Shared Variables Interaction Diagrams

Rajeev Alur Radu Grosu Department of Computer and Information Science Department of Computer Science University of Pennsylvania State University of New York at Stony Brook [email protected] [email protected]

Abstract variables paradigm. Textbooks on concurrent programming (e.g., [14, 17]) contain many pictures describing the interac- Scenario-based specifications offer an intuitive and vi- tions of processes communicating by shared variables, and sual way of describing design requirements of distributed similar scenarios arise in diverse areas such as transaction software systems. For the communication paradigm based processing in concurrent databases (c.f. [18]) and consis- on messages, message sequence charts (MSC) offer a stan- tency in shared-memory multiprocessors [13]. dardized and formal notation amenable to formal analysis. In our definition of an SVID, an action corresponds to, In this paper, we define shared variables interaction dia- possibly multiple, reading/writing of shared variables. The grams (SVID) as the counterpart of MSCs when processes actions of one process are visually ordered. The causal de- communicate via shared variables. After formally defining pendence among actions of different processes is illustrated

SVIDs, we develop an intuitive as well as formal definition Ô by arrows: an arrow from an action a of process to an ac-

of refinement for SVIDs. This notion provides a basis for

Õ Õ tion b of process means that reads a value that was writ- systematically adding details to SVID requirements. ten by Ô. If the variable involved in this communication is

write-shared, then there is an implicit additional constraint b that between these two actions a and , there is no interven- 1. Introduction ing action that writes to this variable. Checking whether all such implicit constraints are consistent with one another can Message Sequence Charts (MSCs) are a commonly used be computationally hard, and is shown to be NP-complete in visual description of design requirements for concurrent general. We also establish that the problem can be solved in systems such as telecommunications software [19], and linear-time when all the variables are read-shared but write- have been incorporated into software design notations such exclusive. Benefits of SVIDs are the same as that of MSCs: as UML [6]. On one hand, the clear graphical layout of an they give an intuitive and visual understanding of interac- MSC immediately gives an intuitive understanding of the tions among processes in a single execution, and have a intended system behavior, and on the other, the notation formal semantics. The execution of a concurrent program has been standardized (ITU standard Z.120) with precise can also be depicted by a linear trace involving actions of semantics, and hence, can be subjected to analysis. This all processes, but a single SVID captures many such execu- has already motivated the development of algorithms for a tions succinctly, and makes causal dependencies explicit. variety of analyses including detecting race conditions and An appealing notion for systematic hierarchical develop- timing conflicts [3], pattern matching [16], detecting non- ment of specifications or models involves refinement (this is local choice [7], and model checking [4], and tools such as present in all concurrency formalisms [20]). The definition uBET [11] and MESA [5]. of SVIDs, and the underlying shared-variables paradigm, An MSC depicts the desired exchange of messages suggests many natural ways of refining SVIDs. We identify among communicating entities in distributed software sys- different ways of visually adding more details to an SVID: tems. An alternative paradigm for communication in dis- by moving arrows depicting dependencies, by introducing tributed systems involves shared variables. Communication new variables, actions, and/or new arrows, by splitting com- and synchronization via shared objects provides a higher posite actions, and by splitting processes into subprocesses. level of abstraction, and is supported by many modern con- All these cases are captured by our formal definition of re- current programming languages. In this paper, we propose finement for SVIDs. The definition requires existence of a shared variables interaction diagrams (SVID) as a formal mapping of implementation actions to specification actions and visual notation for describing scenarios in the shared consistent with the dependencies. We show the problem of checking refinement to be NP-complete. When the commu- The inter-process communication via shared variables is

nication is point-to-point, that is, each variable has a sin- depicted by arrows (or edges) between boxes. An arrow

b b ¾

gle writer and a single reader, the problem can be solved in pointing from a box ½ to a box indicates that the value of

b b ¾

polynomial time. the variables updated by ½ is read (or checked) by .For

Å b b

½¾ ¾4

The remaining paper is organized as follows. Section 2 instance, in Figure 1, in ¾ , the arrow from to spec-

f Ô b

¾ ¾4

introduces the definition of SVIDs. Section 3 defines the ifies that the value of ½ read by in box is the value

f Ô b

½ ½¾ notion of refinement for SVIDs. Section 4 compares SVIDs written to ½ by in box . Thus, the arrows establish a

to related formalisms, and in particular to message sequence causal order between actions of different processes: the ac-

