Behaviour and Refinement of Port-Based Components with Synchronous and Asynchronous Communication by Janisch, Stephan
Behaviour and Refinement of
Port-Based Components with
Synchronous and Asynchronous
Communication
Stephan Janisch
Dissertation
an der Fakultät für Mathematik, Informatik und Statistik der
Ludwig-Maximilians-Universität München
zur Erlangung des Grades Doctor rerum naturalium (Dr. rer. nat.)
Erster Gutachter: Prof. Dr. Rolf Hennicker, LMU München, IFI, PST
Auswärtiger Gutachter: Prof. Dr. Stephan Merz, INRIA Lorraine, LORIA
Dritter Gutachter: Prof. Dr. Martin Wirsing, LMU München, IFI, PST
Abgabedatum: 18. Juni 2010
Tag der mündlichen Prüfung: 27. Juli 2010
Abstract
Component-based development is an established discipline of Software Engineering.
It focuses on the development of strongly encapsulated components to support reuse within
the construction of hierarchical systems by assemblies of components and their connectors.
Software component models define concepts for the construction of component-based sys-
tems. Formal software component models additionally define a model of dynamic com-
ponent behaviour and support formal analysis which is of paramount importance for the
verification of behavioural properties and component correctness. This holds in particular
for the development of concurrent component-based systems.
Existing formal component models usually use a synchronous rendezvous mechanism
to define the global behaviour of communicating concurrent components. However, in
order to support the specification and analysis of concurrent systems an asynchronous
communication timing, as prominent for example in FIFO buffered communications of
message-passing systems, must also be taken into account. Moreover, in order to support
component-based development of hierarchical systems with top-down or bottom-up design
approaches, it is crucial to distinguish between behaviour specifications and behaviour im-
plementations. Still, an integrated view of specification and implementation of component
behaviour must be provided.
In this thesis, we develop a formal software component model with hierarchical port-
based components, providing an integrated approach for the static and dynamic modelling
of concurrent message-passing systems with synchronous and asynchronous message ex-
change. We consider components that execute in parallel to each other and communicate
solely by message exchange via ports. Binary connectors between ports are utilised for
synchronous (rendezvous) or asynchronous (FIFO buffered) message exchange. Compo-
nents and connectors are used for a compositional construction of assemblies. Assemblies
in turn can be used for the implementation of composite components by delegating mes-
sages between the ports of the composite component and the open ports of the assembly.
The proposed model distinguishes abstract models for component implementations
and component specifications. We call the former “component behaviours” and the lat-
ter “component frames”. Behaviours and frames are formally related by a definition of
implementation correctness. We show that our model supports top-down and bottom-up
design approaches, and component-wise evolution [dAH01b] in hierarchical systems. As
a formal model of behaviours we use I/O-transition systems (IOTSs) and for frames we
use input-persistent I/O-transition systems (PIOs). IOTSs are in fact a special case of PIOs
that in turn are a specialisation of modal I/O automata of Larsen and Nyman [LNW07].
We develop a theory for refinement and compatibility of PIOs with synchronous and
asynchronous communication and show that our refinement relation, called blackbox re-
finement, satisfies fundamental properties such as transitivity and compositionality. Mo-
tivated by the aim to detect communication errors we take into account the asymmetry of
sending (output) and receiving (input) messages and develop different notions of output
compatibility with varying degrees of freedom for the interleaving of local, non-shared
component actions. Based on an encoding of FIFO buffers we show that blackbox refine-
ment is transferable to asynchronously communicating components. Moreover, we develop
a notion of asynchronous output compatibility that is a natural extension of synchronous
iii
output compatibility and show its preservation by blackbox refinement. The resulting the-
ory is an interface theory in the sense of [BMSH10]. Concerning more general properties
we define a greybox variant of blackbox refinement. Greybox refinement allows to distin-
guish internal labels and we show that greybox refinement preserves safety properties with
regard to the communication traces of a composed system.
As a concrete syntax we use UML components with ports for the specification of static
structures, state machines for the specification of behaviours, and protocol state machines
for frames. By combining an industry-strength modelling language with a formal theory
we obtain both a precise and well-understandable specification as well as an unambiguous
meaning of dynamic system aspects.
With regard to verification we must take into account that systems of buffered PIOs are
potentially infinite-state systems which makes most verification problems undecidable. We
consider foremost the verification of asynchronous compatibility and discuss a criterion for
closed systems based on synchronous compatibility. For the general verification support
of buffered PIO systems we discuss a translation to Communicating Finite State Machines
(CFSM) [vB78]. We develop a CFSM correspondence of asynchronous compatibility and
sketch the application of a symbolic CFSM-based approach to its verification.
Finally, we illustrate the model developed within this thesis, using the Common Com-
ponent Modelling Example (CoCoME). The CoCoME, initiated as a GI-Dagstuhl research
seminar, aimed at a comparison of existing component models using a common require-
ment specification and reference implementation of a point-of-sale system. We consider
UML specifications of static and dynamic system aspects, illustrate their translations to
transition systems, and discuss proof obligations arising from behaviour, correctness, and
frame analysis.
iv
Acknowledgements
I would like to thank my supervisor Rolf Hennicker for his guidance and support dur-
ing all the years. The countless discussions about both, concepts and theory, often resulted
in new ideas to extend and improve the results of this thesis. Rolf continously insisted on a
conceptional sustainable and formally precise development and, by this means, contributed
to a component model which is hopefully precise about concepts and, at the same time, in
touch with practical applicability.
I am also deeply indebted to Alexander Knapp for many fruitful discussions and the
joint work on our publications. Alexander’s help in technical, but also in conceptional
questions was invaluable. His intuition in formal reasoning repeatedly helped me to move
on with the theoretical parts of my research. Moreover, I would like to thank Stephan
Merz and Martin Wirsing for their reviews and critical reading of this thesis and the whole
PST team for providing a perfect working atmosphere with lots of discussions, especially
during the days we spent at our yearly “hut seminar”.
Finally, I thank my wife Clarissa da Costa and my whole family for their encourage-
ment and support. I am especially grateful to Gudrun da Costa for her language corrections
of the informal parts of this thesis.
v

Contents
Chapter 1. Introduction 1
1. Component-Based Software Engineering 1
2. Component Models and Distributed Systems 4
3. Contribution and Overview 9
Chapter 2. A Formal Model for Components with Behaviours 15
1. Port-Based Components and Behaviours 15
2. I/O-Transition Systems (IOTS) with Queues 22
3. Components with (A)Synchronous Communication 26
4. Implementation using Message-Oriented Middleware 31
Chapter 3. Behavioural Neutrality in Synchronous Assemblies 35
1. Syntactical Reduction of Synchronous Assemblies 35
2. Port-Based Views of Component Behaviour 39
3. Application to the Compressing Proxy System 43
4. Discussion and Related Work 44
Chapter 4. A Theory for Refinement and Compatibility 47
1. Input-Persistent I/O-Transition Systems (PIO) 48
2. Asynchronous Communication 58
3. Compatibility and N-ary Composition 64
4. Greybox Refinement and General Properties 66
5. Discussion and Related Work 73
Chapter 5. On the Verification of PIO Systems 75
1. Verification Based on Finite-State PIOs 76
2. Correspondence with Communicating Finite State Machines (CFSM) 81
Chapter 6. Frames for the Specification of Component Behaviours 99
1. Frame Specifications for Port-Based Components 99
2. Compressing Proxy Revisited 103
3. Supporting Component-Based Development 107
4. Port-Based Frame Verification of Communication-Safety 110
5. Related Work 112
Chapter 7. UML2 – Applied Features and Extensions 113
1. Static Structure of Components and Assemblies 113
2. Component Behaviour and UML State Machines 117
3. Frame Specifications and UML Protocol State Machines 119
4. From State Machines to Transition Systems 120
Chapter 8. The Common Component Modelling Example (CoCoME) 125
1. Modelling of the CoCoME 125
2. Static Structures 126
3. Component Behaviours and their Translation 129
vii
viii CONTENTS
4. Hierarchical Component Behaviours 131
5. Frame Specifications of Simple and Composite Components 136
6. Analysis and Proof Obligations 137
Chapter 9. Conclusion 143
1. Related Work 143
2. Evaluation and Prospects 152
Bibliography 155
CHAPTER 1
Introduction
1. Component-Based Software Engineering 1
2. Component Models and Distributed Systems 4
3. Contribution and Overview 9
The thesis starts with an introduction into component-based software engineering as
a sub-discipline with distinct characteristics which allows us to separate it from other
paradigms such as, for instance, object-oriented software engineering. In particular, we
identify the specifics of component-based development to which the provision of an ap-
propriate software component model is fundamental. A software component model de-
fines what exactly components are and how they have to be composed in order to support
the construction of larger systems. Software component models differ in variable classes
of systems. Within this thesis we examine concurrent message-passing systems with syn-
chronous and asynchronous message exchange and develop a formal software component
model with a focus on modelling and behavioural analysis. After a discussion of what we
believe constitutes a formal software component model, we summarise the contributions
of this thesis and provide an overview of the single chapters.
1. Component-Based Software Engineering
Component-based software engineering (CBSE) has emerged as a sub-discipline of
software engineering aiming at the development of reusable components and component-
based systems. Reusability might be achieved by composing systems out of prefabricated
components which can be considered as key aspect of the paradigm underlying CBSE. In
this context it is an important goal to be able to compose without reference to a certain
implementation [Som06, Chap. 19]. Components are supposed to be delivered by third-
parties, or at least by independent project teams, as binary units so that there is no necessity
to compile a component before it is composed with other components to be integrated
into a larger system. Therefore, it is important to develop components as encapsulated
entities that are equipped with a precise specification of their static structure as well as
their dynamic behaviour.
CBSE is rooted in a promise of software engineering with off-the-shelf components,
developed by third-parties and composable for system construction without too much
knowledge of component implementation details but with enough knowledge to judge ap-
propriateness with regard to given requirements [NR68]. It turned out that it is extremely
difficult to find the appropriate abstraction level for the unambiguous description of com-
ponents. We believe that there is still no consensus of what constitutes a complete com-
ponent description including an integration of control- and data-related specifications as
well as an integration of non-functional properties. However, focused research on each of
these issues is promising and it seems that an integrated description is not out-of-reach.
In contrast, agreement seems to exist concerning the description of functional component
properties that relate to the control behaviour of components. Control behaviour of compo-
nents is usually specified by protocols describing temporal orderings of message exchange
1
2 1. INTRODUCTION
or method calls. Then the relation to an implementation is either by a formal implementa-
tion relation or by code generation. Since implementations are equipped with data, these
relations usually include an abstraction step.
Regardless of the concrete relation between specification and implementation, the
specification of control behaviour is used for two complementary development concerns
in CBSE. On the one hand, specifications are composed to compute the behaviour of an
assembly of components. Moreover, they are abstracted, hiding internal details, to effec-
tively construct behavioural specifications for hierarchical component-based systems. On
the other hand, these descriptions are also used as a design specification for the indepen-
dent development of components as mentioned above. Therefore, it is crucial to obtain a
precise understanding of the interplay between composition and independent refinement
respectively implementation. Formal software component models examined hereafter (cf.
Sect. 3) aim at providing exactly such an understanding.
Besides system construction, also maintenance and evolution focus on components
and their specification. Components are either replaced by new versions or existing com-
ponents are modified. In both cases it is important to know about the effects of the mod-
ification before any part of the original system is indeed touched. Unambiguous specifi-
cations again may serve as a helpful tool. Altogether, CBSE is characterised as follows:
(1) Independent development of reusable components
(2) System development by assembly and hierarchical composition
(3) Maintenance and evolution by substitution (and adaption) of components
Component development should be independent to support reuse, be it internal reuse within
some given project or external in the sense that commercial prefabricated components
are used. Moreover, independent development also leads to looser coupling of an inte-
grated system and therefore helps in understanding the structure and behaviour of large
component-based systems. The key to CBSE is composition. Systems are developed by
composition of components and connectors, resulting in what is called an assembly. As-
semblies in turn can be encapsulated within a composite component that can again be used
for composition with other components and connectors. In this way, CBSE features a form
of hierarchical composition. Finally, maintenance and evolution of a component-based
system proceeds mainly by component substitution. Of course, also adaption of existing
components, or more precisely, of existing component implementations plays an important
role. However, such an adaption might also be understood as a substitution using a new
component with an equivalent specification, but modified implementation.
Component-Based Development. We refer to the development process embedded within
CBSE by component-based development (CBD).1 In general, system construction often
follows either a top-down approach where initial system requirements are decomposed
into parts that are refined stepwise until an executable system is finally obtained, or bottom
up where first the parts of a system are designed in detail and then the parts altogether
are composed to achieve an implementation with respect to given requirements. CBD
often follows a mixture of top-down and bottom-up steps during system development.
While one starts with general system requirements and proceeds top-down to construct
a component architecture appropriate for the given requirements, one also searches for
existing components that might be reusable for the construction of the given system. If such
a component indeed exists, it is integrated into the existing architecture in a bottom-up way.
The following (simplified) steps might be considered to be characteristic for component-
based system development; cf. [Crn03, p.155] or [Som06, Sect. 19.2]:
1CBD is sometimes also denoted as component-based system development (CBSD). The notion of CBSE is
usually used in the broader sense of an engineering discipline; cf. [Crn03] for instance.
1. COMPONENT-BASED SOFTWARE ENGINEERING 3
(1) Identify usable components (e.g. repository)
(2) Select components; refine or modify requirements
(3) Adapt or implement missing components
(4) Compose and deploy components (after validation)
(5) Maintain system by replacing or modifying components
The identification of usable components is guided by the initial requirements for the system
under construction. Since CBSE aims at reuse of existing components, this activity appears
quite early in the development process. The components are selected, and according to
component availability, requirements might be modified (if a system is constructed faster
due to reused components, clients might be willing to accept modifications of their initial
requirements). It is unlikely that all required components are already available, hence
it is necessary to adapt existing or implement new components in order to fill gaps due
to missing components. After that, the final set of components is validated, composed,
and deployed. Note that the previous step of component implementation may already
involve component composition for the realisation of composite components. Finally, and
as mentioned in the more general context of CBSE above, maintenance is characterised by
substitution of existing components. Either we replace a complete component, or we may
modify its implementation.
Fundamental to the CBD process is the general component model chosen as an appro-
priate means to model the given system under construction. More precisely and following
Lau and Wang [LW07], it is the software component model which plays a key role dur-
ing component-based development. A software component model defines the syntax, the
semantics, and the composition of components relating to the following questions: How
are components represented? What exactly are components? How are components com-
posed? Software component models (SCM) are supposed to answer these questions for the
complete life cycle of a component: design, deployment, and runtime.2
Concerning the design of components, there is a long-standing research direction in
the context of architectural description languages (ADL). Research within this area usu-
ally focused on the design and analysis of systems composed of “architectural units”. Two
prominent ADLs, Darwin [MDEK95] and Wright [AG97], using components and con-
nectors as their architectural units are considered more detailed in our comparison with
related work in Chap. 9. Opposed to the design focus of ADLs, there exist industrial
component-based frameworks with an implementation focus such as CORBA [OMG]
or Microsoft .NET [Mic, TGG+05]. Since the component models of these frameworks
do usually not fully support the component concepts underlying the models of ADL ap-
proaches, a number of frameworks, e.g. Fractal [BCL+06] or SOFA [BHP06], and archi-
tectural programming languages, e.g. Java/A [Hac04], ComponentJ [SC00] or ArchJava
[ACN02], emerged that try to close the conceptual gap between design and implementation
of component-based systems.
All of the component models mentioned above have in common that a particular soft-
ware component model is defined and used. However, since the concepts of the models
differ sometimes considerably, one may ask to what extend the main CBSE characteristics
stated above are indeed supported within the respective approach. Lau and Wang discuss
this issue with a focus on the life cycle of components and use a slightly extended list
of characteristics that is already biased by their notion of software component model and
therefore provides a useful reification of the more general characteristics for CBSE: “[..]
components should be preexisting reusable software units”, “[..] components should be
produced and used by independent parties”, “[..] components should be composable into
composite components”, “[..] it should be possible to copy and instantiate components”
2In terms of programs one may think of a program design, an installed program and a running program
4 1. INTRODUCTION
and “Composition means [..] also a systematic approach to system construction” [LW07,
p. 709].
The first three requirements directly translate the general characteristics of reusability,
independent implementation, and hierarchical composition as discussed in CBSE context
above. The remaining aspects, however, provide more detailed requirements. First, instan-
tiation of components calls for a notion of declarations to be used for system construction.
For this reason, component type descriptions are needed that may be (re)used within a dec-
laration similar to attribute declarations within a class of some object-oriented language.
Second, the aim of a “systematic approach to system construction” based on composition
obviously entails their requirement on hierarchical composition with composite compo-
nents, but may additionally be considered to be a call for the general support of top-down
and bottom-up approaches to system development. Due to their explicit distinction be-
tween design-time, deployment and runtime entities, a systematic approach should provide
a link between deployed and running entities (at the bottom of a system development) and
their design specifications (at the top of a system development). Therefore, if an entity
on either level is touched (e.g. replaced or modified), the consequences for the other level
should be clear. Such a notion of software component models gives rise to characteristics
of component-based development along a certain SCM as shown in Fig. 1.1.
(1) Independent development of reusable component types
(2) Reusability of component types along declarations
(3) System development by assembly and hierarchical composition
(4) Maintenance/Evolution by substitution (and adaption) of component types
(5) Support for top-down and bottom-up system development
FIGURE 1.1. Characteristics of component-based development
Lau and Wang point to the necessity to have a composition theory available that allows
a formal reasoning about composition [LW07, p. 711]. One of the aims is to be able to
predict the effect of component composition. We think that this remark directly leads to
the notion of formal software component models as discussed in Sect. 3 below. A formal
software component model is a SCM that supports formal reasoning about the behaviours
of components and their composition.
2. Component Models and Distributed Systems
Any software component model must be precise about the mechanisms of component
composition within the particular model. Depending on what a component exactly con-
sists of, such a composition means that components are somehow connected allowing to
interact respectively to communicate with each other. Note that here and in the following
text we will use interaction and communication synonymously. There is no hidden means
of interaction in component-based systems. Components must provide a public interface3
that describes the possibilities to interact with that component. Due to this strict encap-
sulation, it does not seem to make much difference if we talk either of interacting or of
communicating components.
One particular class of systems whose development might take the most advantage out
of a component-based approach are distributed systems. Andrew S. Tanenbaum provides
the following loose characterisation of this class of systems: “A distributed system is a
collection of independent computers that appears to its users as a single coherent system”
and gives a schematic view as depicted in Fig. 1.2 [TM07].
One of the important characteristics of distributed systems is the possibility of uniform
interaction between different applications despite possibly different operating systems or
particular network services. Middleware aims, amongst others, at providing this means
3Here we do not yet refer to the technical notion of UML or Java interfaces
2. COMPONENT MODELS AND DISTRIBUTED SYSTEMS 5
Local OS 2 Local OS 3
Application B
Computer 4Computer 1 Computer 2 Computer 3
Network
Local OS 4Local OS 1
Distributed system layer (middleware)
Appl. CAppl. A
FIGURE 1.2. Distributed systems and middleware (from [TM07, Fig. 1-1])
and is realized by a software layer that spans over all machines which should be integrated
into a distributed system. The software then provides communication facilities for the
particular applications hiding away heterogeneous operating systems or network services.
The given figure shows that systems of this kind fit well with the characteristics of
component-based systems. The different applications correspond to components and the
middleware providing the communication facilities implements connectors that are used
by the particular applications to communicate with each other. The distributed applica-
tion B could be modelled by a composite component that consists of two subcomponents
executing on computer 2 and 3 respectively.
Communication in distributed systems is always based on message passing [TM07,
p. 115] which is mainly due to the fact that there is no shared memory in a distributed
system. Applications send and receive messages using the given middleware. Even though
the availability of concrete communication facilities depends on the implementation of the
middleware, there are important general properties of communication that can be discussed
independently from concrete implementations. Amongst others one may distinguish syn-
chronous and asynchronous communication. With synchronous communication a “sender
is blocked until its request is known to be accepted” whereas with asynchronous commu-
nication the “sender continues immediately after it has submitted its message for trans-
mission” [TM07, p. 125].4 Two important corresponding communication mechanisms are
remote procedure call (RPC) and message-oriented middleware (MOM). The former aims
at providing a more convenient way of interprocess communication than the latter. In fact,
message-oriented communication is considered as a low-level mechanism that might be
used as a mechanism to realize remote procedure calls. The basic idea of RPC is simple:
instead of calling a procedure on the same machine, it is possible to call a procedure on
a different machine. There are a number of technical difficulties, but the basic concept
remains. Concerning synchronisation, as in local calls, the sender is blocked until the
result returns. There is also a notion of asynchronous RPC that we do not further elab-
orate here and refer to [TM07] instead. The notion of remote method invocation (RMI)
is principally equivalent to RPC. The main difference is that RMI applies to object-based
distributed systems. Thus, methods are invoked on remote objects using global object
references. While RPC is usually used to enable synchronous communication between
distributed applications, message-oriented middleware allows for asynchronous communi-
cation that completely decouples the sender and receiver of messages. The receiver of a
message must not even exist at the time some application sends out a message. In case
4Note that this notion of synchronicity could be interpreted in the sense of process algebraic rendezvous synchro-
nisation: if several outputs are available, the sender is blocked before committing to any output and released as
soon as it is known which outputs are accepted
6 1. INTRODUCTION
of so-called persistent communications, the middleware will store the particular message
until some receiver comes back to live again.
Message-oriented systems usually allow for message exchange following a point-to-
point or a publish/subscribe pattern. For instance, Java Message Service (JMS) [Mic02], a
specification for message-oriented middleware implementations in Java, exactly considers
these two models of message exchange. With point-to-point communication the sender and
receiver of messages use queues for buffered communication. With the publish/subscribe
model so-called topics are used to which a receiver subscribes. In case a sender publishes
a message related to this topic the receiver is notified accordingly. A more detailed de-
scription of these modes of communication is given in [Mic02], and more concretely in
the context of the reference implementation of JMS in [Mic07].
The publish/subscribe model is directly related to the support of group communication
in distributed systems. Following the terminology used by [Kaa92], group communication
denotes sending of messages from 1 to n destinations; with broadcast, a group communi-
cation is implemented that requires all destinations to receive the message, while multicast
requires reception only by those that indeed had announced interest before.
As apparent from a further study of the goals of distributed systems [TM07, pp. 3–
15], the communication mechanisms mentioned find their counterpart in the behavioural
descriptions of components and their composition. Formal software component models
provide a perfect match with the goal of “openness”. An open distributed system is a sys-
tem that provides services through interface definitions. These specifications must not only
cover syntactical issues, such as available operation signatures, but they are also expected
to provide semantical information such as the effect of a particular service. In [TM07, p. 8]
the importance of proper interface specifications in order to support “interoperability” and
“portability” is stressed. The former relates to interaction between different applications
that relies solely on the interface specifications, and the latter refers to the possibility to
reuse an application in distributed systems that implement the same interfaces. We would
claim that these characteristics are covered by independently developed component types
that are reused and composed based on their behavioural specifications only. Portability
may additionally require support for bottom-up system development which allows to first
develop a single component in great detail and then to put this component into a larger
context again by composition that relies on the specification of the particular component.
Since, in comparison with RPC, message-oriented communication is considered the
more basic, low-level communication mechanism [TM07, Kaa92], labelled transition sys-
tems seem to provide an appropriate formalism for a precise abstract representation of these
specifications. Indeed, transition systems are an established and widely used operational
model for the modelling and analysis of parallel systems, in particular for message-passing
systems. Baier and Katoen define two basic mechanisms for the description of communi-
cation in the context of transition systems: messages are either transferred synchronously
using a handshake mechanism (rendezvous) or asynchronously by buffered message ex-
change using channels [BKL08, pp. 35 ff.]. Analysis of systems with buffered message
exchange is notoriously difficult. If the channels are assumed unbounded (for more conve-
nient modelling purposes), the underlying transition systems are potentially infinite-state
making nearly any verification problem undecidable [BZ83]. However, even if the chan-
nels are bounded by some fixed capacity, the state-space soon becomes too large to apply
finite-state verification techniques effectively. This is one of the reasons why synchronous
communication based on a handshake mechanism, as prevalent in most process algebraic
theories, is an important means of modelling and analysing the behavioural aspects of
component-based systems. The transition systems resulting from the synchronous compo-
sition of communicating components consist only of successful communication traces and
thus are usually much smaller with regard to the global state space. Note that “successful”
2. COMPONENT MODELS AND DISTRIBUTED SYSTEMS 7
is defined independently from the communication direction. If a sender may choose non-
deterministically among a set of alternative output transitions, all of these outputs are con-
sidered for synchronisation with corresponding input transitions of a potential receiver. In
this vein only the successful synchronisations show up in the composed transition system.
Since these transitions correspond to the potential communications between components,
the synchronous mechanism yields a correct but incomplete representation. In particular,
when it comes to analysing communication errors like messages sent that are not received,
this issue of incompleteness is of major importance.
The combination of the characteristics of concurrent message-passing systems such
as distributed systems and a formalisation of communication based on transition systems
yields a formal component model with a precise definition of static entities and their means
of interaction. Components represent possibly hierarchically structured applications that
communicate with each other via synchronous and asynchronous connectors. Communi-
cation consists of sending and receiving messages, and is described by behavioural spec-
ifications based on transition systems. The composition of components and connectors is
called an assembly whose behaviour is a derived transition system. Composite components
use assemblies for their implementation again showing a derived behaviour that is based
on the behaviour of the encapsulated assembly.
The following example illustrates a specification of a simple component-based system,
exemplifying the concepts introduced so far. In particular, we would like to illustrate the
relation to distributed systems as an example for an implementation within the general
class of concurrent message-passing systems.
Bank/ATM System. In the following we specify a simple Bank/ATM system using the
UML2 for static structure specification and UML state machines for the behavioural de-
scriptions. We do not aim at illustrating or explaining available modelling features in
detail. We rather would like to give a small example to clarify some of the main concepts
of component-based systems introduced so far.
Figure 1.3 shows the specification of the system. A composite component with type
BankAtm contains an assembly of two simple components with types Bank and Atm used
for the component declarations bank:Bank and atm:Atm. Ports specify typed interaction
points of a component. The simple component types Bank and Atm have port declara-
tions a:AtmCom, m:Mgt and s:Srv respectively that are connected with an asynchronous
assembly connector called ab and type Bat and an anonymous delegate connector. The two
simple component declarations and the assembly connector form an assembly with open
port m:Mgt. The provided and required interfaces of the port types AtmCom and Srv with
their operations are depicted using the UML ball-and-socket notation on the right-hand
side of Fig. 1.3. The port type Mgt is specified analogously and not further described. If
two ports are connected by an assembly connector, the provided interface of one port has
to match the required interface of the other and vice versa. The open port of the assembly
is connected to the port declaration r:Mgt of the composite component BankAtm. Here, we
reused the same port type, but in general one may also use a different type as long as the
particular interfaces match.
Our behavioural descriptions are based on transition systems with distinguished input,
output, and internal actions focusing on the temporal order of messages sent and received
interspersed with local internal computations. For the concrete specification we use a sim-
ple subclass of UML state machines. Hence, any existing UML modelling tool can be
used for the design of port-based components. Behaviours for the component types Bank
and Atm are given in Fig. 1.3. Input and output messages are indicated by p.m/ and /p.m,
respectively, where p is the port name on which the message m is sent or received respec-
tively. The behaviours are slightly simplified as they do not show internal actions and the
bank behaviour does not make use of the port m:Mgt. The behaviour of the assembly and
8 1. INTRODUCTION
(a) Static structure
bank:Bank [1]
<<async>>
ab:Bat
BankAtm
atm:Atm [1]
s:Srv [1]
r:Mgt [1] m:Mgt [1]
a:AtmCom [1]
(b) Ports and Interfaces
<<port>>
verifyPin()
withdraw()
pinOk()
pinNotOk()
giveMoney()AtmRequest
BankAck
BankAck
AtmRequest AtmRequest
BankAck
AtmCom
<<port>>
Srv
(c) Behaviour Bank (d) Behaviour Atm
FIGURE 1.3. Specification of a simple Bank/ATM system
the composite component is derived from a combination of the behaviours for the compo-
nents Bank and Atm. The behaviour at the ports m:Mgt and r:Mgt, however, is trivial due to
the simplified presentation of the bank behaviour sending and receiving messages via port
a:AtmCom only.
Figure 1.4 illustrates a possible realisation as a distributed system. Note that the figure
is not supposed to specify a formal deployment view to the given system, but merely takes
up the schematic view of Fig. 1.2 neglecting any questions related to types, instances,
or concrete connections. The composite component BankAtm is realised as a distributed
application. The application Report is assumed to be realised by a component that connects
to the open port r:Mgt of BankAtm.
Appl. A Bank Atm
OS 2 OS 3
Computer 4Computer 1 Computer 2 Computer 3
Network
BankAtm Reporting
Middleware with connectors for BankAtm system
OS 4OS 1
FIGURE 1.4. Bank/ATM distributed system
Now immediately the important question arises about what exactly is the role of the
component behaviours given above with regard to such a realisation? Obviously the be-
haviours should be used for formal reasoning about the given system, but what are the
properties of interest? What are notions of correct implementations allowing to replace a
component of the given system without effect on the remaining components? These and
similar questions will be addressed in the context of this thesis on the basis of an appropri-
ately defined and formally precise software component model.
3. CONTRIBUTION AND OVERVIEW 9 	

 !"#$%&'()*!'&+((,&--.%&&--/01234506768+!(.+!!!#(+!!!.(9(9  :#'$(( );(!&$<$!(--+..--4886=008
+!&>&!#(.<$& &+$'?"#@50088<$!(--++..--A((.B !&& . A(.(<CDEFGHIJDKLMGENODFPDQNQLIRDSNH
FIGURE 1.5. Aspects of formal software component models
3. Contribution and Overview
Within this thesis we develop a formal software component model with a focus on
modelling and general behavioural analysis. Figure 1.5 provides an overview of what we
think are fundamental categories and aspects in this context (values given in parentheses
are used for a comparison with related work in Chap. 9). The given categories can be
aligned to the notion of software component model as discussed above (cf. Sect. 1). The
static elements define how components are represented, and together with behaviour and
implementation it is also defined what is represented. Moreover, the execution model un-
derlying the behavioural aspects additionally defines how components are composed and
hence the categories indeed cover all information that constitute a software component
model in the sense of Lau and Wang. However, we draw a sharper line between com-
ponent and software component models, since we require an explicit distinction between
specification and implementation of component behaviour to qualify as a software compo-
nent model. In contrast, our requirements on support for formal analysis again may be put
into line along the notion of composition theory [CSSW04] mentioned by Lau and Wang;
cf. [LW07, p. 711]. A composition theory formally describes the result of applying com-
ponent composition. We understand composition here in a broader sense, including a form
of hierarchical composition using blackbox views of component behaviour.
As evident from Fig. 1.5, formal software component models integrate aspects from
different but closely related domains. For instance, we use the UML2 [RJB05] for the con-
crete specification of structural and dynamical aspects of port-based components. Inspired
by ROOM [SGW94] we favour port types as an explicit means for structural specification
of interaction points, which is in contrast to strictly interface-based component models.
Our component model is a formally defined software component model aimed at being
used for architectural design specifications of concurrent systems that rely on message-
oriented communication. This choice is directly reflected in our execution model that
uses an interleaving model of concurrent message exchange. In contrast to most other
approaches we do not restrict to synchronous rendezvous communication, but also con-
sider asynchronous FIFO buffered communication. The behavioural model is backed by
input-persistent I/O-transition systems (PIO) being a specific class of modal I/O automata
[LNW07]. Implementations are represented abstractly by completely persistent PIOs co-
inciding with I/O-transition systems that in turn are based on interface automata of de
Alfaro and Henzinger [dAH01a]. To illustrate specifications with a concrete language we
will use a restricted class of simple UML state machines for implementations and protocol
state machines for specifications. In order to illustrate implementations along a concrete
10 1. INTRODUCTION
programming language we discuss the implementation of port-based components based on
the Java Message Service specification JMS [Mic02].
We define equivalence relations similar to process algebraic approaches such as Wright,
Darwin, and more recently PADL [BCD02]. Most importantly, we define refinement re-
lations for specifications related to [dAH01a, LNW07] as well as a correctness relation
between specifications and abstract models of implementations methodologically related
to [PV02]. Finally, we aim at providing formal support for component-based design which
in particular means to allow hierarchical abstraction, to support top-down and bottom-up
approaches to system design, and to support “component-wise evolution” as discussed in
[dAH01b] and similar also in [PV02]. As a concrete property being preserved during top-
down or bottom-up development steps we consider communication-safety. This property
implies the absence of architectural incompatibilities in the sense of [BOR04] or [AP05].
Concerning general properties we discuss the preservation of safety properties based on
finite and infinite execution traces of a system, showing similarities with Tracta [Gia99].
Even though each of the mentioned aspects is covered by a number of related works,
a formal software component model addressing an integrated view on the different aspects
together with support for asynchronous message exchange as prevalent, for instance, in dis-
tributed systems is still missing. Especially, the formal relation between abstract models
of behaviour specifications and models of implementations is often neglected. However,
a precise theory for specification refinement and implementation correctness is crucial for
a proper support of hierarchical system construction in the context of component-based
system development. Moreover, a statement on specific and general properties that are pre-
served by correct hierarchical system construction is important to indicate the applicability
of the developed theory. Here, the integration of asynchronous communication imposes
particular difficulties. The contributions of this thesis in these aspects are as follows:
(1) An integrated formal software component model is developed that covers both, static
and dynamic aspects of hierarchical system development. Ports play an important role
for the structural definition of components’ interaction points.
(2) Models for the specification and implementation of component behaviours are dis-
tinguished and a theory for refinement and implementation correctness is developed.
The models take asynchronous communication into account by an integration of FIFO
queues for buffered message exchange. It is shown that hierarchical component-based
system development is properly supported by the formal part of our component model.
(3) Notions of synchronous and asynchronous compatibility are developed, exemplifying
specific properties that are of interest in the context of formal behavioural analysis. The
preservation of safety properties is examined as an example for more general proper-
ties. The verification of asynchronous compatibility in closed systems is addressed by
a criterion based on synchronous compatibility. General verification of systems with
asynchronous communication is addressed by a translation to Communication Finite
State Machines (CFSM).
Overview. Table 1.1 shows an overview of the definitions for syntax and formal models
used by our component model. The numbers in parentheses refer to the corresponding
chapter. An abstract syntax and formal model for static specifications is defined by a meta-
model and a set-theoretical (algebraic) model in Chap. 2. For dynamic system aspects we
distinguish the implementation and specification of component behaviours by “behaviours”
and “frames”. The formal model of behaviours uses I/O-transition systems (IOTSs) and is
developed in Chap. 2. Before our component model is extended with an abstract syntax for
frames in Chap. 6, we develop a refinement theory based on input-persistent I/O-transition
systems (PIOs) in Chap. 4. The concrete syntax is defined in Chap. 7, using UML com-
ponents with ports for static structures, and simplified variants of UML state machines
(STMs) and protocol state machines (PSMs) for behaviours and frames. In the following
3. CONTRIBUTION AND OVERVIEW 11
we give a more detailed overview of the mentioned and the remaining chapters of this
thesis.
Component Abstract Syntax Formal Model Concrete Syntax
Static Metamodel (2) Algebraic model (2) UML Components (7)
Dynamic Behaviour (2) IOTSs (2) UML STMs (7)Frame (6) PIOs (4) UML PSMs (7)
TABLE 1.1. Syntax and formal models
In Chapter 2 we develop a formal model for port-based component behaviours with
synchronous and asynchronous communication. The general concepts are defined by a
metamodel and illustrated using the example of a compressing proxy system. The meta-
model is complemented by an algebraic model, making precise the core structural elements
and behavioural features of port-based component systems. Component behaviours are for-
mally represented by I/O-transition systems which are equipped with basic operators and
equivalence relations as known from process algebraic languages such as CCS [Mil89] or
FSP [KM06]. Message queues are encoded by I/O-transition systems and composed with
component behaviour, resulting in systems with FIFO buffered message exchange. On
this basis we define a formal model for components with behaviours that communicate by
synchronous and asynchronous message exchange. We include guidelines for implementa-
tions based on message-oriented middleware using JMS and its reference implementation
Open Message Queue [Mic07].
Support for the construction and behavioural analysis of large scale component-based
systems that communicate solely by synchronous communication is developed in Chap-
ter 3. In this way, also an application of the formal model of Chap. 2 is illustrated. The
crucial concept is a notion of neutral component behaviour. Component behaviour can be
considered to be neutral within a given assembly if its composition does not show an ef-
fect on the assembly behaviour apart from the synchronisation of shared transitions without
loosing any transition of the original assembly behaviour. A major result of this chapter is
an algorithm that shows how to remove neutral components for the computation of a syn-
tactically reduced but behaviourally equivalent assembly. A reduced assembly may then
be used to implement a given composite component in a more efficient way. Moreover,
we show that it is sufficient to perform neutrality checks using the projection of a com-
ponent behaviour to one of its ports, provided that the projected behaviour is a weakly
deterministic I/O-transition system. The port projection is usually a simpler and smaller
transition system, at least after minimisation with respect to greybox respectively blackbox
equivalence. The approach is illustrated with the compressing proxy system introduced in
Chap. 2.
Chapter 4 elaborates a theory for refinement and compatibility of PIOs with synchro-
nous and asynchronous communication. In order to support hierarchical system develop-
ment and analysis of component behaviours, the refinement relation should satisfy fun-
damental properties such as reflexivity, transitivity, and compositionality. Moreover, the
relation should, on the one hand, preserve as much properties as possible, but on the other
hand leave enough freedom for concrete design decisions. Our study is motivated by the
aim to detect behavioural incompatibilities as discussed in Chap. 2, taking into account
the asymmetry of sending (output) and receiving (input) messages. We develop different
notions of output compatibility with varying degrees of freedom for the interleaving of
local, non-shared component actions. It turns out that, in order to preserve output com-
patibility, we need additional information that allows to couple the message transfer with
the refinement of the transition that specified the transfer. On this account our approach
extends I/O-transition systems to input-persistent I/O-transition systems (PIO) and defines
a blackbox refinement relation that demands the preservation of persistent transitions. The
12 1. INTRODUCTION
relation is denoted “blackbox” because it ignores differences of internal labels. PIOs can be
considered as a special case of modal I/O automata (MIO) and then, blackbox refinement
corresponds to weak modal refinement.
Our theory is required to cope with FIFO buffered message exchange. Based on an
encoding of FIFO buffers we show that blackbox refinement is indeed transferable to asyn-
chronously communicating components. Moreover, we develop a notion of asynchronous
output compatibility that is a natural extension of synchronous output compatibility to an
asynchronous setting and show its preservation by blackbox refinement. The resulting the-
ory is an interface theory in the sense of [BMSH10], which is briefly discussed in Sect. 5
of Chap. 4.
Additionally, we define communication-safety as a notion of output compatibility for
n-ary compositions of PIOs. We show that blackbox refinement of single transition sys-
tems preserves communication-safety of their composition and, moreover, investigate to
what extend pairwise analysis of output compatibility implies communication-safety. Fi-
nally, we consider more general properties and a greybox variant of our refinement relation.
Greybox refinement distinguishes internal labels. We show that greybox refinement pre-
serves safety properties with regard to the communication traces of a composed system
and briefly discuss counter-examples for the preservation of liveness properties.
In Chapter 5 we consider foremost the verification of asynchronous communication-
safety. Due to the modelling with unbounded FIFO queues, we must take into account that
systems of buffered PIOs are potentially infinite-state systems which makes most verifica-
tion problems undecidable. We investigate a criterion for asynchronous communication-
safety in closed systems based on synchronous compatibility. An important additional as-
sumption, input-separation of the underlying transition systems, is conceptionally related
to single-threaded components. For the general verification support of buffered PIO sys-
tems we discuss a translation to Communicating Finite State Machines (CFSM) [vB78].
CFSM systems consist of finite state machines communicating with each other via un-
bounded, full-duplex, and error-free FIFO channels. Thus, there is a close relationship of
systems of buffered PIOs and CFSM systems. We describe a translation of IOTSs to CF-
SMs and develop a CFSM correspondence of asynchronous communication-safety. After
that we sketch the application of a symbolic CFSM-based approach to the verification of
asynchronous communication-safety. Finally, necessary extensions to verify PIOs instead
of IOTSs are briefly discussed.
With the basic formal model in Chap. 2 components are equipped with behaviours
(formalised by I/O-transition systems) that are supposed to represent the implementation
of a component. Chapter 6 extends this model by a specification layer with so-called
component frames using the theory developed in Chap. 4. Frames are formally related
to behaviours by a correctness relation: the semantics of a frame is the class of all be-
haviours which are a blackbox refinement of the frame. We illustrate the completed com-
ponent model using the compressing proxy system from Chap. 2. After that, we show
that the model supports important characteristics of component-based development. We
examine support for top-down and bottom-up design approaches and, moreover, show that
component-wise evolution [dAH01b] is supported in hierarchical systems. Top-down de-
sign starts with a frame F that is refined to a composition of several frames. Then, support
for top-down design allows to conclude that the composition of component-wise correct
blackbox refinements yields a correct implementation of the original frame F . By this kind
of support it is shown that the definitions of refinement and implementation relations work
smoothly together.
Bottom-up design first details the implementation of single components. If the be-
haviours are correct, i.e. they are a blackbox refinement of the frame of the respective
component, then support for bottom-up design allows to conclude that the behaviour com-
position yields a greybox refinement of the corresponding frame composition. In this way it
3. CONTRIBUTION AND OVERVIEW 13
is shown that the implementation relation preserves “greybox properties” of compositions
and thus supports, for instance, analysis of communication traces in composed systems.
Finally, we discuss a port-based approach for the verification of compatibility and
communication-safety based on frames and port protocols illustrating the fundamental dif-
ficulty of making effective use of port protocols that hide too much of the component
behaviour.
In Chapter 7 we define a concrete syntax for our component model using UML2 com-
ponents with ports, state machines and protocol state machines. We summarise applied
UML2 features and explain the meaning of additional notations and stereotypes. We re-
late static structure elements with our formal model and discuss an informal pattern-based
translation from state machines to transition systems. Based on this translation we define
the relation between UML state machines and protocol state machines, and component
behaviours and frames as considered in Chap. 6. In this way, we may apply our theory as
a formal underpinning for the definition of a UML-based theory of refinement (protocol
conformance) and compatibility.
Availability of a concrete specification language was of particular importance for the
modelling of the Common Component Modelling Example5 (CoCoME) in [KJH+08a] .
CoCoME was initiated as a modelling contest aiming at a comparison of existing compo-
nent models based on a common requirement specification and reference implementation
of a point-of-sale system. Chapter 8 revises our initial submission and illustrates features
of our component model that were not available at the time of writing [KJH+08a]. The
formal model sketched in [KJH+08a] considered only synchronous communication along
a rendezvous mechanism. It did not distinguish between behavioural specification (frames)
and implementation (behaviours) of components and it did not feature a theoretical model
for refinement and compatibility. We provide a brief introduction to the CoCoME require-
ments and elaborate on our static structure specifications using UML class and component
diagrams, and on our modelling of component behaviours using UML state machines. We
illustrate the modelling of more complex component behaviours using hierarchical UML
submachine states and translate selected behaviours to IOTSs based on Chap. 7. We spec-
ify component frames for simple and composite components using UML protocol state
machines and discuss the analysis of compatibility, implementation correctness and refine-
ment on the level of the corresponding transition systems.
The main part of the conclusion in Chapter 9 discusses related work with respect to the
aspects of formal software component models given by Fig. 1.5. We consider as relevant
for a more detailed comparison only those component models from the literature that have
similar objectives like Sofa 2.0 [BHP06], GCM/Fractal [HKR08, BABC+09], STSLib
[FR08], FSP/Tracta [KM06, GKC99], and Wright [AG97]. We conclude with remarks on
prospects, limitations and future work.
Publications. The thesis is based on publications as listed below. In (P1) we modelled
and analysed the CoCoME using the Java/A component model. The study in (P2) focused
on the detailed development of a behavioural theory using I/O-transition systems. Finally,
in (P3) we extended the model to take into account asynchronous communication. In the
following we briefly relate the publications to the chapters of this thesis.
(P1) Alexander Knapp, Stephan Janisch, Rolf Hennicker, Allan Clark, Stephen Gilmore,
Florian Hacklinger, Hubert Baumeister, and Martin Wirsing. Modelling the CoCoME
with the Java/A Component Model. In Andreas Rausch, Ralf Reussner, Raffaela Mi-
randola, and Frantisek Plasil, (Eds.): The Common Component Modeling Example:
Comparing Software Component Models, LNCS 5153, pp. 207–237. Springer, Hei-
delberg (2008).
5http://www.cocome.org
14 1. INTRODUCTION
(P2) Rolf Hennicker, Stephan Janisch, and Alexander Knapp. On the Observable Be-
haviour of Composite Components. Electronic Notes in Theoretical Computer Sci-
ence (5th FACS’08), Vol 260 (1) Jan 2010, pp. 125–153.
(P3) Rolf Hennicker, Stephan Janisch and Alexander Knapp. Refinement of Components
in Connection-Safe Assemblies with Synchronous and Asynchronous Communica-
tion. Christine Choppy and Oleg Sokolsky (Eds.): Monterey Workshop 2008, LNCS
6028, pp. 154–180. Springer, Heidelberg (2010).
The Java/A component model described in (P1) provided the basis for a metamodel in
(P2) for components with (observable) behaviours and synchronous communication. Parts
of the modelling of the CoCoME in (P1) appear in Chap. 8. The formal approach to dead-
lock analysis of (P1) evolved into the formal behavioural model based on I/O-transition
systems in (P2), yet without asynchronous communication. The analysis techniques devel-
oped in (P2) appear in revised and aligned form in Chap. 3
(P3) extends the behavioural component model of (P2) with asynchronous commu-
nication. The resulting metamodel and algebraic model appears in revised and slightly
extended form in Chap. 2. Furthermore we developed a compositional theory for refine-
ment, defined a notion of asynchronous compatibility (called buffered compatibility) and
showed for closed systems with two components the preservation of compatibility under
further assumptions like input-separated component behaviours. However, the approach
did not carry over to open systems. Even though we believe that a generalisation to ar-
bitrary closed systems is possible, we did not pursue the approach of (P3). Instead, we
developed a new theory using input-persistent I/O-automata that appears in Chap. 4. The
criterion for asynchronous compatibility in Chap. 5 was inspired by a corresponding theo-
rem in (P3).
CHAPTER 2
A Formal Model for Components with Behaviours
1. Port-Based Components and Behaviours 15
1.1. Concepts of Port-Based Components 16
1.2. Example: Compressing Proxy System 17
1.3. Composition and Behavioural Incompatibilities 20
2. I/O-Transition Systems (IOTS) with Queues 22
2.1. Transition Systems with Partitioned I/O-Labellings 22
2.2. Operators on I/O-Transition Systems 23
2.3. Greybox and Blackbox Equivalence 24
2.4. Encoding of FIFO Queues 26
3. Components with (A)Synchronous Communication 26
3.1. Ports, Components, and Connectors 26
3.2. Assemblies and Composite Components 28
4. Implementation using Message-Oriented Middleware 31
4.1. Java Message Service and Open MQ 31
4.2. Implementation of Port-Based Components 32
This chapter develops a formal model for systems of port-based components with syn-
chronous and asynchronous communication. The general concepts are defined by a meta-
model and illustrated using the example of a compressing proxy system. The metamodel is
complemented by set-theoretical definitions stating precisely the core structural elements
and behavioural features of port-based component systems. Component behaviours are
formally represented by I/O-transition systems that are equipped with basic operators and
notions of equivalence as known from process algebraic languages such as CCS or FSP.
Message queues are encoded by I/O-transition systems and composed with component be-
haviour, resulting in systems with FIFO buffered message exchange. On this basis we
define a formal model for components with behaviours that communicate by synchronous
and asynchronous message exchange. We close the chapter with guidelines for implemen-
tations based on message-oriented middleware using the Java Message Service specifica-
tion and its reference implementation Open Message Queue. Related formal component
models are discussed in Chap. 9.
1. Port-Based Components and Behaviours
We consider components to be strongly encapsulated behaviours. Encapsulation is
achieved by ports that regulate any interaction of components with their environment.
Components can be hierarchically structured containing an assembly of components and
connectors that link components using their ports. Interaction consists of synchronous or
asynchronous message exchange and we therefore distinguish synchronous and asynchro-
nous connectors. By synchronous communication we understand a rendezvous mechanism
where sender and receiver synchronise on message exchange. In contrast, asynchronous
communication works with FIFO-buffering where the messages issued by a sender are
buffered and can be taken (and processed) later on by the receiver. Sending and receiving
15
16 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
messages with synchronous and asynchronous communication timing are basic primitives
of general message-passing systems [Tuc04, Sect. 96.3.4].
1.1. Concepts of Port-Based Components. Figure 2.1 shows the metamodel of our
component model. A port describes a (partial) view on a component. The operations
offered by a port are summarised in its provided interface; the operations needed in its
required interface. An operation declares the signature to be used for message exchange
along this port. Ports as well as components and connectors are in fact considered as
types that can be used in local declarations of components and assemblies respectively. A
declaration consists of a name and a type.
type
1
*
prv 0..1 req0..1
Declaration
ports
ports
cmps * conns * conns
Component
Component
Composite
Behaviour
Component
Simple
*
1 /beh
Assembly
Connector
type1
Delegate
Connector
Assembly
Connector
Connector
Declaration
Component
Asynchronous
Synchronous
Connector
Port
Interface
Operation
Port
asm
type
*
/beh
1
1 beh
1..2
1
1
Connector
Declaration
*
FIGURE 2.1. Component metamodel
There are two kinds of components, simple components and composite components which
are abstracted in the metaclass component. Any kind of component has a set of port dec-
larations that introduce locally unique port names with corresponding port types. Compo-
nents can be used in component declarations for the construction of assemblies.
An assembly defines the internal structure of a composite component in terms of a set
of local component declarations and local connector declarations using binary assembly
connectors that link local components using their port declarations. Assembly connec-
tors can be synchronous or asynchronous indicating which kind of communication timing
is used for the message exchange along this connector. In a composite component, non-
connected (open) ports of local components may be connected to so-called relay ports of
the composite component, using declarations of delegate connectors. Unary connectors
can be used to close ports of a component that should not be available, neither for connec-
tion nor for delegation. This feature is used in Chap. 3 to reduce assemblies with so-called
neutral leaf components.
For each simple component a given behaviour is supposed to represent the imple-
mentation of a component. Behaviours describe the temporal order of receiving messages
(input), sending messages (output) and executing local actions (internal). Composite com-
ponents encapsulate an assembly as an implementation of their behaviour. Therefore, the
behaviour of a composite component is a derived behaviour (indicated by the preceeding
slash symbol in Fig. 2.1). An assembly in turn has an associated derived behaviour that de-
pends on the behaviours of its local components and the types of its assembly connectors.
We use UML2 notation for the concrete specification of the static structure of comp-
onent-based systems, in particular we make use of UML structured classifiers, components,
ports, interfaces and connectors. Since all these entities except interfaces own so-called
structural properties, for instance the port declarations of a component is a structural prop-
erty, it is also allowed to specify multiplicities indicating how many instances of a compo-
nent or port may exist at runtime [RJB05, property]. However, we will use singletons only
1. PORT-BASED COMPONENTS AND BEHAVIOURS 17
(multiplicity 1) and leave an extension of our formal component model supporting arbitrary
multiplicities, especially an extension of the semantics on the level of global behaviours in
hierarchically structured component-based systems, to future work. Moreover, we restrict
the components of our models to binary communication. UML2 would allow for arbitrary
n-ary connectors. However, these kinds of connectors would complicate our formal treat-
ment of behaviours based on I/O-transition systems while being not strictly necessary from
the semantical point of view: An n-ary connector is perfectly described by a component
whose behaviour reflects the desired connector behaviour. Such a “connector-component”
is then linked in between the n components along n binary connectors. Finally, note that
we usually do not consider messages with different parameter values for the specification
of a component behaviour while operations in interfaces in general may show formal pa-
rameters.
The behaviours will be described directly on a semantic level using (finite) I/O-tran-
sition systems (IOTSs, see Sect. 2) and represented by graphs with labelled transitions and
states. We do not intend to propose a particular, e.g., process algebraic or state machine,
syntax for specifying behaviours. In fact, any concrete syntax could be used as long as an
interpretation using IOTSs is provided. This interpretation may also provide the construc-
tion of messages with different values according to the parameter types of the respective
operation. In the graphical representation we indicate that a message m is received (input
label, provided) by the visual representation m/ and, symmetrically, that a message m is
sent (output label, required) by /m. Internal, local actions are represented by transitions
labelled without slash. An initial state is indicated by an incoming arrow without source
state.
1.2. Example: Compressing Proxy System. We illustrate our component model by
a compressing proxy system.1 An HTTP proxy server mediates connections between a
web server and its clients. In order to increase network bandwidth, the proxy server may
apply different compression techniques depending on the kind of information transferred.
The proxy server distinguishes between textual (txt) and graphical (gif) data and applies
different compression tools before sending the data further downstream.
We describe the static structure of the compressing proxy system by a composite com-
ponent type CompressingProxy that consists of an assembly of three simple components
with types Adaptor, GZip, and GifToJpg introduced by the respective component declara-
tions adapt:Adaptor, gzip:GZip, and gifToJpg:GifToJpgas shown in Fig. 2.2. The adaptor
receives uncompressed data upstream, delegates the textual data for compression to gzip,
which employs the gzip utility, and the graphical data to gifToJpg, a tool to convert GIF- to
JPG-images. The compression result will then be sent downstream.
The simple components as well as the composite component show port declarations such
as t:TxtCompr or l:UpStream. The port declarations of composite components are called
relay ports. Port declarations inside the assembly are connected by synchronous and asyn-
chronous assembly connectors while delegate connectors link port declarations of inner
components and relay ports of the composite component. Communication timing is speci-
fied by stereotypes «sync» and «async». The connector tz between t:TxtCompr and z:Zip is
an asynchronous assembly connector, the connector gj is synchronous, and the anonymous
connector between u:UpStream and l:UpStream is a delegate connector.
The provided and required interfaces of the port types of the compressing proxy sys-
tem are depicted with the UML ball-and-socket notation on the right-hand side of Fig. 2.2.
1This example is to some extend identical with an example originally used by [IU01] (and also by [BCD02]) to
illustrate an approach to prove deadlock-freedom in component assemblies.
18 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
adapt : Adaptor [1]
u : UpStream [1] d : DownStream [1]
t : TxtCompr [1] g : GifCompr [1]
gif : GifToJpg [1]
j : ToJpg [1]
gzip : GZip [1]
z : Zip [1]
«component»
CompressingProxy
l : UpStream [1] r : DownStream [1]
«async»
tz:TZ
«sync»
gj:GJ
«port»
DownStream
«port»
ToJpg
«port»
GifCompr
«port»
TxtCompr
«port»
UpStream
«port»
Zip
GCR
GCP
DSR
GCR
GCPTCR
TCP
USP
TCP
TCR
FIGURE 2.2. Static structure of a compressing proxy server
If two ports are connected by an assembly connector, it is required that the provided in-
terface of one port is equal to the required interface of the other, and vice versa.2 The
operations of these interfaces are assumed to be given as follows:
USP = {openTxt, openGif}, TCR = {txt, endTxt}, GCR = {gif},
DSR = {comprData}, TCP = {stop, zip, endZip}, GCP = {jpg}.
We do not consider operations with parameters here, thus the operation names coincide
with the messages used for communication.
Based on the static structure of the compressing proxy system, the informal descrip-
tion of its intended behaviour reads as follows: A proxy of type CompressingProxy receives
stream-based data on its port l that is delegated to the port u of the contained component
adapt. The adaptor distinguishes textual and graphical data received at port u and forwards
data for textual compression via port t and graphical compression via port g. After receiv-
ing the compression result, the component sends the data further downstream using port d
which is relayed to port r of the composite component.
