Abstract| This paper discusses general requirements for architecture de nition languages, and describes the syntax and semantics of the subset of the Rapide language that is designed to satisfy these requirements. Rapide is a concurrent event-based simulation language for de ning and simulating the behavior of system architectures. Rapide is intended for modelling the architectures of concurrent and distributed systems, both hardware and software. In order to represent the behavior of distributed systems in as much detail as possible, Rapide is designed to make the greatest posible use of event-based modelling by producing causal event simulations. When a Rapide model is executed it produces a simulation that shows not only the events that make u p the model's behavior, and their timestamps, but also which events caused other events, and which e v ents happened independently.
I. Introduction
Rapide LVB + 93 , LKA + 95 is an executable architecture de nition language EADL. Although it has many of the features of present-day e v ent-based simulation languages, it also provides new features to represent system architecture see, e.g., LVM .
In this paper we rst describe design requirements for EADLs. The architecture de nition features of Rapide are then presented. Their semantics are described in terms of causal event executions and illustrated by a series of simple examples. We show h o w these features can be used to model the behavior of both static and dynamic architectures. We also show h o w mappings can relate widely di erent architectures, one at a high level of abstraction and another at a much more detailed level. Finally, w e give a brief history of Rapide and the current status of its supporting toolset.
Other features of Rapide are described in other papers: these are object-oriented features for deriving new interface types and modules from previous ones KLM94 , Tea94c , concurrent reactive programming constructs Tea94a , and formal constraints Tea94b . An earlier version of Rapide This project is funded by D ARPA under ONR contract N00014-92-J-1928 and AFOSR under Grant A F OSR91-0354 was outlined in LKA + 95 , and its use to model one large-scale example, the X Open DTP standard architecture XoD92 standard was described. In that paper we discussed how mappings, in conjunction with formal constraints, can be used to test conformance of systems to architectural standards.
The current simulation toolset for Rapide has been built for modelling and simulationof architectural designs during the early phases of system development, and also for testing conformance of systems to architectural designs.
II. Features for defining architecture
There is now a widespread belief that software engineering must go beyond object oriented methods to a new technology based upon architecture". Technologies such a s CORBA Gro91 , for example, allow distributed systems of interacting modules to be wired together. However, an architectural plan of the system is needed to both guide the wiring-up" and to prototype the behavior of the system before e ort is put into building the modules i.e., the system's components.
An architecture in Rapide is an executable speci cation of a class of systems. It can be at any level of abstraction. An architecture consists of interfaces, connections, and constraints. The interfaces specify the behavior of components of the system, the connections de ne the communication between components using only the features speci ed in their interfaces, and the constraints restrict the behavior of the interfaces and connections. This is called an interface c onnection architecture LVM since the communication between system components is de ned by connections between their interfaces. When a Rapide architecture is executed it produces a causal event history which is automatically checked for conformace to constraints.
Interface connection architectures can be built quickly in Rapide. They have t w o main purposes. First, to build with relatively little e ort, a prototype that enables one to study and predict behavior before e ort is put into building a full system. Second, to de ne a plan" or framework" to guide construction of a system, possibly by automated synthesis methods. To a c hieve these goals, Rapide must be powerful enough to de ne interface connection architectures that can be executed and their properties measured, the system, when it is built, must conform to the architecture.
A. Requirements for ADLs
The requirement of su cient p o w er" leads us to the following general principles to be satis ed by the Rapide In programming languages, although interfaces restrict the visibility i n to modules, communication between modules is implemented in the modules. For example, communication is represented by function calls buried in classes C++ o r p a c k age bodies Ada, or task entry calls buried in task bodies Ada. Communication is implemented but there is no communication abstraction.
On the other hand, hardware simulation languages do provide communication abstraction, but only for static architectures. In VHDL, for example, communication between entity i n terfaces is de ned in structural architectures by port maps that wire interfaces together. Separate congurations associate entity bodies modules with interfaces in an architecture; di erent con gurations de ne different implementations of an architecture, but the communication is de ned once in the architecture for all possible con gurations of it. Similarly, static connections between a xed number of component i n terfaces are expressed in Verilog TM91 by parameter bindings.
Communication integrity: Interfaces may communicate directly only if there i s a n a r chitecture c onnection between the interfaces.
This requires the architecture's connections to de ne all the direct communication between pairs of interfaces. It is possible for two unconnected interfaces to communicate through a third interface this is called indirect communication.
Dynamicism: Rapide should be c apable of modelling architectures of dynamic systems in which the number of components and connections may vary when the system is executed.
Causality and Time: Rapide should be c apable of expressing casual dependency and independency between behaviors of interfaces and connections, and their timing.
These two requirements are forced by the wealth of dynamic and distributed systems where architecture de nition and modelling has become a primary issue. Many event-based modelling languages provide simulation timestamps and determinisitic event i n terleaving. Concurrency is thereby expressed in simulation results, but dependence and independence of behaviors is not. Moreover, current ADL's cannot model dynamic systems.
Hierarchical Re nement: Rapide should allow both components and connections in an architecture t o b e r eplaced by subarchitectures to form new architectures. This is a requirement that is needed to allow hierarchical design methodologies as currently practiced in many areas e.g., hardware or protocols, to be applied to architecture modelling. Most programming and simulation languages support hierachical re nement of components, generally by allowing an interface to be implemented by a module containing a set of submodules. We require connections also to be re nable into architectures.
Relativity: Rapide should provide features for interpreting the behavior of one architecture a s b ehavior of another architecture or an interface.
