Concurrent Pascal

Home , Concurrent Pascal, Per Brinch Hansen

199 lEEE 2, JUNE 1975 The Programming Language Concurrent Pascal

PER BRINCH HANSEN

Abstract—The paper describes a new programming language for structured programming of computer operating systems. It extends the sequential programming language Pascal with concurrent programming tools called processes andmonitors. Section I explains these concepts informally by means of pictures illustrating a hierarchical design of a simple spooling system. Section IIuses the same example to introduce the language notation. The main contribution of Concurrent Pascal is to extend the monitor concept with an explicit hierarchy of access rights to shared data structures that can be statedin the program text and checked by a compiler.

Index Terms Abstract data types, access rights, classes, concurrent processes,— concurrent programming languages, hierarchical operating systems, monitors, scheduling, structured multiprogramming.

I. THE PURPOSE OF CONCURRENT PASCAL

A. Background Fig. 2. Process. 1972 I have been working on a newprogramming programming computer SINCElanguage for structured of The next picture shows a process component in more operating systems. This language is called Concurrent detail (Fig. 2). language Pascal. It extends the sequential programming A process consists of a private data structure and a processes Pascal with concurrent programming tools called sequential program that can operate on the data. One and monitors [l]-[3]. process cannot operate on the private data of another Pascal. It This is an informal description of Concurrent process. But concurrent processes can share certain data to bring out the uses examples, pictures, and words crea- structures (such as a disk buffer) The access rights of a concepts without getting . tive aspects of newprogramming process mention the shared data it can operate on. into their finer details. I plan to define these concepts preciselyand introduce a notation for themin laterpapers. C. Monitors may imprecise from a formal This form of presentation be A disk buffer is a data structure shared by two concur- perhaps more effective from a human point of view, but is rent processes. The details of how such a buffer is con- point of view. structed are irrelevant to its users. All the processes need to they can send and receive data through it. B. Processes know is that If they try to operate on the buffer in any other way it is We will study concurrent processes inside an operating probably either a programming mistake or an example of system and look at one small problem only: how can large tricky programming. In both cases, one would like a amounts of data be transmitted from one process to compiler to detect such misuse of a shared data structure. another by means of a buffer stored on a disk? To make this possible, we must introduce a language Fig. 1 shows this little system and its three components : construct that will enable aprogrammerto tell a compiler a process that produces data, a process that consumes how a shared data structure can be used by processes. data, and a disk buffer that connects them. This kind of system component is called a monitor. A Thecircles are system components and the arrows are the monitor can synchronize concurrent processes and trans- access rights of these components. They show that both mit data between them. It can also control the order in processes can use the buffer (but they do not show that which competing processes use shared, physical resources. data flows from the producer to the consumer) . Thiskind Fig. 3 shows a monitor in detail. of picture is an access graph. A monitor defines a shared data structure and all the operations processes can perform on it. These synchroniz- Manuscript received February 1, 1975. This project is supported ing operations are called monitor procedures. A monitor by the National Science Foundation under Grant DCR74- 17331. also defines an initial operation that will be executed when The author is with the Department of Information California Institute of Technology, Pasadena, Calif. 91125. its data structure is created.

TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. SE-1,NO.

Science, 200 lEEE TRANSACTIONS JUNE 1975 PASCAL 201 Access rights Shored data Virtual disk Card reader Disk buffers Line printer Console Synchronizing operations Console resource Disk buffer Initial operation Fig. Virtual consoles Input process Job process Output process 5. Buffer refinement. Fig. 3. Monitor. Fig. 4. Spooling system. Fig. 7. Decomposition of virtual consoles.