The behaviour of simple components, which are basic building blocks of port-based
component systems, are assumed to be given by IOTSs provided by the component im-
plementor respectively designer. Figure 2.3 shows behaviours of the simple components
Adaptor, GZip and GifToJpg. Since components communicate only via ports, any label rep-
resenting a message received or sent has the form p.m where p is a port name and m is a
message according to the provided or required interface of the port. Behaviours also show
internal actions represented by internal transition labels without prefix. Additionally we al-
low an anonymous internal action τ to reflect a possible internal choice of the component
that can or should not be further detailed.
For instance, the behaviour of the component Adaptor shows label for receiving mes-
sages u.openTxt, u.openGif, t.zip, t.stop, t.endZip, and g.jpg, and for sending messages
d.comprData, t.txt, t.endTxt, and g.gif. The only internal action is timeout. The adaptor com-
ponent receives requests for either text or gif compression u.openTxt or u.openGif resp. at
the upstream port u. After having sent an initial part of textual data t.txt via port t, there
is a choice between sending further text until the end of the text is reached (signalled by
t.endTxt), or the message t.stop is received, for example indicating a buffer overflow of
the component attached for text compression. In the first case, the component waits to
receive zip data (t.zip) until transmission end is signalled by t.endZip. In the second case,
2In general, one could use a more flexible condition so that the required interface of one port is included in
the provided interface of the other one. However, it is technically more convenient to use the more restrictive
condition from above.
3The adaptor behaviour corresponds exactly to the adaptor behaviour in [BCD02] if we remove the communica-
tion concerning the port g for compression of graphical data.
1. PORT-BASED COMPONENTS AND BEHAVIOURS 19
(a) Behaviour of Adaptor3
/d.comprData
/t.txt
t.endZip/
/t.endTxt
timeout
u.openTxt/ t.zip/ t.zip/ t.endZip/
t.zip/
u.openGif/
t.stop/ /g.gif
g.jpg/
t.zip//t.txt
a2 a3a1a0 a5 a7 a8 a9a6a4
(b) Behaviour of GZip
z.endTxt/
/z.endZip
/z.zip/z.stopz.txt/
z.txt/
/z.zipz0 z1 z2 z3
(c) Behaviour of GifToJpg
/j.jpg
j.gif/cancel
j.gif/ process
j1 j2j0
FIGURE 2.3. Behaviour of simple components
the component retrieves compressed data via t.zip and the communication proceeds until
eventually the end of the text will be reached. In both cases a new communication can be
started by sending again an initial piece of textual data to be compressed via t.txt. After
the text compression is finished, the component sends the compression result comprData
further downstream at port d.
Note that the communication between Adaptor and GZip is asynchronous, therefore
the behaviours are not blocked until a message sent is received. Instead, the sender may
continue immediately, analogously to the execution of local actions. An asynchronous
connector is equipped with two FIFO queues, one for each communication direction. For
the given protocol this means, e.g., that the adaptor may continue to send text even though
the GZip component has sent a stop request in the meantime. This is not an immediate
defect, since it is the FIFO buffer which is flooded by txt messages, not the communica-
tion partner. If we assume that the adaptor eventually receives the message stop then the
communication may proceed indeed as required.
Graphical compression consists only of sending the GIF input further on via g.gif at
port g and then to receive the JPG result back again. In case the compression takes too
long, an internal timeout transition is triggered and the adaptor sends instead of a JPG the
uncompressed data further downstream via d.comprData. The behaviour of the GZip com-
ponent mirrors the corresponding part of the adaptor. In fact the design process following
a bottom-up approach would probably start with the behaviour of the tool component GZip
and then mirror this behaviour in the design of the adaptor component. The component
GifToJpg shows an internal choice within its behaviour. After having received gif at port
j, the component either processes the given GIF or returns without processing to its initial
state. In the former case either the JPG result is sent back via j.jpg or another GIF is re-
ceived at port g which transits back to the given internal choice. In this case a previous
result is dismissed and JPGs are delivered only for the latest given GIF.
The behaviours of assemblies and composite components are derived behaviours. As-
semblies use component declarations showing a name and a component type. In order to
distinguish the different components inside an assembly, the labels of their behaviours are
prefixed by the name of the component declaration, thus turning, e.g., u.openGif of the
component Adaptor into adapt.u.openGif w.r.t. the declaration adapt:Adaptor. The overall
20 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
behaviour of an assembly shows both, the interaction behaviour of the composed compo-
nents that are connected within the assembly via their ports, and the communication po-
tential at the open ports of components that are not connected within the assembly. Hence,
an assembly behaviour is a derived behaviour, given by the composition of the component
behaviours of all declared components and connectors of the assembly.
The synchronisation within an assembly maps the labels of the ports connected by an
assembly connector to the name of the connector, thus making them shared between the
respective components. Transitions with shared labels synchronise and represent commu-
nication of the components via their connected ports. Open ports do not appear in assem-
bly connectors, therefore those parts of component behaviours related to open ports remain
unsynchronised. In general, we also consider the case where a port is neither open nor con-
nected to another port. Technically, these ports are closed by applying unary connectors so
that, altogether, the internal actions of an assembly behaviour comprise the synchronised
transitions along the shared actions of its components and the unused actions of closed
ports. The behaviour according to the remaining open ports is described by the unsynchro-
nised input and output transitions of the component behaviours that are the only external
actions of an assembly.
For instance the behaviour of the assembly underlying the CompressingProxy compo-
nent is computed by the synchronisation of the component behaviours of adapt: Adaptor,
gzip:Gzip, and gifToJpg:GifToJpg according to the connectors of their ports. The synchroni-
sation label for the output label adapt.g.gif of adapt:Adaptor and the input label gifToJpg.j.gif
of gifToJpg:GifToJpg is given in accordance with the connector gj by the label gj.gif. Now,
both component behaviours may synchronise on transitions with the shared label gj.gif.
If the assembly contains asynchronous connectors, the derived behaviour is a potentially
infinite-state system, due to the unboundedness of the FIFO queues used to model buffered
communication. For strictly synchronous assemblies, the composition can be computed
and represented by finite-state techniques. Assuming that the assembly connector tz is
synchronous, the mentioned assembly behaviour has 30 states and 65 transitions (includ-
ing internal and τ -transitions). If we hide internal actions of components and use the
minimisation procedure of observational equivalence, we obtain the simpler IOTS given
by Fig. 2.4a. The minimised IOTS shows only synchronised and open transitions as well
as those τ -transitions that could not be removed without invalidating observational equiv-
alence.4
Finally, the behaviour of composite components is derived in such a way that the input
and output actions of a composite component are delegated between its relay ports and the
open ports of the assembly. The synchronised transitions of the assembly are considered
to be internal labels of the composite component analogous to internal actions of simple
components. When a component is put into the context of a new assembly, its internals
are hidden, i.e. relabelled to the anonymous action τ . Figure 2.4b shows the resulting
component behaviour of CompressingProxy, after hiding and minimisation with respect to
blackbox equivalence under the assumption of tz being a synchronous connector.
1.3. Composition and Behavioural Incompatibilities. Fundamental to component-
based design is a composition operator that allows to construct new components from an
assembly of existing components (and connectors). Arbitrary composition might lead to a
vast number of component interoperability errors concerning different aspects and proper-
ties of the underlying components. Becker et al. [BOR04] provide a classification of these
errors in the context of general component characteristics comprising functional as well
as non-functional aspects. In the centre of our interest are architectural incompatibilities
4Computed using the LTSA tool with an FSP encoding of the given behaviours.
1. PORT-BASED COMPONENTS AND BEHAVIOURS 21
(a) Assembly behaviour
/d.comprData
tz.endZip
u.openGif/tz.endTxt
tz.txtu.openTxt/
tz.zip
tz.zip tz.zip
tz.zip
tz.endZiptz.stop
tz.txt
gj.jpg gj.gif
τ
(a7, z0, g0) (a8, z0, g0)(a6, z3, g0)(a1, z0, g0) (a2, z1, g0) (a3, z2, g0) (a5, z2, g0)(a4, z3, g0)(a0, z0, g0)
(a9, z0, g1)
(b) Component blackbox view
l.openTxt/
/r.comprData
l.openGif/
c0 c1
FIGURE 2.4. Assembly behaviour and blackbox view of CompressingProxy
which includes mismatches on the signature level of interfaces as well as incompatible as-
sumptions on synchronisation of buffered or unbuffered message exchange. We denote the
latter as behavioural incompatibilities.
While syntactical mismatches can be handled by static analysis of the interface spec-
ifications of a given component-based system, incompatibilities concerning the dynamic
behaviours of components are usually much harder to cope with. For example detecting
global deadlock states within an arbitrary assembly of components requires in general a
complete search within the globally reachable state space of the composed behaviours.
Therefore, it is of interest to examine compositional analysis techniques that allow to con-
clude global properties from modular component- or pairwise analysis. As an exemplary
property we focus on a communication error that is justified by the component’s local view
on message exchange as follows. If a component receives a message, it is implied that there
is some component in the system which had sent this message. Therefore, at the moment of
message reception it seems that everything is correct within the running system. However,
this does not apply to sending of messages. At the moment of message sending there is no
guarantee at all that the message will eventually reach some receiving component within
the given system.
Consider, for instance, the potential communication between the adaptor and the GIF
converter component in Fig. 2.3. If the adaptor reaches state a9, a timeout may occur
and the behaviour proceeds to state a7. Anyhow, the GIF converter might have reached
state j2 in the meantime and sends out the requested JPG with a transition to its initial
state j0. But then the message sent is not received by the adaptor, since state a7 does not
provide a corresponding reception transition. In order to detect this kind of architectural
incompatibility we aim to develop appropriate notions of compatibility for synchronous
and asynchronous communication within port-based component systems.
As a prerequisite we first need a more precise and formal model of component be-
haviours. Such a model should explain what behaviours are exactly and how they might be
composed to construct larger systems. In particular, it should be able to cope with synchro-
nous as well as asynchronous communication and it should provide appropriate notions of
(observational) equivalence to allow the substitution of a given component by different but
behaviourally equivalent components. The design of the model described in Sect. 2 takes
these requirements into account. In Sect. 3 we formally relate this model to the concepts
of Sect. 1.1. The formal component model also provides a detailed account on metamodel
constraints mentioned in Sect. 1.1 only informally.
22 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
Furthermore, there should not be a must to redo analysis of architectural incompat-
ibilities for any modification of a given component-based system. Instead, it should be
possible to carry out analysis on the level of more abstract specifications of component be-
haviour and then conclude that a given property holds for any correct implementation. In
this way, it is possible to substitute components as long as their implementation is correct
with respect to the original specification. In Chap. 4 we develop a theory that supports this
kind of reasoning. The theory is first developed independently from our concrete compo-
nent model and then put into context in Chap. 6. This chapter also shows that our theory
supports both, top-down and bottom-up approaches to component-based design. The for-
mer requires support for stepwise refinement of specifications and the latter requires an
implementation relation that preserves absence of communication errors after substituting
components by different but still correctly implemented components.
2. I/O-Transition Systems (IOTS) with Queues
Within this section we summarise definitions and basic properties for I/O-transition
systems that are similar to the interface automata of de Alfaro and Henzinger [dAH05].
Minor syntactical differences are, first, the assumption on I/O-labellings to be partitioned
inputs and outputs and, second, to allow besides internal transitions also an anonymous
internal action τ for abstraction from internal actions. De Alfaro and Henzinger define
composition and a refinement relation in order to investigate a particular notion of compat-
ibility between interface automata, while we define composition, relabelling, hiding, and
equivalence relations in order to formalise behaviours of components, assemblies and com-
posite components. In particular composite components are not considered in [dAH05].
2.1. Transition Systems with Partitioned I/O-Labellings. The definition of I/O-
transition systems with partitioned I/O-labellings relies on the (standard) notion of par-
titions. Let M be a set, Z ⊆ ℘M is a partition of M if ∅ /∈ Z and for X,Y ∈ Z,
X 6= Y implies X ∩ Y = ∅ and ⋃{X | X ∈ Z} = M . We write ⋃Z to refer to the set⋃{X | X ∈ Z}.
Definition 2.1 (IOL) An I/O-labelling (IOL) L = (I,O, T ) consists of three mutually
disjoint sets of input labels I , output labels O, and internal labels T ; we write
⋃
L for the
set of labels I ∪O ∪ T and assume τ /∈ ⋃L.
A partitioned IOL L = ((I1, O1), . . . , (In, On), T ), n ≥ 1, is an IOL where inputs and
outputs are given by a partition {(I1, O1), . . . , (In, On)}.
Partitions of input and output labels are used for the formalisation of asynchronous
communication in Chap. 4. Usually anything which holds for IOLs also holds for parti-
tioned IOLs. If this is not the case it is explicitly stated, otherwise we silently assume that
there is only a syntactical difference and do not mention partitioned IOLs explicitly.
Definition 2.2 (IOTS) An I/O-transition system (IOTS) A = (L, S, s0,∆) is given by an
IOL L, a set of states S, an initial state s0 ∈ S and a transition relation ∆ ⊆ S × (
⋃
L ∪
{τ})× S. An IOTS A = (L, S, s0,∆) is partitioned, if L is partitioned.
We use the following notations. If A = (L, S, s0,∆) is an IOTS, we write LA, SA,
s0,A and ∆A to refer to the labels L, the states S, the initial state s0 and the transition
relation ∆ of A respectively. Moreover, if LA = (I,O, T ), we write IA, OA and TA
to refer to I , O and T respectively. The transition labels of an IOTS A are given by
L(A) = IA ∪OA ∪ TA ∪ {τ}; the silent (internal) labels are given by T (A) = TA ∪ {τ}.
Definition 2.3 (Reachable states) The reachable states R(A) of an IOTS A = (L, S,
s0,∆) are inductively defined as follows: s0 ∈ R(A); and if s ∈ R(A) and there is
an l ∈ ⋃L ∪ {τ} and an s′ ∈ S with (s, l, s′) ∈ ∆, then s′ ∈ R(A). For an s ∈ R(A),
we writeR(s) for the subset of states reachable from s.
2. I/O-TRANSITION SYSTEMS (IOTS) WITH QUEUES 23
Definition 2.4 (Execution fragment, cf. [BKL08]) Let A be an IOTS and let s ∈ SA. A
finite execution fragment of an IOTS A is a finite sequence ρ = s0l1s1 . . . lnsn of states
si ∈ SA and labels li+1 ∈ L(A) such that (si, li+1, si+1) ∈ ∆A for all 0 ≤ i < n;
if n = 0, then s0 is a finite execution sequence. An infinite execution fragment of A is
an infinite sequence ρ = s0l1s1l2s2 . . . of states si ∈ SA and labels li+1 ∈ L(A) such
that (si, li+1, si+1) ∈ ∆A for all i ≥ 0. An execution fragment of A is either a finite
or an infinite execution fragment of A; with frag∗(A), fragω(A) and frag(A) we refer to
the finite, infinite and to all execution fragments of A respectively. An execution fragment
of A is initial, if it starts in the initial state s0,A of A. We write frag∗0(A), fragω0 (A) and
frag0(A) for the initial respective execution fragments of A.
We use the following notation to abbreviate conditions on the transition relation of an
IOTS. LetA be an IOTS and let X ⊆ L(A). We write (s, s′) ∈ ∆XA if either s = s′ or there
exists l1, . . . , ln ∈ X and s1, . . . , sn−1 ∈ SA such that (s l1s1 . . . sn−1ln s′) ∈ frag(A);
we write (s, l, s′) ∈ ∆XA if l /∈ X and there exists l1, . . . , lk−1, lk+1, . . . ln ∈ X and
s1, . . . , sn−1 ∈ SA such that (s l1s1 . . . lk−1sk−1l sk+1lk+1 . . . sn−1ln s′) ∈ frag(A); if
X = {τ} we write ∆τA.
2.2. Operators on I/O-Transition Systems. While the definition of IOTSs and their
products are motivated by interface automata [dAH05], hiding and relabelling are moti-
vated by their counterparts in process algebras such as CCS [Mil89] or FSP [KM99]. A
closer look reveals, however, that even the product operator strongly resembles the CCS
operator for composition. Also the notions of strong and weak (observational) equivalence
considered hereafter are closely related to the corresponding CCS equivalences.
We use hiding to map a subset of the labels of an IOTS to the anonymous internal
action τ . Relabellings are used for renaming labels and for changing the kind of labels.
The computation of the product of two IOTSs expresses their parallel composition with
synchronisation on identical input and output labels. To construct the product the IOLs of
the given IOTSs must be composable.
Definition 2.5 (Hiding) The hiding of an IOL L = (I,O, T ) w.r.t. a subset H ⊆ ⋃L is
the IOL L/H = (I \ H,O \ H,T \ H). The hiding of an IOTS A = (L, S, s0,∆) w.r.t.
a label set H ⊆ ⋃L is the IOTS A/H = (L/H,S, s0,∆/H) where ∆/H = {(s, τ, s′) |
(s, l, s′) ∈ ∆ ∧ l ∈ H} ∪ {(s, l, s′) | (s, l, s′) ∈ ∆ ∧ l /∈ H}.
In many cases we will choose H = T , i.e., we will hide all internal labels. Then, for an
IOL L = (I,O, T ), we write Lξ for L/T and, for an IOTS A, we write Aξ for A/TA.
Definition 2.6 (Relabelling) A relabelling ρ : L → L′ from an IOL L = (I,O, T ) to an
IOL L′ = (I ′, O′, T ′) is defined by a function fρ from
⋃
L to
⋃
L′. The relabelling of an
IOTS A = (L, S, s0,∆) w.r.t. a relabelling ρ : L → L′ is the IOTS Aρ = (L′, S, s0,∆ρ)
where ∆ρ = {(s, fρ(l), s′) | (s, l, s′) ∈ ∆ ∧ l ∈
⋃
L} ∪ {(s, τ, s′) | (s, τ, s′) ∈ ∆}.
For convenience we usually use the same name for a relabelling and its defining function,
i.e. use ρ instead of fρ. A particular application of relabelling is the internalisation of
(some) input and output labels. For an IOL L = (I,O, T ) and a subset X ⊆ I ∪ O,
we define the internalisation relabelling θX : (I,O, T ) → (I \ X,O \ X,T ∪ X) with
θX(l) = l for l ∈
⋃
L. Moreover, we need to compute the union of two relabellings for
the same IOL. Given two relabellings ρ1 and ρ2 which coincide on all elements in the
intersection of their domains, we denote their union (as function graphs) by ρ1 ∪ ρ2.
Definition 2.7 (Composability and shared labels) LetL1 = (I1, O1, T1) andL2 = (I2, O2,
T2) be IOLs. (L1, L2) are composable if I1 ∩ I2 = ∅, O1 ∩ O2 = ∅, T1 ∩ (I2 ∪ O2 ∪
T2) = ∅, and T2 ∩ (I1 ∪ O1 ∪ T1) = ∅. Two IOTSs A1 and A2 are composable if
LA1 and LA2 are composable. The shared labels of composable IOLs L1 = (I1, O1, T1)
and L2 = (I2, O2, T2), written L1 on L2, are given by (I1 ∩ O2) ∪ (O1 ∩ I2). Let
24 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
∆ = {((s1, s2), l, (s′1, s2)) | (s1, l, s′1) ∈ ∆1 ∧ s2 ∈ S2 ∧ l /∈ L1 on L2} ∪
{((s1, s2), l, (s1, s′2)) | (s2, l, s′2) ∈ ∆2 ∧ s1 ∈ S1 ∧ l /∈ L1 on L2} ∪
{((s1, s2), l, (s′1, s′2)) | (s1, l, s′1) ∈ ∆1 ∧ (s2, l, s′2) ∈ ∆2 ∧ l ∈ L1 on L2} .
FIGURE 2.5. Transition relation for IOTS products
A1, . . . , An be pairwise composable IOTSs. The set of shared labels of A1, . . . , An is
given by S(A1, . . . , An) =
⋃
i6=j L(Ai) on L(Aj).
Two partitioned IOLs are composable, if their underlying label sets are composable
and shared labels can be uniquely assigned to the partitions.
Definition 2.8 (Composability of partitioned I/O-labellings) Let LA = ((IA,1, OA,1),
. . . , (IA,n, OA,n), TA) and LB = ((IB,1, OB,1), . . . , (IB,m, OB,m), TB) be partitioned
IOLs. LA and LB are composable if (
⋃n
i=1(IA,i),
⋃n
i=1(OA,i), TA) and (
⋃m
i=1(IB,i),⋃n
i=1(OB,i), TB) are composable, and if l ∈ S(A,B), then there exists unique i, j ∈ N
such that l ∈ (IA,i ∩OB,j) ∪ (OA,i ∩ IB,j).
Definition 2.9 (Composition) The composition (product) of two composable IOLs L1 and
L2 is the IOL L1 ⊗ L2 = ((I1 ∪ I2) \ (L1 on L2), (O1 ∪ O2) \ (L1 on L2), T1 ∪ T2 ∪
(L1 on L2)). The product of two composable IOTSs A1 = (L1, S1, s0,1,∆1) and A2 =
(L2, S2, s0,2,∆2) is the IOTS A1 ⊗ A2 = (L1 ⊗ L2, S1 × S2, (s0,1, s0,2),∆) where ∆ is
given by Tab. 2.5
Pairwise composability for a set of IOLs implies that all composable pairs of this set
have mutually disjoint shared labels. In the context of IOTS products, mutually disjoint
shared labels guarantee that the synchronisation between different IOTS is always binary
which is a prerequisite for the associativity of the IOTS product operator (cf. composability
of interface automata [dAH01b, Theorem 3.1] or [EDM08, Theorem 2.1, 2.2]).
Lemma 2.10 If the IOLs L1, . . . , Ln are pairwise composable, then for all i 6= j ∈
{1, . . . , n}, (Li, Lj) 6= (L′i, L′j) ∈ {(L,L′) | L 6= L′ ∈ {L1, . . . , Ln} ∧ L on L′ 6= ∅} it
holds that (L1 on L2) ∩ (L′1 on L′2) = ∅.
PROOF. Pairwise composability means that for all i, j ∈ {1, . . . , n} with i 6= j and
Li = (Ii, Oi, Ti) and Lj = (Ij , Oj , Tj) it holds that Ii ∩ Ij = ∅, Oi ∩ Oj = ∅ and Ti ∩⋃
Lj = ∅. Assume there exists (L1, L2) 6= (L′1, L′2) such that (L1 on L2) ∩ (L′1 on L′2) 6=
∅. Then, by definition of IOL products, ((I1∩O2)∪(I2∩O1))∩((I ′1∩O′2)∪(I ′2∩O′1) 6= ∅.
W.l.o.g. assume that (I1 ∩O2)∩ (I ′1 ∩O′2) 6= ∅, then I1 ∩ I ′1 ∩O2 ∩O′2 6= ∅, contradicting
pairwise compatibility which requires I1 ∩ I ′1 = ∅ and O2 ∩O′2 = ∅. 
Composability is preserved by IOL subsets. For L = (I,O, T ), L′ = (I ′, O′, T ′)
IOLs, we write L′ ⊆ L iff I ′ ⊆ I , O′ ⊆ O and T ′ ⊆ T .
Lemma 2.11 Let L1, L2 and L′2 ⊆ L2 be IOLs. If L1 and L2 are composable, then L1
and L′2 are composable.
PROOF. For i = 1, 2, letLi = (Ii, Oi, Ti) be composable and letL′2 = (I ′2, O′2, T ′2) ⊆
L2. Then I1∩I2 = ∅ implies I1∩I ′2 = ∅,O1∩O2 = ∅ impliesO1∩O′2 = ∅, T1∩
⋃
L2 = ∅
implies T1 ∩
⋃
L′2 = ∅ and T2 ∩
⋃
L1 = ∅ implies T ′2 ∩
⋃
L1 = ∅. 
2.3. Greybox and Blackbox Equivalence. We define three kinds of equivalence re-
lations between IOTSs. First, strong equivalence which can be considered to be a substitute
for equality. Second, greybox equivalence which abstracts from τ and is useful for exam-
ple for the minimisation of assembly behaviours in case internal synchronisation transitions
should not be hidden away. And third, blackbox (observational) equivalence which makes
no difference between internal and τ transitions and abstracts from both.
2. I/O-TRANSITION SYSTEMS (IOTS) WITH QUEUES 25
Definition 2.12 (Strong equivalence) A strong bisimulation between two IOTSs A and B
with the same IOLLA = LB = L is a relationR ⊆ SA×SB such that for all (sA, sB) ∈ R
and all l ∈ ⋃L ∪ {τ} the following holds:
∀s′A ∈ SA . (sA, l, s′A) ∈ ∆A =⇒ ∃s′B ∈ SB . (sB , l, s′B) ∈ ∆B ∧ (s′A, s′B) ∈ R,
∀s′B ∈ SB . (sB , l, s′B) ∈ ∆B =⇒ ∃s′A ∈ SA . (sA, l, s′A) ∈ ∆A ∧ (s′A, s′B) ∈ R.
The IOTSs A and B are strongly equivalent, denoted by A ≈s B, if there exists a strong
bisimulation R between A and B with (s0,A, s0,B) ∈ R.
Definition 2.13 (Greybox equivalence) A gb-bisimulation between two IOTSs A and B
with the same IOLLA = LB = L is a relationR ⊆ SA×SB such that for all (sA, sB) ∈ R
and all l ∈ ⋃L the following holds:
∀s′A ∈ SA . (sA, l, s′A) ∈ ∆A =⇒ ∃s′B ∈ SB . (sB , l, s′B) ∈ ∆τB ∧ (s′A, s′B) ∈ R,
∀s′A ∈ SA . (sA, τ, s′A) ∈ ∆A =⇒ ∃s′B ∈ SB . (sB , s′B) ∈ ∆τB ∧ (s′A, s′B) ∈ R,
∀s′B ∈ SB . (sB , l, s′B) ∈ ∆B =⇒ ∃s′A ∈ SA . (sA, l, s′A) ∈ ∆τA ∧ (s′A, s′B) ∈ R,
∀s′B ∈ SB . (sB , τ, s′B) ∈ ∆B =⇒ ∃s′A ∈ SA . (sA, s′A) ∈ ∆τA ∧ (s′A, s′B) ∈ R.
The IOTSs A and B are greybox equivalent, denoted by A ≈gb B, if there exists a gb-
bisimulation R between A and B with (s0,A, s0,B) ∈ R.
Definition 2.14 (Blackbox equivalence) A bb-bisimulation between two IOTSs A and B
with the same IOL (I,O, T ) is a relation R ⊆ SA × SB such that for all (sA, sB) ∈ R
and all l ∈ I ∪O and all t ∈ T ∪ {τ} the following holds:
∀s′A ∈ SA . (sA, l, s′A) ∈ ∆A =⇒ ∃s′B ∈ SB . (sB , l, s′B) ∈ ∆T∪{τ}B ∧ (s′A, s′B) ∈ R,
∀s′A ∈ SA . (sA, t, s′A) ∈ ∆A =⇒ ∃s′B ∈ SB . (sB , s′B) ∈ ∆T∪{τ}B ∧ (s′A, s′B) ∈ R,
∀s′B ∈ SB . (sB , l, s′B) ∈ ∆B =⇒ ∃s′A ∈ SA . (sA, l, s′A) ∈ ∆T∪{τ}A ∧ (s′A, s′B) ∈ R,
∀s′B ∈ SB . (sB , t, s′B) ∈ ∆B =⇒ ∃s′A ∈ SA . (sA, s′A) ∈ ∆T∪{τ}A ∧ (s′A, s′B) ∈ R.
The IOTSs A and B are blackbox equivalent, denoted by A ≈bb B, if there exists a bb-
bisimulation R between A and B with (s0,A, s0,B) ∈ R.
Lemma 2.15 Let A and B be IOTSs with the same IOL. Then A ≈bb B if and only if
Aξ ≈gb Bξ. 
In the following we list basic properties for greybox and blackbox equivalence that are
used mainly in Chap. 3 of this thesis. As the following claims hold analogously for black-
box equivalence, we use the notation ≈ to denote either greybox or blackbox equivalence.
Greybox (blackbox) equivalence is a congruence w.r.t. hidings, relabellings and prod-
ucts. For hiding and relabelling this follows directly from the definitions and corresponds to
the respective facts for standard process algebras, like [KM99], since greybox (blackbox)
equivalence is independent of the kind of the labels. The preservation of greybox (black-
box) equivalence by the product follows from the facts that greybox (blackbox) equivalence
is a congruence w.r.t. parallel composition with synchronisation of shared labels [KM99]
and that the equality of labellings is preserved by the product.
Lemma 2.16 Let A, B, and C be IOTSs.
(1) If A ≈ B and H ⊆ ⋃LA, then A/H ≈ B/H .
(2) If A ≈ B and ρ : LA → L′ is a relabelling, then Aρ ≈ Bρ.
(3) If A ≈ B and A and C are composable, then A⊗ C ≈ B ⊗ C. 
The product is commutative and associative up to greybox (blackbox) equivalence.
Commutativity is straightforward from the definitions; associativity carries over from the
corresponding fact for interface automata [dAH05] taking into account also τ and internal
26 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
transitions. Furthermore, hiding of non-shared labels commutes with the formation of
products.
Lemma 2.17 Let A, B, and C be IOTSs.
(1) If A and B are composable, then A⊗B ≈ B ⊗A.
(2) If A, B, and C are pairwise composable, then (A⊗B)⊗ C ≈ A⊗ (B ⊗ C).
(3) If A and B are composable and H ⊆ ⋃LA with H ∩ S(A,B) = ∅, then
(A/H)⊗B ≈ (A⊗B)/H . 
For a finite index set I , we write
⊗
i∈I Ai for the product of the IOTSs Ai with i ∈ I ,
which is justified by Lem. 2.17 (2).
2.4. Encoding of FIFO Queues. Asynchronous communication is supported within
our component model in the form of buffered communication using FIFO queues. We
encode FIFO queues by IOTSs over a given setM of messages such that storing a message
m in the queue is an input action of the form mB and removing a message m from the
queue is an output action of the form m. The contents of a queue define the queue’s states
which are formally represented by the set M∗ of finite sequences over M . The empty
sequence is denoted by , the extension of s ∈M∗ by an m ∈M at the head of the queue
is written 〈ms〉, and extension at the tail is written 〈sm〉.
Definition 2.18 (Output queue) Let M be a set. An output queue over M is given by
QBM = ((I,O, T ), S, s0,∆), where I = {mB | m ∈ M}, O = {m | m ∈ M}, T = ∅;
S = {s | s ∈M∗}, s0 = ; and ∆ ⊆ S × (I ∪O ∪ T ∪ {τ})× S is the smallest relation
such that
(1) for all mB ∈ I and all s ∈ S, there exists (s,mB, 〈sm〉) ∈ ∆,
(2) for all m ∈ O and all 〈ms〉 ∈ S, there exists (〈ms〉,m, s) ∈ ∆.
Output queues will be used to formalise the buffering behaviour of asynchronous con-
nectors. For synchronous connectors we apply a notion of “empty IOTS” since synchro-
nous communication is already completely covered by the properties of the IOTS product
operator. An empty IOTS is given by 0 = (L, S, s0,∆) with
⋃
L = ∅, S = {s0} and
∆ = ∅. By queue and empty IOTSs we obtain a uniform definition of buffering behaviours
of connectors which is needed for the definition of assembly behaviour below (Def. 2.22).
3. Components with (A)Synchronous Communication
In this section we make the concepts introduced above using a metamodel more pre-
cise. For the formalisation of behaviours and asynchronous connectors we will use IOTSs
with the given encoding of FIFO queues.
3.1. Ports, Components, and Connectors. For the formalisation of ports we as-
sume a domain Port of ports (more precisely, port types), a domain If of interfaces and
a domain Msg of messages, together with functions msg : If → ℘Msg to return the
messages constructed from the operations of an interface, and prv : Port → If and
req : Port → If for the provided and required interfaces of a port such that for all
P ∈ Port,msg(prv(P )) ∩ msg(req(P )) = ∅. For a port P we write msg(P ) for
msg(prv(P )) ∪ msg(req(P )). We also assume a domain of port declarations PortDcl
with a function nm : PortDcl → Nm for the name and a function ty : PortDcl → Port
for the port (type); we write p : P for a port declaration d with nm(d) = p and ty(d) = P .
If ports are used for asynchronously communicating components, an output queue is
defined with respect to the messages required at the particular port.
Definition 2.19 (Port queue) The queue of a port (type) P is given by
que(P ) = QBmsg(req(P )) .
3. COMPONENTS WITH (A)SYNCHRONOUS COMMUNICATION 27
We assume a domain Cmp of components (more precisely, component types) and a
function ports : Cmp → ℘PortDcl returning the ports declared for a component. For
a component C and port declaration p : P we write C[p : P ] to indicate that p : P ∈
ports(C). The port names p used in port declarations p : P of one component C must
be unique (but this is not necessary for port types P ). Like for ports and connectors, we
assume a domain of component declarations CmpDcl with a function nm : CmpDcl →
Nm for the name and a function ty : CmpDcl → Cmp for the component (type); we
write c : C for a component declaration d with nm(d) = c and ty(d) = C. The ports of
a component declaration are given by ports(c : C) = {c.p : P | p : P ∈ ports(C)}. We
assume a sub-domain SCmp ⊆ Cmp of simple components. Each SC ∈ SCmp has a
user defined behaviour specification.
Definition 2.20 (Behaviour simple component) The behaviour of a simple component SC
is given by an IOTS
beh(SC) = ((I,O, T ), S, s0,∆) ,
where I = {p.msg(prv(P )) | p : P ∈ ports(SC)} and O = {p.msg(req(P )) | p : P ∈
ports(SC)}.
The labels of a component behaviour are just the labels according to the (provided and
required) messages of the ports of the component prefixed with the port name in the cor-
responding port declaration. Additional actions that may occur are either labelled by dis-
tinguished internal labels or by the anonymous internal action τ . For the construction of
assemblies component declarations are used. Then the behaviour of a component should
be uniquely represented within the global behaviour and hence we define the behaviour
of a component declaration c : C ∈ CmpDcl by beh(c : C) = c.beh(C) using a pre-
fix relabelling of the original behaviour. A prefix relabelling prefixes all labels of an
IOTS by some given name. We assume a primitive domain Nm of names. For an IOL
L = (I,O, T ) and some name n ∈ Nm, we define the IOL n.L = (n.I, n.O, n.T ) where
n.I = {n.i | i ∈ I} and similarly for n.O and n.T . The prefix relabelling ρn : L → n.L
is defined by ρn(l) = n.l for l ∈
⋃
L. Given an IOTS A and a name n ∈ Nm, we write
n.A for the IOTS Aρn.
For building component assemblies and composite components we will connect port
declarations of components. We assume a domain Conn of connectors (more precisely,
connector types) with a function ports : Conn → ℘PortDcl yielding the connected port
declarations such that 1 ≤ |ports(K)| ≤ 2 for each K ∈ Conn, i.e. we consider unary
and binary connectors. We assume a domain of connector declarations ConnDcl with
a function nm : ConnDcl → Nm for the name and ty : ConnDcl → Conn for the
connector (type); we write k : K for a connector declaration d with nm(d) = k and
ty(d) = K and we write k : (p : P, q : Q) if ports(K) = {p : P, q : Q}.
The domain Conn has two disjoint sub-domains AsmConn ⊆ Conn, DlgConn ⊆
Conn of assembly and delegate connectors, resp. Assembly connectors are used to connect
port declarations of components when building up a component assembly. For an assembly
connector with port declarations {p1 : P1, p2 : P2} the required interface req(P1) has to be
equal to the provided interface prv(P2) and vice versa. There are again two disjoint sub-
domains AsynConn ⊆ AsmConn, SynConn ⊆ Conn for asynchronous and synchronous
connectors, resp.
Delegate connectors are used to connect open ports of an assembly with the relay
ports of a surrounding composite component. For a delegate connector the provided and
required interfaces of its port declarations must coincide.
Asynchronous connectors are used for asynchronous communication between the ports
of components. They show a buffering behaviour which relies on the queues defined for
the connected ports.
28 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
Definition 2.21 (Buffering connector behaviour) The buffering behaviour of an asynchro-
nous connector k : (p : P, q : Q) is given by
buf (k : (p : P, q : Q)) = k.(que(P )⊗ que(Q)) .
If a connector k : K is synchronous we set buf (k : K) = 0.
3.2. Assemblies and Composite Components. For the computation of the behaviour
of assemblies and composite components we employ several relabelling functions, which
are fixed cases of IOTS relabellings as introduced in Sect. 2. These relabellings are needed
for creating shared labels when I/O-transition systems, representing behaviours, are com-
posed. Even for asynchronous compositions shared labels will be needed for appropriate
synchronisations with the queue transition systems.
A match relabelling maps differently prefixed labels to labels with a single common
prefix. For an IOL L = (I,O, T ), X ⊆ Nm and y ∈ Nm, we define the IOL Lµ(X,y) =
(Iµ(X,y), Oµ(X,y), Tµ(X,y)) where Iµ(X,y) = {y.l | ∃x ∈ X .x.l ∈ I} ∪ {l | l ∈
I ∧ ∀x ∈ X . l 6= x.l′} and analogously for Oµ(X,y) and Tµ(X,y). The match relabelling
µ(X,y) : L → Lµ(X,y) is defined by µ(X,y)(x.l) = y.l if x ∈ X and x.l ∈
⋃
L, and
µ(X,y)(l′) = l′ otherwise.
A unary synchronisation relabelling σ(x,y) is given by the composition θX ◦ µ({x},y)
of a match relabelling and an internalisation withX = {y.l | y.l ∈ Iµ({x},y)∪Oµ({x},y)}.
For an IOL L = (I,O, T ), X ⊆ Nm and y ∈ Nm, a (binary) synchronisation relabelling
σ(X,y) is given by a match relabelling µ(X,y) with |X| = 2 and T = Tµ(X,y).
An asynchronous relabelling α(X,y) is given by the composition σ(X,y) ◦ βU with
U = {x.l ∈ I ∪ O | x ∈ X, l ∈ Nm} and βU a relabelling defined as follows: For an
IOL (I,O, T ) and a set of labels M define OMB = {lB | l ∈ O ∩M} ∪ (O \M); now
βU : (I,O, T ) → (I,OMB , T ) is defined by βU (l) = lB if l ∈ O ∩ U , and βU (l) = l
otherwise. Finally, a relay relabelling ρ(x,y) is given by a match relabelling µ(X,y) with
X = {x}.
An assembly contains a set of component declarations and a set of connector declara-
tions which connect ports (more precisely, the connector declarations connect port decla-
rations belonging to component declarations of the assembly). We assume a domain Asm
of assemblies with functions cmps : Asm→ ℘CmpDcl returning an assembly’s declared
components and conns : Asm → ℘ConnDcl yielding its declared connectors. The com-
ponent names c used in component declarations c : C of an assembly a must be unique
(but this is not necessary for the component types C). Similarly, connector names within
the assembly must be unique. For an assembly a we define the subset of asynchronous
connectors by acs(a) ⊆ conns(a) such that k : K ∈ acs(a) iff K ∈ AsynConn, and
the subset of synchronous connectors by scs(a) ⊆ conns(a) such that k : K ∈ scs(a)
iff K ∈ SynConn. The remaining connectors in conns(a) are unary and we define
ucs(a) = conns(a) \ (acs(a) ∪ scs(a)).
An assembly a ∈ Asm has to be well-formed: (i) it shows only assembly connectors,
i.e., if k : K ∈ conns(a), then K ∈ AsmConn; (ii) only ports of components inside
a are connected, i.e., for all k : K ∈ conns(a) we have that ports(K) ⊆ ⋃{ports(c :
C) | c : C ∈ cmps(a)}; and (iii) there is at most one connector for each port, i.e., if
c.p : P ∈ ⋃{ports(c : C) | c : C ∈ cmps(a)} and k : K, k′ : K ′ ∈ conns(a) with
c.p : P ∈ ports(K) ∩ ports(K ′), then k : K = k′ : K ′.
To retrieve component declarations from port declarations within an assembly a we
define cmp :
⋃{ports(c : C) | c : C ∈ cmps(a)} → cmps(a) by cmp(c.p : P ) = c : C if
c.p : P ∈ ports(c : C). The components of an assembly a may show open ports which are
not connected and we let open(a) =
⋃{ports(c : C) | c : C ∈ cmps(a)} \⋃{ports(K) |
k : K ∈ conns(a)}.
We write 〈C;K〉 for an assembly a with the set of component declarations cmps(a) =
C and the set of connector declarations conns(a) = K. We will use a notation to substitute
3. COMPONENTS WITH (A)SYNCHRONOUS COMMUNICATION 29
(replace) components within a given assembly. More precisely, we need to replace the
component type of some component declaration given by an assembly. Let a = 〈C;K〉
be an assembly, c : C ∈ C and C ′ ∈ Cmp with ports(C ′) = ports(C). The (type)
substitution of c : C by C ′ in a, written a[c : C 7→ C ′], is given by 〈(C \ {c : C}) ∪
{c : C ′};K〉. We allow also for an n-ary simultaneous substitution written a[c1 : C1 7→
C ′1, . . . , cn : Cn 7→ C ′n].
In the following we focus on the definition of the behaviour of an assembly. The idea
is that the behaviour of an assembly is determined by the composition of the behaviours
of the components occurring in the assembly. But, of course, the composition must be
defined in accordance with the possible communications between components which are
connected via their ports. Since connectors may be asynchronous the buffering behaviour
of connectors (cf. Def. 2.21) plays a crucial role. Moreover, match relabellings are neces-
sary to ensure proper synchronisation.
c : C p : P c.p.m
αÔ→ k.m k.mB α← [ d.q.m
comp.
in
comp.
out
d : Dq : Q
c.p.n
αÔ→ k.nB k.n α← [ d.q.n
comp.
out
comp.
in
m ∈ prv(P ) = req(Q)
n ∈ prv(Q) = req(P )
Figure 1: Assembly with asynchronous connector
c : C p : P c.p.m
σÔ→ k.m σ← [ d.q.m
comp.
in
comp.
out
d : Dq : Q
c.p.n
σÔ→ k.n σ←[ d.q.n
comp.
out
comp.
in
m ∈ prv(P ) = req(Q)
n ∈ prv(Q) = req(P )
Figure 2: Assembly with synchronous connector
1
FIGURE 2.6. Assembly with asynchronous connector
c : C p : P c.p.m
αÔ→ k.m k.mB α← [ d.q.m
comp.
in
comp.
out
d : Dq : Q
c.p.n
αÔ→ k.nB k.n α← [ d.q.n
comp.
out
comp.
in
m ∈ prv(P ) = req(Q)
n ∈ prv(Q) = r q(P )
Figure 1: Assembly with asynchronous connector
c : C p : P c.p.m
σÔ→ k.m σ← [ d.q.m
comp.
in
comp.
out
d : Dq : Q
c.p.n
σÔ→ k.n σ←[ d.q.n
comp.
out
comp.
in
m ∈ prv(P ) = req(Q)
n ∈ prv(Q) = req(P )
Figure 2: Assembly with synchronous connector
1
FIGURE 2.7. Assembly with synchronous connector
Figure 2.6 illustrates how the behaviour of an assembly with two asynchronously com-
municating components is constructed. There are two component declarations c : C and
d : D. The component type C has one port declaration p : P which, in the context of the
assembly with component declaration c : C, is considered as a port declaration c.p : P to
ensure uniqueness of port names within an assembly. Similarly, the component type D has
one port declaration q : Q. Thus the messages sent out from the component c via its port p
have the form c.p.n where n is a message of the required interface of P . The two ports are
connected by a connector declaration of the form k : (c.p : P, d.q : Q). Thus the required
interface of P must coincide with the provided interface of Q. According to the buffering
behaviour of the connector k there is a queue que(P ) (cf. Def. 2.19) which allows to store
outputs of the form c.p.n with n being a message according to the required interface of P .
To achieve that the issued message c.p.n will indeed be put into the queue que(P ), we use
an asynchronous relabelling α which maps c.p.n to k.nB. The message n can be dequeued
from que(P ) later on with the action k.n. Since d.q.n is an input of component d on port
q, only the synchronous part of the matching relabelling α has an effect and maps d.q.n to
k.n. The communication in the other direction works analogously.
30 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
Figure 2.7 illustrates how the behaviour of an assembly with two synchronously com-
municating components is constructed. Here, the necessary relabelling to synchronise in-
put and output actions is much easier. Indeed, in this case a message c.p.n sent from
component c via its port p must be matched with the input action d.q.n on the port q of the
component d. For this purpose both actions are simply matched to the label k.n with the
relabelling σ, where k is again the connector’s name.
For general assemblies a, we denote the unary and binary synchronisation relabellings
by σ and the asynchronous relabellings by α as follows:
σ ≡⋃{σ(c.p,k) | k : K ∈ ucs(a) . ports(K) = {c.p : P}} ∪⋃{σ({c.p,d.q},k) | k : K ∈ scs(a) . ports(K) = {c.p : P, d.q : Q}},
α ≡⋃{α({c.p,d.q},k) | k : K ∈ acs(a) . ports(K) = {c.p : P, d.q : Q}}.
We have now the technical ingredients to define the behaviour of an assembly. In
the definition the successive application of σ and α cannot lead to conflicts because both
relabellings are disjoint due to the well-formedness of assemblies. Note also that in the case
of synchronous connectors buf (k : K) is trivial as explained in Sect. 3.1. Moreover, the
assembly behaviour is well-defined because all participating behaviours are composable.
This is due to the disjointness of provided and required operations on port types, to the
uniqueness of names for ports (in component declarations) as well as for components and
connectors (in the assembly), and to the commutativity and associativity of the composition
operator for IOTSs.
Definition 2.22 (Assembly behaviour) The behaviour of an assembly a is given by
beh(a) =
⊗
c:C∈cmps(a)((beh(c : C)ξ)σα)⊗
⊗
k:K∈conns(a) buf (k : K) .
We apply the ξ operator, hiding local internal actions of the components before compo-
sition and obtain an assembly behaviour that shows a greybox view with synchronisation
labels of the composed components and connectors. The hiding of local internal actions
corresponds to the hiding of implementation details which are not relevant for the given
hierarchical level any more. Indeed relevant, for instance for the verification of communi-
cation properties, are synchronisation transitions of components, and of components with
message buffers respectively. We take this into account by a corresponding greybox view
that leaves the communication via synchronous and asynchronous connectors internally
visible.
Composite components are constructed by encapsulating an assembly and by con-
necting, with delegate connectors, the open ports of the assembly with relay ports of the
composite component. Formally, we assume a sub-domain CCmp ⊆ Cmp of composite
components, disjoint to SCmp and functions asm : CCmp → Asm returning the under-
lying assembly of a composite component, and conns : CCmp → ℘ConnDcl returning
the connectors declared in a composite component. Similar to assemblies we require a
composite component CC to be well-formed: (i) it shows only delegate connectors, i.e.,
if k : K ∈ conns(CC ), then K ∈ DlgConn; (ii) all open ports of the asm(CC ) are
connected, i.e., for all c.p : P ∈ open(asm(CC )) there is k : K ∈ conns(CC ) such that
c.p : P ∈ ports(K); and (iii) all relay ports are connected, i.e., for all r : R ∈ ports(CC )
there is a unique k : K ∈ conns(CC ) with ports(K) = {c.p : P, r : R} and c.p : P ∈
open(asm(CC )).
We write 〈a;P;K〉 for a composite component CC with assembly asm(CC ) = a, set
of (relay) port declarations ports(CC ) = P and set of (delegate) connector declarations
conns(CC ) = K. Finally, we extend the notion of type substitution for assemblies to
composite components. Let CC = 〈a;P;D〉 a composite component, c : C ∈ cmps(a)
and C ′ ∈ Cmp with ports(C ′) = ports(C). The (type) substitution of c : C by C ′ in CC ,
written CC [c : C 7→ C ′], is given by 〈a[c : C 7→ C ′];P;D〉.We allow also for an n-ary
simultaneous substitution written CC [c1 : C1 7→ C ′1, . . . , cn : Cn 7→ C ′n].
4. IMPLEMENTATION USING MESSAGE-ORIENTED MIDDLEWARE 31
The behaviour of a composite component is derived from the behaviour of its under-
lying assembly by matching the labels on the open ports of the assemblies with the labels
on the relay ports in accordance with the delegate connectors.
Definition 2.23 (Behaviour of composite component) The behaviour of a composite com-
ponent CC is given by
beh(CC ) = beh(asm(CC ))ρ ,
where ρ =
⋃{ρ(c.p,r) | k : K ∈ conns(CC ) . ports(K) = {c.p : P, r : R}}.
The behaviour of composite components shows internal transitions that arise from the
synchronisation of components and connectors within the underlying assembly. Thus the
behaviour is a greybox behaviour analogous to the case of simple components. If a com-
posite component is set into the context of a new assembly then the blackbox view of the
component’s behaviour is used and all implementation details of the composite component
are relabelled to anonymous internal τ actions.
4. Implementation using Message-Oriented Middleware
Port-based component systems can be implemented using a message-oriented middle-
ware (MOM) such as Open Message Queue [Mic07, Open MQ] which is an implementa-
tion of the Java Message Service standard [Mic02, JMS]. A MOM provides a framework
for the realisation of distributed systems whose components communicate by asynchronous
message exchange. Components are loosely coupled without means for direct interaction
via method calls, remote method calls respectively. Data is transfered between different
components as part of messages only. Thus the basic communication mechanism is send-
ing and receiving of messages using a layer that provides data structures and mechanisms
to construct, buffer and deliver messages. Figures 1.2 and 1.4 show schematic views on
the role of the middleware layer as part of the implementation of distributed systems.
4.1. Java Message Service and Open MQ. JMS is a specification, provided by Sun
Microsystems, that defines the basic entities of a message oriented system and how to
access the MOM layer in order to communicate messages. The specification comprises
Java interfaces with informal descriptions that can be used by Java programs to access a
MOM that implements the JMS standard. As an example for such an implementation we
consider Open MQ which is a reference implementation of JMS also provided by Sun. A
Java program that uses JMS is called a JMS application.
The JMS standard essentially consists of four parts. The architecture describes what
constitutes a JMS application, the message model defines the detailed structure of JMS
messages, the communication model describes the two basic messaging styles in JMS ap-
plications, point-to-point (P2P) and publish-subscribe messaging, and finally common fa-
cilities comprise concepts that are common to these styles such as connections or sessions
for sending and receiving messages. After a brief architectural overview, we will focus on
concepts for JMS applications with P2P messaging. These concepts provide an appropriate
foundation for the implementation of port-based components with asynchronous communi-
cation. Publish-subscribe messaging can be used to realise group communication. Though,
group communication was not considered within this thesis and hence publish-subscribe
messaging does not play a particular role in the following.
A JMS application comprises a JMS Provider and essentially three kinds of entities:
JMS Clients, Messages, and Administered Objects. The JMS provider is the complete
messaging system that implements the JMS API as well as the administrative and con-
trol functionality of the middleware. JMS Clients are Java programs that create, send and
receive Messages. Administered objects are JMS objects that are implemented and man-
aged by the JMS Provider. For instance, the queues used for buffered communication are
administered objects.
32 2. A FORMAL MODEL FOR COMPONENTS WITH BEHAVIOURS
JMS specifies, amongst others the following interfaces (cf. [Mic02, Tab. 2-1]), relevant
for an implementation of port-based components with asynchronous communication:
QueueConnectionFactory to create connections with JMS Provider
QueueConnection to create sessions
Queue administered object for message exchange
QueueSession to create sender and receiver for each queue
QueueSender queue specific object to send messages
QueueReceiver queue specific object for message reception
MessageListener for asynchronous message reception
The basic procedure to set up a JMS application with P2P communication comprises
the following steps. First, use the QueueConnectionFactory to get a connection to
the JMS Provider (middleware). Next, use the QueueConnection to create one or more
QueueSessions. Then ask the JMS Provider to create all queues of the system. Queues
are essentially named message buffers. The sessions are then applied to create sender and
receiver objects with respect to the previously created queues. These objects allow explicit
sending and receiving of messages. As receiving messages blocks the calling thread, we are
also interested in the interface MessageListener that prescribes the implementation
of an asynchronous message handler, i.e., of a method onMessage(Message m) to
evaluate the current message and implement a particular reaction. An implementation of
MessageListenermust be associated with a QueueReceiver and then, the message
handler is notified by the JMS Provider each time a new message arrives in the particular
message queue.
4.2. Implementation of Port-Based Components. In the following we describe how
to implement an assembly of port-based components with asynchronous connectors as a
JMS application. The implementation of the hierarchical structure of composite compo-
nents is briefly discussed afterwards. We consider the JMS standard only, thus we do not
go into details of the concrete reference implementation Open MQ [Mic07].
An assembly comprises component and connector declarations that can be used to cre-
ate the objects of a corresponding JMS application. In the following we refer to the names
used in our metamodel (cf. Fig. 2.1). An Assembly uses a QueueConnectionFactory
and a QueueConnection to create a QueueSession for each component declaration
in cmps. In this way, we obtain a single-threaded execution context for each component.
Using the connector declarations in conns, the names of all queues required with respect
to the connected ports of the assembly are available and might be created using the JMS
provider as a named Queue. Then, for each queue, a sender QueueSender and a re-
ceiver QueueReceiver is created. With the receiver objects we associate component
implementations that implement the interface MessageListener according to mes-
sages of the provided interfaces of all of its ports. In order to enable the sending of mes-
sages within these implementations, a reference to all sender objects that relate to the ports,
i.e., to the output queues of the particular component is passed to the constructor. After
the construction phase is completed, an explicit command connection.start() is
used to start the message exchange as implemented by the components within the given
assembly.
Besides the administrative role of an Assembly, it is the implementation of a com-
ponent’s Behaviour as a MessageListener that is important for a realisation using
JMS. The implementation may use a state pattern and we propose additionally to pass
the sender objects of the component’s output queues as a parameter to the constructor of
the MessageListener implementation. In this way, an initial sending of messages
can be implemented in the constructor body. Message construction means to create a cor-
responding signal object that is passed within an ObjectMessage. Of course this is
not the only way to pass data within messages in JMS and other formats might be more
4. IMPLEMENTATION USING MESSAGE-ORIENTED MIDDLEWARE 33
suitable for a concrete application. Note that messages are not exchanged unless the un-
derlying connection with the JMS provider was explicitely started. The implementation of
the message handler realises the reactions to incoming messages up from the first receive
transition within the component’s behaviour. Mixed choice states could be realised with
timeouts. Finally, an invocation of the message handler with a message not expected in
the current state may result in an exception. As Queues are by default FIFO buffers, this
refers to a system state with a queue whose topmost element was not expected by the regis-
tered receiver. In the realm of CFSM systems, such a system state is called an "unspecified
reception state".
The following steps summarise the procedure applied by an assembly to set up and
start the asynchronous message exchange among its subcomponents.
(1) Get connection to JMS Provider (middleware)
(2) Use connection to create sessions, one for each component
(3) Create queues, one for each port, as administered objects
(4) Use sessions to create sender and receiver for each queue
(5) Create components and register them as asynchronous receiver
(6) Start message exchange (connection.start())
A composite component refers to an assembly in our metamodel; cf. 2.1. We believe that
the hierarchical structure can be preserved within an JMS implementation, if composite
components implement a MessageListener with regard to their relay ports by delega-
tion to the open ports of the assembly.

CHAPTER 3
Behavioural Neutrality in Synchronous Assemblies
1. Syntactical Reduction of Synchronous Assemblies 35
1.1. Behavioural Neutrality and Leaf Components 36
1.2. Reduction Strategy for Synchronous Assemblies 38
2. Port-Based Views of Component Behaviour 39
2.1. Weakly Deterministic IOTSs and Neutrality 39
2.2. Port-Based Computation of Neutral Leaves 41
3. Application to the Compressing Proxy System 43
4. Discussion and Related Work 44
4.1. Neutral Leaf Components and Context Constraints 44
4.2. Neutrality and PADL compatibility 45
It is the goal of this chapter’s study to provide support for the construction and be-
havioural analysis of large scale component-based systems that communicate solely by
synchronous communication. Component behaviour can be considered to be neutral within
a given assembly if its composition does not show any effect on the assembly behaviour
apart from the synchronisation of shared transitions without loosing any transition of the
original assembly behaviour. A major result of this chapter is an algorithm that shows
how to remove neutral components for the computation of a syntactically reduced but be-
haviourally equivalent assembly. A reduced assembly may then be used to implement a
given composite component in a more efficient way. Moreover, we show that it is suffi-
cient to perform neutrality checks using the projection of a component behaviour to one
of its ports, provided that the projected behaviour is a weakly deterministic I/O-transition
system. The port projection is usually a simpler and smaller transition system, at least after
minimisation with respect to greybox respectively blackbox equivalence. Finally, we apply
our approach to the compressing proxy system introduced in Chap. 2.