This requirement is more general than, and complementary with, hierarchical re nement. When architectures, often for the same system, are de ned at di erent levels of abstraction, they tend to di er widely in the kinds and numbers of components and the types of data being communicated. Current technology does not provide any means to explicitly de ne the relationships between such architectures. Here, we require Rapide to provide features for relating architectures. Such features have several applications e.g., by relating architectures at di erent levels of abstraction, one architecture may serve as a constraint on the other. We illustrate this in Section VII.
B. Conformance t o A r chitecture
A system has" an architecture if it conforms to it; conversely a Rapide architecture is a constraint on systems. There are three basic conformance criteria:
1. decomposition : for each i n terface in the architecture there should be a unique module corresponding to it in the system i.e., the component implementing that interface. 1 2. interface conformance: each component in the system must conform to its interface. Since behavioral constraints can be part of Rapide interfaces, this conformance requirement is stronger than the syntactic interface conformance usually required by programming languages.
3. communication integrity: the system's components communicate directly only as speci ed by the interface connections of the architecture. A system must conform to an architecture in order that the architecture can be used to predict the system's behavior or to decide various issues about maintaining and modifying the system see LVM .
How to test or prove that a system conforms to an architecture is beyond the scope of this paper. There are style guidelines for using Rapide to help ensure communication integrity. One guideline requires components to access only their own interface constituents to communicate with other components. This helps to ensure that all direct communication between components is by i n terface connections. Also, the types of objects that can be communicated must be restricted e.g., only immutable objects to prevent communication trojan horses.
III. Causal Event Simulation
Rapide is an event processing language. Events are simply tuples of information containing, e.g., who generated the event, what activity w as done, data values, the time and duration, etc. The semantics of Rapide are de ned in terms of event processing | generating events, sending events from one component to another, and observing events. Components have the ability to generate events independently of one another. Asynchronous communication is modelled by connections that react to events generated by components and then generate events at other components; the events reacted to cause the events generated by a connection. Causality b e t w een events is also modelled by reactive behaviors of components. In addition, synchronous communication can be modelled by connections between function calls. The result of executing a Rapide architecture a set of interfaces and connections is a poset 2 showing the dependencies and independencies between events.
Let us start with some intuitive examples of how posets capture the semantics of communication architectures.
The components in gure 1 are airplanes and a control tower. Connections between them are depicted by arrows. The intuitive semantics of this picture are that airplanes can generate Radio events containing data which cause Receive events containing the same data that can be observed by the control tower. When this architecture is de ned in Rapide and executed, a typical resulting poset is shown in gure 2. Here, events are depicted as nodes and dependencies between events as directed arcs. The poset shows that airplanes, A1, A2, A3, A4 have generated Radio events independently, and that each Radio caused a Receive event at the control tower, SFO; also the Receive events are independent, so SFO may observe them in any order, possibly concurrently. Timestamps and other information are also contained in events.
A v ariant of this architecture may require all communication to the control tower to be pipelined as shown in gure 3. Here, airplanes are connected to the control tower by a pipeline connector component which orders events it receives into a sequence which is then received by the tower.
When this architecture in gure 3 is executed, resulting posets show additional dependencies due to the pipeline connector; all Receive events are ordered into a linear dependency sequence. This implies that the Receive events are observed one-by-one at SFO in their dependency order.
The semantic di erences between the broadcast and pipeline architectures are shown clearly by the posets in the two gures, 2, 4. Trace-based simulation languages do not capture event dependencies and would produce the 2 Partially Ordered Set of Events. same event trace for these two architectures.
IV. Event Patterns
Event patterns are expressions used in de ning behaviors of components, connections, and mappings between architectures. They are fundamental in representing dynamic architectures.
An action is de ned by an action name, a, and a nite list of types, t 1 ; t 2 ; : : : t n called the signature of a. A n event of action a is a tuple of information with a unique event identi er. The event contains the action name, a, data objects of the signature types, and certain other information such as the component that generated it, or the component that is the destination of the event, the event's timestamps and dependency history. W e use a tuple notation, av 1 ; : : : ; v n , for events. An event's identi er is not part of the tuple notation. Distinct events may h a v e the same tuple.
Event patterns or simply, patterns are expressions that de ne sets of events and their dependency and timing relationships i.e., posets. 
Semantics
Rapide uses two special kinds of variable. The rst is called a placeholder. Placeholder names always begin with a ?" to distinguish them from variable names which always begin with an alphabetic character. Placeholders are typed and declared the same way as ordinary variables, and they can be used similarly to build expressions. However, they di er from ordinary variables in that they can only be bound to an object as a result of pattern matching below. The other kind of special variable is an iterator. An iterator is a universal quanti er ove r a t ype. Iterator names always begin with a !" to distinguish them from ordinary variables and placeholders. Iterators are typed and declared the same way as ordinary variables. They di er from ordinary variables in that they may not be assigned values. A pattern containing an iterator is equivalent t o the conjunction and of the instances of the pattern with the iterator replaced by each object of its type. Iterators are important in de ning fan out" connection rules see Section VI.
Broadcast Communication
The process of deciding if a given poset matches a pattern If PatExp is a composite event pattern, built up from event patterns, P;P 0 , and a pattern operation, then P o s matches it if P o sis the union of the matches for P and P 0 under the same binding of placeholders, B, as follows:
1. dependent: P ! P 0 . P o sis a match if all of the events in the match for P 0 depend on all of the events in the match for P.
