--|   when any releases ?C from any then set CALLING(?C) := FALSE
--| end CALLING
As a larger example of TSL specifications, the formal specification of the Dining Philosophers program of Figure 2 will be presented. There are several requirements of this program that can be formally specified in TSL, including the following:

The actions of picking up and putting down a fork must alternate.
Each philosopher uses only the forks to his immediate right and left.
No fork is picked up by a philosopher when he is eating.
No fork is put down by a philosopher when he is not eating.
It is never the case that all philosophers are simultaneously holding one fork while waiting to pick up the other.

This last specification, a specification of deadlock-freedom, would not be satisfied by the program of Figure 2, but it may nevertheless be specified in TSL.

Since the tasks in the program are components of arrays, it is necessary to define an ID_OF property, which keeps track of the ID of each task. A FORK_COUNT property is used to keep track of how many forks each philosopher is holding. It is also necessary to define an EATING property, which states that a philosopher is eating once he has picked up two forks and is no longer eating once he has put down two forks. Finally, a property WAITING_TO_EAT_COUNT is used to count the number of philosophers which have picked up the first fork for eating but have not yet picked up the second. These four properties are defined in TSL in Figure 4. It will be assumed for the sake of simplicity that (1) only philosophers pick up and put down forks, (2) if an eating philosopher puts down one fork then he will put down the second before picking the first up again, and (3) a non-eating philosopher that has picked up one fork will pick up the second fork before he puts the first fork down. All of these assumptions can be easily stated in TSL. Figure 5 gives the TSL specification of the program.
--| property ID_OF(task) : NATURAL := 0
--| is
--|   when ?T accepts any at GET_ID(ID => ?I) then
--|     set ID_OF(?T) := ?I
--| end ID_OF

--| property FORK_COUNT(task) : NATURAL := 0
--| is
--|   when ?F accepts ?P at PICKUP then
--|     set FORK_COUNT(?P) := FORK_COUNT(?P) + 1
--|   when ?F accepts ?P at PUTDOWN then
--|     set FORK_COUNT(?P) := FORK_COUNT(?P) - 1
--| end FORK_COUNT

--| property EATING(task) : BOOLEAN := FALSE
--| is
--|   when ?F1 accepts ?P at PICKUP where FORK_COUNT(?P) = 0
--|   then ?F2 accepts ?P at PICKUP where ?F2 /= ?F1
--|     set EATING(?P) := TRUE
--|   when ?F1 accepts ?P at PUTDOWN where FORK_COUNT(?P) = 2
--|   then ?F2 accepts ?P at PUTDOWN where ?F2 /= ?F1
--|     set EATING(?P) := FALSE
--| end EATING

--| property WAITING_TO_EAT_COUNT : NATURAL := 0
--| is
--|   when ?F accepts ?P at PICKUP where FORK_COUNT(?P) = 0 then
--|     set WAITING_TO_EAT_COUNT := WAITING_TO_EAT_COUNT + 1
--|   when ?F accepts ?P at PICKUP where FORK_COUNT(?P) = 1 then
--|     set WAITING_TO_EAT_COUNT := WAITING_TO_EAT_COUNT - 1
--| end WAITING_TO_EAT_COUNT
-- PICKUP alternates with PUTDOWN:
--| when ?F accepts ?P1 at PICKUP
--| then ?F accepts ?P1 at PUTDOWN
--|   before ?F accepts ?P2 at PICKUP
--|
--| when ?F accepts ?P1 at PUTDOWN
--| then ?F accepts ?P1 at PICKUP
--|   before ?F accepts ?P2 at PUTDOWN

-- A philosopher uses only the forks to his immediate right and left:
--| not ?P calls ?F where ID_OF(?F) /= ID_OF(?P) and
--|                      ID_OF(?F) /= (ID_OF(?P) + 1) mod 5

-- A philosopher does not pick up a fork while he's eating:
--| not ?P calls any at PICKUP where EATING(?P)

-- A philosopher does not put down a fork while he's not eating:
--| not ?P calls any at PUTDOWN where not EATING(?P)

-- Deadlock never occurs:
--| not any calls any at PICKUP
--|   where WAITING_TO_EAT_COUNT = MAX_PHILOSOPHERS

Figure 5: TSL Specification of Dining Philosophers.
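The properties of Figure 4 and the specifications of Figure 5 can be read as a runtime monitor over a trace of rendezvous events. The following Python program is an added example, not code from the thesis or from its TSL runtime checker: it keeps the four properties as state, evaluates the "not ... calls ..." specifications at the moment a call is made, checks the alternation specification when a fork accepts, and runs all of this over constructed traces. Its assumptions are mine, not the thesis's: five philosophers whose task IDs are plain integers rather than values obtained through the GET_ID rendezvous, philosopher p using forks p and (p + 1) mod 5, events encoded as (kind, fork, philosopher, entry) tuples, and alternation read as the first Figure 5 rule (a fork picked up by ?P1 must be put down by ?P1 before it accepts any other PICKUP).

```python
from collections import defaultdict

# Constructed assumptions for this example (not fixed by the thesis extract):
# five philosophers, forks numbered like philosophers, and philosopher p
# using fork p (left) and fork (p + 1) mod 5 (right).
MAX_PHILOSOPHERS = 5
PICKUP, PUTDOWN = "PICKUP", "PUTDOWN"
CALLS, ACCEPTS = "calls", "accepts"   # the two TSL event kinds used by Figures 4 and 5


class DiningMonitor:
    """Maintains the Figure 4 properties and checks the Figure 5 specifications
    over a trace of (kind, fork, philosopher, entry) events."""

    def __init__(self, n=MAX_PHILOSOPHERS):
        self.n = n
        self.fork_count = defaultdict(int)    # FORK_COUNT(?P)
        self.eating = defaultdict(bool)       # EATING(?P)
        self.waiting_to_eat_count = 0         # WAITING_TO_EAT_COUNT
        self.first_fork = {}                  # the ?F1 bound by the first half of an EATING rule
        self.holder = {}                      # fork -> philosopher holding it (alternation)
        self.violations = []                  # (event index, violated rule)

    def run(self, trace):
        for idx, (kind, f, p, entry) in enumerate(trace):
            if kind == CALLS:
                self._check_call(idx, f, p, entry)
            else:
                self._check_accept(idx, f, p, entry)
                self._update(f, p, entry)
        return self.violations

    # "not ?P calls ... where ..." specifications are evaluated when the call
    # is made, against the property values in force at that moment.
    def _check_call(self, idx, f, p, entry):
        if f not in (p, (p + 1) % self.n):
            self.violations.append((idx, "RIGHT_LEFT_ONLY"))
        if entry == PICKUP and self.eating[p]:
            self.violations.append((idx, "NO_PICKUP_WHILE_EATING"))
        if entry == PUTDOWN and not self.eating[p]:
            self.violations.append((idx, "NO_PUTDOWN_WHILE_NOT_EATING"))
        if entry == PICKUP and self.waiting_to_eat_count == self.n:
            self.violations.append((idx, "DEADLOCK"))

    # Alternation on each fork: a fork that accepted PICKUP from ?P1 accepts no
    # other PICKUP until it accepts PUTDOWN from ?P1.
    def _check_accept(self, idx, f, p, entry):
        if entry == PICKUP and f in self.holder:
            self.violations.append((idx, "ALTERNATION"))
        if entry == PUTDOWN and self.holder.get(f) != p:
            self.violations.append((idx, "ALTERNATION"))

    # Property updates of Figure 4, triggered by accepts.
    def _update(self, f, p, entry):
        count = self.fork_count[p]
        if entry == PICKUP:
            if count == 0:                           # first fork: bind ?F1, one more waiting
                self.first_fork[p] = f
                self.waiting_to_eat_count += 1
            elif count == 1:
                self.waiting_to_eat_count -= 1
                if f != self.first_fork.get(p):      # ?F2 /= ?F1: now eating
                    self.eating[p] = True
            self.fork_count[p] = count + 1
            self.holder[f] = p
        else:
            if count == 2:                           # first fork put down: bind ?F1
                self.first_fork[p] = f
            elif count == 1 and f != self.first_fork.get(p):
                self.eating[p] = False               # second, different fork: done eating
            self.fork_count[p] = max(0, count - 1)   # NATURAL: never below zero
            if self.holder.get(f) == p:
                del self.holder[f]


def rendezvous(f, p, entry):
    """A completed rendezvous: philosopher p calls fork f's entry, and f accepts it."""
    return [(CALLS, f, p, entry), (ACCEPTS, f, p, entry)]


def one_meal(p, n=MAX_PHILOSOPHERS):
    """Constructed trace fragment: philosopher p eats once with forks p and p+1."""
    left, right = p, (p + 1) % n
    return (rendezvous(left, p, PICKUP) + rendezvous(right, p, PICKUP)
            + rendezvous(left, p, PUTDOWN) + rendezvous(right, p, PUTDOWN))


# Constructed sample traces (not from the thesis).
GOOD_TRACE = one_meal(0) + one_meal(2) + one_meal(1)
# Everyone holds his left fork, then philosopher 0 calls PICKUP for his right one.
DEADLOCK_TRACE = (sum((rendezvous(p, p, PICKUP) for p in range(MAX_PHILOSOPHERS)), [])
                  + [(CALLS, 1, 0, PICKUP)])
# Philosopher 3 reaches for fork 0, which is not adjacent to him.
WRONG_FORK_TRACE = [(CALLS, 0, 3, PICKUP)]
# Philosopher 0 already holds both forks and calls PICKUP again.
GREEDY_TRACE = rendezvous(0, 0, PICKUP) + rendezvous(1, 0, PICKUP) + [(CALLS, 1, 0, PICKUP)]


def check(trace):
    """Run a fresh monitor over a trace and return its list of violations."""
    return DiningMonitor().run(trace)


if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("deadlock", DEADLOCK_TRACE),
                        ("wrong fork", WRONG_FORK_TRACE), ("greedy", GREEDY_TRACE)]:
        print(f"{name}: {check(trace)}")
```

Splitting each rendezvous into a call event and an accept event matters: the deadlock specification speaks of a PICKUP that is called, not accepted, so in the deadlock trace the sixth PICKUP is a call that is never accepted, and only the DEADLOCK rule fires rather than a spurious alternation violation.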
2.4 Summary
As the survey of this chapter demonstrates, the theory and practice of concurrent programming is at a stage at which it is feasible to develop large distributed software systems for execution on parallel hardware. However, several deficiencies and unsolved problems are apparent in this technology as it currently exists:

1. The technology underlying the construction of distributed implementations of concurrent programming languages is deficient for the following reasons:

(a) Descriptions of concurrent languages in general focus on the design of constructs for expressing concurrency. Implementations, if they exist, are usually mentioned only in passing for the purpose of claiming the successful implementation of a language.

(b) Concurrent programming languages other than Ada which have been successfully implemented on multiprocessors are in general small, experimental languages.

(c) No successful distributed implementation of Ada has been described to a satisfactory extent in the literature; previous descriptions have dealt exclusively with the design of uniprocessor implementations. Thus, no serious consideration has been given to the important issues in distributed supervisor design: the overall software architecture, the interface to application programs, the interface to the underlying computer system, the separation of machine-independent components from machine-dependent components, and the separation of components of unrelated functionality.

2. The technology available for verifying that a distributed implementation of a concurrent language is consistent with the language semantics is deficient for the following reasons:

(a) No suitable system exists for automatic verification of concurrent software systems, such as a distributed supervisor. Furthermore, the systems which do exist require a great deal of reasoning on the part of the programmer to introduce auxiliary variables and construct a global invariant that is strong enough for proving non-interference or cooperation of the proofs of individual tasks.

(b) Other testing methods (parallel debuggers, history logging, reproducible testing, interactive replays) are unable to automatically differentiate incorrect program behavior from correct program behavior. Such determination is left entirely up to the programmer.

(c) As will be further discussed in Chapter 6, methods for verifying a language implementation based on automated testing suffer from the fact that each test program must be instrumented individually, with machine-processable specifications or with executable checking code, so that it can check some part of the language implementation.

This thesis describes new approaches to solving the problems which have caused the continued existence of the above deficiencies.