1. Syntactical Reduction of Synchronous Assemblies
Construction and analysis of assembly behaviours usually implies the necessity to
compute a product of the underlying transition systems. Then, we often face the state
explosion problem that has been the source of investigation at many places. There are,
for instance, approaches to compositional reachability analysis (CRA) such as [CK96]
and, even more prominent under the umbrella of component-based systems, approaches
that focus on efficient analysis of safety and liveness properties such as [BCD02, CFN03,
GTBF03, GS05, GGMC+07]. However, the mentioned studies focus essentially on the
analysis of assembly behaviour, whereas our focus is also on the construction of the black-
box behaviour of composite components which encapsulate an assembly. Given a compos-
ite component CC that encapsulates an assembly a with behaviour beh(a), the blackbox
behaviour beh(CC )ξ of CC is formally defined by observational abstraction (hiding inter-
nal transitions) from beh(CC ) and thus from beh(a). The idea is then to identify compo-
nents within the assembly a which do not play any role for the blackbox behaviour of CC .
Formally, this idea will be reflected by our notion of behavioural neutrality. Then, instead
of computing the behaviour beh(a) of the complete assembly it is sufficient to compute the
35
36 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES
behaviour of a simpler assembly, say a′, where the behaviourally neutral components have
been removed from a, such that beh(a′) and beh(a) are blackbox equivalent. As a conse-
quence, beh(CC ) is blackbox equivalent to the observational abstraction of beh(a′). The
reduction strategy is particularly useful for acyclic topologies containing a distinguished
“rooted” component, but is also sound for arbitrary topologies. The cost of the reduction
algorithm depends primary on the cost of the neutrality checks which are performed be-
tween connected components of the assembly and hence depends on the complexity of the
behaviours of the subcomponents.
We consider assemblies which comprise synchronous connectors only. An assembly
a is called (completely) synchronous, if acs(a) = ∅.
1.1. Behavioural Neutrality and Leaf Components. For the formal definition of be-
havioural neutrality we have to take into account that if we remove components and their
connectors from an assembly, components with artificially opened ports remain. These
ports should not be available for new connections which is modelled by using unary con-
nectors. Behavioural neutrality is now defined in terms of greybox equivalence between
the behaviour of an assembly with two connected components and the behaviour of an
assembly with a single component and the binary connector replaced by a unary one. Fig-
ure 3.1 illustrates this situation for components c : C, d : D and a binary connector
k : (c.p : P, d.q : Q), which is replaced by an unary connector k : (c.p : P ).
Definition 3.1 [Neutrality] Let a = 〈c : C[p : P ], d : D[d : D]; k : K〉 be a synchronous
assembly with ports(K) = {c.p : P, d.q : Q}. The synchronisation via k : K in a is
behaviourally neutral for c : C, if
beh(a) ≈gb beh(〈c : C; k : (c.p : P )〉) .
c : C c : Cd : D
q : Q p : Pp : P k ≈gb k
FIGURE 3.1. Definition of neutrality
Component and connector names in assemblies are unique, therefore we may also write
slightly shorter “synchronisation via k in a for c” if the context of an assembly is given.
Note that behavioural neutrality for c : C can only hold, if the particular communication
partner is a single-port component such as d : D in Fig. 3.1. Otherwise the labellings of
the compared assemblies would not equal each other which is a necessary prerequisite to
apply greybox equivalence for the comparison of the underlying IOTSs. In fact, Def. 3.1
lifts a notion of neutrality between IOTSs to component systems, which is formally defined
as follows: An IOTS B is called neutral for an IOTS A, if A and B are composable and
AθS ≈gb A ⊗ B where S = L(A) on L(B) are the shared labels of A and B and θS
internalises S in A. Intuitively, neutrality means that B does not restrict the behaviour
given by A if B is composed with A.
Based on the notion of behavioural neutrality, we describe our reduction strategy for
assemblies: If the synchronisation at the border of an acyclic assembly topology is be-
haviourally neutral for the next component attached to it, this leaf can not have behavioural
effect on the remaining assembly. We can thus reduce the assembly by removing a neutral
leaf component. In order to obtain again a syntactically well-formed assembly, the particu-
lar binary connector is removed and replaced by a unary connector (Lem. 3.2). In a second
step we eliminate also the unary connector by hiding the port to which the neutral leaf was
connected (Lem. 3.3).
1. SYNTACTICAL REDUCTION OF SYNCHRONOUS ASSEMBLIES 37
Formally, the leaves of an assembly are component declarations which are connected
by exactly one binary assembly connector and do not show open ports: For a ∈ Asm we
let leaves(a) ⊆ cmps(a) such that d : D ∈ leaves(a), if, and only if, open(a) ∩ ports(d :
D) = ∅ and |{k : K | k : K ∈ conns(a) ∧ |ports(K)| = 2 ∧ ports(K) ∩ ports(d : D) 6=
∅}| = 1.
Lemma 3.2 (Reduce) Let a = 〈c : C[p : P ], d : D[q : Q], C; k : K,K〉 be a synchronous
assembly with d : D ∈ leaves(a), C ⊆ CmpDcl, ports(K) = {c.p : P, d.q : Q} and
K ⊆ ConnDcl. If the synchronisation via k : K in a is behaviourally neutral for c : C,
then beh(a) ≈gb beh(〈c : C, C; k : (c.p : P ),K〉).
PROOF. The claim follows from the definitions and the congruence of greybox equiv-
alence w.r.t. relabelling and products. By definition of assembly behaviours, we have that
beh(a) = beh(c : C)σ ⊗ beh(d : D)σ ⊗⊗c′:C′∈C beh(c′ : C ′)σ ,
beh(〈c : C, C; k : (c.p : P ),K〉) = beh(c : C)σ′ ⊗⊗c′:C′∈C beh(c′ : C ′)σ′
with synchronisations σ = σ({c.p,d.q},k)∪σK and σ′ = σ(c.p,k)∪σK. Since synchronisation
via k in a is neutral for c : C we have beh(c : C)σ(c.p,k) ≈gb beh(c : C)σ({c.p,d.q},k) ⊗
beh(d : D)σ({c.p,d.q},k). Thus, by Lem. 2.16(2), we have beh(c : C)σ′ ≈gb beh(c :
C)σ ⊗ beh(d : D)σ. As neither σ(c.p,k) nor σ({c.p,d.q},k) change
⊗
c′:C′∈C beh(c′ : C ′),
we also have
⊗
c′:C′∈C beh(c′ : C ′)σ =
⊗
c′:C′∈C beh(c′ : C ′)σ′, and the claim follows
by applying Lem. 2.16(3). 
Let C ∈ Cmp and p : P ∈ ports(C). The port hiding of p : P in C, written
C \ (p : P ), results in a component C ′ ∈ Cmp such that ports(C ′) = ports(C) \ {p : P}
and beh(C ′) = beh(C)/{p.m | m ∈ msg(P )}.
Lemma 3.3 (Hide) Let a = 〈c : C[p : P ], C; k : (c.p : P ),K〉 be a synchronous assembly.
Then beh(a)/{k.m | m ∈ msg(P )} ≈gb beh(a[c : C 7→ C ′]), where C ′ = C \ (p : P ).
PROOF. The claim follows from the definitions using the fact that the labels {k.m |
m ∈ msg(P )} are not shared with any component of the reduced assembly, and that
greybox equivalence is a congruence w.r.t. IOTS products. By definition of assembly be-
haviours we have for the left-hand side
beh(a)/H = (c.beh(C)σ ⊗⊗c′:C′∈C beh(c′ : C ′)σ)/H,
and by definition of type substitution in assemblies and hiding of ports for the right-hand
side
beh(a[c : C 7→ (C \ (p : P ))])
= c.beh(C \ (p : P ))σK ⊗
⊗
c′:C′∈C beh(c′ : C ′)σK
= c.(beh(C)/{p.m | m ∈ msg(P )})σK ⊗
⊗
c′:C′∈C beh(c′ : C ′)σK,
with synchronisations σ = σ(c.p,k) ∪ σK and hiding H = {k.m | m ∈ msg(P )}. As
H does not affect C and K, the right-hand side of the first equation is greybox equivalent
to c.beh(C)σ/H ⊗⊗c′:C′∈C beh(c′ : C ′)σ by Lem. 2.17(3). Now c.beh(C)σ/H =
(c.beh(C)σ(c.p,k)/H)σK. By definition of unary synchronisation relabellings we have for
Lbeh(C) = (I,O, T ) and Lbeh(C)σ(c.p,k) = (I ′, O′, T ′) that k.m ∈ T ′ iff p.m ∈ I ∪ O.
Thus we obtain
c.beh(C)σ(c.p,k)/H ≈gb c.(beh(C)/
⋃
Lbehp:P (C)).
Since removing σ(c.p,k) from σ does not change
⊗
c′:C′∈C beh(c′ : C ′), we have
⊗
c′:C′∈C
beh(c′ : C ′)σ =
⊗
c′:C′∈C beh(c′ : C ′)σK and the claim follows by Lem. 2.16(3). 
38 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES
1.2. Reduction Strategy for Synchronous Assemblies. The lemma for reduction
and hiding allow to remove neutral leaf components one after the other. The neutral
leaves of an assembly a are defined by neutralleaves(a) ⊆ cmps(a) such that d : D ∈
neutralleaves(a), if, and only if, there are component declarations c : C[p : P ], d : D[q :
Q] ∈ cmps(a), d : D ∈ leaves(a), k : (c.p : P, d.q : Q) ∈ conns(a) and the synchroni-
sation in a via k : (c.p : P, d.q : Q) is neutral for c : C. An assembly a is called finite if
cmps(a) is finite. Now define the syntactical reduction of a finite assembly a ∈ Asm by
red : Asm→ Asm such that red(a) is the assembly computed by the following algorithm:
while neutralleaves(a) 6= ∅
do d : D ← choose from neutralleaves(a)
let a = 〈c : C, d : D, C; k : (c.p : P, d.q : Q),K〉 an assembly
such that synchronisation via k in a is neutral for c
a← a[c : C 7→ (C \ (p : P ))]
od
Of course, in general, the assembly a and the reduced assembly red(a) will not be grey-
box equivalent because by hiding of ports red(a) shows less communication than a. The
assemblies, however, have observationally equivalent behaviours.
Lemma 3.4 (Assembly) Let a be a finite assembly. Then beh(a) ≈bb beh(red(a)).
PROOF. The algorithm terminates for each finite assembly a. For each iteration of
the while-loop let a0 be the assembly on entry and a1 the assembly on exit. We show
beh(a0) ≈bb beh(a1). Let a0 = 〈c : C, d : D, C; k : (c.p : P, d.q : Q),K〉 such that the
synchronisation via k in a is neutral for c, then a1 = a[c : C 7→ (C \ (p : P ))]. Assume
H = {k.m | m ∈ msg(P )}, then the following holds:
beh(a0)/H ≈gb beh(〈c : C, C; k : (c.p : P ),K〉)/H [Lem. 3.2, Lem. 2.16(1)]
≈gb beh(a[c : C 7→ (C \ (p : P ))]) = beh(a1) . [Lem. 3.3]
Thus, beh(a0)/H ≈gb beh(a1) and since H contains internal labels only we may also
hide all internal labels, that is beh(a0)ξ ≈gb beh(a1)ξ and hence we obtain the invariant
beh(a0) ≈bb beh(a1). The claim follows from the invariant. 
The reduction strategy for assemblies is directly applicable to the computation of a
blackbox composite component behaviour.
Theorem 3.5 (Reduced composite component) Let 〈a;P;K〉 ∈ CCmp with a finite. Then
beh(〈a;P;K〉) ≈bb beh(〈red(a);P;K〉).
PROOF. By definition, leaves(a) do not have open ports. Thus no components with
a delegate connector to a relay port can be removed from a by the reduction algorithm.
Therefore, 〈red(a);P;K〉 is a well-formed composite component. Blackbox equivalence
does not distinguish between internal and τ transitions, thus≈gb and≈bb coincide and the
result follows from Lem. 3.4 by renaming actions on open ports of a, and hence of red(a),
to actions on the relay ports P . 
Our reduction strategy is sound for arbitrarily structured finite assemblies. But it is
particularly useful for assemblies with an acyclic topology and for composite components
which are rooted, i.e., exactly one of the assembly components is connected to the relay
ports of the composite component, like in Fig. 3.2. Then, in the best case, all subcompo-
nents but the root rc : RC can be removed such that beh(CC) ≈gb beh(rc:RC)ρ where ρ is
a relay relabelling. Note that acyclic topologies do not present a too severe restriction in
terms of practical applicability. There is, e.g., a direct match with the architectural pattern
“Blackboard” [BFH+07] for the design of distributed communications using a common
data structure. Also, the architectural design of a large part of the Common Component
Modelling Example [RRMP08] adheres to an even more restricted acyclic structure, called
2. PORT-BASED VIEWS OF COMPONENT BEHAVIOUR 39
rc : RC
CC
FIGURE 3.2. Composite component with acyclic assembly
“star topology” in [BCD02], where each leaf is attached to one centre component. Our re-
duction strategy can also be effectively applied to assembly topologies containing cycles
as long as there are neutral leaves around that can be removed. When a cycle is reached
we would propose to encapsulate the cycle into a new, nested composite component and to
proceed as before by searching again for neutral leaves.
Finally, we would like to stress again that the behaviour of a reduced assembly is not
greybox equivalent to the behaviour of the original assembly and that the results of our
approach rely fundamentally on the additional abstraction step that is applied when the
blackbox behaviour of a composite component is considered. Not being greybox equiv-
alent means for the case of assemblies that the systems may not show the same synchro-
nisations. Indeed, syntactical reduction of assemblies removes neutral components and in
the resulting assembly the synchronisation is merely mimicked by internalisation of the
particular transitions to which the removed components where neutral. Now it is important
to note that our reduction uses the IOTS product operator to decide on neutrality and one of
the characteristic properties of IOTS composition is that only successful communication is
preserved. In case of shared transitions that are not synchronised the particular transition is
not considered any more. In particular this means, that the removal of neutral components
may also remove behaviour which might still be of interest within a global analysis of the
given assembly. Therefore, to ensure the correctness of an analysis of a reduced assem-
bly one needs to check that the property under investigation does not rely on unsuccessful
communications.
2. Port-Based Views of Component Behaviour
A closer look reveals that in order to decide on neutrality along Def. 3.1, one needs
to compute the composition of a leaf component behaviour with the behaviour of the at-
tached component, which can still be quite expensive. To further optimise our method
we are interested in criteria to avoid composition of full behaviours of components and to
compose smaller transition systems instead. An immediate candidate for smaller transition
systems are port-based views of the component behaviour. In Sect. 2.2 we show that port-
based views can be used to provide such criteria, if they are weakly deterministic. For this
purpose we first proceed with some definitions and analysis on the level of I/O-transition
systems. Afterwards, the results are related back to the component level.
2.1. Weakly Deterministic IOTSs and Neutrality. Port-based views of component
behaviour hide transitions which do not involve messages of the particular port. Aiming at
a decision on neutrality between component behaviours using port-based views then means
to check that such a hiding does not hide too much. Intuitively we need to make sure that
40 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES
the behaviour at hidden ports does not involve decisions which compromises the correct-
ness of a neutrality analysis at a different port. Since hiding means a relabelling to τ and
neutrality for IOTSs is based on greybox equivalence such a critical decision is an “internal
choice” which can not be removed without invalidating greybox equivalence. Hence, on
the one hand we want to allow for τ -transitions but on the other hand we do not allow for
non-removable internal choice transitions. It turns out that Milner’s (weak) determinacy
[Mil89, Def. 11.3, Ex. 11.1] yields an appropriate notion, which is transfered to IOTSs
by a definition of “weak determinism”. Weak determinacy is preserved by observational
equivalence [Mil89, Prop. 11.4] which helps to provide a quite intuitive understanding of
weak determinism for IOTSs. In [HJK08] we prove that an IOTS A is weakly determinis-
tic, if there is a greybox equivalent, minimal IOTS B without τ -transitions; such a B is a
weakly deterministic IOTS without τ -transitions and hence also strongly deterministic. By
the transition minimisation procedure of Eloranta [Elo91], a finite τ -free minimal IOTS is
unique up to graph-isomorphism. Thus, for ensuring that a finite IOTS is weakly deter-
ministic, it suffices to minimise the IOTS w.r.t. the number of states and transitions and to
check that the resulting IOTS has no τ -transitions and that from each state there is at most
one transition for each label.
For the precise definition of weakly deterministic IOTSs we need to consider the weak
traces of an IOTS. Given an IOTS A = (L, S, s0,∆), if we remove in each finite trace
of A all τ occurrences then we obtain the weak traces of A. We define the traces of
an IOTS based on its initial execution fragments. Let A be an IOTS. The trace of an
execution fragment ρ ∈ frag∗0(A) is the sequence of labels occurring in ρ, i.e. the trace of
ρ = (s0l1s1 . . . lnsn) is the sequence λ = l1 . . . ln ∈ L(A)∗. A weak trace is obtained
from λ by projection to the alphabet
⋃
LA, i.e. by removing all τs from l1 . . . ln.1 Note
that the empty sequence  is also a weak trace. With the weak traces for all initial execution
fragments ρ ∈ frag∗0(A) we obtain the set of weak traces of A, denoted by T ∗(A).
Lemma 3.6 If A and B are IOTSs with A ≈gb B, then T ∗(A) = T ∗(B).
PROOF. Greybox equivalent IOTSs have, up to occurrences of τ transitions, the same
finite traces. Hence they have the same weak traces. 
An IOTS A is weakly deterministic if all finite traces of A which coincide up to τ
transitions lead to greybox equivalent elements of A. We extend the notation (s, l, s′) ∈
∆XA to label sequences, such that (s, λ, s′) ∈ ∆XA if s′ is reachable via labels in λ (in the
given order), possibly interspersed with labels in X. Then (s, , s′) ∈ ∆XA is equivalent
with (s, s′) ∈ ∆XA.
Definition 3.7 (Weakly deterministic) An IOTS A = (L, S, s0,∆) is weakly deterministic
if for all weak traces λ ∈ T ∗(A) the following holds: If (s0, λ, s1) ∈ ∆τ and (s0, λ, s2) ∈
∆τ then s1 ≈gb s2.
Remember that an IOTSB is called neutral for an IOTSA, ifA andB are composable
and AθS ≈gb A ⊗ B where S = L(A) on L(B) are the shared labels of A and B
and θS internalises S in A. We extend a sufficient criterion, called “interface theorem”,
from Cheung and Kramer [CK96] for determining neutrality to our setting. We generalise
their assumptions to include not necessarily finite IOTS and use greybox equivalence and
weakly deterministic IOTSs.
Proposition 3.8 Let A and B be two composable IOTSs with
⋃
LB ⊆
⋃
LA, and let
H =
⋃
LA \
⋃
LB . Let B be weakly-deterministic. Then B is neutral for A if, and only if,
T ∗(A/H) ⊆ T ∗(B).
PROOF. We abbreviate θS(A,B) by θS . “⇐” We show that R = {(sA, (sA, sB)) ∈
SA × (SA × SB) | ∃λ ∈
⋃
LA
∗
. (s0,A, λ, sA) ∈ ∆τA ∧ (s0,B , λ/H, sB) ∈ ∆τB}, where
1Remember that L(A) = IA ∪OA ∪ TA ∪ {τ} and
⋃
LA = IA ∪OA ∪ TA
2. PORT-BASED VIEWS OF COMPONENT BEHAVIOUR 41
λ/H is obtained from λ by removal of all labels given by H , is a witness for greybox
equivalence between AθS and A⊗B.
Let T ∗(A/H) ⊆ T ∗(B) hold. Let A = (LA, SA, s0,A,∆A), B = (LB , SB ,
s0,B ,∆B), AθS = (LAθS , SA, s0,A,∆AθS ), A⊗B = (LA⊗LB , SA×SB , (s0,A, s0,B),
∆A⊗B). Let R = {(sA, (sA, sB)) ∈ SA × (SA × SB) | ∃λ ∈
⋃
LA
∗
. (s0,A, λ, sA) ∈
∆τA ∧ (s0,B , λ/H, sB) ∈ ∆τB} where λ/H is the sequence of labels which results from λ
when removing all labels in H . Then (s0,A, (s0,A, s0,B)) ∈ R. In order to show that R is
a witness for greybox equivalence between AθS and A⊗B, let (sA, (sA, sB)) ∈ R.
Let (sA, l, s′A) ∈ ∆AθS . If l ∈ H or l = τ , then ((sA, sB), l, (s′A, sB)) ∈ ∆A⊗B and
(s′A, (s′A, sB)) ∈ R. If l ∈ S(A,B), let λ ∈
⋃
LA
∗ be a weak trace with (s0,A, λ, sA) ∈
∆τA and (s0,B , λ/H, sB) ∈ ∆τB . Then λl ∈ T ∗(A) and thus (λ/H)l = (λl)/H ∈
T ∗(A/H) ⊆ T ∗(B). Hence there is a s(1)B ∈ SB such that (s0,B , λ/H, s(1)B ) ∈ ∆τB and
(s(1)B , l, s
(2)
B ) ∈ ∆B . As B is weakly deterministic, s(1)B ≈gb sB , and thus there is a s′B ∈
SB with (sB , l, s′B) ∈ ∆τB . Thus ((sA, sB), l, (s′A, s′B)) ∈ ∆τA⊗B and (s′A, (s′A, s′B)) ∈
R.
Let ((sA, sB), l, (s′A, s′B)) ∈ ∆A⊗B . Then either l = τ or l ∈ S(A,B) or l ∈ H ,
since
⋃
LB ⊆
⋃
LA. If (sA, τ, s′A) ∈ ∆A then s′B = sB , (sA, τ, s′A) ∈ ∆AθS and
(s′A, (s′A, sB)) ∈ R; if (sB , τ, s′B) ∈ ∆B then s′A = sA, (sA, sA) ∈ ∆τAθS , and (sA, (sA,
s′B)) ∈ R. If l ∈ S(A,B), then (sA, l, s′A) ∈ ∆AθS and (s′A, (s′A, s′B)) ∈ R. If l ∈ H ,
then (sA, l, s′A) ∈ ∆AθS , s′B = sB , and (s′A, (s′A, sB)) ∈ R.
“⇒” The claim follows from Lem. 3.6 using the fact thatH does not contain shared la-
bels ofA andB and the congruence of greybox equivalence w.r.t. hiding. LetAθS ≈gb A⊗
B. Then A/H ⊗B ≈gb (A⊗B)/H by Lem. 2.17 (3), as S(A,B)∩H = ∅. Furthermore
(AθS)/H ≈gb (A/H)θS , again since S(A,B) ∩H = ∅. Thus (A/H)θS ≈gb A/H ⊗B
by Lem. 2.16 (1). Since
⋃
LA/H =
⋃
LB , all labels between A/H and B are shared, and
thus T ∗(A/H ⊗ B) ⊆ T ∗(B). By Lem. 3.6, we have T ∗(A/H) = T ∗((A/H)θS) =
T ∗(A/H ⊗B) ⊆ T ∗(B). 
The following corollary is the crucial result needed for the port-based computation of
neutral leaf components discussed hereafter. Essentially it says that neutrality of a weakly
deterministic IOTS B for some IOTS A can be propagated to the neutrality of B for some
more complex IOTS C, if A is greybox equivalent to some view C/H on the larger be-
haviour C.
Corollary 3.9 Let A, B, and C be IOTSs such that
⋃
LB =
⋃
LA ⊆
⋃
LC . Let B be
composable with A and C. Let H =
⋃
LC \
⋃
LA and C/H ≈gb A. Let B be weakly
deterministic. Then B is neutral for A if, and only if, B is neutral for C.
PROOF. First, since C/H ≈gb A we have, by Lem. 3.6, T ∗(C/H) = T ∗(A). B is
neutral for A iff (by Prop. 3.8, since
⋃
LB =
⋃
LA) T ∗(A) ⊆ T ∗(B) iff T ∗(C/H) ⊆
T ∗(B) iff (by Prop. 3.8, taking C for A) B is neutral for C. 
2.2. Port-Based Computation of Neutral Leaves. In this section, we focus on the
behavioural neutrality checks which are performed component-wise in our reduction al-
gorithm of Sect. 1. Components communicate exclusively via ports; therefore it should
be sufficient to compare instead of the complete behaviour of two components only the
behaviour visible at their connected ports which are usually much smaller IOTSs. We
show that the neutrality checks indeed may be optimised by considering port-based views
which hide component actions that are not visible at the given port. Here we would like
to stress that port-based checks are an optimisation to compare behaviours; the views are
not intended to replace component behaviours in the computation of assembly behaviours.
Of course, such an approach can only be sound if the particular view preserves enough
information of the complete component behaviour such that neutrality between port-based
views of component behaviours indeed implies neutrality for the synchronisation of the
42 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES
underlying complete behaviours. It will turn out that weakly determinism is a fundamental
prerequisite.
Definition 3.10 (Port behaviour) Let C ∈ Cmp with p : P ∈ ports(c : C). The behaviour
of C at port p : P is given by beh(C)p:P = beh(C)/(
⋃
(LC) \ {p.m | m ∈ msg(P )}).
The behaviour beh(C)p:P is also called port behaviour of p : P in the context of C.
Similar to the hiding of ports, we may construct new components using the behaviour
of a component at a particular port. Let C ∈ Cmp and p : P ∈ ports(C). The restriction
of C to port p : P , written C ↓p:P , yields a component (type) C ′ ∈ Cmp, given by
ports(C ′) = {p : P} and beh(C ′) = beh(C)p:P .
Definition 3.11 (Port neutrality) Let a = 〈c : C[p : P ], d : D[d : D]; k : K〉 be a
synchronous assembly with ports(K) = {c.p : P, d.q : Q}. The port behaviour beh(D)q:Q
is k-neutral for beh(C)p:P if the synchronisation via k : K in a[c : C 7→ (C↓p:P ), d : D 7→
(D↓q:Q)] is behaviourally neutral for c : C↓p:P .
Unfolding the definition of port neutrality results in a characterisation in terms of IOTSs:
beh(C)p:Pσ ⊗ beh(D)q:Qσ ≈gb beh(C)p:P θS where σ is an appropriate synchronous re-
labelling using the connector k : K and S = S(beh(C)p:Pσ, beh(D)q:Qσ). Hence, port
behaviours can only be behaviourally neutral if their labellings are inverse, i.e., if input
and output labels mutually coincide. Port neutrality has the important consequence that
the behaviour of a component is unaffected if a port of the component is connected to a
neutral port of another component, provided that the behaviour of this port is weakly deter-
ministic. Weak determinism is the crucial property required to preserve neutrality within
our abstraction from component behaviours to port behaviours as given by Def. 3.10.
The following theorem is an application of the results discussed on the level of I/O-
transition systems in Sect. 2.1. It is at the core of a more efficient check for neutrality in
assemblies. Note that component C may have more than one port.
Theorem 3.12 (Port-based check) Let a = 〈c : C, d : D; k : K〉 be a synchronous assem-
bly, p : P ∈ ports(C), ports(D) = {q : Q} and ports(K) = {c.p : P , d.q : Q}. If
beh(D)q:Q is weakly deterministic and beh(D)q:Q is k-neutral for beh(C)p:P , then the
synchronisation via k :K in a is behaviourally neutral for c : C.
PROOF. By expanding definitions we show that the theorem is an instance of Cor. 3.9.
By definition of port neutrality Def. 3.11 we need to show that the behavioural neutrality
of the synchronisation via k : K in a[c : C 7→ (C↓p:P ), d : D 7→ (D↓q:Q)] implies the be-
havioural neutrality of the synchronisation via k:K in a for c : C. By definition of neutrality
Def. 3.1 this amounts to show that
beh(〈c : C↓p:P , d : D↓q:Q; k : (c.p : P, d.q : Q)〉) ≈gb beh(〈c : C↓p:P ; k : (c.p : P )〉)
implies beh(〈c : C, d : D; k : (c.p : P , d.q : Q)〉) ≈gb beh(〈c : C; k : (c.p : P )〉).
By definition of assembly behaviours:
beh(c : C↓p:P )σ2 ⊗ beh(d : D↓q:Q)σ2 ≈gb beh(c : C↓p:P )σ1
implies beh(c : C)σ2 ⊗ beh(d : D)σ2 ≈gb beh(c : C)σ1
with σ2 = σ(c.p,d.q,k) and σ1 = σ(c.p,k). By definition of restriction and behaviours of
component declarations we obtain
(c.beh(C)p:P )σ2 ⊗ (d.beh(D)q:Q)σ2 ≈gb (c.beh(C)p:P )σ1
implies (c.beh(C))σ2 ⊗ (d.beh(D))σ2 ≈gb (c.beh(C))σ1
which is, by ports(D) = {q : Q}, equivalent to
(c.beh(C)p:P )σ2 ⊗ (d.beh(D))σ2 ≈gb (c.beh(C)p:P )σ1
implies (c.beh(C))σ2 ⊗ (d.beh(D))σ2 ≈gb (c.beh(C))σ1
3. APPLICATION TO THE COMPRESSING PROXY SYSTEM 43
By definition of port behaviours we have beh(C)/H = beh(C)p:P with H =
⋃
LC \
{p.m | m ∈ msg(P )}, i.e., we have to prove that
(c.beh(C)/H)σ2 ⊗ (d.beh(D))σ2 ≈gb (c.beh(C)/H)σ1
implies (c.beh(C))σ2 ⊗ (d.beh(D))σ2 ≈gb (c.beh(C))σ1
Now H does not interfere with σ1 and σ2. Therefore, by A ≡ (c.beh(C))σ2/H , B ≡
(d.beh(D))σ2 and C ≡ (c.beh(C))σ1 we have an instance of Cor. 3.9. 
The theorem allows for a port-based computation of the neutral leaves of an assembly
which links our analysis back to the results of Sect. 1.
Corollary 3.13 Let a be a synchronous assembly, d : D ∈ leaves(a), ports(D) = {q : Q}
and k : (c.p : P, d.q : Q) ∈ conns(a). If beh(D)q:Q is weakly deterministic and beh(D)q:Q
is k-neutral for beh(C)p:P then d : D ∈ neutralleaves(a), where C = ty(cmp(c.p : P )).
PROOF. By Thm. 3.12 we derive neutrality of the leaf component D from the given
port neutrality, and with the definition of neutral leaves the claim follows. 
3. Application to the Compressing Proxy System
We apply the results of this chapter, in particular the reduction algorithm of Sect. 1,
to the efficient computation of the behaviour of the CompressingProxy component (cf.
Fig. 2.2). We start with the underlying assembly which contains the three components
adapt:Adaptor, gzip:GZip, and gifToJpg:GifToJpg and assume synchronous connectors.
Let a = 〈C;K〉 be a synchronous assembly, C = {adapt:Adaptor, gzip:GZip, gif:GifToJpg}
and K = {tz:(t:TxtCompr, z:Zip), gj: (g: GifCompr, j:ToJpg)}. First, we choose the leaf
gzip:GZip and consider its port z:Zip. Since GZip is a single-port component, component be-
haviour and port behaviour of z:Zip in the context of gzip:GZip coincide. The port behaviour
is obviously weakly deterministic, since there are no τ -transitions and the transition sys-
tem is already (strongly) deterministic; cf. Fig. 2.3. Then we check that beh(GZip)z:Zip is
tz-neutral for beh(Adaptor)t:TxtCompr by computation of the product
beh(Adaptor)t:TxtComprσ ⊗ beh(GZip)z:Zipσ
with synchronous relabelling σ according to the connector tz. This product represents
the synchronisation via tz in an assembly according to Def. 3.11. By computation of the
port behaviour beh(Adaptor)t:TxtComprσ all transitions of the adaptor behaviour as given in
Fig. 2.3 which do not involve port t:TxtCompr are relabelled to τ . The resulting IOTS
can be replaced by an observationally equivalent minimised IOTS. Then the product with
beh(GZip)z:Zipσ yields an IOTS as given in Fig. 3.3. The product of the port behaviours
is greybox equivalent to (beh(Adaptor)t:TxtComprσ)θS (cf. Fig. 2.3), where the shared la-
bels S = {tz.txt, tz.endTxt, tz.zip, tz.endZip, tz.stop} are internalised. Hence, by Cor. 3.13,
gzip:GZip is a neutral leaf of the assembly a. Our algorithm proceeds by removing this leaf
and hiding the port t:TxtCompr, i.e., the component type Adaptor is replaced by the com-
ponent type Adaptor’ obtained from the port hiding Adaptor \ (t:TxtCompr). The resulting
behaviour of Adaptor’ has a large number of τ -transitions and can be minimised to an IOTS
with 4 states and 5 transitions. Let a′ be the new assembly obtained from a after the first
reduction step.
In the second step, we choose the leaf gifToJpg:GifToJpg of a′ and consider its port
j:ToJpg. Again it is a single-port component but unfortunately, the port behaviour at j:ToJpg
is not weakly deterministic, since there is a weak trace gif which leads to state j1 and also
to state j2 (cf. Fig. 2.3), but these states are not greybox equivalent since in j1 it is possible
to choose cancel and reach state j0 which does not show an output transition labelled j.jpg.
Such an output, however would be required to be in relation with j2. Thus we cannot
apply Cor. 3.13 and we have to show directly on the level of component behaviours that
the synchronisation via gj in a′ is behaviourally neutral for adapt : Adaptor’. The neutrality
44 3. BEHAVIOURAL NEUTRALITY IN SYNCHRONOUS ASSEMBLIES
tz.txt tz.zip
tz.endZip
tz.stop
tz.endTxt
tz.txt
tz.zip
FIGURE 3.3. beh(Adaptor)t:TxtComprσ ⊗ beh(GZip)z:Zipσ
check is indeed successful. Our algorithm now removes also the leaf gifToJpg:GifToJpg
from a′ and hides the port g:GifCompr of Adaptor’. Thus, we obtain as the final result of
the reduction an assembly a′′ consisting of a single component adaptor : Adaptor” where
Adaptor” has only two ports u:UpStream and d:DownStream. The behaviour of Adaptor” has
only two states and three transitions after minimisation and hence the same holds for the
behaviour of a′′.
Finally, we apply Thm. 3.5 which shows that beh(CompressingProxy) is observational
equivalent to the behaviour of a composite component which encapsulates the very simple
assembly a′′ and which results in the behaviour shown in Fig. 2.4b. The most expensive
task in our reduction was the neutrality check between gifToJpg:GifToJpg and adapt:Adaptor’
which led to the construction of a product IOTS with 12 states and 23 transitions (before
minimisation). On the other hand, if we would have directly computed the behaviour
of CompressingProxy based on the behaviour of the original assembly a, then the most
expensive task would have been the construction of the complete behaviour of a which has
30 states and 65 transitions (also before minimisation).
4. Discussion and Related Work
The neutrality check during the syntactical reduction of an assembly involves the com-
putation of a product at the border of the component assembly for each leaf component.
Therefore, compared to the computation of the complete product, there is no direct im-
provement with respect to the number of considered transition systems. However, besides
the construction of syntactically reduced and observationally equivalent component types,
the approach can be used as a starting point for analysis of verification problems that do
not depend on the local behaviours of removed neutral leaf components.
Our approach and, in particular, our notion of neutral component behaviour shows
similarities to work of Cheung and Kramer [CK96] and Bernardo et al. [BCD02].
4.1. Neutral Leaf Components and Context Constraints. Cheung and Kramer use
automatically derived context constraints to construct the behaviour, formalised by labelled
transition systems (LTS), of composed systems more efficiently [CK96]. Context con-
straints take the form of interface processes that capture the interplay between a set of com-
posed processes playing the role of an environment for a single fixed process as part of the
composition. If the composition of interface and fixed process results in a smaller transition
system, it is substituted. The correctness of the approach relies on a transparency property
that requires a strong semantic equivalence between a (possibly) composed process P and
its composition P ‖ I with the interface process I . Criteria guaranteeing the transparency
are identified in an interface theorem [CK96, Thm. 6.4.1] to which Prop. 3.8 can be con-
sidered the counterpart using IOTSs together with weaker equivalence notions. The criteria
of [CK96] have been formulated for communicating finite-state processes where parallel
composition involves an error state for failing communications and relies on strong traces,
strong process equivalence, and strongly deterministic finite-state processes. Even though
the possibility of using weaker equivalences is mentioned in [CK96, p. 354], it is not elab-
orated. We have generalised the assumptions to include not necessarily finite IOTSs and
4. DISCUSSION AND RELATED WORK 45
use weak notions of equivalence, traces, and determinism, i.e., greybox equivalence, weak
traces, and weakly deterministic IOTSs.
Furthermore, our application to the computation of assembly behaviours is different.
We do not consider a composition of processes as an environment of some fixed process
but analyse instead the behavioural impact of leaf components. This allows, on the one
hand, to obtain a reduction algorithm generating an assembly with less components that
may be used to substitute the original assembly. On the other hand, we may improve the
efficiency of the neutrality analysis by considering port instead of component behaviours.
4.2. Neutrality and PADL compatibility. PADL [BCD02] uses observational equiv-
alence for a notion of compatibility between components that expresses the same idea as
our notion of behavioural neutrality. In PADL compatibility is used to detect architectural
mismatches and it is shown that pairwise compatibility is a sufficient criterion to derive
deadlock-freedom of an acyclic assembly from the deadlock-freedom of its local compo-
nents. This technique is, however, not applied for an explicit construction of syntactically
reduced assemblies. The syntactic reduction has the advantage that we can abstract from
synchronisations within an assembly by removing neutral components stepwise. It allows
us to utilise again behavioural neutrality after each of the reduction steps. By this means
we finally obtain a reduced assembly whose behaviour is known to be equivalent to the
original behaviour of the particular composite component.
Finally, deciding neutrality of component behaviours can still be quite expensive due
to the required check for greybox equivalence. Therefore, as discussed above in the com-
parison with [CK96], a further important difference between our approach and [BCD02]
concerns the integration of port behaviours. This increases the efficiency of the check for
neutrality, under the assumption of weak determinism.

CHAPTER 4
A Theory for Refinement and Compatibility
1. Input-Persistent I/O-Transition Systems (PIO) 48
1.1. From IOTSs to PIOs to MIOs 48
1.2. Blackbox-Refinement 50
1.3. Output Compatibility 55
2. Asynchronous Communication 58
2.1. FIFO Encoding and Buffered PIOs 59
2.2. Refinement and Asynchronous Compatibility 61
3. Compatibility and N-ary Composition 64
3.1. Communication-Safety 64
3.2. Pairwise and Incremental Analysis 65
4. Greybox Refinement and General Properties 66
4.1. Blackbox vs Greybox Refinement 69
4.2. Weak Simulation and Temporal Logics 69
5. Discussion and Related Work 73
In order to support the development and analysis of component behaviours on different
abstraction levels, a theory for the refinement of behaviour specifications is needed. The
refinement relation should satisfy fundamental properties such as reflexivity, transitivity,
and compositionality. Moreover, the relation should, on the one hand, preserve as much
properties as possible, but on the other hand leave enough freedom for concrete design
decisions. Our study is motivated by the aim to detect behavioural incompatibilities as
discussed in Chap. 2, taking into account the asymmetry of sending (output) and receiv-
ing (input) messages. We develop different notions of output compatibility with varying
degrees of freedom for the interleaving of local, non-shared component actions. It turns
out that, in order to preserve output compatibility, we need additional information that al-
lows to couple the message transfer with the refinement of the transition that specified the
transfer. On this account our approach extends I/O-transition systems to input-persistent
I/O-transition systems (PIO) and defines a blackbox refinement relation that demands the
preservation of persistent transitions. The relation is termed “blackbox” because it ignores
differences of internal labels. PIOs can be considered as a special case of modal I/O au-
tomata (MIO) and then, blackbox refinement corresponds to weak modal refinement.
Our theory is required to cope with FIFO buffered message exchange. Based on an
encoding of FIFO buffers we show that blackbox refinement is indeed transferable to asyn-
chronously communicating components. Moreover, we develop a notion of asynchronous
output compatibility that is a natural extension of synchronous output compatibility to an
asynchronous setting and show its preservation by blackbox refinement. The resulting the-
ory is an interface theory in the sense of [BMSH10] which is briefly discussed in Sect. 5.
Communication-safety defines a notion of output compatibility for n-ary composi-
tions of PIOs. We show that blackbox refinement of single transition systems preserves
communication-safety of their composition and, moreover, investigate to what extend pair-
wise analysis of output compatibility implies communication-safety.
47
48 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Finally, we consider more general properties and a greybox variant of our refinement
relation. Greybox refinement distinguishes internal labels. We show that greybox refine-
ment preserves safety properties with regard to the communication traces of a composed
system and briefly discuss counterexamples for the preservation of liveness properties.
1. Input-Persistent I/O-Transition Systems (PIO)
We extend the formalism of I/O-transition systems given in Chap. 2 (Sect. 2) to include
the specification of a distinguished set of transitions, so-called persistent transitions. These
kinds of transitions define additional information for a subset of the transitions given by
the transition relation of an I/O-transition system. The additional information is used to
relate notions of compatibility with a refinement relation for input-persistent I/O-transition
systems in such a way that refinement preserves compatibility and is still compositional
without assumptions on the environment of the given transition system.
1.1. From IOTSs to PIOs to MIOs. The overall goal is to develop a theory for port-
based components which communicate by synchronous and asynchronous message ex-
change. In such a setting, we expect component implementations to support at least all
of the specified input behaviour, i.e. to provide guarantees for the reception of messages.
For this reason, we consider a particular class of IOTSs with persistent transitions, namely
those which are input-persistent. The corresponding refinement relation is then defined in
such a way that persistent transitions, and thus the input behaviour according to a corre-
sponding specification, is preserved.
Definition 4.1 (Input-persistent I/O-transition system) An input-persistent I/O-transition
system (PIO), is a tuple (L, S, s0,∆,Π), where (L, S, s0,∆) is an I/O-transition system
and Π is a set of persistent transitions, given by Π ⊆ ∆ such that for L = (I,O, T ), for
all l ∈ I and all s, s′ ∈ S, if (s, l, s′) ∈ ∆ then (s, l, s′) ∈ Π.
The definition and notations for IOTSs are extended in a straightforward way for PIOs.
For instance, if A = (L, S, s0,∆,Π) is a PIO, we continue to use an index to refer to the
constituents of A, e.g. LA to refer to the IOL L, ΠA to refer to Π etc. An extension of the
operators of I/O-transition systems which takes the set of persistent transitions into account
yields the corresponding operators of PIOs. We assume that such a transfer preserves the
assignment of transitions to the relations ∆ and Π. For instance, we will use the ξ operator
to hide internal labels in PIOs; then it is assumed that ξ is applied to both relations and the
hidden transitions are still in the respective relation.
In the following we give an explicit definition for composability and the product oper-
ator. The product preserves persistence of a transition only in case both transitions are per-
sistent. Two PIOs A and B are composable if LA and LB are composable. The product of
two composable PIOsA andB is the PIOA⊗B = (LA⊗LB , SA×SB , (s0,A, s0,B),∆,Π)
where ∆ and Π are given for R ∈ {∆,Π} by
R = {((sA, sB), l, (s′A, sB)) | (sA, l, s′A) ∈ RA ∧ sB ∈ SB ∧ l /∈ S(A,B)} ∪
{((sA, sB), l, (sA, s′B)) | (sB , l, s′B) ∈ RB ∧ sA ∈ SA ∧ l /∈ S(A,B)} ∪
{((sA, sB), l, (s′A, s′B)) | (sA, l, s′A) ∈ RA ∧ (sB , l, s′B) ∈ RB ∧ l ∈ S(A,B)}.
Example 4.2 (PIO Composition) Figure 4.1 shows a simple system comprising a pro-
ducer process Prod and a buffer process Buf. If we assume that put is the sole shared
action, the composition results in a PIO as depicted in Fig. 4.1c. Note that the distinction
between ∆ and persistent transitions in Π does not play a special role for the composition
of PIOs. Transitions with non-shared labels are interleaved in the product and transitions
with shared labels synchronise by a rendezvous mechanism. Though, note that synchroni-
sation requires the transitions to be from the same relation, that is, persistent transitions
1. INPUT-PERSISTENT I/O-TRANSITION SYSTEMS (PIO) 49
must be specified to be persistent in both systems. If this is not the case the transition is
synchronised in ∆ but not in the set of persistent transitions of the product.
(a) Prod
/put
p0
(b) Buf
put/ put/
/get/get
b1 b2b0
(c) Prod⊗ Buf
/get
put put
blindtext
/get
(p0, b0) (p0, b2)(p0, b1)
FIGURE 4.1. PIOs for producer and buffer
Within this chapter we will make extensive use of the notation ∆XA introduced in
Sect. 2.1 of Chap. 2 to abbreviate conditions for skipping transitions in the transition rela-
tion of an IOTS. Therefore, we recall the initial definition by an informal transfer to PIOs.
Let A be a PIO, X ⊆ L(A) and R ∈ {∆,Π}. Then (s, s′) ∈ RXA means s′ is reachable
in R using labels in X, and (s, l, s′) ∈ RXA means that a transition (s¯, l, s¯′) exists in R
which is preceeded and succeeded by transitions using labels in X, that is, (s, s¯) ∈ RXA and
(s¯′, s′) ∈ RXA.
The following lemma formalises a basic property concerning the reachability of global
states in the composition of PIOs along paths of non-shared labels.
Lemma 4.3 (Non-shared reachability) Let A and B be composable PIOs and let X be a
set of labels such that X∩S(A,B) = ∅. If (sA, sB) ∈ R(A⊗B), then for all lA ∈ L(A),
l ∈ L(A) ∪ L(B) such that lA /∈ S(A,B) ∪ X and l ∈ S(A,B) the following holds
for R ∈ {∆,Π}:
(sA, s′A) ∈ RXA =⇒ ((sA, sB), (s′A, sB)) ∈ RXA⊗B ,(1)
(sA, lA, s′A) ∈ RXA =⇒ ((sA, sB), lA, (s′A, sB)) ∈ RXA⊗B ,(2)
(sA, l, s′A) ∈ RXA ∧ (sB , l, s′B) ∈ RB =⇒ ((sA, sB), l, (s′A, s′B)) ∈ RXA⊗B .(3)
PROOF. (1) Since X consists of non-shared labels only, we can construct an execution
fragment from (sA, sB) to (s′A, sB) using only transitions from RA. (2) and (3) is shown
using (1) before and after the transition labelled lA, l respectively. 
PIOs in turn are an instance of consistent modal I/O automata with ∆ the may- and Π
the must-transition relation [LNW07]. In the succeeding sections we refer to modal I/O
automata (MIO) as considered in [BMSH10] and relate some of our definitions and results
by a translation mio : PIO→ MIO which maps the PIO-constituents to the corresponding
elements of a MIO. The translation is straightforward, if we assume that all τ -transitions
of a PIO have been relabelled to internal transitions with new internal labels in T before.
The mio-translation of a τ -free PIO ((I,O, T ), S, s0,∆,Π) is given by
mio((I,O, T ), S, s0,∆,Π) = (states, start, (in, out, int), 99K,−→), such that
states = S, start = s0, (in, out, int) = (I,O, T ), and (s, l, s′) ∈99K iff (s, l, s′) ∈ ∆,
and (s, l, s′) ∈−→ iff (s, l, s′) ∈ Π. The extension of the IOTS product operator for PIOs
mentioned above coincides with the product operator as defined for modal I/O automata.
We expect the remaining operators to coincide analogously.
The difference between PIOs and MIOs lies in the requirement of input-persistence,
disallowing what is called “may input” for modal I/O automata. From a technical point of
view anything which is developed for PIOs within this chapter could be developed equally
for MIOs. Our conceptual departure, however, aims at a theory with support for modular
refinement while preserving a notion of compatibility which guarantees the absence of
certain communication errors. As argued in the following, the additional expressive power
of MIOs does not contribute in the given setting.
50 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Consider the example in Fig. 4.2 as a specification of a two-element buffer. The first
input is a so-called “must transition” and the second input is a so-called “may transition”
(indicated by the dashed line) and thus, in terms of weak modal refinement, the given MIO
is refinable by either an one-element or a two-element buffer.
m/ n/
/o/o
FIGURE 4.2. Modal I/O automata with may input (dashed line)
Since PIOs do not allow for “may input transitions” the specification in Fig. 4.2 can not be
expressed using PIOs. But a closer look reveals that may inputs are only of limited use in
our setting of output compatible environments. A communication partner on the same level
of abstraction can not send the second input, since the given MIO would not be compatible
due to the “may” attribute of the given transition. Moreover, MIO refinement does not
allow to add output transitions in the more concrete transition system. Therefore, the given
may input is neither directly usable nor by potentially refined communication partners.
Instead, communication partners using the may input must be specified with respect to a
refinement of the given MIO which guarantees the existence of the second input transition
by tagging it as “must input transition”. In general this means that in order to make an input
usable in output compatible contexts we need to use “must inputs”, and this is exactly our
requirement of input persistence in the definition of PIOs.
1.2. Blackbox-Refinement. Even though we do not consider components with data
states, refinement is based on an intuitive understanding as known from correctness rela-
tions for operation specifications in the form of pre- and postconditions. A correct imple-
mentation should work properly at least in all states where the given precondition holds,
and in this case should establish the postcondition, i.e., reach at most one of the states
where the given postcondition holds. This co-/contravariant interpretation of behavioural
specifications can be applied to transition systems with inputs and outputs too. A correct
implementation should support at least the given inputs and use at most the specified out-
puts. Additionally arbitrary internal actions may be used, as long as correctness w.r.t. inputs
and outputs is not touched.
A direct transfer of such an interpretation, however, bears problems concerning the
preservation of our notion of compatibility, motivated in Chap. 2 (Sect. 1.3) and formally
defined below. Therefore, the given basic intuition is combined with the notion of per-
sistent transitions in the following way: Specified inputs must always exist in the refined
transition system (R1). At most the specified outputs may exist in the concrete system
(R2). Specified internal transitions may be skipped and concrete internal transitions may
be added as long as the refinement relation is not invalidated (R3). Additionally, persistent
transitions are mandatory to be taken into account within a correct refinement (R4). A cor-
rect implementation is obliged to preserve persistent output transitions; persistent internal
steps need to be mimicked by arbitrary internal steps of the concrete system (including
doing no step at all) such that the refinement relation is not invalidated. Finally, we do not
make a difference in the treatment of internal and τ transitions. By this means the relation
can be used equivalently for systems which either show internal transitions or did hide such
transitions by a relabelling to the anonymous action τ already.
Definition 4.4 (Blackbox refinement) Let A and C be PIOs. C is a blackbox refinement
of A, written C vbb A, if IA = IC , OA = OC and there exists R ⊆ SA × SC such that
(s0,A, s0,C) ∈ R and for all (sA, sC) ∈ R the conditions in Tab. 4.3 hold.
1. INPUT-PERSISTENT I/O-TRANSITION SYSTEMS (PIO) 51
∀l ∈ IA ∪OA . ∀s′A ∈ SA . (sA, l, s′A) ∈ ΠA =⇒(A-I/O)
(∃s′C ∈ SC . (sC , l, s′C) ∈ ΠT (C)C ∧ (s′A, s′C) ∈ R)
∀l ∈ T (A) . ∀s′A ∈ SA . (sA, l, s′A) ∈ ΠA =⇒(A-Int)
(∃s′C ∈ SC . (sC , s′C) ∈ ΠT (C)C ∧ (s′A, s′C) ∈ R)
∀l ∈ IC ∪OC . ∀s′C ∈ SC . (sC , l, s′C) ∈ ∆C =⇒(C-I/O)
(∃s′A ∈ SA . (sA, l, s′A) ∈ ∆T (A)A ∧ (s′A, s′C) ∈ R)
∀l ∈ T (C) . ∀s′C ∈ SC . (sC , l, s′C) ∈ ∆C =⇒(C-Int)
(∃s′A ∈ SA . (sA, s′A) ∈ ∆T (A)A ∧ (s′A, s′C) ∈ R)
FIGURE 4.3. Conditions for blackbox refinement between A and C
(a) BufIn
put/
/buf
bi1bi0
(b) BufOut
buf/
/get
bo1bo0
(c) BufIn⊗ BufOut
buf put/put/
/get
/get
(bi0, bo1) (bi1, bo1)(bi1, bo0)(bi0, bo0)
FIGURE 4.4. Two one-element buffers and their composition
Since we consider input-persistent I/O-transition systems the requirement R1 is taken into
account by condition (A-I/O). Requirement R2 is modelled by (C-I/O), and the require-
ments for internal transitions motivate the application of ∆T (A)A in conditions (C-I/O) and
(C-Int). The requirement for persistent output and internal transitions is included in (A-
I/O) and taken into account by (A-Int) respectively.
Hiding internal labels does not invalidate a given blackbox refinement due to condi-
tions (A-Int) and (C-Int) which do not distinguish internal and τ transitions.
Lemma 4.5 LetA and C be PIOs. If CvbbA then CvbbAξ, CξvbbA, and CξvbbAξ.
Example 4.6 (Blackbox refinement) Assume we would like to provide an implementation
for Buf (Fig. 4.1) using the composition of two one-element buffers as depicted in Fig. 4.4.
Then, the composition of BufIn and BufOut should be in a refinement relation with Buf.
Indeed, we have BufIn ⊗ BufOut vbb Buf, which is witnessed by the relation R ⊆ SBuf ×
SBufIn⊗BufOut with R = {(b0, (bi0, bo0)), (b1, (bi1, bo0)), (b1, (bi0, bo1)), (b2, (bi1, bo1))}.
The definition of blackbox refinement coincides with weak modal refinement of modal
I/O-automata if we consider PIOs with an identical set of internal labels.
52 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Proposition 4.7 (Weak modal refinement) LetA andC be PIOs with TC = TA. mio(C) ∗m
mio(A) if, and only if C vbb A.
PROOF. The notation→∗mio(A) for internal paths used in [BMSH10] and the notation
∆X used here can be shown to be equivalent. Thus the conditions (1) and (2) of weak
modal refinement in [BMSH10] can be separated to conditions (1a), (1b), (2a) and (2b)
such that (1a) is equivalent to (A-I/O), (1b) to (A-Int), (2a) to (C-I/O) and (2b) to (C-Int).
Our mio-translation requires τ -free PIOs since modal I/O-automata allow for internal
labels but do not include τ labels. In the following we assume that τ labels of A and C
have been relabelled appropriately to new internal labels before. We use t as a generic
identifier of an internal label. Let mio(A) = (statesA, startA, (inA, outA, intA), 99KA
,−→A) and analogous for mio(C). Let RCA ⊆ statesC × statesA be a witness for
mio(C) ∗m mio(A). Then clause (1) of weak modal refinement reads as follows: for all
(sC , sA) ∈ RCA it holds that
∀s′A ∈ statesA . (sA, l, s′A) ∈−→mio(A) =⇒ (∃s′C ∈ statesC .
(((sC , l, s′C) ∈−→∗mio(C) ∧ l /∈ intC) ∨ (sC , t, s′C) ∈−→∗mio(C)) ∧ (s′C , s′A) ∈ RCA)
The conditions for mio(C) can be separated:
∀l ∈ extA . ∀s′A ∈ statesA . (sA, l, s′A) ∈−→mio(A) =⇒ (∃s′C ∈ statesC .(1a)
(sC , l, s′C) ∈−→∗mio(C) ∧ (s′C , s′A) ∈ RCA)
∀l ∈ intA . ∀s′A ∈ statesA . (sA, l, s′A) ∈−→mio(A) =⇒ (∃s′C ∈ statesC .(1b)
(sC , t, s′C) ∈−→∗mio(C) ∧ (s′C , s′A) ∈ RCA)
Consider clause (1a). By definition, (sC , l, s′C) ∈−→∗mio(C) iff there are s¯C , s¯′C ∈ statesC
such that (sC , t, s¯C) ∈−→∗mio(C), (s¯C , l, s¯′C) ∈−→mio(C) and (s¯′C , t, s′C) ∈−→∗mio(C),
which is equivalent to (sC , t, s¯C) ∈ ΠT (C)C , (s¯C , l, s¯′C) ∈ ΠC and (s¯′C , t, s′C) ∈ ΠT (C)C .