2. both: P and P 0 . P o sis a match if there are matches for patterns P and P 0 .
3. distinct: P P 0 . P o sis a match if all of the events which matched P are distinct from the events which matched P 0 .
4. either: P or P 0 . P o sis a match if there is a match of pattern P or a match of pattern P 0 in this case a match for both patterns is not needed.
5. independent: P jj P 0 . P o sis a match if none of the events which matched P are dependent o n a n y o f t h e events which matched P 0 and vice-versa. 6. after: P P 0 . P o sis a match if all of the events which matched P have timestamps according to the Rapide clock less than those of all of the events which matched P 0 . 7. iteration: P exp op is shorthand for the pattern built up from exp copies of P and the operation op where exp is one of zero or more, + one or more, or n exactly integer n copies, and op is any of the preceding binary operations.
8. guarded p attern: P where E. P o sis a match i f i t is a match o f P and the boolean expression E is true when P o sis observed by the component or architecture containing the pattern see Section V.
Examples
Simple Patterns
Here are some simple patterns and descriptions of the posets which w ould match them.
A?i and B?i;
A n A event and a B event with the same parameter. A ! B; A n A event and a B event which depends on the A event. A B; A n A event and a B event which is temporally later than the A event.
A?i where ?i 4;
A n event whose parameter is greater than 4. An interface de nes a type of components. It provides an abstract de nition of externally visible behavior | i.e., the behavior that is visible to, and may be observed by, a n architecture containing those components. An interface denes i the kinds of events that a component can observe or generate, ii the functions it provides to other components or requires from other components, iii its states and state transitions, and iv constraints on its external behavior. In general, components can be small static values e.g., integers or large dynamic systems with varying state e.g., airplanes. Interface types provide component abstraction Section II.
Structure of interface types
The syntax structure of interfaces is outlined in Figure 5 . f X g" means a list of 0 or more X's, and X " means X is optional. Standard Pascal-like t ypes Boolean, string, integer, array, record etc., but not pointers are assumed here without de nition. Many features are omitted from this overview. For example, interface type declarations can have t ype and object parameters thus allowing polymorphic types, can inherit from other type declarations, and can refer to seperately compiled units.
Semantics of interfaces
An interface de nes a type of object called a module.
Modules that conform to an interface belong to its type. If an interface is a component o f a n a r c hitecture then a module of the interface's type can be a component o f a system that conforms to that architecture. The module corresponds under the decomposition principle Section IIBto that interface. The architecture is called the parent of the interface, and the system is called an instance of the architecture.
First we describe how i n terfaces are used to de ne communication between modules of a conforming system.
An interface declares sets of provides, requires, action and service constituents. Those interface constituents are visible to the parent architecture. Other components of the architecture can be wired up by connections, Section VI to those interface constituents. Thus communication b et w een interfaces is de ned by the connections.
Object name declarations are declarations of objects of procrustean types e.g, integers, arrays, etc., interface types or function types. A module conforming to the interface must provide the objects and functions named in the provides constituents. Thus, for example, other components can be connected to call its provided functions. Conversely, a module may call requires functions of its interface and assume they are connected to call provided functions of other components. Connections between required and provided functions de ne synchronous communication.
An interface speci es the types of events its modules can observe and generate by declaring, respectively, in and out actions. Connections in the parent architecture can call the in actions of a module's interface, thus generating in events which the module can observe; conversely, the module can call its out actions, thereby generating events which the parent architecture can observe. Architecture connections between components' actions react to events generated by one component b y generating events observed by other components thus connections de ne asynchronous communication between components.
Any other constituents of a module not in its interface can be referred to only locally within the module. Conversely, a module can only refer to its interface constituents and its internal constituents. These visibility rules, together with parameter type restrictions later ensure communicationintegrity Section II-B of systems that are instances of an architecture. Thus, modules of a system communicate through the connections of the system's architecture.
Next we describe how the behaviors of interfaces execute as components of an interface connection architecture.
An interface optionally contains a behavior which consists of a set of types, objects, functions, and transition rules. Only procrustean objects are allowed. Objects declared in an interface model state. T ransition rules model how modules of the type react to patterns of observed events by c hanging their states and generating events. A behavior is an abstraction of modules of that interface type.
An interface observes in events from the architecture. It reacts by executing its transition rules and generating out events which are sent to other components. An interface can also generate its own in events and observe its own out events. Similarly, a n i n terface observes calls to its provides functions; the interface must declare functions in its behavior that are executed in response to these calls. When an interface calls its requires functions it depends upon the parent architecture to connect those calls to provides functions in other components.
There are two kinds of transition rules in behaviors. Those with the operator, = , are called pipes; those with the operator, jj are called agents. A pipe with a sequential pattern in its body speci es the behavior of a single thread of control, whereas an agent speci es the behavior of arbitrarily many threads below.
A state transition rule has two parts, a trigger and a body. A trigger is either an event pattern or a booleanvalued expression. A body is an optional set of state assignments followed by a restricted pattern which describes a poset. A provides function body is treated as if it was a transition rule that is triggered by a function call; function calls are treated as events. The execution semantics of transition rules are as follows. If any of the boolean triggers are true, the process of arbitrarily choosing one of the true triggers, executing its rule body is repeated until none of the boolean triggers is true.