Ô b ¾4

charts (MSCs). tion of ¾ corresponding to must happen after the action

Ô b ½¾ of ½ corresponding to . For write-shared variables, the arrows establish an additional causal dependence between 2. Shared Variables Interaction Diagrams reads and writes, namely, not only the read should happen

after the write, but in addition, there should be no interven- Å

Peterson’s mutual exclusion protocol. In order to il- ing write to the shared variable. For instance, in ¾ ,the

b b Ø ½¿

lustrate the use and utility of shared variables interaction arrow from box ¾¾ to says that the value of read by

Ô b Ø Ô b

½¿ ¾ ¾¾

diagrams (SVID) let us consider the Peterson’s mutual ex- ½ in box is the value written to by in box .This

Ô Ô

Ô b

½ ¾ ½¿

clusion protocol for two asynchronous processes and . means that the action of ½ corresponding to happens af-

Ô Ô

Ô b

½ ¾ ¾¾ The protocol makes sure that and never simultane- ter the action of ¾ corresponding to , and between these ously reach their critical sections and that each may eventu- two actions there is no action involving writing to the shared

ally enter its critical section provided it desires to do so. variable Ø. In this case, this enforces an implicit causal de-

Ô Ô b b Ô Ø

¾ ½¾ ¾¾ ¾

To achieve the desired synchronization among ½ and pendence between box and (i.e, writes to after

f Ô ½

the protocol uses three variables. The first variable ½ is a in this scenario). Ô

boolean variable (or flag), that when set, signals that ½ de- To simplify the notation we adopt the (usual) convention Ô

sires to enter its critical section. It is writable only by ½ but that, write exclusive variables of a process preserve their

Ô f b ¾

it can be read by ¾ . The second variable, the flag ,plays values if not explicitly updated. Hence, a box contained

Ô

Ô f Ô Ø

½ ½

thesamerolefor ¾ as does for . Finally, the variable by a process exports not only the variables explicitly up- Ô (turn) is used to resolve the conflict when both processes try dated by b but also the write exclusive variables of that are

to simultaneously enter their critical sections. The variable not updated by b. This allows the use of empty boxes (not

is written and read by both processes and ranges over the explicitly drawn) as sources for arrows. Similarly to MSCs

½; ¾g set of process identifiers, i.e., f in the binary case. the arrows may be labeled. However, the arrow labels are not messages. They are conditions over variables that have Exemplary SVIDs for the protocol. In Figure 1 we to hold in order to perform the update operation at the head show four typical scenarios for the Peterson’s protocol as of the arrow. basic SVIDs. They intuitively capture the synchronization

The vertical process lines define a top down linear or-

Ô Ô ¾ (communication) patterns between the processes ½ and .

der among the update operations (boxes) of the same pro-

Å Å ¿ The SVIDs ½ and describe the situations where only

cess (like in MSCs time flows top/down). Hence, verti-

Ô Ô Å

¾ ¾ ½ or only requests the critical section. The SVIDs

cal lines describe local synchronization whereas arrows de- Å

and 4 show how the tie is resolved when both processes

scribe global synchronization.

Ô Ô ¾ ½ and request the critical section. These scenarios can To improve readability we use, as with MSCs, condi- be used for understanding the behavior of the protocol, or tions. They are drawn inside hexagonal boxes. Intuitively, they can be used as a specification for designing the proto- a condition is an update of the program counter variable as- col. Clearly, there are many more scenarios that are possi- sociated with the relevant process. ble, and the specified ones serve only as a guide. In the following we define SVIDs in a formal way. To As with message sequence charts (MSCs), vertical lines simplify the definition we do not consider arrow labels. correspond to processes. However, in contrast to MSCs, They might be understood simply as comments that reflect the processes do not communicate with each other via mes- the most recent value of the associated variables. Similarly, sages. Instead, they communicate via shared variables.The we do not include the conditions in the formal definition. way a process updates its variables is given textually in the left compartment of rectangular boxes (or vertices). The Definition 1 (Shared variables interaction diagram) A variables needed (or read) by the update operations in a box shared variables interaction diagram Å consists of the fol- are given in the right compartment of the same box. Vari- lowing components: ables and updating operations inside a box are not ordered.

