An assessment of DREAM, appendix E by Riddle, W. E.
  
 
 
N O T I C E 
 
THIS DOCUMENT HAS BEEN REPRODUCED FROM 
MICROFICHE. ALTHOUGH IT IS RECOGNIZED THAT 
CERTAIN PORTIONS ARE ILLEGIBLE, IT IS BEING RELEASED 
IN THE INTEREST OF MAKING AVAILABLE AS MUCH 
INFORMATION AS POSSIBLE 
https://ntrs.nasa.gov/search.jsp?R=19800021565 2020-03-21T17:30:47+00:00Z
Ap pEt,\) D 1X E
From: H. Hunke, Software EngineeriM Environments, !forth-Holland
Pub.	 Co., AmsterTaFi, The Netherlands, 	 19 O) .
RSSM/ 100
AN ASSESSMENT OF DREAM
William E.	 Riddle
Cray Laboratories inc.
5311 Western Avenue
Moulder, Colorado	 80301
14
`r ^G VY ^ ^ '^V
	r
1	 ^	 ^
The Design Realization,	 Evaluation And Modelling	 (DREAM) System is eval-
uated.	 A short history of the DREAM research project is first given in
n order to provide an historical 	 context.	 Then,	 the significant charac-
teristics of DREAM as a development environment are given,	 the design
^ notation which is the basis for' the DREAM system is reviewed, and 	 the
o	 ca M development tools envisioned as part of DREAM are discussed.	 In the
N concluding section, 	 insights into development environments and their
production which we have gained from the work on DREAM are presented
r- and used to make suggestions for future work in the area of develop-
'D ment environments.
M
0
INTRODUCTIONo .
U During software system development, 	 help is	 critically needed	 in many activities,
^a	 + (n among them:	 1) recording what is known and what has been decided about the sys-
W U
tem,	 2) uncovering what is unknown, 3) assessing the suitability and the complete-
r,.,,- ness of the
	
(eventual)	 system, and 4) coordinating and monitr— ing the effQl , ts of
0 
o
the team working on the development project.
H^
Development environments are currently being studied as a way of providing help
b for these activities.	 A development environment is a collection of tools which
provide a facilitating context in which to carry out development.
	
The tools are
m.H typically programs,	 such as compilers or text editors, which augment the "powers"
G of the developers and ease the production of a suitable, executable version of the
system.
	
But,	 tools may also be n>tat onaZ and serve to augment the developers'
c
denotational powers, or cognitive and serve to rationalize the de.:velopment process.
No
,^ In this	 paper, we give an assessment of the Design Realization,
	 Evaluation And
^a o FS4 [Modelling
	 (DREAM)	 System, as a development environment. 	 In the next section, we
­t
a short history of the DREAM project in order to provide some historical
	 con-
e° w7 o text.	 Then,	 in the following three sections, we discuss 	 the significant charac-
a	
a teristics of DREAM as a development environment, give a brief overview of the
U H u notational	 tool which is the basis for the DREAM system, and discuss the other
04 V' tools provided	 (or to be provided) 	 by DREAM.	 In the concluding section, we relate
M a a some of the insights into development environments and their production which we
04 M
have gained from our work on DREAM.V
A SHORT HISTORY
Like most systems, DREAM is a product of initial goals, prior experiences, biases
This work was performed while the author was affiliated with the University of
^^^__	 Colorado and was su pported, in part, by grant NSG 1638 from NASA_LangJey Research
r;
k•
and external "forces." In this section, we provide a brief history of the DREAM
project with the intent of providing some insight into the technical and non-tech-
nical concerns which influenced the evolution of the DREAM system.
During the period 1973-1975, an auto^r.7ata theoretic formalism for modelling parallel
systems was developed and its theort;tical aspects were investigated (this work is
reviewed in [Riddle 79d] and [Riddle ! 79e7). Under the formalism, a parallel system
is considered to be a single-level Lollection of asynchronous components. Component
interdependencies are modelled by message exchang ►) and some components provide mes-
sage buffering capabilities. 'The non-buffering components are modelled as sequen-
tial processes which carry out a controlled sequence of message production, trans-
mission and reception operations. A parallel system's behavior may be described
in terms of sequences of message transfers among components using a notation very
similar to, but more powerful than the notation of regular expressions. The ex-
istence of dual behavior/r'<ructure i notations affords ti ►e opportunity to assess
the "correctness" of a parcicular system structure by assessing the consistency
between the behavior produced by thle structure and a specification of the system's
desired behavior. However, the power of the formalism is such that very few con-
sistency questions are algorithmically decidable.
Concurrent with this research, the TOPD system, developed by Peter Henderson and
his colleagues at the University of Newcastle upon Tyne ([Henderson 75b]), was
acquired and used as the basis for a senior-level software engineering course.
The TOPD system is a development environment oriented primarily toward the im-
plementation phase of sequential program development. It allows the development
of a program to be done as a series of abstract descriptions, each of which is
a finite-state model organized as a collection of data abstractions. The TOPD
notation allows the description of behavior in terms of state transitions and the
TOPD system provides assessment facilities [Henderson 75a] which allow the check-
ing of the consistency between a procedure's behavior l and structural descriptions.
It was in this context that the DREAM project began, in early-1976, with the in-
tent, of preparing a prototype version of a TOPD-like system useful for the develop-
ment of concurrent software systems. Sycor, Inc., provided support because the
prototype was potentially useful in developing software for clusters of intelligent
terminals.
The project was decidedly a research one, however, and was not driven in any way
by a particular software development effort at Sycor or elsewhere. One goal was
to investigate the feasibility and desirability of basing a concurrent foftware
system development environment upon the theoretical model of parallel systems which
had been developed. An equally strong goal was to provide a basis for the exper-
imental evaluation of development environments and methodologies. Our aspirations
in the latter direction followed from our feeling that experimental evaluation
required the R;ility to perform well-defined, analyzable, partial development
efforts and oor belief that a development environment supporting modelling pro-
vided this ability.
Initially, our efforts focused upon developing a notation primarily founded upon
our model of parallel systems but ,ghicr , utilized some notions from general sys-
tems theory and incorporated some compatible concepts from the TOPD Notation. We
blatan.tly stole the general structure of the TOPD notation, as well as its concept
of state-based models for describing data abstractions, but used our model of par-
allE'l systems as the conceptual basis for our notation and extended the state-
based model adopted from TOPD. The result was the DREAM Design Notation (DDN)
which will be discussed in a subsequent section.
1. We use the to-iii "structure in the automata theoretic sense of denoting the
causes of a sy c ' is behavior	 d we use the term "organization" to denote the
more phy giC dl A S r) e c t's of a	 Thus, we would say "data organization" instead
'k	 of ,_,d0l, st7-uct,ure."
During its development, we used DON in several description tasks in order to as-
sure ourselves that it was both effective and reasonably natural for describing a
relatively broad variety of systems including operating systems, process-based
problem solving systems and embedded control systems. Most of our description
"experiments," however, concerned operating systems or parts of operating systems,
We also adopted the TOPD system's organization and prepared preliminary versions
of many of the components of a prototype DREAM system ­ a data base, a syntax
checker and a command interpreter. Integration tasting of these components was
precluded by the disbanding of the research group in late-1977. Several of us
moved to other institutions, and we took advantage of the interruption in our ac-
tivity as a group to both prepare reports and critically examine what vie had done.
Ovtt-c the last two years, our critical examination has been broadened to consider
a ri;,mber of specific topics which arose during our development of DDN. Some of
these studies concerned the extension of DON's conceptual base to a broader spec-
trum of systems ([Wileden 78a], [Segal 80]). We also investigated both the rela-
tionship of our work to system's theory [Riddle 79b] and the nature of a top-down
design methodology based on dual behavior/structure notations such as DON
[Riddle 79c]. Finally, we have been developing algorithms that can be used (in
modified form) to assess the consistency of DON descriptions ([Bristow 79],
[Stavely 79]).
At the moment, the research group is distributed and loosely-coupled. Each of us
has a different focus to our individual work (flight control system design, dis-
tributed problem-solving system development, analysis algorithm development), but
our work is somewhat integrated through our previous joint efforts.
THE DREAM SYSTEM
A wide variety of systems may be called development environments — even r.urrent-
day operating systems are, in some sense, development environments. The different
possibilities may be distinguished by characteristics such as the system's method-
ological base, the development phases supported, the intended audience, etc. In
this section, we "define" the DREAM system in terms of a number of then. distin-
guishing characteristics.
9xaI1^l'
Concurrent Systems	 ` P^^ . I3'
POOR  QUAL11r
As indicated previously, DREAM is oriented towaru the development of concurrent
systems, i.e., systems .having parts which either actually or logically operate
in parallel. We have not restricted attention to any specific type of concurrent
systems and feel that DREAM is applicable to a wide variety including multi
programmed systems, multiprocess systems, multiprocessor systems, networks and
distributed systems. In DON, we have provided a set of description capabilities
which are appropriate for conceptualizing systems of any of these types even
though these types differ extensively with respect to some characteristics. As
a corollary, DON does not have facilitieti for describing those aspects, such as
the allocation of processes to processors, which distinguish theso different types
of concurrent systems (although these aspects can sometimes be indirectly
described) .
Our orientation toward this general class of software is not solely because of
our previous work on a formalism for describing parallel sy',tems. Rather, it is
our belief, confirmed by our own and others' experiences, that the development
of concurrent systems is particularly taxing, especially with respect to the
assessment of suitability.
i
r	 Design Phase
	