Next, the interface observes an event from the set of its events that have been generated and not yet observed. These events are queued awaiting observation. An event is observed by a n i n terface at most once. If no events are queued, the module waits for one. Events are observed in a sequential order which is consistent with their temporal and causal orderings. 4 Observing an event m a y trigger one or more transition rules. A rule R triggers if some subset of the events thus far observed but not yet used in triggering R match its pattern. If more than one set of observed events can trigger a rule, the earliest in time and dependency and largest is chosen. If R triggers, the binding of placeholders used to match its pattern is applied to its body, and that instance of R 0 sbody is then ready for execution. The set of rule body instances that are ready for execution are then executed one by one in some order.
The guards in pattern triggers are evaluated whenever an interface event is generated. Their values are associated with the event. In matching a pattern that has a guard i.e., is restricted by a where condition the guard, rst the pattern is matched with the observed events and then the guard is evaluated. The value of the guard that is associated with the last event used in matching the pattern is taken as the value of the guard when the pattern is matched.
Executing a rule body consists of changing the state of the behavior part by calling operations of objects declared there, generating the unique poset of new events de ned by the instance of the restricted pattern, and adding the poset to the execution of the parent architecture. When the new events are added they depend on all of the events in the match of the trigger; they also depend on events that triggered the last rules to change any of the state objects that are referenced in executing the rule e.g., in a guard in the trigger or in a parameter expression on the right side of the rule. In addition, if the rule is a pipe, then all of the generated events depend on all events generated by a n y previous triggering of the rule.
Execution of a behavior then continues with evaluating boolean triggers rst, and then observing events, as above.
Below Any e v ent m a y take part in triggering a given rule at most once, although it may take part in triggering several rules.
Constraints specify restrictions on the behavior of an interface. That is, the behavior that results from executing transition rules must match the pattern of a constraint. For example, a constraint can specify that rules trigger only in certain orders, in certain states, etc.
The behavior of a module corresponding to an interface in an instance of an architecture is constrained to be consistent with both the interface's behavior and constraints i.e., interface behaviors act as additional constraints on modules that conform to the interface. 5 Services A service names a group of constituents in an interface note, it is not an object, it is a name. Services provide a powerful notation for connecting large numbers of actions or functions Section VI. Services also specify the types of complementary connections an interface expects" from its parent architecture. So services specify, to some degree, the types of other components to which a n i n terface expects to be connected.
A service S of type T in interface I declares that type I has the provides and requires functions and objects of T, and the in and out actions and services of T. T o name them the name S" must be appended with the usual ." notation before the name of the constituent. For example, if type T has an out action A, then S.A" is a name of the out action A of I.
Since a service is a type, it is a concise notation for replication e.g., one can declare arrays of a service of large numbers of connections.
A service S 0 is dual to S if its type is dual T. A dual type contains a set of constituents of I with the same names as constituents of T, but with dual roles: a provides function of T is a requires function of dual T, an in action of T is an out action of dual T, a type S service of T i s a t ype dual S service of dual T, and conversely. Dual services of the same type in objects usually of di erent t ypes may b e connected together easily since they have complimentary constituents. of O. Each i n terface type T has an operator &" de ned on it which converts an object of T into the corresponding name in the name type, &T. The only operators de ned on name types are equality =", assignment :=", and dereferencing *". Equality and assignment are de ned as usual. The dereference operator of a name type &T is de ned to convert a name in &T to the corresponding object of the interface type T.
Only the parent architecture Section VI of T may dereference T 0 s name. This restriction distinguishes name types from pointers; its purpose is to ensure communication integrity Section II-B. An example of name types is given in Section VI.
Discussion
Component abstraction Section II is provided by interface types which include a powerful method of de ning behavior. A single Rapide transition rule can express the reaction of a concurrent distributed system since its output pattern can de ne a complex poset of events with various dependencies and timing. Generally, many di erent modules or architectures will conform Section VI to an interface.
Communication integrity of architectures Section II is aided by s t yle guidelines on the types of parameters of actions and functions, together with the visibility rules for modules and interfaces. Parameters of functions and actions should be of Procrustean types or name types. Consequently if a name of a component is passed, the receiver cannot dereference it to start direct communication with that component; only the parent architecture can communicate directly with its components. Style guidelines are not enforced by the Rapide compiler.
Behaviors are non determinisitic. In matching triggers of transition rules, events are selected one at a time and rules that trigger are executed one at a time in an arbitrary order. Because of shared state between rules, and since independent e v ents may be selected in any order, the triggering on posets and order of execution of state transitions, as well as the parameter values of the events or function calls they generate, are all non deterministic.
Constraints may be supported in di erent w a ys by v arious tools. For example, executions can be checked and violations detected runtime checking tools, or transitions may be allowed to execute only if a constraint w on't be violated safe execution, or transition rules can be proved consistent with constraints veri cation.
Complexity of Interfaces: Interfaces specify separately synchronous communication b y function calls from asynchronous communication by e v ents. Attempts to simplify interface design by using the same speci cation mechanism e.g., provides and requires actions lead users to incorrect expectations, both in subtyping of interfaces KLM94 , and in semantic equivalences between functions and actions. Interfaces also provide behaviors and constraints to satisfy component abstraction Section II. Overall, Rapide interfaces are more complex than, say, class public parts in C++ or package speci cations in Ada. Indeed, richer interfaces are needed for architecture de nition since they must go beyond the traditional information hiding role of interfaces if they are to support component abstraction. Comments: This agent transition rule could be part of the behavior of the AutoControl interface. It is triggered by a Boolean condition and speci es a reaction consisting of the generation of three independent e v ents. Two of these are in events which will be observed by the AutoControl object itself. The other is an out event which will cause other events according to the architecture's rules. The events generated by triggering this rule will depend on whatever events caused Speedometer 55 e.g., events causing some local state to change. An agent rule such as this one, does not impose any dependency between the events generated by di erent triggerings of the rule.
