Unfortunately, this strategy is rather tedious, and more importantly: it can only be employed to
internal channels. To handle external channels accordingly, a more general renement relation
than behavioral renement is needed | namely a renement concept which allows the more
concrete specications to have additional input and output channels.
One might expect that some sort of interface renement would be sucient. However, the
principles of interface renement known to us either are not suciently general or do not have
the desired compositionality properties. The principle of (interaction) interface renement proposed in Bro93] allows a channel to be rened into a pair of channels, but only as long as the
channels are all of the same direction. Thus the renement of a channel into two channels of
opposite directions is not supported. On the other hand, renement principles in the tradition
of Hoa72], Jon87], AL88], where the concrete state is related to the abstract state via a renement function, seems to allow for this type of renement only if the external interface is kept
constant. (In our context the state can be understood as a mapping from channel identiers to
their communication histories.)
Below we attempt to deal with this problem by introducing two generalizations of behavioral
renement | one for partial correctness, and one for total correctness | referred to as partial
and total renement, respectively. Partial renement is sucient when only safety properties
are considered. Total renement preserves both safety and liveness properties. Thus a total
renement is also a partial renement.
Total renement allows for the introduction of both acknowledgement based and demand driven
synchronization. However, it is mainly suited for synchronization protocols which do not distinguish between dierent types of acknowledgements or demands. For example, in certain demand
driven algorithms like AvT87] it is important that the demands sent along a channel are fairly
distributed over a set of demand types. Such synchronization protocols are not supported.
The investigations are conducted in the context of dataow networks modelled by sets of continuous functions. The proposed relation can easily be restated in the context of other models
for reactive systems.
The paper is organized as follows: Section 2 introduces the basic concepts what we mean by
specication and renement is formalized in Section 3 then partial and total renement are
the subjects of Sections 4 and 5 nally, Section 6 contains a summary and discusses a possible
generalization.
2 Basic Notations
N denotes the set of positive natural numbers. A stream is a nite or innite sequence of actions.
It models the communication history of a directed channel. Each action represents one message
3
sent along the channel. Throughout the paper D denotes the set of all streams. We do not
distinguish between dierent types of streams (streams of naturals etc.). However all our results
can easily be generalized to such a setting.
Let d be an action, r and s be streams, and j be a natural number, then:
denotes the empty stream
ft(r) denotes the rst element of r if r is not empty
#r denotes the length of r
rjj denotes the prex of r of length j if j < #r, and r otherwise
d & s denotes the result of appending d to s
r _ s denotes r if r is innite and the result of concatenating r with s, otherwise
r v s holds if r is a prex of s.
A named stream-tuple is a mapping from a nite set of identiers to the set of streams. It can be
thought of as an assignment of channel histories to channel identiers. Given a set of identiers
I , then I ! denotes the set of all named stream tuples of signature I ! D. Moreover, I 7! denotes the element of I ! which for each identier in I returns the empty stream I denotes
the subset of I ! which maps every identier to an innite stream I denotes the subset of I !
which maps every identier to a nite stream.
The prex ordering v is also used to order named stream-tuples. Given two named streamtuples 2 I ! and 2 O! , then v i I = O and for all i 2 I : (i) v (i). We also overload
the concatenation and length operators: _ denotes the named stream tuple in (I O)! such
that:
1
i 2 I n O ) ( _ )(i) = (i)
i 2 O n I ) ( _ )(i) = (i)
i 2 I \ O ) ( _ )(i) = (i) _ (i):
# denotes minf#(i) j i 2 I g. Finally, =O denotes the projection of on O, namely the
named stream tuple 2 (I \ O)! such that for all i 2 I \ O, (i) = (i).
By a chain of named stream tuples we mean an innite sequence of named stream tuples ordered
by v. Since streams may be innite any such chain has a least upper bound denoted by t.
When convenient named stream tuples are represented as sets of maplets. For example, the set
0
0
fa 7! a
^ b 7! ^bg
denotes the named stream tuple 2 fa bg! , where (a) = a^ and (b) = ^b.
Following BD92] components are modelled by sets of functions mapping named stream tuples
onto named stream tuples. Each such function
f : I ! ! O!
is required to be monotonic:
4
for all named stream tuples : v ) f () v f ( )
and continuous:
for all chains of named stream tuples : f (t) = tff (j ) j j 2 Ng:
In the sequel we refer to such functions as stream processing functions.
To reduce the use of the projection operator and thereby simplify the presentation, each function
f 2 I ! ! O! is overloaded to any domain Q! ! O! where I Q, by requiering that for any
2 Q! , f () def
= f (=I ).
Given two stream processing functions
f 2 I ! ! O! f~ 2 I~! ! O~ ! where I \ I~ = O \ O~ = , then f k f~ is a function of signature
~
I I~ ! O O
such that f k f~() = f () _ f~(). If in addition I \ O = I~ \ O~ = , then f f~ and f ^ f~ are
functions of signatures
(I n O~ ) (I~ n O) ! (O n I~) (O~ n I )
~
(I n O~ ) (I~ n O) ! O O
respectively, such that
f f~() = =(O n I~ O~ n I )
f ^ f~() = given that f k f~( _ ) = is the least xpoint solution with respect to v. In Figure 3, Network
1 represents composition by and Network 2 represents composition by ^ . Thus diers from
^ in that it hides the feedback channels.