They may be regarded as being performed simultaneously, Processes. A finite set È of processes. Each process

¾ È Ô:X i.e., they define an atomic action. Ô has an associated (finite) set of (typed) M1 M2 M3 M4

pp1 p2 1 p2 p1 p22p1 p

ini ini ini ini ini ini ini ini

b b b 11 f 1 := F f2 := F 21 b11 f 1 := F f2 := F 21 f 1 := F f2 := F f 1 := F f2 := F

idle idle idle idle idle idle

f1 := T f1 := T f2 := T f := T f1 := T f2 := T 1 11 21 1 1 b12 b12 b22 t := 1 t := 1 t := 2 t := 2 t := 1 t := 2

reqCS reqCS reqCS reqCS reqCS reqCS

b13 f2 b13t t b 23 f1 t t

inCS inCS f1 b24 inCS f2 inCS

b b 14 f 1 := F 14 f 1 := F f2 := F f2 := F

idle idle idle reqCS idle idle reqCS idle

Figure 1. Basic SVIDs for the Peterson protocol

variables. The variables in Ô:X are classified into inherited variables of the immediate predecessors, i.e.,

Ô:X Ô:X Ú:X [ ´Ù:X [ Ù:Ô:X µ

Ö × Ö Û e

Ù;Ú µ¾E

read variables , write-shared variables and ´ .

£

Ô:X Ô:X = Û

write-exclusive variables e . We denote by

Ô:X [ Ô:X Ô e × the set of write variables of and by

We say that a SVID Å is consistent if there is a lin-

X = [ Ô:X Å

¾È Ô the set of all variables of .Itis earization of the updates in Å that respects the linear ver-

required that the write-exclusive variables of different tical (process) orders and the partial horizontal (arrows) or-

Ô 6= Õ Ô:X \ Õ:X = ; e

process are disjoint: for , e , and der. In addition, the horizontal order should reflect most =

every variable is written by some process: Å:X recent updates (see definition below). For example, in Fig-

[ Ô:X

¾È Û

Ô . Å

ure 1, ½ is a consistent SVID with three linearizations

b b b b b ;b b b b b b b b b b

½½ ½¾ ½¿ ½4 ½½ ¾½ ½¾ ½¿ ½4 ½½ ½¾ ¾½ ½¿ ½4

¾½ and . Ú Vertices. A finite set Î of vertices. Each vertex has an

associated process Ú:Ô. The set of vertices belonging

Definition 2 (Consistent SVID) An SVID Å is called con- Ô:Î

to a process Ô is denoted by . This set is linearly

Ú Ú :::Ú

¾ Ò

sistent if there is a linear order ½ of all vertices in <

ordered by the (top down) relation Ô . We denote by <

Å:Î such that (1) it is consistent with , (2) it is consistent

< [ <

¾È Ô

the partial order Ô obtained by taking the

Ü e =´Ù; Ú µ with E , and (3) if is a variable and is an edge

union of these linear orders.

Ü ¾ Ú:X Ü ¾ Ù:X Û Û

with Ö and then there is no vertex

Ù Ú Ü ¾ Û:X £

between and with Û .

Ú Ú:X

Update boxes. Each vertex has an associated set Ö Ú:X

of read variables, a set Û of write variables and a

The consistency requirement makes sure that the value

Ú:× Ú:X

state .Theset Ö is the set of variables read in order to perform the update, and it is required assigned by a process to a variable in an update box at the

tail of an arrow is also the value considered by the other

Ú:X  Ú :Ô:X Ú:X

Ö Û that Ö .Theset is the set of variables explicitly updated, and it is required that process in the box at the head of the arrow. This condition is

new when compared with MSCs and it is necessary because

Ú:X  Ú :Ô:X Ú:× Û Û . Finally, the state corresponds to the update and it is a mapping that associates each both the process containing the box at the head of an arrow

or another process if the variable is write shared might have

Ü ¾ Ú:X a ¾ Ì Ì

Ü Ü variable Û to a value where is the 1 written the variable too.