!4
DREAM is oriented toward
In this early segment of
tem's modules and define
upon decomposing a system
dicating the interactions
the an!W1,( tu1-r;1	 phase of software development.
the total (Ii-sign phase, the task is to delineate the sys-
the couplin(Is among modules.' Thus, attention is primarily
into its parts, defining the parts' interfaces, and in-
and interdependencies among the parts.
The architectural design phase is preceded and followed by other phases --indicat-
ing what these entail serves to delimit the architectural design phase even fur-
ther by indicating what it does no entail. Preceding the architectural design
; p hase are the )-oqui•i ,ainonts dcaffni.6iou and rslwol f'l'ootion phases during which the
system's overall capabilities are prescribed. Following the architectural design
phase are the al..l(,r-{l.lun t1o.siern and the -lilvicni ir.j^^'rim^>>trrt:i.^^r^ phases durinq which
the information structuring and manipulation aspects of the system are detailed
and encoded in some executable form. Thus, sandwiched as it is between these other
phases, a primiary purpose of the architectural design phase is to transform the
requirements levied against the entire s,;Item into information retention and man-
ipulation requirements to be satisfied by the system's components.
Implicit in this view of the system lifecycle is that system certification and
maintenance are fret. separate phases. Rather, certification, by either verifica-
tion or validation approaches, is viewed as a continual concern which must be per-
formed during wo), phase. Maintenance is viewed as regression to some previous
point in the development followed by re -development. Thus, the activities, of
certification and maintenance are improtant during the architectural design phase
and it is our intent to support these activities in DREAM.
Total System
In many applications, the components of a, concurrent system are physical ones
(e.g., aircraft engines) or human ones ( (,, .g., a patient being operated on) a's well
as software. DDN allows the consideration of the total system (hardware, wetware
and software) and thus permits the design of the software to be carried out with
full concern given to the environment in which the software will function.
Modelling
It is our belief that the..fundamental activity during architectural design is
modelling — in fact, the name "architectural design" was chosen to deliberately
suggest a relationship to the discipline of architecture in which the preparation
of schematic, conceptual models is a paramount concern. The models developed
during the architectural design of software (or buildings) are abstract repre-
sentations of the actual system which omit tho system's fine detail but faith-
fully reflect its externally observable characteristics. In these abstract rep-
resentations, whatever is represented is done so to a level of accuracy and rigor
that there is an adequate basis for suitability assessment. Also, the representa-
tions are in a medium in which alterations may be more easily investigated.
The analogy to architecture indicates one additional aspect of the design-level
modelling of software. This is that there are at least two purposes of a model.
One is that indicated above - it should reflect externally observable character-
istics. The second purpose is that the model should be an adequate basis for
preparing implementation plans (blueprints). DDN is intended as a medium in
which models with either or both of these. purposes can be prepared.
_ Funct.ional i t.y
Therie 0,01 mazy, IdLt:.L, F.r,	 seaf'twcar^t system'	 :itability, roughly partitionable
V) firnc-t 'Mal itv oncerns, c)erforinance
°ns. Some
	
c,	 a-^^d economic conce r
work has been done on assessment with respect to performance concerns 	 S
([Sanquinetti 77], [Sanquinetti 78], [Sancluinetti 79]) at the level of the con-
ceptual basis underlying DON, but tw oriontation of DUN itself is exclusively
upon the description and assessment of a system's functional characteristics.
This focus was taken in order to reduce the scope of our work to a manageable
size rather than because of any feeling that performance or economic concerns are
of less importance. Much to the contrary, we feel that truly effective env•;ron-
ments must support the assessment of systems with res pect to these other concerns;
but we also know that facilities to allow such assessment are extremely difficult
to provide.
Decision-making Support
As noted, certification is considerQd to be a continuous activity that is well-
integrated with the activity of design preparation. It is an intent of DREAM
that designers be able to not only gradually evolve a design but also be able to
gradually evolve a de^ Fensible confidence in the suitability of that design. Thus,
DREAM includes a number of tools which guide the decision-making process, allow
the recording of decisions, and help designers determine the validity of their
decisions.	 In DREAM, decision-making guidance is supported by tools which help
designers identify unmade decisions and the information impacting the decisions.
Decision recording is aided by providing appropriate notational tools (i.e.,
languages). Decision verification is aided by tools which allow designers to see
the results, in terms of the system's functionality, of a decision •! y ^ 04i^ evn^,oxt
of all previous decisions.
To date, our accomplishments have fallen short of our intentions and we have fully
developed only one decision-making tool, the DON notation for recording decisions
in terms of their effect on the structure and behavior of the system's components.
We have developed other techniques, discussed later, for decision verification,
but have not put these into a form compatible with DON.
Methodology Independence	
0>R,CGYI KC P1^GE I3
OF POOR QUALITY
Because of our goal to provide a facility for the evaluation of a variety of
methodologies, and because of our reluctance to posit a universally applicable
methodology, we attempted to keep.DREAM as free of methodological constraints as
possible. This did not, however, mean to us that we could not make the system
easier to use under one methodology and our proclivity toward top-dawn elabora-
tion is quite apparent in the DON language.
One effect of this decision is that DREAM does not enforce the use of any par-
ticular tools at any particular points during design evolution. Our view of the
DREAM system user (which we adopted from TODD) is that of a person who thinks
off-line and then uses the system to helm keep track of decisions and periodi-
cally derive information by which the logical consequences of the decisions may
be deduced. As a consequence, DREAM does 	 preclude the entry of new informa-
tion concerning the design which is incompatible with existing information.
Rather, DREAM enforces only the rule that all information is syntactically correct
and provides tools through which designers may uncover incompatibilities and in-
consistences when warranted by whatever design "style" they use.
Language-based Integration
While DREAM does not achieve the integration of its tools by organizina them
around a unifying methodology, it should be apparent from the discussion so far
that it does follow the alternativr approach to integration by basing the tools
upon some common notation. The DON language and the view of software systems
-.V_. L.._.^ .....{....L{..e:.__ n­iiAn 3 r•nRVnnn ha-i c
 fnr. dofinina thn tnnl r, and tI pir
relationships in terms of how they construct, modify and manipulate descriptions
in the language. The tools themselves make extensive use of both the syntactic
and the semantic aspects of DDN.
In actuality, DDN is a collection of compatible sub-lanquages. Therefore, DREAM is
more correctly characterized as being integrated on the basis of a family of com-
patible languages. Anyone who has worked with "large" programming languages will
appreciate the desirability of having a col le ction of "small," well-defined lan-
guages where attention has been given to separation of concerns..
"Sophisticated" Users
DREAM is intended to be used by experienced design practitioners. Provision is
made to represent information of interest to both requirements definers and sysi,crr,
implementors, but it is assumed that the design practitioners will function as
interpreters of the information for these other concerned parties. ro attempt has
been n'a;de to make DREAM usable by managers, end-system users, customers, docu-
wentors, testers, accountants, etc., all of whom have a legitimate concern in the
design and its implications. DREAM can, in some instances, represent the informa-
tion of interest to these agents, but the designers are again assumed to provide
an interpretive interface to this information.
DREAM DESIGN NOTATION
The heart of the DREAM system is the DDN language. It -?mbodies a formalism which
facilitates the conceptualization of concurrent software systems during their
architectural design. Also, it is the basis for the integration of the tools pro-
viding aid to design practitioners. Before describing these tools, it is necessary
to give a brief overview of the DDN language and that is the purpose of this sec-
Lion. More detail on the DDN language can be found in the cited reports or inferred
from the example that appears in the Appendix.
Structural Models
In DDN, a system is modelled as an hierarchical, but not necessarily tree-like,
organization of components which operate asynchronously. At each level in this
hierarchical decomposition of the system, components interact directly by the
transmission of messages or indirectly through shared information repositories.
Components which interact by message tran-mission are called Sul.)
	 ("?? r
([Riddle 77], [Riddle 78a], [Riddle 78b]). At each level, the subsystems represent
the components which operate concurrently. Each subsystem's 'interface to its
environment (i.e., the other subsystcins at the same level) is defined in terms of
) , , a rt:, through which messages may flow. The components within a subsystem know only
about the ports — the environment of the subsystem is riot visible to the subsystem's
components. Likewise, the environment knows only about the subsystem's ports and
cannot "see" inside the subsystem. Thus, the subsystem's interface is akin to a
data abstraction interface with the ports serving a role analogous to a data ab-
straction's procedures.
Some of a subsystem's components are primitive, that is, not decomposible. These
oont v7. T ,vore8v,°r govern the flow of messages through the ports and serve to dis-
tribute incoming messages to component subsystems and to collect messages from
component subsystems for transmission out through the ports. Control processes may
communicate directly by message transmission. Also, they may communicate via
shared information repositories.
In Figure 1, we give a gru,.,,,^_al reprr 	
-1tion of a DDN model using circles to
denote subsyst r	 triangles Ga denote control processes and squares to denote
DAIGMAL PAGE ],1
	
02 P-OOA -QUALXTX	 top
	
f	 `•
	
!	
^ 11
	
! ^	 I
r	 1
1
	
1+ 1 i 1	 ^^	 ^ ^
1	 !
	