This rule abstracts a behavior of AutoControl modules albeit one that most drivers wouldn't like. RS, 232 service. Services in these interfaces express an important abstraction of the modules with these interfaces. Namely, the modules expect" to be connected to other modules with RS,232 services, again illustrating support for component abstraction. A computer and a modem can be connected in an architecture by a single connection statement, as shown in Section VI. This allows architectures with potentially large numbers of connections to be written with clarity and conciseness.
Note that a more ambitious interface would contain a behavior part de ning RS,232 prototcols.
VI. Architectures
An interface connection architecture is a set of interfaces, a set of connection rules, and a set of constraints. Connection rules de ne relationships between events independently of any implementation; they are communication abstraction constructs Section II. Connections are de ned using event patterns. Event patterns provide the expressive p o w er to de ne both static and dynamic architectures Section II.
Syntax
An architecture contains declarations of types, components and other objects, a set of connection rules, and a set of constraints.
Semantics
The optional return type name is the interface type of the architecture. An architecture de nes a module of that interface type. If the return type is omitted, the empty interface type, Triv, is the default. Generally, i n Rapide, architectures are parameterized, and are therefore architecture generators that, when called, return modules of the return type. Here, in order to focus on connection features, we h a v e omitted parameterization.
The Rapide architecture construct encapsulates both an interface connection architecture in which all components are interfaces, and instances of such an architecture, in which components may be module of the interface types. Types and components are declared in the declarations section of an architecture.
Static architectures may simply declare all components by naming them in object declarations. On the other hand, dynamic architectures may declare the interface types of components and rely on creation rules below to de ne when, during execution, components of those types are created or destroyed.
The connection part contains connection rules and creation rules. Connections de ne communication between components by e v ents or function calls, and creation rules de ne event conditions that lead to creation of new components.
A connection rule Abbrev: connection is composed of two patterns. The patterns are separated by a connection operator, to, = , jj . As with transition rules, the left pattern of a connection is called its trigger. The right side of a connection is called its body.
Connections are used to wire up" components of an architecture as follows. A trigger must be a pattern of out events or requires function calls of components; a body must be a pattern of in events or provides function calls of components. A connection may also wire the architecture's interface to its components. In this case, the trigger is a pattern of in events and provides functions of the interface and the body is a pattern of in events and provides functions of components, or conversely, the trigger is a pattern of out events and requires functions of components and the body is a pattern of out events and requires functions of the interface.
The semantics of executing connections is as follows. Events or function calls are either generated by the components in the architecture or observed at the interface of the architecture. These events are selected one-by-one in any order that is consistent with their dependency and temporal orders and matched with the pattern triggers of the connections. However, unlike transition rules, matching of triggers of di erent connections may take place independently or concurrently because there is no state shared between connections. The essential points are: i any e v ent may contribute once to triggering a particular connection rule but may trigger many di erent rules, and ii if more than one poset of the selected events can trigger a rule then an earliest in the dependency order maximal poset is used.
The guards in the pattern triggers of connection rules are evaluated when an event is generated that can be observed by the architecture. Their values are associated with the event for future reference. During matching, if P a tis guarded by a where condition, the value of that guard that was associated with the last event to be selected in matching P a tis used as the value of the guard.
The number of guards that need be evaluated for any observable event can clearly be reduced in general. Any given event will be a potential participant in matching only a subset of the guarded patterns in the set of connection triggers. This is a compiler optimization.
Basic connections. A basic connection is a to connection between two basic patterns, or more generally, b e t w een two lists of basic patterns. Consider a connection between two basic patterns. Whenever an event matches triggers the left pattern, P a t , in a basic connection rule, P a ttoP a t 0 , then i all placeholders in the right pattern, P a t 0 , m ust be bound by the match, ii the rule results in generating a new in event whose tuple is the instance of P a t 0 , and this event is received by the component named in that tuple, and iii the two e v ents are equivalent with respect to dependency and time.
Equivalence of the two e v ents means that all other events have the same dependency relationship to both of the events, and also the two e v ents have the same timestamps. This does not mean that the events are equal, but simply that they cannot be distinguished by dependency or time.
A basic connection between two lists of basic patterns is a shorthand for several basic connections. That is, a match o f a n y one of the left patterns causes or triggers the generation of the events, one for each pattern in the right list, and the events generated are all equivalent t o the triggering event with respect to dependency and time.
Basic connections between functions. A basic connection de nes an alias of a requires function of a component to a provides function of a component, and a sychronization at each call between the caller and callee. The following conditions must hold for a basic connection between functions to be correct: i the left pattern must match calls of the requires function and the right pattern must match calls to the provides function, ii the provides function must be a subtype of the requires function.
Evaluation of a call to the requires function triggers the connection. The resulting instance of the connection's right pattern must be a call to the provides function. The caller's execution is suspended, the call to the provides function is executed and any return object is returned to the caller as the value of the triggering requires function call.
By using guards in the triggering function call, the alias for a requires function can vary at runtime. If a requires function call has more than one alias, perhaps because a call triggers more than one connection, one of the return objects is the result.
Basic connections can also alias provides or requires functions of the architecture's interface to provides or requires functions of components, respectively.