Hence (sC , l, s′C) ∈ ΠT (C)C and thus (1a) translates to
∀l ∈ inA ∪ outA . ∀s′A ∈ statesA . (sA, l, s′A) ∈ ΠA =⇒ (∃s′C ∈ statesC .
(sC , l, s′C) ∈ ΠT (C)C ∧ (s′C , s′A) ∈ RCA),
which corresponds to clause (A-I/O) of blackbox refinement. Condition (1b) and condition
(2) for may-transitions are translated analogously. 
Satisfying the requirements of a preorder is a natural demand for refinement relations
between specifications of component behaviour. In particular transitivity is important, as
one usually aims to support development processes based on stepwise refinement. Rela-
tions which allow for the removal of abstract transitions in the concrete transition system
sometimes are at risk to invalidate this property. Though, as shown in the following this is
not the case with blackbox refinement.
Proposition 4.8 (Preorder) Let A, C and D be PIOs. Then Avbb A and if D vbb C and
C vbb A then D vbb A.
The proof for transitivity uses the following Lemma.
Lemma 4.9 Let RAC be a witness for C vbb A. Let (sA, sC) ∈ RAC and assume l ∈
IA ∪OA. Then
(1) (sA, s′A) ∈ ΠT (A)A =⇒ ∃s′C ∈ SC . (sC , s′C) ∈ ΠT (C)C ∧ (s′A, s′C) ∈ RAC
(2) (sA, l, s′A) ∈ ΠT (A)A =⇒ ∃s′C ∈ SC . (sC , l, s′C) ∈ ΠT (C)C ∧ (s′A, s′C) ∈ RAC
(3) (sC , s′C) ∈ ∆T (C)C =⇒ ∃s′A ∈ SA . (sA, s′A) ∈ ∆T (A)A ∧ (s′A, s′C) ∈ RAC
(4) (sC , l, s′C) ∈ ∆T (C)C =⇒ ∃s′A ∈ SA . (sA, l, s′A) ∈ ∆T (A)A ∧ (s′A, s′C) ∈ RAC
1. INPUT-PERSISTENT I/O-TRANSITION SYSTEMS (PIO) 53
PROOF OF LEMMA. Consider (2). By (sA, l, s′A) ∈ ΠT (A)A there exists lA,i ∈ T (A)
and sA,i ∈ SA for 1 ≤ i < n such that (sA, lA,1, sA,1) ∈ ΠA, (sA,i, lA,i+1, sA,i+1) ∈ ΠA,
. . ., (sA,n, l, s′A) ∈ ΠA. By induction on the fragment length n and using RAC there
exists sC,i, s′C ∈ SC such that (sC , lA,1, sC,1) ∈ ΠC , (sC,i, lA,i+1, sC,i+1) ∈ ΠC , . . .,
(sC,n, l, s′C) ∈ ΠC and (sA,i, sC,i) ∈ RAC for all 1 ≤ i < n and (s′A, s′C) ∈ RAC . The
remaining cases hold analogously. 
PROOF OF PROPOSITION. Reflexivity holds by using the identity relation as a wit-
ness for A vbb A. Transitivity is shown using R = {(sA, sD) | ∃sC ∈ SC . (sA, sC) ∈
RAC ∧ (sC , sD) ∈ RCD}, where RAC and RCD are assumed to witness C vbb A and
D vbb C respectively. Obviously (sA,0, sD,0) ∈ R. Let (sA, sD) ∈ R and let sC ∈ SC
such that (sA, sC) ∈ RAC and (sC , sD) ∈ RCD. We show that R satisfies the conditions
of black box refinement.
(Case A-I/O) Let l ∈ IA ∪ OA and (sA, l, s′A) ∈ ΠA. By (A-I/O) for RAC there
exists s′C ∈ SC such that (sC , l, s′C) ∈ ΠT (C)C and (s′A, s′C) ∈ RAC . By Lem. 4.9 forRCD
and IA = IC = ID and OA = OC = OD, there exists s′D ∈ SD such that (sD, l, s′D) ∈
ΠT (D)D and (s′C , s′D) ∈ RCD and hence (s′A, s′D) ∈ R.
(Case A-Int) Let l ∈ T (A) and (sA, l, s′A) ∈ ΠA. By (A-Int) for RAC there exists
s′C ∈ SC such that (sC , s′C) ∈ ΠT (C)C and (s′A, s′C) ∈ RAC . By Lem. 4.9 for RCD
there exists s′D ∈ SD such that (sD, s′D) ∈ ΠT (D)D and (s′C , s′D) ∈ RCD and hence
(s′A, s′D) ∈ R.
(Case C-I/O) Let l ∈ ID ∪ OD and (sD, l, s′D) ∈ ∆D. By (C-I/O) for RCD there
exists s′C ∈ SC such that (sC , l, s′C) ∈ ∆T (C)C and (s′C , s′D) ∈ RCD. By Lem. 4.9
for RAC and IA = IC = ID and OA = OC = OD, there exists s′A ∈ SA such that
(sA, l, s′A) ∈ ∆T (A)A and (s′A, s′C) ∈ RAC and hence (s′A, s′D) ∈ R.
(Case C-Int) Let l ∈ T (D) and (sD, l, s′D) ∈ ∆D. By (C-Int) for RCD there exists
s′C ∈ SC such that (sC , s′C) ∈ ∆T (C)C and (s′C , s′D) ∈ RCD. By Lem. 4.9 for RAC there
exists s′A ∈ SA such that (sA, s′A) ∈ ∆T (A)A and (s′A, s′C) ∈ RAC and hence (s′A, s′D) ∈
R. 
Another fundamental property of any refinement relation is precongruence with re-
spect to the product operator. Precongruence allows for modular substitution of abstract
transition systems by a refinement such that the resulting composition is a refinement of the
original composition. For the case of PIOs we assume composability of the given transition
systems. Composability represents our syntactical requirements on the proper composition
of communication partner: outputs should be provided by the particular partner and inter-
nal labels should be disjoint from each other, such that these transitions indeed represent
internal, local actions of the given process.
Theorem 4.10 (Precongruence) Let A, B and C be PIOs such that A, B and C, B are
composable. If C vbb A, then C ⊗B vbb A⊗B.
PROOF. Let A ⊗ B = ((IAB , OAB , TAB), SAB , s0,AB ,∆AB ,ΠAB) and C ⊗ B =
((ICB , OCB , TCB), SCB , s0,CB ,∆CB ,ΠCB). Let RAC be a witness for C vbb A with
(s0,A, s0,C) ∈ RAC and let
R = {((sA, sB), (sC , sB)) | (sA, sC) ∈ RAC ∧ (sA, sB) ∈ R(A⊗B)},
then ((s0,A, s0,B), (s0,C , s0,B)) ∈ R. Let ((sA, sB), (sC , sB)) ∈ R. We check the condi-
tions of blackbox refinement for R.
(Case A-I/O) Let l ∈ IAB ∪OAB and ((sA, sB), l, (s′A, s′B)) ∈ ΠAB.
If l ∈ IA ∪ OA, then there exists (sA, l, s′A) ∈ ΠA and sB = s′B . By clause (A-I/O) for
RAC there exists s′C ∈ SC such that (sC , l, s′C) ∈ ΠT (C)C and (s′A, s′C) ∈ RAC . Since
l /∈ S(C,B) (by l /∈ S(A,B), IA = IC and OA = OC) we have by Lem. 4.3 (2) and
54 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
T (C) ⊆ T (CB), that ((sC , sB), l, (s′C , sB)) ∈ ΠT (CB)CB . Since (s′A, sB) ∈ R(A ⊗ B) it
follows that ((s′A, sB), (s′C , sB)) ∈ R.
If l ∈ IB ∪ OB , then there exists (sB , l, s′B) ∈ ΠB and sA = s′A. Hence ((sC , sB), l,
(sC , s′B)) ∈ ΠCB and since (sA, s′B) ∈ R(A⊗B), it follows that ((sA, s′B), (sC , s′B)) ∈
R.
(Case A-Int) Let l ∈ TAB and ((sA, sB), l, (s′A, s′B)) ∈ ΠAB.
If l ∈ T (A), then there exists (sA, l, s′A) ∈ ΠA and sB = s′B . By (A-Int) for RAC there
exists s′C ∈ SC such that (sC , s′C) ∈ ΠT (C)C and (s′A, s′C) ∈ RAC . Since l /∈ S(C,B) (by
l /∈ S(A,B), IA = IC , OA = OC and C,B composable), we have by Lem. 4.3 (1) and
T (C) ⊆ T (CB), that ((sC , sB), (s′C , sB)) ∈ ΠT (CB)CB . Since (s′A, sB) ∈ R(A ⊗ B) it
follows that ((s′A, sB), (s′C , sB)) ∈ R.
If l ∈ T (B), then there exists (sB , l, s′B) ∈ ΠB and sA = s′A. Since l /∈ S(C,B) (by
composability of C and B), we have ((sC , sB), l, (sC , s′B)) ∈ ΠCB and since (sA, s′B) ∈
R(A⊗B) it follows that ((sA, s′B), (sC , s′B)) ∈ R.
If l ∈ S(A,B), then there exists (sA, l, s′A) ∈ ΠA and (sB , l, s′B) ∈ ΠB , and either
l ∈ IA ∩ OB or l ∈ OA ∩ IB . In both cases, by (A-I/O) for RAC , there exists s′C ∈ SC
such that (sC , l, s′C) ∈ ΠT (C)C and (s′A, s′C) ∈ RAC . By Lem. 4.3 (3) and T (C) ⊆ T (CB)
it follows that ((sC , sB), l, (s′C , s′B)) ∈ ΠT (CB)CB and since (s′A, s′B) ∈ R(A⊗B) we have
((s′A, s′B), (s′C , s′B)) ∈ R.
(Case C-I/O) Let l ∈ ICB ∪OCB and ((sC , sB), l, (s′C , s′B)) ∈ ΠCB.
If l ∈ IC ∪ OC , then there exists (sC , l, s′C) ∈ ∆C and sB = s′B . By clause (C-I/O)
for RAC there exists s′A ∈ SA such that (sA, l, s′A) ∈ ∆T (A)A and (s′A, s′C) ∈ RAC . By
Lem. 4.3 (1) and T (A) ⊆ T (AB) it follows that ((sA, sB), l, (s′A, sB)) ∈ ∆T (AB)AB . Since
(s′A, sB) ∈ R(A⊗B) we also have ((s′A, sB), (s′C , sB)) ∈ R.
If l ∈ IB ∪ OB , then there exists (sB , l, s′B) ∈ ∆B and sC = s′C . Hence ((sA, sB), l,
(sA, s′B)) ∈ ∆AB and since (sA, s′B) ∈ R(A ⊗ B) and (sA, sC) ∈ RAC it follows that
((sA, s′B), (sC , s′B)) ∈ R.
(Case C-Int) Let l ∈ TCB and ((sC , sB), l, (s′C , s′B)) ∈ ∆CB.
If l ∈ T (C), then there exists (sC , l, s′C) ∈ ∆C and sB = s′B . By (C-Int) for RAC there
exists s′A ∈ SA such that (sA, s′A) ∈ ∆T (A)A and (s′A, s′C) ∈ RAC . Since l /∈ S(A,B)
(by l ∈ T (C), IA = IC , OA = OC and A,B composable), we have by Lem. 4.3 (1) and
T (A) ⊆ T (AB), that ((sA, sB), (s′A, sB)) ∈ ∆T (AB)AB . Since (s′A, sB) ∈ R(A ⊗ B) it
follows that ((s′A, sB), (s′C , sB)) ∈ R.
If l ∈ T (B), then there exists (sB , l, s′B) ∈ ∆B and sC = s′C , we have ((sA, sB), l,
(sA, s′B)) ∈ ∆AB and hence (sA, s′B) ∈ R(A ⊗ B) (by composability of A and B and
l /∈ S(A,B)) and since (sA, sC) ∈ RAC it follows that ((sA, s′B), (sC , s′B)) ∈ R.
If l ∈ S(C,B), then there exists (sC , l, s′C) ∈ ∆C and (sB , l, s′B) ∈ ∆B , and either
l ∈ IC ∩ OB or l ∈ OC ∩ IB . In both cases, by (C-I/O) for RAC , there exists s′A ∈ SA
such that (sA, l, s′A) ∈ ∆T (A)A and (s′A, s′C) ∈ RAC . By Lem. 4.3 (3) and T (A) ⊆ T (AB)
it follows that ((sA, sB), (s′A, s′B)) ∈ ∆T (AB)AB and hence (s′A, s′B) ∈ R(A ⊗ B) and
((s′A, s′B), (s′C , s′B)) ∈ R. 
Note that composability of C and B must be assumed due to the possibility of arbitrary
additional internal labels in the concrete transition system.
Example 4.11 (Precongruence) As discussed in Ex. 4.6 we have BufIn ⊗ BufOut vbb Buf,
therefore we may replace Buf in the composition Prod ⊗ Buf and obtain by application of
Thm. 4.10 a refinement of the original composition, that is Prod ⊗ (BufIn ⊗ BufOut) vbb
Prod ⊗ Buf. Note that it is not required to hide synchronised transitions, since blackbox
refinement makes no difference between τ and internal transitions.
1. INPUT-PERSISTENT I/O-TRANSITION SYSTEMS (PIO) 55
∀l ∈ OA ∩ IB . ∀s′A ∈ SA . (sA, l, s′A) ∈ ∆A =⇒(A-Out)
(∃s′B ∈ SB . (sB , l, s′B) ∈ ΠOBB )
∀l ∈ OB ∩ IA . ∀s′B ∈ SB . (sB , l, s′B) ∈ ∆B =⇒(B-Out)
(∃s′A ∈ SA . (sA, l, s′A) ∈ ΠOAA )
FIGURE 4.5. Output compatibility w.r.t. autonomous labels OA and OB
Having shown that the given refinement relation is a preorder and a precongruence
allows to conclude its compositionality. Therefore, properties which are preserved by
blackbox refinement might be verified on the level of the composition of abstract tran-
sition systems and then we may conclude that the property still holds in a more concrete
system if the abstract transition systems are replaced by proper refinements.
Corollary 4.12 (Compositionality) Let A, B and C, D be PIOs such that A, B and C, D
are composable. If C vbb A and D vbb B, then C ⊗D vbb A⊗B.
PROOF. By Thm. 4.10 and C vbb A we have C ⊗B vbb A⊗B. By Prop. 4.10 and
DvbbB we haveC⊗DvbbC⊗B. Now, by Prop. 4.8, it follows thatC⊗DvbbA⊗B. 
1.3. Output Compatibility. The product operator for the composition of transition
systems captures only successful communication. An I/O-transition without a matching
counterpart does not occur in the composed transition system any more. In presence of
distinguished input and output it becomes evident, that such a model is only appropriate for
inputs (corresponding to unused provisions) but not for outputs (corresponding to required
services), at least if one aims at some guarantees for message delivery. Therefore, a notion
of output compatibility becomes an important issue. Within this section we consider three
types of compatibility, strong, weak and ultra-weak output compatibility and analyse their
preservation by blackbox refinement.
Definition 4.13 (Output compatibility) Two composable PIOs A and B are output com-
patible with respect to autonomous labels OA ⊆ (OA \ IB) ∪ T (A) and OB ⊆ (OB \
IA) ∪ T (B), written A↔(OA,OB) B, if for all (sA, sB) ∈ R(A ⊗ B) the conditions in
Fig. 4.5 hold.
A and B are ultra-weakly output compatible, written A↔u B, if OA = (OA \ IB) ∪
T (A) and OB = (OB \ IA) ∪ T (B); A and B are weakly output compatible, written
A↔w B, if OA = T (A) and OB = T (B); A and B are strongly output compatible,
written A↔s B, if OA = OB = ∅.
Weak output compatibility of PIOs corresponds to the notion of weak compatibility
for MIOs defined in [BMSH10].
Example 4.14 (Output compatibility) Consider the buffer PIO of Fig. 4.1 and assume
{(b1, get, b0), (b2, get, b1)} ⊆ ΠBuf, then Prod and Buf are ultra-weakly output compatible
but neither weakly nor strongly output compatible. The interesting product state here is
(p0, b2) which does not immediately provide a synchronising put input transition. Instead
such an input is provided in state (p0, b1) after the unshared output transition get. Since we
strictly assume output compatible environments such an unshared output will be synchro-
nised later (if the source state is still reachable in the corresponding global state space)
and hence we may skip such a transition while looking for a synchronising input.
Similarly Prod and BufIn ⊗ BufOut are ultra-weakly output compatible, if we assume
that additionally to the get-transitions, the internal transition labelled buf is persistent,
i.e. if ΠBufIn⊗BufOut ⊇ {((bi1, bo1), get, (bi1, bo0)), ((bi0, bo1), get, (bi0, bo0)), ((bi1, bo0),
56 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
buf, (bi0, bo1))}. Here the interesting product state is (p0, (bi1, bo0)) which shows an in-
ternal transition before the required input transition is reached. Internal transitions can be
considered to be executable even without any environmental assumptions and hence also
in this case, compatibility should not be at risk, if such a transition precedes a matching
input.
Weak and ultra-weak compatibility are preserved by blackbox refinement. Therefore,
these notions of compatibility are examples of properties which are preserved if we replace
abstract transition systems within a given composition with more concrete systems along
blackbox refinement. First we consider ultra-weak output compatibility.
Proposition 4.15 (Ultra-weak preservation) Let A, B and C be PIOs such that A, B and
C, B are composable. If A↔u B and C vbb A, then C↔u B.
The claim holds by the following reasoning which is detailed below. Let RAC be a
relation witnessing C vbb A and let R = {((sA, sB), (sC , sB)) | (sA, sC) ∈ RAC ∧
(sA, sB) ∈ R(A ⊗ B)}. Lemma 4.16 (below) for the “upward” direction shows that,
under the given assumptions, for any reachable state (sC , sB) ∈ R(C ⊗ B) there is an
sA ∈ SA such that (sA, sB) ∈ R(A ⊗ B) and (sA, sC) ∈ RAC and hence ((sA, sB),
(sC , sB)) ∈ R. Using (C-I/O) for RAC any output of C can be related to an output of A
and hence from A↔u B we obtain an input (sB , l, s′B) ∈ ΠOB forO = (OB \ IA)∪T (A)
as a witness for condition (A-Out) w.r.t. C↔u B. A lemma for the “downward” direction
(Lem. 4.17 below) shows how RAC andR(A⊗B) can be used to construct an execution
fragment in C ⊗B from A↔u B, i.e. from (sA, l, s′A) ∈ ΠOA for O = (OA \ IB)∪ T (A)
as a witness for condition (B-Out) w.r.t. C↔u B.
PROOF OF PROPOSITION. Let RAC be a relation witnessing C vbb A with (s0,A,
s0,C) ∈ RAC . Let R = {((sA, sB), (sC , sB)) | (sA, sC) ∈ RAC ∧ (sA, sB) ∈ R(A ⊗
B)}.
Let (sC , sB) ∈ R(C ⊗ B). Then by Lem. 4.16, there exists sA ∈ SA such that
(sA, sB) ∈ R(A⊗B) and (sA, sC) ∈ RAC , hence ((sA, sB), (sC , sB)) ∈ R.
Let l ∈ OC ∩ IB and (sC , l, s′C) ∈ ∆C . By (C-I/O) for RAC there exists s′A ∈ SA such
that (sA, l, s′A) ∈ ∆T (A)A . Hence, there is s¯A, s¯′A ∈ SA such that (sA, s¯A) ∈ ∆T (A)A and
(s¯A, l, s¯′A) ∈ ∆A. By Lem. 4.3 (1), (s¯A, sB) ∈ R(A ⊗ B) and thus, by (A-Out) for
A↔uB, we have for (s¯A, sB) the existence of s′B ∈ SB such that (sB , l, s′B) ∈ ΠOBB with
OB = (OB \ IA) ∪ T (B). Since IC = IA, this is a valid witness for condition (A-Out)
w.r.t. C↔u B and (sC , l, s′C) ∈ ∆C .
Let l ∈ OB∩IC and (sB , l, s′B) ∈ ∆B . By (B-Out) forA↔uB we have for all (sA, sB) ∈
R(A ⊗ B) the existence of s′A ∈ SA such that (sA, l, s′A) ∈ ΠOAA where OA = (OA \
IB) ∪ T (A). By Lem. 4.17 there exists
((sC , sB), (s¯C , sB)) ∈ ΠOCC⊗B and ((s¯C , sB), l, (s′C , s′B)) ∈ ∆C⊗B
with OC = (OC \ IB) ∪ T (C) and (s¯C , l, s′C) ∈ ΠC (by (sA, l, s′A) ∈ ΠOAA ). Therefore
there exists
ρC = (sC lCB,1 sC,1 . . . lCB,n sC,n l s′C) ∈ frag(C)
with lCB,i ∈ OC and all transitions from ΠC for all 1 ≤ i ≤ n. In particular (sC,n, l, s′C) ∈
ΠC and thus ρC is a valid witness for condition (B-Out) w.r.t. C↔u B. 
Lemma 4.16 (Upward) Let A, B and C be PIOs. Let A, B and C, B be composable. Let
A↔uB and letRAC be a witness for CvbbA. If (sC , sB) ∈ R(C⊗B), then there exists
sA ∈ SA such that (sA, sB) ∈ R(A⊗B) and (sA, sC) ∈ RAC .
PROOF. If (sC , sB) ∈ R(C ⊗B), then there exists ρCB ∈ frag(C ⊗B) with
ρCB = ((sC,0, sB,0) lCB,1 (sC,1, sB,1) . . . lCB,k (sC , sB)),
1. INPUT-PERSISTENT I/O-TRANSITION SYSTEMS (PIO) 57
where lCB,i ∈ L(C ⊗ B). By projection to C we remove all non-shared B-steps, i.e. all
((sC,i, sB,i), lCB,i, (sC,i, sB,i+1) with lCB,i ∈ L(B) \ S(C,B) and obtain
ρmC = (sC,0 lC,1 sC,1 . . . lC,m sC,m) ∈ frag(C),
with lC,i ∈ L(C) and sC,i ∈ SC for all 1 ≤ i ≤ m and sC,m = sC . By induction on m
(see below) we construct a fragment
ρhA = (sA,0 lA,1 sA,1 . . . lA,h sA,h) ∈ frag(A),
such that for all 1 ≤ j ≤ h it holds that lA,j ∈ L(A) and there exists i ∈ {0, . . . ,m} such
that (sA,j , sC,i) ∈ RAC . Since ρhA differs from ρmC only by internal transitions not shared
with B, this fragment can be used to construct
ρAB = ((sA,0, sB,0) lAB,1 (sA,1, sB,1) . . . lAB,k′ (sA, sB)) ∈ frag(A⊗B),
with sA = sA,h using the non-shared B-steps from ρCB above, which then shows that
indeed there exists sA ∈ SA such that (sA, sB) ∈ R(A⊗B) and (sA, sC) ∈ RAC .
Base case (m = 1). Let (sC,0 lC,1 sC,1) ∈ frag(C). We show that there exists
sA,1 ∈ SA and sB,1 ∈ SB such that (sA,1, sB,1) ∈ R(A ⊗ B) and (sA,1, sC,1) ∈ RAC .
Since lC,1 ∈ L(C) we distinguish that either lC,1 ∈ IC ∪OC , or lC,1 ∈ T (C).
(1) Let lC,1 ∈ IC ∪ OC . By (C-I/O) for (sA,0, sC,0) ∈ RAC , there exists sA,1 ∈ SA
such that (sA,0, lC,1, sA,1) ∈ ∆T (A)A and (sA,1, sC,1) ∈ RAC . If lC,1 /∈ S(C,B), then
lC,1 /∈ S(A,B) (by IA = IC and OA = OC) and hence (sA,1, sB,1) ∈ R(A ⊗ B) for
sB,1 = sB,0 by Lem. 4.3 (1). For the case lC,1 ∈ S(C,B) we know by the projection from
the fragment ρCB above that there exists sB,1 ∈ SB such that (sB,0 lC,1 sB,1) ∈ ∆OBB
with OB = (OB \ IA) ∪ T (B). Thus, there is s¯B , s¯′B ∈ SB such that (sB,0, s¯B) ∈
∆OBB , (s¯B , lC,1, s¯′B) ∈ ∆B and (s¯′B , sB,1) ∈ ∆OBB . Moreover, from (sA,0, lC,1, sA,1) ∈
∆T (A)A we obtain s¯A, s¯′A ∈ SA such that (sA,0, s¯A) ∈ ∆T (A)A , (s¯A, lC,1, s¯′A) ∈ ∆A
and (s¯′A, sA,1) ∈ ∆T (A)A . By Lem. 4.3 (1), it follows that ((sA,0, sB,0), (s¯A, s¯B)) ∈
∆T (A)∪OBA⊗B , and thus (s¯A, s¯B) ∈ R(A⊗B). Now ((s¯A, s¯B), lC,1, (s¯′A, s¯′B)) ∈ ∆A⊗B and,
again by Lem. 4.3 (1), ((s¯′A, s¯′B), (sA,1, sB,1)) ∈ ∆T (A)∪OBA⊗B and hence (sA,1, sB,1) ∈
R(A⊗B).
(2) Let lC,1 ∈ T (C). By (C-Int) for (sA,0, sC,0) ∈ RAC , there exists sA,1 ∈ SA such that
(sA,0, sA,1) ∈ ∆T (A)A and (sA,1, sC,1) ∈ RAC . By Lem. 4.3 (1), (sA,1, sB,0) ∈ R(A⊗B)
and hence (sA,1, sB,1) ∈ R(A⊗B) for sB,1 = sB,0.
Induction step (m + 1). Let ρmC and ρhA be execution fragments as above such that
(sA,h, sB) ∈ R(A⊗B) and (sA,h, sC,m) ∈ RAC for some m,h ∈ N. Assume
ρm+1C = (sC,0 lC,1 sC,1 . . . lC,m+1 sC,m+1) ∈ frag(C),
then by induction assumption, there exists p ≥ 0 such that sA,h+p ∈ SA and (sA,h+p, sB) ∈
R(A⊗B) and (sA,h+p, sC,m+1) ∈ RAC . 
Lemma 4.17 (Downward) Let A, B and C be PIOs. Let RAC be a witness for C vbb A.
Let (sA, sC) ∈ RAC . Let l ∈ OB ∩ IC and s′B ∈ SB such that (sB , l, s′B) ∈ ∆B . If
(sA, sB) ∈ R(A ⊗ B) and there exists s′A ∈ SA such that (sA, l, s′A) ∈ ΠOAA , where
OA = (OA \ IB)∪T (A), then there exists s¯C , s′C ∈ SC such that ((sC , sB), (s¯C , sB)) ∈
ΠOCC⊗B and ((s¯C , sB), l, (s′C , s′B)) ∈ ∆C⊗B , where OC = (OC \ IB) ∪ T (C).
PROOF. By (sA, l, s′A) ∈ ΠOAA there exists s¯A, s¯′A ∈ SA such that (sA, s¯A) ∈ ΠOAA ,
(s¯A, l, s¯′A) ∈ ΠA and (s¯′A, s′A) ∈ ΠOAA . Hence there exist lA,i ∈ OA and sA,i ∈
SA for 1 ≤ i < n such that (sA, lA,1, sA,1) ∈ ΠA, (sA,i, lA,i+1, sA,i+1) ∈ ΠA, . . .,
(sA,n, l, s¯′A) ∈ ΠA with s¯A = sA,n. Below we show by induction on n that there exists
s¯C ∈ SC such that (sC , s¯C) ∈ ΠOCC withOC = (OC \ IB)∪T (C) and (s¯A, s¯C) ∈ RAC .
Then, by Lem. 4.3 for (sC , s¯C) ∈ ΠOCC we have ((sC , sB), (s¯C , sB)) ∈ ΠOCC⊗B . Now,
58 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
since (s¯A, s¯C) ∈ RAC and (s¯A, l, s¯′A) ∈ ΠA there exists s¯′C ∈ SC such that (s¯′A, s¯′C) ∈
RAC and (s¯C , l, s¯′C) ∈ ΠT (C)C by (A-I/O) for RAC . Thus by Lem. 4.3 for (s¯C , l, s¯′C) ∈
ΠT (C)C and (sB , l, s′B) ∈ ∆B it follows that ((s¯C , sB), l, (s¯′C , s′B)) ∈ ΠC⊗B .
Base case (n = 1). Let (sA, lA,1, sA,1) ∈ ΠA with lA,1 ∈ OA. There are two cases.
If lA,1 ∈ OA \IB , then by (A-I/O) forRAC there is sC,1 ∈ SC such that (sC , lA,1, sC,1) ∈
ΠT (C)C and (sA,1, sC,1) ∈ RAC . Since OA = OC it follows that (sC , sC,1) ∈ ΠOCC .
If lA,1 ∈ T (A), then by (A-Int) for RAC there is sC,1 ∈ SC such that (sC , sC,1) ∈ ΠT (C)C
and (sA,1, sC,1) ∈ RAC . By T (C) ⊆ OC it follows that (sC , sC,1) ∈ ΠOCC .
Induction step (n + 1). Let sA,n ∈ SA and sc,m ∈ SC such that (sA,n, sC,m) ∈
RAC and (sC , sC,m) ∈ ΠOCC for some n,m ∈ N. Assume lA,n+1 ∈ OA and sA,n+1 ∈
SA such that (sA,n, lA,n+1, sA,n+1) ∈ ΠA. Then by induction assumption there exists
sc,m+1 ∈ SC such that (sA,n+1, sC,m+1) ∈ RAC and (sC , sC,m+1) ∈ ΠOCC . 
Example 4.18 (Ultra-weak preservation) Since BufIn ⊗ BufOut vbb Buf (Ex. 4.6) and
Prod↔u Buf (Ex. 4.14), Prop. 4.15 allows to conclude ultra-weak output compatibility be-
tween Prod and BufIn⊗BufOut. Note that condition (A-I/O) ofvbb forces the buf-transition
of BufIn ⊗ BufOut to be persistent. Otherwise the state ((b1), (bi1, bo0)) would not be in
relation since the input-transition put would not be reachable via persistent transitions in
ΠBufIn⊗BufOut. In contrast, the output-transitions get are not directly forced to be persistent.
However, by Prod↔u Buf it is required that {(b1, get, b0), (b2, get, b1)} ⊆ ΠBuf and now,
condition (A-I/O) of vbb ensures again that these transitions indeed exist as persistent
transitions in ΠBufIn⊗BufOut of the concrete PIO.
Preservation of weak output compatibility holds by Prop. 4.7 together with the corre-
spondence of weak output compatibility for PIOs and weak compatibility for MIOs, and
the preservation theorem in [BMSH10, Thm. 2].
Proposition 4.19 (Weak preservation) Let A, B and C be PIOs such that A, B and C, B
are composable. If A↔w B and C vbb A, then C↔w B. 
2. Asynchronous Communication
One of the major aims of this study is to develop a formal model which takes asynchro-
nous communication in the form of FIFO buffered message exchange into account. The
theory developed so far works for PIOs which synchronise by a rendezvous mechanism.
Within this section we extend our theory by an encoding of FIFO buffers (queues) for the
modelling of asynchronous buffered communication and a definition of asynchronous com-
patibility which is based on weak and ultra-weak compatibility respectively. After that we
show first, that blackbox refinement can be transfered to PIOs with FIFO buffered commu-
nication and second, that blackbox refinement also preserves asynchronous compatibility.
We start with some preliminaries concerning basic definitions and notations from the do-
main of I/O-transition systems (cf. Chap. 2, Sect. 2) and their transfer to the domain of
PIOs with asynchronous communication.
A partitioned I/O-labelling is an I/O-labelling ((I1, O1), . . . , (In, On), T ), where in-
puts and outputs are given by a partition {(I1, O1), . . . , (In, On)}. Composability of parti-
tioned IOLs requires, besides the general composability conditions, a unique assignment of
shared labels to the elements of the partition. A partitioned PIO is a PIO with partitioned
I/O-labelling.
Partitioned I/O-labellings are used to distinguish the queues of buffered transition sys-
tems. Intuitively an element of a partitioned I/O-labelling corresponds to a set of labels
as given by the port of a port-based component. Then for the required interface of the
port there will be an output queue which acts as a buffer for the messages sent into one
direction. For binary connectors the resulting communication medium results in two out-
put queues, one for each direction as illustrated in Fig. 4.6 showing two systems A and B,
2. ASYNCHRONOUS COMMUNICATION 59
...
...
QBOB
m mB
m
I = {mB, . . .}
nB nn
QBOA
O = {n, . . .}
IB = {n, . . .}
OB = {m, . . .}
OA = {n, . . .}
IA = {m, . . .}
A B
I = {nB, . . .}
O = {m, . . .}
FIGURE 4.6. Transition systems with output queues
each with one output queue QBOA and Q
B
OB
defined with respect to the output alphabet of
the respective PIO.
In general, there will be several output queues. The queues are encoded using PIOs.
In order to synchronise such a system of transition systems and queues appropriately we
need to apply a relabelling such that output messages are synchronised with the particular
queue transition system. The outputs of a queue then replace the original outputs. A
corresponding relabelling is indicated in Fig. 4.6. By this means, message exchange is
buffered and PIOs do not synchronise directly anymore. Note that the indicated output
relabelling is transparent for the communication partner.
Let L = ((I1, O1), . . . , (In, On), T ) be a partitioned IOL. An asynchronous output
labelling with respect to L is given by OB = (OB1 , . . . , OBk ) for some k ≤ n where OBi is
defined by lB ∈ OBi if l ∈ Oi, for all 1 ≤ i ≤ k. An asynchronous output labelling for a
PIO A is given by an asynchronous output labelling OBA with respect to LA.
Definition 4.20 (αPIO) A PIO with asynchronous output labelling (αPIO for short) is a
pair (A,OB) such that A is a partitioned PIO and OB an asynchronous output labelling
of A. If |OB| = |OA| we simply write A is a αPIO .
The relabelling of A for asynchronous communication with respect to OB is given by a
relabelling β from LA to L′A defined by a function f :
⋃
LA →
⋃
L′A such that f(l) = lB
if lB ∈ OB, and f(l) = l else. Relabelling of a PIO for asynchronous communication
should not be applied more than once for the same set of labels. Therefore, labels given by
an asynchronous output labelling must not yet exist in the set of labels of the underlying
PIO. We require for any αPIO (A,OB) that
⋃
LA ∩
⋃
OB = ∅.
Concerning the composability of αPIOs we need to ensure that the asynchronous out-
put labels do not invalidate composability requirements of PIOs. Two αPIOs (A,OBA)
and (B,OBB) are composable if A and B are composable and
⋃
LA ∩
⋃
OBB = ∅ and⋃
LB ∩
⋃
OBA = ∅.
2.1. FIFO Encoding and Buffered PIOs. We define an encoding of FIFO queues
using PIOs which relies on the definition of output queues in the context of I/O-transition
systems in Chap. 2. Since IOTSs are a formal representation of component implemen-
tations (behaviours), this highlights that queues are indeed not supposed to be specified
to allow for several different implementations of a queue. Instead we will use the same
implementation-related formalism of FIFO queues on both levels, on the level of specifi-
cations (PIOs) and on the level of implementations (IOTSs).
Definition 4.21 (FIFO Encoding) The PIO encoding of a FIFO queue with respect to a set
M, written QBM , is given by Q
B
M = (L, S, s0,∆,Π), where (L, S, s0,∆) is a queue IOTS
over M and Π = ∆.
An asynchronous output labelling specifies which messages of the given transition
system should be exchanged using FIFO buffers. With Def. 4.21 it is straightforward to
define a corresponding notion of buffered PIOs.
60 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Definition 4.22 (Buffered PIO) The buffered PIO for an αPIO (A, (O1, . . . , Ok)) for some
k ≤ |OA| is defined by
Ω(A, (O1, . . . , Ok)) = (Aβ ⊗QBO1 ⊗ · · · ⊗QBOk),
where β is a relabelling of A for asynchronous communication w.r.t. (O1, . . . , Ok). It is
called completely buffered, written Ω(A), if k = |OA|. We abbreviate the product of
output queues QBO1 ⊗ · · · ⊗QBOk by QBA.
Next we ensure that buffered PIOs can be used just like ordinary PIOs. In particular,
their composition is associative and commutative using the product operator for PIOs. Also
note that Ω(A, ∅) = A.
Lemma 4.23 Let (A,OBA) and (B,OBB) be αPIOs. Then the following holds:
(1) Ω(A,OBA) is a PIO with LΩ(A,OBA ) = (IA, OA, TA ∪
⋃
OBA).
(2) If (A,OBA) and (B,OBB) are composable then Ω(A,OBA) and Ω(B,OBB) are
composable.
PROOF. (1) The output queues for (A,OBA) are composable, since OBA is a partition
and, by definition, queue inputs are disjoint from queue outputs and the sets of internal
labels are empty. Thus QBA is defined. Let Ω(A,OBA) = (Aβ ⊗ QBA); Aβ and QBA are
composable since (A,OBA) is an αPIO, that is, Aβ is a valid PIO and IAβ ∩ IQBA = ∅,
OAβ∩OQB
A
= ∅, TAβ∩
⋃
QBsA = ∅ and TQBA∩
⋃
Aβ = ∅ by definition. Hence Ω(A,OBA) is
a PIO. Now, by definition of IOL products, IΩ(A,OB
A
) = (IAβ∪
⋃
IQB
A
)\S(Aβ,QBA) = IA,
OΩ(A,OB
A
) = (OAβ∪
⋃
OQB
A
)\S(Aβ,QBA) = OQBA = OA and TΩ(A,OBA ) = TAβ∪
⋃
TQB
A
∪
S(Aβ,QBA) = TA ∪
⋃
OBA .
(2) Using (1) we need to proof that IA ∩ IB = ∅, OA ∩ OB = ∅, (TA ∪
⋃
OBA) ∩⋃
OBB = ∅ and (TB ∪
⋃
OBB) ∩
⋃
OBA = ∅, which is a consequence of composability of
(A,OBA) and (B,OBB). Moreover, since IΩ(A,OBA ) = IA and OΩ(A,OBA ) = OA, we have
that shared labels will still be uniquely assigned to elements of the partitions and hence
also the requirement for the composability w.r.t partitions is preserved. 
Example 4.24 (Buffered PIO) Buffered PIOs are used to model buffered communication
between processes modelled by finite-state control automata, in our case by PIOs. With
the buffered producer example in Ex. 4.2 we considered a producer PIO composed with an
output buffer, which encodes its capacity explicitely by a corresponding number of input
transitions put, followed by an output transition get. Instead of this explicit modelling of
the buffer’s capacity, we could use buffered PIOs to abstract from capacity issues and focus
solely on the control part, which is in particular useful for the modelling of a distributed
system. In this case, the buffer between producer and consumer not only models storage
but is also used to decouple and control the message exchange.
For instance, the usual modelling of a producer/consumer-architecture requires the
consumer to wait with getting items from the storage as long as there are no items avail-
able, i.e. as long as the buffer is empty. Such a requirement could be modelled with a buffer
process BufCtr as depicted in Fig. 4.7.
(a) Prod
/put
p0
(b) BufCtr
put/
/get
b1b0
FIGURE 4.7. PIOs for producer and buffer controller
2. ASYNCHRONOUS COMMUNICATION 61
(a) Ω(Prod, OBProd)
/put/put
(p0, 〈put〉)
putB putB
(p0, ) (p0, 〈put, put〉) · · ·
(b) Ω(BufCtr, OBBufCtr)
put/
/get
b1b0
FIGURE 4.8. Buffered PIOs for the transition systems in Fig. 4.7
toast
/put
t0 t1
FIGURE 4.9. Refinement of the original producer
Then, asynchronous (buffered) communication between Prod and BufCtr is introduced
by a corresponding definition of buffered PIOs. Ω(Prod, OBProd) with OBProd = {(∅, {put})}
results in a PIO with an output queue for messages labelled put. An excerpt of the cor-
responding (infinite-state) transition system is depicted in Fig. 4.8. For the buffer con-
trol BufCtr we leave the output get open, hence define OBBufCtr = {({put}, ∅)}. Thus,
Ω(BufCtr, OBBufCtr) is still a PIO without queue which is obtained from BufCtr by a relabelling
of put for asynchronous communication (cf. Fig. 4.8). The composition Ω(Prod, OBProd) ⊗
Ω(BufCtr, OBBufCtr) then results in an infinite-state system, which repeatedly (and internally)
produces items, stores them in an internal FIFO buffer and then externally provides them
for consumption via the open output transition get.
2.2. Refinement and Asynchronous Compatibility. Our component model explic-
itly distinguishes components and connectors. The components’ behaviour is specified by
automata showing a temporal ordering of receive, send and local actions. Connectors in
contrast do not specify any application specific temporal ordering of message exchange but
act as a communication medium which determines the timing of the message exchange be-
tween components linked with this connector. Therefore, connectors are not user-defined
in the sense components are and hence our notion of refinement must not apply to connec-
tors. Instead we focus on the refinement of the components’ behaviour aiming at a notion
of compositionality which is independent of the connectors used on the abstract system
level. For the case of synchronous communication this is backed by Prop. 4.12 already.
For the case of asynchronous communication we rely on the following proposition.
Theorem 4.25 (Refinement transfer) Let (A,OB) be an αPIO and let C be a partitioned
PIO. If C vbb A, then Ω(C,OB)vbb Ω(A,OB).
PROOF. Let β be the relabelling for asynchronous communication w.r.t. OB. By
C vbb A we have Cβ vbb Aβ (similar to Lem. 2.16 (2)). Denote the output queues
for OB by QB then it follows by Thm. 4.10 that Cβ ⊗QB vbb Cβ ⊗QB. 
Example 4.26 (Refinement transfer) Suppose the producer of Ex. 4.24 creates a slice of
toasted bread which should be passed to the consumer afterwards. In a corresponding
process as depicted in Fig. 4.9 toast production is an internal step preceeding the storage
of the produced item via the (yet) open output transition put. If the internal transition is
persistent, i.e. (t0, toast, t1) ∈ ΠToast we have Toast vbb Prod, witnessed by the relation
{(t0, p0), (t1, p0)} ⊆ SToast × SProd. Therefore Thm. 4.25 is applicable and it follows that
Ω(Toast, OBProd)vbb Ω(Prod, OBProd).
62 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Note that Ω(Prod, OBProd) is an infinite-state system and hence verification of its re-
finement is in general undecidable. In contrast, Toast vbb Prod could be verified using
finite-state verification techniques.
Based on Thm. 4.25 we can claim compositionality for the case of buffered PIOs
similar to the case of PIOs with rendezvous communication. Though note that there is an
important difference: Here we rely on the refinement of the PIOs underlying the particular
buffered PIOs and not on a refinement between the buffered PIOs in turn.
Corollary 4.27 (Precongruence transfer) Let (A,OBA) and (B,OBB) be composable αPIOs
and let C be a partitioned PIO. Let C andB be composable. If CvbbA, then Ω(C,OBA)⊗
Ω(B,OBB)vbb Ω(A,OBA)⊗ Ω(B,OBB)
PROOF. The claim follows by Thm. 4.25 and Thm. 4.10. 
Example 4.28 (Precongruence transfer) Applying the corollary to Ex. 4.26 allows the
buffered producer to be replaced by a buffered toast producer in the composition with the
buffer controller. More formally, since Toastvbb Prod (cf. Ex. 4.26) we have, by Cor. 4.27,
Ω(Toast, OBProd)⊗ Ω(BufCtr, OBBufCtr)vbb Ω(Prod, OBProd)⊗ Ω(BufCtr, OBBufCtr).
Corollary 4.29 (Compositionality transfer) Let (A,OBA) and (B,OBB) be composable
αPIOs and let C, D be composable partitioned PIOs. If C vbb A and D vbb B, then
Ω(C,OBA)⊗ Ω(D,OBB)vbb Ω(A,OBA)⊗ Ω(B,OBB)
PROOF. The proof is analogous to the synchronous case (cf. Prop. 4.12). 
Another important aim of our study is to understand which basic compatibility re-
quirements may apply to the case of buffered message exchange. This corresponds to
the question which kind of architectural incompatibilities should be avoided when using
asynchronous connectors (cf. Chap. 2, Sect. 1.3). Considering our notion of output com-
patibility as defined above, we aim at guarantees for sending messages since the reception
of a message already implies that some sender was successful in omitting the particular
message which is not the case for sending. In the context of buffered message exchange
this transfers to some guarantee that, once a message has been put into the output queue of
a PIO, the particular communication partner is indeed able to dequeue the corresponding
message later on. The transition systems in Fig. 4.10 and Fig. 4.11 illustrate such a require-
ment more concretely. In Fig. 4.10 both systems are indeed able to dequeue the message
sent by its communication partner, either before or after sending messages in turn. For the
transition systems in Fig. 4.11, however, this is not the case. Here the fundamental differ-
ence between a rendezvous mechanism and buffered message exchange becomes evident.
If both systems send messages at the "same" time, the asynchronous system deadlocks due
to missing receive capabilities after having sent the message n and m respectively.
For the formal definition of a corresponding notion of asynchronous compatibility we
rely on the notions of weak, ultra-weak compatibility defined above which is due to the
encoding of FIFO buffers along transition systems for the messages sent (output queues)
in contrast to an encoding for messages received (input queues).
Definition 4.30 (Asynchronous output compatibility) Let (A,OBA) and (B,OBB) be com-
posable αPIOs. (A,OBA) and (B,OBB) are ultra-weakly asynchronous output compatible,
written (A,OBA)↔a (B,OBB), if Ω(A,OBA)↔u Ω(B,OBB); they are weakly asynchronous
output compatible if Ω(A,OBA)↔w Ω(B,OBB).
If not explicitely mentioned, we consider (A,OBA)↔a (B,OBB) and simply talk of
asynchronously output compatible αPIOs.
Example 4.31 (Asynchronous output compatibility) Consider the transition systems A
and B in Fig. 4.10 and assume S(A,B) = {n,m}, then A and B are not synchronously
2. ASYNCHRONOUS COMMUNICATION 63
(a) Control PIOs A and B
...
...
/n
n/
BA
n
mB
nn
B
m
m
/m
m/
(b) Buffered PIOs Ω(A) and Ω(B)
m/ n
B mB 〈m〉 
〈m〉 /mn/
/m /n 〈n〉 
〈n〉m/ /n
/n
FIGURE 4.10. Simultaneous sending of messages: asynchronously compatible
(a) Synchronously compatible PIOs A and B
m/
/n
/m
n/
m
n
⊗ =
(b) Buffered PIOs Ω(A) and Ω(B) deadlock
...
...
/n ...
...
.../m
n/m/
...

〈n〉

=
(, )
(〈n〉, )n
B
⊗ 
〈m〉

mB nB
mB
(〈n〉, 〈m〉)
(, 〈m〉)
mB
nB
FIGURE 4.11. Simultaneous sending and mixed-choice: not asynchronously compatible
ultra-weak output compatible, since neither does A provide an input m before sending
n, nor does B for the case of n the other way around. Note that S(A,B) = {n,m}
is the crucial prerequisite for this example. However, (A,OBA) and (B,OBB) are asyn-
chronously output compatible if OBA = {n} and OBB = {m}, i.e. if the respective out-
puts are communicated with asynchronous timing. More formally, by definition we have
(A,OBA)↔a (B,OBB), if Ω(A,OBA)↔u Ω(B,OBB). Thus, under the assumption LA = OBA
and LB = OBB , we need to check ultra-weak output compatibility for the buffered PIOs
Ω(A) and Ω(B) in Fig. 4.10, which is easily verified either by manual inspection or, in this
case, even by finite-state verification techniques.
In contrast, the transition systems A and B in Fig. 4.11 are synchronously ultra-
weak output compatible but not asynchronously output compatible. The latter is due to
the buffering of output messages, which introduces the possibility of deadlock, whenever a
mixed-choice state (a state with both an input and an output transition leaving) is left by
both communication partner using shared output transitions at the same time.
Asynchronous compatibility is preserved by blackbox refinement of the PIOs under-
lying the given buffered PIOs. This preservation result is particularly useful from the
verification point of view due to the potential infinite state space of buffered PIOs. Once
asynchronous compatibility is verified, modular refinement checks for the PIOs underlying
the given buffered PIOs are sufficient to conclude asynchronous compatibility of the more
concrete composition.
64 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Theorem 4.32 (Preservation) Let (A,OBA) and (B,OBB) be composable αPIOs and let C
be a partitioned PIO. Let C and B be composable. If C vbb A and (A,OBA)↔a (B,OBB),
then (C,OBA)↔a (B,OBB).
PROOF. By Thm. 4.25 we have Ω(C,OBA)vbb Ω(A,OBA). By definition of asynchro-
nous output compatibility we have Ω(A,OBA)↔uΩ(B,OBB), hence Prop. 4.15 is applicable
and we obtain Ω(C,OBA)↔u Ω(B,OBB), which means that (C,OBA)↔a (B,OBB), again
by definition of asynchronous compatibility. 
Example 4.33 (Preservation) The αPIOs (Prod, OBProd) and (BufCtr, OBBufCtr) are asynchro-
nously output compatible due to ultra-weak output compatibility of Ω(Prod, OBProd) and
Ω(BufCtr, OBBufCtr). Consider the buffered PIOs in Fig. 4.8. The buffered producer may
always eventually reach a state which outputs put? with one step, since all put! transi-
tions are internal transitions. Ω(BufCtr, OBBufCtr) is then required, by the conditions of ultra-
weak output compatibility, to reach a global state with a matching input transition (la-
belled put?) after at most internal and non-shared output transitions. The buffered PIO
Ω(BufCtr, OBBufCtr) in Fig. 4.8 obviously meets these requirements and therefore, we have in-
deed (Prod, OBProd)↔a (BufCtr, OBBufCtr).
If the producer is replaced by a more concrete process such as Toast (cf. Ex. 4.26), then
asynchronous output compatibility is preserved if Toastvbb Prod. Put differently, once we
know about asynchronous output compatibility, it suffices to check finite-state PIOs in order
to ensure its preservation. In the example Thm. 4.32 is applicable due to ToastvbbProd and
thus it follows from (Prod, OBProd)↔a (BufCtr, OBBufCtr) that (Toast, OBProd)↔a (BufCtr, OBBufCtr).
3. Compatibility and N-ary Composition
In this section we show how to transfer the binary notion of output compatibility to
a notion of output compatibility for n-ary compositions called communication-safety and
discuss possibilities to derive this global property from pairwise or incremental compat-
ibility analysis respectively. We consider only the case of synchronous communication,
since buffered PIOs are PIOs (cf. Prop. 4.23) and thus any definition and result holds anal-
ogously in the context of asynchronous communication1. Therefore we will use the notion
of communication-safety for compositions of PIOs as well as for compositions of buffered
PIOs. In the latter case we assume a definition analogous to Def. 4.34 below using αPIOs
(A,OBA) instead of A.
3.1. Communication-Safety. The notion of communication-safety is a direct trans-
fer of the binary definition of output compatibility to an n-ary composition of PIOs. If a
global state inR(⊗iAi) is safe, then there is for any globally reachable local output action
a reachable local input such that the output may be synchronised within the global product.
Definition 4.34 (Communication-safety) Let (A1, . . . , An) be pairwise composable PIOs
with Ai = ((Ii, Oi, Ti), Si, s0,i,∆i,Πi). A state (s1, . . . , sn) ∈ R(
⊗
iAi) is communi-
cation-safe (comm-safe) for Ak with k ∈ {1, . . . , n}, if the following holds:
∀l ∈ Ok ∩ (
⋃
i Ii) . ∃s′k ∈ Sk . (sk, l, s′k) ∈ ∆k =⇒
(∃j ∈ {1, . . . , n} \ {k} . ∃s′j ∈ Sj . (sj , l, s′j) ∈ ΠOjj ),
where Oj ⊆ (Oj \ Ik) ∪ T (Aj). The IOTS Ak is comm-safe in (A1, . . . , An), if all
(s1, . . . , sn) ∈ R(
⊗
iAi) are comm-safe for Ak. (A1, . . . , An) is comm-safe, if Ak is
comm-safe in (A1, . . . , An) for all 1 ≤ k ≤ n. Ultra-weak comm-safety is defined using
comm-safety with O = (Oj \ Ik) ∪ T (Aj), weak comm-safety with Oj = T (Aj) and
strong comm-safety with Oj = ∅.
1Neither the definitions nor the results of the given section assume finite transition systems.
3. COMPATIBILITY AND N-ARY COMPOSITION 65
Blackbox refinement preserves weak and ultra-weak comm-safety. Strong comm-
safety, however, is not preserved due to the possibility of adding and removing internal
transitions in refined PIOs.
Proposition 4.35 (Preservation) Let A1, . . . , An be pairwise composable PIOs and let
k ∈ {1, . . . , n}. Let C be a PIO such that C is composable with Ai for all i 6= k. If
C vbb Ak and (A1, . . . , An) is weakly (ultra-weakly) comm-safe, then (A1, . . . , Ak−1, C,
Ak+1, . . . An) is weakly (ultra-weakly) comm-safe.
The proof relies on the following lemma.
Lemma 4.36 Let (A1, . . . , An) be pairwise composable PIOs. If (A1, . . . , An) is comm-
safe, then Ak ↔ (A1 ⊗ · · · ⊗Ak−1 ⊗Ak+1 ⊗ · · · ⊗An) for all k ∈ {1, . . . , n}.
PROOF OF LEMMA. Let AR = (A1 ⊗ · · · ⊗ Ak−1 ⊗ Ak+1 ⊗ · · · ⊗ An). By comm-
safety of (A1, . . . , An) it holds that Ak is comm-safe in (A1, . . . , An), thus all reachable
states of ⊗i(Ai) are comm-safe for Ak. Therefore, the reachable states of Ak ⊗ AR are
comm-safe for Ak and we have for all (sk, sR) ∈ R(Ak ⊗AR) that
∀l ∈ OAk ∩ IAR . ∃s′k ∈ SAk . (sk, l, s′k) ∈ ∆Ak =⇒
∃s′R ∈ SAR . (sR, l, s′R) ∈ ΠORAR ,
withOR ⊆ (OAR \IAk)∪T (AR). Thus the compatibility condition (A-Out) holds for Ak
andAR. The proof for condition (B-Out) is analogous in the direction fromAR toAk. 
PROOF OF PROPOSITION. Let AR = (A1 ⊗ · · · ⊗ Ak−1 ⊗ Ak+1 ⊗ · · · ⊗ An). By
Lem. 4.36 it follows that Ak↔w AR and Ak↔u AR. Thus by C vbb Ak, Prop. 4.19 and
Prop. 4.15 we have C↔w AR and C↔u AR, and hence (A1, . . . , Ak−1, C,Ak+1, . . . An)
is weakly (ultra-weakly) comm-safe. 
3.2. Pairwise and Incremental Analysis. The global property of weak comm-safety
can be derived from pairwise compatibility analysis. In contrary, to verify ultra-weak
comm-safety one needs to apply an incremental approach: Knowing comm-safety for n−1
transition systems, it suffices to check compatibility between their composition and an nth
transition system to derive comm-safety for the complete product. In the following we
make these claims precise.
Theorem 4.37 (Pairwise weak) Let A1, . . . , An be pairwise composable PIOs. If Ai↔w
Aj for all i, j ∈ {1, . . . , n} with i 6= j, then (A1, . . . , An) is weakly comm-safe.
PROOF. By induction on the number of composed transition systems.