^	
}	
1	
r	
I
subsystem	 —=-T message transmission "channel"
Q control process
fir•— procedure call with only value parameters
—•-!El procedure call with only result parameters
muni tor procedure call with both value anda^-• -^ result parameters
n link
procedure FIGURE 1
c
7
1
6-A o
.'w> F
av
N°V)o
^ A
1. 7.
w
W N
I O
O 0U OW U
cn wA
z
W O
H
o
H WQ
"skin." The small, black squares in the figure are special shared data reposi'- ' 8
tories, called ;irzk:,, which provide potentially infinite message buffering
facilities. This figure more clearly indicates that subsystems provide the means
for encapsulating collections of data storaq e components (internal, shared informa-
tion repositories) and data processing components (internal subsystems). Note that
component-sharing is allowed, even between levels of decomposition.
Shared data repositories are modelled as monitoi ,n [Hoare 741 since this well-known
construct provides much of what is needed [Riddle 79a]. A monitor in DUN denotes
a multi-procedure data abstraction which can function as a data repository shared
among asynchronous data processing components. There is the restriction that only
monitors may be components within monitors. (This somewhat arbitrary restriction
comes from a feeling that once a locus of control is sequentialized it should re-
main sequentialized.)
Behavior Models
A structural model reflects operational aspects of the system specifying interfaces
and modelling the algorithms which control the use of the interfaces. This is
analogous to defining the structure of a stack data abstraction and the structure
of a tree-search algorithm which uses a stack by specifying the Rush and pop pro-
cedures and giving an abstraction of the tree-search algorithm which indicates,
non-deterministically, the calls upon the push and pop procedures.
A structure gives rise to, or causes, some behavior which is the effect, over time,
of "executing" the structure. Thus the behavior of a stack data abstraction is
rei`lected by statements such as "the number of ms's is less than or equal to the
number of Push's," and the behavior of the stack as used by the tree-search al-
gorithm is reflected by statements which indicate the sequences of pop's and
push's which the algorithm creates when it is executed.
Notice that a component will have an	 (or zc tua l) brhuz , ior which is the
behavior the component's structure is capable of producing. A component will also
have one or more	 (or	 ^(^I) brhovi,ors which are those stemming from
the use of the component. In the absence of any knowledge of about how a compon-
ent is actually used, its	 hwh;avi,,	 can be defined with the implication
that any legal extrinsic behavior should exercise the component only in ways that
are indicated in the required behavior. DREAM'S certification tools, which will
be discussed later, determine suitability by comparing extrinsic, required and/or
intrinsic behaviors.
DDN provides a number of ways of specifying a component's required behavior and
thus giving a behavioral model of the component ([Riddle 78b], [Wileden 78b]).
Required behavior that relates to the usage of interfaces may be specified by in-
dicating conditions upon the information which may legally pass through the inter.
face. Thus, conditions may be levied against messages that may pass through
subsystem ports or values that may "pass through" parameters to monitor procedure
calls.
More complicated aspects of a monitor component's behavior, concerning when the
component's procedures may be legally invoked, may be specified by giving pre-
and post-conditions, stated in terms of the "stjte" of the component and associated
together to form a transition which indicates the effect of the procedure. For
example, a stack's states could be specified as em ty, full, and otherwi se and the
transitions for poi could be:
full — -i otherwise
othe rwi se -- -gp otherwise or e Rty
which indicate that	 •annot Lie Ierj,.,,,, invoked when the stack is ei^)tv
and specify t 1,, rec«irud behavior to be "causod" when pop is invoked.	 (Tho
specification of behavior by state transitions is a concept which we borrowed from 9
TODD.)
A final set of DON constructs for spurify Hg roquired behavior allows the descrip-
tion of behavior over time. l:'ocoo i.an bo dofinod as the occurrence of "interest-
ing happenings'" during system operation an(] the required behavior may then be ex-
F
	