Basic connections between services. A basic connection can be used to connect a service of a component t o a dual service of a component. The connection de nes a set of basic connections, one for each pair of constituents with the same name in the two services. It is bi-directional in the sense in each of the basic connections the out constituent is action or function name in the trigger and the in constituent is the action or function name in the body.
General connections. The semantics of a general connection, P a t o p P a t 0 , where op is = or jj , are as follows. When P a tis matched, P a t 0 m ust de ne a unique poset i.e., all placeholders in P a t 0 m ust be bound by the match. Then the connection is executed. The events in the instance of P a t 0 are generated together with the dependencies de ned as follows: i each e v ent i n P a t 0 depends on all events in the triggering poset, ii each e v ent depends on other events in P a t 0 as de ned by the pattern, P a t 0 , iii if the connection operator is = a pipe then all the generated events depend on all events generated by previous triggerings of the connection. The result is a new poset of in events of components and out events of the interface.
An architecture may be constrained by patterns in its constraint section. The sets of events generated by the architecture's interfaces and connections must match the constraint patterns. Constraints may, for example, require components to use a particular communication protocol. As discussed in Section V, constraints may be supported in di erent w a ys by v arious tools.
Conformance to an interface
If an architecture is bound to a non-trival interface it should conform to the interface. This means that :
1. calls to provides function names in the interface should result if at all in objects of the return type. To a c hieve this, the architecture should have basic connections aliasing provides function names in the interface to provides functions of its components, or alternatively it can declare an executable function body with the same name. 2. Any poset of interface events resulting from executing the architecture should satisfy constraints in the interface. That is, in events observed by the interface may trigger connections in the architecture, and result eventually in out events of the interface being generated by connections in the architecture. These out events will be related by dependencies and time to the in events, thus de ning posets of interface events. The posets of interface events must satisfy the interface constraints. 3. An interface poset generated by an architecture must be a super poset of the poset generated by its interface behavior i.e., a superset of the events with an identical dependency order on the common subset. In this sense, an interface behavior Section V acts as a constraint o n a n a r c hitecture of that interface type.
Discussion
Connection rules provide communication abstraction Section II. They refer only to constituents functions and actions of interfaces of components and are independent of the modules implementing the components.
Basic connections are fundamental. A general connection is, in fact, an abstract interface expressed in a succinct notation. A general connection can be replaced in any architecture by a c onnector component whose transition rule expresses the same connection relation between in and out events together with basic connections between components and the connector.
Hierarchy Section II is provided by the ability to bind architectures to interfaces using connections, and by conformance criteria. Both interfaces and connection rules can be expanded into architectures of lower level components. An event o f a n y person pushing a button triggers the rule and produces a new event denoting that the button's light is on. The two e v ents are identical with respect to dependency and time i.e., they have the same dependencies with all other events and the same timing. It is not possible to distinguish the two e v ents either by a clock o r b y looking at their causal history. So the connection links persons and lift buttons in a very strong way; the actions of pushing buttons and lighting buttons appear identical according to time and causal history. Figure 1 , Section III. Whenever any airplane a match for ?A generates a Radio event containing a message and the InRange predicate of that airplane is true in the state when the radio event i s generated, then SFO will receive a Receive event with the same message. The connection triggers only when an airplane is in range. This connection rule is a conditional broadcast between all airplanes and the control tower. It de nes communication in a system that may h a v e v arying numbers of airplane components. It is essentially a fan-in connection. It imposes dependencies between pairs of Radio and Receive events as shown in the poset Figure 2 , Section III. In this gure, nodes are events and directed arcs represent dependency. The poset also shows that the Receive events are all independent. This implies that they could be observed by the control center concurrently.
To illustrate how posets distinguish between di erent architectures, we simply change the connection rule in the previous example to be a pipe instead of a basic connection.
Example: Pipelining air tra c control. Comments: We h a v e c hanged the air control sector architecture so that all radio events are observed at the control center through a pipe rule. Essentially, a pipe is used to connect airplanes and the control center as shown in Figure 3 . Now all airplanes communicate with SFO b y a single pipe instead of by broadcast. Pipe connections order the events they generate into a linear dependency sequence. In this case, each generated event, SFO.Receive, depends on the ?A.Radio event that triggered the rule, and all previous SFO.Receive events.
The SFO.Receive events are all in a linear dependence chain, as shown in Figure 4 . This means that messages can only be received at the control center one-by-one in their dependency order.
The semantic di erences between the broadcast and pipeline architectures are shown clearly by the posets in the two gures, 2, 4.
Example: Using RS-232 to connect computers and modems Figure 7 . This connection expresses a set of 25 basic connections between pairs of RS,232 constituents with the same name; in each connection the out constituent is the action in the trigger pattern.
Example: An Intelligent Network Architecture.
An intelligent network is a dynamic architecture which works by passing the names of components to other components. The restrictions on name types Section V ensure that the Network Architecture's connection rules de ne all pairs of components that may participate directly in data transfer.
There are three types of components: providers, clients, and brokers. The numbers of components of each t ype can vary although in our example they are xed. Providers can Register with a broker, indicating the service they provide. The broker stores the names of providers which are contained in Register events as the actor element and the jobs they can perform.
A client can ask a broker for a provider of a job by calling Find Provider. As a result the name of a provider is supplied by the broker to the client not a provider itself. A client can then use the name of the provider to request a job. The client cannot dereference the name and get the provider, and then call the provider directly. A client m ust communicate a request for a job with the provider's name to the architecture. The parent architecture is the only module that can dereference the provider's name in its connection rules and generate the request to the provider. The rst rule connects any provider's out action Register with the broker's in action Register Provider. This is a fanin rule connecting many providers to a single broker; asynchronous actions are used so that providers don't block.