Base case (n = 2). Let (A1, A2) be pairwise composable PIOs and assumeA1↔wA2,
then, by the conditions for weak output compatibility, for all (sA1 , sA2) ∈ R(A1 ⊗A2),
∀l ∈ OA1 ∩ IA2 . ∀s′A1 ∈ SA1 . (sA1 , l, s′A1) ∈ ∆A1 =⇒(1)
(∃s′A2 ∈ SA2 . (sA2 , l, s′A2) ∈ ΠT (A2)A2 )
∀l ∈ OA2 ∩ IA1 . ∀s′A2 ∈ SA2 . (sA2 , l, s′A2) ∈ ∆A2 =⇒(2)
(∃s′A1 ∈ SA1 . (sA1 , l, s′A1) ∈ ΠT (A1)A1 )
By (1) it follows that (sA1 , sA2) is weakly comm-safe for A1 and by (2) the same holds
for A2, thus (A1, A2) is weakly comm-safe.
Induction step (n+1). Let (A1, . . . , An+1) be pairwise composable and weakly output
compatible PIOs. LetAR = (A1⊗· · ·⊗An). By the assumption of pairwise compatibility,
An+1↔w Ai for all 1 ≤ i ≤ n, thus it follows by Lem. 4.38 that An+1↔w AR. Thus, by
induction assumption, (AR, An+1) is weakly comm-safe and therefore (A1, . . . , An+1) is
weakly comm-safe. 
66 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Lemma 4.38 Let (A1, A2, A3) be pairwise composable PIOs. If A1↔w A2, A1↔w A3
and A2↔w A3, then A1↔w (A2 ⊗A3) and (A1 ⊗A3)↔w A2.
PROOF. First we show A1 ↔w (A2 ⊗ A3). By A1 ↔w A2, the conditions (1) and
(2) above (Proof (Prop. 4.37), p. 65) hold. Let (sA1 , sA2 , sA3) ∈ R(A1 ⊗ A2 ⊗ A3).
Obviously we have (sA1 , sA2) ∈ R(A1 ⊗ A2) and (sA2 , sA3) ∈ R(A2 ⊗ A3). By (1)
there exists s¯A2 , s¯
′
A2
∈ SA2 such that (sA2 , s¯A2) ∈ ΠT (A2)A2 and (s¯A2 , l, s¯′A2) ∈ ΠA2 .
Since T (A2) is not shared with any composable PIO, Lem. 4.3 is applicable and it follows
that (s¯A2 , sA3) ∈ ΠT (A2)A2⊗A3 and thus condition (A-Out) of weak output compatibility holds
for A1 and A2 ⊗ A3. Condition (B-Out) holds analogously using (2) and hence A1 ↔w
(A2 ⊗A3).
Since we could have chosen A2 instead of A1 and A1 ⊗ A3 instead of A2 ⊗ A3 we
have also (A1 ⊗A3)↔w A2. 
Example 4.39 (Pairwise ultra-weak) Proposition 4.37 does not hold for the case of ultra-
weak output compatibility. Let A1, A2 and A3 be pairwise composable PIOs as given in
Fig. 4.12. Let S(A1, A2) = {x}, S(A2, A3) = {y} and S(A1, A3) = {z}.
A1
/x z/
A2
/y x/
A3
/z y/
FIGURE 4.12. Pairwise ultra-weak compatibility does not imply comm-safety
ThenA1↔uA2,A2↔uA3 andA1↔uA3 but (A1, A2, A3) is not ultra-weakly comm-safe,
due to state (s0,A1 , s0,A2 , s0,A3) which is globally reachable but invalidates the require-
ment of ultra-weak comm-safety (Def. 4.34) for Ak with any k ∈ {1, 2, 3}.
As the example suggests we need a kind of global analysis to obtain ultra-weak com-
munication safety. This kind of analysis is also valid for weak compatibility.
Proposition 4.40 (Increment. ultra-weak) Let (A1, . . . , An) be pairwise composable PIOs.
If (A1, . . . An−1) is ultra-weakly comm-safe and (⊗n−1i=1 Ai)↔u An then (A1, . . . , An) is
ultra-weakly comm-safe.
PROOF. By induction on the number n of PIOs. The case n = 0 is trivial. Let n ∈ N.
By induction hypothesis it holds that (A1, . . . An) is ultra-weakly comm-safe. We need to
show that (⊗ni=1Ai)↔u An+1 implies ultra-weak comm-safety of (A1, . . . , An+1). Let
AR = (⊗ni=1Ai). By the compatibility condition (A-Out) for AR↔u An+1 we obtain that
An+1 is ultra-weakly comm-safe in (A1, . . . , An+1). With condition (B-Out) we obtain
ultra-weak comm-safety of AR in (A1, . . . , An+1). 
Note that the reverse direction considered in Lem. 4.36 does not claim communication-
safety of (A1, . . . An−1). Compatibility within a composition of transition systems may
depend on “unused inputs”. For example an output which is preceeded by an input that
is shared but not used by the communication partner is not reachable in the product of
these transition systems. Therefore, even though these transition systems are incompatible
their composition results in a transition system that is comm-safe. Unused input transitions
motivated the "optimistic" approach to compatibility studied by de Alfaro and Henzinger
[dAH01a]. The idea is to allow for incompatibilities as long as these are reachable only
via unused inputs. Their approach, however requires a special composition operator.
4. Greybox Refinement and General Properties
Within this section we study a notion of refinement, greybox refinement, that allows
to take synchronisation transitions within compositions of transition systems into account.
The difference with regard to blackbox refinement is similar to the difference between
4. GREYBOX REFINEMENT AND GENERAL PROPERTIES 67
∀l ∈ IA ∪OA ∪ TA . ∀s′A ∈ SA . (sA, l, s′A) ∈ ΠA =⇒(A-IOT)
(∃s′C ∈ SC . (sC , l, s′C) ∈ ΠτC ∧ (s′A, s′C) ∈ R)
∀s′A ∈ SA . (sA, τ, s′A) ∈ ΠA =⇒(A-Tau)
(∃s′C ∈ SC . (sC , s′C) ∈ ΠτC ∧ (s′A, s′C) ∈ R)
∀l ∈ IC ∪OC ∪ TC . ∀s′C ∈ SC . (sC , l, s′C) ∈ ∆C =⇒(C-IOT)
(∃s′A ∈ SA . (sA, l, s′A) ∈ ∆τA ∧ (s′A, s′C) ∈ R)
∀s′C ∈ SC . (sC , τ, s′C) ∈ ∆C =⇒(C-Tau)
(∃s′A ∈ SA . (sA, s′A) ∈ ∆τA ∧ (s′A, s′C) ∈ R)
FIGURE 4.13. Conditions for greybox refinement between A and C
greybox and blackbox equivalence considered in the context of I/O-transition systems used
for the formalisation of component behaviours in Chap. 2. The definition treats internal
transitions like input and output, but is still relaxed with regard to τ -transitions.
Definition 4.41 (Greybox refinement) Let A and C be PIOs. C is a greybox refinement of
A, written CvgbA, if LA = LC and there existsR ⊆ SA×SC such that (s0,A, s0,C) ∈ R
and for all (sA, sC) ∈ R the conditions in Tab. 4.13 hold.
Greybox refinement strengthens the conditions for internal transitions to be simulated
analogously to I/O-transitions. Thus, a given greybox refinement relation can be used to
witness blackbox refinement. Furthermore, greybox and blackbox refinement coincide for
systems without internal transitions.
Lemma 4.42 Let A and C be PIOs with LA = LC . If C vgb A then Cξ vgb Aξ. 
Proposition 4.43 Let A and C be PIOs with LA = LC . Then the following holds.
(1) If C vgb A then C vbb A.
(2) If C vbb A and TA = TC = ∅ then C vgb A.
PROOF. (1) By Lem. 4.42 it holds that CξvgbAξ. Consider the conditions ofvgb. If
we hide internal transitions in A and C, then we may remove TA and add TC in condition
(A-IOT) such that condition (A-I/O) of blackbox refinement is obtained. The remaining
conditions are treated analogously and hence, forA and C with hidden internal transitions,
the conditions (A-IOT), (A-Tau), (C-IOT) and (C-Tau) are equivalent to the respective
conditions (A-I/O), (A-Int), (C-I/O) and (C-Int) of blackbox refinement. (2) For PIOs
without internal transitions, the conditions for greybox and blackbox refinement coincide
analogously to (1). For instance, adding TA and removing TC from condition (A-I/O) of
blackbox refinement yields (A-IOT); and similar for the remaining clauses. 
Note that the assumption on empty sets of internal transitions is necessary. Consider
for example the case of TA 6= ∅. Then C is allowed by clause (A-Int) of blackbox refine-
ment to skip internal transitions labelled with l ∈ TA. Such an internal transition, however,
would be required to be preserved along clause (A-IOT) of greybox refinement. If, on the
other hand, TC 6= ∅ then it would be possible for the concrete system C to add an internal
transition not present in A along clause (C-Int) of blackbox refinement. But this is not
compatible with requirement (C-IOT) of greybox refinement.
Proposition 4.44 (Preorder) Let A, C and D be PIOs. Then AvgbA and if DvgbC and
C vgb A then D vgb A.
PROOF. Analogously to blackbox refinement (cf. Prop. 4.8). 
68 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
Theorem 4.45 (Precongruence) Let A, B and C be PIOs such that A, B and C, B are
composable. If C vgb A, then C ⊗B vgb A⊗B.
PROOF. Let A ⊗ B = ((IAB , OAB , TAB), SAB , s0,AB ,∆AB ,ΠAB) and C ⊗ B =
((ICB , OCB , TCB), SCB , s0,CB ,∆CB ,ΠCB). Let RAC be a witness for C vgb A with
(s0,A, s0,C) ∈ RAC and let
R = {((sA, sB), (sC , sB)) | (sA, sC) ∈ RAC ∧ (sA, sB) ∈ R(A⊗B)},
then ((s0,A, s0,B), (s0,C , s0,B)) ∈ R. Let ((sA, sB), (sC , sB)) ∈ R. We check the condi-
tions of greybox refinement for R.
(Case A-IOT) Let l ∈ IAB ∪OAB ∪ TAB and ((sA, sB), l, (s′A, s′B)) ∈ ΠAB.
If l ∈ IA ∪ OA ∪ TA, then there exists (sA, l, s′A) ∈ ΠA and sB = s′B . By clause
(A-IOT) for RAC there exists s′C ∈ SC such that (sC , l, s′C) ∈ ΠτC and (s′A, s′C) ∈
RAC . Since l /∈ S(C,B) (by l /∈ S(A,B), LA = LC) we have by Lem. 4.3 (2), that
((sC , sB), l, (s′C , sB)) ∈ ΠτCB. Since (s′A, sB) ∈ R(A ⊗ B) it follows that ((s′A, sB),
(s′C , sB)) ∈ R.
If l ∈ IB ∪OB ∪TB , then there exists (sB , l, s′B) ∈ ΠB and sA = s′A. Hence ((sC , sB), l,
(sC , s′B)) ∈ ΠCB and since (sA, s′B) ∈ R(A⊗B), it follows that ((sA, s′B), (sC , s′B)) ∈
R.
If l ∈ S(A,B), then there exists (sA, l, s′A) ∈ ΠA and (sB , l, s′B) ∈ ΠB , and ei-
ther l ∈ IA ∩ OB or l ∈ OA ∩ IB . In both cases, by (A-IOT) for RAC , there ex-
ists s′C ∈ SC such that (sC , l, s′C) ∈ ΠτC and (s′A, s′C) ∈ RAC . By Lem. 4.3 (3) it
follows that ((sC , sB), l, (s′C , s′B)) ∈ ΠτCB and since (s′A, s′B) ∈ R(A ⊗ B) we have
((s′A, s′B), (s′C , s′B)) ∈ R.
(Case A-Tau) Let ((sA, sB), τ, (s′A, s′B)) ∈ ΠAB. Then either (sA, τ, s′A) ∈ ΠA
and sB = s′B or (sB , τ, s′B) ∈ ΠB and sA = s′A. In the former case, by (A-Tau) for
RAC , there exists s′C ∈ SC such that (sC , s′C) ∈ ΠτC and (s′A, s′C) ∈ RAC . Then, by
Lem. 4.3 (1), ((sC , sB), (s′C , sB)) ∈ ΠτCB. Since (s′A, sB) ∈ R(A ⊗ B) it follows that
((s′A, sB), (s′C , sB)) ∈ R. For the latter case we have ((sC , sB), τ, (sC , s′B)) ∈ ΠCB and
since (sA, s′B) ∈ R(A⊗B) it follows that ((sA, s′B), (sC , s′B)) ∈ R.
(Case C-IOT) Let l ∈ ICB ∪OCB ∪ TCB and ((sC , sB), l, (s′C , s′B)) ∈ ΠCB.
If l ∈ IC ∪OC ∪TC , then there exists (sC , l, s′C) ∈ ∆C and sB = s′B . By clause (C-IOT)
for RAC there exists s′A ∈ SA such that (sA, l, s′A) ∈ ∆τA and (s′A, s′C) ∈ RAC . By
Lem. 4.3 (2) it follows that ((sA, sB), l, (s′A, sB)) ∈ ∆τAB. Since (s′A, sB) ∈ R(A ⊗ B)
we also have ((s′A, sB), (s′C , sB)) ∈ R.
If l ∈ IB ∪OB ∪ TB , then there exists (sB , l, s′B) ∈ ∆B and sC = s′C . Hence ((sA, sB),
l, (sA, s′B)) ∈ ∆AB and since (sA, s′B) ∈ R(A⊗B) and (sA, sC) ∈ RAC it follows that
((sA, s′B), (sC , s′B)) ∈ R.
If l ∈ S(C,B), then there exists (sC , l, s′C) ∈ ∆C and (sB , l, s′B) ∈ ∆B , and either
l ∈ IC ∩ OB or l ∈ OC ∩ IB . In both cases, by (C-IOT) for RAC , there exists s′A ∈
SA such that (sA, l, s′A) ∈ ∆τA and (s′A, s′C) ∈ RAC . By Lem. 4.3 (3) it follows that
((sA, sB), (s′A, s′B)) ∈ ∆τAB, hence (s′A, s′B) ∈ R(A⊗B) and ((s′A, s′B), (s′C , s′B)) ∈ R.
(Case C-Tau) Let ((sC , sB), τ, (s′C , s′B)) ∈ ∆CB. Then either (sC , τ, s′C) ∈ ∆C
and sB = s′B , or (sB , τ, s′B) ∈ ∆B and sC = s′C . In the former case, by (C-Tau) for
RAC there exists s′A ∈ SA such that (sA, s′A) ∈ ∆τA and (s′A, s′C) ∈ RAC . Then by
Lem. 4.3 (1), ((sA, sB), (s′A, sB)) ∈ ∆τAB. Since (s′A, sB) ∈ R(A ⊗ B) it follows that
((s′A, sB), (s′C , sB)) ∈ R. For the latter case we have ((sA, sB), τ, (sA, s′B)) ∈ ∆AB and
since (sA, s′B) ∈ R(A⊗B) it follows that ((sA, s′B), (sC , s′B)) ∈ R. 
Corollary 4.46 (Compositionality) Let A, B and C, D be PIOs such that A, B and C, D
are composable. If C vgb A and D vgb B, then C ⊗D vgb A⊗B.
PROOF. The proof is analogous to the case of blackbox refinement (cf. Prop. 4.12)
using Prop. 4.44 and Thm. 4.45 for greybox refinement. 
4. GREYBOX REFINEMENT AND GENERAL PROPERTIES 69
4.1. Blackbox vs Greybox Refinement. Blackbox refinement between PIOs without
internal transitions can be used to derive greybox refinement.
Theorem 4.47 (Blackbox vs Greybox) Let A, B and C be PIOs such that A, B are com-
posable with TA = TB = TC = ∅. If C vbb A then C ⊗B vgb A⊗B.
PROOF. The claim follows by Prop. 4.43 (2) and Thm. 4.45. 
Using Cor. 4.46 we obtain from corresponding assumptions that C⊗DvgbA⊗B. There-
fore, in order to establish greybox refinement between compositions of PIOs, one either
checks greybox refinement for each of the PIOs of the composition or, in case there are
local internal transitions that hinder this approach, one first hides all local steps and then
checks either blackbox or greybox refinement.
For asynchronous communication we consider only the case of completely buffered
PIOs. The general case holds analogously.
Theorem 4.48 (Blackbox vs Greybox (asynchronous)) Let A, B and C be PIOs such that
A, B and C, B are composable. If C vbb A then Ω(C)ξ ⊗ Ω(B)ξ vgb Ω(A)ξ ⊗ Ω(B)ξ.
PROOF. By Thm. 4.25 we have Ω(C)vbb Ω(A) and by Lem. 4.5, Ω(C)ξvbb Ω(A)ξ.
Now the claim follows by Prop. 4.47. 
It is an open question if Thm. 4.48 holds for buffered PIOs where only the local actions
of the underlying control automata A, B and C are hidden.
4.2. Weak Simulation and Temporal Logics. The conditions (C-IOT) and (C-Tau)
of greybox refinement correspond to the requirements of weak simulation between general
labelled transition systems. By this means it is immediate that properties expressed with
respect to the transition relation ∆A of an abstract PIO A which are known to be preserved
by weak simulation are also preserved by greybox refinement, and thus hold for a greybox
refinement C of A. In the following we will define a notion of weak simulation for PIOs
that takes only the relation ∆ into account and investigate preservation results based on
finite and infinite weak traces. A specialised logic that takes both relations into account is
defined in [HJS01], though only for strong modal logic.
Definition 4.49 (Weak simulation) Let A and C be PIOs. A weakly simulates C, written
C 4∆ A, if LA = LC and there exists R ⊆ SA × SC such that (s0,A, s0,C) ∈ R and for
all (sA, sC) ∈ R the following conditions hold:
∀l ∈ IC ∪OC ∪ TC . ∀s′C ∈ SC . (sC , l, s′C) ∈ ∆C =⇒(C-IOT)
(∃s′A ∈ SA . (sA, l, s′A) ∈ ∆τA ∧ (s′A, s′C) ∈ R)
∀s′C ∈ SC . (sC , τ, s′C) ∈ ∆C =⇒(C-Tau)
(∃s′A ∈ SA . (sA, s′A) ∈ ∆τA ∧ (s′A, s′C) ∈ R)
Analogously, we define a weak simulation from C to A, denoted by A 4Π C using
the set of persistent transitions Π. In the following we focus on the direction from A to C.
Weak simulation from C to A is used in the discussion of liveness properties below.
Corollary 4.50 (Weak simulation) Let A and C be PIOs. If C vgb A then C 4∆ A.
With Cor. 4.50 a number of known results for weak simulation carry over to greybox
refinement. In the case of τ -free transition systems one could even transfer results known
for strong simulation relations, for instance preservation of the universal and the existential
fragments of CTL∗ [BKL08, Thm. 7.76, Thm. 7.79]. In the following, however, we stick
to transition systems with τ -transitions.
70 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
First, we consider trace inclusion. Let A be a PIO and let s ∈ SA. The state s is
terminal if it has no outgoing transitions, i.e. for all l ∈ L(A) and for all s′ ∈ SA it holds
that (s, l, s′) /∈ ∆A. A finite ∆-run of A is a finite sequence s0,Al1s1 . . . sn−1lnsn with
si ∈ SA, li+1 ∈
⋃
LA and (si, li+1, si+1) ∈ ∆τA for all 0 ≤ i < n. An infinite ∆-run of A
is an infinite sequence s0,Al1s1l2 . . . with si ∈ SA, li+1 ∈
⋃
LA and (si, li+1, si+1) ∈ ∆τA
for all i ≥ 0. A maximal ∆-run of A is either infinite, or finite with sn being a terminal
state.
A finite weak ∆-trace of A is a finite sequence l1 . . . ln with li ∈
⋃
LA such that
there is a finite ∆-run s0l1s1 . . . sn−1lnsn of A. With T ∗∆(A) we denote the set of finite
weak ∆-traces of A. An infinite weak ∆-trace of A is an infinite sequence l1l2 . . . with
li ∈
⋃
LA such that there is a infinite ∆-run s0l1s1l2 . . . of A. With T∆(A) we denote the
set of all infinite and finite weak ∆-traces such that there is a maximal ∆-run of A.
Proposition 4.51 (Greybox trace inclusion) Let A and C be PIOs. Let C be without
terminal states. If C vgb A then T∆(C) ⊆ T∆(A).
PROOF. Since C is without terminal states it suffices to consider infinite runs. Let
% = s0,C l1s1,C l2 . . . be an infinite ∆-run ofC. By Cor. 4.50 there exists a weak simulation
relation R ⊆ SA × SC such that (si,A, si,C) ∈ R for all i ≥ 0. The relation can be used
to construct inductively an infinite ∆-run s0,Al1s1,Al2 . . . of A. Since the ∆-runs yield the
same infinite weak ∆-trace, we have T∆(C) ⊆ T∆(A). 
The assumption on terminal states is necessary. The example in Fig. 4.14 satisfies
C vgb A as witnessed by the relation R = {(a1, c1), (a2, c2), (a3, c3), (a4, c2)}. But
T∆(C) 6⊆ T∆(A) since m1 ∈ T∆(C) and m1 /∈ T∆(A).
(a) Concrete system C
c4
m2m1c1 c2 c3
m1
(b) Abstract system A
a3
m2m1a1 a2
FIGURE 4.14. Terminal states invalidate greybox trace inclusion
Greybox trace inclusion also holds for finite weak ∆-traces.2 We use Prop. 4.51 for
the proof of the following lemma and hence assume C to be without terminal states. A
direct proof would not need this assumption. Let % ∈ T∆(A) be a weak infinite ∆-
trace of A. The set of finite prefixes pref (%) is given by pref (%) = {%¯ ∈ (⋃LA)∗ |
%¯ is a finite prefix of %}. For example, if % = l1l2 . . . then pref (%) = {, l0, l0l1, . . .}.
Lemma 4.52 Let A and C be PIOs. Let C be without terminal states. If C vgb A then
T ∗∆(C) ⊆ T ∗∆(A).
PROOF. By Prop. 4.51 we have T∆(C) ⊆ T∆(A). The set of finite prefixes for
T∆(A) and T∆(C) coincide with the set of finite weak ∆-traces of A and C respectively.
Since pref is monotone we have pref (T∆(C)) ⊆ pref (T∆(A)), where pref (T∆(C)) =⋃
%∈T∆(C) pref (%) and analogous for A. Therefore T
∗
∆(C) ⊆ T ∗∆(A). 
The infinite part of greybox trace inclusion was used in [HJK09] to prove the preser-
vation of buffered compatibility, a notion of compatibility similar to our current definition
of asynchronous compatibility. In the following we investigate the preservation of more
general properties.
Safety and liveness properties. Safety properties specify that, within a transition system,
a certain action may not happen or a certain state may not be reachable. In the following we
2 cf. [BKL08, Thm. 3.30] for a corresponding claim w.r.t. strong traces.
4. GREYBOX REFINEMENT AND GENERAL PROPERTIES 71
consider the formalisation of safety properties as given by Tracta in the context of labelled
transition systems (LTS) [Gia99]. Tracta focuses on actions and uses finite deterministic τ -
free labelled transition systems for the specification of safety properties.3 The finite traces
of these property automata formally represent a safety property P using a subset of the
observable alphabet of the LTS to which P relates. Satisfaction is defined using finite trace
inclusion between the property P and the LTS restricted to the alphabet of P . Tracta uses
traces with observable actions [Gia99, p. 14] corresponding to our notion of weak finite
traces (cf. T ∗ for IOTSs in Sect. 2.1 in Chap. 3). Based on this observation we transfer
the Tracta approach to our setting as follows.
Denote the weak finite traces of an LTS by T ∗. Let A be a PIO. A safety property Psf
for A is specified by a τ -free deterministic LTS Psf = (
⋃
LA, S, s0,∆). A satisfies Psf ,
written A |= Psf if and only if T ∗∆(A/H) ⊆ T ∗(Psf), where H =
⋃
LA \
⋃
LPsf .
Next we show that greybox refinement preserves safety properties. For the proof we
rely on Lem. 4.52 which requires the concrete system to be without terminal states. Using
Cor. 4.50 and a lemma for PIOs analogous to Lem. 3.6 on finite trace equivalence between
IOTSs one could drop this assumption for the following theorem.
Theorem 4.53 Let A and C be PIOs. Let C be without terminal states. If C vgb A then it
holds that A |= Psf implies C |= Psf .
PROOF. By A |= Psf we have T ∗∆(A/H) ⊆ T ∗(Psf) with H =
⋃
LA \
⋃
LPsf .
Since H ⊆ LA and LA = LC by C vgb A, it follows from the definitions that C/H vgb
A/H . Moreover, hiding does not affect the absence of terminal states, thus Lem. 4.52 is
applicable and it follows that T ∗∆(C/H) ⊆ T ∗∆(A/H) and hence C |= Psf . 
There is an interesting connection between the satisfaction of safety properties and
neutral behaviours as discussed in Chap. 3. Since property automata are τ -free we may
apply Prop. 3.8 in order to check if a certain safety property is satisfied. Neutrality was
considered in the context of component behaviours and IOTSs. A corresponding notion for
PIOs could be defined with regard to the transition relation ∆. LetA andB be composable
PIOs. B is ∆-neutral for A if AθS(A,B) ≈gb∆ A ⊗ B (cf. p. 36), where ≈gb∆ denotes
greybox equivalence with respect to the transition relations ∆ on both sides. With an
analogy to Prop. 3.8 we obtain for composable PIOs A and B such that
⋃
LB ⊆
⋃
LA and
H =
⋃
LA \
⋃
LB , B is ∆-neutral for A iff T ∗∆(A/H) ⊆ T ∗(B). Therefore, if Psf is a
safety property for A we have
A |= Psf if and only if Psf is ∆-neutral for A.
Liveness properties assert that "eventually something good happens". In contrast to
safety properties along finite traces, eventuality relates to the infinite traces of a system
and requires, in the context of transition systems, an action to happen infinitely often or
a state to be visited repeatedly, for instance. Using a weak simulation from C to A, the
results above hold analogously for traces in Π. Therefore, we could use A 4Π C to claim
the preservation of liveness properties similar to Thm. 4.53. However, as weak simulation
is known to be ignorant with regard to divergence (infinite τ -paths) it is immediate that
greybox refinement does not preserve liveness properties in general. Consider for instance
the two examples in Fig. 4.15, taken from [Gia99, p. 101]. A liveness property φ could
require that it is always the case that if m happens then eventually n happens, using LTL
the requirement reads as (m =⇒ ♦n). Both abstract PIOs, A1 and A2, satisfy φ, but
neither does C1 nor C2, which is due to the diverging τ -paths.
One way to cope with τ loops is to extend greybox refinement with an additional
requirement for divergence, making the refinement relation divergence-sensitive. By this
means liveness properties such as φ could be preserved. We believe that such an extension
3Determinism is not a restriction. A non-deterministic LTSs can be transformed to an equivalent deterministic
LTS; cf. [Gia99, Sect. 5.1.3]
72 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
(a) C1 (left) and A1 (right)
n
m
n
m
c2 vgb
τ
τ
c0 c1 a0 a1
(b) C2 (left) and A2 (right)
nm m n
c1c0
τ
a0 a1 a2vgbc2
FIGURE 4.15. Greybox refinement ignores divergence
would allow for an even more general statement, as divergence-sensitive weak equivalence
is known to preserve CTL∗\© formulas [BKL08, Lem. 7.129], that is, CTL∗ formulas
without the next operator. Since CTL∗ comprises both, CTL and LTL, such an extension
would be quite useful. We briefly address this issue in the next section.
Stutter trace inclusion. Greybox trace inclusion in the context of PIOs seems to be
an analogy to stutter trace inclusion in the context of Kripke structures as considered by
[BKL08, p. 533].4 In this case, Cor. 7.93 of [BKL08] would carry over which states the
preservation of LTL\© formulas. Stutter steps are used to abstract from internal steps.
Stutter trace inclusion then requires for all traces %C of a concrete system C the existence
of a trace %A in the abstract systemA such that %C and %A are stutter equivalent, i.e. equiv-
alent modulo stutter steps. However, a closer look reveals an important difference in the
underlying set of traces. [BKL08, Def. 7.89] considers traces as given by the executions
(runs) of the underlying transition system. Our formalisation, in contrast, uses weak traces
without internal labels, that is, traces that rely on steps (si, li+1, si+1) ∈ ∆τ with li ∈
⋃
L.
A definition that includes internals would require li ∈
⋃
L ∪ {τ}.
More precisely, an infinite strong ∆-run of a PIOA is an infinite sequence s0,Al1s1l2 . . .
with si ∈ SA, li+1 ∈
⋃
LA ∪ {τ} and if li+1 6= τ then (si, li+1, si+1) ∈ ∆τA, and if
li+1 = τ then (si, si+1) ∈ ∆τA, for i ≥ 0. An infinite strong ∆-trace of A is an infinite
sequence l1l2 . . . with li ∈
⋃
LA ∪ {τ} such that there is a strong ∆-run s0l1s1l2 . . . of A.
We denote the set of infinite strong ∆-traces of A by T s∆(A). Note that the definition is
still relaxed with respect to the number of τ transitions.
As mentioned above, greybox refinement is too weak with regard to divergent τ paths
to ensure trace inclusion for strong ∆-traces. Consider for example the transition systems
in Fig. 4.16. It holds that C vgb A but T s∆(C) 6⊆ T s∆(A) since τω = ττ . . . ∈ T s∆(C)
while τω /∈ T s∆(A).
(a) Concrete system C
m
τ
(b) Abstract system A
m
τ
FIGURE 4.16. Greybox refinement and strong ∆-traces
4In other words, greybox trace inclusion uses the action (event) labels of a transition system, hence is action-
based, while stutter trace inclusion uses state propositions, hence is state-based.
5. DISCUSSION AND RELATED WORK 73
A solution along the lines of divergence-sensitive equivalence relations as defined in
[BKL08, Def. 7.106] requires an extension of our refinement relations that takes diver-
gence of the concrete system into account. A state s ∈ SA of a PIO A diverges if there
exists an infinite execution fragment sl1s1l2 . . . ∈ frag(A) such that li = τ for all i ≥ 1.
Let A and C be PIOs. A refinement relation R ⊆ SA × SC is divergence-sensitive if
for all (sA, sC) ∈ R it holds that, if sC diverges then sA diverges. A definition of
divergence-sensitive greybox refinement requires the existence of a divergence-sensitive
relation R ⊆ SA × SC such that (s0,A, s0,C) ∈ R and for all (sA, sC) ∈ R the conditions
in Tab. 4.13 hold.
Since divergence-sensitive weak equivalence is known to preserve CTL∗\© formulas
we believe that it is possible to show an analogous result for divergence-sensitive greybox
refinement. Such a result requires a translation between PIOs and Kripke structures which
could be based on work of de Nicola and Vaandrager who define a mapping between la-
belled transition systems and Kripke structures in [NV90]. However, still this relates to
the slightly restricted setting of this section which considered only the ∆ part of PIOs
and therefore it could be more effective to approach directly an extension of the strong
modal logic developed by [HJS01] to a weak modal logic suitable for the specification of
properties with regard to both transition relations of a PIO.
5. Discussion and Related Work
The development of a refinement theory initially started with a slightly aligned notion
of interface automata [dAH01a], called I/O-transition systems, in [BHH+06]. Since then,
the quest for an appropriate theory applicable to port-based components focused on inter-
face automata and extensions of their refinement relation based on alternating simulation
[dAH01a]. Alternating simulation is characterised by a simulation relation that alternates
between inputs and outputs. The correct refinement of a more abstract specification is re-
quired to show at least the inputs and at most the outputs as given by the specification. The
freedom to add inputs, in particular in combination with the freedom to add and remove
internal transitions is useful to allow implementations with additional I/O behaviour. But,
in contrary, it endangers the preservation of properties that have been verified on the level
of the specifications.
We considered the property output compatibility, a notion similar to “compatibility”
of de Alfaro and Henzinger but also to what is called “bad activity” by Adamek and Plasil
in [AP05]. It turned out that it is difficult to preserve compatibility if it is allowed to add
internal transitions before an input transition of the specification is simulated in the im-
plementation. The approach of de Alfaro and Henzinger disallows such a refinement, and
we did likewise in our first approach to transfer the relation to systems with asynchronous
communication in [HJK09]. However, we believe that refinements with additional inter-
nal transitions preceeding the simulated input transition are quite common, in particular in
the setting of component-based systems where composition and abstraction are the crucial
system building operators. Moreover, the preservation result for the relation developed in
[HJK09] did not generalise for arbitrary open systems.
The solution, motivated by the aims (1) to preserve a notion of weak compatibility
for both, synchronous and asynchronous communication and (2) to be transferable to open
systems with asynchronous communication required the strengthening of the refinement
relation with regard to the input transitions of a specification. If we do not allow to add ar-
bitrary input transitions we are one step closer to our aims. Additionally, in order to obtain
freedom with regard to preceeding internal transitions while preserving output compati-
bility, the preservation of these internal paths is required if it is a path to a matching input
transition. Taken together we arrive at a concept of "persistent transitions" as a subset of the
transitions of an IOTS that cover at least paths to inputs needed to preserve output com-
patibility of the specification. The resulting formalism of input-persistent I/O-transition
74 4. A THEORY FOR REFINEMENT AND COMPATIBILITY
systems is a special case of modal I/O automata [LNW07] and the given theory might
have been worked out on the basis of MIOs as considered in [BMSH10] for systems with-
out buffered message exchange as well. However, we abstained from doing so, since,
as argued in Sect. 1.1, the additional expressiveness seems not required in the context of
output compatible environments.
In [BMSH10] a notion of “interface theory” is defined, providing a formal frame
for a comprehensible and structured comparison of different refinement and compatibility
relations for modal I/O automata. An interface theory is a tuple (A,⊗,≤,∼) comprising
a domain A of specifications, a composition operator ⊗ : A × A → A, a reflexive and
transitive refinement relation ≤ ⊆ A × A, and a symmetric compatibility relation ∼ ⊆
A×A satisfying
(1) Compositional refinement: If S′ ≤ S and T ′ ≤ T then S′ ⊗ T ′ ≤ S ⊗ T .
(2) Preservation of compatibility: If S ∼ T and S′ ≤ S and T ′ ≤ T then S′ ∼ T ′.
As argued in the following, the theory developed within this chapter defines an interface
theory with asynchronous composition. PIOs with asynchronous output labelling (αPIO,
Def. 4.20) provide the specification domain. Asynchronous composition is given by prod-
ucts of buffered PIOs (Def. 4.22), i.e., for completely buffered PIOs by Ω(A)⊗Ω(B); re-
flexivity and transitivity holds by Cor. 4.27 and we denote the corresponding composition
operator by ⊗as. The refinement relation is given by blackbox refinement (vbb, Def. 4.4)
and the compatibility relation by asynchronous output compatibility (↔a, Def. 4.30).
Corollary 4.54 (αPIO,⊗as,vbb,↔a) is an interface theory.
PROOF. (1) Compositional refinement holds by Cor. 4.29 and (2) preservation of asyn-
chronous compatibility by Thm. 4.32. 
Finally, with the definition of greybox refinement, we distinguish a case that is im-
portant for the development of component-based systems but often neglected in the devel-
opment of interface theories: the different labels of internal transitions in the refinement
relation. For instance, both, interface automata with alternating simulation and modal I/O
automata with weak modal refinement ignore the concrete name of an internal label. This
is in fact equivalent to an approach with anonymous τ transitions. However, with such a re-
lation we can not investigate the preservation of properties concerning the communication
traces of a composed system. As to greybox refinement, we distinguish between internal
labels and τ , allowing to abstract from irrelevant implementation details while, at the same
time, preserving enough information to verify properties with regard to the communication
traces of a system.
None of the mentioned approaches considers buffered message exchange. Thus, asyn-
chronous compatibility was not yet considered in the context of the mentioned approaches.
In Chap. 5 we will see that there is a different research community, investigating the ver-
ification of properties similar to asynchronous compatibility. However, within these ap-
proaches refinement relations are usually not considered.
CHAPTER 5
On the Verification of PIO Systems
1. Verification Based on Finite-State PIOs 76
1.1. Compatibility, Refinement and Equivalence 76
1.2. A Criterion for Asynchronous Compatibility 77
2. Correspondence with Communicating Finite State Machines (CFSM) 81
2.1. From I/O-Transition Systems to CFSM Systems 81
2.2. Communication Safety and Unspecified Reception 83
2.3. CFSM Systems with Local Actions 86
2.4. Queue Content Decision Diagrams (QDD) 92
2.5. QDDs and Asynchronous Communication Safety 95
2.6. On Extensions for the Verification of PIOs 97
Verification problems usually belong to one of the following categories: (1) application-
specific properties such as safety properties of communication traces (2) generic properties
such as reachability or compatibility (3) semantic equivalence and refinement relations.
The preservation of safety properties was examined in Chap. 4 while Tab. 5.1 provides an
overview of some basic problems of interest with regard to (2) and (3). In this chapter we
consider foremost the verification of asynchronous communication-safety.
TABLE 5.1. Verification problems of interest
Verification Finite Infinite Mixed
Reachability R(A⊗B) R(Ω(A)⊗ Ω(B))
Compatibility A↔B Ω(A)↔ Ω(B)
Refinement C vA Ω(C)v Ω(A) Ω(C)vA
Equivalence A ≈ A′ Ω(A) ≈ Ω(A′) Ω(A) ≈ A′
The problems of the first column are concerned with finite state transition systems and
thus model checking techniques are readily applicable. Of course, one needs to adjust and
extend existing approaches and algorithms, but there remain the fundamental principles,
e.g. of reachability analysis or refinement and equivalence checking. The second column
involves buffered transition systems. Since these kinds of transition systems are equipped
with unbounded output queues, known problems related to the verification of infinite-state
systems also apply here. As an example consider our notion of asynchronous compatibil-
ity. The definition is a requirement for the reachable states of buffered transition systems.
Since composition shows, in general, again an infinite state space, the reachability problem
for infinite-state systems is of interest not only for a single buffered transition system but
also for their composition. For the refinement verification involving buffered transition sys-
tems, blackbox refinement between finite-state system was shown to be transferable to the
buffered case (cf. Prop. 4.25). The equivalence problem, however, still exists. Moreover,
there is no criteria or algorithm to decide on the refinement between a buffered and a finite
transition system such as Ω(A)v F . The latter example directly touches the third column
that shows problems where infinite and finite transition systems occur somehow “mixed”.
75
76 5. ON THE VERIFICATION OF PIO SYSTEMS
These kinds of verification problems are known as regularity problems [Kuc99]. Though,
we are not aware of an existing approach that is applicable to the refinement verification of
a buffered transition system and a non-buffered system.
The mentioned remaining open problems could be tackled by a test on the bounded-
ness of the underlying message buffers. If the system is bounded, finite-state techniques
can be applied. The approaches of Marechal et al. [MPR04] and Leue et al. [LMW04]
are quite close to our formal model of asynchronously communicating systems and thus
promising candidates for a transfer to a boundedness test for buffered PIO systems.
The general case, however, is that verification problems related to infinite-state sys-
tems are undecidable and one needs to find techniques with a trade-off between generality
(applicable only for restricted subclasses), termination (semi-algorithms which may not
halt) and exactness (over/under approximations of original system behaviour). As an ex-
ample for a technique that disclaims termination, we apply a symbolic approach in the
context of Communicating Finite State Machines (CFSM) [vB78]. A CFSM system con-
sists of a set of finite state machines communicating with each other via unbounded, full-
duplex, error-free FIFO-channels. With respect to analysis, early CFSM related research
was usually interested in the verification of generic or application-specific properties. At
the core of these problems there is the reachability problem shown to be undecidable in the
seminal work of Brand and Zafiropulo [BZ83]. As a consequence, a number of interest-
ing verification questions are undecidable for the general class of CFSM systems [CF05,
Thm. 14], amongst others a communication error named unspecified reception. Later it
will turn out that there is not only a close correspondence between buffered transition
systems and CFSM systems but also in the generic properties of interest. Asynchronous
comm-safety of transition systems is closely related to the notion of unspecified reception
in CFSM systems.
In the remainder, we first summarise existing tools and approaches that are applica-
ble to the verification of compatibility, refinement, and equivalence of finite-state PIOs.
After that, we focus on the verification of asynchronous compatibility. First, we develop
a criteria based on synchronous compatibility. Synchronous compatibility turns out to
be a surprisingly weak property in comparison to asynchronous compatibility of buffered
systems. Then, we elaborate the relation between systems of buffered IOTSs and CFSM
systems. We consider a CFSM correspondence to asynchronous compatibility and exem-
plify an application of this correspondence for concrete verification. Finally, we sketch an
application of a symbolic verification approach for infinite-state systems and close with
remarks on required extensions for the CFSM based verification of PIOs instead of IOTSs.
1. Verification Based on Finite-State PIOs
The verification of finite-state PIOs is usually supported by existing tools or known
algorithms or slight extensions hereof. We will discuss relevant references but leave the
concrete implementation open. Instead we will focus on the theoretical results and partly
on abstract algorithms needed for the automated verification of the problems mentioned
above.
1.1. Compatibility, Refinement and Equivalence. The definition of compatibility
uses the reachable state space of the product of two transition systems. The product A ⊗
B can be computed by standard algorithms for the computation of global state spaces.
Both, explicit-state or on-the-fly algorithms could be employed. The set of reachable states
R(A⊗B) can be computed by a standard depth-first search in A⊗B (e.g. [BKL08]).
Compatibility could be verified along the computation of a transitive closure which
takes the legal labels on paths towards compatible transitions into account. Legal labels
are determined by the respective notion of compatibility. For weak compatibility, internal
and τ -labels are legal; for ultra-weak compatibility additionally unshared output labels are
allowed and finally for strong compatibility there are no legal labels at all. Verification
1. VERIFICATION BASED ON FINITE-STATE PIOS 77
of output compatibility then proceeds by single-step checks between output and matching
input using the corresponding transitive closure.
Besides, since PIOs are a special case of modal I/O automata, the MIO workbench, a
tool for the verification of modal I/O automata [BMSH10] can be used to check for strong
and weak compatibility between PIOs. An extension of the MIO workbench to check for
ultra-weak compatibility seems to be straightforward after a discussion with the authors
of [BMSH10]. Alternatively on may extend the approach of [DOS09] who implemented
several kinds of compatibility checks in Maude.
Due to the correspondence between blackbox refinement and weak modal refinement
as considered in [BMSH10] we may readily use the MIO workbench for the verification
of blackbox refinement between finite state PIOs. For the case of equivalence verification,
again an extension of the MIO workbench seems to be feasible. Tool-support with regard to
equivalence checks should also support minimisation according to observation equivalence
for PIOs similar to the LTSA tool in the context of FSP [MKC+] and labelled transition
systems.
The verification of refinement between buffered PIOs relies on Prop. 4.25 and the
verification of blackbox refinement for the underlying finite-state PIOs. The refinement
transfer to systems with buffered communication does not work for the mixed case, i.e. it
does not hold that C vbb A implies Ω(C)vA which is due to the interleaving of buffered
outputs with the input transitions of the given αPIO.
1.2. A Criterion for Asynchronous Compatibility. Considering our notions of com-
patibility synchronous compatibility might be expected to be strong enough to entail asyn-
chronous compatibility. In general, however, this is not the case which is due to mixed
choice states, that is, due to states that show both an input and an output transition at the
same time. While composition with synchronous communication works perfectly with
such states, asynchronous communication introduces a buffer step whose interleaving then
may lead to a deadlock within the composition of buffered transition systems. Figure 4.11
illustrates this case for the composition of two buffered PIOs.
Systems that do not show mixed choice states can be considered to be representations
of single-threaded components. At any point in time, these systems either send messages,
engage in local actions or receive messages and for any state with a reception there are only
receptions. We call these kind of systems input-separated. A PIO A is input separated if
for all s ∈ R(A) with (s, l, s′) ∈ ∆A for some s′ ∈ SA and l ∈ IA it holds that {l′ ∈
L(LA) | ∃s′ ∈ SA . (s, l′, s′) ∈ ∆A} ⊆ I . Fu et al. [FBS05] showed in the context of a
formal model for web services that synchronous compatibility of input-separated systems
suffices to conclude synchronizability of a given n-ary service composition where each peer
is equipped with a single input queue.1 Their proof relies on a reordering of the executions
within a system of asynchronously communicating peers such that whenever a message is
put into a queue it is immediately taken out of the queue. Such a reordering exists due
to the input-separation of the given peers. In the following we show an analogous result
for our setting of input-separated PIOs. A similar result has been proven in [HJK09] for
closed systems of two IOTSs, strong synchronous compatibility and a slightly different
notion of asynchronous compatibility.
We consider execution fragments of compositions of buffered PIOs that are initial and
maximal. To simplify the presentation we focus on completely buffered PIOs. Let A be
a PIO. An execution fragment ρ ∈ frag(A) of A is initial and maximal if its first state is
s0,A and it is either infinite or finite with its last state being a terminal state. With exec(A)
we denote all executions of A that are initial and maximal.
1It is claimed, however, that the approach can be extended to a model with one queue for each pair of communi-
cating peers [FBS05, p. 1051].
78 5. ON THE VERIFICATION OF PIO SYSTEMS
Definition 5.1 (Immediate communication) Let A and B be composable αPIOs. Let
Sys = Ω(A) ⊗ Ω(B). An execution ((σ0,A, σ0,B) l1 (σ1,A, σ1,B) l2 . . .) ∈ exec(Sys)
is an execution with immediate communication if it holds that
∀l ∈ S(A,B) . ∀i > 0 . li = lB =⇒ li+1 = l .
Executions of buffered systems with immediate communication are related to execu-
tions of systems with synchronous communication as depicted in Fig. 5.1. The upper part
of the figure shows an execution of a buffered system with one output queue. The label l is
assumed to be shared between the underlying PIOs A and B, and is communicated imme-
diately along the transition labelled l after it has been put into the queue with the transition
labelled lB. Immediate communication implies, due to the FIFO ordering of queues, that
the particular queue was empty before the enqueue action.
l
(sA, , sB) (s′A, 〈l〉, sB)
lB
l
(s′A, s′B)(sA, sB)
· · ·
· · · · · ·
(s′A, , s′B) · · ·
FIGURE 5.1. Immediate communication and synchronous executions
The set of persistent transitions Π of PIOs does not play a decisive role for the relation
between states indicated in Fig. 5.1. Assume l is an output of the underlying PIO A which
is not persistent. Then all transitions are neither persistent and the relation holds as is;
if the output l is persistent then the enqueue action is persistent while persistence of the
communication depends on the input transition of B. If (sB , l, s′B) ∈ ΠB then the com-
munication is persistent; if (sB , l, s′B) /∈ ΠB then the communication is neither persistent.
In both cases, however, the relation between the states in Fig. 5.1 is not touched.
The basic idea of [FBS05] is to show that for any execution of a buffered system
composed of compatible input-separated peers, there exists an equivalent execution with
immediate communication. Equivalence is based on communication traces of the system.
Let A and B be composable αPIOs. The communication trace C of an execution ρ ∈
exec(Ω(A) ⊗ Ω(B)) is defined inductively: If ρ = (σ0,A, σ0,B) then C (ρ) = ; if ρ =
ρ′ · (σA, σB)l(σ′A, σ′B) then C (ρ) = C (ρ′) · l if l ∈
⋃
LA ∪
⋃
LB and C (ρ) = C (ρ′)
otherwise. Besides input-separation we need to assume that A and B do not diverge on
output or internal actions. Otherwise there are infinite paths in the buffered system that can
not be related to synchronous executions. Such a relation, however, is fundamental for the
proof of the succeeding proposition. An αPIO A diverges autonomously if there exists an
infinite execution s0l1s1l2 . . . ∈ exec(A) such that li ∈ OA ∪ T (A) for all i ≥ k for some
k ≥ 1.
Proposition 5.2 Let A and B be composable αPIOs such that (A,B) is a closed system,
and both are input-separated and do not diverge autonomously. If A↔w B then for all
ρ ∈ exec(Ω(A) ⊗ Ω(B)) there exists ρ′ ∈ exec(Ω(A) ⊗ Ω(B)) such that C (ρ) = C (ρ′)
and ρ′ is an execution with immediate communication.
PROOF. By induction on the number of labels in the communication trace for ρ. We
prove that for all 0 ≤ n ≤ |C (ρ)| there exists ρ′ with C (ρ) = C (ρ′) and the first n
enqueue actions in ρ′ are immediately communicated. Let C (ρ) = l1l2 . . . l|C (ρ)|−1 .
For the base case n = 0 we have C (ρ) =  and the claim holds trivially. Induction
hypothesis (IH): For all 1 ≤ n ≤ |C (ρ)| there exists ρ′ such that C (ρ) = C (ρ′) and the
first n enqueue actions in ρ′ are immediately communicated.
Induction step (n+ 1). Let Sys = Ω(A)⊗Ω(B). We consider an output of Ω(A), the
case for Ω(B) is symmetric. Let ln+1 ∈ OA and assume
((σn,A, σn,B), lBn+1, (σ¯n,A, σn,B)) ∈ ∆Sys is the n+ 1 step in ρ.(*)
1. VERIFICATION BASED ON FINITE-STATE PIOS 79
First we show that the first non-internal action of Ω(B) in Sys is the reception (i.e.
input) of ln+1. With (IH) it holds for ρ′ that all enqueue actions labelled lB in ρ′ are
immediately followed by a corresponding communication transition labelled l. Let σn,A =
(sA, ~qA), σn,B = (sB , ~qB) and denote the output queue ofA for the shared labelsOA∩IB
in ~qA by qBBA . Since all queues are initially empty, it follows that q
BB
A = . The execution
ρ′ is used for an inductive construction of the fragment ((s0,A, s0,B)l1 · · · ln(sA, sB)) ∈
frag(A⊗B), hence (σn,A, σn,B) and (sA, sB) are in relation.
With (*) we have ((sA, ~qA), lBn+1, (s′A, ~q′A)) ∈ ∆Ω(A) and thus (sA, ln+1, s′A) ∈ ∆A.
Now, by A↔w B, there exists s′B ∈ SB such that (sB , ln+1, s′B) ∈ ΠT (B)B . Since A↔w
B is a requirement for R(A ⊗ B), it holds for all s¯B ∈ SB with (sB , s¯B) ∈ ΠT (B)B
and (s¯B , ln+1, s′B) ∈ ΠB that s¯B has an outgoing input transition and since B is input-
separated, it follows that s¯B shows only outgoing input transitions. The state s¯B is reached
in ΠB by internal transitions with labels from T (B) only. Hence, if (sB , ~qB) ∈ R(Ω(B))
then (s¯B , ~qB) ∈ R(Ω(B)) such that (s¯B , ~qB) shows outgoing input transitions only. Since
qBBA =  it follows that the execution fragment ending in (*) above can be extended and
set into relation with a synchronous execution as follows:
λ ∈ (T (B) ∪ T (A))∗
· · · ((sA, ~qA), (sB , ~qB))
lBn+1 ((s′A, ~q′A), (sB , ~qB))
(s′A, s′B)(sA, sB)· · · · · ·
((s¯′A, ~q′A), (s¯B , ~qB))
ln+1
((s′A, ~qA), (s′B , ~qB)) · · ·
ln+1
Consider the state ((s′A, ~q′A), (sB , ~qB)) after the enqueue action. Since (A,B) is a closed
system there can not be any outgoing non-shared transitions, interleaved in the compo-
sition of Ω(A) and Ω(B). Thus, with respect to actions of Ω(B) the only continuation
other than communicating ln+1 are labelled by T (B). Since A is input-separated the only
continuation concerning actions of Ω(A) are local actions labelled by T (A) and further
enqueue actions lB with l ∈ OA.
SinceA andB are not autonomously diverging, local actions do not affect the commu-
nication traces of Ω(A) ⊗ Ω(B) and can be ignored. Consider state ((s¯′A, ~q′A), (s¯B , ~qB))
after the sequence of transitions with labels in λ. If Ω(A) does not show further enqueue
actions we are done, since lBn+1 and the labels in λ are local actions in Ω(A) ⊗ Ω(B), we
may safely rearrange the ordering such that lBn+1 is immediately followed by the communi-
cation transition labelled ln+1 and obtain an execution ρ′ such that C (ρ) = C (ρ′) and the
first n + 1 enqueue actions are immediately followed by a corresponding communication
and the queue qBBA is empty again.
If ((s¯′A, ~q′A), (s¯B , ~qB)) continues with enqueue actions of Ω(A) then, since A is not
diverging autonomously, there exists a state (s′′A, ~q′′A) ∈ SΩ(A) that is either terminal or
a state with outgoing input-transition. The state ((s′′A, ~q′′A), (s¯B , ~qB)) is reached after a
sequence of transitions labelled by λBA ∈ (OA ∩ IB)∗. Since A is input-separated and B
is still awaiting an input of ln+1, the only possible continuation from ((s′′A, ~q′′A), (s¯B , ~qB))
is the communication of ln+1. The resulting execution sequence with labels λBA · ln+1 can
be reordered to an execution with labels ln+1 · λBA without effect on the communication
trace of the given system and again in relation to a synchronous execution as indicated
in the figure above. The same argumentation holds until a state ((s′′A, ~qA), (s′′B , ~qB)) with
qBBA =  is reached. 
80 5. ON THE VERIFICATION OF PIO SYSTEMS
ab.verifyPin
ab.pinNotOk
ab.withdraw
ab.pinOk
ab.giveMoney
ab.verifyPinB
ab.giveMoneyB
ab.withdrawB
ab.pinNotOkB
ab.pinOkB
FIGURE 5.2. Assembly behaviour of the Bank/Atm system of Fig. 1.3
(a) A (left) and B (right)
/m /x m/
(b) Execution in Ω(A)⊗ Ω(B)
m
σ1 σ2
mB
σ3 σ4 · · ·
xB /x
FIGURE 5.3. Ultra-weak output compatibility and buffered executions
Theorem 5.3 (Weakly asynchronous output compatibility) Let A and B be composable
αPIOs such that (A,B) is a closed system, and both are input-separated and do not diverge
autonomously. If A↔w B then Ω(A)↔w Ω(B).
PROOF SKETCH. Let ρ ∈ exec(Ω(A) ⊗ Ω(B)). By Prop. 5.2 we obtain from ρ an
equivalent execution ρ′ with immediate communication. With ρ′ we relate the states within
Ω(A)⊗Ω(B) to the states within a synchronous execution inA⊗B as depicted in Fig. 5.1
and the proof of Prop. 5.2. By this means we obtain for any local output in Ω(A)⊗ Ω(B)
a weakly matching input using A↔w B and hence Ω(A)↔w Ω(B). 
Example 5.4 The composition of the transition systems for the behaviour of the Bank and
Atm components as introduced in Fig. 1.3 of Chap. 1 results in a closed system as indicated
by Fig. 5.2. Due to the application of an asynchronous connector in the static structure
specification, a buffering behaviour of the connector ab is involved. Labels of the form
ab.mB represent the action of sending a message m on the connector ab which means
to put the message into a message buffer managed by the connector. Labels of the form
ab.m represent the action of taking a message out of the buffer. The transition systems
in Fig. 1.3 are both input-separated and always eventually receiving. Moreover they are
weakly output compatible, since any shared output is immediately synchronised by an input
of the particular communication partner. Thus Thm. 5.3 is applicable and it follows that
the behaviours are weakly asynchronously compatible.
Since [FBS05] considered n-ary composition of web service behaviours, we believe
that a corresponding generalisation of Thm. 5.3 to conclude weak asynchronous comm-
safety of n-ary closed systems is feasible. Ultra-weak output compatibility makes a dif-
ference only within open systems. For the case of open systems, already the case of two
communicating transition systems imposes the need for an aligned definition of "imme-
diate communication". Consider for instance the transition systems in Fig. 5.3. Assume
x /∈ S(A,B), then the buffered system resulting from the composition of Ω(A) and Ω(B)
shows an execution σ1 mB σ2 xB σ3 x σ4 m . . . that can not be reordered to an execution
with immediate receives without affecting its communication trace. Note that for weak
output compatibility this case could not arise since B only engaged in internal actions be-
fore the matching input is reached. In case of ultra-weak output compatibility additionally
non-shared outputs may occur on these paths as illustrated by the given example.