type associated to Ü .

b Ü

Note that if a box ½ reads a variable , then the def-

 Î ¢ Î

Read edges. A finite set E of edges denoting inition of an SVID requires that it has an incoming edge

b Ü Ü

Ú Ú:X ¾

the read dependencies. For each vertex the set Ö from some box that writes to or inherits . Multiple

b b

Ú ¿

of read variables of is included in the set of write and incoming edges are not ruled out. Suppose both ¾ and

Ü b Ü

write to and have an edge to box ½ that reads .Inthis 1The specific state associated with a vertex is not of importance for

subsequentresults. The definition can be made more general to allow more case, if Ü is write-shared, the SVID cannot be consistent.

Ü b b ¿ abstract states such as predicates, or to omit the state altogether. If is write-exclusive, then both ¾ and must belong to

the same process, and thus, are linearly ordered according Henceforth we will assume that we are dealing only with

b b ¿

to the visual vertical order. If ¾ appears before in this consistent SVIDs. Note that an SVID has multiple lin-

b b ½ order, then the edge from ¾ to is redundant. earizations, and thus, provides a more succinct representa- If there are no write-shared variables, i.e., if the SVIDs tion than linear traces. use the one-to-many communication paradigm, then consis- tency can be verified in linear time. 3. Refinement Theorem 1 (Consistency check: write-exclusive case) If

Å is an SVID such that all variables are write-exclusive, GivenanSVIDË as a high-level requirement, one may then the problem of checking consistency of Å can be want to add more details to the requirement leading to an- solved in linear time.

other SVID Á . In this context, given an implementation Ë SVID Á and a specification SVID , it is important to know

Proof: If all variables of Å are write-exclusive, then

Á Ë Á  Ë

£ if refines (or implements) , written as ,inamathe-

´< [E µ Å is consistent iff the relation is acyclic. Thus, matically precise way. We are mainly interested in a refine- checking inconsistency reduces to finding a cycle in a graph, ment notion that has a concrete, syntactic counterpart that and can be performed by standard linear-time search algo- would guide the users to add details in a visual, yet formal, rithms. £ way. Intuitively, there are three simple ways to refine an One-to-many communication is the typical case for (asyn- SVID: (1) by moving arrows and adding empty boxes, (2) chronous) hardware applications where connecting the out- by splitting the vertices and (3) by splitting the processes2. puts of two gates is not allowed. An example of an incon-

sistent SVID for this paradigm is shown in Figure 2 (there Moving arrows and adding empty boxes. The write

b b

Ô ¾¿ is an implied cycle between ½¿ and ). exclusive variables of a process that are updated in a box

If there are also write-shared variables, i.e., if the SVIDs b ½ maintain their value down the process line as long as they

also use the many to one communication paradigm, then b

are not updated in another box ¾ . This is not only an ex-

checking consistency can be difficult. If Ü is a write-shared pected behavior for SVIDs but it also allows to move the Ú variable written in vertex Ù and read in vertex , then the arrows exporting only write exclusive variables in order to

consistency requirement says that any other vertex Û that simplify the SVID, by minimizing the number of arrows

Ù Ú

writes to Ü should come either before or after .Thatis, crossing each other. The transformation of moving arrows

Ù Ú Û we want to add an edge from Û to or from to .If can restrict the set of allowed linearizations, and leads to a

only one of these edges is consistent with the partial-order refined SVID. Moreover, it allows to introduce empty boxes

£

½

´< [E µ

then we can resolve the dependence efficiently. if this further simplifies the SVID. In the SVID Å in Fig- ¾

This is likely to be the typical case. For instance, in sample f

ure 2, we show how to move the arrow exporting the flag ½

Å Å scenario ¾ , the consistency requirement says that the box

of the SVID ¾ of Figure 2.