Network 1
I O~
O~ I
n
?
O I~ ?
n
O I~
\
f
?J
I~ O
\
J
J
?
J
J
Network 2
I O~
n
f~
?
?O
~
n
O~ I
n
I
?
O I~ ?
n
O I~
\
f
?J
J
J
?
?
J
J
Figure 3: Networks Relating the Operators and ^
Given n > 1 stream processing functions
5
I~ O
\
?
n
f~
?
?O
~
n
I
fj 2 Ij! ! Oj!
1 j n
such that Ij \ Oj = and l 6= k imply Il \ Ik = Ol \ Ok = , then nj=1 fj is a short-hand for
f1 : : : fn. Note that the restrictions imposed on the identier sets imply that is associative
| thus the bracketing is unimportant. ^ and k are generalized accordingly.
3 Specication and Renement
A specication is represented by a triple
(I O R)
where I and O are disjoint sets of identiers, and R is a formula with the elements of I and O
as its only free variables. We refer to the elements of I and O as the input- and the outputidentiers, respectively. Each input-identier models the communication history of an input
channel and each output-identier models the communication history of an output channel.
R characterizes the allowed relation between the communication histories of the input-channels
and the communication histories of the output-channels and is therefore called the input/output
relation. Each communication history is modelled by a (possibly innite) stream of actions.
The denotation of a specication S def
= (I O R) is a set of stream processing functions mapping
named stream tuples onto named stream tuples, namely the set characterized by:
S ] def
= ff 2 I ! ! O! j 8 2 I ! : ( f ()) j= Rg
where ( f ()) j= R i R evaluates to true when each input identier i 2 I is interpreted as
(i), and each output identier o 2 O is interpreted as f ()(o).
The basic renement relation is represented by . It holds only for specications with identical
sets of input/output identiers. Given two specications S1 and S2 , then S1 S2 i S2 ] S1 ] . Thus a specication S2 renes a specication S1 i any function which satises S2 also
satises S1 . This corresponds to what is normally referred to as behavioral renement.
Given two specications S1 def
= (I1 O1 R1 ) and S2 def
= (I2 O2 R2 ), such that
I1 \ I2 = O1 \ O2 = then S1 S2 represents the network pictured in Figure 4. The channels modelled by O1 \ I2 and
O2 \ I1 are internal. The external input channels are represented by (I1 n O2 ) (I2 n O1 ), and
(O1 n I2 ) (O2 n I1 ) represents the external output channels. The denotation of this network is
characterized by
S1 S2 ] def
= ff1 f2 j f1 2 S1 ] ^ f2 2 S2 ] g:
The operator nj=1 is lifted from functions to specications in a similar way.
6
I1 O2
n
?
S1
O1 I2
n
O2 I1 O1 I2
\
?J
J
?
\
?
J
J
J
S2
I2 O1
?
n
O2 I1
?
n
Figure 4: S1 S2
4 Partial Renement
This section introduces a renement relation, called partial renement, which guarantees the
preservation of safety properties. The suitability of this renement relation for top-down system
development is investigated.
Given two specications
~ O
~ R~ )
S~ def
= (Q
S def
= (Q O R)
where Q Q~ and O O~ , then S~ is a partial renment of S , written S p S~, i
8f~ 2 S~ ] ) 9f 2 S ] : 8 2 Q~ ! : f~()=O v f ():
Thus S~ is a partial renement of S i for any function f~ which satises S~, there is a function
f which satises S , such that for any input history for the channels represented by Q~ , the
projection of f~() on O is a prex of f (). Remember that f () by denition is equal to
f (=Q).
We now prove that partial renement is reexive, transitive and a congruence with respect to
. This implies that whenever we have rened a specication S into a network of specications
nj=1 Sj such that
S p nj=1 Sj ()
and there is a network of specications nj=1 Sj such that
0
Sj p Sj
1 j n
0
then it also holds that
S p nj=1 Sj :
0
Thus the workload invested in establishing () does not have to be repeated when the renement
of the component specications of nj=1 Sj is continued.
We start by proving that p is reexive and transitive.