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 81
2. Correspondence with Communicating Finite State Machines (CFSM)
Our model of asynchronous communication is closely related to systems of commu-
nicating finite state machines. CFSM systems are usually considered without internal ac-
tions, that is, the only action are either enqueue or dequeue actions and internal or τ moves
are not taken into account. Within this section we first provide a translation for a corre-
sponding class of IOTSs. Such a translation is useful not only for a deeper understanding
of the interrelation between our model of asynchronously communicating components and
CFSM systems but also to make a large number of interesting research results, e.g. bound-
edness tests [LMW04] or criteria for the decidability of reachability problems [CF05],
applicable to the verification of buffered IOTSs. In this context we investigate a corre-
spondence between asynchronous compatibility and unspecified reception, a well-known
communication error in CFSM systems, showing that freedom of unspecified reception is
not sufficient to conclude asynchronous compatibility.
The work of Boigelot et al. [BG99, BGWW97] on the symbolic verification of sys-
tems with unbounded FIFO queues relies on a definition of CFSM systems with local ac-
tions. We provide again a translation for a corresponding class of IOTSs which makes their
approach applicable to the verification of IOTSs with internal moves. After that we sketch
an application to the verification of asynchronous compatibility and finally we discuss how
to extend the approach to cope with PIOs instead of IOTSs.
2.1. From I/O-Transition Systems to CFSM Systems. A list of general CFSM ver-
ification problems can be found, for instance, in [CF05] which was also used as a starting
point for the succeeding CFSM related definitions.
Definition 5.5 (CFSM cf. [CF05]) A communicating finite state machine (CFSM) is a
tuple M = (Q, q0,Σ, δ) where Q is a finite set of states, q0 ∈ Q an initial state, Σ an
alphabet and δ ⊆ Q× (N× {!, ?} × Σ)×Q) a finite set of transitions.
We write (q, j!l, q′) ∈ δ instead of (q, (j, !, l), q′) ∈ δ and analogously for labels
involving ?. Moreover we define Σsnd = {l ∈ Σ | ∃q, q′ ∈ Q . ∃j ∈ N . (q, j!l, q′) ∈ δ}
and analogously Σrcv for (q, j?l, q′) ∈ δ.
The transition labels of CFMSs comprise a unique integer that identifies the channel
to be used for sending (!) or receiving receiving (?) messages defined by alphabet Σ. The
given CFSMs correspond to finite IOTSs which communicate completely asynchronous
and do neither show internal nor τ transitions. The class of completely asynchronous pure
IOTSs consists of finite I/O-transition systems A = (L, S, s0,∆) with partitioned I/O-
labelling L such that ((L, S, s0,∆,Π), OB) is an αPIO with
⋃
L =
⋃
OB and ∆ = Π.
Definition 5.6 (CFSM translation) Let A be a completely asynchronous pure IOTS. The
cfsm-translation from A to a CFSM is given by cfsm(A) = (Q, q0,Σ, δ) such that Q =
SA, q0 = s0,A, Σ =
⋃
LA and for L = ((I1, O1, . . . , In, On), T ) for all 1 ≤ j ≤ n:
(s, j!l, s′) ∈ δ ⇐⇒ ∃l ∈ Oj . (s, l, s′) ∈ ∆A,
(s, j?l, s′) ∈ δ ⇐⇒ ∃l ∈ Ij . (s, l, s′) ∈ ∆A.
Note that CFSMs do not distinguish send and receive label within Σ and therefore the
mapping is, in general, not reversible. However, often there is no need to consider the
complete alphabet and one may reconstruct at least the subset Σsnd ∪ Σrcv ⊆ Σ used in δ.
Communicating finite state machines together with a set of FIFO-buffered communi-
cation channels constitute a formal framework for the analysis of communication proto-
cols. Usually it is assumed that between each pair of CFSMs there are two channels, thus
allowing for separated unidirectional buffered communication. There are different classes
of CFSM systems along distinguished properties of their channels. Of course, first of all,
the channels might be bounded or unbounded. Second the channels may "loose" messages
82 5. ON THE VERIFICATION OF PIO SYSTEMS
during transmission from a sender to a receiving CFSM. These kind of systems are a pos-
sible means to model communication along unreliable transmission mediums. In contrast
"perfect channels" do not loose any message during transmit. Moreover, the classification
might also distinguish along specific properties such as a "well-ordering" of messages in
order to identify particular restricted system classes for the study of decidability questions.
A corresponding list comprising also the mentioned classes can be found in [CF05, Sect.
1.1]. In the following we consider CFSM systems with unbounded perfect FIFO-channels.
Definition 5.7 (CFSM System, cf. [CF05]) A communicating system is a tuple Sys =
(M1, . . . ,Mn) of CFSMs Mi = (Qi, q0,i,Σi, δi) with pairwise disjoint alphabets Σi.
Let p be the number of channels in Sys2. The global state space (set of configurations)
ΓSys of Sys is defined by ΓSys = Q1 × . . . × Qn × (Σ∗)p, where Σ =
⋃
i Σi. A state
γ ∈ ΓSys is called a configuration of Sys. The initial configuration is given by γ0,Sys =
((q0,1, . . . q0,n, 1, . . . p)). The operational semantics of a communicating system Sys
induces a transition relation→Sys⊆ ΓSys × ΓSys, where
((q1, . . . qn, x1, . . . xp), (q′1, . . . q′n, x′1, . . . x′p)) ∈→Sys,
if there exists i ∈ {1, . . . , n}, j ∈ {1, . . . , p} and l ∈ Σ such that one of the following
holds:
((qi, j!l, q′i) ∈ δi ∧ q′k = qk for all k 6= i) ∧ (x′j = xj l and x′h = xh for all h 6= j),
((qi, j?l, q′i) ∈ δi ∧ q′k = qk for all k 6= i) ∧ (lx′j = xj and x′h = xh for all h 6= j).
For (γ, γ′) ∈ −→ we write γ −→ γ, or redundantly, γ ls−→ γ′ for ls ∈ {(qi, j!l, q′i),
(qi, j?l, q′i)}; we write label(ls) to extract the label j!l, j?l respectively from the given
local step.
The notation γ ls−→ γ′ shows the local step ls ∈ {(qi, j!l, q′i), (qi, j?l, q′i)} which triggered
the particular global transition. Therefore, a communicating system can be understood as
a labelled transition system. The formal underpinning of this view in [CF05] is the reach-
ability set and reachability graph of Sys. The reachability set R(Sys) of a communicating
system Sys is defined inductively: γ0,Sys ∈ R(Sys); and if γ ∈ R(Sys) and there is
γ′ ∈ ΓSys such that γ −→Sys γ′, then γ′ ∈ R(Sys). The set of statesR(γ), reachable from a
given γ ∈ R(Sys) is defined analogously using the reachability set of Sys. The reachabil-
ity graph is a labelled graph whose nodes are given byR(Sys) and whose edges correspond
to global transitions according to the notation γ ls−→Sys γ′. Thus the reachability graph repre-
sents a transition system similar to the composition of buffered I/O-transition systems. In
the following we define a translation iots from Sys to a (composed) buffered I/O-transition
system and after that discuss the correspondence between products of buffered IOTSs and
the iots-translation of the communicating system which consists of cfsm-translations of
the given IOTSs.
The iots-translation of a communicating system yields a completely asynchronous
pure IOTS as follows. Denote the selection of projected channel alphabets by (Σ∗)p ↓Σi ,
which selects the h ≤ p projections Σ i,1 × · · · × Σ i,h of Σ to the ith alphabet Σi such
that Σ i,j ∩Σi 6= ∅ for all 1 ≤ j ≤ h (the projections Σ i,j yield the alphabet of the jth
queue of the ith transition system, i.e. Σi,1 × · · · × Σi,h is a vector of all queues where
symbols from Σi are involved).
Definition 5.8 (Sys IOTS) Let Sys = (M1, . . . ,Mn) be a communicating system and let
zi = |(Σ∗)p ↓Σsnd
i
| for 1 ≤ i ≤ n. The iots-translation of Sys is a completely asynchronous
pure IOTS given by iots(Sys) = (L, S, s0,∆), where
2The number of edges in a complete graph is n(n− 1)/2, thus for the case of two channels between any pair of
CFSMs we would have p = n(n− 1) queues.
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 83
1. L = (I,O, T ), where I = ∅, O = ∅ and
T =
⋃n
i=1{lB | l ∈ Σsndi } ∪
⋃n
i=1{l | l ∈ Σrcvi } .
2. S and s0 is obtained by a reordering based on (Σ∗)p ↓Σi , such that
(Q1 × . . .×Qn × (Σ∗)p) 7→ (Q1 × (Σ∗)p ↓Σsnd1 × · · · ×Qn × (Σ
∗)p ↓Σsndn ),
(q0,1, . . . , q0,n, 1, . . . , p) 7→ (q0,1, ()z1 , . . . , q0,n, ()zn).
3. ∆ ⊆ S ×⋃L× S is the smallest relation such that
(i) if (~q, ~x)
(qi,j?l,q
′
i
)−−−−−−→Sys (~q′, ~x′) then (f(~q, ~x), l, f(~q′, ~x′)) ∈ ∆, where
(~q, ~x) = ((q1, . . . , qi, . . . , qn), (x1, . . . , lxj , . . . , xp)),
(~q′, ~x′) = ((q1, . . . , q′i, . . . , qn), (x1, . . . , xj , . . . , xp)),
f(~q, ~x) = ((q1, ~x1), . . . , (qi, ~xi), . . . , (qk, (xk,1, . . . , lxk,j , . . . , xk,zk)), . . . , (qn, ~xn)),
f(~q′, ~x′) = ((q1, ~x1), . . . , (q′i, ~xi), . . . , (qk, (xk,1, . . . , xk,j , . . . , xk,zk)), . . . , (qn, ~xn)).
(ii) if (~q, ~x)
(qi,j!l,q
′
i
)−−−−−→Sys (~q′, ~x′) then (f(~q, ~x), lB, f(~q′, ~x′)) ∈ ∆, where
(~q, ~x) = ((q1, . . . , qi, . . . , qn), (x1, . . . , xj , . . . , xp)),
(~q′, ~x′) = ((q1, . . . , q′i, . . . , qn), (x1, . . . , xj l, . . . , xp)),
f(~q, ~x) = ((q1, ~x1), . . . , (qi, (xi,1, . . . , xi,j , . . . , xi,zi)), . . . , (qn, ~xn)),
f(~q′, ~x′) = ((q1, ~x1), . . . , (q′i, (xi,1, . . . , xi,j l, . . . , xi,zi)), . . . , (qn, ~xn)).
The translation cfsm(A) of a single IOTSA and the IOTS-view iots(Sys) of a commu-
nicating system Sys allows to draw a correspondence between CFSM systems and buffered
I/O-transition systems. Since CFSM systems are closed systems we need an additional as-
sumption on the closedness of the given IOTSs. Pairwise composable IOTSs (A1, . . . , An)
are a closed system, if I⊗iAi = O⊗iAi = ∅, i.e. if the remaining sets of input and output
labels are empty. We state the following without formal proof. Moreover, the translation of
labels in the IOTS-view takes only those labels into account that actually have been used
within the local transition relations δi, that is, labels from Σsnd∪Σrcv. This syntactical dif-
ference from the alphabets of the underlying IOTSs could be handled by a corresponding
alphabet extension. To simplify the presentation we assume that all labels have actually
been used in transitions and call such an IOTS without unused labels.
Proposition 5.9 (Correspondence) Let (A1, . . . , An) be a closed system of pairwise com-
posable completely asynchronous pure IOTSs without unused labels. Then (cfsm(A1), . . . ,
cfsm(An)) =
⊗
i Ω(Ai). 
2.2. Communication Safety and Unspecified Reception. We consider the notion
of unspecified reception configurations. For the precise definition in the sense of [CF05]
and supported by an earlier understanding in [GMY84], we need a notion of “receiving
state”. Even though not necessary for the definition of unspecified reception we consider
also “mixed states” as a prerequisite for later discussions. A state q ∈ Q of a CFSM M =
(Q, q0,Σ, δ) is a receiving state, if all of its outgoing transitions are receiving transitions; a
mixed state shows both, a sending and a receiving transition (at least one of each). We use
these notions for IOTSs analogously. The following definition extends [CF05, Def. 12] for
unspecified receptions.
Definition 5.10 (Ineffective reception) Let Sys = (M1, . . . ,Mn) be a communicating
system. A configuration γ = (q1, . . . , qn, x1, . . . , xp) ∈ ΓSys is an ineffective reception
configuration, if there exists i ∈ {1, . . . , n} such that qi is a receiving or a mixed state and
∀l ∈ Σi . ∀q′i ∈ Qi . (qi, j?l, q′i) ∈ δi =⇒ (|xj | ≥ 1 ∧ xj 6= l Σ∗).
84 5. ON THE VERIFICATION OF PIO SYSTEMS
If qi is a receiving state, then γ is an unspecified reception configuration, if it is a mixed
state we call γ an ignored reception configuration. The system Sys is free from unspecified
(ignored) receptions, if γ is not an unspecified (ignored) reception configuration for all
γ ∈ Rsnd(Sys).
In an unspecified reception configuration there exists a machine Mi which is stuck at
a receiving state. Being stuck means here, thatMi can not proceed with any of its outgoing
receive transitions (qi, j?l, q′i) since the topmost message of the jth queue is different from
l. This kind of error state reminds of our original motivation for the introduction of asyn-
chronous compatibility for transition systems with buffered communication. Given some
local output, we aimed for the unbuffered, synchronous case to guarantee the existence of a
matching input within a composed system such that messages sent do not “disappear” due
to a missing reception (synchronisation). A natural transfer of this property to the buffered
case resulted in our definition of asynchronous compatibility for buffered transition sys-
tems. The requirement “not to disappear” was then understood as “enqueued messages
are eventually dequeued” that is eventually processed. And indeed, we have the following
implication.
Proposition 5.11 Let (A1, . . . , An) be a closed system of pairwise composable com-
pletely asynchronous pure IOTSs. If (Ω(A1), . . . ,Ω(An)) is ultra-weakly comm-safe, then
(cfsm(A1), . . . , cfsm(An)) is free from unspecified receptions.
PROOF. The proposition is a special case of Prop. 5.16 along Cor. 5.15. 
As witnessed by the translation of the transition systems in Fig. 5.4 and argued in the
following example the reverse direction is not true.
Example 5.12 (Unspecified reception) Figure 5.4 shows two pairs of I/O-transition sys-
tems whose CFSM-translation yield a communication system which is free of unspecified
receptions. The IOTSs on the lefthand side do not show receiving states at all, hence there
is no unspecified reception. In contrast, the IOTSs on the righthand side do show receiv-
ing states but there is also the chance to enter a path (along input x) where the receiving
state is missed. The input transition moves to a state without any outgoing transition, and
since the initial state is neither a receiving state we have again freedom from unspecified
reception.
/n /m /n n/
/y
x/
FIGURE 5.4. Free from unspecified reception
/y
x/y/
/n n/
FIGURE 5.5. Receiving states
Both pairs of transition systems are not asynchronously output compatible due to missing
receive transitions. Figure 5.5 shows a revision of the righthand pair aimed to repair that
defect, but again the transition systems are not asynchronously compatible. The incompat-
ibility reveals a fundamental difference between unspecified reception and asynchronous
compatibility.
For a first illustration observe that an extension of the machine sending n by an ar-
bitrary receive transition different from receiving y would also result in a CFSM system
which is free from unspecified reception. The latter may come as a surprise but indeed the
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 85
requirement for unspecified reception is for receiving states only and the given transition
system shows a mixed state, not a receiving state. Thus we would have an ignored reception
configuration which is a communication error different from what is commonly understood
as unspecified reception. From a conceptual point of view this means that unspecified re-
ception is supposed to catch up situations where a machine is definitely stucked which is
obviously not the case for the given mixed-choice system since it is always able to send out
messages n without ever using its receive transition. This is quite some difference to our
definition of asynchronous output compatibility with a requirement for all reachable states
of a given composition. With the definition of ignored reception configurations we are one
step closer. The discussed system with an input different from y "ignores" the necessity to
receive y and continues to send n instead.
Still the transition systems in Fig. 5.5 are not asynchronously compatible due to the
input transition x which globally allows to reach a state where the input n is not received.
Adding a loop after x with input n solves this problem and the resulting system is indeed
asynchronously compatible.
In both given examples there are mixed states which are not asynchronously compati-
ble but skipped over by the definition of unspecified reception due to their property of not
being a receiving state. A third problem arises from pure send states such as the one given
on the lefthand side of Fig. 5.4. If there is neither a receiving nor a mixed state none of
the mentioned requirements applies. In order to close this last gap we expect a transition
system to provide at last any receive transition in case a state with a non-empty queue is
entered. More precisely, letM = (Q, q0,Σ, δ) be a CFSM and let q ∈ Q. The states reach-
able from q via snd-transitions are given inductively by q ∈ Rsnd(q); and if q′ ∈ Rsnd(q)
and there is q′′ ∈ Q such that (q′, l, q′′) ∈ δ and l ∈ ΣsndM then q′′ ∈ Rsnd(q). More-
over, q is a receiving or mixed state for j ∈ N if there exists l ∈ ΣrcvM , q′ ∈ Q such that
(q, j?l, q′) ∈ δ.
Definition 5.13 (Eventually receiving) Let Sys = (M1, . . . ,Mn) be a communicating
system. A configuration γ = (q1, . . . , qn, x1, . . . , xp) ∈ ΓSys is eventually receiving, if for
all j ∈ {1, . . . , p} there exists i ∈ {1, . . . , n} such that the following holds:
xj 6=  =⇒ (∃(q′1, . . . , q′n, x′1, . . . , x′p) ∈ R(γ) . (q′i ∈ Rsnd(qi) ∧
q′i is a receiving or a mixed state for j)) .
Definition 5.14 (Asynchronously responsive) A communicating system Sys is asynchron-
ously responsive, if for all γ ∈ R(Sys) it holds that γ is eventually receiving and is neither
an unspecified nor an ignored reception configuration.
Corollary 5.15 If a communicating system Sys is asynchronously responsive, then it is
free from unspecified reception. 
In the following we sketch a proof for the correspondence of ultra-weak comm-safety
and asynchronous responsiveness. By this means comm-safety of buffered IOTSs can be
verified along tools for the verification of CFSM systems and, in contrary, knowing ultra-
weak comm-safety for a given system of IOTSs can be used to conclude asynchronous
responsiveness, and hence unspecified reception, of the corresponding CFSM system. Note
that we consider closed systems and hence ultra-weak comm-safety coincides with weak
comm-safety. An example for the verification of asynchronous responsiveness is given in
Ex. 5.29 for a simple Bank/ATM system.
Proposition 5.16 (Asynchronously responsive) Let (A1, . . . , An) be a closed system of
pairwise composable completely asynchronous pure IOTSs. (Ω(A1), . . . ,Ω(An)) is ultra-
weakly comm-safe iff the communicating system (cfsm(A1), . . . , cfsm(An)) is asynchron-
ously responsive.
86 5. ON THE VERIFICATION OF PIO SYSTEMS
PROOF SKETCH. “⇒” Let Ω(Ai) be the buffered system with local output B in the
given reachable global state. Then one of the queues is not empty. By ultra-weak comm-
safety there is a state σ globally reachable such that l becomes the topmost message of
this queue. Since ultra-weak comm-safety requires an autonomously reachable matching
input transition and autonomously in a closed system without τ and internal transitions
means reachable by local snd-transitions we obtain the property eventual receiving for σ.
Thus there exists a snd-reachable σ′ which provides the matching input transition. If σ′ is
a mixed state, then by the requirement of ultra-weak comm-safety, it holds that σ′ is not
an ignored reception; also, if σ′ is a receiving state it holds that σ′ is not an unspecified
reception. Since ultra-weak comm-safety is a requirement for the complete reachable state
space this means that the communicating system obtained from the cfsm-translation of the
given IOTSs is asynchronously responsive.
“⇐” Asynchronous responsiveness is a requirement for the complete state space,
hence the argumentation proceeds analogously. Due to the property eventually receiving
we find receiving or mixed states γ′, reachable from some given queue state with message
l being topmost. By definition, reachability is via snd-transitions and thus γ′ is globally
reachable. In case of a receive state we have by the assumption of unspecified reception
that the input transitions matches; in case of a mixed state, we use the assumption of ig-
nored receptions to obtain the matching input. Therefore we have a witness for ultra-weak
comm-safety of γ′ and the claim follows by asynchronous responsiveness being a complete
state space requirement. 
By Prop. 5.16 one may apply CFSM verification techniques to show asynchronous
responsiveness in order to verify asynchronous compatibility of the considered class of
IOTSs. Now the complexity lies in the three conditions for asynchronous responsiveness:
without unspecified reception, without ignored reception and eventually receiving. Since
the notion of unspecified reception is a well-known topic for CFSM verification it would
be interesting to get a similar understanding of CFSM systems that are eventually receiv-
ing and without ignored receptions. The progress requirements of Gouda et al. [GMY84]
seems to come closest. Here, a state is called non-progress state if and only if it is an
unspecified reception, a deadlock or an overflow state. Obviously, asynchronous respon-
siveness does not include deadlock freedom but systems without overflow states seem to
be quite close to the systems that are eventually receiving and without ignored reception.
A fully detailed and formal account on these issues could be an interesting issue for future
work.
2.3. CFSM Systems with Local Actions. Boigelot et.al. [BG99, BGWW97] de-
veloped and applied a special kind of finite state machines, Queue content Decision Di-
agrams (QDD), for a symbolic representation of the queue contents of CFSM systems.
By this means, potentially infinite-state systems can be represented in a finite way, paving
the way for an application of model-checking techniques for the verification systems with
unbounded FIFO queues. Their definition of CFSM systems include local actions, that is,
actions local to a CFSM without an effect on the queues of the given system of CFSMs.
In the following we describe a translation between a corresponding class of IOTSs and
CFSM systems with local actions. After that, we introduce QDDs and investigate their
applicability to the verification of asynchronous compatibility.
For a better understanding of the relationship and translation between IOTSs and CF-
SMs we provide an explicit account of what we call CFSM with local actions.
Definition 5.17 (Extended CFSM) A CFSM with local actions (extended CFSM) is a tuple
M = (Q, q0,Σe, δe) whereQ is a finite set of states, q0 ∈ Q an initial state, Σe = Σc∪Σa
alphabets for communication and local actions, and δ ⊆ Q×(Σa∪(N×{!, ?}×Σc))×Q
a finite set of transitions. Σa is assumed to be given by Σa = Σainp∪Σaout ∪Σaτ of mutually
disjoint alphabets.
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 87
We write (q, j!l, q′) ∈ δ instead of (q, (j, !, l), q′) ∈ δ and analogously for labels
involving ?. Moreover we define Σsnd = {l ∈ Σc | ∃q, q′ ∈ Q . ∃j ∈ N . (q, j!l, q′) ∈ δ}
and analogously Σrcv for (q, j?l, q′) ∈ δ.
In the following we also allow compositions of buffered IOTSs which are not nec-
essarily closed. We use an I/O distinction Σa = Σainp ∪ Σaout ∪ Σaτ and treat open I/O-
transitions as local actions. By this means, CFSMs with local actions can be used for the
translation of finite completely persistent αPIOs. More formally, we consider the class of
IOTSs with asynchronous output labelling (αIOTS) given by finite I/O-transition systems
A = (L, S, s0,∆) with partitioned I/O-labelling L such that ((L, S, s0,∆,Π), OB) is an
αPIO with
⋃
L =
⋃
OB and ∆ = Π. The I/O-labelling L = ((I1, O1), . . . , (In, On), T )
consists as usual of input, output and internal labels.
Definition 5.18 (CFSMe translation) Let A be an αIOTS where LA = ((I1, O1), . . . ,
(In, On), T ) and OBA = (O1, . . . , Ok), k ≤ n. The translation cfsme from A to a CFSM
is given by cfsme(A) = (Q, q0,Σe, δe) such that Q = SA and q0 = s0,A. The alphabet
Σe is defined by Σc =
⋃{Ii | 1 ≤ i ≤ k} ∪ ⋃OBA and Σainp = ⋃{Ii | k < i ≤ n},
Σaout =
⋃{Oi | k < i ≤ n} and Σaτ = T . The transition relation δe is given by
∀1 ≤ j ≤ k . (l ∈ Σc ∧ (s, j!l, s′) ∈ δe ⇐⇒ l ∈ Oj ∧ (s, l, s′) ∈ ∆A),
∀1 ≤ j ≤ k . (l ∈ Σc ∧ (s, j?l, s′) ∈ δe ⇐⇒ l ∈ Ij ∧ (s, l, s′) ∈ ∆A),
l ∈ Σa ∧ (s, l, s′) ∈ δe ⇐⇒ l ∈ ⋃{⋃((Ii, Oi), T ) | k < i ≤ n} ∧ (s, l, s′) ∈ ∆A.
Our translation treats any open transition as a local action, which definitely makes
sense for open outputs, due to the unbounded communication buffers in systems of CF-
SMs. Together with internal transitions theses can be considered as "autonomous" local
actions. The understanding of input transitions as local actions, however, leads to an im-
plicit verification assumption. Namely that the open input transitions indeed are used after
the system has been composed further. Depending on the concrete verification problem at
hand, it might be the case, that the verification result is invalidated by later compositions.
Output compatibility is an example of such a property. Considering an input transition
as a local action is equivalent to the hiding of the transition on the level of PIOs, IOTSs
respectively. But a verification with hidden open transitions is invalidated within later
compositions in case the open transitions are not used by the respective communication
partner.
Boigelot et al. define a notion of communication protocol that basically corresponds
to the syntactic structure of CFSM systems defined above. Protocols are additionally
equipped with an alphabet of local actions and a global control transition relation given
by the product of the underlying CFSMs without queues. Instead of the direct definition
of protocols as given in [BGWW97] we give a definition in the sense of CFSM systems,
though based on CFSMs with local actions.
Definition 5.19 (CFSM Protocol, cf. [BGWW97]) Let Syse be a system (M1, . . . ,Mn)
of CFSMs (Qi, q0,i,Σei , δei ) with local actions. A protocol for Syse is a tuple
P = (Contr , Init,Act,Msg,Que,Trans),
where Contr = Q1 × · · · × Qn, Init = (q0,1, . . . , q0,n), Act =
⋃
i Σai , Msg =
⋃
i Σci ,
Que = (Msg|1)∗ × · · · × (Msg|k)∗ where k is the number of queues and Msg|i projects
Msg to the messages stored by queue i in Que such that the indices used by the local
transitions of each machine Mi have their appropriate and unique counterpart in Que.
Finally Trans ⊆ Contr × Op × Contr , where Op = Act ∪ N × {!, ?} × Msg such
that ((c1, . . . , cn), op, (c′1, . . . , c′n)) ∈ Trans if there exists i ∈ {1, . . . , n} such that
(ci, op, c′i) ∈ δei and ck = c′k for all k 6= i.
88 5. ON THE VERIFICATION OF PIO SYSTEMS
TABLE 5.2. Protocols [BGWW97] extend CFSM systems [CF05]
CFSM Protocol (Def. 5.19) CFSM system (Def. 5.7)
Contr = Q1 × · · · ×Qn Q1 × · · · ×Qn from Sys
Init = (q0,1, . . . , q0,n) (q0,1, . . . , q0,n) from Sys
Act =
⋃
i Σai (no local actions)
Msg =
⋃
i Σci Σ =
⋃
i Σi
Que = (Msg|1)∗ × · · · × (Msg|k)∗ (Σ∗)p in ΓSys
Trans ⊆ Contr ×Op × Contr , ⋃i δi ⊆ ⋃i(Qi ×Op ×Qi) ,
Op = Act ∪ (N× {!, ?} ×Msg) Op = N× {!, ?} × Σ
Table 5.2 shows how the constituents of a protocol are related to the elements of a
communicating system. The main difference are local actions and a corresponding exten-
sion of the control part of the transition relation for transitions without queue effect. Note
that Trans is a global control transition relation. There is not yet any queue effect asso-
ciated with the gathered local transitions. A protocol is a foremost structural aid to define
the syntactic ingredients of a communicating system.
Example 5.20 (Protocol) In the producer/consumer example Ex. 4.24 we considered PIOs
with must transitions only, hence we can consider them as IOTSs; cf. Fig. 4.7. The buffer
controller showed an open output transition obviating their translation to a CFSM sys-
tem. With the definition of extended CFSMs and protocols we may now translate the
given systems as depicted in Fig. 5.6 with Σsnd = {put}, Σa = ∅ for cfsme(Prod); and
Σrcv = {put}, Σaout = {get} for cfsme(BufCtr). From cfsme(Prod) and cfsme(BufCtr)
we obtain a protocol with Contr = {p0} × {b0, b1}, Init = (p0, b0), Act = {get},
Msg = {put}, Que = {put}∗ and a transition relation Trans ⊆ Contr ×Op × Contr as
given by Fig. 5.6.
(a) cfsme(Prod)
1!put
p0
(b) cfsme(BufCtr)
/get
b1b0
1?put
(c) (cfsme(Prod), cfsme(BufCtr))
/get
1?put
(p0, b1)1!put (p0, b0) 1!put
FIGURE 5.6. Extended CFSMs and global control transition relation
The definition of global state space and transition relation for a CFSM protocol proceeds
similar to the case of CFSM systems above. The state space of a CFSM protocol P is given
by ΓP = Contr × Que. The global transition relation of P is defined by the smallest
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 89
(p0, b1, )
put! (p0, b0, 〈put, put〉) · · ·(p0, b0, ) (p0, b0, 〈put〉)put!
(p0, b1, 〈put〉) · · ·put!
put?
getget
put?
FIGURE 5.7. Global transition relation of CFSM protocol
relation −→P ⊆ ΓP × (Act ∪ ({!, ?} ×Msg))× ΓP such that
(~c, j!l,~c′) ∈ Trans =⇒ (((~c, x1, . . . xk), l!, (~c′, x′1, . . . x′k)) ∈ −→P ∧(i)
(x′j = xj l and x′h = xh for all h 6= j)),
(~c, j?l,~c′) ∈ Trans =⇒ (((~c, x1, . . . xk), l?, (~c′, x′1, . . . x′k)) ∈ −→P ∧(ii)
(lx′j = xj and x′h = xh for all h 6= j)),
(~c, a,~c′) ∈ Trans =⇒ ((~c, ~x), a, (~c′, ~x)) ∈ −→P .(iii)
Example 5.21 (Global transition relation) The global transition relation for the protocol
of (cfsme(Prod), cfsme(BufCtr)) is an infinite-state system as depicted in Fig. 5.7.
The iots-translation iotse(P ) of a protocol P is defined analogously to the translation
iots(Sys) of a communicating system Sys with the difference that the sets of input and
output labels are not empty anymore:
1. L = (I,O, T ) with I =
⋃
i Σai,inp, O =
⋃
i Σai,out and T =
⋃
i Σai,τ ∪
⋃
i{lB | l ∈
Σsndi } ∪
⋃
i{l | l ∈ Σrcvi },
2. S, s0 and ∆ are obtained by a reordering analogously to the translation iots(Sys).
With cfsme and iotse we are able to translate compositions of buffered IOTSs that are
not necessarily closed. The only restriction left concerns rendezvous communication via
shared labels. In contrast to the general case we can not allow synchronous communication
since communication in CFSM systems is always buffered and hence there is no equivalent
for rendezvous communication of buffered IOTSs. However, the restriction seems not to be
to severe since a system with both, rendezvous and buffered communication could be trans-
formed into a system with only buffered communication by composing all systems with
synchronous communication before analysis. Again we state the correspondence without
formal proof. A system ((A1, OB1 ), . . . , (An, OBn )) of pairwise composable asynchronous
IOTSs is internally completely asynchronous, if (
⋃
LAi \
⋃
OBi ) ∩ (
⋃
LAj \
⋃
OBj ) = ∅
for all i, j ∈ {1, . . . , n} with i 6= j. Analogous to the correspondence Prop. 5.9 above, we
assume no unused labels to simplify the presentation.
Proposition 5.22 (Correspondence) If a system ((A1, OB1 ), . . . , (An, OBn )) of pairwise
composable asynchronous IOTSs is without unused labels and internally completely asyn-
chronous, then
iotse(cfsme(A1), . . . , cfsme(An)) =
⊗
i Ω(Ai, OBi ). 
Example 5.23 (Translation) Figure 5.8 shows an excerpt of the (infinite-state) IOTSs ob-
tained from the composition Ω(Prod, LBProd)⊗Ω(BufCtr, LBCtr) (cf. Fig. 4.8 in Chap. 4). After
reordering the state vectors and relabelling enqueue actions the given transition system in-
deed coincides with Fig. 5.7.
For the verification of communication safety, the definition of asynchronous respon-
siveness Def. 5.14 needs adjustment due to the local actions in extended CFSM systems.
The definition of unspecified reception carries over identically, but the definition of ig-
nored reception states and eventually receiving states need to take the local actions in
90 5. ON THE VERIFICATION OF PIO SYSTEMS
((p0, ), b1)
putB ((p0, 〈put, put〉), b0) · · ·
put
((p0, ), b0) ((p0, 〈put〉), b0)put
B
((p0, 〈put〉), b1) · · ·put
B
/get/get
put
FIGURE 5.8. Composition of buffered IOTSs
Σa = Σainp ∪ Σaout ∪ Σaτ into account. The crucial difference lies in the underlying no-
tions of mixed states and snd-reachable states that are extended to cope with local actions
labelled by Σa as follows.
Let M = (Q, q0,Σe, δe) be an extended CFSM with Σe = Σc ∪ Σa. A state q ∈ Q
is a mixed state if it shows both an input as well as an output or a local transition; that is,
if there exists q′, q′′ ∈ Q such that (q, l?, q′) ∈ Q with l ∈ ΣrcvM and (q, l′, q′′) ∈ Q with
l′ ∈ ΣrcvM ∪ Σa. Now, the extension of Def. 5.10 is straightforward along the definition of
CFSM protocols.
Let P be a CFSM protocol for (M1, . . . ,Mn) extended CFSMs with k = |Que|. A
state γ = (q1, . . . , qn, x1, . . . , xk) ∈ ΓP is an ineffective reception configuration, if there
exists i ∈ {1, . . . , n} such that qi is a receiving or a mixed state and
∀l ∈ Σc . ∀q′i ∈ Qi . (qi, j?l, q′i) ∈ δe =⇒ |xj | ≥ 1 ∧ xj 6= l (Msg|j)∗ .
If qi is a receiving state, then γ is an unspecified reception configuration, if it is a mixed
state we call γ an ignored reception configuration.
For the definition of eventually receiving states, all locally reachable states instead of
snd-reachable states need to be considered. Note that this includes snd-reachable states.
Let M = (Q, q0,Σe, δe) be an extended CFSM with Σe = Σc ∪ Σa and let q ∈ Q. The
locally reachable states from q are given inductively by q ∈ Rloc(q); and if q′ ∈ Rloc(q)
and there is q′′ ∈ Q such that (q′, l, q′′) ∈ δe with l ∈ ΣsndM ∪ Σa then q′′ ∈ Rloc(q). The
extension of the definition is again straightforward.
Let P = (Contr , Init,Act,Msg,Que,Trans) and γ = (q1, . . . , qn, x1, . . . , xk) ∈
ΓP where k = |Que|. The state γ is eventually receiving, if for all j ∈ {1, . . . , k} there
exists i ∈ {1, . . . , n} such that the following holds:
xj 6=  =⇒ (∃(q′1, . . . , q′n, x′1, . . . , x′k) ∈ R(γ) . (q′i ∈ Rloc(qi) ∧
q′i is a receiving or a mixed state for j )) .
With the revised definitions we define asynchronous responsiveness for CFSM pro-
tocols and claim the correspondence with ultra-weak comm-safety of the corresponding
system of asynchronous IOTSs. A CFSM protocol P is asynchronously responsive, if for
all γ ∈ R(ΓP ) it holds that γ is eventually receiving and is neither an unspecified nor an
ignored reception configuration.
Claim 5.24 Let (A1, . . . , An) be a system of pairwise composable internally completely
asynchronous IOTSs. (Ω(A1), . . . ,Ω(An)) is ultra-weakly comm-safe iff the CFSM proto-
col for (cfsme(A1), . . . , cfsme(An)) is asynchronously responsive.
In order to illustrate the basic ideas for the verification of communication safety within
compositions of buffered IOTSs we consider a simple example involving a fictitious pro-
tocol between a bank server and an ATM.
Example 5.25 (Simple Bank/ATM) For the IOTSs given in Fig. 5.9 we assume alphabets
such that (Bank, Atm) is a system of pairwise composable internally completely asynchro-
nous IOTSs. The ATM sends immediately after the request for pin verification (vp) a re-
quest for withdrawal (wd). In case the bank acknowledges the pin to be correct (ok) the
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 91
system proceeds with the permission to give money (gm). Note the simultaneous sending
of messages ok and wd.
(a) Bank (simplified)
/ok/gm
wd/
vp/b0
b3
b1
b2
(b) ATM (async)
/vp
/wd
ok/
gm/
a1
a2
a0
a3
FIGURE 5.9. IOTSs for Bank/ATM protocol with incorrect ATM
gm!
(b0, a1, , 〈vp〉)
(b1, a1, , )
(b0, a0, , ) (b0, a2, , 〈vp wd〉)
(b2, a1, 〈ok〉, )
vp?
(b1, a2, , 〈wd〉)
vp?
vp!
ok!ok!
(b2, a2, 〈ok〉, 〈wd〉)
wd!
wd!
wd!
(b3, a3, , )
ok? wd?
ok?
(b2, a3, , 〈wd〉)
wd?
(b2, a3, 〈ok〉, )
(b0, a3, 〈gm〉, )
gm?
FIGURE 5.10. Global transition relation for (cfsme(Bank), cfsme(Atm))
The cfsme translation of the given IOTSs results in a CFSM protocol for (cfsme(Bank),
cfsme(ATM)) with global transition relation as depicted in Fig. 5.10. Obviously the state
space is finite and we may apply verification techniques for finite-state systems.
The basic idea for the verification of communication-safety is to verify asynchronous
responsiveness for the given CFSM system and conclude ultra-weak comm-safety of the
corresponding composition of buffered IOTSs by Prop. 5.16, Claim 5.24 respectively. To
show asynchronous responsiveness we need to check that the given system is eventually
receiving and free from unspecified and ignored receptions. The system is eventually re-
ceiving since for any state with an empty queue there are receiving states reachable solely
via loc-transitions, that is transitions labelled with labels from Σsnd ∪ Σa. There is ex-
actly one mixed state, ((b0, a1), , vp) after the first sending of vp!, and this state is free of
ignored receptions due to the outgoing receive transition for message vp. Thus the system
is free from ignored receptions and it is free from unspecified receptions, since for any
receiving state it holds that the possible queue contents can be processed by the outgoing
transitions. Therefore the CFSM protocol (cfsme(Bank), cfsme(Atm)) is asynchronously
responsive and by Prop. 5.16, Claim 5.24 respectively. we conclude that Ω(Bank)⊗Ω(Atm)
is ultra-weakly comm-safe.
We extend the Bank/ATM example to illustrate a protocol with communication errors
due to mixed states within the given local transition systems of Bank and Atm.
92 5. ON THE VERIFICATION OF PIO SYSTEMS
Example 5.26 (Bank/ATM mixed) Consider the Bank/ATM protocol extended by tran-
sitions to communicate failed pin verifications as given by Fig. 5.11 and the clip of the
corresponding global transition system in Fig. 5.12.
(a) Bank
/ok
/nok
/gm
wd/
vp/ b1
b3 b2
b0
(b) Atm (async)
/vp
nok/
/wd
ok/
gm/
a1
a3 a2
a0
FIGURE 5.11. Extension to communicate failed pin verification
...
(b0, a1, , 〈vp〉)
(b1, a1, , )
(b0, a0, , ) (b0, a2, , 〈vp wd〉)
vp?
(b1, a2, , 〈wd〉)
vp?
vp!
ok!ok!
wd!
wd!
nok?
wd!
(b0, a1, 〈nok〉, )
(b0, a2, 〈nok〉, 〈wd〉)
nok!
nok!
...
FIGURE 5.12. Clip of global transition system with incorrect ATM
The state ((b0, a1), nok, ) is a mixed state with an outgoing reception of nok and an out-
going send transition for wd. The state is free from ignored receptions, since the queue
content nok is received along the transition leading to state ((b0, a0), , ). Though the sys-
tem is not asynchronously responsive. The state ((b0, a2), nok,wd), which was not present
in the original global transition system, is a state that is not eventually receiving. The erro-
neous state is due to the wrong order of sending wd and receiving ok in the protocol of the
Atm together with the new output nok in the Bank protocol. Therefore Ω(Bank) ⊗ Ω(Atm)
is not ultra-weakly comm-safe.
The global transition system of the given example is a finite-state system. Hereafter
we consider a symbolic verification approach that works for a certain class of infinite-state
systems, namely those that are QDD-representable. An extension for the verification of
PIOs instead of IOTSs is briefly discussed in Sect. 2.6.
2.4. Queue Content Decision Diagrams (QDD). A Queue-content Decision Dia-
gram (QDD) is a specific finite state machine that can be used for the symbolic represen-
tation of queue contents within systems communicating via unbounded FIFO channels. In
the following we summarise basic definitions and operations for QDDs from [BGWW97]
and [BG99] and after that illustrate how protocols (i.e. CFSM systems with local actions)
extended with QDDs can be used to verify asynchronous compatibility of systems with
buffered IOTSs.
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 93
(a) CFSMs
1!m
s0
1?m
t0
(b) Product and QDD annotation
1!m
((s0, t0),m∗)
1?m
FIGURE 5.13. Extension by QDDs
A finite-state automata is a tupleF = (Σ, S, s0,∆, F ), where Σ is an alphabet, S is
a finite set of states, s0 ∈ S an initial state, ∆ ⊆ S × Σ ∪ {} × S a transition relation
and F a set of accepting states. A finite word w ∈ Σ∗ with w = a1 . . . an is accepted by
F if there exists si ∈ S such that (si−1, ai, si) ∈ ∆ and sn ∈ F for all 1 ≤ i ≤ n. The
language accepted by F is given by L(F ) = {w | w is accepted byF}. The projection
of a word w on a subset Σ′ ⊆ Σ, written w|Σ′ , is given by removing all symbols in w
which are not in Σ′. F is deterministic if there is no transition labelled  and all outgoing
transitions of any reachable state show different labels.
Let P = (Contr , Init,Act,Msg,Que,Trans) be a protocol and let k = |Que|. A queue-
content decision diagram (QDD) for P is a deterministic finite-state automataQ such that
for all w ∈ L(Q) it holds that w = w|Msg1 . . . w|Msgk , where Msgi is the set of messages
stored by queue i for 1 ≤ i ≤ k.
The queue content within the global state space is represented by QDDs such that each
global control state in Contr is extended by a QDD whose accepted language represents
the possible queue contents at this global state.
Example 5.27 (QDD) Figure 5.13 shows a simple system of two CFSMs which commu-
nicate via one queue (with identifier 1). The product is extended by m∗ which is a regular
expression describing the language accepted by the QDD of this global control state.
The QDDs are computed along an extended global transition relation. The computa-
tion uses specific operations to compute the accepted language L(Q) for a given global
control state ~c ∈ Contr depending on the queue operation op ∈ {i!m, i?m} obtained from
a transition (~c′, op,~c) ∈ Trans to ~c. Thus, while travelling through the extended control
transition system the accepted language assigned to a control state evolves each time the
state is visited. The computation terminates if the accepted language of each control state
has stabilised (i.e. does not change any more). Stabilisation, and therefore termination is
not guaranteed in general. However, if the algorithm terminates, then the final pairs of con-
trol states and QDDs are an exact representation of the reachable global state space of the
underlying protocol. QDD representable systems satisfy a regularity property. The algo-
rithm is independent from the ordering used for the construction of the accepted languages
L(Q) of the QDDs; cf. [BGWW97, Thm. 3].
An important concept used for the computation of QDDs are meta-transitions. For
specific patterns in the control transition system, meta-transitions are added which allow
to generate a whole set of reachable states in one step. For example a self-loop (~c, i!m,~c)
results in a meta-transition (~c, (i!m)∗,~c) which is evaluated during QDD construction.
Example 5.28 (Meta-transition) The example above is extended by meta-transitions as
illustrated in Fig. 5.14. The QDD computation for such an extended control transition
relation concludes m∗ as an accepted language for the given control state. Note that an
approach without meta-transitions would not terminate for the given example since the
accepted language evolves infinitely. Moreover, note that the accepted language would not
differ, if the receiver in Fig. 5.13 would wait for an input different from m.
Therefore, meta-transitions are an important concept to enable the construction of
finite representations of an infinite state space. Boigelot et al. [BGWW97] propose three
94 5. ON THE VERIFICATION OF PIO SYSTEMS
(a) Control transition relation (left) and meta-transitions (right)
1!m
1?m
(s0, t0)
(1!m)∗
(1?m)∗
(s0, t0)
(b) Global transition relation without QDDs
1!m ((s0, t0), 〈m m〉) · · ·((s0, t0), 〈m〉)1!m
1?m 1?m
((s0, t0), )
FIGURE 5.14. Meta-transitions and infinite state space
kinds of meta-transitions: repeatedly receiving messages (1), repeatedly sending messages
(2) and repeatedly receiving messages on one queue followed by sending messages on a
different queue (3). Assuming that reachability skips over local actions (i.e. transitions
without queue effect), meta-transitions are added to the global control transition systems
as follows:
(1) (~c, (i?w)∗,~c′) with w = m1 . . .mn,
if ~c′ is reachable from ~c by transitions labelled i?mh for 1 ≤ h ≤ n,
(2) (~c, (i!w)∗,~c′) with w = m1 . . .mn,
if ~c′ is reachable from ~c by transitions labelled i!mh for 1 ≤ h ≤ n,
(3) (~c, (i?w1; j!w2)∗,~c′) for i 6= j with w1 = m1 . . .mn and w2 = m1 . . .mr,
if ~c′ is reachable from ~c by transitions labelled i?mh for 1 ≤ h ≤ n followed by
transitions labelled j!mg for 1 ≤ g ≤ r.
The language definitions explained hereafter precisely specify, on the one hand the
effect of ordinary transitions, and on the other hand, the effect of meta-transitions on the
computation of the QDDs. In total there are five cases which need to be distinguished.
The corresponding QDD operations computing the effect of global control transitions on
the evolution of the associated QDDs are given in [BG99] and implemented in a C library
[Boi] that could be included in a model checker for CFSM systems.
Let P = (Contr , Init,Act,Msg,Que,Trans) be a protocol. Let ~c ∈ Contr and Q
the QDD associated with ~c. Let Transµ be a relation obtained from Trans by the addition
of meta-transitions. Let (~c, op,~c′) ∈ Transµ where op ∈ {i?m, i!m} ∪ {(i?w)∗, (i!w)∗,
(i?w1; j!w2)∗}. Then the language Lop(Q) accepted by the QDD for ~c′ with respect to
the label op of incoming (meta-) transitions is given by:
Li!m(Q) = {w′′ | ∃w′ ∈ L(Q) . w′′|Mi = w′|Mim ∧ ∀j 6= i . w′′|Mj = w′|Mj},(1)
Li?m(Q) = {w′′ | ∃w′ ∈ L(Q) . w′|Mi = mw′′|Mi ∧ ∀j 6= i . w′′|Mj = w′|Mj},
L(i!w)∗(Q) = {w′′ | ∃w′ ∈ L(Q), k ≥ 0 .(2)
w′′|Mi = w′|Miwk ∧ ∀j 6= i . w′′|Mj = w′|Mj},
L(i?w)∗(Q) = {w′′ | ∃w′ ∈ L(Q), k ≥ 0 .
w′|Mi = wkw′′|Mi ∧ ∀j 6= i . w′′|Mj = w′|Mj},
L(i?w1;j!w2)∗(Q) = {w′′ | ∃w′ ∈ L(Q), k ≥ 0 .(3)
w′|Mi = wk1w′′|Mi ∧ w′′|Mj = w′|Mjwk2 ∧ ∀h /∈ {i, j} . w′′|Mh = w′|Mh}.
Definition (1) treats transitions with enqueue or dequeue actions, while (2) and (3) explain
the effect of meta-transitions. The conditions are taken from [BG99, pp. 242, 244].
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 95
2.5. QDDs and Asynchronous Communication Safety. If a given CFSM protocol
is QDD-representable, then there exists a finite representation of its global transition re-
lation which associates a QDD with each control state. The QDD represents the contents
of the queues within this state. Asynchronous compatibility of systems of buffered IOTSs
requires, given a state with some non-empty queues, a succeeding sequence of receive tran-
sitions that matches the given queue contents. If this content is represented by a QDD we
have, instead of a sequence of messages stored within the particular queue, regular expres-
sions such as (m∗ x n∗), meaning that there are arbitrary many messages m stored topmost
of this queue, and after that a message x, etc. A compatible communication partner is then
required to receive arbitrary many messages m (and after that x, etc.), thus we seek transi-
tions that match star expressions like m∗ which is exactly provided by meta transitions for
repeated inputs.
For the concrete verification we may apply the approach described above, using the no-
tion of asynchronous responsiveness of CFSM protocols. Again we need small extensions
of the underlying definitions taking the meta-transitions for inputs into account. We as-
sume that the considered CFSMs are annotated with meta-transitions already (cf. Fig. 5.15
for an example). Instead of queue contents, we need to consider the projections of the
corresponding QDD. We use the notation qddj to refer to the projection of a QDD qdd ,
describing the jth queue of a global state γ ∈ ΓP of a CFSM protocol P ; with nxt(qddj)
we refer to the topmost element of qddj , that is either a single message m or an expression
m∗.
Let P be a CFSM protocol for (M1, . . . ,Mn) extended CFSMs with k = |Que|. A
state γ = (q1, . . . , qn, x1, . . . , xk) ∈ ΓP is an ineffective reception configuration, if there
exists i ∈ {1, . . . , n} such that qi is a receiving or a mixed state and
∀l ∈ Σc . ∀q′i ∈ Qi . (qi, j?l, q′i) ∈ δe =⇒ qddj 6=  ∧ nxt(qddj) 6= l ,(1)
∀l ∈ Σc . ∀q′i ∈ Qi . (qi, (j?l)∗, q′i) ∈ δe =⇒(2)
qddj 6=  ∧ (nxt(qddj) 6= l ∨ nxt(qddj) 6= l∗) .
A state q ∈ Q of an extended CFSM M = (Q, q0,Σe, δe) with meta-transitions is a
receiving or mixed state for j ∈ N if there exists l ∈ ΣrcvM , q′ ∈ Q such that (q, j?l, q′) ∈ δe
or (q, (j?l)∗, q′) ∈ δe. Let P be a CFSM protocol for (M1, . . . ,Mn) extended CFSMs
with k = |Que|. Let γ = (q1, . . . , qn, qdd1, . . . , qddk) ∈ ΓP . The state γ is eventually
receiving, if for all j ∈ {1, . . . , k} there exists i ∈ {1, . . . , n} such that the following
holds:
qddj 6=  =⇒ (∃(q′1, . . . , q′n, qdd ′1, . . . , qdd ′k) ∈ R(γ) . (q′i ∈ Rloc(qi) ∧
q′i is a receiving or a mixed state for j )) .
By this means, the notion of asynchronous responsiveness is completely adjusted to a set-
ting with meta-transitions and its verification may proceed as before. In order to illustrate
these basic ideas for QDD-based verification of communication-safety, we first reconsider
the Bank/ATM example Ex. 5.25 from above.
Example 5.29 (Simple Bank/ATM with QDD) The cfsm translation of the given IOTSs
results in a CFSM system (cfsme(Bank), cfsme(ATM)) with global transition relation as
depicted in Fig. 5.10. Obviously the state space is finite and we could equally well apply
verification techniques for finite-state systems. However, the system can also be used as a
simple example for the verification of communication safety with a QDD-based represen-
tation of queue-contents. Since there are no loops or cycles which satisfy the conditions
for meta-transitions we may understand the queue contents of the given transition system
directly as words accepted by the QDD associated to the corresponding control states.
For example, the projection of the QDD for state (b0, a2, , 〈vp wd〉) to the second queue
accepts the words described by the regular expression (vp wd).
96 5. ON THE VERIFICATION OF PIO SYSTEMS
To show asynchronous responsiveness we need to check that the given system is even-
tually receiving and free from unspecified and ignored receptions. A non-trivial QDD
corresponds to a potentially non-empty queue. By this, the argumentation proceeds anal-
ogously to Ex. 5.25. The only difference is the QDD based check of the condition qddj 6=
 ∧ nxt(qddj) 6= l for unspecified and ignored receptions respectively.
As a simple but illustrative infinite-state example we consider the IOTSs of a producer
and a buffer controller as introduced before. Remember that the system is not only infinite-
state but also open, thus it is mandatory to use the extended definitions of CFSM systems
with local actions and the extended IOTS translations cfsme and iotse.
Example 5.30 (Infinite-state) The global transition system for the communicating system
(cfsme(Prod), cfsme(BufCtr)) as depicted in Fig. 5.6 is an infinite-state system with open
output transitions. Due to the unbounded output queue of the producer the system may
infinitely send items without ever receiving one. Exactly these kind of cycles (loops) are
candidates for the introduction of meta-transitions. Figure. 5.15 shows the addition of two
meta-transitions. The meta-transition for Prod is due to the self loop in the original system
and the meta-transition for BufCtr is due to the repeated reception of put interleaved with
the local action get. The symbolic representation of the corresponding global transition
relation is depicted in Fig. 5.16. The meta-transitions for sending the message put allow to
derive a QDD which accepts the language described by put∗ as a symbolic representation
of the queue content for the control states (p0, b0) and (p0, b1).
(a) cfsme(Prod)
p0
put!
(put!)∗
(b) cfsme(BufCtr)
/get
b0
(put?)∗
b1
put?
FIGURE 5.15. Extended CFSMs with meta-transitions
/get
put?
put! put!((p0, b0), put∗) ((p0, b1), put∗)
FIGURE 5.16. Finite representation of an infinite state space
The verification requires to check for unspecified or ignored receptions and eventually
receiving states. The last requirement indeed holds, since for the QDDs in both states
the initial state is locally reachable and the state b0 is an appropriate mixed state (due to
the reception of put). For the remaining requirements we have only a mixed state (again
in b0) and no receive state. The CFSM cfsme(BufCtr) shows a meta-transition labelled
(put?)∗, thus in case of a non-trivial QDD in the corresponding global state we need to
check the second requirement of ineffective receptions above. The state ((p0, b0), put∗)
yields a non-trivial QDD with nxt(qdd) = put∗ and hence the input transitions of the state
b0 in cfsme(BufCtr) must provide a corresponding meta-transition. Since such a transition
exists the given system is asynchronously responsive.
2. CORRESPONDENCE WITH COMMUNICATING FINITE STATE MACHINES (CFSM) 97
2.6. On Extensions for the Verification of PIOs. PIOs extend I/O-transition sys-
tems with a set of persistent transitions. Formally, the persistent transitions of a PIO are
a subset of the transition relation of its underlying IOTS and thus a kind of additional in-
formation that can be incorporated into the CFSM view of systems with FIFO buffered
communication. In the following, we exemplify this claim for the case of CFSM systems
without local actions.
Given a CFSM system (Q, q0,Σ, δ), we denote the subset of persistent CFSM transi-
tions by pi(δ). The subset is either assumed to be specified or given by a translation from
PIOs. In the former case we extend the definition of CFSMs to obtain a correspondence be-
tween systems of buffered PIOs and thereby extended CFSM systems. In the latter case we
define pi(δ) as part of the CFSM translation of PIOs. In both cases, however, the additional
information is available in the form of a transition subset pi(δ).