We can define Virtual consoles a disk buffer as a monitor. Within this the disk. So a monitor can also have access rights to other monitor there will be shared variables that define the system components (see Fig. 3) . location and length of the buffer on the disk. There will Disk also be two monitor procedures, send and receive. The D - system Design Console resource initial operation Disk resource will make sure that the buffer starts as A process executes a sequential program-itis active an empty one. an component. A monitor is just a collection of procedures Virtuol consoles Processes cannot operate directly on Virtual disks shared data. They that do nothing until they are called by processes-it is a can only call monitor procedures that have access to passive component, But there are strong similarities Fig. 6. Decomposition of virtual disks. shared data. A monitor procedure is executed as part of a between a process and a monitor: both define a data calling process (just like any other procedure) . structure (private or shared) and the meaningful opera- lf concurrent processes Each virtual disk is only used by a single disk buffer simultaneously call monitor tions on it, The main difference between processes procedures and (Fig. 5). A system component that cannot be that operate on the same shared data these monitors is the way they are scheduled for execution called procedures must be executed simultaneously by several other components will be called strictly one at a time. Other- It seems natural therefore to regard processes and wise, the results of monitor a class. A class defines a data structure and the possible calls will be unpredictable, monitors as abstract data types defined in terms of the This means that the machine operations on it (just like a monitor). The exclusive must be able to delay operations one can perform on them. If a compiler can processesfor short periods access of class procedures to class variables can be guaran- of time until it is their turn to check that these operations are the only ones carried execute monitor procedures. teed completely at compile time. The virtual machine We will not be concerned out on the data structures, then we may be able to build about how this is done, does not have to schedule simultaneous calls of class but will just notice that a monitor very reliable, concurrent programs in which controlled Input process Job process Output process procedure procedures at run time, because such calls cannot occur. has exclusive access to shared data while it is access to data and physical resources is guaranteedbefore being This makes class calls considerably faster than monitor Fig. 8. Hierarchicalsystem structure. executed. these programs are put into operation. We have then to bo the (virtual) calls. machine on which concurrentprograms some extent solved the resource protection problem in the run The spooling system includes two will handle short-term scheduling of simultaneous cheapest possible manner (without hardware virtual disks but to control disk scheduling within the monitor illusory. To mechanisms onlyonereal disk. So we a monitor calls. But the programmer must also be able to and run time overhead). need single disk resource monitor give the programmercomplete control of disk scheduling, delayprocesses longer to control the order in which competing processes use processes to enter queue for periods of time if their requests So we will define processes and monitors as data types the should be able the disk during for data disk (Fig. 6). This monitor defines two procedures, request and other resources cannot be satisfied immedi- and make it possible to use several instances of the same disk transfers. Since arrival and service in the disk queueing ately. If, for example, a process and release access, to be called by a virtual disk before and system are tries to receive data from component type in a system. We can, for example, use potentially simultaneous 'Operations they must an empty disk buffer after each disk transfer. be handled by different it must be delayed until another two disk buffers to build a spooling system with an input system components, as shown in process sends more data. It would seem simpler to replace the virtual disks and Fig. 6. procesS) a job procesS; and an Qutput prQcegs (Rg 4) j Concurrent Pascal includes a simple the disk resource by a single monitor that has exclusive If the disk fails persistently during input/output this data type, called will distinguish between definitions and instances of com- a queue, that can be access to the disk and does the input/output. This would on an operator's used by monitorprocedures tocontrol ponents by calling them system types and system compo- should be reported console. Fig. 6 shows medium-term scheduling processes. certainly guarantee that processes use the disk one at a two instances of a class type, a They of A monitor can either nents. Access graphs (such as Fig. 4) will always show called virtual console. delay a process time. But this would be done according to the built-in give calling in a queue or continue another system components (not system types) the virtual disks the illusion that they have their process that is short-term scheduling policy of monitor calls. own private waiting in a queue. It is not important Peripheral devices are considered to be monitors imple- consoles. here to understand Now to make a virtual machine efficient, one must use The virtual consoles get how these queues work exceptfor the mented in hardware. They can only be accessedby a single exclusive access to a single, real following essential a very simple short-term scheduling rule (such as first console by calling a console 7). rule : aprocess only has exclusive access procedure io that delays the calling process until an input/ resource monitor (Fig. to shared data as long come, first served) [2]. If the disk has a moving access Notice that we now have standard as it continues to executestatements output operation is completed. Interrupts are handled by a techniquefor dealing within a head this is about the worst possible algorithm one with monitorprocedure. As soon as aprocess is delayed the virtual machine on which processes run. can virtual devices. m a it its use for disk transfers. It is vital language queue loses exclusive access until another process To make the programming language useful for stepwise that the make If we put all these system components together, we get calls the same monitor it possible for the programmer to write a medium-term a complete picture a simple spooling system 8). and wakes it up again. (Without system design it should permit the division of a system of (Fig. this rule, it would scheduling algorithm that will minimize disk head move- Classes, monitors, processes C, M, be impossible for other processes to type, such as a disk buffer, into smaller systemtypes. One and aremarked and P. enter a monitor and let waiting processes ments [3]. The data type queue mentioned earlier makes continue their of these other system types should give a disk buffer Scope eX( U lOn it possible to implement arbitrary scheduling rules within E. Rules access to the disk. We will call this system type virtual Althoughi u 'u u a a monitor. I the disk buffer example does not show this disk. It gives a disk buffer the illusion that it has its Some years ago was part of a team that built a multi- yet, procedures own The difficulty is that while a monitor is performing an monitor should also be able to call pro- private disk. A virtual disk hides the details of disk input/ programming system in which processes can appear and cedures defined within other monitors. Otherwise, input/output operation it is impossible for other processes disappear dynamically [4]. In practice, this system was the output from the rest of the system and makes the disk to language will not be very useful for hierarchical design, enter the same monitor and join the disk queue, They used mostly to set up a fixed configuration of processes. look like a data structure (an array of disk pages). The will In the case of a disk buffer, one of these other monitors only operations automatically be delayed by the short-term scheduler Dynamic process deletion will certainly complicate the on this data structure are read and write and only allowed to could perhaps define simple input/output operations on a page. enter the monitor one at a time after semantics and implementation of aprogramming language each disk transfer. This will, of course, make the attempt considerably. And since it appears to- be unnecessary for