b b b

¾¾ ½¿ ½¾ should either precede or follow . The latter is inconsistent with the vertical order. Hence, we can resolve Splitting vertices. One may split a box that contains a the disjunctive dependency conclusively by adding an edge set of reads and writes in several successive boxes placed on

the same process line and such that each contains a disjoint

b b ¾¾ from ½¾ to . If both the edges are consistent, we can

make a greedy choice, but backtracking may be necessary, subset of the original set of reads and writes. As an example ¾

of this transformation, the SVID Å in Figure 2 refines the

leading to exponential worst-case complexity ¾ ½

SVID Å . Splitting boxes may be applied repeatedly un- ¾ Theorem 2 (Consistency check: general case) Checking til all boxes contain either only one read or only one write the consistency of an SVID with write shared variables is operation for a single variable. NP-complete. Splitting processes. The third type of refinement we Proof: Membership in NP is obvious since check- consider is splitting processes into subprocesses such that ing whether a guessed linearization satisfies all the require- the set of variables of each subprocess is contained in one ments of consistency is easy. For hardness, the proof is by of the original processes (thus, implementation processes reduction from the problem of checking sequential consis- cannot aggregate distinct variables of different processes). tency. Consider the case when all variables are shared, and During the splitting, a write shared variable may become all boxes involve a single read or a single write. Check- write exclusive. However, a write exclusive variable cannot ing consistency, then, corresponds to verifying whether the become write shared. Similarly to splitting vertices, split- local views of individual processes are sequentially consis- ting processes may be applied repeatedly until each process tent. Since the edges match reads with writes, this is a re- writes only one variable, distinct from the variable associ- stricted case of sequential consistency, which is known to 2In the full paper we define a more general refinement that allows to

be NP-hard [8]. £ augment an SVID with additional variables, boxes, and/or arrows. M1 M2 M3 Inconsistent 2 2 2

p1 p2 p1 p2 p1 p2 p1 t p2

zero zero ini ini ini iniini ini

b b11 o1 := F o2 := F 21 f 1 := F f2 := F f 1 := F f2 := F f 1 := F f2 := F

one one idle idle idle idle idle idle

b12 o := T o := T b22 f := T f := T f1 := T f2 := T f := T f2 := T 1 12 121 1 1 1 11 t := 1 t := 2 t := 1 two two t := 1 t := 2 reqCS reqCS reqCS reqCS reqCS t := 2 reqCS b b 13 o1 := F o2 o2 := F o1 23 t t t t t t three three

f1 f1 f1 b b inCS inCS inCS 14 o1 := T o1 := T 24

f 1 := F four four f 1 := F f 1 := F idle reqCS idle reqCS idle reqCS

Figure 2. Inconsistency and refinement by moving arrows and splitting vertices and processes

Ë:E [

ated to the other processes. An example of this kind of re- Dependency. The specification partial order ´

¿

Ë:<µ Ö ´Á:E [ Á:<µ

finement is the SVID Å in Figure 2 obtained by refining is included in the image of the im-

¾

¾

Ø Ö

Å . In this SVID, the write shared variable has been fac- plementation partial order under the map . That is,

¾

Ô Ô Ù Ú ¾

tored out both from ½ and and transformed into a write whenever a specification vertex is related to ac-

Ë:E [ Ë:<µ

exclusive variable. This SVID mimics the way Peterson’s cording to ´ , there exist implementation

¼ ¼ ¼ ¼

Ú Ö ´Ù µ=Ù Ö ´Ú µ=Ú

protocol would be implemented with MSCs. In this case, vertices Ù and such that , ,

¼ ¼

Ù Ú ´Á:E [ Á:<µ

a shared resource like Ø is written by sending it messages and is related to according to . £ (mimicked with SVIDs by a write followed by an event ar- row) and it is read by getting from it a message (mimicked By this definition, we have

with SVIDs by a read arrow). Since this SVID is a refine-

¿ ¾ ½

Å  Å  Å  Å :

ment of the original SVID, it should be clear that SVIDs ¾

¾ ¾ ¾

offer in general a very high level of abstraction. ½

For example, let the boxes in Å be denoted by

Now let us proceed to formally define the notion of re- ¾

Ñ ;Ñ ;Ñ ;Ñ ;Ñ ;Ñ ;Ñ ;Ñ

½¾ ½¿ ½4 ¾½ ¾¾ ¾¿ ¾4

finement. ½½ and the boxes

¿

Å Ò ;Ò ;Ò ;Ò ;Ò ;Ò ;Ò ;Ò ;