The second rule de nes an alias between a call to a client's Find Provider function and a call to the broker's Provider Lookup function; the return value is the name of a provider. Again, it is fan-in rule connecting many clients to a broker. Synchronous function call is used because clients will need to wait for a return value. If there were multiple brokers, this rule could be generalized to alias a call to Find Provider to any broker, the result being one of the returned names.
The third rule aliases a call to any client's Request Job function to a call to the Do Job function of the provider whose name the client supplies. The rule dereferences the provider name in the client's call and calls the provider's Do Job function. The rule expresses Nu mClients Nu mProviders connections between pairs of components. Communication integrity implies that these rules de ne all of the direct communication in the Network between pairs of clients, providers and the broker. They allow u s t o draw some conclusions without knowledge of the modules implementing these components. For example: i since none of the connection rules can be triggered by the broker, we know that the broker does not initiate any communication. ii Only providers can cause the broker's Register Provider events. iii Clients do not communicate data directly to clients, and providers do not communicate data directly to providers. iv transfer of data from a provider to a client has to be caused by a function call from a client i.e., limited junk mail rule.
These properties of the network communication could not be deduced if the integrity of the connection rules Section II-B could be subverted by passing components, or pointers to components, as parameters of their functions and actions. The deductions are valid even though component names are being passed between the components. This is because only the architecture Network may dereference the names of its components as is done in the third connection rule. Thus, for example, the broker cannot use the name of providers it stores to communicate with them directly. This would not be true if pointers were used in place of names; the broker could dereference a pointer to a provider and call the provider's functions. In an ordinary programming language we w ould have to examine the implementations of all of the components.
VII. Mappings
Event pattern mappings Abbrev: mappings can be used to de ne how one architecture is related to another one, or how an architecture is related to an interface. The idea is to de ne how e v ents in one system correspond to events in another. In many cases, there is quite a wide difference between systems. For example, when two systems are at di erent levels of abstraction many e v ents in one may correspond to just one event in the other as is often the case in hierarchical design. Patterns provide the necessary expressive p o w er to de ne these kinds of mappings. Semantics. Maps have visibility i n to the declarations of their domain from architecture and range to architecture. Mapping rules can trigger on events happening at the top level inside the domain, and generate events at the top level inside the range. Rules in a mapping have the same semantics as transition rules in components or non basic connections in architectures except that they do not de ne any causal relation between the triggering events from the domain and the events they generate in the range. This section gives an example of two Rapide architectures for a simple microprocessor and an event pattern mapping from one to the other. It shows some of the complexities of real life" applications that require the power of an event pattern language.
The original version of this example in GL92 consisted of three architectures in VHDL for a simple 16-bit microprocessor at three commonly used design levels of abstraction: instruction level, register transfer level RTL and gate level. This work reported the results of using mappings written in VAL VHDL annotation language to control the complexity of the VHDL simulation. The gate level simulation for a very small input data sample produced 8073 events. Clearly, manual inspection of this amount o f output is di cult and error prone, even though it is very small in comparison with industrial simulations. 6 By using VAL mappings to map the gate level architecture to the RTL architecture, and then map the RTL architecture to the instruction level architecture, the number of events in the mapped simulation was reduced to 5. Design errors at the gate level and RTL typically incorrect architecture connections which are di cult to detect at that level, were made manifest at the instruction level in the form of missing events.
Thu s a p o w erful application of event pattern maps to design hierarchies lies in mapping complex low level simulations into behaviors of a higher level, more abstract architectures called the mapped b ehavior. The mapped behavior is much smaller and simpler. This has the following bene ts: manual inspection of the mapped behavior is feasible. formal constraints are generally part of high level architectures since they embody design requirements; low level simulations can be mapped up" and automatically checked against high level constraints. errors in the mapped behavior can be traced back t o the low level architecture by analyzing where the trig-ger patterns of the map matched in producing the high level error. Below w e give the Rapide RTL architecture of the microprocessor and the mapping to the instruction level. Figure 10 is a picture of the RTL architecture, and Figure 11 is a picture of the map from patterns of RTL events to instructions; it shows the timing relationships between a set of RTL events that would trigger the map, resulting in a load event.
The Rapide global clock v alues are the same at all levels in the design hierarchy. In Figure 11 these readings are shown horizontally at both levels. The RTL pattern involves 12 events that trigger the mapping for a load instruction. The arcs show the timing relations between the events that are required by the trigger | i.e., some events are required to occur after others, whereas some may occur in any time order. The CL events, for example, are device clock e v ents. There are 4 CL events, de ning three device clock cycles. The trigger requires particular events to occur on each cycle. The shadow of the pattern depicts the simulation time duration of the load instruction.
First, the interfaces of RTL component t ypes registers, bu ers, controllers, and logic unit are given. State transitions and constraints are omitted from these interfaces for brevity. One may assume either that there are state transitions or else an executable gate level architecture for each of these interfaces. Compilation dependencies between the interfaces are expressed by with clauses. Some of these interfaces could be derived from others by object-oriented features of Rapide Tea94a . These connection rules have a particularly simple eventbased semantics since they are all basic connections de ning equivalences between single events. There are no guards, so the architecture is static. Each connection means that whenever a given component generates an output event then the corresponding component will receive an equivalent in dependency and time input event. They de ne equivalences between pairs of single events.