	
pressed as required sequences of events. E'or example, procedure names are auto-
matically events and the usual requi,rod behavior for a stack could be specified as:
REENTRANT (SEQUENCE (jLush, pop))
which, because of the scm<fntics of RELNTRANT, wf^ans that the number of rj_ush's
f
must be greater than or elual to the number of ppp,'s.
f
The DDN constructs for event seciuVricc , definition are powerful but parsimonious.
Also, they are a formal notation and are therefore not extremely "friendly" for
design practitioners who lack training in the formal aspects of computer science.
However, they provide a set of denotational capabilities which are extremely im-
portant for behavioral modelling.
CITUGINAIC V GE IS
Organizational  Mode 1	 QR POOR QUALITY,
following the precedent set by the TOPD language (and originated, we believe, in
the Simula language [Dahl 66]), DON descriptions are a collection of al-,!;; defini-
tions. A model is therefore obtained from a description by a process of 1rtjCan-
t.-ia.l`o7r. Standard declarative constructs are used to denote hierarchical organ-
ization and special constructs are providod to denote component sharing since the
standard declarative constructs would permit only tree-like hierarchies
[Riddle 801. Message co;nmunication pathways among subsystems are defined by using
additional descriptive constructs.
DDN views instantiation as occurring entirely before execution and thus models
have a static organization. Many dynamic organizations can, however, be
"simulated" by the dynamic use of a static communication pathway organization,
but the resulting models tend to be overly complex and unclear.
A Final Word
DON is a poor programming language; but that's because it is not intended to be
a programming language. The intent in developing DUN is to provide modelling
constructs which allow the description of what modules comprise a system and what
the interactions among the modules should be. Exactly how the modules interact is
not considered to be properly part of a DDN model. Thus, for example, a single
concurrent process synchronization mechanism (message transfer) is provided in
DUN whereas one actual synchronization in the fully developed system would be
achieved by the use of one of a number of synchronization mechanisms.
However, DDN looks like a programming language and this is perhaps a mistake.
We have seen designers misled by the similarity and, as a consequence, they mis-
use the language. We feel, however, that the concepts included in DDN are the
right ones for the architectural design ofconcurrent systems. We feel that the
problems which arise should be solved by education of the designers rather than
changing DDN.
DREAM SYSTEM TOOLS
We plan a number of tools to help design practitioners in constructing suitable
models for concurrent software systems. We know that some of these tools are
feasible because we have constructed prototype versions. Others have been de-
,_....	 . _.._ .	
f
put them in a form suitable for use with DDN. We discuss these tools in this sec- 10
tion as if they have been constructed and the cited references indicate more ex-
actly the degree to which they have been developed.
Data Base Core
The fundamental tool in DREAM is a data base in which are stored fragments of a
DDN textual description. Most fragments define some aspect of some class of com-
ponents in the model; others give information concerning tests or analyses, doc-
umentation, etc. The DDN syntax defines how the =se fragments are related and
provides for naming them. Fragments to be retrieved from the data base are
selected by these names and thus DDN itself is used as the basis for the data base
query language.
Description fragments have other attributes besides names. In the current data
base implementation [Numbrecht 80], there can be an arbitrary number of addi-
tional attributes although the number of attributes and their values are fixed
for any data base. Further, there must be at least one attribute which hold a
time/date stamp reflecting when the fragment was inserted into the data base.
Users may establish a "slice" through the data base by specifying values for the
attributes and any modifications to the data base are relative to the fragments
in the active slice. The time/date stamp attribute is used to resolve all ambi-
quities, in effect selecting the "newest" fragment in any collection which is
selected by an ambiguous retrieval command or slice definition. This data base
organization provides a good deal of flexibility, alloying "windows" into the
data base which can reflect time, versions, design team organization, etc.
Bookkeeping Tools
In keeping with the view that a DREAM user intersperses relatively long periods
of offline thinking with relatively short periods of modification of the infor-
mation contained in the data base, the DREAM tools for aiding the maintenance
of the evolving design's description are simple extensions of the data base inter-
face. It is assumed that the host operating system's editor can be used to pre-
pare new or modified description fragments. The bookkeeping tools then amount
to 1) an entry tool which syntax checks the fragment and presents syntactically
correct fra gments to the data base for insertion, and 2) a retrieval tool which
interprets the user's retrieval directives and constructs the appropriate data
base query commands.
Decision-making Tools
The major tools provided by DREAM are those which aid design practitioners in
assessing the suitability of the design as it evolves and in identifying what
remains to be designed. These tools fail into three categories which we discuss
below.
F'hav zphi^as i nq 1'Uo7;,. Tools in this category re-present the information in the
data base in a form, perhaps structured in some canonical format or presented
graphically, in which the user may more easily inspect it and perhaps even iden-
tify some errors. The information is no more and no less than that already con-
tained in the data base although the use may focus on some subset of the total
information. Figure 1 is an example of chat might be produced by an instantia-
tion graph paraphrasing tool. Other par phrasing tools could produce control
maps akin to flow charts or they could p-oduce cross-reference charts.
Extraction Too Zs. Th = type of tool exa"ines the information in the data base
and, knowing the sF n, 	 - s of DDN, derivLs feedback "or the designers concerning
,^	 the charac jwr r s tic ^,	 Lrie model. Usually, this feedback concerns the intrinsic
FN
L____
c
simulators, finite-State testors [Henderson 75a,,t , .ind event sequence expression
	 11
derivers [Riddle 79e],
f.!3 r2S^,;".ra„^^^ (hr^,l^lr^a ;"^,3:' .	 These tools onci —,or incompatil; i l sties among various
description fragments or	 a doscriptinr, fragment and some rule (e.g,, no
deadlock), Because of the difficulty irnd impo^ _, p ity of doing exact, algorithmic
analysis, these tools uncover anomali-s (i.c;,, d( , ,^, Lions which are suspicious but
are noc confirmed errors) and the designers must use, intuition, experience and in-
sight to determine whether or not a 'det,ec:ted anomaly i in fact an error. Fxampl es
of consistency checking tools arty ; the TODD c.onsi ,itency checker [Henderson 75a],
event trace checkers [Stavely 79], and synchronization anomaly detectors
[Bristow 791.
rCONCLUSIONS	 OWTI'M	 T9Or Pooh QUALITY,
Even though we have riot yet prepared a full implementation of DREAM, our develop-
ment of DDN, along with its assessment and with our investigation into analysis
techniques and other associated topics, has ,ivtn us some insights into the char-
acteristics of effective development support systems. Further, we have also
gained some insight into major problems which remain to be Solved on the way to
achieving these systems. These insights, ;overal of them quite obvious with 20/20
hindsight, are discussed in this concludi-rg section.
Some Lessons Learned
By building on IWI D as a base language, arcs by not giving
enoug,n thought to the inadvisability of having a large, complex iangc:age, .:e
suffered a severe case of the "Second System Syndrome." We do not believe that we
have unnecessary constructs. Nor do wefeel that the constructs appear in conflict-
ing f•'orms. We do think that DDN should be more clearly decomposed into the family
of interrelated languages which it. actually is. Perhaps it is sufficient to par-
tition the 'language along structurt^/behavior/org,rnization lines, but that is not
entirely clear at the moment.
:1.h^x^^rt.i^^fi Of	 Decomposition oi' thi, not,itional tools into an integrated
collection of logically complete languages is part o f a larg-:r issue. il,'i. tools
in a development system must serve a narrowly defined purpose and it is a mistake
to make tools do "double duty.” For example, having DDN be both a model descrip-
tion language on,l the basis for a data base query language is a mistake since it
complicates the language and negatively impacts the a g ility to easily change either
aspect of the language.
It is, of cour se, extremely desirable that a Tower of Babel situation be avoided.
The point is that our experiences with DDN indicate: one should define a numher of
small, interrelated, well-defined languages and then attempt to amalgamate them.
We made the mistake of trying to put everything into one language from the very
beginning.
Tool w9agc. A beautifully handcrafted banjo can be just a piece of art and not a
musical instrument. So it is with software development tools - their value depends
on their usefulness for software development rather than their elegance on more
esoteric levels. It is imperative, therefore, that tools emerge through a natural
selection process involving actual use.
A well-established approach is to implement the tools, nut them into use, and see
how they are accepted. This is also an effective w:iy to "sell" tools to practi-
tioners since, if they accept the tool thn,n they will ask for more (a phenomenon
which has been called the "Potato Chip Principlo" [Nassi 80]).
For a number of reasons, we did not take this approach 'iii developing ^RE,\M. Per-
L_._-	 21...._.._^.J..4_.^. __l__^.__.._L.._i ^.. _____.._._	 I..__	 _._.. _..__.	 .
ter--®--°.-^ -	 ..:.,..-r	 -	 t.....^-	 .....,^ .	 „^.- .-r..- ^•-:r
V
evolve it as a result of that usage. But it is equally important to do gedanken'
	 12
experiments away from the heat of battle -- one has only to compare Pascal and
Fortran to see this. In developing DDN we have done a number of gedanken experi-
ments and feel that this introspective, controlled usage of tools is an important
development approach.
L'xp`l.oratio^z. DREAM provides little tll y,oat help for exploring and comparing alter-
native designs. Designers may describe alternatives, assess them individually and
compare the results. But, more sophisticated facilities are generally needed to
help developers keep track of the alternatives, their sirnilarites and their
differences. Facilities are also necessary to help developers trace back through
a sequence of decisions.
Tatluo(ztion.	 In teaching TODD and DDN, we have found it possible, but difficult, to
establish the right frame of mind for effective use of modelling-based tools.
Even those more sophisticated students, who embrace, good programming methodologies,
tend to use the familiar to understand the unfamiliar and look at architectural
design as something of the same nature as algorithm design, only more complicated.
Further, the fact that TOPD and DDN have their heritage in programming languages
fosters this reaction. We have found it mandatory to carefully establish the
nature of architectural design prior to introducing design notations.
Some Problems for the Future
R uuatlon. It probably overloads the world to create yet another paraphrase of
MacArthur's famous saying, but it is true that "(-,, Id programmers never die they
,just become designers,' And so it should be, since system designers must be rela-
tively sophisticat".ed programmers so that they create feasible designs. But this
means that we cannot rely on experience being the "teacher" and must directly
address the issue of educating developers in the ways to appropriately and effec-
tively use tools and development environments.
Lczrujuadrs. Several proposals for primitives which should be in languages for pro-
gramming distributed systems (e.g., [Andrews 771, [Hoare 78], [Liskov 79]) have
duplicated some of the primitives found in DDN. This indicates that some of the
primitives we developed for DDN are useful for the implementation-level descrip-
tion of systems. We view this as desirable since it lessens the gap between a
design and an implementation. But we also feel that blurring the distinction
between design and implementation is not a good idea since it will allow, and per-
haps even encourage, implementation decisions to be prematurely made. if the
language-extension approach to preparing development environments is chosen, we
feel it is critically important to allow the use of the primitive concepts (e.g.,
message transmission) without having to express all the details (e.g., message
buffering constraints).
I:oa7urz(.io7z. We currently lack the techniques that will be necessary to assess the
impact of tools and environments; there are many 	 advantages and disadvan-
tages, but assLssments are intuitive, subjective, ambiguous and contradictory. We
need models of the development process and developers themselves. We need metrics
of system quality and development methodology quality. And, we need some idea of
how to conduct "small," experimental development projects in a way which allows
valid inferences to be drawn concerning "large" efforts.
DeveZopment StryZc. A particular need, in order to be able to prepare truly effec-
tive environments, is for some understanding of how developers reaZly carry out
their work. Most development methodologies make the assumption that the process
of development is, or can be, the ord6 cl v progression of logical steps, and ration-
alization of the process i,, no doubt, beiteficial. But creative processes are
nor°torious fr-, their randot ass and we need to understand the nature of this ran-
domness rath	 +han try f ,	 nlinato or control it. Only with such an understand-
ing can Offec'.ivo heat) b
	
thy° -ih software development tools and environments.
fI
ACKNOWLEDGMENTS
I am indebted to the other members of the DREAM project -- John Sayler, Al Segal,
Al Stavely and Jack Wileden — for their help, Thor comments and assessments pre-
sented here were formulated during nunorou s
 discussions and I would like to thank
the following people in particular for their willingness to listen and construc-
tively criticize: Roy Campbell, Bryan Edwards, Gerry Estrin, Vic Lesser, Ed Senn,
Raymond Yeh, and Pamela Zave.
G
REFERENCES
	
	
t)RTGINATC P YI& VT
OF POOR gUALIT i
Andrews 77
G.R. Andrews and J.R. McGraw. Language features for process interaction.
Softwan'^^ 	 No t(iv, 0, 2 (March 1977), 114-127.
Bristow 79
G. Bristow, C. Drey, B. Edwards and W. Riddle. Anomaly detection in concurrent
programs. I' k n hha , t h NOPa;N''cnal r':>nj% on Woftu>zpo F,'itginearing, Munich,
Germany, (September 1979), pp. 265-273.
k
Dahl 66
0. Dahl and K. Nygaard. SIMULA - An Algol-basod simulation language. t'cwun.
9 ( September 1966) , 671-678.
Dijkstra 68
E.W. Dijkstra. The structure of the T.H.E. multiprogr aiming system. G"ry%m.
11. c.. :. , 11, 5 (ray 1905) , 341-346.
Henderson 75a
P. Henderson. Finite state modelling in program development. sIr.;1Iw uut: ucs,
10, 6 (June 1975), 221-227.
Henderson 75b
P. Henderson, R.A. Snowdon, J.U. Gorrie and I.I. King. The TOPD System, Tech.
Report 77, Computing Laboratory, Univ. of Newcastle upon Tyne, England,
(September 1975).
Hoare 74
C.A.R. Hoare. Monitors: An operating system structuring concept. C(mr., . A, 6'. N.
175 10 (October 1974), 549-557.
Hoare 78
C.A.R. Hoare. Communicating sequential processes. t.^u= A.C.M., A, 8 (August
1978), 666-667,
Humbrecht 80
J. Humbrecht. DE:MDAB: A design and maintenance data base system. M.S. Thesis,
Dept. of Computer Sci., Univ. of Colorado at Boulder, Colorado, (to appear 1980).
Liskov 79
B.H. Liskov. Primitives for distributed computing. Proc. Symp. on Operating
System Principles, Asilomar, California, (December 1979), pp. 33-42.
Nassi 80
I. Nassi. Software development tools: An industrial perspective.
	 In Riddle
and Fairley (eds.), 	 007S, Springer Verlag, Heidleberg,
Germany,(1980).
Riddle 72
W.E. Riddle. Hierarchical modelling of operating system structure and
Proe. A.O.M.. Notion& Conj%, Boston, August 1972.
Riddle 77
W. Riddle. Abstract process types. RSSM/42, CU-CS-121-77„ Dept. of Computer
Sci., Univ. of Colorado at Boulder, (December 1977; revised July 1978).
13
!	
`	 4
4
y
S
14
Riddle 78a
W. Riddle, J. Sayler, A. Segal, A. Stavely and J. Wileden. A description scheme
to aid the design of collections of concurrent processes. Py,oc. 19?8 Ala ti.onaZ
Comj)uter Conj'., Anaheim, California, (June 1978), pp. 549-554.
Riddle 78b
W. Riddle, J. Wileden, J. Sayler, A. Sogal and A. Stavely. Behavior modelling
during software design. JAWE Y'mma. rrr „r>ft.7,7avr Ent	 (I 	 SR-4, 4 (July 1978),
283-292.
Riddle 79a
W, Riddle, J. Sayler, A. Segal, A. Stavely and J. Wileden. Abstract monitor
types.	 1jive. - 'J)vc ,ificatioli oj ' Holi•abl,` :ii rf ' 17Ji71'i.' C.onf., Boston, Massachusetts,
(April 1979), pp. 37-43.
Riddle 79b
W. Riddle and J. Sayler. Modelling and simulation in the design of computer
software systems.
	