7
Proposition 1 Given three specications S1 S2 S3 whose input/output identiers are charac-
terized by (Q1 O1 ), (Q2 O2 ), (Q3 O3 ), respectively. Assume that Q1 Q2 Q3 and O1 O2 O3 . Then
(1) : S1 p S1 (2) : S1 p S2 ^ S2 p S3 ) S1 p S3 :
Proof: (1) follows trivially. To prove (2), assume
(3) : S1 p S2 (4) : S2 p S3 :
Let f3 be such that
(5) : f3 2 S3 ] :
(4) (5) imply there is an f2 such that
(6) : f2 2 S2 ] (7) : f3()=O2 v f2 ():
(3), (6) imply there is an f1 such that
(8) : f1 2 S1 ] (9) : f2()=O1 v f1 ():
(7) (9) and O1 O2 imply
(10) : f3 ()=O1 = f3 ()=O2 =O1 v f2()=O1 v f1 ():
The way (10) was deduced from (3) (4) implies (2).
end of proof
8
Before stating the general congruence property for partial renement, we prove an intermediate result, whose conclusion (3) is visualized by Figure 5. Thus we have four specications
S1 S2 S~1 S~2. Their sets of input/output identiers are characterized by (Q X O Y ),
~ O~ Y~ ), (Y~ Z
~ X~ K~ ), respectively. It is assumed that the sets
(Y Z X K ), (Q~ X
~ X
~ O
~ Y~ Z
~ K~ are all disjoint, and that Q Q~ , X X~ , O O~ , Y Y~ , Z Z~ ,
of identiers Q
~
K K.
Q
?
S1
O
?
?J
J
J
Y
?
S2
J
J
X
Z
?
Q~
p
K
S~1
O~
?
?
?
?J
J
Y~
Figure 5: Partial Renement
Proposition 2 If
(1) : S1 p S~1 (2) : S2 p S~2
then
(3) : S1 S2 p S~1 S~2 :
Proof: Let f~1 and f~2 be such that
(4) : f~1 2 S~1 ] (5) : f~2 2 S~2 ] :
(1), (2), (4), (5) imply there are f1 and f2 such that
(6) : f1 2 S1 ] (7) : f2 2 S2 ] (8) : f~1()=(O Y ) v f1 ()
(9) : f~2()=(X K ) v f2 ():
(3) follows if it can be shown that
(10) : f~1 f~2 ()=(O K ) v f1 f2():
Given some 2 (Q~ Z~ )! and assume that
(11) : f1 ^ f2 () = :
9
?
J
J
J
S~2
X~
Z~
?
K~
?
The monotonicity of f~1 and f~2 implies there are chains ~ , ~ such that
(12) : ~ 1 = _ (X~ Y~ 7! )
(13) : ~j = f~1 k f~2 (~j )
(14) : ~ j+1 = _ ~j :
(Remember that any stream processing function f
Q! ! O! where I Q.)
We want to prove that
2
I!
!
O! is overloaded to any domain
(15) : ~j =(O Y X K ) v :
The base-case follows trivially from (8), (9), (11), (12), (13) and the monotonicity of f1 and f2.
Assume for some k 1
(16) : ~k =(O Y X K ) v :
We show that
(17) : ~k+1 =(O Y X K ) v :
(13) implies that
(18) : ~k+1 =(O Y X K ) = f~1 k f~2(~k+1 )=(O Y X K ):
(18) and the denition of k imply that
(19) : ~k+1 =(O Y X K ) = f~1 (~k+1 )=(O Y ) _ f~2 (~k+1 )=(X K ):
(8), (9), (19) imply
(20) : ~k+1 =(O Y X K ) v f1 (~k+1 ) _ f2 (~k+1 ):
(14), (20) imply
(21) : ~k+1 =(O Y X K ) v f1 ( _ ~k ) _ f2 ( _ ~k ):
(16), (21) and the monotonicity of f1 and f2 imply
(22) : ~k+1 =(O Y X K ) v f1 ( _ ) _ f2 ( _ ):
(11), (22) imply (17). This ends the proof of (15).
(15) and the continuity of t imply
10
~ (O Y X K ) v :
(23) : t=
(12), (13), (14) imply
~
(24) : f~1 ^ f~2 () = t:
(11), (23), (24) and the fact that is equal to ^ plus hiding imply (10).
end of proof
Q
X
j
?
S
Q~
j
?
p
?
j
j
?
S~
j
O
X~
j
?
j
?
?
Y
O~
j
j
?
Y~
j
Figure 6: Partial Renement of the j 'th Component Specication
We now extend Proposition 2 to nite networks of n specications. Each of the n component
specications Sj is partially rened into a component specication S~j in accordance with Figure
6. Q~ j represents the external input channels, X~ j represents the internal input channels, O~j
represents the external output channels, and Y~j represents the internal output channels. This
means that nj=1 Xj = nj=1 Yj . It is assumed that the 3 n sets Q~ j X~ j O~j are all disjoint, that
the n sets Y~j are all disjoint and that Qj Q~ j , Xj X~ j etc. .
Proposition 3 If
(1) : Sj p S~j
1 j n
then
(2) : nj=1 Sj p nj=1 S~j :
Proof: Follows from Proposition 2 by induction on n.
end of proof
5 Total Renement
In the previous section a renement relation called partial renement was introduced. It was
shown that this relation is reexive, transitive and a congruence with respect to . Thus partial
11
renement is well-suited as a principle for top-down design. Unfortunately, partial renement
only preserves safety properties. To ensure the preservation of both safety and liveness properties
a stronger renement relation is needed | namely what we refer to as total renement.