The support for the verification of asynchronous comm-safety for PIOs using a defini-
tion of asynchronous responsiveness for CFSM systems can be extended to take persistent
transitions into account in a straightforward way. The definition of ineffective receptions
uses pi(δ) instead of δ, i.e., under the assumptions of Def. 5.10,
∀l ∈ Σi . ∀q′i ∈ Qi . (qi, j?l, q′i) ∈ pi(δi) =⇒ (|xj | ≥ 1 ∧ xj 6= l Σ∗) ,
with the intuitive meaning that there should be a persistent reception, instead of an arbitrary
reception, that can be used to dequeue the next element. The extension of eventually
receiving states is based on an extension of the snd-reachable states. The reachability
path must use persistent transitions only. If we denote by Rsndpi(δ)(q) the states, reachable
using persistent snd-transitions in pi(δ), then the condition for eventually receiving states
is extended, with assumptions as given by Def. 5.13 merely by replacingRsnd(qi):
xj 6=  =⇒ (∃(q′1, . . . , q′n, x′1, . . . , x′p) ∈ R(γ) . (q′i ∈ Rsndpi(δ)(qi) ∧
q′i is a receiving or a mixed state for j)) .
In a next step, the correspondence with asynchronous comm-safety of buffered PIO
systems in Prop. 5.16 must be established using the new definitions. We believe that a suc-
ceeding extension for CFSM systems with local actions and for the symbolic verification
with QDDs works analogously to the stepwise extensions as carried out in the course of
this chapter for the case of I/O-transition systems.

CHAPTER 6
Frames for the Specification of Component Behaviours
1. Frame Specifications for Port-Based Components 99
1.1. Correct Components 100
1.2. Frame Analysis 101
2. Compressing Proxy Revisited 103
2.1. Frame Specification and Correctness 103
2.2. Communication-Safety 105
3. Supporting Component-Based Development 107
3.1. Top-Down and Bottom-Up Design 107
3.2. Evolution in Hierarchical Systems 108
3.3. Weak- and Ultra-Weak Communication-Safety 108
4. Port-Based Frame Verification of Communication-Safety 110
5. Related Work 112
In Chap. 2 we defined a formal model for port-based components with behaviours.
Behaviours are formalised by I/O-transition systems and represent the implementation of
a component. Within this chapter we extend the given model by a specification layer
using the theory developed in Chap. 4. We illustrate our extension using the compressing
proxy system that was already used to introduce component behaviours in Chap. 2. In
this context we discuss implementation correctness, refinement and communication-safety.
After that, we show that our model supports important characteristics of component-based
development such as top-down and bottom-up design approaches. Finally, we discuss a
port-based approach for the verification of compatibility and communication-safety based
on frames and port protocols.
1. Frame Specifications for Port-Based Components
In correspondence with the terminology used by SOFA [BHP06], we call the speci-
fication of a component’s behaviour a “frame” and integrate these kinds of specifications
within our metamodel as depicted in Fig. 6.1. Any component is assumed to be equipped
with a frame. There is an association between behaviours and frames which represents a
correctness relation to be formally defined below. The behaviour of a correct component
is associated with the frame of the particular component. Since components are not neces-
sarily correct, however, their behaviour might not be in the correctness relation and hence
does not refer to any frame. In contrast, since frames represent a behavioural specification,
there is usually a set of behaviours which could be considered a valid implementation of
some given frame.
Frame specification use only external I/O-labels and the anonymous τ action for the
abstract modelling of internal choice.
Definition 6.1 (Frame) The frame of a component C ∈ Cmp is an input-persistent I/O-
transition system frm(C) = ((I,O, T ), S, s0,∆,Π) with I =
⋃{p.msg(prv(P )) | p :
P ∈ ports(C)}, O = ⋃{p.msg(req(P )) | p : P ∈ ports(C)} and T = ∅.
99
100 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
*
prv 0..1 req0..1
Declaration
ports
ports
cmps * conns * conns
1 frm
0..1
*
Component
Component
Composite
Behaviour
Component
Simple
*
1 /beh
Assembly
Connector
type1
Delegate
Connector
Assembly
Connector
Connector
Declaration
Component
Asynchronous
Synchronous
Connector
Port
Interface
Operation
Port
Frame
asm
type
*
/beh
1
1 beh
1..2
1
1
Connector
Declaration
*
type
1
FIGURE 6.1. Extension of the metamodel (cf. Fig. 2.1)
Note that the port prefix of the I/O-labels of a frame allows to create an appropriate parti-
tioned I/O-labelling if needed for the formal treatment of buffered communication. As long
as this is not the case we continue to use unpartitioned I/O-labellings for better readability.
1.1. Correct Components. Input-persistent I/O-transition systems (PIOs) specify,
besides the transitional behaviour of a component, which of its transitions are persis-
tent. Behaviours, in contrast, show only the transitional behaviour of a component. In
the more general formalism of modal automata [LT88] an implementation is an automata
with must-transitions only. In the context of PIOs this corresponds to complete persistence,
i.e. to ∆ = Π. Hence implementations are perfectly described by I/O-transition systems
(L, S, s0,Π). Put the other way around behaviours can be readily applied to a definition
of correct implementations along the refinement relation for PIOs if they are translated to
a PIO with ∆ = Π before. The pio-translation of an I/O-transition system is defined by
pio(L, S, s0,∆) = (L, S, s0,∆,∆).
Definition 6.2 (Correct implementation) Let C ∈ Cmp. The class of correct implemen-
tations of C is given by [[frm(C)]] = {(L, S, s0,∆) | pio(L, S, s0,∆) vbb frm(C)}.
Component C is correct (correctly implemented) if beh(C) ∈ [[frm(C)]].
Showing that a component is correct is fundamental to the verification of component-
based designs no matter if a top-down or a bottom-up approach was chosen for the design
of the given system. For bottom-up approaches it allows to conclude the correctness of the
composed implementations w.r.t. some global frame and for top-up approaches it allows
to conclude that the composed frames are a refinement of such a frame. Section 3 further
elaborates on this topic. In the following we first need to be more precise on mechanisms
for the composition of frames.
Frame specifications make use of the same static structures as component behaviours.
Therefore we apply the same assembly mechanism to define the composition of frames.
Analogously to behaviours we need to extend the notion of frames to component decla-
rations and clarify what the frame of a connector declaration is. Then, we may use the
match relabellings α and σ as defined in Chap. 2 to ensure proper synchronisation between
the composed entities. The behaviour of a synchronous connector is an empty transition
system which acts as a neutral element for the composition of transition systems and the
behaviour of an asynchronous connector is defined by the composition of two queues as-
sociated with the ports of the given connector. Since both kinds of connectors do not allow
for user-defined behaviours, for example a message ordering different from FIFO, there is
no reason to consider user-defined frames of connectors. Thus, the frame of a connector
declaration k : K ∈ ConnDcl is given by translation of its buffering behaviour to an
1. FRAME SPECIFICATIONS FOR PORT-BASED COMPONENTS 101
input-persistent I/O-transition system, that is frm(k : K) = pio(buf (k : K)). Note that
buf (k : K) does not show internal labels due to the definition of queue IOTSs. There-
fore, the frame of a connector (declaration) is indeed a frame in the sense that it does not
show any internal but only input and output labels. The frame of a component declaration
c : C ∈ CmpDcl is given by frm(c : C) = c.frm(C). The following lemma states the
equivalence of the given translation and a direct definition using the PIO encoding of FIFO
queues (cf. Def. 4.21) for later reference. The claim follows directly from the definitions.
Lemma 6.3 Let k : K be an asynchronous connector with ports(K) = {p : P , q : Q}.
Then pio(buf (k : K)) = k.(QBmsg(req(P ))⊗QBmsg(req(Q))), whereQB is the PIO encoding
of FIFO queues w.r.t. required messages of P and Q resp. 
Definition 6.4 (Frame assembly) The frame of an assembly a is given by
frm(a) = (
⊗
c:C∈cmps(a)(frm(c : C)σα)⊗
⊗
k:K∈conns(a) frm(k : K)) .
Composite components are assumed to be equipped with a frame just like simple com-
ponents. Correctness as required by Def. 6.2 above then depends on the relation between
the assembly behaviour of the component and its frame which is consistent with the def-
inition of composite components in Chap. 2. With the following table we provide a brief
conceptual overview in order to summarise and relate our behavioural definitions with the
frame definitions for components, connectors and assemblies.
Behaviour Frame
beh(C) = IOTS frm(C) = PIO
buf (K) = que(P )⊗ que(Q) frm(K) = pio(buf (K))
beh(a) =
⊗
beh(C)ξ ⊗⊗ buf (K) frm(a) =⊗ frm(C)⊗⊗ frm(K)
beh(CC ) = beh(a)ρ frm(CC ) = PIO
The only difference is in the definitions for composite components. The behaviour of as-
semblies and composite components is derived from the behaviours of the subcomponents.
The frame, in contrast, is derived only for assemblies. For composite components we still
expect an explicitely given frame specification; cf. Def. 6.2. Note that frm(a) usually
shows internal transitions as a result from the synchronisation of component and connector
frames. This is in contrast to the internal transitions of the frame of a composite component
which is, analogously to simple components, supposed to show anonymous τ actions only.
1.2. Frame Analysis. Having a frame composition mechanism at hand, the compat-
ibility properties studied on the level of PIOs can directly be transferred to the level of
frames. Then, by the notion of correct components defined above, an analysis of compat-
ibility, communication-safety (comm-safety) respectively on the level of frame specifica-
tions allows to conclude comm-safety of component behaviours. Remember that comm-
safety is the n-ary version of output compatibility and comes in three flavours, strong, weak
and ultra-weak comm-safety corresponding to the respective kind of output compatibility.
Since blackbox refinement preserves weak and ultra-weak output compatibility we have
the following.
Proposition 6.5 (Frame analysis) Let a ∈ Asm such that for all c : C ∈ cmps(a),
beh(c : C) ∈ [[frm(c : C)]]. If frm(a) is weakly (ultra-weakly) comm-safe, then beh(a)
is weakly (ultra-weakly) comm-safe.
PROOF. By definition frm(a) is a composition of PIOs. Thus by definition of correct-
ness, pio(beh(c : C)) vbb frm(c : C) for all c : C ∈ cmps(a). The connector transition
systems for frame and behaviour assemblies are equivalent due to the direct translation
from connector behaviour to connector frame (cf. Lem. 6.3). Hence the assumptions of
Prop. 4.35 hold and the claim follows by n applications of Prop. 4.35. 
102 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
Strong compatibility is not preserved by blackbox-refinement and hence strong comm-
safety does not carry over. In order to get an analogous result, a strong variant of the
blackbox refinement that does not allow insertion and removal of internal transitions must
be used.1
Frame analysis using Prop. 6.5 allows to infer properties of an implementation from
an analysis of its specification, i.e. from an analysis on the frame level of the component-
based system. In general, results from frame analysis can be expected to carry over for any
property which is preserved by blackbox refinement between PIOs. For instance, Chap. 4
examined the preservation of safety properties using a greybox variant of blackbox refine-
ment. Greybox refinement is related to our notion of correct implementations by Thm. 4.47
and Thm. 4.48. We consider assemblies with hidden enqueue actions.
Proposition 6.6 (Safety properties) Let a ∈ Asm such that for all c : C ∈ cmps(a),
beh(c : C) ∈ [[frm(c : C)]]. Let HB = ⋃{lB | lB ∈ Tfrm(a)} and let Psf be a safety
property for frm(a) \HB. If frm(a) \HB |= Psf then beh(a) \HB |= Psf .
In order to simplify the proof’s presentation, we will use directly behaviours and
frames of component types, skip a detailed discussion with relabellings σ and α for the
proper synchronisation within assemblies (cf. Def. 2.22), and consider completely buffered
PIOs. The latter corresponds to components that communicate by asynchronous connec-
tors only. Let sync(a) ⊆ cmps(a) and async(a) ⊆ cmps(a) be the subsets of syn-
chronously and asynchronously communicating components in assembly a. First we proof
the following lemma.
Lemma 6.7 Let a ∈ Asm such that for all c : C ∈ cmps(a), beh(c : C) ∈ [[frm(c : C)]].
Let HB =
⋃{lB | lB ∈ Tfrm(a)}. Then beh(a) \HB vgb frm(a) \HB.
PROOF OF LEMMA. By definition of assembly frames, associativity and commutativ-
ity of the product operator, and definition of buffered PIOs:
frm(a) \HB = (⊗c:C∈cmps(a) frm(C)⊗⊗k:K∈conns(a) frm(K)) \HB
= (
⊗
c:C∈sync(a) frm(C)⊗
⊗
c:C∈async(a) Ω(frm(C))) \HB
=
⊗
c:C∈sync(a) frm(C)⊗
⊗
c:C∈async(a)(Ω(frm(C)) \HB)
=
⊗
c:C∈sync(a) frm(C)⊗
⊗
c:C∈async(a)(Ω(frm(C))ξ).
For the third step, note that HB comprises only enqueue labels and thus the hiding does
not affect synchronously communicating components. As frames do not show internal la-
bels we may replace the hiding of enqueue labels by a hiding of all internal labels using ξ
in the fourth step. By the correctness assumption beh(c : C) ∈ [[frm(c : C)]], the invari-
ance of blackbox refinement w.r.t. ξ (cf. Lem. 4.5), and the transfer property of blackbox
refinement (cf. Cor. 4.29) it holds that⊗
c:C∈sync(a) beh(C)ξ vbb
⊗
c:C∈sync(a) frm(C) and⊗
c:C∈async(a) Ω(beh(C))ξ vbb
⊗
c:C∈async(a) Ω(frm(C))ξ.
Now, theorems 4.47 and 4.48 are applicable and we obtain⊗
c:C∈sync(a) beh(C)ξ vgb
⊗
c:C∈sync(a) frm(C) and⊗
c:C∈async(a) Ω(beh(C))ξ vgb
⊗
c:C∈async(a) Ω(frm(C))ξ.
Thus, by compositionality of greybox refinement (cf. Cor. 4.46), it follows that⊗
c:C∈sync(a) beh(C)ξ ⊗
⊗
c:C∈async(a) Ω(beh(C))ξ vgb frm(a) \HB.
As the left-hand side is obtained from beh(a)\HB analogously to the case of frm(a)\HB
above, the claim follows. 
1For example the PIO-correspondence for strong modal refinement of MIOs [BMSH10].
2. COMPRESSING PROXY REVISITED 103
(a) CompressingProxy
«component»
CompressingProxy
l : UpStream [1] r : DownStream [1]
(b) frm(CompressingProxy)
l.openGif/c0 c1
/r.comprData
l.openTxt/
(c) GZip
«component»
GZip
z : Zip [1]
(d) frm(GZip)
/z.cont
/z.stop
z.endTxt/
z.txt/
z.txt/
/z.endZip
/z.zip
/z.zip
z2 z3z1z0
(e) GifToJpg
«component»
GifToJpg
j : ToJpg [1]
(f) frm(GifToJpg)
/j.jpg
j.gif/
j.gif/
τ
g1g0 g2
τ
FIGURE 6.2. Frame specifications
PROOF OF PROPOSITION. By Lem. 6.7, it holds that beh(a) \HBvgb frm(a) \HB.
Hence, the claim follows by Thm. 4.53 if beh(a) is without terminal states. The general
case holds by a generalisation of Thm. 4.53; cf. p. 71. 
2. Compressing Proxy Revisited
Within this section we aim at illustrating the concepts of our component model ex-
tended with frame specifications. First, we will introduce frame specifications for the
components constituting the compressing proxy system known from Chap. 2 and after that
discuss component correctness for simple and composite components. Finally we will
discuss analysis and preservation of comm-safety within the given system.
2.1. Frame Specification and Correctness. We start with the compressing proxy
component introduced in Chap. 2 (Sect. 1.2) and consider its originally required function-
ality. The component should receive uncompressed textual and graphical data upstream
and send compressed data further downstream. An immediate design to meet these require-
ments is shown in Fig. 6.2a/6.2b. For the port interfaces we assume the port UpStream to be
equipped with a provided interface USP = {openTxt, openGif} and the port DownStream
with a required interface DSR = {comprData}.
Next, assume we have components GZip and GifToJpg available as tools for textual and
graphical compression as depicted in Fig. 6.2c/6.2d and Fig. 6.2e/6.2f. In order to employ
these tools for the implementation of ComprProxy we will need to design a component
which links their behaviour with the required functionality of the compressing proxy com-
ponent. Since component-based design aims at independence from implementation details
this addresses the frames of the given components which are assumed to be given by the
transition systems (PIOs) in Fig. 6.2d and Fig. 6.2f. The interfaces for the ports of these
104 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
components are assumed to be given according to the labels used in the respective frame
specification.
The frame specification of the zip compression component specifies a compression
tool which retrieves streamed textual data until z.endTxt is triggered. In this case a cor-
responding zip archive is sent back, again using a stream with a corresponding endZip
message. An optional feature is the possibility to interrupt the reception of textual data by
sending z.stop, for instance to avoid an internal buffer overflow of the zip component. The
feature is optional due to the specification of z.stop as being not persistent (indicated by
a dashed transition arrow). Support of clients which require explicit acknowledgements
to continue with text transmission is modelled by the transition labelled z.cont. Acknowl-
edgements again are an optional feature.
In contrast to the frame of GZip, the frame specification for the component GifToJpg
is completely persistent. Though there is a difference between behaviours and frame. A
frame is not allowed to show transitions with internal labels. Instead frames always hide
these kind of labels using the anonymous internal label τ which makes different inter-
nal transitions indistinguishable. By this means the size of frame specification may often
be reduced significantly along the minimisation procedure of observational equivalence,
sometimes even up to the complete removal of all given τ -transitions. This is not the case,
however, with the frame of GifToJpg which shows an internal choice after receiving gif at
port j. An implementation will either proceed and send a jpg back via j or cancel immedi-
ately and wait for another gif. In case a message gif is received in between, the current jpg
is dismissed.
In Chap. 2 we introduced behaviours for the components GZip and GifToJpg (Fig. 2.3)
which indeed are correct behaviours w.r.t. the frame specifications given in Fig. 6.2d and
Fig. 6.2f. The behaviour of GZip reifies the output transition (z1, z.stop, z2) and disregards
the possibility to send out cont acknowledgements, while the behaviour of GifToJpg merely
provides named labels process and cancel for the anonymous internal labels given by the
frame specification.
Still missing is the above mentioned component to incorporate the given tool compo-
nents in such a way that the resulting composition is a valid implementation of the com-
pressing proxy component. Figure 6.3 shows the frame of an adaptor component which
provides such an integration in a simple way. We assume ports of the component given
according to the labels used for the specification of its frame. The component passes ei-
ther textual data to the zip component, or graphical data to the JPG conversion tool. After
compression is finished, the result is sent further downstream and the adaptor is ready to
receive further textual or graphical data. The messages communicated in between mirror
the frame of GZip, or use the services provided by the frame of GifToJpg in a rather direct
way respectively.
t.endZip/
g.gif//g.jpg
/d.comprData
t.zip/t.zip/
t.endZip/
u.openGif//t.endTxt
/t.cont
/t.txt /t.stop
u.openTxt/ /t.txt t.stop/ t.zip/ t.zip/
τ
a4 a8a0 a2a1 a5 a6
a9
a7
a′2
a3
FIGURE 6.3. Frame specification of component Adaptor
In order to complete the specification of the compressing proxy component we fur-
ther need to decide on the communication timing between the given components, that is
we need to decide on the kind of connectors. Since the protocols were designed with a
2. COMPRESSING PROXY REVISITED 105
gj.jpg gj.gif
/d.comprData
tz.endZip
u.openGif/tz.endTxt
tz.txt tz.stopu.openTxt/
tz.conttz.txt tz.stop tz.zip
tz.zip tz.zip
tz.zip
tz.endZip
(a0, z0, g0)
τ (a9, z0, g1)
(a7, z0, g0) (a8, z0, g0)(a6, z3, g0)(a1, z0, g0) (a2, z1, g0) (a3, z2, g0) (a5, z2, g0)
(a′2, z1, g0)
(a4, z3, g0)
FIGURE 6.4. Frame composition using synchronous connectors
u.openGif/
gj.gif
...
gj.jpg
τ
(a7, z0, g0) (a8, z0, g0) (a9, z0, g0)(a9, z0, g1) (a9, z0, g2)
τ
τ
ττ
FIGURE 6.5. Composition of Adaptor and GifToJpg
rendezvous-like mechanism in mind, we set up a static structure with synchronous connec-
tors. For the remaining part we assume static elements as given by the original design in
Chap. 2 (Fig. 2.2). Then, the composition of frames and synchronous connectors yields an
input-persistent I/O-transition system (PIO) as depicted in Fig. 6.4. Here and in the fol-
lowing the component names do not contribute to the discussion and thus we simplify the
representation, omitting the names of component declarations for better readability. More-
over the composition was simplified with regard to τ -transitions in the synchronisation
part between Adaptor and GifToJpg (transitions (a8, z0, g0) to (a7, z0, g0)). The original
product yields an interleaving as depicted in Fig. 6.5 which is observational equivalent to
the simplified representation in Fig. 6.4. Since all transitions in between receiving mes-
sages upstream and sending compressed data further downstream are internal transitions,
it is easily verified that the resulting frame assembly indeed is a refinement of the initial
requirements. More formally, we have
frm(〈C;K〉)ρvbb frm(CompressingProxy),
where C = {adapt:Adaptor, gzip:GZip, gif:GifToJpg}, K = {tz:(t:TxtCompr, z:Zip), gj: (g:
GifCompr, j:ToJpg)} and ρ is a relay relabelling which maps the port names u and d used
for Adaptor to the port names l and r used for the specification of CompressingProxy. Note
that the mentioned minimisation w.r.t. observational equivalence does not touch the validity
of refinement. Moreover, compatibility analysis is not affected either, as long as weak or
ultra-weak output compatibility is concerned. This is not the case if we aim at proofing
strong output compatibility, since observational equivalence allows to add τ -transitions as
long as the weak bisimulation relation is not invalidated and thus strong compatibility is
not preserved.
2.2. Communication-Safety. Frame analysis is one of the advantages of an approach
to component-based development that explicitly distinguishes component specifications
and implementations. In our model such a distinction manifests in the difference between
frames and behaviours of a component. The frame is usually a more abstract descrip-
tion, representing a whole class of possibly (correct) implementations, and thus for any
property which is known to be preserved by the implementation relation between frames
and behaviours it suffices to analyse component frames instead of behaviours. As a rep-
resentative example Prop. 6.5 allows to conclude weak and ultra-weak comm-safety for
compositions of correct component behaviours.
106 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
(a) GZip (async)
/z.zipz1z0
/z.zip
/z.endZip
z.txt/
(b) Adaptor (async)
τ
t.endZip/
a0 a1
/t.txt
/t.txt t.zip/
FIGURE 6.6. GZip and Adaptor for buffered communication
There are several possibilities to analyse comm-safety. Consider, for instance, the
frame composition in Fig. 6.4. First, since the design of the adaptor component followed
the given frame specifications of the tool components rather closely, we may expect pair-
wise weak output compatibility to hold between the given frames. In this case Prop. 4.37
would be applicable to conclude weak comm-safety of the given frame composition. In-
deed, an analysis for Adaptor and GZip even yields strong output compatibility, that is we
have
frm(Adaptor)σ↔s frm(GZip)σ and hence frm(Adaptor)σ↔u frm(GZip)σ,
where σ is the synchronous relabelling w.r.t. the connector tz:(t:TxtCompr, z:Zip) (again
note that we left out the component names for better readability). Unfortunately this is not
the case for the frames of Adaptor and GifToJpg. Even worse, the frames are not output
compatible at all, due to the transition (g2, j.jpg, g0) (Fig. 6.2f) being globally reachable
in state (a9, z0, g1) (Fig. 6.4). In order to fix this defect, we need to add appropriate re-
ception transitions for the jpg messages sent by GifToJpg. Adding two reception loops to
frm(Adaptor), one in state a7 and one in state a0, yields weakly output compatible frames.
Now, since frm(GZip) and frm(GifToJpg) are obviously output compatible, Prop. 4.37 is
applicable and it follows that the composition in Fig. 6.4 is weakly comm-safe. Alterna-
tively it would also suffice to add only the reception loop in state a0. In this case, we
obtain ultra-weak output compatibility between Adaptor and GifToJpg which is, however,
not strong enough to conclude comm-safety from pairwise analysis. Instead, an incremen-
tal analysis using Prop. 4.40 is necessary to show ultra-weak comm-safety for the given
composition. The difference between pairwise and incremental analysis draws a clear bor-
der for the applicability of port-based techniques for verification (cf. Sect. 4) to which the
feasibility of pairwise analysis is of paramount importance.
We did not yet consider frame analysis with asynchronous connectors. Indeed, frame
design of port-based components is in general strongly influenced by assumptions on the
underlying communication mechanism. There might be frame specifications that are well-
suited for both kinds of communication timing, but there might be protocols too that fit
either to the synchronous but not to the asynchronous case or vice versa. For example, the
adaptor component designed above yields a rather complicated behaviour in case an asyn-
chronous connector is employed between the components Adaptor and GZip. With buffered
communication in mind simpler designs such as, for example, the frames as depicted in
Fig. 6.6 could be used. The transition systems are not ultra-weak output compatible due to
the output transition (a1, t.txt, a0) in the adaptor frame on the right-hand side. The global
control state (z1, a1) is reachable, but the frame of GZip on the left-hand side provides to
receive txt only after the shared output transition (z1, z.endZip, z0). For ultra-weak com-
patibility, such a transition would need to be either internal or non-shared output.
The frame specifications of Fig. 6.6 combined with an asynchronous connector yield
a global transition system which is infinite-state due to the possibility on both sides of the
communication to send messages without ever receiving one. The adaptor component may
send the message txt and GZip may send the message zip arbitrary often. In order to confirm
asynchronous compatibility for the given specifications one needs to apply either criteria
3. SUPPORTING COMPONENT-BASED DEVELOPMENT 107
which are applicable to the given finite-state control automata (frames) or, for instance,
symbolic approaches such as the QDD approach described in Chap. 5.2
Once weak (ultra-weak) comm-safety is established for an assembly of component
frames with synchronous or asynchronous connectors, Prop. 6.5 allows to conclude weak
(ultra-weak) comm-safety for the implementation of the system as long as components
are correctly implemented. Remember that our implementation relation (cf. Def. 6.2) is
independent from the particular kind of connectors and hence works for systems with both,
synchronous and asynchronous communication. Moreover it is important to note that this
holds for all behaviours which are correct w.r.t. the frame of a given component. For
example using an implementation of the component GZip with a behaviour that neither
sends cont nor stop is perfectly acceptable with regard to frm(GZip) in Fig. 6.2d, and the
composition of the system on behavioural level is still comm-safe due to comm-safety on
the frame level of the system.
3. Supporting Component-Based Development
In this section we show that our approach indeed supports characteristic features of
component-based development. First, we examine support for top-down and bottom-up
design approaches.
3.1. Top-Down and Bottom-Up Design. Top-down design decomposes a single spec-
ification into a number of separated specifications whose composition is either equivalent
or a refinement of the original global specification. Then, if we use implementations for the
composition’s parts, we are allowed to conclude that the composition of the implementa-
tions is a valid implementation of the original single specification. Bottom-up approaches
start with detailed single components which are composed to create an implementation of
some given specification. Under the assumption of correct component implementations our
approach supports both, top-down and bottom-up approaches to component-based design.
Theorem 6.8 (Bottom-up) Let a ∈ Asm such that for all c : C ∈ cmps(a), beh(c : C) ∈
[[frm(c : C)]]. Let HB =
⋃{lB | lB ∈ Tfrm(a)}. Then beh(a) \HBvgb frm(a) \HB and
beh(a)vbb frm(a).
PROOF. The first claim holds by Lem. 6.7 and then, beh(a)vbb frm(a) follows from
Prop. 4.43 (1) and the invariance of blackbox refinement w.r.t. hiding of internal labels
(cf. Lem. 4.5). 
Theorem 6.9 (Top-down) Let C ∈ Cmp and let a ∈ Asm such that for all d : D ∈
cmps(a), beh(d : D) ∈ [[frm(d : D)]]. If frm(a)vbb frm(C) then beh(a) ∈ [[frm(C)]].
PROOF. By Thm. 6.8, transitivity of blackbox refinement, and Def. 6.2 of correct
implementations. 
Example 6.10 (Top-down/Bottom-up) The compressing proxy system above was devel-
oped using a mixture of top-down and bottom-up steps. Given the frame of the compress-
ing proxy component, we seeked to identify existing components whose behaviour compo-
sition can be used to implement the given component. Thus, the first design step followed
a bottom-up approach. Once appropriate components had been identified with GZip and
GifToJpg, however, the direction switched and we considered their frame specifications and
designed an adaptor component, aiming at establishing blackbox refinement between the
composition of the frame specifications of all three components and the frame specification
as given for the compressing proxy component.
2The examples have been checked by hand.
108 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
3.2. Evolution in Hierarchical Systems. Besides the general support of component-
based design approaches, any formal component model should also support modular sub-
stitutability based on its refinement and implementation relations. We consider the notion
of “component-wise evolution” [dAH01b]. Evolution aims at replacing an implementa-
tion without changing the frame of the original component. In this case it should suffice
to check only correctness w.r.t. the frame of the original component in order to conclude
the correctness of an evolved assembly. For the presentation of subsequent claims we will
use the notations for type substitution in assemblies and composite components defined in
Chap. 2 (Def. 2.22/2.23).
Proposition 6.11 (Evolution) Let CC ∈ CCmp. Let c : C ∈ cmps(asm(CC )) and let
C ′ ∈ Cmp with ports(C) = ports(C ′). If beh(CC ) ∈ [[frm(CC )]] and beh(C ′) ∈
[[frm(C)]] then beh(CC [c : C 7→ C ′]) ∈ [[frm(CC )]].
PROOF. By Def. 6.2 of correct implementations we have pio(beh(C ′))vbb frm(C).
By Prop. 4.10 it follows that pio(beh(asm(CC )[c : C 7→ C ′]))vbb pio(beh(asm(CC ))).
Now, the claim follows by transitivity of blackbox refinement (cf. Prop. 4.8) and the defi-
nition of correct implementations. 
Example 6.12 (Evolution) Replacing the component GZip by a different component, say
GZip’ which does not send stop messages is still correct w.r.t. frm(GZip) in 6.2d, i.e.
beh(GZip′) ∈ [[frm(GZip)]] and thus, by Prop. 6.11, we may replace GZip by GZip’ and
still have a correct implementation of frm(CompressingProxy).
The following proposition shows the support of evolution for hierarchical component-
based systems of depth two.3 The proposition can be used to show support of evolution in
arbitrary hierarchical systems by induction on the depth of the hierarchy.
Proposition 6.13 (Hierarchy) Let CCT ∈ CCmp such that beh(CC ) ∈ [[frm(CC )]] and
let cc : CC ∈ cmps(asm(CCT )). Let c : C ∈ cmps(asm(CC )) and C ′ ∈ Cmp with
ports(C) = ports(C ′). If beh(C ′) ∈ [[frm(C)]], then
beh(CCT [cc : CC 7→ CC ′]) ∈ [[frm(CCT )]],
where CC ′ = CC [c : C 7→ C ′].
PROOF. Using Prop. 6.11 we conclude from beh(C ′) ∈ [[frm(C)]] that CC ′ with
CC ′ = CC [c : C 7→ C ′] is still correct, that is beh(CC ′) ∈ [[frm(CC )]]. Now, for
cc : CC ∈ cmps(asm(CCT )) it follows again by Prop. 6.11 that beh(CCT [cc : CC 7→
CC ′]) ∈ [[frm(CCT )]]. 
3.3. Weak- and Ultra-Weak Communication-Safety. So far we have discussed gen-
eral support for top-down and bottom-up design approaches as well as general support for
evolving (hierarchical) systems. Next we show that frame analysis for ultra-weak comm-
safety carries over to frame refinements in top-down design approaches. Moreover, ultra-
weak comm-safety is preserved under substitution of correct component behaviours for
evolving (hierarchical) systems. The succeeding claims also hold for weak comm-safety.
Strong compatibility, however, is not preserved by blackbox-refinement and hence strong
comm-safety does not carry over. In order to get analogous results for strong comm-safety,
a strong refinement relation must be applied that does not allow for the insertion and re-
moval of internal transitions.
Proposition 6.14 (Comm-safe top-down design) Let a ∈ asm such that for all d : D ∈
cmps(a), beh(d : D) ∈ [[frm(d : D)]]. Let c : C ∈ cmps(asm(a)) and let C ′ ∈ Cmp with
3The statement is similar to the claim on behaviour preservation for arbitrary nested hierarchies in the context
of behaviour protocols [PV02, Thm. 3.4.4] (behaviour protocols are used as a formal model for component
behaviours in SOFA).
3. SUPPORTING COMPONENT-BASED DEVELOPMENT 109
ports(C) = ports(C ′). If frm(a) is weakly (ultra-weakly) comm-safe and frm(C ′) vbb
frm(C), then frm(a[c : C 7→ C ′]) is weakly (ultra-weakly) comm-safe.
PROOF. The claim is a consequence of Prop. 4.15 (Prop. 4.19 resp.) along an expan-
sion of definitions similar to the proofs for the support of bottom-up and top-down design
approaches. 
It is not strictly necessary to refine frames in order to preserve weak or ultra-weak
comm-safety. By component-wise evolution we may also replace components using a
different (but correct) implementation while leaving the frame specification untouched.
Proposition 6.15 (Comm-safe evolution) Let a ∈ asm such that for all d : D ∈ cmps(a),
beh(d : D) ∈ [[frm(d : D)]]. Let c : C ∈ cmps(asm(a)) and let C ′ ∈ Cmp with
ports(C) = ports(C ′). If frm(a) is weakly (ultra-weakly) comm-safe and beh(C ′) ∈
[[frm(C)]], then beh(a[c : C 7→ C ′]) is weakly (ultra-weakly) comm-safe.
PROOF. By Prop. 6.14 and definition of correct implementations (Def. 6.2) it follows
that frm(a[c : C 7→ C ′]) is weakly (ultra-weakly) comm-safe. Hence beh(a[c : C 7→ C ′])
is weakly (ultra-weakly) comm-safe by Prop. 6.5. 
Example 6.16 (Comm-safe top-down design and evolution) Consider the compressing
proxy example and assume frm(〈C;K〉) with C = {adapt:Adaptor, gzip:GZip, gif:GifToJpg}
and K = {tz:(t:TxtCompr, z:Zip),gj: (g: GifCompr, j:ToJpg)} is comm-safe (e.g. with frame
specifications as depicted in Fig. 6.2d, Fig. 6.2f and Fig. 6.3, and synchronous connectors
K ⊆ SynConn). Moreover, assume that
(i) one of the frames is refined, or
(ii) one of the implementations is replaced.
Then, (i) can be used to illustrate the preservation of comm-safety in top-down designs
and (ii) to illustrate the preservation of comm-safety in evolving systems. For instance,
assume GZip’ is a component which refines the frame of GZip to a frame which does not
support cont acknowledgements. Then, we may conclude along Prop. 6.14 that the frame
composition using the new component is still comm-safe. More formally we may conclude
comm-safety of frm(〈C;K〉[gzip:GZip 7→ GZip’]). For (ii) we replace a component using
the original frame specification but a different implementation. If the new component is
correct, then we may use Prop. 6.15 to conclude that comm-safety on the behavioural
level still holds. More formally, with a component GZip’, showing a behaviour such that
beh(GZip’) ∈ [[frm(GZip)]] and ports(GZip) = ports(GZip’) we may conclude comm-safety
of beh(〈C;K〉[gzip:GZip 7→ GZip’]).
Finally, we extend our claim to show support for hierarchies of depth two. The propo-
sition can be used to show support for arbitrary hierarchies by induction on the depth of
the hierarchy.
Proposition 6.17 (Comm-safe hierarchy) Let CC ∈ CCmp such that beh(asm(CC )) ∈
[[frm(CC )]]. Let c : C ∈ cmps(asm(CC )) and letC ′ ∈ Cmp with ports(C) = ports(C ′).
If frm(asm(CCT )) is weakly (ultra-weakly) comm-safe and beh(C ′) ∈ [[frm(C)]] then
beh(asm(CCT )[cc : CC 7→ CC ′]) is weakly (ultra-weakly) comm-safe,
where CC ′ = CC [c : C 7→ C ′].
PROOF. By Prop. 6.13 we know frm(asm(CCT )[cc : CC 7→ CC ′]) v frm(CCT ).
Since frm(CCT ) is weakly (ultra-weakly) comm-safe and v preserves weak (ultra-weak)
comm-safety (Prop. 4.15, Prop. 4.19 ), it follows that frm(asm(CCT )[cc : CC 7→ CC ′])
is weakly (ultra-weakly) comm-safe. Finally, since weak and ultra-weak comm-safety do
not distinguish internal labels and anonymous internal actions labelled τ , it follows that
beh(asm(CCT )[cc : CC 7→ CC ′]) is weakly (ultra-weakly) comm-safe. 
110 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
4. Port-Based Frame Verification of Communication-Safety
The general idea of port-based verification is to use ports as partial views to compo-
nents and analyse instead of component interaction only the interaction which is visible at
the particular ports. In our component model this means to consider the connectors of an
assembly. The pairwise analysis is then used to conclude global properties of the underly-
ing assembly behaviour. Of course such an approach is only applicable if the property un-
der analysis indeed is a consequence of pairwise considerations. As an example consider
our notions of output compatibility in n-ary compositions, i.e., strong, weak, and ultra-
weak comm-safety. While weak comm-safety follows from pairwise analysis (Prop. 4.37),
ultra-weak comm-safety does not (Ex. 4.39). Therefore we will focus on weak output
compatibility in the following.
In contrast to our approach using ports for a more efficient check between component
behaviours in Chap. 3, we assume the mentioned port view to be explicitely given, i.e. we
assume an explicitely specified port protocol. Note that, analogous to frame specifications,
τ -transitions are still allowed but internal actions should not be visible any more.
Definition 6.18 (Port protocol) The protocol of a port P ∈ Port is an input-persistent
I/O-transition system prot(P ) = ((I,O, T ), S, s0,∆,Π) with I = msg(prv(P )), O =
msg(req(P )) and T = ∅. The protocol of a port declaration is given by prot(p : P ) =
p.prot(P ).
Figure 6.7 shows the corresponding extension of our metamodel. Ports are equipped
with an optional protocol that may be used to specify partial views with regard to the
component’s frame. Such a protocol may support verification of global properties by pair-
wise checks between port protocols of the components. As an example we consider weak
comm-safety that is known to support pairwise verification on the level of frame specifica-
tions (Prop. 4.35).
*
type
1
*
prv 0..1 req0..1
Declaration
ports
ports
cmps * conns * conns
prot
0..1
Component
Component
Composite
Behaviour
Component
Simple
*
1 /beh
Assembly
Connector
type1
Delegate
Connector
Assembly
Connector
Connector
Declaration
Component
Asynchronous
Synchronous
Connector
Port
Interface
Operation
Port
Frame
1 frm
0..1
*
asm
type
*
/beh
1
1 beh
1..2
1
1
Connector
Declaration
FIGURE 6.7. Metamodel with frames and port protocols
The analysis is based on the following notion of connector compatibility.
Definition 6.19 (Comm-safe connectors) An assembly connector k : K ∈ ConnDcl with
ports(K) = {p : P , q : Q} is weakly comm-safe if K ∈ SynConn implies prot(P )↔w
prot(Q), and K ∈ AsynConn implies Ω(prot(P ))↔w Ω(prot(Q)).
Communication-safety in assemblies relates to the frame specifications of compo-
nents. Therefore, we need a formal relation between the frame specification and the port
protocols of a component. We will use blackbox refinement for this purpose since this is
our weakest relation between PIOs that is known to preserve weak output compatibility
for both, synchronous and asynchronous communication. We first consider the case of two
components.
4. PORT-BASED FRAME VERIFICATION OF COMMUNICATION-SAFETY 111
Lemma 6.20 (Port-based weak comm-safety) Let a = 〈c : C[p : P ], d : D[q : Q]; k : K〉
be an assembly such that ports(K) = {c.p : P , d.q : Q}. If frm(C) vbb prot(p : P ),
frm(D) vbb prot(q : Q) and k : K is weakly comm-safe then beh(a) is weakly comm-
safe.
PROOF. We distinguish k : K being either synchronous or asynchronous. If k : K is
a synchronous connector then prot(P )↔w prot(Q). Since compatibility is preserved by
prefix relabelling we also have k.prot(P )↔w k.prot(Q). By Prop. 4.19 for frm(C)σvbb
k.prot(p : P ) it follows that frm(C)σ ↔w k.prot(Q) where σ is the synchronous rela-
belling σ({c.p,d.q},k). By a symmetric reasoning with port Q and component D it follows
that frm(c : C)σ↔w frm(d : D)σ and hence beh(a) is weakly comm-safe.
If k : K is an asynchronous connector it holds that Ω(prot(P ))↔w Ω(prot(Q)) and also
Ω(k.prot(P )) ↔w Ω(k.prot(Q)). Denote the asynchronous IOL of k.prot(P ) by LP .
Then it follows by Prop. 4.32 for frm(C)αvbbk.prot(p : P ) that Ω(frm(c : C)α,LP )↔w
Ω(k.prot(Q)) where α is the asynchronous relabelling α({c.p,d.q},k). Hence, by a symmet-
ric reasoning, Ω(frm(c : C)α,LP )↔w Ω(frm(d : D)α,LQ) which means that beh(a) is
weakly comm-safe. 
For the generalisation to arbitrary assemblies we consider only assemblies which are
either completely synchronous or completely asynchronous. An assembly a is completely
synchronous if acs(a) = ∅; it is completely asynchronous if (scs \ ucs) = ∅, that is, the
only synchronous connectors are unary. The restriction to a homogenous communication
timing is due to the corresponding restriction on the level of PIOs in Sect. 3 of Chap. 4.
In order to verify heterogenous assemblies, components that communicate synchronously
may be gathered and replaced by an equivalent component such that only components
communicating via asynchronous communication remain.
Corollary 6.21 (Weak comm-safety) Let a be an assembly which is either completely
synchronous or asynchronous. If for all assembly connectors k : (c.p : P , d.q : Q) ∈
conns(a) it holds that frm(cmp(c.p : P )) vbb prot(p : P ) and frm(cmp(d.q : Q)) vbb
prot(q : Q) and k : K is weakly comm-safe then beh(a) is weakly comm-safe.
PROOF. By Lem. 6.20 and Prop. 4.37 for synchronous assemblies. Since buffered
PIOs are PIOs, Prop. 4.37 also applies to the case of asynchronous connectors. 
The refinement requirements for the component frames with regard to the port pro-
tocols are rather strong assumptions. As the complete frame specification needs to be in
relation, any input or output of the particular component needs to be taken into account. In
particular this means that all of the connected ports of a component are equipped with the
same alphabet. Even if this might be handled along mechanisms such as alphabet exten-
sion as applied in process algebras, it remains the requirement that the frame specification
integrates the port protocols in an independent way. That is, the communication at different
ports is not interleaved at all which is obviously quite a strong requirement for the frame
specification of a component.
Therefore, it would be important to weaken the assumptions in such a way that it
is not necessary to take the complete frame specification into account. For instance, we
may hide all output transitions that do not involve the currently considered port. Since
we usually assume output compatibility, this assumption should not affect the correct-
ness of the global conclusion. More precisely, denote the output labels of a component
frame frm(C) by OC and assume prot(p : P ) to be the protocol of a port of C. Let
Hout¬p = OC \ {p.m | m ∈ msg(req(P ))}. Then, a possibly weaker assumption would
require frm(C)/Hout¬p vbb prot(p : P ) allowing to conclude analogously to the reason-
ing above that frm(C)/Hout¬p and frm(D)/Hout¬q are weakly compatible. However, weak
compatibility with such a hiding corresponds to ultra-weak compatibility and ultra-weak
compatibility does not allow for pairwise analysis (Ex. 4.39). Hence, the result from the
112 6. FRAMES FOR THE SPECIFICATION OF COMPONENT BEHAVIOURS
binary case does not carry over to n-ary compositions, i.e., to weak comm-safety of assem-
blies.
On the contrary hiding inputs is not backed by any compatibility assumption. Thus
we do not expect to find weaker assumptions for the general case of assemblies with an
arbitrary topology. We believe, however, that an analysis of acyclic assemblies similar to
our approach for the detection of neutral component behaviours and a syntactical reduction
of assemblies in Chap. 3 also works for a port-based verification of weak comm-safety with
such a weaker assumption. Hence an integration of the reduction approach of Chap. 3 with
an analysis of comm-safety could be an interesting issue for future work.
5. Related Work
This chapter completes the formal behavioural model of Chap. 2 with a more abstract
specification layer using component frame specifications. The resulting formal software
component model was shown to support fundamental characteristics of component-based
development. Such a support is formally also considered by SOFA 2.0 [PV02] and by
Component Interaction Automata [CVZ06]. The former discusses support for hierarchical
composition within arbitrarily nested hierarchies, and the latter develops a generic notion
of equivalence that probably could be used to prove support of top-down and bottom-up
design similar to our approach. Moreover, their notion of independent implementability
seems to be similar to our notion of evolution in hierarchical systems.
Component frames provide a specification of a component’s behaviour that is usually
more abstract compared to the formal representation of its implementations. The difference
between specification and implementation is also examined by de Alfaro and Henzinger in
[dAH01b]. Their framework sheds some light on the difference and the interrelation be-
tween component implementation and specification, called interfaces in [dAH01b], in the
context of component-based design. While the representation of a component’s implemen-
tation is supposed to describe what the component actually does, an interface description
should describe how the component can be used. Formally distinguished component and
interface algebras are used for an abstract representation of component implementations
and interfaces. Both algebras are equipped with a form of composition and hierarchy (re-
finement). Then, an interface algebra together with an implementation relation that relates
to a component algebra is called an interface theory. In our terminology, this would be
called a formal software component model while we call the interface algebra an inter-
face theory. Their study of support for top-down and bottom-up design, and evolution is
conceptually closely related. According to [dAH01b], interfaces should support top-down
design, components should support bottom-up verification, and support for evolution (im-
plementation substitutability) is support for a task that replaces a component (type) without
observable effect on the original composition.
CHAPTER 7
UML2 – Applied Features and Extensions
1. Static Structure of Components and Assemblies 113
2. Component Behaviour and UML State Machines 117
3. Frame Specifications and UML Protocol State Machines 119
4. From State Machines to Transition Systems 120
Our concrete specifications comprise UML2 class and composite structure diagrams
for the description of the static structure of components, ports, interfaces, and especially
of composite components and their assemblies.1 We use UML2 state machines to spec-
ify component behaviours and protocol state machines for component frames. Within this
chapter we summarise applied UML2 features and detail on the meaning of additional
notations and stereotypes. We relate static structure elements with our formal model and
discuss an informal pattern-based translation from state machines to transition systems.
Based on this translation we define the relation between UML state machines and proto-
col state machines and component behaviours and frames as considered in Chap. 6. The
given translation allows to apply the theory for IOTSs and PIOs developed in Chap. 4
as a formal underpinning for the definition of a UML-based theory of refinement (proto-
col conformance) and compatibility. In combination with a corresponding extension of a
UML modelling tool this would provide a convenient formal tool for UML-based design
and verification of port-based component systems.
1. Static Structure of Components and Assemblies
Table 7.1 provides an overview of the elements for static structure specifications of
our component model and their correspondence to the UML. In order to provide a link to
our formal model, we have included selected formal definitions. In the following, however,
we elaborate each of the mentioned elements only conceptually and refer to Chap. 2 for
details on the formal notation.
Port-based components have their correspondence with UML components that are
encapsulated by UML ports. We use either behaviour or delegation ports; the former in
case of simple components and the latter in case of composite components (see [RJB05,
Fig. 14-216] for a general illustration of the difference between behaviour and delegation
ports). UML ports are equipped with required and provided interfaces which are used to
specify operations that are available or needed at the particular port. The interfaces in
our component model specify signal receptions only. For a derivation of signal types we
use the following convention. Consider the interface in Fig. 7.1 taken from the CoCoME
example below.
The interface specifies two operation signatures within a compartment labelled by the UML
stereotype «signal». In this way, signal receptions are specified which is just a statement
that the implementing “classifier is prepared to react to the receipt of a signal” [OMG09,
Sect. p. 449]. Instead of an explicit type specification of the associated signal we implicitly
1The difference between class diagrams and composite structure diagrams is not strict. As mentioned in [RJB05]:
“There is no rigid line between a composite structure diagram and a general class diagram”.
113
114 7. UML2 – APPLIED FEATURES AND EXTENSIONS
TABLE 7.1. Component model and UML2 modelling elements
Concept Formal Model (selected elements) UML2 modelling element
Port P ∈ Port, p : P ∈ PortDcl Behaviour/Delegate ports
Interface req(P ), prv(P ) ∈ If Interface with «signal»
Message msg(req(P )),msg(prv(P )) ⊆ Msg Signal object
Component C ∈ Cmp, ports : Cmp→ ℘PortDcl Component with ports
Simple component SCmp ⊆ Cmp Component with ports
Connector K ∈ Conn, ports : Conn→ ℘PortDcl Connector
Assembly conn. AsmConn ⊆ Conn, req/prv vs prv/req Assembly conn.
Delegate conn. DlgConn ⊆ Conn, req/prv vs req/prv Delegate conn.
Synchronous conn. SynConn ⊆ Conn Asm. conn. with «sync»
Asynchronous conn. AsynConn ⊆ AsmConn Asm. conn. with «async»
Assembly a ∈ Asm, cmps : Asm→ ℘CmpDcl, Internal structure
conns : Asm→ ℘ConnDcl
Composite component CCmp ⊆ Cmp, asm : CCmp→ Asm, Structured classifier
conns : CCmp→ ℘ConnDcl
«signal»
debitCard( transactionId : String )
validateCard( cardInfo : String, pin : int )
BankR
transactionId : String
«signal»
DebitCard
cardInfo : String
pin : int
«signal»
ValidateCard
FIGURE 7.1. Interfaces and signal types
assume corresponding signal type specifications DebitCard and ValidateCard as illustrated
in the given figure. The type names are derived from the operation names and the attributes
correspond to the given parameters. Our concept of messages relates to an object of the
respective signal type, thus there are as many messages as instantiations of the given type
exist. Since we do not consider data states on the formal level of component behaviours,
however, a message when used as a label in a transition system usually consists of a name
only. The translation from received or sent UML signals to labels of transition systems is
detailed below.
The difference between simple and composite components has its counterpart in using
UML components with ports for simple components and UML components as structured
classifier for the representation of composite components. A structured classifier contains
parts and connectors that realise its behaviour. The ports of a structured classifier define
its external interaction points and are connected with the open ports of the internal parts
by UML delegate connectors. Inside the structured classifier, UML assembly connectors
are used. Our concept of assembly corresponds to the internal structure of the classifier
without delegate connectors and thus does not have a true UML counterpart in the sense
that assemblies are first-class citizen with a possibility to be specified stand-alone. In UML,
parts and their connectors need always to be set into the context of a structured classifier.
The parts, connectors and ports are in fact declarations that specify name, type and
multiplicity of the particular entity. By the “part concept” UML introduces the possibility
to reuse types, in particular component types in different contexts. This reuse possibility
is important for component-based development as component reuse is at the core of CBSE
(cf. Chap. 1, Sect. 1). For connector declarations we often specify the name of assembly
connectors only and leave other information unspecified or implicitly specified by deriva-
tion from the connected port types. Connector multiplicities are in principle independent
1. STATIC STRUCTURE OF COMPONENTS AND ASSEMBLIES 115
from port multiplicities. Though, we restrict our connectors to singleton types whose mul-
tiplicity 1 is not explicitly shown in the diagrams. Moreover, we do not consider group
communication and hence allow only for binary connectors.
As an example consider the compressing proxy component introduced in Chap. 2
whose static structure specification is for convenience repeated here in Fig. 7.2. The com-
posite component type CompressingProxy consists of an assembly of three simple com-
ponents with types Adaptor, GZip, and GifToJpg introduced by the respective component
declarations adapt:Adaptor, gzip:GZip, and gifToJpg:GifToJpg. The simple components as
well as the composite component show port declarations such as t:TxtCompr or l:UpStream.
adapt : Adaptor [1]
u : UpStream [1] d : DownStream [1]
t : TxtCompr [1] g : GifCompr [1]
gif : GifToJpg [1]
j : ToJpg [1]
gzip : GZip [1]
z : Zip [1]
«component»
CompressingProxy
l : UpStream [1] r : DownStream [1]
«async»
tz:TZ
«sync»
gj:GJ
FIGURE 7.2. Using UML2 for the specification of composite components
In the given example we use only singleton types for both, components and ports. The
components are connected with assembly connectors named tz and gj. The anonymous
delegate connectors link the open port declarations u:UpStream and d:DownStream of the
assembly with the port declarations l:UpStream and r:DownStream of the composite com-
ponent type CompressingProxy.
We introduce three stereotypes for specific kinds of connectors. Stereotypes «sync»
and «async» specify the communication timing and the stereotype «seq-adapter» an adap-
tion pattern for connections between ports with different multiplicities. Figure. 7.3 shows
an example for the specification of an asynchronous and an adapter connector. The commu-
nication timing relates to the message exchange between components. With a synchronous
connector a rendezvous (handshake) mechanism is used and with an asynchronous connec-
tor FIFO buffers are used, one for each communication direction. The precise meaning of
«sync» and «async» is formally given by the definition of buffering connector behaviours
in Chap. 2, Def. 2.21. and their integration with component behaviours in Def. 2.22.
The stereotype «seq-adapter» is used to bridge communication links between ports
that are specified with different multiplicities. Consider, for instance the specification of the
CoCoME component CashDeskLine in Fig. 8.2a below. There might be several instances
of type CashDesk according to the multiplicity 1..* of the component’s declaration. With
a sequential adapter connector we think of an additional component that provides as many
ports as there are instances of CashDesk and exactly one port to face the communication
with the bank. Figure. 7.3 illustrates the corresponding expansion of the static structure for
the connector between the bank port of possibly several cashDesks and the bank port of
the composite component CashDeskLine. The behaviour of a «seq-adapter» connector is
supposed to realise the communication between n cashdesks and one bank by sequential
(synchronised) arrangement of multiple requests of different cash desk components.
116 7. UML2 – APPLIED FEATURES AND EXTENSIONS
static structure expandedCashDeskLine[  ]
coordinator : Coordinator [1]
cds : C-CD [*]
cashDesks : CashDesk [1..*]
b : CDA-Bank [1]
co : CDA-C [1]
i : CDA-I [0..1]
 : CDS−B−Adapter [1]
cds : CD [*] bank : B [1]
«component»
CashDeskLine
i : CDA-I [0..1]«seq−adapter»
«async»
co−cds
FIGURE 7.3. Sequential adapter in component CashDeskLine
Finally, we allow for the static modelling of attributes and operations for components
and ports. The former provides a convenient way to specify data-dependent component be-
haviour and the latter is used to declare internal methods that help to illustrate the intended
meaning of internal actions. Since we do not consider data states on the formal behavioural
level of our component model, the data-related specifications need to be abstracted or in-
stantiated for the translation to I/O-transition systems. For this reason we did not include
these concepts in our metamodel in Chap. 2 (Fig. 2.1). The precise relation to the UML
is analogous to the relation between the Java/A component model and UML as defined in
[KJH+08a, Fig. 1]. Note that component, port and connector declarations are represented
by metaclasses with the suffix Property instead of Declaration in [KJH+08a].
Multiplicities of Ports and Components. The formal part of our component model is
not set up to cope with issues of dynamic reconfiguration. Static structure specifications
with multiplicities 6= 1 are considered to be architectural templates for a number of dif-
ferent instantiation possibilities. Before an analysis along our formal model of port-based
components is feasible, we need to resolve multiplicity specifications 6= 1, and select an
appropriate instance with multiplicities 1 only. Of course this is a limitation of our current
formal model, but it also highlights potential ways to cope with multiplicity specifications.
Instead of an extension of the formal model, multiplicities may also be resolved on the
syntactical level, leaving the formal model untouched and thus easier to comprehend.