In Zeigler (ed. ), Aft ,
 i hock) lo,.ip 4- n .5ya ains Model iin;i an'i
Simulut-ion, North-Holland, Amsterdam, The Netherlands, (1979), pp. 359-386.
Riddle 79c
W. Riddle. An event-based design methodology s- ► pported by DREAM. In Schneider
(ed. ) A'0in;aZ Alo(lel3 anti' Pvactl,ral g'ooli, fi71' htf lJZ'viut vn Syete7m5 1Rc_v i n, North-
Holland, Amsterdam, Tie Netherlands, (1979), pp. 93-108.
Riddle 79d
W. Riddle. An approach to software system behavior description. ocwgit[1,
Languaued, 4, (1979) , 29-47.
Riddle 79e
W. Riddle.An approach to software system modelling and analysis. C,•arrj:^.?t,?r
Lun(yaayes, 4, (1979) , 49-66.
Riddle 80
W. Riddle, J. Sayler, A. Segal, A. Stavely and J. Wileden. Hierarchical de-
scription of software system organization. z lmu. 13th Hawaii Intevm-2tlonaz c"onf.
on SYsGem Sci., Honolulu, Hawaii, (January 1980).
Sanguinetti 77
J.W. Sanguinetti. Performance prediction in an operating system design method-
ology. RSSM/32 (Ph.D. Thesis), Dept. of Computer and Comm. Sci., Univ. of
Michigan, Ann Arbor, Michigan, (May 1977).
Sanguinetti 78
J.W. Sanguinetti. A formal technique for analyzing the performance of complex,
systems. Proc. CF'rUG Conf., Boston, Massachusetts, (October 1978).
Sanguinetti 79
J.W. Sanguinetti. A technique for integrating simulation and system design.
Proc. Conk'. ore Simulation, Maaeum ment zncl A1odc'll •l7,q of Computer
Boulder, Colorado, (August 1979), pp. 163-172.
Segal 80
A. Segal. Modelling supervisory systems which execute on interruptible
pro c essors. Ph.D. Thesis, Dept. of Computer and Comm. Sci., Univ. of Michigan,
Ann Arbor, Michigan, (to appear 1980).
Stavely 79
A. Stavely. The membership problem for behaviors of concurrent software systems.
RSSM/93 and CSR 153, Computer ,
 Sci. Dept., New Mexico Inst. of Mining and Tech.,
Socorro, New Mexico, (September 1979).
Wileden 78a
J.C. Wileden. Mod-lling para"el systems with dynamic structure. RSSM/71
(Ph.D. Thesis), '	 t. of Com,- er and Comm. Sci., Univ. of Michigan, Ann Arbor,
Michigan, ()anuary 1978).
15
Wileden 78b
Wileden, J.C. Behavior specification in a software design system. RSSM/43,
COINS Tech. Rep. 78-14, Dept. of Computer and Info. Sci., Univ. of Massachusetts,
Amherst, July 1978.
Y
DTtI INAX
	 T3
QT; F-MR, Q) L T '1.1T'Y:
ji
hK
APPENDIX:	
16
.Example DDN Description
In this appendix, we give a DDN description of an operating syster , that is struc-
tured similarly to the T.H.E. operating system developed by Dijkstra and his
colleagues [Dijkstra 68]. The description given here is essentially a translation
of the description given in a notation that served as a basis for the DDN notation
[^Ri ddl a 72].
First we use the DDN Notation to give simple models of the devices managed by the
operating system.
[memory control unit]: SUBSYSTEM CLASS;
DOCUMENTATION; Items in this class of subsystems process
requests for reading and writing of the real memory.
Each request is in the form of an address within the
real memory space. No account is taken in this model
of the response to a read request.
END DOCUMENTATION;
channel: IN PORT;
BUFFER SUBCOMPONENTS; address OF [real address]
END BUFFER SUBCOMPONENTS;
END IN PORT;
process: CONTROL PROCESS;
MODEL; ITERATE; RECEIVE channel;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
[operator console]: SUBSYSTEM CLASS;
DOCUMENTATION; This models the console and the operator
using it.
END DOCUMENTATION;
message_in: INPORT;
BUFFER SUBCOMPONENTS; message OF [program message]
END BUFFER SUBCOMPONENTS;
END IN PORT;
reply_out: OUT PORT;
BUFFER SUBCOMPONENTS; reply OF [operator reply]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
operator: CONTROL PROCESS;
MODEL; ITERATE; RECEIVE message in;
SET reply TO ans;
SEND reply out;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
[card reader]: SUBSYSTEM CLASS;
DOCUMENTATION; This models the actual card reader. For
purposes of this model, the card reader reads in one
card at a time in response to requests from some part
of ­ n operatin g
 vstem.
F' ,	'CUMENTATTu,',;
PNg	 TrM CLASS,
[card reader]: SUBSYSTEM CLASS;
request in: INPORT;
BUFFER SUBCOMPONENTS; read ,request OF [read request message]
END BUFFER SUBCOMPONENTS;
END IN PORT;
card out: OUT PORT;
BUFFER SUBCOMPONENTS; card image OF [card]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
reader: CONTROL PROCESS;
MODEL; ITERATE; RECEIVE request in;
SET card image TO defined;
SEND card out;
END ITERATE;	 OJ 1GINAL pAGE. r^END MODEL;	 POOR
END CONTROL PROCESS; 	 QUALI'fy
END SUBSYSTEM CLASS;
[printer]: SUBSYSTEM CLASS;
DOCUMENTATION; The model is of a printer which receives
carriage control signals separately from lines to to
printed. It is not necessary that each carriage
control signal be followed by a line to be printed.
END DOCUMENTATION;
carriage control: IN PORT;
BUFFER SUBCOMPONENTS; signal OF [carriage—control—signal]
END BUFFER SUBCOMPONENTS;
END IN PORT
contents: IN PORT;
BUFFER SUBCOMPONENTS; line OF [print—line]
END BUFFER SJ BCOMPONENTS ;
END IN PORT;
print: CONTROL PROCESS;
MODEL; ITERATE; RECEIVE carriage control;
MAYBE; RECEIVE contents;
END MAYBE;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
In giving these models, we have indicated the need to have several different types
of information. In some cases, we have indicated "values" that pieces of infor-
mation should assume. This can be recorded more explicitly by using DDN monitor
classes to record the names for these types of information and their possible
"values" as delineated so far.
[real address]: MONITOR CLASS;
E.,'-,! D MONITOR CLASS;
[program message]: MONITOR CLASS;
DOCUMENTATION; messages sent by a program to the operator
through the operator's console;
END DOCUMENTATION;
END MONITOR CLASS;
[operator_ reply]: MONITOR CLASS;
STATE SUBSETS; ans END STATE SUBSETS;
END MONITOR CLASS;
4.
17
[read request message]: MONITOR CLASS;
END MONITOR CLASS;
18
[card]: MONITOR 01LASS;
STATE SUBSETS; defined END STATE SUBSETS;
END MONITOR CLASS;
[carriage control signal]: MONITOR CLASS;
END MONITCk CLASS;
[print _line]: MONITOR CLASS;
END MONITOR CLASS;
Before giving the operational parts of the operating system itself, another prim-
itive part of the overall system that needs to be modelled is a program running
under the operating system. The system is a multiprogrammed one, so the class
definition facilities are used to model a generic program running under the
operating system. With respect to the devices and resources managed by the oper-
ating system, the important thing to describe about a program is that it produces
a nondeterministic sequence of uses of the various resources and devices.
[program]: SUBSYSTEM CLASS;
card request: OUT PORT;
BUFFER SUBCOMPONENTS; read request OF [read—request—message]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
read card: IN PORT;
BUFFER SUBCOMPONENTS; card image OF [card]
END BUFFER SUBCOMPONENTS;
END IN PORT;
printer control:.OUT.PORT;
BUFFER SUBCOMPONENTS: signal OF [carriage—control—signal]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
line contents: OUT PORT;
BUFFER SUBCOMPONENTS; line OF [print_,line]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
to_operator: OUT PORT;
BUFFER SUBCOMPONENTS; message OF [program message]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
from operator: IN PORT;
BUFFER SUBCOMPONENTS; reply OF [operator reply]
END W FF ER $U BCOMPONENTS;
END INPORT;
access: OUT PORT;
BUFFER SUBCOMPONENTS; address OF [virtual—address]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
END SUBSYSTEM CLASS;
[virtual address]: MONITOR CLASS;
STATE SUBSETS; defined END STATE SUBSETS;
END MONITOR CLASS;
w I
COMMENT read operation;
SET read request TO defined;
SEND card request;
RECEIVE read card;
COMMENT write operation;
SET signal TO defined;
SEND printer control;
MAYBE; SET line TO defined;
SEND line contents;
END MAYBE;
COMMENT interact with operator;
SET message TO defined;
SEND to operator;
MAYBE; COMMENT riot all messages
regjire a reply;
RECEIVE from operator;
(PERHAPS)
O'R'GlAro
END MAYBE;
(OTHERWISE) COMMENT read or write a location
in program's virtual
raemory space;
SET addre ,;s TO defined;
SEND access;
END SELECT;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
Notice that there is an inconsistency among these models — the operator always
replies to each message that a program sends whereas the program does not always
expect a reply. This could be uncovered by simulation-based testing at this
level of modelling or by more formal analysis. This inconsistency will be re-
moved when the operation of the system with respect to conversations between a
program and the operator is elaborated later.
The description of the operating system at this level of modelling may be com-
pleted by giving models of the major operational parts of the operating system.
First, the address translator which converts addresses in the virtual memory spaces
of the programs into the actual memory space of the memory system:
[address translator]: SUBSYSTEM CLASS;
virtual space: IN PORT;
BUFFER SUBCOMPONENTS; v address OF [virtual—address]
END BUFFER SUBCOMPONENTS;
END IN PORT;
actual space: OUT PORT;
BUFFER SUBCOMPONENTS; a address OF [real_address]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
END SUBSYSTEM CLASS;
'[address 
—
translator]: SUBSYSTEM CLASS' translate: CONTROL PROCESS;
MODEL; ITERATE; RECEIVE virtual space;
SET a address TO defined;
SEND actual space;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
'[program]: SUBSYSTEM CLASS' r
MODEL; ITERATE; SELECT;
(PERHAP^F )
(PERHAPS)
un: CONTROL PROCESS;	 19
Before giving mode's of the other major processing portions of the operating sys-
terns_ the de_fi:nitA..nnc_.n.f .tha niarac. n:f inf_n.r_ma.ti.nn nrnr_cc_cad b y	 ehnailA	 J
be updated.	
20
'[read_request message]: MONITOR CLASS'
STATE SUBSETS defined END STATE" SUBSETS;
'[carriage_control signal]: MONITOR CLASS'
STATE SUBSETS defined END STATE: SUBSETS;
'[print line]: MONITOR CLASS'
STATE SUBSETS defined END STATE SUBSETS;
'[program message]: MONITOR CLASS'
STATE SUBSETS defined END STATE SUBSETS;
'[real address]: MONITOR CLASS'
STATE SUBSETS defined END STATE: SUBSETS;
At this level of modelling, there are no further distinctions that can be made
among the "values" of these pieces of information.
The next processing module within the operating System is the handler of messages
between the programs and the operator. At this level of modelling, the handler
is either passing on a program's message, perhaps with some accesses to the
handler's virtual memory space, or passing on the operator's reply, again possibly
with some accesses to the handler's virtual memory space. The description o` this
class is parameterized with respect to the number of programs that can be handled.
BUFFER SUBCOMPONENTS;
t PORT;
IN PORT;
SUBCOMPONENTS; reply OF [operator—replyli
BUFFER SUBCOMPONENTS;
PORT;
reply out: ARRAY[1::# of_y;rograms] OF OUT PORT;
BUFFER SUBCOMPONENTS; reply_to program OF [operator—,reply]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
END SUBSYSTEM CLASS;
[message_interpreter]: SUBSYSTEM CLASS;
access: OUT PORT;
BUFFER SUBCOMPONENTS; address OF [virtual address]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
collector: ARRAY[l::# ofjrogram;] OF CONTROL PROCESS;
DOCUMENTATION; These control processes serve to funnel all
of the messages from all of the programs into one stream
and therefore to model that the message handler can
handle the messages in any order.
END DOCUMENTATION;
message stream: LOCAL OUT PORT;
BUFF'=R SUBCOMPONENTS; hold message OF [program message]
BUFFER SUP 4'MPONENTF
:AL OUT PORT;
mnvir i	 T-r mh-rt	 orrriv ND
lk
[message_interpreter]: SUBSYSTEM CLASS;
QUALIFIERS: #, of programs END QUALIFIERS;
message_in: ARRAY [1::# of_programs] OF IN P(;;';
BUFFER SUBCOMPONENTS; message OF [program-message]
END BUFFER SUBCOMPONENTS;
END INPORT;
message out: OUT PORT;
BUFFER SUBCOMPONENTS; message—to—operator OF [program message]
END
END OU'
reply in:
BUFFER
END
END IN
tzl
SET hold message(MY INDEX) TO message(MY_INDEX);
SEND nu,ssagc,—stream(MY„INDEX);
END ITERATE;
END MODEL;
END CONTROL PROCESS;
handler: CONTROL PROCESS;
get message: LOCAL IN PORT;
BUFFER SUBCOMPONENTS; one of the messages OF [program message]
END BUFFER SUBCOMPONENTS;_
END LOCAL IN PORT;
MODEL; ITERATE; RECEIVE get message;
ITERATr PERHAPS;
SET address TO defined;
SEND access;
END ITERATE;
SET message_ to , operator TO defined;
SEND message out;
MAYBE; COMMENT reply not always expected;
RECEIVE reply--in;
ITERATE PERHAPS;
^RI,GINAI; ^,
	