Given two specications
S def
= (Q O R)
~ O
~ R~ )
S~ def
= (Q
where Q Q~ and O O~ , then S~ is a total renment of S , written S t S~, i
8f~ 2 S~ ] ) 9f 2 S ] : 8 2 Q~ ! : #=(Q~ n Q) = 1 ) f~()=O = f ():
Thus S~ is a total renement of S i for any function f~ which satises S~, there is a function f
which satises S , such that for any input history , whose projection on Q~ n Q is innite, the
projection of f~() on O is equal to f ().
The antecedent \projection on Q~ n Q is innite" may seem too strong. However, since we in this
paper restrict ourselves to synchronization protocols whose behavior depend only upon whether
an acknowledgement (demand) is received or not, and not upon what sort of acknowledgement
(demand) is received, this is exactly what is needed.
Assume Q = Q~ and O = O~ , then S t S~, i
8f~ 2 S~ ] ) 9f 2 S ] : 8 2 Q~ ! : f~() = f ()
which is equivalent to S~ ] S ] . Thus in this case total renement degenerates to behavioral
renement, which implies that total renement can be seen as a generalization of behavioral
renement.
We start by proving that t is reexive and transitive.
Proposition 4 Given three specications S1 S2 S3 whose input/output identiers are charac-
terized by (Q1 O1 ), (Q2 O2 ), (Q3 O3 ), respectively. Assume that Q1 Q2 Q3 and O1 O2 O3 . Then
(1) : S1 t S1 (2) : S1 t S2 ^ S2 t S3 ) S1 t S3 :
Proof: (1) follows trivially. To prove (2), assume
(3) : S1 t S2 (4) : S2 t S3 :
Let f3 be such that
(5) : f3 2 S3 ] :
(4) (5) imply there is an f2 such that
12
(6) : f2 2 S2 ] (7) : #=(Q3 n Q2 ) = 1 ) f3()=O2 = f2 ():
(3), (6) imply there is an f1 such that
(8) : f1 2 S1 ] (9) : #=(Q2 n Q1 ) = 1 ) f2()=O1 = f1 ():
Assume
(10) : #=(Q3 n Q1 ) = 1:
(10) and Q1 Q2 imply
(11) : #(Q3 n Q2 ) = 1:
(7), (11) imply
(12) : f3 ()=O2 = f2 () = f2 (=Q2 ):
(10) and Q2 Q3 imply
(13) : #(=Q2 )=(Q2 n Q1 ) = 1:
(9), (13) and Q1 Q2 imply
(14) : f2 (=Q2 )=O1 = f1 (=Q2 ) = f1():
(12) and O1 O2 imply
(15) : f2 (=Q2 )=O1 = f3 ()=O2 =O1 = f3 ()=O1 :
(14), (15) imply
(16) : f3 ()=O1 = f1 ():
The way (16) was deduced from (10) implies
(17) : #=(Q3 n Q1 ) = 1 ) f3 ()=O1 = f1 ():
The way (17) was deduced from (3), (4) implies (2).
end of proof
13
It has been proved that partial renement is a congruence with respect to the composition
operator . The same does not hold for total renement.
Example 1 Congruence Problem:
To see that total renement does not have this property, let
S1 def
= (fqg fyg y = q)
def
S2 = (fyg fkg k = y)
S~1 def
= (fq xg fyg y v q ^ #y = minf#x + 1 #qg)
def
S~2 = (fyg fx kg k = y ^ #x = maxf#y ; 1 0g):
Clearly S1 t S~1 and S2 t S~2 . Unfortunately, for all f
any nonempty stream s, it holds that
2
S1 S2 ] and f~ 2 S~1 S~2 ] , and
f (fq 7! sg) = fk 7! sg
f~(fq 7! sg) = fk 7! ft(s) & g:
Since s 6= ft(s) & if #s > 1 it follows that
S1 S2 6 t S~1 S~2:
2
What is required is some additional proof-obligation characterizing under what conditions total
renement is a \congruence" with respect to . To allow systems to be developed in a top-down
style this proof obligation must be checkable based on the information available at the point
in time where the renement step is carried out | for example this proof-obligation should
not require knowledge about how S~1 and S~2 are implemented. With respect to Example 1 the
following condition is obviously sucient:
8f~ 2 S~1 S~2 ] ) 9f 2 S1 S2 ] : f~() = f ()
():
If () holds there is no need to require that S1 t S~1 and S2 t S~2 . This fact also characterizes
the weakness of (). If we later decide to compose S~1 S~2 with another network S~3 such that
S3 t S~3 , then it is not easy to exploit the fact that we have already proved () when we now
decide to prove that
3j =1 Sj
t
3j =1 S~j :
What we want is a proof obligation which takes advantage of the fact that S1 t S~1 and S2 t S~2
in the sense that the formulation of this additional obligation is independent of S1 and S2 .
The problem observed in Example 1 is that total renement may lead to premature termination
when the specications are composed into networks with feedback loops. This phenomenon can
be understood as deadlock caused by an erroneous synchronization protocol.