ON SOFTWARE ENGINEERING, BRINCH HANSEN: PROGRAMMING LANGUAGE CONCURRENT

C \ 203 I PROGRAMMING CONCURRENT 202 lEEE JUNE 1975 type outputprocess = large class of 11. THE USE OF CONCURRENT PASCAL a real-time applications, it seems wise to ponentby component, bottom up (but could, of course, be process(buffer: diskbuffcr) ; exclude it altogether. So an operating system written in conceived top down or by iteration) . When an incomplete A. Introduction var block: page; Concurrent Pascal will consist of a fixed number of pro- operating system has been shown to work correctly (by In Section I the concepts of Concurrent Pascal were cycle cesses, monitors, and classes. These components and their proof or testing) , a compiler can ensure that this part of receive(block) ; explained informallyby means of pictures of a hierarchical buffer . data structures will exist forever after system initializa- the system will continue to work correctly when new (block) system. I will now use the same example to in- printlmes ; tion. An operating system can, however, be extended by untested program components are added on top of it. spooling the language notation of Concurrent Pascal. The end recompilation. It remains to be seen whether this restric- Programming errors within new components cannotcause troduce is still informal. lam neither trying to define ii } a declaration of the main system tion will simplify or complicate operating system design. old components to fail because old components do not presentation Thc f0 ow ng shows language precisely nor to develop a working system. But the poor quality of most existing operating systems call new components, and new components only call old the components: This will be done in other papers. I am just trying to show clearly demonstrates an urgent need for simpler ap- components through well-defined procedures that have var bufferl, buffer2: diskbuffcr; proaches. the flavor of the language. alreadybeen tested. reader: inputprocess; In existing programming languages the data structures (Strictly speaking, a compiler can only check that B. Processes master: jobprocess; of processes, monitors, and classes would be called "global single monitor calls are made correctly; it cannot check will now program the system components in Fig. 8 writer: outputprocess; data." This term would be misleading in Concurrent sequencesof monitor calls, for example whether a resource We one at a time from top to bottom (but we could just as j mpu process, called the reader, a job process, Pascal where each data structure can be accessed by a is always reserved before it is released. So one can only Tnere s an t up) process, called the writer. single component only. It seems more appropriate to call hope for compile time assurance of partial correctness.) well do it bottom . called the master, and an output Although we only need one input process, we may as two digk buffers, and buffer2, that them permanent data structures. Several other reasons besides program correctness make Then there are bufferl as a general system type of which several I have argued elsewhere that the most dangerous aspect a hierarchical structure attractive: well define it connect them may exist: explain how a disk buffer is defined and of concurrent programming is the possibility of time- 1) a hierarchical operating system can be studied in a copies Later I will that the disk buffers already dependentprogramming errors that are impossible to locate stepwise manner as a sequence of abstract machines simu- type inputprocess = initialized. If we assume have initialized, we can initialize the input process by program testing ("lurking bugs") [2], [s], [6]. If we lated by programs [8]; process (buffer: diskbuffer) ; been as are going to depend on real-time programming systems 2) a partial ordering of process interactions permits varblock: page; follows: , reader(bufferl) in our daily lives, we must be able to find such obscure one to use mathematical induction to prove certain overall init errors before the systems are put into operation. properties of the system (such as the absence of dead- readcards (block) ; The j^ statement allocates space for the private variables Fortunately, a compiler can detect many of these errors locks) [2]; sequential buffer . send(block) ; 0f the reader process and starts its execution as a if processes and monitors are represented by a structured 3) efficient resource utilization can be achieved by end process with access to bufferl. notation in a high-level programming language. In addi- ordering the program components according to the speed access rights of a process to other system com- An input process has access to a buffer of type diskbuffer The tion, we must exclude low-level machine features (regis- of the physical resources they control (with the fastest such as bufferl, are also called its parameters. A (to defined later) . The process has a private variable ponents, ters, addresses, and interrupts) from the language and resources being controlled at the bottom of the system) be only initialized once. After initialization, block