½¾ ½¿ ½4 ¾½ ¾¾ ¿½ ¿¾ in be denoted by ½½

Definition 3 (Refinement) A shared variables interaction ¾

Ò ;Ò ¿4

¿¿ , as shown in Figure 3. Define the implementation

Á

Ò Ñ Ò Ñ Ò diagram refines a shared variables interaction diagram Ö

½½ ¿½ ¾½ ½¾

map such that it maps ½½ to , to , and

Ë Á  Ë

Ñ Ò Ò Ñ Ò Ñ Ò Ñ , written if: Ò

½¾ ¿¾ ¾¾ ¾¾ ½¿ ½¿ ¿¿ ¾¿

¾½ to , and to , to , to

Ë Á

Ñ Ò Ñ

Variables. The set of variables in and is the same: Ò

½4 ¿4 ¾4

and finally ½4 to and to . Then it is easy to

= Á:X

Ë:X . see that the dependency condition is satisfied and that the

¿ ½ Å

process condition is satisfied too. Hence, Å refines .

¾ ¾

Ô ¾ Á:È

Processes. For every implementation process ¿

´Ò ;Ò µ Å ¾¾

Note that the vertical dependency ¾½ in be-

¾

¾ Ë:È Ô:X \

and every specification process Õ , either

¿

´Ñ ;Ñ µ Ö ´Å µ ¾¾

comes an arrow ½¾ in the image . Similarly,

¾

= ; Ô:X  Õ:X

Õ:X or . In the latter case, write

¿

´Ò ;Ò µ ´Ò ;Ò µ Å

¾½ ¿¾ ¾¾

the arrows ½¾ and in become self- ¾

shared variables in Ë may become write exclusive in

¿

´Å µ

loops in Ö . All these arrows are new when compared

¾ Ë

Á , but write exclusive variables in cannot become ½

with Å .

¾

Ô:X  Õ:X Ô:X  Õ:X

× e Û write shared: × and .

Given an “implementation” SVID Á and a “specifica- Ë

Boxes. There is a surjective map Ö from the vertices of tion” SVID , we would like to determine algorithmically if

Á  Ë

Ë Ú

Á to the vertices of such that for each vertex of holds. According to the definition of refinement, we

Ú:X = [ Û:X Ú:× = [ Û:×

Ë first need to verify the requirements concerning variables

Û Û

´Û µ=Ú Ö ´Û µ=Ú , Ö , , and

3

= [ Û:X

Ú:X and processes, both of which are stratighforward to check.

Ö Ö

´Û µ=Ú Ö . 3In the more general notion of refinement, all equalities can be made subsets, allowing the implementation to add more variables. 1 3 3 M2 r(M 2 ) M2

p1 p2 p1 p2 p1 t p2

ini ini ini ini ini ini

m11 f 1 := F f2 := F m21 f 1 := F f2 := F n11 f 1 := F f2 := F n31

idle idle idle idle idle idle

f1 := T f2 := T f1 := T f2 := T n12 f1 := T f2 := T n32 m 11m 1 1 1 12 22 n t := 1 t := 2 t := 1 t := 2 21 t := 1 n reqCS reqCS reqCS reqCS reqCS 22 t := 2 reqCS

m13 ttm23 t t n13 t t n33

inCS f1 m24 inCS f1 inCS f1 n34

m14 f 1 := F f 1 := F n14 f 1 := F

idle reqCS idle reqCS idle reqCS

Figure 3. Refinement image by a mapping Ö

Then, the the algorithm has to guess (or synthesize) a vertex gle process and written by a single process, the refinement

¿

Á  Ë Ç ´Ò µ Ò map Ö and to check the dependencies. This, in general, can relation can be determined in ,where is the

be computationally difficult if the actions appearing in an number of vertices in Á . implementation vertex can appear in multiple processes. In the standard notion of refinement for processes, im- Theorem 3 (Checking refinement: general case) Given

plementation is obtained from specification by adding more

Á Á  Ë two SVIDs Ë and , deciding whether holds is details, and typically, by restricting the set of observable NP-complete. behaviors. The notion of implementation for SVIDs allows Proof: In the general case, membership in NP is ob- splitting processes and adding constraints, and thus, con- straining the set of valid linearizations. However, it also al- vious since once the refinement map Ö is guessed, check- ing whether all dependencies are preserved can be done lows splitting of vertices, thus changing the notion of atom- polynomial-time. For NP-hardness, it is known that given icity and “increasing” the possible interleavings. While this an MSC whose vertices are labeled with symbols in an al- may seem counter to the traditional notion of hierarchical

development of systems, it seems intuitive for developing

Û ¦ phabet ¦, and a string over , the problem of determining requirements in a systematic manner by refining the atom- whether Û is a possible linearization of vertices of the MSC 4 is NP-complete [4]. This problem can be reduced to refine- icity assumptions .