With respect to the given semantics this problem occurs only when the renement step introduces
a new least xpoint | new in the sense that the least xpoint is reached too early. For the
renement step conducted in Example 1, it therefore seems sensible to require that for any
2 fqg! :
14
f~1 2 S~1 ] ^ f~2 2 S~2 ] ^ f~1 ^ f~2() = ^ 0
2 fxg1 ) f~1 ( _ _ 0 ) = =fy g
()
This condition states that when the least xpoint has been reached then the output along y will
not be extended if additional input is received along the feedback channel x. It makes sure that
no new least xpoint has been introduced as a result of the synchronization.
In some sense the proof-obligation corresponds to the freedom from deadlock tests in more
traditional proof systems OG76], St$91] and PJ91]. In Example 1 this proof obligation is not
fullled. However, if S~2 's input/output relation is replaced by
k = y ^ #x = #y
then () holds. Thus in the case of Example 1, () seems to be a reasonable proof-obligation.
The next step is to gure out how this obligation should look like in the general case.
Example 2 :
Let S1 , S2 and S~1 be as in Example 1, and let
S~2 def
= (fy z g fx kg k v y ^ #k = #x = minf#y #z g):
We then have that
S1 S2 t S~1 S~2:
Unfortunately, () does not hold. To see that, let f~1 2 S~1 ] , f~2 2 S~2 ] , and assume that q^ is
a stream such that #^q > 1. Clearly
f~1 ^ f~2 (fq 7! q^ z 7! g) = fy 7! ft(^q) & x 7! k 7! g:
Moreover
f~1(fq 7! q^ x 7! q^g) = fy 7! q^g:
Thus () is not satised.
2
In fact () must be weakened by adding assumptions about the environment's behavior. In the
case of Example 2 it seems sensible to require that for any 2 fq z g! :
f~1 2 S~1 ] ^ f~2 2 S~2 ] ^ f~1 ^ f~2() = ^ #(=fzg) = 1 ^ 0
)
2 fxg1
f~1( _ _ ) = =fyg:
0
This motivates the next proposition, which characterizes a condition under which a total renement corresponding to Figure 5 is valid. It is assumed that Q~ , X~ , O~ , Y~ , Z~ , K~ are disjoint sets
of identiers with corresponding subsets Q, Q^ , X , X^ , etc. such that Q^ = Q~ n Q, X^ = X~ n X ,
etc.
15
Proposition 5 If for any 2 (Q~ Z~)! , 2 (O~ Y~ X~ K~ )! , 2 (X^ Y^ )
0
1
(1) : S1 t S~1 (2) : S2 t S~2 (3) : f~1 2 S~1 ] ^ f~2 2 S~2 ] ^ f~1 ^ f~2 () = ^ #=(Q^ Z^ ) = 1
)
f~1 k f~2( _ _ )=(O Y X K ) = =(O Y X K )
0
then
(4) : S1 S2 t S~1 S~2 :
Proof: Assume (1), (2), (3). Let f~1 and f~2 be such that
(5) : f~1 2 S~1 ] (6) : f~2 2 S~2 ] :
(1), (2), (5), (6) imply there are f1 and f2 such that
(7) : f1 2 S1 ] (8) : f2 2 S2 ] (9) : #=(Q^ X^ ) = 1 ) f~1 ()=(O Y ) = f1 ()
(10) : #=(Y^ Z^ ) = 1 ) f~2()=(X K ) = f2 ():
It is enough to show that
(11) : #=(Q^ Z^ ) = 1 ) f~1 f~2 ()=(O K ) = f1 f2 ():
Given some 2 (Q~ Z~ )! such that
(12) : #=(Q^ Z^ ) = 1:
Assume that
(13) : f1 ^ f2 () = :
The monotonicity of f~1 and f~2 implies there are chains such that
(14) : ~ 1 = _ (X~ Y~ 7! )
(15) : ~ j+1 = _ ~j (16) : ~j = f~1 k f~2 (~j ):
As in the proof of Proposition 2 it follows straightforwardly by induction on j that
16
(17) : ~j =(O Y X K ) v :
(17) and the continuity of t imply
~ (O Y X K ) v :
(18) : t=
Since ~ characterizes the Kleene-chain, it also holds that
~
(19) : f~1 ^ f~2 () = t:
Assume
(20) : 0
^ Y^ )1 :
2 (X
(3), (5), (6), (12), (19), (20) imply
~ (O Y X Z ):
(21) : f~1 k f~2 ( _ (t~) _ )=(O Y X Z ) = t=
0
(9), (10), (12), (20) imply
(22) : f~1 k f~2 ( _ (t~) _ )=(O Y X Z ) = f1 k f2 ( _ (t~) _ ):
0
0
(20), (21), (22) imply
~ (O Y X Z ):
(23) : f1 k f2 ( _ (t~) _ ) = f1 k f2 ( _ (t~)) = t=
0
(13), (18), (23) imply
(24) : f1 k f2 ( _ (t~)) = f1 ^ f2 ():
(23), (24) imply
~ (O Y X Z ) = f1 ^ f2 ():
(25) : t=
(19), (25) imply
(26) : f~1 ^ f~2 ()=(O Y X K ) = f1 ^ f2 ():
(26) and the fact that is equal to ^ minus hiding imply (11).