of type page. The data type page is declared else- process can be let a virtual machine control them. If we want real-time [8]; and private* variables of a process exist where as an arrayof characters: the parameters systems to be highly reliable, we must stop programming 4) a hierarchical system designed according to the forever. They are called permanent variables. them in assembly language. (The use of hardware protec- previous criteria is often nearly decomposable from an type page = array (.1..512.) of char The init statement can be used to start concurrent tion mechanisms is merely an expensive, inadequate way analytical point of view. This means that one can develop their a sequential program-in this execution of several processes and define access of making arbitrary machine language programs behave stochastic A process type defines models of its dynamic behavior in a stepwise cycle that inputs a block from a card rights. As an example, the statement almost as predictably as compiled programs.) [9]. case, an endless manner through buffer to another process. buffer2) , A Concurrent Pascal compiler will check that the private reader and sends it the init rpader(bufferl) , master(bufferl , the details of card reader input. data of a process only are accessed by that process. It F. Final Remarks We will ignore writer (buffer'2) The send operation on the buffer is called as follows will also check that the data structure a or (wi.th of class monitor It seems most natural to represent a hierarchical system : starts concurrent execution of the reader process only is procedures. (using the block as a parameter) accessed by its structure, such as Fig. 8, by a two-dimensional picture. access tobufferl) , the masterprocess (with access to botn Fig. 8 shows that access rights within an operating sys- But when we write a concurrent program we must some- send (block) buffers), and the writer process (with access to buffer2). tem normally are not tree structured. Instead they form how represent these access rules by linear text. This can only its ownparameters and private The next component type we will define is a jobprocess: A process access a directed graph. This partly explains why the traditional limitation of written language tends to obscure the sim- variables. The latter are not accessible to other system scoperules of block-structured languages are inconvenient plicity of the original structure. That is why I have tried type jobprocess = components. Compare this with the more liberal scope for concurrent programming (and diskbuffer) for sequential pro- to explain the purpose of Concurrent Pascal by means of process (input, output: ; rui es 0f block-structured languages in which a program gramming as well) . In Concurrent Pascal one can state pictures instead of language notation. varblock : page ; block can access not only its own parameters and local the access rights of components in the program text and The class concept is a restricted form of the class con- cycle variables, but also those declared in outer blocks. In have them checked by a compiler. cept of Simula 67 [10]. Dijkstra suggested the idea of input,receive(block) ; Concurrent Pascal, all variables accessible to a system Since the execution of a monitor procedure will delay monitors [B]. The first structured language notation for update (block) ; component are declared within its type definition. This the execution of further calls of the same monitor, we monitors was proposed in [2], and illustrated by examples output,send (block) ; access rule and the init statement make it possible for a must prevent a monitor from calling itself recursively. in [3]. The queue variables neededby monitors for process end programmer to state access rights explicitly and have Otherwise, processes can become deadlocked. So the com- scheduling were suggested in [5] and modified in [3]. by a compiler. They also make it possible A job process has access to two disk buffers called input them checked pilerwill check that theaccess rights of systemcomponents The main contribution of Concurrent Pascal is toextend system type as a self-contained program unit, and output. It receives blocks from one buffer, updates to study a are hierarchically ordered (or, if you like, that there are monitors with explicit access rights that can be checked examples do not show this, them and sends them through the other buffer. The Although the programming no cycles in the access graph) . at compile time. Concurrent Pascal has been implemented constants, types, and Procedures details of updating can be ignored here. one can also define data The hierarchical ■ordering of system components has at Caltech for the PDP computer. Our system These objects can only be used within 11/45 Finally, we need an output process that can receive data within a process. vital consequences for system design and testing [7]. uses sequential Pascal as a job control and user program- a disk buffer and output them on a line printer : the process type. A hierarchical operating system will be tested com- ming language. from