ment checking problem, where Á contains a single process.

£ 4. Comparison with Other Formalisms If every specification variable is written by at most one process and read by at most one process (i.e. the communi- As we discussed in the introduction, the purpose of cation is point-to-point) then each action in the implemen- shared variables interaction diagrams (SVIDs) is to describe tation can be mapped to vertices of a uniquely determined exemplary interactions (scenarios) of concurrent systems process. Since vertices of a single process are totally or- that communicate via shared variables. Hence, they play dered, there is no ambiguity in determining the refinement the same role for these systems as message sequence charts map. Once the refinement map is determined, the require- (MSCs) or interaction diagrams (in UML) play for concur- ment about dependencies can be checked by computing the rent systems that communicate via message passing. While transitive closure of the imeplementation partial-order in scenarios involving shared variables appear in many con- cubic time. 4One can reconcile these two notions of implementation by observing

Theorem 4 (Checking refinement: exclusive case) Given that, under the refinement map the implementation has more constraints Á two SVIDs Ë and such that each variable is read by a sin- and therefore less linearizations than the specification. M1 M2

p14p2 p p12f1 p f23p3 f

ini ini ini ini ini ini ini ini ini set(F) set(F) set(F) f[1] := F f[2] := F f[3] := F tstR tstR tstR get get get tstR tstR tstR set(F) val(F) val(F) val(F)

f[1] := T f[1] f[2] := T f[2] f[3] := T f[3] set(T) set(T) set(T)

tstL tstL tstL tstL tstL tstL tstL tstL tstL get get get val(T) val(T) f[3] f[1] f[2]