end of proof
It can be argued that the freedom from deadlock test (3) of Proposition 5 is too strong, because
we may nd specications S1 , S2 , S~1 and S~2 which satisfy (1) (2) and (4), but not (3). For
17
example this is the case if:
S~1 def
= (fq xg fyg y v q ^ #y = minf#q #x + 1g)
~S2 def
= (fyg fk xg x = k = yj10 ):
S1 def
= (fqg fyg y = q)
def
S2 = (fyg fkg k = yj10 )
However, whenever we run into such a problem, which seems to be rather articial, there are
specications S1 S2 S~1 S~2 such that
0
S1 S2
0
0
0
S1 S2
0
0
S~1 S~2
0
0
S~1 S~2 holds, and
S1 S2 t S~1 S~2
0
0
0
0
follows by Proposition 5. For example, with respect to our example, this is the case if
S1 def
= (fqg fyg y = qj10 )
def
S2 = S2 0
0
S~1 def
= (fq xg fyg y v q ^ #y = minf#qj10 #x + 1g)
~S2 def
= S~2 :
0
0
Thus it is enough to strengthen the specications in such a way that the communication along
the internal channels is halted as soon as the external channels have reached their nal value.
Since is a special case of t it follows that Proposition 5 is (relative, semantic) complete
modulo a (relative, semantic) complete set of rules for behavioral renement.
Another point to note is that in practise it is normally so that whenever (3) holds we also have
that
f~1 2 S~1 ] ^ f~2 2 S~2 ] ^ f~1 k f~2( _ ) = ^ =(Q^ Z^ ) = 1
)
f~1 k f~2 ( _ _ )=(O Y X K ) = =(O Y X K ):
0
Thus in order to use Proposition 5 it is in most cases not necessary to characterize the leastxpoint solution.
We now generalize Proposition 5 in the same way as Proposition 2 was generalized in the
previous section. Thus we have a network of n component specications Sj which are totally
rened into component specications S~j in accordance with Figure 6. As before Q~ j represents
the external input channels, X~ j represents the internal input channels, O~ j represents the external
output channels, and Y~j represents the internal output channels. Moreover, we also have the
same constraints as earlier, namely that nj=1 X~ j = nj=1 Y~j , that the 3 n sets Q~ j X~ j O~j are
all disjoint, that the n sets Yj are all disjoint, and that Qj Q~ j , Xj X~ j etc. In addition,
let Q~ = n1 Q~ j , O~ = nj=1 O~j , Y~ = nj=1 Y~j , O = nj=1 Oj , Y = nj=1 Yj , Q^ = nj=1 (Q~ j n Qj ),
X^ = nj=1 (X~j n Xj ), Y^j = Y~j n Yj .
18
Proposition 6 If for any 2 Q~ ! , 2 (O~ Y~ )! , 2 X^
0
1
(1) : Sj t S~j
1 j n
(2) : ^nj=1 f~j 2 S~j ] ^ (
^ nj=1 f~j )() = ^ #=Q^ = 1
)
(knj=1 f~j )( _ _ )=(O Y ) = =(O Y )
0
then
(3) : nj=1 Sj t
nj=1 S~j :
Proof: Assume (1), (2). Let
(4) : f~j 2 S~j ]
1 j n:
(1), (4) imply there are functions f1 : : : fn such that
(5) : fj 2 Sj ] 1 j n
(6) : #=(Q^ j X^ j ) = 1 ) f~j ()=(Oj Yj ) = fj ()
1 j n:
It is enough to show that
(7) : #=Q^ = 1 ) (
nj=1 f~j )()=O = (
nj=1 fj )():
Given some 2 Q~ ! such that
(8) : #=Q^ = 1:
Assume that
(9) : (
^ nj=1 fj )() = :
The monotonicity of the functions f~1 : : : f~n implies there are chains such that
(10) : ~ 1 = _ (X~ Y~ 7! )
(11) : ~ j+1 = _ ~j (12) : ~j = (knl=1 f~l )(~j ):
As in the proof of Proposition 2 it follows straightforwardly by induction on j that
(13) : ~j =(O Y ) v :
(13) and the continuity of t imply
19
~ (O Y ) v :
(14) : t=
Since ~ characterizes the Kleene-chain, it also holds that
~
(15) : (
^ nj=1 f~j )() = t:
Assume
(16) : 0
^ 1:
2X
(2), (4), (8), (15), (16) imply
~ (O Y ):
(17) : (knj=1 f~j )( _ (t~) _ )=(O Y ) = t=
0
(6), (8), (16) imply
(18) : (knj=1 f~j )( _ (t~) _ )=(O Y ) = (knj=1 fj )( _ (t~) _ ):
0
0
(16), (17), (18) imply
~ ( O Y ):
(19) : (knj=1 fj )( _ (t~) _ ) = (knj=1 fj )( _ (t~)) = t=
0
(9), (14), (19) imply
(20) : (knj=1 fj )( _ (t~)) = (
^ nj=1 fj )():
(19), (20) imply
~ (O Y ) = (
^ nj=1 fj )():
(21) : t=
(15), (21) imply
(22) : (
^ nj=1 f~j )()=(O Y ) = (
^ nj=1 fj )()
(22) and the fact that is equal to ^ minus hiding imply (7).