SET address TO defined;
app	 ^pE I$	 SEND access;
^UALjT	 END ITERATE;
FOR SOME i IN [1::# of programs];
SET reply 
—
to_program(i) TO defined;
SEND reply out(i);
END FOR;
END MAYBE;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
CONNECTIONS;
FOR ALL i IN E1::# of programs];
PLUG(collector(i)jmessage_stream,
END FOR;
END CONNECTIONS;
END SUBSYSTEM CLASS;
The connections among the ports of the control processes serve, as the comment in
the documentation of the collector control processes indicates, to set up a message
communication network which funnels all of the messages into one stream. This net-
work, when there are four programs, may be graphically represented as in Figure 2.
A further elaboration of the message interpreter, given later, will indicate that
an alternative communication network is really used. This one, and the models of
the control processes, serve to give an abstract description of the interactions
of this part of the operating system with the other parts of the operating system.
The remaining major part of the operating system is the spooling subsystem. In
the following model of this part, we exhibit an alternative to funnelling message
from many sources into one stream — the spooler is set up to poll the various
sources of requests in some nondeterministic (at this point anyway) order.
handlerjget_message);
repl _ t(1) message_in(1)
rep ^ ou 2)
re y_ t(3)
	 coll ctor(1)
	 message in(2)
r ply , it(4
cone tor(2)
colt	 tor(3)
^^	 •. messag _in(3)
reply__i
message`	 coll ctor(4)
access 
FIGURE 2
)i
[spooling—system]: SUBSYSTEM CLASS;
access: OUT PORT;
r	 BUFFER SUBCOMPONENTS; address OF [virtual address]
END BUFFER SUBCOMPONENTS;
	 [v
—
addr
 OUT PORT;
to operator: OUT PORT;
BUFFER SUBCOMPONENTS; message OF [program message]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
from operator: IN PORT;
BUFFER SUBCOMPONENTS; reply OF [operator—reply]
i	 END BUFFER SUBCOMPONENTS;
END IN PORT;
END SUBSYSTEM CLASS;
`	 [spooling system]: SUBSYSTEM CLASS;
QUALIFIERS; # of user programs END QUALIFIERS;
read
—
request
 _in: ARRAYY[l::# of user
—
Programs]
  OF IN PORT;
BUFFER SUBCOMPONENTS; program read request
OF [read request message]
	
i
END BUFFER SUBCOMPONENTS;	 I
END IN PORT;
read request out: OUT PORT;
BUFFER SUBCOMPONENTS; read request OF [read—request—message]
END BUFFER SUBCOMPONENTS;
END OUP' PORT;
read car-: IN PORT;
BUFFr SUBCOMPONF "!TS: card image OF [card]
`t!FFER SUBCOMPONENT7 ;
LND 1'! faU't^^`;
f
22
23BUFFER SUBCOMPONENTS; dc:livc:reci^cardimay^: OF [card]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
printer control in: ARRAY[1::,1 of user programs] OF IN PORT;
BUFFER SUBCOMPONENTS; signal OF 'Tcarriage ,Ac:ontrol signal]
END BUFFER SUBCOMPONENTS;
END IN PORT;
printer control out: OUT PORT;
BUFFER SUBCOMPONENTS; signal_to__printer
OF [carriage
.—
control
—
signal]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
line contents in: ARRAY[1::11 of user programs] OF IN PORT;
BUFFER SUBCOMPONENTS; line OF [print—line]
END BUFFER SUBCOMPONENTS;
END IN PORT;
line contents out: OUT PORT;
BUFFER SUBCOMPONENTS; line to y rinter OF [print line]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
spooler: CONTROL PROCESS;
MODEL; ITERATE; SELECT;
(PERHAPS) COMMENT send a message to tho
operator;
SET message TO defined;
SEND to operator;
MAYBE; RECEIVE from operator;
END MAYBE;
(PERHAPS) COMMENF read or write a location
in virtual memory space;
SET address TO defined;
SEND access;
(OTHERWISE) COMMENT service a request
from one of the user
programs;
FOR SOME i IN [1::# of user_programs];
MAYBE; RECEIVE rcadrequest_in(i);
SET read request TO defined;
SEND read request out;
RECEIVE read card;
SET delivered_ccard image(i)
TO card ^image;
END
END ITERATE;
END MODEL;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
SCND read care! out(i) ;
ELSE:	 _ 
JiECEIVE printer control_in(i);
SET signaly^to_printer
TO defined;
SEND printer__control out;
MAYBE;	 _
C,ECEIVE line contents_in(i);
SET line _to-yrinter
TO line(i);
SEND line contents out;
END MAYBE;
END MAYBE;
SELECT;
+i
This concludes the description of all of the components for the operating system'. 24
The remaining step at this level of modelling is to describe the operating system
itself, indicating its componentry and the network of communication pathways
among the components.
[operating system]: SUBSYSTEM CLASS;
QUALIFIERS;# of user_programs END QUALIFIERS;
SUBCOMPONENTS;
programs ARRAY[1::# of user_programs] OF [program],
memory system OF [memory control system],
console OF [operator console],
reader OF [card reader],
hard copy OF [printer],
translator OF [address translator],
interpreter OF [message interpreter(# of userrograms+l)],
spool OF [spooling system(#: of user^programs)e
END SUBCOMPONENTS;
	