PASCAL BRINCH HANSEN LANGUAGE TRANSACTIONS ON SOFTWARE ENGINEERING,

buffer, 204 lEEE JUNE 1975 205

C. Monitors The queuing mechanism will be explained in detail in D. Queues Theinitial statementof a virtual disk initializesitsvirtual The disk buffer is a monitor type: the next section. A monitor procedure can delay a calling process for console and the real disk. The initial statement of a disk buffer initializes its any length of time by executing a delay operation on a Section 11-C shows an example of how a virtual disk is type diskbuffer = virtual dis'k with access to the console and disk resources. queue variable. Only one process at a time can a declared and initialized (within a disk buffer) . monitor (consoleaccess, diskaccess: wait in resource; It also sets the buffer length to zero. (Notice, that a disk queue. When a calling process is delayed by a monitor A class can only be initialized once. After initialization, base, limit: integer) ; buffer does not use its access rights to the console and procedure it loses its exclusive access to the monitor its parameters and private variables exist forever. A class only its own var disk: virtualdisk; sender, receiver: queue; disk, but only passes them on to a virtual disk declared variables until another process calls the same monitor procedure can access temporary and per- head, tail, length: integer; within it. ) and executes a continue operation on the queue in which manent variables. These cannot be accessed by other The following shows a declaration of two system com- the process is waiting. components. procedure entry (block: page) send ; ponents of type resource and two integers defining the operation calling process return A class is a system component that cannot be called begin Thecontinue makes the base and limit of a disk buffer : from its monitor call. If any process is waiting in the simultaneously by several other components. This is if length = limit then delay(sender) ; selected queue, it will immediately resume the execution guaranteed by the following rule : a class must be declared disk, write(base + tail, block) ; varconsoleaccess, diskaccess: resource; of the monitor procedure that delayed it. After being as a permanent variable within a system type; a class tail : = (tail + 1) mod limit; base, limit: integer; resumed, the process again has exclusive access to the can be passed as a permanent parameter to another class length : = length + 1 buffer: diskbuffer; permanent variables of the monitor. (but not to a process or monitor). So a chain of nested continue(receiver) ; Other of process queues (called class calls can only be started by a single process or moni- end; variants "events" and If we assume that these variables already have been "conditions") are proposed in [3], [s]. They are multi- tor. Consequently, it is not necessary to schedule simultaneous they procedure entry receive (var block: page) initialized, we can initialize a disk buffer as follows : process queues that use different (but fixed) scheduling class calls at run time— cannot occur. begin rules. We do not yet know from experience which kind of init buffer limit) if length = 0 then delay(receiver) ; (consoleaccess, diskaccess, base, queuewill be the most convenient one for operating system F. Input/Output single-process queue disk,read (base + head, block) ; design. A is the simplest tool that The real disk is controlled by a class head:= (head + 1) mod limit; The init statement allocates storage for the parameters gives the programmercomplete control of the scheduling length:= length 1; and shared variables of the disk buffer and executes its of individual processes. Later, I will show how multi- type disk = class — initial statement. can single-process continue (sender) ; process queues be built from queues. with two procedure entries end; A monitor can only be initialized once. After initializa- A queue must be declared as a permanent variable tion, the parameters and shared variables of a monitor within a monitor type. read(pageno, block, error) begin "initial statement" exist forever. They are called permanent variables. The write (pageno, block, error) init disk(consoleaccess, diskaccess) ; parameters and local variables of a monitor procedure, E. Classes 0; The class uses a standard procedure head:= o;tail:= length: = 0; however, exist only while it is being executed. They are Every disk buffer has its own virtual disk. A virtual end called