end of proof
Example 3 Introducing Channel Constraints:
To see how Proposition 6 can be employed in practise, assume we have a network consisting of n
specications composed in sequence as indicated by Figure 7. The network communicates with
its environment via x0 and xn . Each specication Sj characterizes a component which applies
20
?
x0
?
x1
S1
x2
x
S2
n;1
?
x
n
n
:::
S
Figure 7: Asynchronous Network
an operation represented by the function gj to each message received on xj 1 and outputs the
result along xj . This means that the j 'th component is required to satisfy the specication
;
Sj def
= (fxj
;
fxj g xj = map(xj 1 gj ))
1g
;
where map(s f ) is equal to the stream we get by applying the function f to each element of the
stream s.
Assume we want to implement this network employing some architecture based on hand-shake
communication. We then get the network pictured in Figure 8.
J
J
?
x0
J
?J
J
~
J
J
S1
J
y0
?
x1
J
J
?J
~
J
y1
S2
J
J
J
J
J
x2
J
J
y2
n;1
x
:::
J
J
?
J
J
n;1 J
y
?J
~n
S
J
x
n
J
J
J
nJ
y
Figure 8: Synchronous Network
Each of these new components is characterized by
S~j def
= (fxj 1 yj g fxj yj
;
1g
;
R~j )
where
R~ j def
= xj v map(xj 1 gj ) ^ #xj = minf#xj 1 #yj + 1g ^ yj 1 = xj :
;
;
;
Clearly
Sj t S~j
1 j n:
Since each R~ j is deterministic and
#yn = 1 ^ (^nj=1 R~ j ) ) ^nj=1 R~ j yy _ y ]
j
j
0
j
where R~ j yy _ y ] denotes that each occurrence of yj in R~ j is replaced by the expression yj _ yj ,
it follows by Proposition 6 that
j
j
0
0
j
21
nj=1 Sj
t n S~j
j=1
():
Hand-shake communication is of course not the only way to synchronize the network pictured
in Figure 7. Assume the architecture chosen for the implementation oers channels which can
store up to 100 messages. We may then redene the input/output relation of S~j as below:
R~ j def
= xj v map(xj 1 gj ) ^
#xj = minf#xj 1 (#yj + 1) 100g ^ #yj 1 = #xj ==100:
;
;
;
Again it follows straightforwardly by Proposition 6 that this is a correct total renement.
Of course that the network in Figure 8 is a total renement of the network in Figure 7 does not
mean that buer overow cannot occur. It remains the developer's responsibility to formulate
a correct protocol. For example if
R~ j def
= xj = map(xj 1 gj )
;
then () although there is no synchronization between the components in nj=1 S~j | the output
along xj is completely independent of the input along yj . On the other hand, if
R~ j def
= xj v map(xj 1 gj ) ^ #xj = minf#xj 1 #yj + 1g ^ yj 1 = xj 1 ;
;
;
;
then () holds, and buer overow cannot occur. However, there is no correct implementation
of S~j which require only a bounded amount of local memory. Thus in this case the buer overow
problem has been transferred from the channels to the components.
2
6 Conclusions
Since Kahn's inuential paper on the modeling of deterministic dataow networks was published in 1974 Kah74], a number of authors has proposed formalisms for the specication of
reactive systems based on asynchronous communication via unbounded, directed channels (see
for example Kel78], BA81], Par83], Kok87], Jon87], LT87], BDD+ 93]). The unboundedness
assumption is very useful when specifying and reasoning about systems at an abstract level.
However, at some point in a development this assumption must be discharged in the sense that
the communication is synchronized in order to avoid channel overow. The contribution of this
paper is the formulation of a renement relation allowing this transition from unbounded to
bounded communication to be conducted in a natural way.
We rst proposed a relation for partial correctness | called partial renement, which then was
generalized into a renement relation for total correctness | called total renement. Partial
renement guarantees only the preservation of safety properties. To be sure that both safety
and liveness properties are preserved, the principle of total renement is required.
Partial renement was proved to be reexive, transitive and a congruence with respect to the
composition operator on specications. It was shown that total renement characterizes a
reexive and transitive relation, but does not satisfy the congruence property. The problem was
found to be that deadlocks can be introduced when feedback loops are added | deadlock in the
22
sense that the least xpoint is reached too early. Nevertheless, we have shown that rules can be
formulated which allow for top-down system development in a modular style | modular in the
sense that design decisions can be checked at the point in a development where they are made,
i.e., on the basis of the component specications alone, without knowing how they are nally
implemented. In addition to the obvious premise that each (concrete) component specication
is a total renement of the corresponding (abstract) component specication, a freedom from
deadlock test must be fullled.