T
CONNECTIONS;
PLUG (translatorlactual .. space, memory systemlchannel);
PLUG (interpreterlmessa gje out, consolelmessage_in);
PLUG (consolelreply out, interpreter reply_in);
PLUG (interpreter access, translator virtual space);
PLUG (spoollread request: out, reader request—in);
PLUG (reader card out, spoollread card);
PLUG (spool printer control out, hard copy carriage control);
PLUG (spool line contents out, hard copyJco ,ents);
PLUG (spool access, translator virtual space);
PLUG (spool to operator, interpreterimessage_iri(1));
PLUG (interpreter1reply out(1), spoollfrom operator);
FOR ALL i IN [1::# of user_ programs];
PLUG (program(iTIcard request, spoollread request_in(i));
PLUG (spoollread card out(i), program(i);read card_);
PLUG (program(i) printer._control, spoonprinter control in(i));
PLUG (program(i) line contents, spoollline contents in(T));
PLUG (program(i) to operator, interpreter message_in(i+1)
PLUG (interpreterJreply out(i+1), program lfrom operator);
PLUG (program(i)laccess, translatorlvirtual_space);
END FOR;
END CONNECTIONS;
END SUBSYSTEM CLASS;
The communication network that is set up by this description is essentially that
given in Figure 1 in [Riddle 72].
**********
In [Riddle 72] the level of modelling for the operating system is elaborated for
each of the major operational parts of the operating system. For purposes of ex-
ample, we will carry that elaboration out for the message_interpreter and
address —translator parts of the operating system, The elaboration of the
spooling system, using DDN, is left as an exercise.
For the address translator, we need first: to model the external storage that is
used to hold paged-out portions of the virtual spaces.
[external storage]: SUBSYSTEM CLASS;
read request: IN PORT;
BUFFER SUBCOMPONENTS; request OF [io_request]
END BUFFER SUBCOMPONENTS;
END IN PORT;
write request: IN POR
BUFFER SUBCOMPONE r '	 rite request OF [io request]
BUFFER SIJu^u +ru,,..NT5;	 —
R
'i
x
ENO BUFFER CONDITIONS;
END IN PORT;
read done: OUT PORT;
BUFFER SUBCOMPONENTS; signal OF [io.done_signal]
END BUFFER SUBCOMPONENTS;
END OUT PORT,
write done: OUT PORT;
BUFFER SUBCOMPONENTS; write signal OF (io.—done—signal]
END BUFFER SUBCOMPONENTS
END OUT PORT;
io: CONTROL PROCESS;
MODEL; ITERATE; MAYBE;
RECEIVE read request;
I	 SET signal TO accomplished;
SEND read done;
ELSE;	
--
RECEIVE write request;
ORIGINAL' PAGE' Ig
	 SET write signal TO accomplished;
QE PO.Oj& QU
. U77X
	
	
SEND write done;
END MAYBE;
END ITERATE;
END MODEL;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
[io request]: MONITOR CLASS;
STATE SUBSETS; read, write END STATE SUBSETS;
END MONITOR CLASS;
[io done signal]: MONITOR CLASS;
STATE SUBSETS; accomplished END STATE SUBSETS;
END MONITOR CLASS;
We have used the buffer conditions construct of DDN to indicate that only write
requests may come in through the write request port.
We also need a semaphore.
[semaphore]: MONITOR CLASS;
STATE SUBSETS; uninitialized, zero, one
END STATE SUBSETS;
DOCUMENTATION; This is a binary semaphore which may be used
for mutual exclusion. The operation of the procedures is
not elaborated here — thf;y may be "programmed" using
signals and waits upon condition variables.
END DOCUMENTATION;
initialize: PROCEDURE;
TRANSITIONS; uninitialized - one
END TRANSITIONS;
END PROCEDURE;
p: PROCEDURE;
TRANSITIONS; one -r zero; zero _r zero
END TRANSITIONS;
END PROCEDURE;
v: PROCEDURE;
TRANSITIONS; zero -r one
END TRANSITIONS;
END PROCEDURE;
END MONITOR CLASS;
Now we can s pecify the parts of the address translator as controlp rocesses.
I
25
r
[address translator]: SUBSYSTEM CLASS;
virtual space: INPORT;
BUFFER SUBCOMPONENTS; v addra-is OF [virtual address]
END BUFFER SUBCOMPONENTS;
END IN PORT;
actual space: OUT PORT;
BUFFER SUBCOMPONENTS; a .address OF [real address]
END BUFFER SUBLOMPONRNfS;
END OUT PORT;
SUBCOMPONENTS;
storage OF [external storage],
mutex OF [semaphore]—
END SUBCOMPONENTS
check: CONTROL PROCESS;
set up swap: LOCAL OUT FURT;
(SUFFER SUBCOMPONENTS; signal OF [activate signal]
END BUFFER SUBCOMPONENTS;
END LOCAL OUT PORT;
BODY; ITERATE; RECEIVE virtual space;
mutex.p;
—
spa
 access the page tables;
mutex.v;
IF PERHAPS
THEN a address.assign;
SEND actual space;
ELSE signal.assign;
SEND set_upjwap;
END IF;
END ITERATE;
END BODY; END CONTROL PROCESS; END SUBSYSTEM CLASS;
In this control process definition, we have used a body textual unit to indicate
that what is being defined is an actual part of the subsystem rather than ,just
a model. Within the body, we have used nondeterminism to indicate that it is not
yet completely specified as to how the decision is made as to whether the page is
in the actual memory system or on external storage. This is not really legal in
DDN — a legal description would require the definition of a flag variable that
was set (nondeterministically) to either true or fals e within the critical section
and was used to control the subsequent fl(w of processing.
The definition of the address
—
translator is completed with the following textual
units.
[address translator]: SUBSYSTEM CLASS;
swap: CONTROL PROCESS;
wait for a ctivation:
	
LOCAL IN PORT;
BUFFER -'.JBCOMPONENTS; signal	 OF [activ ; '- signal]
END BUFFER SUBCOMPONENTS;
_
END LOCAL IN PORT;
read request:	 LOCAL OUT PORT;
BUFFER SUBCOMPONENTS; request OF [io request]
END BUFFER SUBCOMPONENTS;
—
END LOCAL OUT PORT;
read done:	 LOCAL IN PORT;
BUFFER SUBCOMPONENTS; signal OF [io done signal]
END BUFFER SUBCOMPONENTS; r
END LOCAL	 IN PORT;
write request:
	
LOCAL OUT PORT;
BUFFER SUBCOMPONENT`': write request OF [io_request]
END BUFFER	 ! R('	 'ONENTS;
END LOCAL OUT
i t e -dan .	 LOCAL	 li p	 i w„^_ r
26
It
T
END BUFFER SUBCOMPONENTS;
	 27
END LOCAL IN 'PORT;
BODY; ,ITERATE; RECEIVE wait For activation;
mutex.p: COMMINT check for page unchanged;
mutex.v;
IF PERHAPS
THEN write request.assign;
SEND 4rite request;
RECEIVE write—done; 
END IF;
request.assign;L71^GX^;I	
SEND read request;
RECEIVE read done;
-to0j? U 1^;, lS
	