val(T) tstL tstL tstL tstL tstLtstL tstL tstL tstL

Figure 4. Deadlock for three dining philosophers texts, there seems to be no effort to formally define a no- indirect way with SVIDs would probably lead to more com- tation for our intended purposes. One exception is [9], in plex solutions too. which the authors define a notation for describing scenarios From a visual point of view (as boxes connected by ar- for hybrid systems in which synchronous communication rows), SVIDs are also related to acyclic versions of Petri can be captured by global conditions over variables. nets and data flow diagrams (DFDs). Unlike these for- Since MSCs are already standardized by the ITU consor- malisms, an SVID denotes a single partially-ordered exe- tium and very popular (e.g. in the specification of telecom- cution, and has an implicit notion of shared state. munication protocols) one might wonder if MSCs could not be used instead of SVIDs for shared variables systems, too. Indeed, by associating with each global variable a sepa- 5. Conclusions rate process (vertical line) and introducing three messages set(x), get and val(v) one can model reading and writing these variables. However, this is an indirect way We have presented a formal notation for visual descrip- of dealing with the read and write primitives and the more tion of scenarios in distributed systems when the commu- shared variables the system contains, the more complex the nication is via shared variables. We have also presented a MSCs become. natural and precise way of relating such scenarios via the To illustrate this point, let us consider the dining philoso- notion of refinement. SVIDs can be useful for writing de- sign requirements. Many model checkers, such as SPIN [10] phers example (see, for instance, [15]). There are Ò philoso- phers seated around a table, usually thinking. Between each and MOCHA [1], support shared-variables communication pair of philosophers is a single fork. From time to time, any and show the counter-examples in a graphical format like philosopher might become hungry and attempt to eat. In SVIDs. Consequently, SVIDs can also be used to compare order to eat, the philosopher needs exclusive use of the two requirements with executions of models. adjacent forks. After eating, the philosopher relinquishes SVIDs are also a promising specification and debugging the two forks and resumes thinking. formalism for concurrent systems written in Java. This is In a wrong symmetric solution, each philosopher will one of the few languages that allows process creation and wait first for the right fork and after getting it will wait for process control. In Java processes are instances of a spe- the left fork. However, if all philosophers pick the right fork cial class called Thread and run in an asynchronous way. first, they will wait forever for the left fork. This situation Threads interact by using the shared memory paradigm. is illustrated for three philosophers in Figure 4 where the To obtain richer specifications using SVIDs, we will left hand side is the scenario presented as an SVID and the need to consider high-level SVIDs in the spirit of high-level right hand side is the scenario presented as an MSC. The MSCs (a high-level MSC is basically a finite graph whose MSC solution has more processes, more arrows and more nodes are labeled with basic MSCs). To be able give seman- crossings. We believe, this makes it harder to read and un- tics to such specifications, we need to define concatenation derstand. Trying to model message passing systems in an of SVIDs that accounts for the shared state. References [17] J. Reppy. Concurrent Programming in ML. Cambridge Uni- versity Press, 1999. [1] R. Alur, L. de Alfaro, R. Grosu, T.A. Henzinger, M. Kang, [18] R. Ramakrishnan and J. Gehrke. Database management sys- R. Majumdar, F. Mang, C.M. Kirsch, and B.Y. Wang. MOCHA: tems. McGraw-Hill, 1999. A model checking tool that exploits design structure. In Pro- [19] E. Rudolph, P. Graubmann, and J. Gabowski. Tutorial on ceedings of 23rd International Conference on Software Engi- message sequence charts. In Computer Networks and ISDN neering, 2001. Systems – SDL and MSC, volume 28. 1996. [2] R. Alur, K. Etessami, and M. Yannakakis. Inference of mes- [20] R.J. van Glabbeek and U. Goltz. Refinement of Actions in sage sequence charts. In Proceedings of 22nd International Causality Based Models. In Comparitive Concurrency Seman- Conference on Software Engineering, pages 304–313, 2000. tics and Refinement of Actions, pages 161–203, 1989. [3] R. Alur, G.J. Holzmann, and D. Peled. An analyzer for mes- sage sequence charts. Software Concepts and Tools, 17(2):70– 77, 1996. [4] R. Alur and M. Yannakakis. Model checking of message se- quence charts. In CONCUR’99: ConcurrencyTheory, Tenth In- ternational Conference, LNCS 1664, pages 114–129. Springer- Verlag, 1999. [5] H. Ben-Abdallah and S. Leue. MESA: Support for scenario- based design of concurrent systems. In Proceedings of the 4th International Conference on Tools and Algorithms for the Con- struction and Analysis of Systems, LNCS 1384, pages 118–135, 1998. [6] G. Booch, I. Jacobson, and J. Rumbaugh. Unified Modeling Language User Guide. Addison Wesley, 1997. [7] H. Ben-Abdallah and S. Leue. Syntactic detection of process divergence and non-local choice in message sequence charts. In Proceedings of the Second International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, 1997. [8] P. Gibbons and E. Korach. Testing shared memories. SIAM Journal on Computing, 26(4):1208–1244, 1997. [9] R. Grosu, I. Krueger, and T. Stauner. Hybrid sequence charts. In ISORC’2K, the 3rd IEEE International Symposium on Object-oriented Real-time distributed Computing, pages 104–111, 2000. [10] G.J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, 23(5):279–295, 1997. [11] G.J. Holzmann, D.A. Peled, and M.H. Redberg. Design tools for for requirements engineering. Lucent Bell Labs Technical Journal, 2(1):86–95, 1997. [12] I. Krueger, R. Grosu, P. Scholz, M. Broy, From MSCs to Statecharts. In Distributed and Parallel Embedded Systems, Kluwer Academic Publishers, 1999. [13] L. Lamport. How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Transactions on Computers, 28(9):690–691, 1979. [14] D. Lea. Concurrent Programming in Java: Design Princi- ples and Patterns. Addison Wesley, 2000. [15] N. Lynch. Distributed algorithms. Morgan Kaufmann, 1996. [16] A. Muscholl, D. Peled, and Z. Su. Deciding properties of message sequence charts. In Foundations of Software Science and Computation Structures, 1998.