temporary variables. disk is defined as a class type: io(block, param, device) A monitor procedure can only access its own temporary A disk buffer has access to two other components, type virtualdisk to transfer a block to or from the disk device. The io and permanent variables. These variables are not ac- = consoleaccess and diskaccess, of type resource (to be de- parameter a cessible to other system components. Other components class (consoleaccess, diskaccess: resource) ; is record fined later). It also has access to two integer constants can, however, call procedure entries within a monitor. varterminal: peripheral: varparam : record defining the base address and limit of the buffer on the virtualconsole; disk; While a monitor procedure is being executed, it has ex- operation : iooperation ; disk. procedure entry read (pageno: integer; varblock: page) ; clusive access to the permanent variables of the monitor. If ioresult; The monitor declares a set of shared variables: the disk var error: boolean; result: concurrent processes try to call procedures within the pageno: integer is declared as a variable of type virtualdisk. Two variables begin same monitor simultaneously, these procedures will be end of type queue are to delay sender receiver repeat used the and executed strictly one at a time. processes until the buffer becomes nonfull and nonempty. diskaccess request ; that defines input/output Only monitors and constants can be permanent param- . an operation, its result, and a Three integers define the relative addresses of the head peripheral,read (pageno, block, error) ; page number on the disk. The process eters of processes and monitors. This rule ensures that calling is delayed and tail elements of the buffer and its current length. diskaccess release until io operation has been completed. processes only communicate by means of monitors. . an The monitor defines two monitor procedures, send and if error then terminal write ( 'disk failure') ; A virtual console is also defined as a class It is possible to define constants, data types, and local . receive. They are marked with the word entry to dis- until noterror; procedures within monitors (and processes). The local tinguish them from local procedures used within the end; type virtualconsole = procedures of a system type can only be called within (access: ; monitor (there are none of these in this example) class resource) . the system type. To prevent deadlock of monitor calls and procedure entry write (pageno: integer; block: page) ; Receive returns a page to calling process. var terminal: console; the If the ensure that access rights are hierarchical the following begin "similar to read" end; buffer is empty, the calling process is re- delayed in the rules are enforced: a procedure must be declared before It can be accessed by read and write operations that are ceiver queue until another process sends a page through begin "initial statement" it can be called; procedure definitions cannot be nested similar to each other : the buffer. The receive procedure will then read and re- init terminal (consoleaccess), peripheral; and cannot call themselves; a system type call move a page from the head of the disk buffer by calling cannot end procedure entryread (var text : line) ; its own procedure entries. begin a read operation defined within the virtual disk type : disk access to a The absence of recursion makes it possible for a com- A virtual has console resource and a access,request piler requirements disk Its permanent variables define virtual disk.read(base head, block) to determine the store of all system resource. a terminal,read (text) ; + console a disk. A process can access its virtual disk components. This and the use of permanent components and access.release; Finally, the receive procedure will continue by means of read and write procedures. These procedure the execution make it possible to usefixed store allocation on a computer end of a sending process (if the latter is waiting in the sender that does not support paging. entries request and release exclusive access to the real disk queue) . Since system components are permanent they must be before and after each block transfer. If the real disk fails, The real console is controlled by a class that is similar Send is similar to receive. declared as permanent variables of other components. the virtual disk calls its virtual console toreport the error. to the disk class.