mutex,p; COMMENT update the page tables;Q 'lill,	 mutex.v;
a address.assign;
SEND actual—space;
END ITERATE;
END BODY;
END CONTROL PROCESS;
END SUBSYSTEM CLASS;
[address translator]: SUBSYSTEM CLASS;
CONNECTIONS;
PLUG (checkiset up_swap, swapiwait for activation);
PLUG (swapiread request, storageiread request);
PLUG (storageiread done, swaiI read done);
PLUG (swapiwriterequest, storageiwrite request);
PLUG (storageiwrl-te done, swapiwrite done);
END CONNECTIONS;
The graphical representation of this connection network is essentially that appear-
ing as Figure 6 in [Riddle 72]. The major difference is that in the 1 = igl)" ,^  in
[Riddle 72], the semaphore is represented as a link process because the precursor
of DDN did not have the concept of monitor class.
This elaboration indicates one of the major purposes of control processes in addi-
tion to their role in modelling. When components within a subsystf"Il arc partic-
ular to that subsystem, a body for a control process alay be prepared to indicate
the algorithm for the message handling carried out by the component. DDN would
allow a class definition to be prepared and then an instance of that class to be
declared as a subcomponent within the subsystem ­ as was done for the ex^%­ ernal
storage component. But it is often sufficient to indicate the component directly
as a control process body, and this serves the additional purpose of drawing a
direct correspondence between the subsystem's modelled be avior and the operation
of the subsystem's components.
In these textual units, we have again used procedures named assig n. We should
define these within the class definitions, but this is not roally very illustra-
tivF, so we will skip that.
For the elaboration of the message__interpreter, we will not only specify the
operation of some of its components, but will also elaborate the description with
respect to the types of messages that are processed. The intent of this elabora-
tion is to specify some aspects of conversations between a program and the opera-
tor. First, we elaborate t;e types of messages that can be sent by the programs
to the operator.
V[program message]: MONITOR CLASS;
	 26
STATE SUBSETS; write, write_and w wait, terminate
END STATE SUBSETS;
set to terminate: PROCEDURE;
TRANSITIONS;	 terminate
END TRANSITIONS;
END PROCEDURE;
END MONITOR CLASS;
We have included the procedure set to terminate because it will be needed in later
descriptions.. The state ,ubsets indicate that the program may send a message to
the operator without a fiply expected (write), send a message with a reply expected
(write and wait), or indicate that the conversation with the operator may be termi-
nated.—
In the elaboration of the message_ interpreter, it will attach an identification
of the originating program to the message before passing it on to the operator.
Thus we need a class definition that describes these coded messages.
[encoded message]: MONITOR CLASS;
QUALIFIERS; #_of_programs END QUALIFIERS;
STATE VARIABLES;
id: VALUES (1::# of_programs),
content: VALUES Tmessage, null)
END STATE VARIABLES;
STATE SUBSETS;
write: <<--, content=message>=,
write and wait: <<--, content =message» ,
terminate: <<--, content=null»
END STATE SUBSETS;
assign: PROCEDURE;
PARAMETERS:
id VALUE OF [1::#^ of _programs],
message _to_be sent VALUE OF [program message]
END PARAMETERS;
TRANSITIONS; message _to be_sent=write -*write,
message_to_be sent=write and wait -> write_ and_ wait,
message_-tobe_sent=terminate- -^ terminate
END TRANSITIONS;
END PROCEDURE;
END MONITOR CLASS;
We also need similar class definitions for the messages sent from the operator to
the program.
[operator_reply]: MONITOR CLASS;
STATE SUBSETS; ans, suspend
END STATE SUBSETS;
assign: PROCEDURE;
PARAMETERS;
reply to be sent VALUE OF [enco,ied reply]
END PARAMETERS;	
_
TRANSITIONS; reply _to_be_sent=ans 	 and
END TRANSITIONS;
DOCUMENTATION; This procedure may not be legally invoked
when the operator has sent a suspend message.
END DOCUMENTATION;
END PROCEDURE;
END MONITOR CLASS;
r[encoded reply]: MONITOR CLASS;	 29
QUALIFIERS;# of_programs END QUALIFIERS;
STATE VARIABLES;
id: VALUES (1::# of programs),
content: VALUES Trnessagr., null)
END STATE VARIABLES;
STATE SUBSETS;
ans : <<--, content message» ,
suspend: <<--, content—null,—
END STATE SUBSETS;
find id: PROCEDURE;	
Q►
Q
PARAMETERS;	 \ 4441
 RESULT OF [1::#_of_prograni	
^bqG^END PARAMETERS;
END MONITOR CLASS;
With these monitor classes, we are in a position to give the elaboration of the
message_.interpreter.
[message_ interpreter]: SUBSYSTEM CLASS;
QUALIFIERS; # ofrograms END QUALIFILRS;
message_ in: ARRAY[1::# of_ .programs] OF INPORT;
BUFFER SUBCOMPONENTS; message OF [program message]
END BUFFER SUBCOMPONENTS;
END IN PORT;
message out: OUT PORT;
BUFFER SUBCOMPONENTS; message . to_ operator
OF [oncoded message(# of-programs)]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
reply in: INPORT;
BUFFER SUBCOMPONENTS; reply OF [encoded reply(1' ofjrograrns)]
END BUFFER SUBCOMPONENTS;
END IN PORT;
reply out: ARRAY[1::# of_programs] OF OUT PORT;
BUFFER SUBCOMPONENTS: reply_to_program OF [operator—reply]
END BUFFER SUBCOMP01ENTS;
END OUT PORT;
access: OUT PORT;
BUFFER SUBCOMPONENTS: address OF [virtual—address]
END BUFFER SUBCOMPONENTS:
END OUT PORT;
SUBCOMPONENTS;
mutex OF [semaphore]
END SUBCOMPONENTS;
transfer: ARRAY[1::# of_p rograms] OF CONTROL PROCESS;
pass message_in: LOCAL OUT PORT;
BUFFER SUBCOMPONENTS; passed message OF [program message]
END BUFFER SUBCOMPONENTS,
END LOCAL OUT PORT;
MODEL; ITERATE; RECEIVE message in(MY INDEX);
SET passed message(MY_INDEX) TO message(MY-_INDEX);
SEND pass message_in(MY_INDEX);
END ITERATE;
END MODEL;
END CONTROL PROCESS;
encode: ARRAY[1::# of programs] OF CONTROL PROCESS;
get
—
message
 _in: LOCAL. 1N PORT;
BUFFER SUBCOMPONENTS; message from_progran>_or decode
OF—[program message
END BUFFER SUBCOMPONENTS;
END LOCAL IN PORT;
:_ .. _
_.	 _	 _I34DY_:_ __ ITERATE
30
RECEIVE get_message in(MY_INDEX);
mutex.p;
WHILE message from_p rogram or^decode(MY_INDEX)
write and wait;
ITERATE PERHAPS;
address.assign;
SEND access;
END ITERATE;
message_to.operator.assign(MY_INDEX,
message_fromorogram or_ decode(MY_INDEX)) ;
SEND message_out;
RECEIVE get_message_in(MY_INDEX);
END WHILE;
IF message from_program or decode(MY_INDEX)
= write;
THEN: ITERATE PERHAPS;
address.assign;
SEND access;
END ITERATE;
miyssage to_opc-rator.assign(MY_INDEX,
message._from_program or decode(MY_INDEX));
SEND message out;
END IF;
inutex.v;
END ITERATE;
END BODY;
END CONTROL PROCESS;
decode: CONTROL PROCESS;
transfer suspend: ARRAY[1::# ofo rograms] OF LOCAL OUT PORT;
BUFFER SUBCOMPONENTS: term _message OF [program message]
BUFFER SUBCOMPONENTS;
END LOCAL OUT PORT;
LOCAL SUBCOMPONENTS;
id OF [1::# of programs]
END LOCAL SUBCOMPONENTS;
BODY; ITERATE;
RECEIVE reply in;
reply.find_id-Cid);
IF reply = suspend
THEN; term message(id).set_to_terminate;
SEND transfer suspend(id);
ELSE; reply_to_proaram(id).assign(reply);
SEND reply__out(id);
END IF;
END ITERATE;
END BODY;
END CONTROL PROCESS;
CONNECTIONS;
FOR ALL i IN [1::# of_programs];
PLUG (transfer(T)1pass message in,
encode-Ci)lget message_in);
PLUG (decode transfer suspendTi),
encode(i)lget_message_in);
END FOR;
END CONNECTIONS
END SUBSYSTEM CLASS;
This completes tho elaboration of the me,,sage_interpreter. It remains to upd4te
the model of the )erator's console to reflect the new level of modelling
achieved in the
	 -1 of the message_interpreter,
ti
- 	 [operator console]: SUBSYSTEM CLASS; 	 31
DOCUMENTATION; This models the console and the operator
using it.
END DOCUMENTATION;
message_in: IN PORT;
BUFFER SUBCOMPONENTS; message OF [encoded _message(#! oforograms)]
END BUFFER SUBCOMPONENTS;
END IN PORT;
END SUBSYSTEM CLASS;
[operator console]: SUBSYSTEM CLASS;
reply out: OUT PORT;
BUFFER SUBCOMPONENTS; reply OF [encoded reply(# ofo rograms)]
END BUFFER SUBCOMPONENTS;
END OUT PORT;
operator: CONTROL PROCESS;
LOCAL SUBCOMPONENTS; id OF [id::l#_of_programs]
END LOCAL SUBCOMPONENTS;
BODY; ITERATE;
RECEIVE message in;
message.find_idTid);
IF message = write and wait;
THEN; reply.set-id(id);
reply.set type;
0AIGINAI: PAGE IS
	
SEND reply_out;
,QE Wp$ QU-QUA 	 IF reply = suspend AND PERHAPS;THEN; reply.set some id;
reply.set message;
SEND reply out;
END IF;
END IF;
END 'ITERATE;
END BODY;
END CONTROL PROCESS;
QUALIFIERS; #i ofo rograms END QUALIFIERS;
END SUBSYSTEM CLASS;
This description requres the definition of four procedures to operate upon encoded
replies.
'[encoded reply]: MONITOR CLASS' set id: PROCEDURE;
PARAMETERS;
id VALUE OF [1::#i oforograms]
END PARAMETERS;
END PROCEDURE;
'[encoded reply]: MONITOR CLASS' set_type: PROCEDURE;
TRANSITIONS; -> ans, -> suspend
END TRANSITIONS;
END PROCEDURE;
'[encoded 
—
reply]: MONITOR CLASS' set—some—id: PROCEDURE;
END PROCEDURE;
'[encoded reply]: MONITOR CLASS' set message: PROCEDURE;
TRANSITIONS; -)- ans
END TRANSITIONS;
END PROCEDURE;
Note the use of nondeterminism in the procedure set type. This makes the descrip-
tion of the operation of the operator_ console be a nondeterministic one even
though a body is given for the control process.
