Abstract
With the commercial development of multicore processors, the challenges of writing multithreaded programs that take advantage of these new hardware architectures are becoming more and more pertinent. Concurrent programming is necessary to achieve the performance that the hardware offers. Traditional approaches present concurrency as an advanced topic: they have proven difficult to use, difficult to reason about with confidence, and difficult to scale up to high levels of concurrency. This article reviews process-oriented design, based on Hoare's algebra of Communicating Sequential Processes (CSP), and proposes that this approach to concurrency leads to solutions that are manageable by novice programmers; that is, they are easy to design and maintain, scalable for complexity, obviously correct, and relatively easy to verify using formal reasoning and/or model checkers. These solutions can be developed in conventional programming languages (through CSP libraries) or specialized ones (such as occam-π) in a manner that directly reflects their formal expression. Systems can be developed without needing specialist knowledge of the CSP formalism, since the supporting mathematics is burnt into the tools and languages that support it. We illustrate these concepts with the Santa Claus problem, which has been used as a challenge for concurrency mechanisms since 1994. We consider this problem as an example control system, producing external signals that report changes of internal state (which model the external world). We claim our occam-π solution is correct-by-design, but follow this up with formal verification (using the FDR model checker for CSP) that the system is free from deadlock and livelock, that the produced control signals obey crucial ordering constraints, and that the system has key liveness properties.
Supplemental Material
Online appendix to Santa Claus: Formal analysis of a process-oriented solution (Article 14).