Distributing requirements specifications on basic splice by Orzan, S.-M. (Simona-Mihaela)
Centrum voor Wiskunde en Informatica
Report SEN-R0101, Software Engineering (SEN), January 31, 2001
ISSN 1386-369X
CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
Distributing Requirements Specifications on Basic Splice
Simona Orzan
Centrum voor Wiskunde en Informatica
P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
Email: Simona.Orzan@cwi.nl
ABSTRACT
This is an extension of work presented in [12]. It is proved that the seemingly weak architecture Basic Splice introduced there, in which the coordination of processes is done using only a global set with read/write primitives, can support a distributed implementation of a large class of requirements specifications, namely LPEs (a μCRL intermediate representation of specifications).
2000 Mathematics Subject Classification: 68M14, 68N30, 68Q85
Keywords and Phrases: Splice, shared data space, software architecture, distributed systems, expressiveness
Note: Research carried out for the STW-project CES.5009: Formal Design, Tooling, and Prototype Implementation of a Real-Time Distributed Shared Dataspace.
1. Introduction
Shared dataspaces are a widely used mechanism for specifying the communication and synchronization of parallel processes. The common dataspace is accessed through a certain set of operations (primitives) like adding, deleting, testing for absence/presence of data, etc.; different coordination models can be obtained by considering different sets of primitives. A natural question is how expressive these models are. This can be addressed in two ways: one can think of "relative" expressiveness, i.e. ask which models can express the same requirements in an easier way (a few classes of coordination models were compared from this point of view in [5]); alternatively, one can envision "absolute" expressiveness, i.e. ask exactly which requirements specifications can be implemented on a certain model.
We consider a very simple shared dataspace model, with only the primitives write and nondestructive blocking read. It was introduced in [12] and was called Basic Splice because it is the ultimate simplification of the data-oriented software architecture for complex control systems SPLICE [2] (Subscription Paradigm for the Logical Interconnection of Concurrent Engines), developed at Hollandse Signaalapparaten. The main characteristic of this architecture is that the processes cannot exchange messages directly; they only communicate through the shared data. This gives processes a high degree of independence and ensures a certain flexibility for the whole system: easy adaptation to changes in the environment, easy dynamic reconfiguration, and a suitable basis for fault-tolerance techniques. The idea of viewing Splice as a shared dataspace was proposed in [1, 6]. Alternative Splice descriptions are discussed in [3, 4].
The role of an architecture in the design of a complex distributed system is to describe how application processes should coordinate. One of the problems that we encounter once we have the architecture is how to implement the requirements of the system under design on it in a distributed way. That is, how to transform the requirements into a set of application processes that communicate using the architecture's rules. We address this problem by studying the "absolute" expressiveness of the seemingly very weak shared dataspace model Basic Splice.
Following [12], we view Basic Splice as a process which is running in parallel with the application processes coordinated by it. All processes are specified in the language μCRL; we work with a special format called Linear Process Equation (LPE), for which powerful techniques (the focus and cones method, fair abstraction rules) have been developed [10].
We give a mapping from the requirements specification expressed as an LPE to a set of processes (also written as LPEs) that, when running in parallel and coordinated by Basic Splice, show the same behavior as the initial specification. The equivalence used is branching bisimilarity [8]. In this way we prove that it is possible to implement on Basic Splice, in a distributed way, a class of processes as large as LPEs. That is, almost all requirements specifications, since it was proved [9] that a very large part of μCRL specifications can be expressed as LPEs.
1.1 LPEs
We will briefly present μCRL (micro Common Representation Language), which is a language for specifying interacting processes that rely on data. Its signature includes data sorts (like $Bool$, $Nat$) and a distinct sort $Proc$ of processes. The notation $\vec{d}$ will be used for tuples of data variables. We have a set of action labels $Act$, and $\{a(\vec{d}) \mid a \in Act\}$ are actions parameterized by data terms.
Process terms are constructed using the operators $+$ (choice), $\cdot$ (sequential composition), $\parallel$ (parallel composition), $|$ (communication merge), $\sum$ and $\triangleleft\ \triangleright$. The operator $\sum$ is the generalized choice: $\sum_{d : Nat} P(d)$, for instance, denotes the possibly infinite sum $P(0) + P(1) + P(2) + \cdots$. The conditional $P \triangleleft b \triangleright Q$, with $P$ and $Q$ being processes and $b$ a boolean, means "if $b$ then $P$ else $Q$". The constant $\delta$ of the sort $Proc$ represents deadlock and is the neutral element for $+$. The constant $\tau$ of the sort $Proc$ represents the silent (not observable) step. The encapsulation operator $\partial_H(P)$ enforces actions in $H$ to communicate: within process $P$ they cannot execute alone, but only as part of a communication step. The hiding operator $\tau_I(P)$ renames in $P$ all the actions from $I$ to $\tau$.
In the following, $I$ is a finite set of indices, $D$ and $E_i$ are data sorts (not necessarily finite), $d$ and $e_i$ are data variables of sorts $D$ and $E_i$, and $f_i$, $g_i$ and $b_i$ are functions, $f_i, g_i : D \times E_i \to D$, $b_i : D \times E_i \to Bool$.
An LPE is a recursive specification of the form:
$$Spec(d : D) = \sum_{i \in I} \sum_{e_i : E_i} a_i(f_i(d, e_i)) \cdot Spec(g_i(d, e_i)) \triangleleft b_i(d, e_i) \triangleright \delta \qquad (1.1)$$
Each summand of $\sum_{i \in I}$ defines a set of transitions from state $d$ to state $g_i(d, e_i)$, and it is enabled for all $e_i$ for which the guard $b_i(d, e_i)$ is true.
1.2 Basic Splice
In our setting, Basic Splice is viewed as a special process $SPLICE(A)$, running in parallel with the application processes. $A$ is the shared dataspace, the global set to which values of some sort $D$ are added. This set can only grow, as the read primitive in our model is nondestructive.
Application processes should be allowed to communicate only through the shared dataspace, never directly. This is done by making them use the special actions $read$ and $write$ and by introducing the co-actions $Read$ and $Write$ in the dataspace process $SPLICE(A)$. The communications $read(x) | Read(x)$ and $write(x) | Write(x)$ are considered actions themselves: $R(x)$ and $W(x)$.
The architecture is described by the following recursive specification:
$$SPLICE(A : Set(D)) = \sum_{x : D} Write(x) \cdot SPLICE(A \cup \{x\}) + \sum_{x : D} Read(x) \cdot SPLICE(A) \triangleleft x \in A \triangleright \delta$$
When a communication $W(x)$ occurs, $SPLICE(A \cup \{x\})$ proceeds; that is, the value $x$ is added to the global set, unless this value was already present, in which case nothing happens. The blocking behavior of the read primitive is nicely expressed by the condition $\triangleleft x \in A \triangleright$. The communication $R(x)$ can only happen if $x$ is present in the global set (otherwise $Read(x)$ does not occur among the actions of $SPLICE(A)$). So, if an application process wants to do $read(3)$, it has to wait until 3 comes into the database; this will add $Read(3)$ to the sum that represents $S$ (short for $SPLICE(A)$), which will allow the communication. Note that after this communication $S$ proceeds with an unchanged database, since $read$ does not delete the value that was read.
This view of the architecture as a special component, with communication done by the $read/Read$ and $write/Write$ pairs, provides an elegant formal semantics for the two primitives of the architecture.
Example 1 To make clear how μCRL and Basic Splice function, we describe an implementation on Basic Splice of a very simple buffer specification.
For this, we consider the data sort $Queue$, to represent a queue of natural numbers. It has the constant $emptyqueue$ and the following operations: $push : Nat \times Queue \to Queue$, which adds an element to a queue; $pop : Queue \to Queue$, which extracts the top element of the (not empty) parameter queue; $top : Queue \to Nat$, which returns the top element of the given queue; and $notempty : Queue \to Bool$, which tests whether the given queue is not empty. And we define the following μCRL specification of the buffer:
$$BufSpec(Q : Queue) = \sum_{d : Nat} SCAN(d) \cdot BufSpec(push(d, Q)) + SEND(top(Q)) \cdot BufSpec(pop(Q)) \triangleleft notempty(Q) \triangleright \delta \qquad (1.2)$$
The visible actions are $SCAN$, which inputs a natural number into the buffer, and $SEND$, which outputs a natural number from the buffer. Data must be sent out in the same order in which it was scanned.
We need the global set to memorize values of sort $Nat \times Nat$; a value represents (sequence number, data item). So, our Splice process will be $SPLICE(A : Set(Nat \times Nat))$. Then the implementation on Splice of the buffer can be:
$$BufImpl = B_{scan}(0) \parallel B_{send}(0) \parallel S(\emptyset)$$
where
$$B_{scan}(n : Nat) = \sum_{d : Nat} SCAN(d) \cdot write(n, d) \cdot B_{scan}(n + 1)$$
$$B_{send}(n : Nat) = \sum_{d : Nat} read(n, d) \cdot SEND(d) \cdot B_{send}(n + 1)$$
The process $BufImpl$ above is indeed an implementation of (1.2), since it can be proved that
$$BufSpec(emptyqueue) = \tau_{\{R, W\}} \partial_{\{Read, Write, read, write\}}(BufImpl)$$
(branching bisimilar).
1.3 The problem
We are looking for a distributed implementation of LPEs on the architecture Basic Splice. Given a requirements specification $Spec(d)$, we want to build a set of processes $P_1, \ldots, P_n$ and some initial database $A_0$ such that $P_1 \parallel \cdots \parallel P_n \parallel SPLICE(A_0)$, after hiding $read$, $write$, $Read$ and $Write$, equals $Spec(d)$ (in the sense of branching bisimilarity).
Many sets of constraints can be imagined to impose on the processes $P_i$. Studying different schemes from the efficiency point of view is interesting and is the subject of further work. For now the goal is only to prove that distribution is possible, so we consider a very simple constraint: each $P_i$ should "produce" only one action from those in $Spec(d)$. If, for instance, the specification requirement is $a \cdot b$, the distributed implementation should have a component for $a$ and another for $b$.
The matter of distributing the functionalities of a requirements specification over several communicating components was also studied in [11] for LOTOS expressions; the synchronization is solved there with message passing, while Basic Splice coordinates the components using persistent data.
Section 2 describes the translation scheme and section 3 proves it correct.
2. The translation scheme
Consider a specification in LPE format $Spec(d)$ (1.1), with $|I| = n$. The corresponding distributed process will have $n$ components, each responsible for one action $a_i$. They communicate via $SPLICE$, through a global set of pairs ($Nat \times D$). An element $(t, d)$ of the global set represents:
$t$ (a natural number) = timestamp; this is the moment when the pair was added to the database. It is also the number of visible + invisible steps executed until the time of insertion.
$d$ = the current data; the global state of the system, according to the specification.
Components are triggered in turns, by the timestamp, in a circular infinite pass: component $i$ will be activated at all moments $t = k \cdot n + i$ ($\forall k$). When activated, it will choose to execute its action or not. In both cases, it will increase the "global time" and pass the turn to its next sister. This cycle is needed to ensure that the nondeterminism that may exist in the global specification $Spec(d)$ is preserved in the distributed implementation. At any time, all possible actions must have a chance to execute.
In a formal definition, the component $X_i$, responsible for action $a_i$, is:
$$X_i(m) = \sum_{d : D} read(m, d) \cdot \Big( \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot write(m + 1, g_i(d, e_i)) \triangleleft b_i(d, e_i) \triangleright \delta \big) + write(m + 1, d) \Big) \cdot X_i(m + n) \qquad (2.1)$$
The parameter $m$ of $X_i$ is the moment when $X_i$ expects to be activated next. As mentioned before, $m$ is always of the form $k \cdot n + i$. At moment $m$, $read(m, d)$ from $X_i$ synchronizes with $Read(m, d)$ from $SPLICE(A)$, for some $d$. This activates $X_i$. After "acting", $X_i$ will set its parameter to the next active moment $(k + 1) \cdot n + i$, i.e. $m + n$.
The initial state of the implementation is
$$\parallel_i X_i(i) \parallel SPLICE(\{(0, d)\}) \qquad (2.2)$$
We will prove that this distributed implementation on Basic Splice of an LPE is almost equivalent to the specification. That is: if we hide in the implementation the actions dealing with the global set ($read$, $write$, $Read$, $Write$) and we abstract from the communication actions ($R$, $W$), then we get (approximately) the specification $Spec(d)$.
Theorem 1 For every requirements specification expressible as an LPE $Spec(d)$, the components $X_i$ resulting from the translation scheme satisfy:
$$\tau \cdot Spec(d) = \tau \cdot \tau_{\{R, W\}} \partial_{\{Read, Write, read, write\}} \big( \parallel_i X_i(i) \parallel SPLICE(\{(0, d)\}) \big)$$
Example 2 The regular process $X = (a + a \cdot b + b \cdot a) \cdot \delta$ can be written as this LPE:
$$X(d : \{0, 1, 2, 3\}) = a \cdot X(3) \triangleleft d = 0 \lor d = 2 \triangleright \delta + a \cdot X(1) \triangleleft d = 0 \triangleright \delta + b \cdot X(2) \triangleleft d = 0 \triangleright \delta + b \cdot X(3) \triangleleft d = 1 \triangleright \delta$$
By applying the translation scheme, we get the following distribution:
$$X_0(m) = \sum_{d : \{0,1,2,3\}} read(m, d) \cdot \big( a \cdot write(m + 1, 3) \triangleleft d = 0 \lor d = 2 \triangleright \delta + write(m + 1, d) \big) \cdot X_0(m + 4)$$
$$X_1(m) = \sum_{d : \{0,1,2,3\}} read(m, d) \cdot \big( a \cdot write(m + 1, 1) \triangleleft d = 0 \triangleright \delta + write(m + 1, d) \big) \cdot X_1(m + 4)$$
$$X_2(m) = \sum_{d : \{0,1,2,3\}} read(m, d) \cdot \big( b \cdot write(m + 1, 2) \triangleleft d = 0 \triangleright \delta + write(m + 1, d) \big) \cdot X_2(m + 4)$$
$$X_3(m) = \sum_{d : \{0,1,2,3\}} read(m, d) \cdot \big( b \cdot write(m + 1, 3) \triangleleft d = 1 \triangleright \delta + write(m + 1, d) \big) \cdot X_3(m + 4)$$
And according to theorem 1:
$$\tau \cdot X = \tau \cdot \tau_{\{R, W\}} \partial_{\{Read, Write, read, write\}} \big( SPLICE(\{(0, 0)\}) \parallel X_0(0) \parallel X_1(1) \parallel X_2(2) \parallel X_3(3) \big)$$
Example 3 Alternatively, the same $X$ can be written as another LPE (a clustered LPE), branching bisimilar to the first one:
$$X(d : \{0, 1, 2, 3\}) = \sum_{e : Bool} a \cdot X(\text{if } (d = 0 \land e) \text{ then } 1 \text{ else } 3) \triangleleft d = 0 \lor d = 2 \triangleright \delta + b \cdot X(\text{if } d = 0 \text{ then } 2 \text{ else } 3) \triangleleft d = 0 \lor d = 1 \triangleright \delta$$
Then the distributed version would be:
$$X_0(m) = \sum_{d : \{0,1,2,3\}} \sum_{e : Bool} read(m, d) \cdot \big( a \cdot write(m + 1, \text{if } (d = 0 \land e) \text{ then } 1 \text{ else } 3) \triangleleft d = 0 \lor d = 2 \triangleright \delta + write(m + 1, d) \big) \cdot X_0(m + 2)$$
$$X_1(m) = \sum_{d : \{0,1,2,3\}} read(m, d) \cdot \big( b \cdot write(m + 1, \text{if } d = 0 \text{ then } 2 \text{ else } 3) \triangleleft d = 0 \lor d = 1 \triangleright \delta + write(m + 1, d) \big) \cdot X_1(m + 2)$$
And again, by theorem 1,
$$\tau \cdot X = \tau \cdot \tau_{\{R, W\}} \partial_{\{Read, Write, read, write\}} \big( SPLICE(\{(0, 0)\}) \parallel X_0(0) \parallel X_1(1) \big)$$
We showed two ways of distributing on SPLICE the process $(a + a \cdot b + b \cdot a) \cdot \delta$. Note how the "degree of distribution" can be changed by clustering the actions, as opposed to spreading them over more summands. In the first example, different $a$ actions were placed on different summands of the LPE; in the second, all $a$-actions were grouped on the same summand.
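The scheme of section 2, run on Examples 2 and 3, as an added executable model (not code from the paper): a Python model of the SPLICE process of section 1.2 (write as idempotent set insertion, read as a nondestructive read that is blocked while the pair is absent), the components $X_i(m)$ of (2.1) driven round-robin by the timestamp, and an exhaustive enumeration of the visible traces of (2.2), cut off after one full round of turn-passing in the spirit of CFAR. The Summand record, the omission of the data parameter $f_i$ and the comparison against the LPE's own traces are assumptions of this example.

```python
from collections import namedtuple

# One LPE summand: action label a_i, domain E_i, guard b_i(d, e) and
# next-state function g_i(d, e). The visible actions of Examples 2 and 3
# carry no data, so f_i is left out (a constructed simplification).
Summand = namedtuple("Summand", "action domain guard g")


class BasicSplice:
    """Global set of (timestamp, data) pairs with the two Basic Splice primitives."""

    def __init__(self, pairs):
        self.pairs = frozenset(pairs)

    def write(self, t, d):
        # W(t, d): adds the pair; writing a pair already present changes nothing.
        return BasicSplice(self.pairs | {(t, d)})

    def read(self, t):
        # R(t, d): possible only when some (t, d) is present; None models "blocked".
        for tt, dd in self.pairs:
            if tt == t:
                return dd
        return None


def distributed_traces(spec, d0, max_len=16):
    """Visible traces of  ||_i X_i(i) || SPLICE({(0, d0)})  (2.2), components as in (2.1)."""
    n = len(spec)
    traces = set()

    def activate(splice, ms, trace, idle):
        t = max(tt for tt, _ in splice.pairs)  # invariant 2: the newest timestamp is active
        i = ms.index(t)                          # the one component whose m_i is in A
        d = splice.read(ms[i])                   # read(m, d) succeeds and activates X_i
        if len(trace) >= max_len:
            traces.add(trace)
            return
        # Spec deadlocks at d: no summand is enabled, so every component passes forever.
        if not any(s.guard(d, e) for s in spec for e in s.domain):
            traces.add(trace)
            return
        # Fairness (CFAR): a full round of passes while an exit is enabled is not a fair run.
        if idle >= n:
            return
        nxt = ms[:i] + (ms[i] + n,) + ms[i + 1:]  # X_i continues as X_i(m + n)
        # Pass the turn: write(m + 1, d) with the data unchanged.
        activate(splice.write(t + 1, d), nxt, trace, idle + 1)
        # Act: a_i followed by write(m + 1, g_i(d, e_i)), for each e_i passing the guard.
        s = spec[i]
        for e in s.domain:
            if s.guard(d, e):
                activate(splice.write(t + 1, s.g(d, e)), nxt, trace + (s.action,), 0)

    activate(BasicSplice({(0, d0)}), tuple(range(n)), (), 0)
    return traces


def spec_traces(spec, d0, max_len=16):
    """Visible traces of the LPE itself, for comparison (one summand per transition)."""
    traces = set()

    def step(d, trace):
        moves = [(s.action, s.g(d, e)) for s in spec for e in s.domain if s.guard(d, e)]
        if not moves or len(trace) >= max_len:
            traces.add(trace)
            return
        for action, d2 in moves:
            step(d2, trace + (action,))

    step(d0, ())
    return traces


# Example 2: X = (a + a.b + b.a).delta as a four-summand LPE over d in {0,1,2,3}.
EXAMPLE2 = [
    Summand("a", [None], lambda d, e: d in (0, 2), lambda d, e: 3),
    Summand("a", [None], lambda d, e: d == 0, lambda d, e: 1),
    Summand("b", [None], lambda d, e: d == 0, lambda d, e: 2),
    Summand("b", [None], lambda d, e: d == 1, lambda d, e: 3),
]

# Example 3: the same process as the clustered two-summand LPE with e : Bool.
EXAMPLE3 = [
    Summand("a", [False, True], lambda d, e: d in (0, 2),
            lambda d, e: 1 if (d == 0 and e) else 3),
    Summand("b", [None], lambda d, e: d in (0, 1),
            lambda d, e: 2 if d == 0 else 3),
]

if __name__ == "__main__":
    for name, spec in (("Example 2", EXAMPLE2), ("Example 3", EXAMPLE3)):
        print(name, sorted(distributed_traces(spec, 0)), "matches spec:",
              distributed_traces(spec, 0) == spec_traces(spec, 0))
```

Both distributions yield exactly the traces a, ab and ba of the specification, and the enumeration shows the cost of the scheme: every visible step is paid for with up to n turn-passing writes.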
3. Correctness proof
This chapter is devoted to thoroughly proving that the translation defined above is correct, that is, to proving theorem 1.
First of all, to be able to compare the two processes appearing in the theorem, we need them in a linearized form. The specification $Spec(d)$ is an LPE already by definition; it remains to linearize the implementation (2.2). In [9] it was shown that this is possible.
3.1 Implementation linearized
Each component $X_i$ from the implementation (definition 2.2) passes in its life only through the following locations: 0 (ready to read), 1 (activated; make a choice: execute the action or pass the turn), 2 (action performed; pass the turn). A "life" example:
$$0 \xrightarrow{R} 1 \xrightarrow{W} 0 \xrightarrow{R} 1 \xrightarrow{W} 0 \xrightarrow{R} 1 \xrightarrow{a_i(d, e_i)} 2 \xrightarrow{W} 0 \xrightarrow{R} 1 \ \text{etc.}$$
In the linearized version of the implementation, we view everything globally. The state of the system as a whole will be described by the following parameters:
- $A$: the set of pairs (the database), the parameter of process $S$.
- $\vec{m} \in \mathbb{N}^n$: the vector of "moments"; $m_i$ = the parameter of process $X_i$, the moment when $X_i$ will be activated next.
- $\vec{l} \in \{0, 1, 2\}^n$: the vector of locations ($l_i$ is the current location of component $i$); as explained above, a location can only be 0, 1 or 2.
- $\vec{d} \in D^n$: the vector of data items; $d_i$ is the data that component $i$ currently knows of. Although in principle there is only one global view on data, components may temporarily have different views. That is why we need $\vec{d}$ as parameter, instead of just $d$.
For the initial state,
- $A = \{(0, d)\}$. We are at moment 0 and the current data is the global specification's parameter $d$.
- $\vec{l} = \vec{0}$. All the components are in the "start" location 0.
- $\vec{m} = (0, 1, \ldots, n - 1)$. Component $i$ waits to be activated at moment $i$; the first component to be activated is 0, triggered by $(0, d)$, the only pair in the database $A$.
- $\vec{d} = \vec{0}$. In the initial state the values in this vector do not matter, since they will be used only after being initialized by a reading (from $A$) action.
The fact that all components $X_i$ from (2.2) are independent allows us to obtain the linearized version of (2.2) by just summing their separate behaviors in the interaction with $SPLICE(A)$:
$$\begin{array}{rl}
Impl(A, \vec{l}, \vec{m}, \vec{d}) = \sum_{i=0}^{n-1} \Big( & \sum_{y} R(m_i, y) \cdot Impl(A, \vec{l}[l_i := 1], \vec{m}, \vec{d}[d_i := y]) \triangleleft l_i = 0 \land (m_i, y) \in A \triangleright \delta \\
& + W(m_i + 1, d_i) \cdot Impl(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 1 \triangleright \delta \\
& + \sum_{e_i : E_i} \big( a_i(f_i(d_i, e_i)) \cdot Impl(A, \vec{l}[l_i := 2], \vec{m}, \vec{d}[d_i := g_i(d_i, e_i)]) \triangleleft l_i = 1 \land b_i(d_i, e_i) \triangleright \delta \big) \\
& + W(m_i + 1, d_i) \cdot Impl(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 2 \triangleright \delta \Big)
\end{array} \qquad (3.1)$$
The use of the focus points method [10] to prove the equivalence between a specification and an implementation requires that the specification should not contain $\tau$-steps and that the implementation should be convergent (without infinite $\tau$-loops). This means that the equivalence of our specification and implementation cannot be immediately proved, because of the infinite $\tau$-loops that appear in the implementation when we abstract from $R$ and $W$.
Therefore we consider an intermediate specification $Y$, in which we abstract only from the $R$'s and the second $W$ (call it $W_2$), while keeping the other $W$ ($W_1$) as a visible action, but renamed to an action without arguments, $v$, because in $Y$ we also drop the database $A$.
When we distinguish between the two $W$'s, (3.1) becomes:
$$\begin{array}{rl}
Impl(A, \vec{l}, \vec{m}, \vec{d}) = \sum_{i=0}^{n-1} \Big( & \sum_{y} R(m_i, y) \cdot Impl(A, \vec{l}[l_i := 1], \vec{m}, \vec{d}[d_i := y]) \triangleleft l_i = 0 \land (m_i, y) \in A \triangleright \delta \\
& + W_1(m_i + 1, d_i) \cdot Impl(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 1 \triangleright \delta \\
& + \sum_{e_i : E_i} \big( a_i(f_i(d_i, e_i)) \cdot Impl(A, \vec{l}[l_i := 2], \vec{m}, \vec{d}[d_i := g_i(d_i, e_i)]) \triangleleft l_i = 1 \land b_i(d_i, e_i) \triangleright \delta \big) \\
& + W_2(m_i + 1, d_i) \cdot Impl(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 2 \triangleright \delta \Big)
\end{array} \qquad (3.2)$$
So, the claim of theorem 1 rewrites to:
$$\tau \cdot Spec(d) = \tau \cdot \tau_{\{R, W_1, W_2\}} \partial_{\{Read, Write, read, write\}} Impl(\{(0, d)\}, \vec{0}, (0, 1, \ldots, n - 1), \vec{0})$$
Next, we will proceed in 2 steps:
- pre-abstraction: define the intermediate specification $Y(c, d)$ and prove, using the focus points method, that
$$\tau_{\{R, W_2\}} \partial_{\{Read, Write, read, write\}} Impl(\{(0, d)\}, \vec{0}, (0, 1, \ldots, n - 1), \vec{0})[W_1 \to v] = Y(0, d)$$
(sections 3.2, 3.3, 3.4)
- abstraction: prove by fair abstraction that
$$\tau \cdot \tau_{\{v\}} Y(0, d) = \tau \cdot Spec(d)$$
(section 3.5)
3.2 Pre-abstraction
We define the intermediate specification $Y$ as follows:
$$Y(c, d) = \sum_{i=0}^{n-1} \Big( v \cdot Y((i + 1) \bmod n, d) \triangleleft i = c \triangleright \delta + \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot Y((i + 1) \bmod n, g_i(d, e_i)) \triangleleft i = c \land b_i(d, e_i) \triangleright \delta \big) \Big) \qquad (3.3)$$
The parameter $c$ is a natural number in $\{0, \ldots, n - 1\}$ and points to the active component $X_c(m_c)$. Its values in the successive calls of $Y$ reflect the order in which components become active:
$$Y(0, ?) \to Y(1, ?) \to Y(2, ?) \to \cdots \to Y(n - 1, ?) \to Y(0, ?) \to Y(1, ?) \to \cdots$$
The other parameter, $d$, is the global state of the system.
We aim to show, by using an appropriate state mapping, that this process is equivalent to the process $\tau_{\{R, W_2\}} Impl[W_1 \to v]$, which we will call $X(A, \vec{l}, \vec{m}, \vec{d})$:
$$\begin{array}{rl}
X(A, \vec{l}, \vec{m}, \vec{d}) = \sum_{i=0}^{n-1} \Big( & \sum_{y} \tau \cdot X(A, \vec{l}[l_i := 1], \vec{m}, \vec{d}[d_i := y]) \triangleleft l_i = 0 \land (m_i, y) \in A \triangleright \delta \\
& + v \cdot X(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 1 \triangleright \delta \\
& + \sum_{e_i : E_i} \big( a_i(f_i(d_i, e_i)) \cdot X(A, \vec{l}[l_i := 2], \vec{m}, \vec{d}[d_i := g_i(d_i, e_i)]) \triangleleft l_i = 1 \land b_i(d_i, e_i) \triangleright \delta \big) \\
& + \tau \cdot X(A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d}) \triangleleft l_i = 2 \triangleright \delta \Big)
\end{array}$$
The state mapping must relate equivalent states of $X$ and $Y$. To ensure this, the focus points method [10] requires that certain matching criteria be satisfied. In order to prove these, some properties that hold in all of $X$'s states will be necessary (invariants).
We continue by stating and proving a few invariants (section 3.3); then we will give the state mapping $h : States(X) \to States(Y)$ (section 3.4) and check the required matching criteria.
3.3 Invariants
In the following, $?$ denotes any instance of data from $D$.
We will need the function
$$active : States(X) \to \{0, \ldots, n - 1\}, \qquad active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) = \text{the } x \text{ for which } (m_x, ?) \in A$$
Lemma 1 The following invariants hold for the implementation $X$:
1. $(\forall t)$ there is at most one pair $(t, ?) \in A$.
2. $\exists! i\ (0 \le i < n)$ s.t. $(m_i, ?) \in A$ (i.e., $active$ is well defined). And $m_i = \max_{(t, d) \in A} t$.
3. If $x = active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle)$ then $\forall i \in \{0, \ldots, n - 1\}$ s.t. $i \ne (x - 1) \bmod n$: $m_{(i+1) \bmod n} = m_i + 1$, and $m_x = m_{(x-1) \bmod n} + 1 - n$. (In other words: in each state we have an arithmetic progression $m_x < m_{x+1} < \cdots < m_{n-1} < m_0 < \cdots < m_{x-1}$, with step 1.)
4. $\vec{l} = \vec{0}$, or ($\exists i\ (0 \le i < n) : l_i = 1$ and $\forall j \ne i\ l_j = 0$), or ($\exists i\ (0 \le i < n) : l_i = 2$ and $\forall j \ne i\ l_j = 0$).
5. If $l_i > 0$ then $active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) = i$.
Proof.
We first prove that these invariants hold for $X$'s initial state $\langle A^0, \vec{l}^0, \vec{m}^0, \vec{d}^0 \rangle = \langle \{(0, d)\}, \vec{0}, (0, 1, \ldots, n - 1), \vec{0} \rangle$:
1. Immediate.
2. $i = 0$.
3. $active(A^0, \vec{l}^0, \vec{m}^0, \vec{d}^0) = 0$. $(\forall i : 0 \le i \le n - 2)\ m^0_{i+1} = m^0_i + 1 = (m^0_i + 1) \bmod n$. And $m^0_0 = 0 = (n - 1) + 1 - n = m^0_{n-1} + 1 - n = m^0_{(-1) \bmod n} + 1 - n$.
4. $\vec{l}^0 = \vec{0}$.
5. $\vec{l}^0 = \vec{0}$.
Now, supposing that they hold for an arbitrary state $\langle A, \vec{l}, \vec{m}, \vec{d} \rangle$, we will prove that they are still true for $X$'s next state $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle$. We have to analyze the following possibilities (extracted from the description of process $X$):
- For some $k$, $l_k = 0 \land (m_k, ?) \in A$, and a $\tau$-step happens. Then $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle = \langle A, \vec{l}[l_k := 1], \vec{m}, \vec{d}[d_k := y] \rangle$.
In this case, (1), (2), (3) remain true because the state components that occur in these properties (the database $A$ and the moments' array $\vec{m}$) have not changed.
$(m_k, ?) \in A \overset{\text{inv. (2)}}{\Longrightarrow} active(A, \vec{l}, \vec{m}, \vec{d}) = k \Longrightarrow j \ne active(A, \vec{l}, \vec{m}, \vec{d})\ \forall j \ne k \overset{\text{inv. (5)}}{\Longrightarrow} l_j = 0\ \forall j \ne k$. But $l_k = 0$ too, so $\vec{l} = \vec{0}$, which means that $\vec{l}' = (0 \cdots 1 \cdots 0)$, i.e. (4) is true.
The only index $i$ for which $l'_i > 0$ is $k$ ($l'_k = 1$). $k = active(A', \vec{l}', \vec{m}', \vec{d}')$ (because $A' = A$ and $\vec{m}' = \vec{m}$), so (5) holds too.
- For some $k$, $l_k = 1$ and a $v$ action happens. Then $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle = \langle A \cup \{(m_k + 1, d_k)\}, \vec{l}[l_k := 0], \vec{m}[m_k := m_k + n], \vec{d} \rangle$.
1. We have to prove that the newly added pair $(m_k + 1, d_k)$ has not disturbed this property, i.e. there is no $(m_k + 1, ?)$ already in $A$. This is true, since $m_k + 1 > m_k \overset{\text{inv. (2)}}{=} \max_{(t, d) \in A} t$.
2. If $n > 1$, the unique $i$ is $(k + 1) \bmod n$, because $m'_{(k+1) \bmod n} = m_k + 1$ (inv. (3)) and $(m_k + 1, d_k) \in A'$. Uniqueness is given by inv. (1). If $n = 1$, the active process 0 remains active ($(m_0 + 1, d_0) \in A'$ and $m'_0 = m_0 + 1$).
3. $x' = active(A', \vec{l}', \vec{m}', \vec{d}') = (k + 1) \bmod n$. Notice that $(x' - 1) \bmod n = k$. For $i \in \{0, \ldots, n - 1\}$, $i \ne k$, $i \ne (k - 1) \bmod n$, the property remains true, as $m' = m$ for the values involved. It remains to be shown that $m'_k = m'_{(k-1) \bmod n} + 1$ and that $m'_{x'} = m'_k + 1 - n$:
$$m'_k = m_k + n \overset{\text{inv. (3)}}{=} (m_{(k-1) \bmod n} + 1 - n) + n = m_{(k-1) \bmod n} + 1 = m'_{(k-1) \bmod n} + 1$$
$$m'_{x'} = m_{x'} \overset{\text{inv. (3)}}{=} m_k + 1 = (m'_k - n) + 1.$$
4. $l'_i = l_i = 0\ \forall i \ne k$ and $l'_k = 0$. So, $\vec{l}' = \vec{0}$.
5. $\vec{l}' = \vec{0}$, by invariant (4).
- For some $k$ and some $e_k \in E_k$, $l_k = 1 \land b_k(d_k, e_k)$, and an $a_k$ action happens. Then $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle = \langle A, \vec{l}[l_k := 2], \vec{m}, \vec{d}[d_k := g_k(d_k, e_k)] \rangle$.
(1), (2), (3) hold because the state components involved are not changed by this step.
$l_k = 1 \overset{\text{inv. (4)}}{\Longrightarrow} l_i = 0\ \forall i \ne k$. So, since $l'_i = l_i = 0\ \forall i \ne k$ and $l'_k = 2$, (4) holds in the current state too.
And, finally, (5) holds too, as the active index did not change (it is still $k$).
- For some $k$, $l_k = 2$ and a $\tau$-action happens. Then $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle = \langle A \cup \{(m_k + 1, d_k)\}, \vec{l}[l_k := 0], \vec{m}[m_k := m_k + n], \vec{d} \rangle$.
All the invariants are shown to hold by a reasoning similar to the second case ("for some $k$, $l_k = 1$ and a $v$ action happens").
We proved (invariant 1) that for any "moment" $t$ there is at most one data item $d$ such that $(t, d) \in A$. When this item exists, we will denote it by $data(A, t)$.
Notice that $data(A, m_{active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle)})$ is defined for all reachable states in $States(X)$.
Lemma 2 If $l_i = 1$ then $data(A, m_i) = d_i$.
Proof. If $l_i = 1$ then the most recent step in $X$ was a $\tau$-step (a read from the database). This could happen only if the guard was true: $l_i = 0 \land (m_i, y) \in A$, for some $y$; by definition, $y = data(A, m_i)$. The changes that occur in the state $\langle A, \vec{l}, \vec{m}, \vec{d} \rangle$ as a result of this step are $l_i := 1$ and $d_i := y$. That is, $d_i := data(A, m_i)$.
3.4 State mapping
We define the state mapping $h : States(X) \to States(Y)$ as follows. Let $x = active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle)$.
$$h(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) = \begin{cases} \langle x, data(A, m_x) \rangle & \text{if } l_x \in \{0, 1\} \\ \langle (x + 1) \bmod n, d_x \rangle & \text{if } l_x = 2 \end{cases}$$
Proving bisimilarity between $X$ (which plays the role of the implementation) and $Y$ (the specification) turns into proving that $h$ satisfies the matching criteria [10]. For this, we heavily rely on the invariants discussed above.
Lemma 3 For $X$, $Y$ and $h$ described above, the matching criteria hold:
1. (a) For all $i$, $(\forall y \in D)\ l_i = 0 \land (m_i, y) \in A \to h(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) = h(\langle A, \vec{l}[l_i := 1], \vec{m}, \vec{d}[d_i := y] \rangle)$.
(b) For all $i$, $l_i = 2 \to h(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) = h(\langle A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d} \rangle)$.
(Internal steps in $X$ do not change the mapped state in $Y$.)
2. (a) For all $i$, $l_i = 1 \to c = i$ ($v$ enabled in $X \Rightarrow v$ enabled in $Y$).
(b) For all $i$, $(\forall e_i : E_i)\ l_i = 1 \land b_i(d_i, e_i) \to c = i \land b_i(d, e_i)$ ($X$ can do $a_i(f_i(?, e_i)) \Rightarrow Y$ can do $a_i(f_i(?, e_i))$).
(Soundness: in each state, for each external action, if $X$ can do it $\Rightarrow$ $Y$ can do it too.) The external actions that $X$ can do are $v$ (which can happen when $l_i = 1$) and $\{a_i(f_i(d, e_i))\}$ (which are enabled when $l_i = 1 \land b_i(d_i, e_i)$ is true).
3. $FC(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) : \exists i\ (0 \le i < n)$ s.t. $l_i = 1$ and $l_j = 0\ \forall j \ne i$, i.e. $\vec{l} = (0, \ldots, 0, 1, 0, \ldots, 0)$.
(a) For all $i$, $FC(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) \land i = c \to l_i = 1$.
(b) For all $i$, $(\forall e_i : E_i)\ FC(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) \land i = c \land b_i(d, e_i) \to l_i = 1 \land b_i(d_i, e_i)$.
(Completeness: $Y$ can do a step $\Rightarrow$ $X$ can do that step too, possibly after a number of internal steps.)
4. For all $i$, $(\forall e_i : E_i)\ b_i(d_i, e_i) \to f_i(d_i, e_i) = f_i(d, e_i)$.
(The data labels on the visible actions coincide.)
5. (a) $l_i = 1 \to h(\langle A \cup \{(m_i + 1, d_i)\}, \vec{l}[l_i := 0], \vec{m}[m_i := m_i + n], \vec{d} \rangle) = \langle (i + 1) \bmod n, d \rangle$.
(b) $l_i = 1 \land b_i(d_i, e_i) \to h(\langle A, \vec{l}[l_i := 2], \vec{m}, \vec{d}[d_i := g_i(d_i, e_i)] \rangle) = \langle (i + 1) \bmod n, g_i(d, e_i) \rangle$.
(Every visible action takes related states to related states, i.e. if the initial states in $X$ and $Y$ are $h$-mapped, then the states after executing the action are also $h$-mapped.)
Proof.
1. Let $\langle A, \vec{l}, \vec{m}, \vec{d} \rangle$ be $X$'s state before the $\tau$-step, $(c, d)$ the state in $Y$ mapped from it, $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle$ $X$'s state after the $\tau$-step and $(c', d')$ its $h$-mapped $Y$ state. We have to prove that $(c, d)$ and $(c', d')$ are equal.
(a) After the $\tau$-step, $x$ and $m_x$ are not changed (because $A$ and $\vec{m}$ did not change). The only different value is that of $l_x$, but this does not affect $h$'s definition, since $l_x := l_x + 1 = 1$ is still in $\{0, 1\}$. So, $\langle c', d' \rangle = \langle x, data(A', m'_x) \rangle = \langle x, data(A, m_x) \rangle = \langle c, d \rangle$.
(b) $l_i = 2 \overset{\text{inv. (5), def. } h}{\Longrightarrow} \langle c, d \rangle = \langle (i + 1) \bmod n, d_i \rangle$.
If $n > 1$ then $i = x \ne (x - 1) \bmod n \overset{\text{inv. (3)}}{\Longrightarrow} m_{(i+1) \bmod n} = m_i + 1 \Longrightarrow active(\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle) = (i + 1) \bmod n$. In the new state, $\vec{l}' = \vec{0} \Longrightarrow l'_{(i+1) \bmod n} = 0$.
$\langle c', d' \rangle \overset{\text{def. } h}{=} \langle (i + 1) \bmod n, data(A', m_{(i+1) \bmod n}) \rangle = \langle (i + 1) \bmod n, d_i \rangle = \langle c, d \rangle$.
If $n = 1$ then $i = x = (x + 1) \bmod n$, so $\langle c, d \rangle = \langle i, d_i \rangle$. The active process ($i = x = 0$) remains active in the new state (inv. (2)). $\langle c', d' \rangle \overset{l'_i = 0,\ \text{def. } h}{=} \langle i, data(A', m'_i) \rangle$. $m'_i = m_i + n$, i.e. $m_i + 1$, and in $A'$ there is $(m_i + 1, d_i)$ $\Longrightarrow data(A', m'_i) = d_i \Longrightarrow \langle c', d' \rangle = \langle i, d_i \rangle = \langle c, d \rangle$.
2. Let $\langle A, \vec{l}, \vec{m}, \vec{d} \rangle$ always denote the current state.
(a) $l_i = 1 \overset{\text{inv. (5)}}{\Longrightarrow} i = active(\langle A, \vec{l}, \vec{m}, \vec{d} \rangle) \overset{\text{def. } h}{\Longrightarrow} c = i$.
(b) True, because $d = d_i$ from lemma 2, and $l_i = 1 \to c = i$ was shown at 2(a).
3. (a) Let $i_0$ be the $i$ from $FC$ ($l_{i_0} = 1$). Then, from inv. (5) and the definition of $h$, $c = i_0$. But $c = i$ also, so $i = i_0$. This means that $l_i = l_{i_0} = 1$.
(b) $l_i = 1$ is shown with the same reasoning as in 3(a). $b_i(d_i, e_i)$ is true because $b_i(d, e_i)$ is true and $d = d_i$ (lemma 2).
4. The conditions $b_i(d, e_i)$ are evaluated when $l_i = 1$. By lemma 2 and the definition of $h$, we get $d = d_i$, so $f_i(d_i, e_i) = f_i(d, e_i)$.
5. Again, we will denote by $\langle A, \vec{l}, \vec{m}, \vec{d} \rangle$ and $\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle$ the states of $X$ before and after executing the discussed action. Similarly, $\langle c, d \rangle$ and $\langle c', d' \rangle$ are the corresponding states in $Y$.
(a) $l_i = 1 \overset{\text{inv. (5), lemma 2}}{\Longrightarrow} \langle c, d \rangle = \langle i, d_i \rangle$. $active(\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle) = (i + 1) \bmod n$, by a reasoning similar to 1(b). Because $l'_{(i+1) \bmod n} = 0$, we have $c' = (i + 1) \bmod n$ and $d' = d_i$. But according to lemma 2, $d = d_i$. So, $\langle c', d' \rangle$ is indeed $\langle (i + 1) \bmod n, d \rangle$.
(b) $l'_i = 2 \overset{\text{inv. (5)}}{\Longrightarrow} active(\langle A', \vec{l}', \vec{m}', \vec{d}' \rangle) = i \overset{\text{def. } h,\ l'_i = 2}{\Longrightarrow} \langle c', d' \rangle = \langle (i + 1) \bmod n, d'_i \rangle = \langle (i + 1) \bmod n, g_i(d_i, e_i) \rangle$.
So far we have proved that
$$\tau_{\{R, W_2\}} \partial_{\{read, write, Read, Write\}} \big( \parallel_i X_i(i) \parallel SPLICE(\{(0, d)\}) \big)[W_1 \to v] = X(\{(0, d)\}, \vec{0}, (0, 1, \ldots, n - 1), \vec{0})$$
and
$$X(\{(0, d)\}, \vec{0}, (0, 1, \ldots, n - 1), \vec{0}) = Y(0, d).$$
It remains now to establish: $\tau \cdot \tau_{\{v\}} Y(0, d) = \tau \cdot Spec(d)$.
3.5 Abstraction
The definition (3.3) says that
$$Y(c, d) = v \cdot Y((c + 1) \bmod n, d) + \sum_{e_c : E_c} \big( a_c(f_c(d, e_c)) \cdot Y((c + 1) \bmod n, g_c(d, e_c)) \triangleleft b_c(d, e_c) \triangleright \delta \big)$$
(for $c \in \{0, \ldots, n - 1\}$), i.e.,
$$Y(0, d) = v \cdot Y(1, d) + \sum_{e_0 : E_0} a_0(f_0(d, e_0)) \cdot Y(1, g_0(d, e_0)) \triangleleft b_0(d, e_0) \triangleright \delta$$
$$Y(1, d) = v \cdot Y(2, d) + \sum_{e_1 : E_1} a_1(f_1(d, e_1)) \cdot Y(2, g_1(d, e_1)) \triangleleft b_1(d, e_1) \triangleright \delta$$
$$\vdots$$
$$Y(n - 1, d) = v \cdot Y(0, d) + \sum_{e_{n-1} : E_{n-1}} a_{n-1}(f_{n-1}(d, e_{n-1})) \cdot Y(0, g_{n-1}(d, e_{n-1})) \triangleleft b_{n-1}(d, e_{n-1}) \triangleright \delta$$
$Y(0, d), \ldots, Y(n - 1, d)$ form a $\{v\}$-cluster, with exits
$$\{ a_i(f_i(d, e_i)) \cdot Y((i + 1) \bmod n, g_i(d, e_i)) \triangleleft b_i(d, e_i) \triangleright \delta \mid \forall i : 0 \le i < n \text{ and } \forall e_i \in E_i \}$$
CFAR [7] (Cluster Fair Abstraction Rule) states that in a fair execution, one of the exits will eventually be taken. In our case, this means:
$$\tau \cdot \tau_{\{v\}} Y(0, d) = \tau \cdot \sum_{i=0}^{n-1} \sum_{e_i : E_i} \tau_{\{v\}} \big( a_i(f_i(d, e_i)) \cdot Y((i + 1) \bmod n, g_i(d, e_i)) \big) \triangleleft b_i(d, e_i) \triangleright \delta$$
$$= \tau \cdot \sum_{i=0}^{n-1} \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot \tau_{\{v\}} Y((i + 1) \bmod n, g_i(d, e_i)) \big) \triangleleft b_i(d, e_i) \triangleright \delta$$
and similarly
$$\tau \cdot \tau_{\{v\}} Y(1, d) = \tau \cdot \sum_{i=0}^{n-1} \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot \tau_{\{v\}} Y((i + 1) \bmod n, g_i(d, e_i)) \big) \triangleleft b_i(d, e_i) \triangleright \delta$$
$$\vdots$$
$$\tau \cdot \tau_{\{v\}} Y(n - 1, d) = \tau \cdot \sum_{i=0}^{n-1} \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot \tau_{\{v\}} Y((i + 1) \bmod n, g_i(d, e_i)) \big) \triangleleft b_i(d, e_i) \triangleright \delta$$
From this it follows that $\tau \cdot \tau_{\{v\}} Y(0, d) = \tau \cdot \tau_{\{v\}} Y(i, d)$, for $i \in \{1, \ldots, n - 1\}$ (transitivity). So, we can write
$$\tau \cdot \tau_{\{v\}} Y(0, d) = \tau \cdot \sum_{i=0}^{n-1} \sum_{e_i : E_i} \big( a_i(f_i(d, e_i)) \cdot \tau_{\{v\}} Y(0, g_i(d, e_i)) \big) \triangleleft b_i(d, e_i) \triangleright \delta$$
By applying RSP we see that $\tau \cdot \tau_{\{v\}} Y(0, d)$ is a solution of $\tau \cdot Spec(d)$ (1.1).
This ends the proof of theorem 1.
4. Conclusions
We have proved that, from a functional point of view, the architecture Basic Splice is very expressive: any μCRL requirements specification has a distributed implementation on it. This extends a result in [12] which states that all finite processes can be distributedly implemented on Basic Splice.
Further work includes investigating other distribution schemes, based on different criteria. We should look for "efficient" implementations, for instance schemes that would minimize the number of communication steps (i.e., interactions with the database). To this end, it might be necessary to add new primitives to the current Basic Splice model or to consider weaker equivalences between specification and implementation.
Acknowledgments. Thanks to Bas Luttik and Jaco van de Pol for valuable discussions and suggestions.
References
1. R. Bloo, J.J.M. Hooman, and E. de Jong. Semantical aspects of an architecture for distributed embedded systems. In Proceedings of the 2000 ACM Symposium on Applied Computing, volume 1, pages 149-155, 2000.
2. Maarten Boasson. Control systems software. IEEE Transactions on Automatic Control, 38(7):1094-1106, July 1993.
3. M. Bonsangue, J. Kok, M. Boasson, and E. de Jong. A software architecture for distributed control systems and its transition system semantics. In Proceedings of the 1998 ACM Symposium on Applied Computing (SAC'98).
4. M. Bonsangue, J. Kok, and G. Zavattaro. Comparing software architectures for coordination languages. In P. Ciancarini and A.L. Wolf, editors, Proceedings of Coordination'99, volume 1594 of Lecture Notes in Computer Science, pages 150-165. Springer-Verlag.
5. Antonio Brogi and Jean-Marie Jacquet. On the expressiveness of coordination models. In P. Ciancarini and L. Wolf, editors, Coordination Languages and Models: Third International Conference, volume 1594 of Lecture Notes in Computer Science, pages 134-149, Amsterdam, 1999. Springer-Verlag.
6. P.F.G. Dechering and E. de Jong. Transparent object replication: A formal model. In Fifth Workshop on Object-oriented Real-time Dependable Systems (WORDS'99F), Monterey, California, USA, 2000. IEEE Computer Society.
7. Wan Fokkink. Introduction to Process Algebra. Texts in Theoretical Computer Science, An EATCS Series. Springer-Verlag, 2000.
8. Rob J. van Glabbeek and W. Peter Weijland. Branching time and abstraction in bisimulation semantics. Journal of the ACM, 43(3):555-600, May 1996.
9. Jan Friso Groote, Alban Ponse, and Yaroslav Usenko. Linearization in parallel pCRL. Report SEN-R0019, CWI, July 2000.
10. Jan Friso Groote and Jan Springintveld. Focus points and convergent process operators: a proof strategy for protocol verification. Report CS-R9566, CWI, 1995.
11. Rom Langerak. Transformations and Semantics for LOTOS. PhD thesis, Twente University, 1992.
12. Jaco van de Pol. Expressiveness of Basic Splice. Report SEN-R0033, CWI, December 2000.