The component i n terfaces also de ne dependencies between input and output events by state transition rules which w e h a v e omitted or by their underlying gate-level architectures. So, when this Rapide architecture is executed in response to some input, it will generate a poset of events that gives the dependencies between events generated by the components as well as their timestamps according to the Rapide global clock see Figure 11 .
In VHDL one must declare the connecting wires called signals and bind each component's ports ports in VHDL correspond to actions in Rapide to the wires. Here, Rapide basic connections allow us to de ne the connecting wires" directly. Also, Rapide interface services are used to de ne 20 connections between the controller and the register bank in one connection rule. The same architecture in VHDL given in Gen91 took approximately 170 lines of VHDL to specify whereas it took less than 30 lines here. Since errors in architecture connections are common, it is important to develop succinct notation for them.
Below, we give the microprocessor instruction level interface showing some of the instructions and the mapping SimRef. The SimRef maps nite sets of RTL events those matching its triggers to single events at the instruction level. So we expect an RTL behavior to be mapped to a much simpler instruction level behavior. In this example, the SimRef trigger uses only the timing relation between events; it does not use causality. In de ning a map, it is important to specify the trigger of each rule so that it triggers on posets of low level events that are su cient to signify the corresponding high level event. If the triggers can match some subset such a s t h e upper or lower bound events of the appropriate posets, the mapped behavior will not be correct, but may contain extraneous events. Patterns provide a powerful and succinct notation for specifying su cient posets.
The Load rule, for example, speci es the RTL events which correspond to an instruction level Load event. Any clock e v ent with a parameter of 1 indicating a rising edge of the device clock may initiate a Load behavior. On the rst clock cycle the instruction register Ir must load a instruction whose instruction eld indicates a Load and the controller C must transition to state if4. On the second clock cycle the address enable bu er AEB must output a particular address value ?a which is extracted from the instruction loaded in the previous cycle, the processor must output a Read, the Data In Bu er DIB must output data ?d, and the Controller must transition to a ld state. On the third clock cycle a register any one in the register bank must execute a Load of the data ?d output by the DIB in the previous cycle and the Controller must transition to state if1. When that clock cycle completes, this poset maps to a Load instruction which indicates the data ?d was loaded from address ?a into register ?r.
The above mapping rules de ne completely the set of RTL events together with their timing which correspond to the instruction level events. Since causality is not expressed in the triggers because this example is taken from VHDL the mapping rules are not su cient. F or example, it would be possible, for some set of RTL events with the correct timing to trigger a load mapping rule when a load instruction is not executed.
VIII. History and status of Rapide
Rapide has evolved from several sources: a VHDL for event-based and architecture concepts, b ML MTH90 and C++ ES90 for type systems, and c TSL LHM + 87 for event patterns and formal constraints on concurrent behavior expressed in terms of patterns of events.
The evolutionary steps can be summarized as follows. First, Rapide departs from previous event-based languages in adopting the partially ordered set of events poset execution model in place of linear traces of events. Simulations in Rapide produce posets. The concept of posets has been described by Fidge Fid88 , and Mattern Mat88 , and was probably extant in the database literature since the 1970 0 s. The rst studies to our knowledge of the feasibility of implementing simulation languages to produce poset executions, and to check them for constraint violations, were done independently on the Rapide-0.2 project Bry92 , MSV91 , and the OEsim project AB91 .
Secondly, there are many e v ent-based reactive languages in existence; a few of the ones that we h a v e studied are VHDL VHD87 , Verilog TM91 , LOTOS BB89 , CSP Hoa78 , and Esterel BCG87 . Most of these languages have simple forms of event patterns for triggering processes | e.g., VHDL has sensitivity lists which are disjunctions of events, and LOTOS has basic events with predicate guards. In Rapide we h a v e i n troduced more powerful event patterns, as is appropriate for specifying posets. Event patterns play a basic role in features for de ning both reactive behaviors and formal constraints. Pattern matching concepts go back at least to the uni cation algorithm in Resolution theorem-proving Rob65 , and their use in AI languages is typi ed in Planner Hew71 and Prolog CM84 .
Third, the concepts of interface in Ada package speci cation and VHDL entity interface, both of which w e extended with formal annotations in prior work Luc90 , ALG + 90 , have been extended to interface types in Rapide with a capability to specify concurrent behavior. In these earlier languages, interfaces were not types. Interface types can inherit from other types using object-oriented methods, and are related by a notion of structural subtyping KLM94 . Much research i s y et to be done on interface design and the interplay b e t w een subtyping and well-formedness of architectures.
Fourth, VHDL provided us with the best previous model of architecture" which is a wiring of interfaces, totally separated from a binding of interfaces to implementations con gurations. Structural connections in VHDL, expressed by port maps that bind the ports of component interface instances to signals in an architecture, are generalized in Rapide to event pattern connection rules. This feature allows dynamic architectures.
Finally, e v ent patterns are used in Rapide to de ne mappings between architectures, thus allowing for hierarchical and comparative simulation, as described in our earlier work on VAL+ GL92 .
At present a simulation toolset for Rapide-1.0 is being tested on industrial examples of software and hardware architectures of moderate complexity. The simulator produces posets. Analysis tools display simulator output graphically, automatically check output for violations of formal constraints, and allow simulations to be animated on pictures of the architecture that is being simulated. Input tools are being constructed to allow architectures to be input in various formalisms and translated to Rapide. The eventual goal is to develop an industry scale toolset.