As already explained the proposed renement relation is mainly suited for synchronization which
does not distinguish between dierent types of acknowledgements (or demands) | what matters
is whether an acknowledgement (demand) is received or not, i.e., not whether an acknowledgement (demand) of a special sort is received.
There are several ways of generalizing total renement. For example the following denition
8f~ 2 S~ ] ) 9f 2 S ] : 8 2 Q~ : 9
0
~ n Q)! ) f~( _ 0 )=O
2 (Q
= f ()
is stronger, but leads to more complicated proof-obligations based on an assumption/commitment
style of reasoning AL90], SDW93].
Another approach is to try to combine the ideas of this paper with what Bro93] calls interface
interaction renement, which can be understood as behavioral renement modulo two representation specications allowing also the input and the output histories (including the number of
channels and their types) to be rened. When the representation specications are suciently
constrained interface interaction renement is a congruence with respect to the composition
operator on specications Bro92]. We believe the resulting relation would be suciently general to support the more sophisticated types of synchronization like for example demand driven
communication in terms of the class-climbing principle AvT87] where the demands sent along
certain channels are required to be fairly distributed over a set of classes.
7 Acknowledgements
The author has beneted from discussions with Manfred Broy and Bernhard Sch%atz.
References
AL88]
M. Abadi and L. Lamport. The existence of renement mappings. Technical Report 29, Digital, Palo Alto, 1988.
AL90] M. Abadi and L. Lamport. Composing specications. Technical Report 66, Digital,
Palo Alto, 1990.
AvT87] J.K. Annot and R.A.H. van Twist. A novel deadlock free and starvation free packet
switching communication processor. In Lecture Notes in Computer Science 258, pages
68{85, 1987.
BA81] J. D. Brock and W. B. Ackermann. Scenarios: A model of non-determinate computation. In J. Diaz and I. Ramos, editors, Proc. Formalization of Programming
Concepts, Lecture Notes in Computer Science 107, pages 252{259, 1981.
BD92] M. Broy and C. Dendorfer. Modelling operating system structures by timed stream
processing functions. Journal of Functional Programming, 2:1{21, 1992.
23
BDD+ 93] M. Broy, F. Dederichs, C. Dendorfer, M. Fuchs, T. F. Gritzner, and R. Weber. The
design of distributed systems | an introduction to Focus (revised version). Technical
Report SFB 342/2/92 A, Technische Universit%at M%unchen, 1993.
Bro92] M. Broy. Compositional renement of interactive systems. Technical Report 89,
Digital, Palo Alto, 1992.
Bro93] M. Broy. (Inter-) Action renement: The easy way. In M. Broy, editor, Proc. Program
Design Calculi, Summerschool, Marktoberdorf, pages 121{158. Springer, 1993.
HJH90] J. He, M. Josephs, and C. A. R Hoare. A theory of synchrony and asynchrony. In
M. Broy and C. B. Jones, editors, Proc. IFIP WG 2.2/2.3 Working Conference on
Programming Concepts and Methods, pages 459{478, 1990.
Hoa72] C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica,
1:271{282, 1972.
Jon87] B. Jonsson. Compositional Verication of Distributed Systems. PhD thesis, Uppsala
University, 1987.
Kah74] G. Kahn. The semantics of a simple language for parallel programming. In J.L.
Rosenfeld, editor, Proc. Information Processing 74, pages 471{475. North-Holland,
1974.
Kel78] R. M. Keller. Denotational models for parallel programs with indeterminate operators. In E. J. Neuhold, editor, Proc. Formal Description of Programming Concepts,
pages 337{366. North-Holland, 1978.
Kok87] J. N. Kok. A fully abstract semantics for data ow nets. In Proc. PARLE'87, Lecture
Notes in Computer Science 259, pages 351{368, 1987.
LT87] N. Lynch and M. R. Tuttle. Hierarchical correctness proofs for distributed algorithms.
In Proc. 6th Annual ACM Symposium on Principles of Distributed Computing, pages
137{151, 1987.
OG76] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. Acta
Informatica, 6:319{340, 1976.
Par83] D. Park. The \fairness" problem and nondeterministic computing networks. In
J. W. de Bakker and J van Leeuwen, editors, Proc. 4th Foundations of Computer
Science, Mathematical Centre Tracts 159, pages 133{161. Mathematisch Centrum
Amsterdam, 1983.
PJ91]
P. K. Pandya and M. Joseph. P-A logic | a compositional proof system for distributed programs. Distributed Computing, 5:37{54, 1991.
SDW93] K. St$len, F. Dederichs, and R. Weber. Assumption/commitment rules for networks
of asynchronously communicating agents. Technical Report SFB 342/2/93 A, Technische Universit%at M%unchen, 1993.
St$91] K. St$len. A method for the development of totally correct shared-state parallel
programs. In J. C. M. Baeten and J. F. Groote, editors, Proc. CONCUR'91, Lecture
Notes in Computer Science 527, pages 510{525, 1991.
24