BRINCH TRANSACTIONS ON SOFTWARE ENGINEERING, HANSEN: PROGRAMMING LANGUAGE CONCURRENT PASCAL

;

; 206 lEEE JUNE 1975 lEEE 2, JUNE 1975 207 G. Multiprocess Scheduling The initial process defines system types and instances system," Commun. Ass. Comput. Mach., vol. 13, pp. 238-250, Afterwards he joined Apr. 1970. the Danish computer Access the console disk of them. It executes statements that initialize these sys- a systems to and is controlled by two [5] , "Structured multiprogramming," Commun. Ass. Comput. manufacturer, Regnecentralen, as monitors of type resource. To simplify the presentation, I tem components. In our example, the initial process can Mach., vol. 15, pp. 574-578, July 1972. programmer and designer. In 1967he became , head of the department Regnecentralen will competing processes be sketched as follows (ignoring the problem of how base [6] "Concurrent programming concepts," Ass. Comput. at assume that are served in first- Mach. Comput. Rev., vol. 5, pp. 223-245, Dec. 1974. which developed the architecture of the RC come, first-served order. (A much better disk scheduling addresses and limits of disk buffers are defined): [7] , "A programming methodology for operating system 4000 computer and its multiprogramming algorithm is defined in [3]. It can be programmed in design," in 1974 Proc. IFIP Congr. Stockholm, Sweden: system. From 1970 to 1972 he visited Car- type North-Holland, Aug. 1974, pp. 394-397. m negie-Mellon University, Pittsburgh, Pa., Concurrent Pascal as well, but involves more details resource [8] E. W. Dijlcstra, "Hierarchicalordering ofsequentialprocesses," ■sA i;. where he wrote = monitor- " -end; Acta vol. no. the book Operating System than the present one.) 1, 2, pp. 115-138, 1971. Principles (Englewood J., console = class- " -end; [9] H. A. "The architecture of complexity," in Proc. Amer. Hm* fli N. Prentice- We will define a multiprocess queueas anarrayof single- Philosophical Society, vol. 106, no. 6, 1962, pp. 468-482. Hall, July 1973). This book contains the first virtualconsole = [10] proposalof the monitorconcept on which the programming language processocess queues 0.-J. Dahl and C. A. R. Hoare, "Hierarchical program struc- class(access:resource) ;" " -end; tures," in StructuredProgramming, 0.-J. Dahl, E. W. Dijkstra, Concurrent Pascal is based. In 1972 he became Associate Professor and C. A. R. Hoare. New Academic, of Computer Science at the California of Technology, type multiqueue ) disk = class ' ' ,end York: 1972. Institute = array ( .0. .glength-1. of queue * Pasadena. He has been a consultant to Burroughs Corporation, virtualdisk = Control Data Corporation, Jet Propulsion Laboratory, Philips, and where glength is an upper bound on the number of con- class (consoleaccess, diskaccess : resource) ; " end ; Varian Data Machines. His main research interests are computer current processes in the system. "" architectureand programming methodology. diskbuffer = Per Brinch Hansen was born in Copenhagen, on A first-come, first-served scheduler is now straight- Denmark, Novem- Dr. Brinch Hansen is a member of the Working Group 2.3 on monitor (consoleaccess, diskaccess:resource; ber 13, 1938. He received the M.S. degree in electronic engineering Programming Methodology sponsoredby the International Federa- forward toprogram: from the Technical University of Copenhagen, base, limit: integer) ;" " -end; Denmark, in 1963. tionfor Information Processing. type resource = inputprocess = monitor process(buffer: diskbuffer) ;" " -end; jobprocess = varfree: Boolean; q: multiqueue; process (input, output: diskbuffer) head, ;" ? -end; tail, length: integer; outputprocess = procedure entry request; process (buffer: diskbuffer) ;" " -end; var arrival: integer; var begin consoleaccess, diskaccess: resource; if free thenfree : = false else bufferl, buffer2: diskbuffer; begin reader; inputprocess; arrival := tail; master: jobprocess; tail:= (tail 1) mod glength; writer: outputprocess; + begin length:= length -f I J delay(q(.arrival.)); init consoleaccess, diskaccess, end; bufferl (consoleaccess, diskaccess, basel, limitl), end; buffer2 (consoleaccess, diskaccess,base2, limit2), reader(bufferl), procedure entry release; master(bufferl, buffer2), var departure: integer; writer (buffer2) begin end. if length = 0 then free: = true else begin When the execution of a process (such as the initial departure:= head; process) terminates, its private variables continue to head:= (head + 1) mod glength; exist. This is necessary because these variables may have length := length 1; been passed as permanent parameters to other system continue (q( . departure— . )) ; components. end; end; ACKNOWLEDGMENT begin "initial statement" It is a pleasure to acknowledge the immense value of a continuous free := true ; length : = 0 ; exchange of ideas with C. A. R. Hoare on multiprogramming. head:= 0; tail: = 0; structured I also thank my students end L. Medina and R. Varela for their helpful comments on this paper. H. Initial Process REFERENCES Finally, we will put all these components together into [1] N. Wirth, "The programming language Pascal," Acta In- a concurrent program. A Concurrent Pascal program con- vol. 1, no. 1,pp. 35-63, 1971. sists of nested definitions of system types. The outermost [2] P. Brinch Hansen, Operation System Principles. Englewood N. J.: Prentice-Hall, July 1973. system type is an anonymous process, called the initial [3] C. A. R. Hoare, "Monitors: An operating system structuring process. An instance of this process is created during concept," Commun. Ass. Comput. Mach., vol. 17, pp. 549-557, loading. Oct. 1974. system It initializes the other system components. [4] P. Brinch Hansen, "The nucleus of a multiprogramming

TRANSACTIONS ON SOFTWARE ENGINEERING, TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. SE-1,NO.

Informatica, Simon, Cliffs,

;

formatica, Cliffs,