Abstract. We explain a transformational approach to the design and verification of communicating concurrent systems. The transformations start from specifications that combine trace-based with state-based assertional reasoning about the desired communication behaviour, and yield concurrent implementations. We illustrate our approach by a case study proving correctness of implementations of safe and regular registers allowing concurrent writing and reading phases, originally due to Lamport.
Introduction
For concurrent systems a variety of specification formalisms have been developed, among them Temporal Logic [MP91], iterative programs like action systems [Bac90] or UNITY programs [CM88], input/output automata [LT89], and process algebra [Mil89, BW90]. However, it remains a difficult task to design correct implementations starting from such specifications. It is here that we wish to make a contribution.
We are developing a novel transformational approach to the design of communicating concurrent systems. Our work originates from the ESPRIT Basic Research Action "ProCoS". ProCoS stands for "Provably Correct Systems" and is a wide-spectrum verification project where embedded communicating systems are studied at various levels of abstraction ranging from requirements' capture over specification language and program-
We use a specification language SL that combines trace-based with state-based assertional reasoning. The trace part specifies in a modular fashion in which order communications on the channels may occur. To this end, regular expressions over channel alphabets are used. In the trace part we build on ideas of pure process algebra with uninterpreted action symbols. Of course, in any realistic application one also has to reason about the values that are communicated. In SL the communication values are specified with the help of a state part which consists of state variables and communication assertions describing when a channel is enabled for communication and what the effect of such a communication is. The state part corresponds to an iterative program in the style of action systems or UNITY, extended by communication through explicit message passing.
The specification language SL is not as high-level as temporal logic can be, but it has the advantage that it allows us to formulate transformation rules for the stepwise design of implementations. In the ProCoS project we have developed a set of transformation rules that is complete for transforming a large class of specifications into sequential occam-like programs [ORSS92]. In this paper we present further transformation rules that enable us to derive distributed concurrent systems with components communicating by synchronous message passing.
Our work on transformational design is in the tradition of the work originated by Burstall and Darlington and pursued further to practical application in projects like CIP [Kri89]. While these approaches were concerned with conventional sequential programs, we study here concurrency and communication.
Central to our approach is the concept of a mixed term [Old91b], i.e. a construct that mixes programming and specification constructs. Mixed terms are well suited to express intermediate stages of a design where some implementation details are fixed and others are still open. Mixed terms arise naturally as a formalization of the method of stepwise refinement originally advocated by Dijkstra and Wirth. They also appear in the refinement calculi of [Mor90, Bac90], but these calculi deal with sequential or iterative programs without explicit communication.
In this paper we illustrate our approach by a case study that is concerned with one of the basic assumptions of many distributed algorithms, viz. correct interprocess communication. In his article [Lam86], Lamport analyzes interprocess communication through registers that can be accessed by writers and readers in a possibly concurrent, i.e. overlapping, fashion. The assumptions that distributed algorithms make about interprocess communication are mirrored by the values that a reader of the register may obtain in case of an overlapping writing phase. Lamport defines three classes of registers called safe, regular and atomic, where safe registers are the weakest and atomic registers are the strongest class. The main contributions of [Lam86] are several constructions of stronger register types from weaker ones together with correctness proofs in a specific formalism. The topic of concurrent registers has excited quite some interest in the literature on distributed algorithms. A good overview can be found in [LG89].
In this paper we specify safe and regular registers in the language SL and systematically derive one of Lamport's concurrent implementations using our transformational approach.
Specifications
In this section we use the example of registers to provide an introduction to the specification language SL. As in [Lam86] we consider registers that can store a value of some value set V and that are shared by one writer and possibly several readers. We begin with the case of only one reader. Following [LG89] such a register can be modelled as a system communicating through directed channels with its environment consisting of a writer and a reader, as shown in Figure 1.
tr = (W,3).A.R.(T,3).R.(W,5).A.(T,4).R.(T,5)
satisfies 1-reader-V-safe. Note that within the second reading phase a writing phase occurs which sets the state variable c to false. Hence at the end of this reading phase an arbitrary value from V may be output on channel T; here we have chosen the value 4. On the other hand, the last reading phase ends with c evaluating to true and thus outputs the most recently written value, which is 5.
The formal semantics of the specification language SL is defined in a predicative style in [Old91b] and [ORSS92] and is beyond the scope of this paper. We mention only that in this semantics each SL specification S is identified with a pair consisting of the interface of S and a predicate P describing the behaviour specified by S in terms of communication traces, ready sets and some other ingredients that are not important here.
A ready set is a set of channels that are ready for communication. In principle, the trace part of specification 1-reader-V-safe can be eliminated in favour of an extended state part. However, this would result in a specification that is more difficult to understand. In general, we strive to express the data-independent aspects of a system behaviour in the trace part.
For each given n, the above specification can be extended to one specifying a safe register with n readers using communication channels R_i and T_i for i ∈ 1..n (Figure 3).
Regular Registers
Let us now specify the behaviour of a regular register for n readers and the value set V in the language SL. We can reuse a large part of the specification n-reader-V-safe above. Only the specification of the value returned at the end of a reading phase needs to be changed. The idea here is to replace the
where k ∈ {1, 3, 5}. After each of these traces the register is ready to engage in communications on channels W and R.
Transformational Approach
The standard setting for a transformational approach is that specifications are transformed stepwise into programs. For example, our aim in ProCoS is to transform specifications of the language SL into programs of an occam-like programming language PL. In the present study we do not aim at occam-like programs but wish to show how to construct complex registers from simpler ones.
Such a construction can be conveniently expressed in the language MIX of mixed terms. MIX comprises n-ary programming operators OP that can be applied to specifications or other mixed terms S_1, ..., S_n, yielding a mixed term OP
Strengthening. These transformations strengthen the system behaviour by restricting the initial state, the state space or the effect of a communication. They either remove some nondeterminism or lead to overspecification. It requires creativity to find the right degree of strengthening within the design process. Introducing an invariant declaration in a specification without invariants is included as the special case of strengthening inv true.
T 3.5 (effect strengthening) An effect predicate p may be replaced by any predicate q such that q ∧ ⋀I ⇒ p holds and its free variables agree with the read and write list.
Modifying specification components.
Regular Implements Safe
From their informal description it seems obvious that a regular register implements a safe one. Here we prove this relation formally for the SL specifications given in Section 2. Since both specifications agree on their interface and trace parts, we need to relate only their state parts. To this end, we apply the above transformation rules and massage the specification n-reader-V-safe until specification n-reader-V-regular is obtained. We proceed in three steps:
1. The communication assertions of T_i are modified to the pattern of the regular register specification. Therefore the state space is extended by set-valued variables C_1, ..., C_n and the invariant ⋀_{i=1}^{n} (c_i ⇒ (C_i = {v})) is introduced.
2. By appropriate initialization and effect strengthening the invariant of Step 1 is made redundant. This allows us to remove it and afterwards all variables c_1, ..., c_n.
[OLD SR 8/1] January 1993
3. The variable old is added and channels W and R_i are strengthened to achieve the regular specification pattern.
In the following we give a detailed account of this refinement by referring to the numbers of the applied transformation rules. The starting point is the specification n-reader-V-safe.
Step 1. We extend the internal state space by new local variables C_1, ..., C_n where write accesses are restricted to channels W and R_1, ..., R_n T3.
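The trace-based reading of the two specifications can be made executable. The following Python checker is an added example and not part of the paper: it decides whether a given trace over the 1-reader channels W, A, R, T is allowed by the safe register and by the regular register. The state part is our reconstruction of the specifications (the paper's own text of 1-reader-V-safe is not reproduced on this page): v holds the value most recently written, c records that the current reading phase has not been overlapped by a writing phase, as in the discussion of the trace tr above, and a set C of candidate values plays the role of the set-valued variables C_i of the regular case. The initial register value (0 by default), the sample traces and the function names are constructed assumptions. Because the checker is executable, it also gives a bounded sanity check of the claim that regular implements safe: every trace of the regular register up to a small length is a trace of the safe register, while the converse fails.

```python
from itertools import product
from typing import Iterable, Optional, Tuple, Union

# Events of the 1-reader interface, in the notation of the trace tr above:
#   ("W", 3)  write request carrying value 3      "A"       write acknowledge
#   "R"       read request                        ("T", 4)  read result carrying 4
Event = Union[str, Tuple[str, int]]


def _split(ev: Event) -> Tuple[str, Optional[int]]:
    return ev if isinstance(ev, tuple) else (ev, None)


def _check(trace: Iterable[Event], regular: bool, initial: int) -> bool:
    """True iff the trace is allowed by the register (safe, or regular if requested).

    Trace part: W and A alternate, R and T alternate, the two phases interleave.
    State part (our reconstruction): v is the value most recently written, prev the
    value it replaced, c is true while the current reading phase is not overlapped
    by a writing phase, and cands collects the values a regular register may return.
    """
    v = prev = initial
    writing = reading = False
    c, cands = True, {initial}
    for ev in trace:
        ch, x = _split(ev)
        if ch == "W":                       # writing phase begins
            if writing or x is None:
                return False
            prev, v, writing = v, x, True
            c = False                       # a reading phase in progress now overlaps a write
            if reading:
                cands.add(x)
        elif ch == "A":                     # writing phase ends
            if not writing:
                return False
            writing = False
        elif ch == "R":                     # reading phase begins
            if reading:
                return False
            reading = True
            c = not writing                 # a read starting during a write already overlaps it
            cands = {prev, v} if writing else {v}
        elif ch == "T":                     # reading phase ends, value x is returned
            if not reading or x is None:
                return False
            reading = False
            if c and x != v:                # no overlap: only the most recent value is allowed
                return False
            if regular and x not in cands:  # overlap: the old value or an overlapping write
                return False
        else:
            return False
    return True


def satisfies_safe(trace: Iterable[Event], initial: int = 0) -> bool:
    return _check(trace, regular=False, initial=initial)


def satisfies_regular(trace: Iterable[Event], initial: int = 0) -> bool:
    return _check(trace, regular=True, initial=initial)


def regular_implies_safe(values=(0, 1), max_len: int = 6) -> Tuple[bool, int, int]:
    """Exhaustive bounded check that every regular trace is a safe trace.
    Returns (implication holds, number of regular traces, number of safe traces)."""
    alphabet = [("W", x) for x in values] + ["A", "R"] + [("T", x) for x in values]
    holds, n_reg, n_safe = True, 0, 0
    for n in range(max_len + 1):
        for tr in product(alphabet, repeat=n):
            r, s = satisfies_regular(tr, values[0]), satisfies_safe(tr, values[0])
            n_reg, n_safe = n_reg + r, n_safe + s
            if r and not s:
                holds = False
    return holds, n_reg, n_safe


# The trace tr from the text, and a constructed trace with three writes (1, 3, 5)
# overlapping one read, for which a regular register may return k ∈ {1, 3, 5}.
TRACE_TR = [("W", 3), "A", "R", ("T", 3), "R", ("W", 5), "A", ("T", 4), "R", ("T", 5)]


def overlapped_read(k: int) -> list:
    return [("W", 1), "A", "R", ("W", 3), "A", ("W", 5), "A", ("T", k)]
```

Running satisfies_safe on TRACE_TR yields true, while satisfies_regular rejects it: the second read overlaps the write of 5 and returns 4, which is neither the old value 3 nor the new value 5.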
Concurrent Implementations
In this section we study the implementation of a specification as a system of concurrently working subsystems synchronized via internal communication. When designing such a system one first decides on its architecture, i.e. which tasks should be performed concurrently and how subsystems should communicate. The transformational refinement process is then guided by these decisions.
As an example we consider the implementation of an n-reader-V-safe register using n copies X_1, ..., X_n of 1-reader-V-safe registers and an auxiliary write process WP, due to [Lam86, LG89]. The architecture of this implementation is shown in Figure 5. We now present a formal transformational design of this implementation consisting of the following steps:
1. Local channels are declared and their global sequencing is constrained.
2. The state space is extended to cover the state spaces of the n single-reader registers.
3. The behaviour is strengthened to achieve the effects of the 1-reader-V-safe specification.
4. The whole specification is decomposed into the subsystems WP and X_1, ..., X_n.
Local Channels
A communication on a local channel is independent of and invisible to the environment. It may be performed as soon as its enable predicate holds in the current internal state and the extended trace satisfies the sequencing constraints of all trace assertions. Thus, in contrast to external channels, there is no synchronization with the environment.
Interface channels ch_1, ..., ch_k of a specification S are localized by applying to S the declaration operator CHAN with parameters ch_1, ..., ch_k:
S_1 = CHAN ch_1, ..., ch_k S.
CHAN is one of the operators of the language MIX, so that S_1 is a mixed term. The semantics of CHAN implies that the system S_1 avoids engaging in unboundedly many communications on the local channels ch_1, ..., ch_k. Thus CHAN is a so-called "angelic" operator which is difficult to implement.
To avoid non-implementability we additionally use the operator HIDE from MIX:
S_2 = CHAN ch_1, ..., ch_k HIDE ch_1, ..., ch_k S.
Systems S_1 and S_2 behave the same as long as S does not allow unbounded communication on ch_1, ..., ch_k. But in contrast to S_1, unbounded communication on these channels leads to divergence of S_2. For a more detailed analysis see [ORSS92].
Here we present a rule dealing with the combined effect of introducing local channels with hiding.
and the trace part TA_T satisfies the following conditions: 1. it prevents unbounded communication on the new channels, 2. its projection onto the old channels allows exactly the same traces as TA, 3. for each prefix t of one of its traces and for each trace assertion ta ∈ TA_T the intersection of all extensions of t with the alphabet of ta contains at most one of the new channels.
Condition 1 implies that T describes a divergence-free system. Conditions 2 and 3 imply that semantically S and T describe the same traces and ready sets. An application of this rule requires finding an extension of the trace part meeting these conditions and the overall development idea. In our example we introduce the local channels w_1, ..., w_n, a_1, ..., a_n. As mentioned above, communications on w_i and a_i are always enclosed by a preceding W and a finishing A communication. Hence the application conditions 1-3 of [T4.1] are satisfied. No restrictions are required between write and acknowledge channels of different single readers. Thus we replace the specification n-reader-V-safe by the following mixed term:
CHAN w_1, ..., w_n, a_1, ..., a_n
HIDE w_1, ..., w_n, a_1, ..., a_n
spec
  input w_1, ..., w_n of V
  output w_1, ..., w_n of V
  input a_1, ..., a_n of signal
  output a_1, ..., a_n of signal
  ... all n-reader-V-safe components ...
  i ∈ 1..n : trace W, A, w_i, a_i in pref(W.w_i.a_i.A)
end
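As an added example (not code from the paper), the following Python model executes the architecture of Figure 5: a write process WP forwards each written value to the cells X_1, ..., X_n over the local channels w_i and collects the acknowledgements a_i before signalling A, and reader i reads its own cell X_i. The names WriteProcess, SingleReaderCell and run_scenario, the scheduling of the interleaving by a generator, and the sample scenario are our assumptions; each cell is updated atomically here, which is stronger than a safe register, so the example only exhibits the interleavings between the cells, not those inside one of them. The model records the global trace including the local channels, checks the trace assertion trace W, A, w_i, a_i in pref(W.w_i.a_i.A) by projection (taken here to repeat over successive writes), and applies the hiding of w_i and a_i to obtain the trace the environment observes.

```python
from typing import Iterator, List, Optional, Tuple

Event = Tuple[str, Optional[int]]      # (channel, value); value is None for signals


class SingleReaderCell:
    """Stand-in for one 1-reader-V-safe register X_i (atomic cell, an assumption)."""
    def __init__(self, initial: int) -> None:
        self.value = initial


class WriteProcess:
    """WP: accepts W(v), delivers v to every X_i over w_i, awaits a_i, then signals A."""
    def __init__(self, cells: List[SingleReaderCell], trace: List[Event]) -> None:
        self.cells, self.trace = cells, trace

    def write(self, v: int) -> Iterator[None]:
        # Each yield is a scheduling point at which a reader may be run, so the
        # caller chooses the interleaving among the enabled communications.
        self.trace.append(("W", v)); yield
        for i, cell in enumerate(self.cells, start=1):
            cell.value = v                                # rendezvous on w_i updates X_i
            self.trace.append((f"w{i}", v)); yield
            self.trace.append((f"a{i}", None)); yield     # X_i acknowledges on a_i
        self.trace.append(("A", None)); yield


def read(i: int, cell: SingleReaderCell, trace: List[Event]) -> int:
    """Reader i: R_i, then T_i carrying the value currently held by X_i."""
    trace.append((f"R{i}", None))
    trace.append((f"T{i}", cell.value))
    return cell.value


def is_local(ch: str) -> bool:
    """The hidden channels are w_i and a_i (lower case, followed by the index)."""
    return ch[0] in "wa" and ch[1:].isdigit()


def external(trace: List[Event]) -> List[Event]:
    """Effect of HIDE w_1, ..., w_n, a_1, ..., a_n: what the environment observes."""
    return [ev for ev in trace if not is_local(ev[0])]


def enclosed_in_write(trace: List[Event], i: int) -> bool:
    """Projection onto {W, A, w_i, a_i} must be a prefix of (W.w_i.a_i.A)*."""
    cycle = ["W", f"w{i}", f"a{i}", "A"]
    proj = [ch for ch, _ in trace if ch in cycle]
    return all(ch == cycle[k % 4] for k, ch in enumerate(proj))


def run_scenario(n: int = 2, initial: int = 3, new: int = 5):
    """Constructed interleaving: both readers read while WP is between a_1 and w_2,
    i.e. after X_1 but before X_2 has received the new value."""
    trace: List[Event] = []
    cells = [SingleReaderCell(initial) for _ in range(n)]
    steps = WriteProcess(cells, trace).write(new)
    next(steps); next(steps); next(steps)            # W(new), w_1(new), a_1
    seen_during = {2: read(2, cells[1], trace), 1: read(1, cells[0], trace)}
    for _ in steps:                                  # w_2(new), a_2, A
        pass
    seen_after = read(2, cells[1], trace)
    return trace, seen_during, seen_after
```

In the scenario reader 2 obtains the old value 3 and reader 1 the new value 5 while the write is in progress, which a safe register permits since both reads overlap the writing phase; after A every reader obtains 5. The projection check passes for both i, and the external trace contains no w_i or a_i communications.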
Trace Assertions and Invariants
Now we aim at the behaviour of the single-reader registers. This requires extended reasoning about modifications of the state part where, in addition to the rules presented in 3.1, also the trace part is taken into account.
The following rule provides a generalization of the invariant reasoning based on [T3.6] and [T3.7]. It checks whether a predicate q holds whenever the system may engage in a communication on channel ch and allows us to modify its communication assertion appropriately. We say that a channel ch establishes q if q holds in the terminating state of each ch communication:
establish(q, ch) ⇔_df (wh_ch ∧ th_ch ⇒ q[w'_ch / w_ch]).
T 4.2 (effect modifications under trace assertions) Let trace ch_1, ..., ch_k in re be a trace assertion and q be a predicate which is stable for all channels outside {ch_1, ..., ch_k}. Let ch ∈ {ch_1, ..., ch_k} be a channel such that in every word of the regular language of re each occurrence of ch is preceded by a channel ch' establishing q. If further all intermediate channels between ch' and ch are stable for q, then the effect th_ch may be weakened to q ⇒ th_ch or strengthened to q ∧ th_ch without changing the behaviour.
For the moment the design process proceeds by the same technique shown in detail in 3.2: the state space is changed and communication assertions are strengthened; invariants are introduced to modify communication assertions and are removed afterwards.
In the following steps the effect predicates are modified such that they become independent of the variables m and c_1, ..., c_n. This is done by iterated application of the invariant technique shown in the previous example. New invariants are introduced and some effects are modified under them. After that, effect predicates of other channels are strengthened to make the invariant redundant.
= ⋃_{i=1}^{n} (interface of S_i), TA = ⋃_{i=1}^{n} TA_i, Va = ⊎_{i=1}^{n} Va_i (footnote 2), CA = ⋃_{i=1}^{n} CA_i and I = ⋃_{i=1}^{n} I_i. Then S ≡ SYN[S_1, ..., S_n], i.e. S is equivalent to a mixed term where synchronization is applied to all S_i.
We remark that TA enforces synchronization of all communications that appear on channels in more than one of the local trace assertions TA_i. The disjointness condition on the local variables Va_i reflects distributed concurrency. Thus a parallel decomposition must be prepared by rearranging specification components to achieve disjointness. To this end, we use the transformations [T3.1] and [T3.2].
Semantically the meaning of TA is a regular language over the set of all channels. Thus modifications of the set of all trace assertions do not change the specified system behaviour as long as the same language is described. The trace merging algorithm [RS91, ORSS92] provides a transformation to join several trace assertions into a single one. A special case of trace merging is given by the following rule.
T 4.4 (trace projection) Let trace ch_1, ..., ch_k in re be a trace assertion within TA and let ch_{l_1}, ..., ch_{l_m} be a subset of its alphabet. Let re' be the regular expression obtained from re by replacing all occurrences of names in {ch_1, ..., ch_k} \ {ch_{l_1}, ..., ch_{l_m}} by nil. Then the addition of the projected trace assertion trace ch_{l_1}, ..., ch_{l_m} in re' to TA does not change the behaviour.
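Rule T 4.4 is mechanical and can be implemented directly. The following Python code is an added example, not from the paper: regular expressions over channel names are represented as a small syntax tree, membership and prefix closure (the pref operator of SL) are decided with Brzozowski derivatives, and project performs the replacement of channel names by nil from T 4.4. The bounded language comparison same_traces_upto is our own device for confirming that the projection of the local trace assertion (W.w_1.a_1.A)* onto {W, A} describes the same traces as (W.A)*, which is condition 2 of [T4.1] for this example; the assertion list ASSERTIONS is a constructed one-reader instance, and all names in the block are assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, List, Sequence, Tuple


class Re:
    """Regular expression over channel names, as used in SL trace assertions."""

@dataclass(frozen=True)
class Empty(Re):            # the empty language
    pass

@dataclass(frozen=True)
class Eps(Re):              # nil: only the empty trace
    pass

@dataclass(frozen=True)
class Sym(Re):
    ch: str

@dataclass(frozen=True)
class Alt(Re):
    left: Re
    right: Re

@dataclass(frozen=True)
class Cat(Re):
    left: Re
    right: Re

@dataclass(frozen=True)
class Star(Re):
    body: Re

EMPTY, EPS = Empty(), Eps()


# Smart constructors normalize so that EMPTY is the only expression denoting
# the empty language; in_pref relies on this.
def cat(a: Re, b: Re) -> Re:
    if isinstance(a, Empty) or isinstance(b, Empty):
        return EMPTY
    return b if isinstance(a, Eps) else a if isinstance(b, Eps) else Cat(a, b)

def alt(a: Re, b: Re) -> Re:
    if isinstance(a, Empty):
        return b
    return a if isinstance(b, Empty) or a == b else Alt(a, b)

def star(a: Re) -> Re:
    if isinstance(a, (Empty, Eps)):
        return EPS
    return a if isinstance(a, Star) else Star(a)

def seq(*chs: str) -> Re:
    """Concatenation of channel names, e.g. seq("W", "A") for W.A."""
    r: Re = EPS
    for ch in chs:
        r = cat(r, Sym(ch))
    return r

def nullable(r: Re) -> bool:
    if isinstance(r, (Eps, Star)):
        return True
    if isinstance(r, Alt):
        return nullable(r.left) or nullable(r.right)
    if isinstance(r, Cat):
        return nullable(r.left) and nullable(r.right)
    return False                                     # Empty, Sym

def deriv(r: Re, ch: str) -> Re:
    """Brzozowski derivative: the continuations allowed after communication ch."""
    if isinstance(r, Sym):
        return EPS if r.ch == ch else EMPTY
    if isinstance(r, Alt):
        return alt(deriv(r.left, ch), deriv(r.right, ch))
    if isinstance(r, Star):
        return cat(deriv(r.body, ch), r)
    if isinstance(r, Cat):
        d = cat(deriv(r.left, ch), r.right)
        return alt(d, deriv(r.right, ch)) if nullable(r.left) else d
    return EMPTY                                     # Empty, Eps

def member(r: Re, trace: Iterable[str]) -> bool:
    for ch in trace:
        r = deriv(r, ch)
    return nullable(r)

def in_pref(r: Re, trace: Iterable[str]) -> bool:
    """trace ∈ pref(L(r)): some continuation of the trace lies in L(r)."""
    for ch in trace:
        r = deriv(r, ch)
    return not isinstance(r, Empty)

def project(r: Re, keep: FrozenSet[str]) -> Re:
    """T 4.4: replace every channel name outside keep by nil."""
    if isinstance(r, Sym):
        return r if r.ch in keep else EPS
    if isinstance(r, Alt):
        return alt(project(r.left, keep), project(r.right, keep))
    if isinstance(r, Cat):
        return cat(project(r.left, keep), project(r.right, keep))
    return star(project(r.body, keep)) if isinstance(r, Star) else r

def same_traces_upto(r1: Re, r2: Re, alphabet: Sequence[str], max_len: int) -> bool:
    """Bounded comparison of two languages: agreement on all words up to max_len."""
    return all(member(r1, w) == member(r2, w)
               for n in range(max_len + 1) for w in product(alphabet, repeat=n))

Assertion = Tuple[FrozenSet[str], Re]              # (alphabet, regular expression)

def satisfies(trace: Sequence[str], assertions: Iterable[Assertion]) -> bool:
    """A trace satisfies TA iff each projection lies in the prefix closure."""
    return all(in_pref(re, [ch for ch in trace if ch in alpha]) for alpha, re in assertions)

# Constructed one-reader instance of the trace part with the local channels w_1, a_1.
LOCAL = star(seq("W", "w1", "a1", "A"))
ASSERTIONS: List[Assertion] = [
    (frozenset({"W", "A"}), star(seq("W", "A"))),
    (frozenset({"R1", "T1"}), star(seq("R1", "T1"))),
    (frozenset({"W", "A", "w1", "a1"}), LOCAL),
]
```

The derivative of LOCAL after W.A is EMPTY, so a trace in which A directly follows W is rejected by the local assertion even though it is fine for the assertion on {W, A} alone; that is exactly the sequencing constraint the local channels add.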
Let us now consider the example. The intended architecture (cf. Figure 5) determines the allocation of the interface components and variable declarations to the subsystems. As mentioned above, each single reader
Footnote 2: Union of pairwise disjoint sets.
Discussion
Our work on transformational design of concurrent systems is close in spirit to the work on UNITY [CM88] and to Back's work on the refinement calculus [Bac90]. One of the differences is that UNITY and Back start from iterative programs akin to Dijkstra's do-od loops, whereas we start from SL specifications with an explicit treatment of communication. This also leads us to consider a richer class of programming operators, and hence of transformation rules, than previous work.
The case study deals with one of the simpler concurrent implementations of registers originally due to Lamport [Lam86]