Under the assumption of fixed upper bounds for port and component multiplicities
(instead of unbounded upper limits specified using the UML value *) a static structure with
a maximal number of instances is constructed by adding port declarations to components
and component declarations to composite components. The resulting specification shows
multiplicity 1 only. The names of additional port and component declaration use, for in-
stance, the original name extended by a suffix derived from a counter variable according to
the given upper bound. After all declarations have been added, binary assembly connec-
tors are used to link all of the created port declarations. The communication timing «sync»
or «async» is inherited from the original connector specification. The approach integrates
with sequential adapter connectors, specified by a connector with stereotype «seq-adapter»
(Sect. 1), and orthogonal component behaviours, specified by state machines with stereo-
type «orthogonal» (Sect. 4), by taking into account the new port declaration names within
the particular behaviour computation.
2. COMPONENT BEHAVIOUR AND UML STATE MACHINES 117
2. Component Behaviour and UML State Machines
UML state machines provide a convenient means for the concrete representation of
the implementation behaviour of port-based components. We consider a particular, re-
stricted class of UML state machines along features as shown in Fig. 7.4. Their seman-
tics is given by the superstructure specification [OMG09]; their informal meaning is dis-
cussed also in the reference manual [RJB05]. The behaviour of the CoCoME component
CashDeskApplication in Fig. 8.9b provides an example which applies all of the mentioned
features.
(1) States are initial, simple, submachine, choice or final states.
(2) State entry and exit actions are sequences of send and internal actions.
(3) Transitions comprise guards, triggers and effects.
(4) Guards are boolean expressions component, port or signal attributes.
(5) Transition trigger events are signal events only (signal trigger).
(6) Effects are sequences of send and internal actions.
(7) Submachines follow the same restrictions.
FIGURE 7.4. Relevant state machine features
The only deviation from the UML concerns the "input-enabled" execution semantics
that discards events if no matching transition is enabled. There is an event pool associated
with a state machine which is used to check for event occurrences. The order of event
processing is a semantic variation point, but usually a FIFO order is assumed. Events are
ignored, that is, removed from the pool without any effect if the current stable state does
not show an outgoing transition whose trigger matches the given event. Stability means
that currently there is no run-to-completion step executing [RJB05, pp. 604 ff.], [OMG09,
pp. 565–566]. As illustrated in Fig. 7.5, discarding events corresponds to triggering a self-
loop. In particular this means that the machine is not blocked but continues to process
received events.
(a) Specification
simple example[  ]
p.y/
 / p.z(1)
(b) Semantics
simple example[  ]
not p.y/
p.y/
 / p.z(1)
FIGURE 7.5. UML execution semantics for unspecified receptions
Ignoring events conceptually means that received events are definitely lost if a stable
state without matching signal trigger is reached. Since such a behaviour is rather an imple-
mentation issue, we prefer to use a looser approach that does not rely on a fixed (default)
behaviour for unspecified receptions. One of the important aims of the development of our
formal component model with asynchronous communication is to prevent unexpected loss
of signals by an analysis for communication errors (cf. Chap. 2, Sect. 1.3). For this rea-
son we fix the processing order to use a FIFO policy and interpret a state machine "as-is"
without adding any default behaviour for missing event receptions. We rely on our notion
of asynchronous output compatibility to guarantee that events that have been sent are not
ignored at the receiver’s site.
118 7. UML2 – APPLIED FEATURES AND EXTENSIONS
Beyond existing UML features we use additional notations and fix some semantic vari-
ation points as follows. Sequences of actions are interpreted as a shorthand for an explicit
sequential specification with one transition and successor state for each action. For guards
the usual boolean connectivities and simple arithmetic operators such as + or ≤ are used.
For internal actions we use attribute assignment, simple arithmetic operators and private
helper functions. Signal trigger and send actions of state machine transitions use a notation
that includes the port name where the particular signal is sent or received:
(1) Signal trigger are written p.m/, meaning that the behaviour is ready to receive signal
m at port p. The signal’s attributes are specified by the operation signature for m as given
by the provided interface of port p and may be accessed for data values after this event
occurred.
(2) Send actions are written /p.m(x1, . . . , xn), meaning that a signal m is sent via port p.
The values represented by variables x1, . . . , xn are assigned to the signal’s attributes ac-
cording to the order of the formal parameters as specified by the operation signature for m
in the required interface of port p.
Figure 7.6 shows an example to illustrate the data-related aspects of signal trigger and
send actions. A signal trigger of port p:P declared in the context of component type C is
defined with regard to the signatures of the provided interface I. The trigger are written
p.x/ and p.y/. The values of the latter are accessible using the attributes according to the
signal type Y, that is, by an expression y.n. As an example application we consider the
send action according to the signature given in the required interface G. The send action is
written /p.z(y.n) meaning that we pass the current value of the signal’s attribute further with
a signal of type Z (not shown in Fig. 7.6) whose attribute value h equals y.n. In the same
vein we use constants, simple arithmetics or helper functions to describe attribute values
of signals sent.
«component»
C
p : P
«signal»
z( h : int )
G
«signal»
x()
y( n : int )
I
n : int
«signal»
Y«port»
P
I
G
FIGURE 7.6. Data associated with a signal
We define and use two stereotypes, «orthogonal» in the context of a state machine
and «tau» in the context of transitions. The latter is a means to specify an anonymous
internal action in case further internal details should either be hidden for the purpose of
encapsulation or are not relevant for a precise understanding of the behaviour at hand.
In contrast to UML internal actions we do not interpret «tau» transition along the usual
run-to-completion semantics [OMG09, pp. 565 ff.]. If a mixed choice state with both,
an outgoing transition with signal trigger and a transition without trigger and only a send
action is encountered, the UML semantics always triggers the send transition, even though
there is a transition with a signal trigger specified. Figure 7.7 illustrates this point with
mixed choice state s0. In order to allow the reception transition to be triggered, we insert
a «tau» transition before the send action, in fact resolving the mixed choice state to a state
with an internal choice. Note that a state machine interpreter would need to implement the
«tau» using a timeout or the like, that decides on the time spent waiting for an event that
matches the signal trigger.
The stereotype «orthogonal» is explained along its application in the state machine
for the CoCoME component Coordinator in Fig. 8.8. The stereotype is parametrised and
is used to derive a common global behaviour of several independent copies of the given
state machine that are supposed to be executed in parallel to each other. The parameter
3. FRAME SPECIFICATIONS AND UML PROTOCOL STATE MACHINES 119
s0
s2
s1
 / p.z(1)
p.x/
s1
s2
s0
 / p.z(1)«tau»
p.x/
FIGURE 7.7. Internal actions with relaxed run-to-completion semantics
numCopies = |cds| of the stereotype stores the required number of copies. In the concrete
example the multiplicity of the set of ports cds as declared by the type specification of
Coordinator in Fig. 8.2b is supposed to provide this information. In the translation to tran-
sition systems below, the parameter is used to generate indexed and thus different labels.
3. Frame Specifications and UML Protocol State Machines
Figure 7.8 summarise features of UML2 protocol state machines (PSM) that are rele-
vant for frame specifications within our component model. In contrast to state machines,
PSMs do not allow for the direct specification of effects. Instead, pre- and post-conditions
are supposed to be used to specify behavioural aspects in a more declarative way. Since
our formal model does not consider pre- and post-conditions we will, however, not make
use of this feature. Therefore there are no action related features in Fig. 7.8. In particular,
transitions do not show effects and guards use signal attributes only. Without internal ac-
tions we can not specify port or component attribute assignments and therefore it does not
make sense to include them in guard expressions.
(1) States are initial, simple, submachine, choice or final states.
(2) Transitions comprise guards and triggers.
(3) Guards are boolean expressions with signal attributes.
(4) Transition trigger events are signal events only (signal trigger).
(5) Submachines follow the same restrictions.
FIGURE 7.8. Relevant protocol state machine features
Making PSMs applicable for the specification of component frames requires exten-
sions in two respects. First, our specifications describe a temporal ordering of messages
received and sent. Therefore, we allow transitions with guards, triggers and sequences of
send actions analogous to transitions with send actions of UML state machines as described
above. Moreover, we allow for the specification of anonymous internal actions using the
stereotype «tau» and parameterised specification of multiple copies using the stereotype
«orthogonal». Second, we add a further stereotype «opt» for the specification of optional
transitions. An optional transition must not necessarily exist in the implementation while
ordinary transitions will be interpreted as mandatory. It is an obligation for correct im-
plementations to provide a corresponding transition. In contrast to UML state machine
semantics, the UML semantics of PSMs considers the reaction to receptions of unexpected
events as a semantic variation point [OMG09, pp. 538]. Thus, our direct interpretation for
the translation of PSMs to PIOs described below is in accordance with the UML semantics.
As an example consider the frame specification of a bank component, depicted in
Fig. 7.9. The example is taken from the CoCoME in Chap. 8 and included here for conve-
nience. The specification describes a simple protocol for PIN validation with a succeeding
debit of the particular account. The positive answers to the respective requests are both
optional. By this means, implementations that always deny a validation or debit request (or
both) are correct with respect to the given frame specification. In contrast, the transitions
120 7. UML2 – APPLIED FEATURES AND EXTENSIONS
component frameBank[  ]
 / b.notOk
b.validateCard/
b.debitCard/
 / b.debitOk
«opt»
 / b.denied
«opt»
 / b.ok(randomVal)
FIGURE 7.9. Frame specification of a bank component
with trigger for the signals validate and debit as well as transitions with negative answers
are mandatory for correct implementations.
4. From State Machines to Transition Systems
Even within our restricted class of simple UML (protocol) state machines there are
some features which can not immediately be translated to I/O-transition systems (IOTS),
input-persistent I/O transition systems (PIO) respectively. State machines use guards and
attributes which both are not available with transition systems. Moreover, state machines
use a form of hierarchical construction with submachines that neither exist within our
formalism.
Guards and attributes need to be manually translated in a preprocessing step either
by abstraction or by instantiation in case of finite data domains as given, for instance, by
boolean typed variables or enumerations. The translation of submachine states is, due to
their macro semantics straightforward by complete expansion and could be automated. In
the following we describe the translation from state machines (STM) to IOTSs and after
that extend the approach for the translation of protocol state machines (PSM) to PIOs. The
necessary preprocessing comprises the following steps:
1. Abstract data variables
2. Abstract and resolve guards
3. Expand submachine states
We explain these steps by pattern-like translations. First, we consider labels involv-
ing data variables such as a send action of the form /p.z(x). If the type of x has a finite
domain one may generate labels and transitions for each value within this domain. If no
guards are involved the distinction does not play a role and it suffices to consider just one
abstracted transition labelled /p.z without any parameter value. This pattern is exemplified
in Fig. 7.10a. In case succeeding transitions depend on the values sent, for instance using
guards that involve the variable x, the concrete values need to be taken into account for
each of these transitions. Figure 7.10b shows the corresponding situation after a signal has
been sent. The translation generates internal labels and transitions that allow to distinguish
the different paths. This approach, however, is not correct if the receiver behaviour also de-
pends on the attributes of the signal sent. For this case, exemplified by a receiver as given
in Fig. 7.10c, the transitions need to be aligned such that both, sender and receiver, use
matching transition labels. The sender in Fig. 7.10b then uses transitions labelled /p.zPos
and /p.zNeg0 instead of the given send transition with succeeding internal transitions.
The translation of UML submachine states is straightforward by expanding the partic-
ular state as illustrated in Fig. 7.11. The transition p.cancel/ is added to any stable subma-
chine state. The submachine transition to its final state triggers the unlabelled completion
transition to state s1.
The result of the preprocessing is an intermediate STM with new labels, transitions
and states, that maps directly to an IOTS. The states of the IOTS, including the initial state
are given by the STM states. STM signal trigger translate to input labels, the send actions to
4. FROM STATE MACHINES TO TRANSITION SYSTEMS 121
(a) Data abstraction
 / p.z(x)
p.y/
p.y/
/p.z
(b) Guards and internal choice
 / p.z.(x)
 [x > 0]
 [else]
xElse
xPos
/p.z
(c) Dependent receiver
 [h > 0]
 [else]
p.z/ p.zPos/
p.zNeg0/
FIGURE 7.10. Patterns for the translation of data variables and guards
 : submachine
s0
s1
p.start/
p.cancel/
 / p.result
submachine subSTM[  ]
sub0
sub1
 / r.data r.cont/
r.fin/
r.fin/
p.start/ /r.data
r.cont/
p.cancel/
/p.result
s0 sub1
s1
sub0
FIGURE 7.11. Expansion of submachine states
output labels and the internal actions of the STM to internal actions of the IOTS; transitions
are in 1:1 correspondence including «tau» transitions of the STM which are translated
to τ -transitions of the IOTS. The result is an IOTS with an I/O-labelling that comprises
only labels that have been used in the state machine specifications. Moreover, to assign
correctly to a partitioned I/O-labelling requires to use the port-prefixes in the STM labels.
Alternatively, and more complete, one could use the static structure specification and create
a partitioned I/O-labelling using the information available with the port declarations of the
context classifier of this STM.
The translation is complete, if the original STM was not specified to be «orthogonal»;
otherwise a product is computed along the required number of copies given by the stereo-
type’s parameter numCopies. More formally, let A be the IOTS obtained by translation of
the STM. Let (ρi)i∈I be a family of relabellings (with index set I) such that each ρi yields
globally unique new labels by appending i to the original labels. Then the translation with
122 7. UML2 – APPLIED FEATURES AND EXTENSIONS
respect to a stereotype «orthogonal» with parameter numCopies is given by the product
⊗i∈{1,...,|numCopies|}Aρi. Consider for example the STM of the Coordinator component in
Fig. 8.8. The port declaration cds:C-CD in Fig. 8.2b uses multiplicity *. Assume this mul-
tiplicity is fixed to some value k ∈ N, then the product consists of completely interleaved
transitions that have been relabelled using (ρi)i∈{1,...,k}. The relabelling generates labels
of the form li for all l ∈
⋃
LA for all i ∈ {1, . . . , k}.
Since protocol state machines are special kinds of STMs, the translation of PSMs
to PIOs works identically, except the treatment of the stereotype «opt» which has not be
considered in the context of STMs. However, the necessary extension is minimal. Let
A = (L, S, so,∆,Π) be a PIO. Translate all state machine transitions to transitions in ∆
and if the annotation «opt» is absent include the given transitions in Π.
Based on the given translation we can use UML state machines and protocol state
machines for the concrete specification of component behaviour and frames with a precise
meaning on the formal level of IOTSs and PIOs. The connection between concrete UML
specifications and their formal meaning can be given by an instantiation of the abstract
model of frames and behaviours developed in Chap. 6. We assign the translation of PSMs
to provide the frame and the translation of STMs to provide the behaviour of a component.
Denote the translation of STMs to IOTSs by [[·]]IOTS; and of PSMs to PIOs by [[·]]PIO.
Definition 7.1 (UML frame and behaviour) Let Frm be a protocol state machine for com-
ponent C ∈ Cmp. Let Impl be a state machine for simple component SC ∈ SCmp.
The frame of C is given by frm(C) = [[Frm]]PIO. The behaviour of SC is given by
beh(SC ) = [[Impl]]IOTS.
The translation can be used to develop a UML theory of compatibility and refinement
for the considered classes of STMs and PSMs. For instance, a concrete notion of UML
protocol conformance [OMG09, pp. 534–535] could be based on the theory for PIOs and
IOTSs developed in Chap. 4. In this way, also notions of composition and compatibility
could be defined, both, for STMs and PSMs which paves the way to extend existing UML
modelling tools to provide convenient support for the UML-based design and verification
of port-based component systems.
We summarise the translations described within this chapter by an abstract algorithm
that is used for both, the translation of STMs and the translation of PSMs. Let M be a STM
or PSM. The translation [[·]]PIO : STM ∪PSM→ PIO is given by [[M]]PIO = A, where
the construction of A is described by the following algorithm:
M← preprocess(M)
let A = ((I1, O1, . . . , In, On), T ), S, s0,∆,Π)
(I1, O1, . . . , In, On)← port declarations of static structure
T ← internal labels of M
S ← states of M
s0 ← initial state of M
forall transitions (s, l, s′) in M do
If(l = ε ∧ «tau») then ∆← ∆ ∪ (s, τ, s′)
else ∆← ∆ ∪ (s, l, s′)
If(¬ «opt») then Π← Π ∪ (s, l, s′)
od
If(«orthogonal») then
let n = numCopies
let (ρi)i∈{1,...,n} be a family of i-appending relabellings
A← Aρ1 ⊗ . . .⊗Aρn
fi
4. FROM STATE MACHINES TO TRANSITION SYSTEMS 123
We encoded the absence of a label in UML transitions annotated «tau» by l = ε. Moreover,
the relabellings may not use an arbitrary strategy for the creation of unique labels, as the
product must later be relabelled to synchronise with a corresponding communication part-
ner. But then one needs to know about the concrete labels, i.e., about the applied strategy.
Finally, note that [[M]]IOTS is now given by [[M]]PIO.

CHAPTER 8
The Common Component Modelling Example (CoCoME)
1. Modelling of the CoCoME 125
2. Static Structures 126
3. Component Behaviours and their Translation 129
4. Hierarchical Component Behaviours 131
5. Frame Specifications of Simple and Composite Components 136
6. Analysis and Proof Obligations 137
The Common Component Modelling Example (CoCoME), initiated as a GI-Dagstuhl
research seminar1, was a modelling contest that aimed at a comparison of existing compo-
nent models using a common requirement specification and reference implementation of
a point-of-sale system. Within this chapter we revise our initial submission and illustrate
features of our component model that were not available at the time of writing [KJH+08a].
The formal model sketched in [KJH+08a] considered only synchronous communication
based on a rendezvous mechanism. It did not feature a theoretical model for refinement
and compatibility and it did not distinguish between behavioural specification (frames) and
implementation (behaviours) of components. After a brief introduction into the CoCoME
we discuss static structure specifications and illustrate the description of component be-
haviours with UML state machines and their translation to I/O-transition systems. The
modelling of more complex component behaviours is illustrated using UML submachines.
Finally, we introduce frame specifications for simple and composite components using
UML protocol state machines and discuss the analysis of compatibility, implementation
correctness and refinement on the level of the corresponding transition systems.
1. Modelling of the CoCoME
The original requirements and modelling of the trading system underlying the Com-
mon Component Modelling Example (CoCoME) is due to Larman who applied the system
to illustrate an approach to object-oriented analysis and design in [Lar04]. In [HKW+07],
the example is used to provide requirement specifications for the participants of the mod-
elling contest CoCoME. The trading system models sale and management of products
within stores that may belong to a common enterprise. The system comprises an embed-
ded system part with cash desks and associated hardware devices such as a cashbox and
a card reader, as well as an information system part for product management within an
inventory. Also connections with external systems are taken into account by a connection
to a bank server to support card payment at a cash desk.2
The following summarises the key elements of the system as described in [HKW+07,
pp. 16–18]. A cash desk comprises the following hardware devices: bar code scanner, card
reader, cash box, printer, light display, and a cash desk PC to which the single devices
are connected. The PC also manages connections to an external bank server. A cash
desk line denotes the set of cash desks that belong to a particular store. A server for the
1http://www.cocome.org
2Note that such a requirement calls for the modelling of an open system.
125
126 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
product management along an inventory is associated with the store. Several stores might
be organised within an enterprise with which again a server is associated. The server
allows to manage the product stocks of different stores. For the behavioural modelling
in the succeeding sections we focus on the functional requirements according to the use
cases process sale (UC1) and manage express checkout (UC2) [HKW+07, pp. 19–21].
The former describes the standard process and exceptional processes for selling products
at a cash desk, and the latter describes how a so-called cash desk express mode should be
enabled or disabled automatically, depending amongst others on the number of items sold
at a certain cash desk within a certain amount of time.
Two important features of our component model are its strict use of ports to specify
the potential interaction points of components and the distinction between types and dec-
larations. These features already enabled us to model some aspects of the trading system
in a more convenient way, compared to the static modelling as given by [HKW+07]. Be-
sides minor deviations from the given behavioural requirements, the main deviation from
the CoCoME requirements is a structurally different modelling in the information system
part. Since we will not discuss this part of the CoCoME system, we refer to [KJH+08a]
for further details. In the following we focus on the embedded system part of the CoCoME
and aim at illustrating features of our component model that were not available at the time
of writing [KJH+08a].
Modelling Approach. Due to the modelling of component behaviours using UML state
machines, which we consider to be representations of the implementation of a component,
our original approach to the design and implementation of the CoCoME essentially pro-
ceeded bottom-up. We started from the given use case descriptions and sequence diagrams
as a representation of detailed requirement specifications. After and during static structure
modelling for simple (non-composite) components we designed component behaviours ac-
companied by formal analysis of the respective assemblies. The simple components were
applied for the design of composite components, yielding a first draft of the complete ar-
chitecture. Within the next iterations, the alternative and exceptional processes of the use
case descriptions were taken into account to extend and correct the initial design. In case
of ambiguous or unclear requirements our design followed the prototype implementation
of the CoCoME.
Since we didn’t develop frame specifications, there was no top-down step (in the sense
of Chap. 6 and Prop. 6.9) involved during system development. In order to argue for a
bottom-up step in the sense of Prop. 6.8, the initial requirement specifications could be
considered to represent an assembly frame specification for the CoCoME system. Then,
even though implementation correctness was not discussed formally, the development fol-
lowed a bottom-up approach, because all the developed component behaviours were in-
formally discussed at length in [KJH+08a], [KJH+08b] respectively, with respect to the
behavioural requirements of the CoCoME. It is characteristic for bottom-up design to de-
velop single components in great detail and afterwards compose these components to ob-
tain a communicating system.
2. Static Structures
In order to provide a clear-cut entry point for the succeeding modelling we describe
the static specification of the component Store which is one of the composite components
in the upper layers of the hierarchical system design. As depicted in Fig. 8.1 the component
Store is a composition of a CashDeskLine, an Inventory and an instance of the component
Data. The inventory is connected to a facade component Data which hides the concrete
data base from the application as required in the CoCoME. The port e:Enterprise of Data is
not used, when instantiating the component as part of a Store. Also, the optional operator
ports of Inventory, allowing to attach explicit GUI components, remain unconnected. The
2. STATIC STRUCTURES 127
component Store uses mandatory relay ports to connect to a bank component and a data
base. Relaying the port I-PD of component Inventory is optional, in order to take into
account the requirements of the exceptional processes in Use Case 8 (enterprise server
may be temporally not available). The bank component, required for card payment at
the cash desks of a store, is considered external to the system. Therefore the component
declares a relay port of type CDA-Bank to delegate incoming and outgoing communications
between a bank and internal components, respectively. The port multiplicity with a lower
bound of 1 indicates that for a proper instantiation of Store it is strictly required to provide
appropriate bank connections.
static structureStore [  ]
cdl : CashDeskLine [1]
b : CDA-Bank [1]
i : CDA-I [0..1]
d : Data [1]
db : DataBase [1]
e : Enterprise [0..1]
s : Store [0..1]
i : Inventory [1]
d : I-Data [1]
m : I-Manager [0..1]
s : I-Sale [0..1]
sm : I-StockManager [0..1]
pe : I-PD [0..1]
«component»
Store
db : DataBase [1]b : CDA-Bank [1] pe : I-PD [0..1]
FIGURE 8.1. Static structure of the component Store
Any store instantiated as part of the trading system comprises a cash desk line which in
turn represents a set of cash desks, monitored by a coordinator. A CashDeskLine (Fig. 8.2a)
consists of at least one cash desk connected to a coordinator which decides on the express
mode status of the cash desks. The composite component CashDeskLine declares two relay
ports delegating the communication between the cash desks, the inventory (i : CDA-I) and
the bank (b : CDA-Bank). The connector declarations in Fig. 8.2a are annotated with the
stereotype seq-adapter, meaning that the communication between the ports of the cash
desks and the relay ports i and b respectively, is implemented by a sequential adapter. In
contrast, the communication between the cash desks and the coordinator does not need to
be adapted, because each CashDesk instance is linked via its CDA-C port to its own instance
of the coordinator port C-CD. Sharing the bank connection among the desks of a cash desk
line follows the CoCoME requirement in [HKW+07, Fig. 5] which shows a multiplicity
of 1 for the particular required Bank interface, port respectively.
The coordinator component, specified in Fig. 8.2b, decides on the cash desks’ sales
mode (express or normal mode). The component declares its port of type C-CD with multi-
plicity * to allow to connect an arbitrary number of cash desks that should be monitored by
this coordinator. An asynchronous connector «async» is used to link the components. By
this means the concurrently operating cash desks communicate along FIFO buffers with
the coordinator component.
The CashDesk component as depicted in Fig. 8.3 is the most complex composite com-
ponent of the trading system. Each cash desk consists of several hardware devices managed
by a cash desk PC. The cash desk specification models the embedded system part of the
CoCoME with characteristic features of reactive systems such as asynchronous message
exchange or distinguished controller components at the centre of acyclic architectures. The
cash desk component comprises six subcomponents modelling the hardware devices as de-
scribed in the CoCoME and one component CashDeskApplication (CDA) modelling the
functionality associated with the cash desk PC. We consider rendezvous-based as well as
128 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
(a) CashDeskLine
static structureCashDeskLine[  ]
coordinator : Coordinator [1]
cds : C-CD [*]
cashDesks : CashDesk [1..*]
b : CDA-Bank [1]
co : CDA-C [1]
i : CDA-I [0..1]
«component»
CashDeskLine
i : CDA-I [0..1]
b : CDA-Bank [1]«seq−adapter»
«seq−adapter»
«async»
co−cds
(b) Coordinator
static structureCoordinator[  ]
−enableExpress : Boolean = false
−decideExpressMode() : Boolean
−updateSaleHistory( products : ProductWithStockItemTO [*], mode : PaymentMode )
«component»
Coordinator
cds : C−CD [*]
«signal»
saleRegistered( cdId : String, p : ProductWithStockItemTO [*], m : PaymentMode )
CashDeskP
expressModeEnabled( cashDeskId : String )
«signal»
CashDeskR
CashDeskR
CashDeskP
FIGURE 8.2. Static structure specifications
FIFO buffered message exchange and therefore the communication timing of the assem-
bly connectors is left unspecified. For the behavioural description and analysis we will
consider both cases, «sync» and «async».
A cash desk has three ports to allow for the communication with a bank, inventory
and coordinator component. The component and port multiplicities of the static structure
in Fig. 8.3 reflect the requirements of the CoCoME. Since an exceptional process for Use
Case 1 (process sale) explicitly mentions that the inventory might not be available, the port
i is specified optional. The optional ports of CashBox, Scanner and CardReader model the
communication of an operator with the particular hardware device. In case of a cash desk
actually deployed, the ports might be connected with some low-level interrupt handler. The
ports are not part of the external interface of a cash desk component [HKW+07, Fig. 13]
and therefore do not delegate to corresponding open ports of CashDesk. For a translation
to our formal model either further components could be connected or unary connectors
would be applied to close these ports.
3. COMPONENT BEHAVIOURS AND THEIR TRANSLATION 129
static structureCashDesk[  ]
cda : CashDeskApplication [1]
b : CDA-Bank [1]
cb : CDA-CB [1] cdg : CDA-CDG [1]
co : CDA-C [1]
cr : CDA-CR [1]
i : CDA-I [0..1]
ld : CDA-LD [1]
p : CDA-P [1]s : CDA-S [1]
cdg : CashDeskGUI [1]
cda : CDG-CDA [0..1]
ld : LightDisplay [1]
cda : LD-CDA [0..1]
cr : CardReader [1]
ca : CR-Cashier [0..1]
cda : CR-CDA [1]
cu : CR-Customer [0..1]
cb : CashBox [1]
ca : CB-Cashier [0..1]
cda : CB-CDA [1]
s : Scanner [1]
ca : S-Cashier [0..1]
cda : S-CDA [1]
p : Printer [1]
cda : P-CDA [1]
«component»
CashDesk
b : CDA-Bank [1] co : CDA-C [1]i : CDA-I [0..1]
FIGURE 8.3. Static structure specification of CashDesk
The cash desk application links all internal components of a cash desk and com-
municates with components external to the cash desk such as a bank server, the inven-
tory or the cash desk coordinator. In order to facilitate the particular communication,
CashDeskApplication declares one port for each. Figure 8.4 (top) shows the static struc-
ture of the component with private state attributes, port declarations and interface details.
As a naming convention, we have used component abbreviations such as CDA-CB for the
port types and the suffixes R (P) for interfaces required (provided) by a port. Component
attributes are used as helper variables within UML state machines for a more convenient
specification of component behaviour. In the same vein we also use port attributes which,
however are not shown in the diagram of Fig. 8.4. A fully detailed static specification can
be found in [KJH+08b].
The static structure specifications of the remaining subcomponents of the composite
component CashDeskLine essentially mirror the ports and interfaces of the central compo-
nent CashDeskApplication and are not shown here. Again, fully detailed static structures are
given in [KJH+08b]. Note, however, that the specifications in [KJH+08b] might slightly
deviate from the specifications given within this chapter in order to align the modelling
with new features such as asynchronous FIFO buffered communication.
3. Component Behaviours and their Translation
We consider the implementation of the composite component CashDeskLine, CashDesk
respectively and start with basic state machines for the simple components of CashDesk
to illustrate the translation of basic features, proceeding step-wise to more complex be-
haviours due to the application of more features. We omit a presentation of the component
CashDeskGUI since, according to the reference implementation [HKW+07], the GUI al-
lows its clients to send messages and signals in any order, that is, without any behavioural
restriction. The rather complex behaviours of the components CashBox and in particular
CashDeskApplication are discussed without translation in Sect. 4.
The most basic component within the CashDesk component is modelled by the bar
code scanner whose implementation behaves as depicted in Fig. 8.5. At the cashiers port
ca the scanner component receives the barcode of a scanned product which is then sent
further along port cda to the cash desk application. The signal trigger is given by an event
scanProductBarcode which is according to our conventions for the derivation of signal
types (cf. Chap. 7) an object of type ScanProductBarcode with attribute barcode:int. The
translation to an IOTS is immediate after an abstraction of the data represented by the
signal attribute barcode:int that is passed to the cda port.
130 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
CashDeskApplication static structure[  ]
«component»
CashDeskApplication
b : CDA−Bank [1]
cb : CDA−CB [1]
cdg : CDA−CDG [1]
co : CDA−C [1]cr : CDA−CR [1] i : CDA−I [0..1] ld : CDA−LD [1]
p : CDA−P [1]
s : CDA−S [1]
«signal»
saleRegistered( cashDeskId : String, p : ProductWithStockItemTO [*], mode : PaymentMode )
CoordinatorR
«signal»
cashAmountEntered( amount : double, final : boolean )
cashBoxClosed()
changeAmountCalculated( amount : double )
runningTotalChanged( productName : String, price : double, total : double )
saleFinished()
saleStarted()
saleSuccess()
PrinterR
«signal»
cashAmountEntered( amount : double, final : boolean )
expressModeDisabled()
expressModeEnabled()
invalidCreditCard()
invalidItem()
runningTotalChanged( productName : String, price : double, total : double )
saleStarted()
saleSuccess()
CDGuiR
«signal»
cashAmountEntered( amount : double, final : boolean )
cashBoxClosed()
expressModeDisabled()
paymentMode( mode : PaymentMode )
productBarcodeEntered( barcode : long )
saleFinished()
saleStarted()
CashBoxP
productInfo( data : ProductWithStockItemTO )
«signal»
InventoryP
«signal»
changeAmountCalculated( amount : double )
saleSuccess()
CashBoxR
expressModeEnabled( cashDeskId : String )
«signal»
CoordinatorP
«signal»
productBarcodeScanned( barcode : int )
ScannerP
«signal»
debitCard( transactionId : String )
validateCard( cardInfo : String, pin : int )
BankR
«signal»
creditCardScanned( cardInfo : String )
pinEntered( pin : int )
CardReaderP
«signal»
accountSale( saleObj : SaleTO )
query( barcode : long )
InventoryR
«signal»
debitOk()
denied()
notOk()
ok( transactionId : String )
BankP
activate()
expressModeDisabled()
expressModeEnabled()
«signal»
CardReaderR
expressModeDisabled()
expressModeEnabled()
«signal»
LightDisplayR
LightDisplayR
CoordinatorP
CoordinatorRCardReaderR
CardReaderP
InventoryP
InventoryR
CashBoxR
CashBoxP
ScannerP PrinterR
CDGuiR
BankR
BankP
FIGURE 8.4. Static structure specification of CashDeskApplication
component behaviourScanner [  ]
 / cda.productBarcodeScanned(scanProductBarcode.barcode)
ca.scanProductBarcode/
ca.spb/
/cda.pbs
FIGURE 8.5. Behaviour of the Scanner component
Next we consider the behaviour specification of of the component LightDisplay. Cash
desks may be switched to an express mode which is signalled at the cash desks LightDisplay.
Both signals, expressModeEnabled and expressModeDisabled, are always accepted. Ini-
tially only the former triggers a state change, encoding the switch to express mode and
hereafter only the latter triggers the state change to normal mode back again. The compo-
nent behaviour specifies internal behaviour using private operations that represent signals
for the hardware device to show green and black lights. The private operations are inter-
preted by internal labels green and black, and then there is again a direct mapping to an
IOTS.
The behaviour of the Printer component is specified in Fig. 8.7 and illustrates a specifi-
cation with guards. The printer records after a sale started the last registered product by its
name and price and prints the current total price. After the sale is finished, the behaviour
4. HIERARCHICAL COMPONENT BEHAVIOURS 131
component behaviourLightDisplay[  ]
 cda.expressModeDisabled()
 cda.expressModeEnabled()
cda.expressModeDisabled()
 / showBlack()
cda.expressModeEnabled()
 / showGreen()
cda.emd/
green
cda.eme/
black
cda.eme/
cda.emd/
FIGURE 8.6. Behaviour of the LightDisplay component
waits to receive information concerning the amount of money paid by the current customer.
As long as this information is not explicitely finished, a loop is entered that is left either
if a saleSuccess event is received or the the entered amount is explicitely finalised. After
that change is calculated and the the closing the of cash box registered. The choice state
uses a boolean guard that is resolved to a loop in the IOTS in a straightforward way.
Figure 8.7b shows the behaviour specification of the component CardReader as a first
example of a more complex behaviour. There are two main functional regions in the be-
haviour specification. On the one hand, the card reader may be deactivated by receiving a
message expressModeEnabled. On the other hand, within the lower region reached by the
reception of a signal activate, the port possibly engages in sending credit card information.
From any of the “active” states the card reader may be again be deactivated by the mes-
sage expressModeEnabled. The IOTS-translation is depicted in Fig. 8.7d. The transitions
for reception of expressModeEnabled and activate leaving the complex state in UML state
machine are translated to one transition for each of the substates in the IOTS-translation.
The behaviour specification of the component CashBox is more involved compared to
the other devices attached to the CDA, but it does not introduce new features. Therefore,
we defer the discussion of its behaviour to Sect. 4. The same holds for the specification
of the component CashDeskApplication. Even though this component plays an application-
specific key role as the centre of a star topology (within CashDesk), we directly switch to
the Coordinator component which resides on the hierarchical level of CashDesk.
The CashDeskLine of a store consists of a number of cash desks and an instance of
the component Coordinator whose behaviour is specified in Fig. 8.8. The coordinator de-
cides on the mode of the cash desks which is either express or normal. Note that even
if the coordinator decided to signal expressModeEnabled, the component may receive yet
another sale registration from the same cash desk because the communication partners are
executing concurrently. In this case the sale registration has precedence over the coordina-
tor’s decision: the behaviour receives the signal saleRegistered and recomputes its internal
decision. The component keeps track of the particular sale history for each cash desk and
decides upon this history to signal an express mode switch for this particular cash desk.
The update of the sale history is required to be synchronised (not described in the
behaviour) due to the potentially concurrent execution of several requests via port declara-
tion cd:cds (specified with multiplicity *). Due to this feature, the STM specification uses
the stereotype «orthogonal» and assigns the required number of copies of the given be-
haviour to the multiplicity of cd:cds. The translation takes this parameter into account and
computes a corresponding product of the translated transition system. The computation
applies a relabelling of each copy such that the final transition system results in a complete
interleaving of the |cds| copies.
4. Hierarchical Component Behaviours
The state machines for the components CashBox and CashDeskApplication result in
transition systems too large to be depicted graphically. However, we believe that the be-
haviours nicely illustrate a real-world application of our component model and therefore
we include a brief presentation, though without a translation to transition systems. The
132 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
(a) Printer
component behaviourPrinter[  ]
 [cashAmountEntered.final]
cda.saleSuccess/
cda.saleStarted/
 [not cashAmountEntered.final]
cda.cashAmountEntered/cda.changeAmountCalculated/
cda.cashBoxClosed/
cda.saleFinished/
cda.runningTotalChanged/
(b) CardReader
component behaviourCardReader[  ]
ca.pullCard/ / cda.cardInfo = 
pullCard.cardInfo
cu.enterPin/ / cda.pin = 
enterPin.pin
 / cda.creditCardScanned(cda.cardInfo)
 / cda.pinEntered(cda.pin)
cda.expressModeEnabled/
cda.expressModeDisabled/
cda.activate/    cda.expressModeEnabled/ cda.activate/
 cda.expressModeEnabled/
  cda.activate/
(c) Printer
cda.cbc/
cda.sst/
cda.rtc/
cda.ssu/
cda.cac/
cda.caef/
cda.cae/
cda.sf/
(d) CardReader
cda.emd/
cda.a/ ca.pc/ cu.ep//cda.ccs bufPin
cda.eme/
cda.eme/ cda.eme/
cda.a/
cda.a/
cda.eme/
cda.a/
cda.a/
cda.eme/
bufInfo
/cda.pe
cda.a/
cda.eme/
FIGURE 8.7. Behaviour of the Printer and the CardReader component
examples clearly indicate the importance of hierarchical constructions and guards for a
comprehensible modelling of more complex behaviours.
The component CashBox uses two ports, an optional operator port ca of type CB-Cashier
and a mandatory port cda of type CB-CDA; cf. Fig. 8.3. The former allows to connect the
component to inputs of the cashier, the latter specifies the behaviour with regard to the
cash desk application. The message productBarcodeEntered at the CB-Cashier port is not
mentioned in the sequence diagrams of the CoCoME but in the standard process and also
in an exceptional process of Use Case 1. It allows the cashier to manually enter a product
bar code in case there are problems with the bar code scanner. The component behaviour
of CashBox in Fig. 8.9a maps the cashier’s input at the ca port essentially directly to corre-
sponding notifications at the cda port.
4. HIERARCHICAL COMPONENT BEHAVIOURS 133
component behaviourCoordinator[  ]
entry / cd.cashDeskId = saleRegistered.cashDeskId; 
updateSaleHistory(saleRegistered.products, 
saleRegistered.payMode);
enableExpress  = decideExpressMode();
<<orthogonal>>
{numCopies = |cds|}
 / cd.expressModeEnabled(cd.cashDeskId)
 [enableExpress] [not enableExpress]
cd.saleRegistered/
«tau»
 cd.saleRegistered/
cdi.sr/
/cdi.eme
τ
cdi.sr/
noei
⊗|numCopies|
i=1
enei
FIGURE 8.8. Behaviour specification of Coordinator
Figure 8.9b specifies the component behaviour of the cash desk application. Using
the port declarations of the static structure in Fig. 8.4 it shows the dependencies and inter-
linkages between the different ports of the CDA. For example messages sent via ports p or
cdg such as p.saleStarted and cdg.saleStarted are sequentially arranged after the message
cb.saleStarted was received at port cb. Furthermore port attributes as well as component
attributes such as itemCounter are assigned as an effect, and afterwards used, for instance,
as actual parameters in messages sent.
Since the specification of the cash desk application’s behaviour is rather involved,
we used submachines, shown in Fig. 8.10, to factor out the major steps of the entire sale
process: after saleStarted was received at the cash box port cb, the submachine ScanItems
repeatedly receives product bar codes and notifies the printer and the GUI about product
details such as name and price. Thereafter the payment mode must be chosen, resulting
in a transition to the corresponding submachine. Note that the execution of CardPayment
might be cancelled at any state by the reception of cb.paymentMode(Cash) modelling the
cashier’s ability to switch from card to cash payment, e.g., in case of problems with the
credit card. Then, before the sale process is completed, the component tries to account
the sale at the inventory within AccountSale. If it is not available (which is an explicit
requirement of the CoCoME), the sale information is stored locally and delivered during
the next sale processes. Finally, in SwitchMode the component waits for a signal to switch
into express mode, to disable a previous express mode, or to start a new sale.
134 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
(a) CashBox
component behaviourCashBox [  ]
cda.paymentMode(cda.mode)entry / 
entry / 
cda.amount = keyToLong(key);
cda.cashAmountEntered(cda.amount, cda.final);
ca.barcode = ca.appendKey(pressDigit.key)entry / 
cda.amount = 0.0; cda.mode = Cash; entry / cda.amount = 0.0; cda.mode = Cash; entry / 
ca.cashPayment/
 ca.pressDigit [pressDigit.key = Enter] /  cda.final = true;
ca.pressDigit [pressDigit.key <> Enter] / cda.final = false;
 [not cda.final]
cda.changeAmountCalculated/  [cda.final]
ca.cardPayment / cda.mode = CreditCard; 
cda.paymentMode(cda.mode)
ca.startNewSale   / cda.saleStarted() 
ca.pressDigit [pressDigit.key = Enter] / 
cda.productBarcodeEntered(cda.barcode)
 cda.saleSuccess/
ca.saleFinished / cda.saleFinished()
ca.closeCashBox() / 
cda.cashBoxClosed()
ca.startNewSale / 
cda.saleStarted()
cda.saleSuccess()
ca.pressDigit/[pressDigit
.key <> Enter]
ca.pressDigit/ [pressDigit.key <> Enter]ca.disableExpressMode / 
cda.expressModeDisabled()
ca.cashPayment/
(b) CashDeskApplication (cf. Fig. 8.10 for submachines)
component behaviourCashDeskApplication[  ]
entry / 
 : ScanItems
co.products = new List<ProductWithStockItemTO>();
itemCounter = 0;
cdg.total = 0.0
cdg.amount = 0.0; cdg.final = false;
cb.amountEntered = 0.0; 
cb.changeAmount = 0.0;
saleHistory.add(new SaleTO(co.products))entry / 
 : AccountSale
entry / 
 : CashPayment
 : SwitchMode
entry / 
 : CardPayment
p.saleStarted(); 
cdg.saleStarted()
 [ [paymentMode.mode=CreditCard]]
 / co.payMode = CreditCard
cb.paymentMode/ / 
  cb.saleStarted()
 / 
co.saleRegistered(co.cash
DeskId, co.products, 
co.payMode)
  cb.paymentMode/ 
[paymentMode.mode = Cash]
 [paymentMode.mode=Cash]
 / cdg.saleSuccess()
 cb.saleStarted()
 / co.payMode = Cash
FIGURE 8.9. Behaviour specifications of CashBox and CashDeskApplication
4. HIERARCHICAL COMPONENT BEHAVIOURS 135
submachine of CDAScanItems[  ]
entry / 
cdg.productName = i.productInfo.name;
cdg.productPrice = i.productInfo..purchasePrice;
cdg.total = cdg.total + i.productInfo..purchasePrice;
exit /
    co.products.add(i.productInfo);
    itemCounter = itemCounter + 1;
i.barcode = barcode;entry / 
 / 
p.runningTotalChanged(c
dg.productName, 
cdg.price, 
cdg.total);cdg.runningTot
alChanged(cdg.productN
ame, cdg.price, cdg.total)
cb.productBarcodeEntered [not 
expressMode or (expressMode and 
itemCounter < 8)]
 [i.productInfo = null] / 
cdg.invalidItem()
 [i=null] / cdg.invalidItem()
s.productBarcodeScanned [not 
expressMode or (expressMode 
and itemCounter < 8)]
i.productInfo / i.productInfo = productInfo.data
 [i<>null]
 
[else]
cb.saleFinished / 
p.saleFinished()
 cb.productBarcodeEntered/ 
[else]
 / i.query(i.barcode)
 s.productBarcodeScanned/ 
[else]
submachine of CDACashPayment[  ]
entry / 
cb.changeAmount = 
append(cb.changeAmount, cashAmountEntered.amount);
cdg.amount = cashAmountEntered.amount; 
cdg.final = cashAmountEntered.final; 
p.cashAmountEntered(cdg.amount, cdg.final);
cdg.cashAmountEntered(cdg.amount, cdg.final)
 / 
p.changeAmountCalculated(cb.
changeAmount); 
cb.changeAmountCalculated(c
b.changeAmount)
cb.cashBoxClosed / 
p.cashBoxClosed();
 [cdg.final]
cb.cashAmountEntered/ [not cdg.final]
submachine of CDACardPayment[  ]
b.notOk/
b.debitOk   / p.saleSuccess(); 
cb.saleSuccess();
b.ok / b.transactionId = 
ok.transactionId
cr.creditCardScanned / b.cardInfo = 
creditCardScanned.cardInfo
b.denied/
 [not expressMode] / 
cr.activate()
 [else] / 
b.debitCard(b.transacti
onId)
 [b.transactionId = null]
 / cdg.invalidCreditCard()
 / 
b.validateCard(b.cardInfo,
 b.pin)
cr.pinEntered / b.pin 
= pinEntered.pin
submachine of CDAAccountSale [  ]
entry / 
SaleTO s = new SaleTO(saleHistory.last());
saleHistory.removeLast();
 
[else]
 / i.accountSale(s)
 [i <> null and 
saleHistory−>notEmpty()]
submachine of CDASwitchMode [  ]
entry / 
entry / 
expressMode = false; 
cdg.expressModeDisabled(); 
ld.expressModeDisabled(); 
cr.expressModeDisabled()
expressMode = true; 
cdg.expressModeEnabled(); 
ld.expressModeEnabled(); 
cr.expressModeEnabled()
co.expressModeEnabled/    
cb.expressModeDisabled/    
co.expressModeEnabled/
co.expressModeEnabled/  
 [expressMode]
cb.expressModeDisabled/
 [not expressMode]
 [not expressMode]
cb.expressModeDisabled/   
 [expressMode]
FIGURE 8.10. Submachine specifications for CDA (cf. Fig. 8.9b)
136 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
5. Frame Specifications of Simple and Composite Components
Frame specification provide means for more abstract specifications of component be-
haviour. Internal actions are not distinguished, abstracting from internal local computa-
tions and additional annotations may be used that specify optional transitions. We use a
slightly extended form of UML protocol state machines for the concrete specification of
component frames. The applied features and extensions are explained in Chap. 7 together
with a translation to input-persistent I/O-transition systems. In the following, we discuss
frame specifications for the simple components Coordinator and Bank, and for the compos-
ite components CashDesk and CashDeskLine.
(a) Coordinator
component frameCoordinator[  ] <<orthogonal>>
{numCopies = |cds|}
<<opt>><<tau>>
<<tau>>
 / 
cd.expressModeEna
bled(cd.cashDeskId)
cd.saleRegister
ed/
(b) PIO translation
cdi.sr/
/cdi.eme
τ
⊗|numCopies|
i=1
τ
(c) Bank
component frameBank[  ]
 / b.notOk
b.validateCard/
b.debitCard/
 / b.debitOk
«opt»
 / b.denied
«opt»
 / b.ok(randomVal)
FIGURE 8.11. Example for simple frame specifications
The specification of frames takes requirements3 into account without focusing on im-
plementation details. In this way, a more abstract design model with respect to the given
requirements is achieved. Additionally, parts of the behaviour may be specified optional
to allow a wider range of correct implementations. The specification for the component
Coordinator in Fig. 8.11 illustrates these aspects. The design was driven by the require-
ment to continuously be able to receive a signal saleRegistered. The component internally
decides either to send a signal expressModeEnabled or to receive yet another sale registra-
tion. In contrast to the optional decision to enable a cashdesk’s express mode, the internal
transition moving back to the initial state is mandatory. Otherwise implementations would
be allowed that stop after having received the first signal saleRegistered.
Compared to the behaviour of the coordinator component in Fig. 8.8, the frame spec-
ification is less detailed and thus better comprehensible. As the frame of a component is
supposed to include all of the potential communication behaviour of an implementation, it
is perfectly applicable for the construction of assembly frames that are smaller and again
better comprehensible compared to assemblies of component behaviours.
3given, for instance, by use case descriptions or sequence diagrams (or both)
6. ANALYSIS AND PROOF OBLIGATIONS 137
The figure also illustrates the PIO translation of the protocol state machines according
to Chap. 7. Beside the mapping of transitions without stereotype «opt» to persistent PIO
transitions, the translation is analogous to the IOTS translation of UML state machines that
was illustrated in Sect. 3 above.
With Fig. 8.11c we discuss a different scenario for the modelling of a frame specifi-
cation. The CoCoME is an example of an open system due to the communication with a
bank component that is external to the trading system. A concrete component Bank is not
available. Nevertheless, the communication for credit card payments is modelled as part
of the behaviour of the component CashDeskApplication. In this case, a frame specification
for the bank component can be used to specify the expected behaviour of the yet unknown
component. Such a specification states that any component, implementing the given frame
correctly is allowed to be integrated with the trading system.
The concrete specification in Fig. 8.11c allows implementations that always refuse
credit cards or always deny the debit of a successfully validated credit card. This option-
ality is motivated by the possibility to switch to cash payment at the cash desk of a store.
Thus, a sale process may be finished even in case a bank component always refuses the
validation of a credit card.
As an example for frame specifications of composite components consider the static
structure specification of the component CashDeskLine in Fig. 8.2a. The component de-
clares two ports, one for the communication with an inventory and another one for the
communication with a bank. With frame specifications of composite components we may
abstract from any internal details, i.e., we specify the behaviour as described by the given
requirements, but only with respect to the communication at the given ports. For instance,
Fig. 8.12a shows a component frame that takes the optionality of credit card payment into
account. In order to simplify the presentation we did not model the optionality of the com-
munication with the inventory as required by the CoCoME. The frame specification shows
a completely optional internal decision to sale products in normal or in express mode. In
normal mode, credit card payment is possible and the bank communication is integrated
by the submachine state BankComm.
The frame specification of CashDesk in Fig. 8.12b demonstrates a decomposition of
the frame specification of CashDeskLine and hence is an example for a top-down design
step. The only difference is an additional part for the communication with the coordinator
component. Intuitively, the composition of the frames of the subcomponents CashDesk
and Coordinator is supposed to result in a transition system with the additional part being
completely internal. In this case, the assembly behaviour would be a valid blackbox re-
finement of the frame of CashDeskLine and the decomposition a valid top-down step in the
hierarchical design of the trading system.
6. Analysis and Proof Obligations
The formal analysis of the given component behaviours and frames can be split into
three parts. First, behaviour analysis, considering component behaviours and their com-
position within assembly behaviours only. Second, correctness analysis for simple and
composite components, and third, frame analysis that checks for refinement and properties
such as communication-safety using component and assembly frames.
Behaviour Analysis. Our original submission of the CoCoME focused on correctness
analysis between port protocols and component behaviours, and neutrality checks within
the component CashDesk. We do no repeat this analysis here. Instead, we briefly mention
specifics that relate to the component model as developed within this thesis.
First of all, the approach to reduce the internal structure of CashDesk by neutral com-
ponent behaviours still works using Chap. 3. However, in case we are interested to show
138 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
(a)
component frameCashDeskLine[  ]
 : SaleExpr
 : SaleNorm
«opt»
 /  i.query(i.barcode)
«opt»
 / i.query(i.barcode)
(b)
component frameCashDesk[  ]
 : SaleNorm : SaleExpr
 /  i.query(i.barcode) / i.query(i.barcode)
«tau»
 / 
co.saleRegistered(co.cas
hDeskId, co.products, 
co.payMode)
co.expressMo
deEnabled/
(c)
submachineSaleNorm[  ]
 : BankComm
«opt»
 / 
b.validateCard(b.
cardInfo, b.pin)
«tau»
«opt»
 / 
i.query(i.bar
code)
i.productInfo/
 / 
i.accountSale(i.
saleObj)
submachineSaleExpr[  ]
 / 
i.accountSale(i.
saleObj)
«opt»
 / 
i.query(i.bar
code)
i.productInfo/
submachineBankComm[  ]
b.notOk/
 / 
b.debitCard(b.tra
nsactionId)
b.denied/ b.debitOk/b.ok/
FIGURE 8.12. Frame specifications of composite components
communication-safety of the given assembly, we may not use the syntactically reduced as-
sembly. Our approach disregards the communication direction in the checks for neutrality.
Therefore, if the central component CashDeskApplication is not compatible to the output of
an attached device, for instance the cash box component, then this incompatibility disap-
pears in a reduced assembly as long as the behaviour of the attached component is neutral
for the CashDeskApplication.
In order to verify communication-safety, it is necessary to consider the complete as-
sembly asm(CashDesk). For the case of weak comm-safety, pairwise verification using
Prop. 4.37 suffices. Ultra-weak comm-safety, however, must be checked in an incremental
way using Prop. 4.40 that computes the global assembly behaviour stepwise.
While the initial modelling in [KJH+08a] used synchronous connectors, we use asyn-
chronous connectors now. Such a modelling is closer to the CoCoME requirement of using
an event bus for the communication between the hardware devices of a cash desk compo-
nent. Hence, the underlying behaviours are completely buffered and, for instance, an anal-
ysis of weak comm-safety with Prop. 4.37 results in an obligation to proof the following
conjunction:∧
c:C∈leaves(asm(CashDesk))
Ω(beh(cda:CashDeskApplication)ξ)α↔w Ω(beh(c : C)ξ)α .
6. ANALYSIS AND PROOF OBLIGATIONS 139
In general, it is necessary to check all connected pairs of components. Thus, due to the
specific topology of the given component, we can use the leaves of the assembly to obtain
all relevant pairs.
The example is a suitable candidate to evaluate the CFSM-based approach with a
symbolic verification of asynchronous compatibility; cf. Chap. 5. However, due to the size
of the underlying transition systems, a manual check is not feasible and must be postponed
until mechanical tool support is available.
Correct Implementation. Correctness analysis involves refinement proofs between the
behaviour and the frame of a component. For the case of simple components, we need to
check blackbox refinement between the PIO-translations of the given UML specifications.
For instance, the behaviour of component Coordinator as given in Fig. 8.8 is a correct
implementation of the frame specification as given in Fig. 8.11a. Consider the translation
to transition systems and ignore for now the product operator and the parameter i in the
labels. Assume, that the states of the behaviour transition system are labelled b0, . . . , b3
and the frame transition system is labelled f0, . . . , f2, both starting with b0 respectively f0
in the initial state. Then, the relation R = {(b0, f0), (b0, f1), (b1, f1), (b2, f1), (b3, f2)} is
a witness for beh(Coordinator)vbb frm(Coordinator). Now, consider the product operator
and the labels distinguished by i. Using R we obtain a witness for each transition system
of the product, thus, by compositionality of blackbox refinement (Cor. 4.12), it follows that
the product of the behaviours is a valid refinement of the product of the frames. Therefore,
the component Coordinator is indeed correctly implemented.
The correctness proof for composite components is usually more involved. Consider,
for instance, the component CashDesk as depicted in Fig. 8.3. In order to proof its cor-
rect implementation, the complete product of all subcomponent behaviours must be com-
puted. As asynchronous connectors should be applied to be in line with the CoCoME
requirements, the composition may result in an infinite-state transition system. Therefore,
a manual check or a check with the MIO workbench is not feasible due to the size of the
example and thus, we merely record the proof obligation that results from the correctness
requirement for the component CashDesk. In order to show beh(asm(CashDesk))ρ vbb
frm(CashDesk), it is necessary to find a blackbox refinement relation such that:⊗
c:C∈cmps(asm(CashDesk))
Ω(beh(c : C)ξα)ρvbb frm(CashDesk) .
Note that the frame of CashDesk is a finite-state transition system. As already men-
tioned in Chap. 5, problems of this kind are called regularity problems. However, it seems
that these problems are not necessarily easier to solve, compared to the case where both
transition systems are infinite-state systems [KM02].
Frame Analysis. The analysis of component frames involves, on the one hand, analysis of
properties like communication-safety for the composition of frames and, on the other hand,
analysis of refinement between frames. The former is analogous to behaviour analysis,
and the latter is analogous to correctness analysis. An important difference, though, is the
more abstract view as given by frame specifications which makes frame analysis sometimes
more amenable to manual checks. In the following we consider compatibility between the
component frames for CashDeskLine and Bank, and for CashDesk and Coordinator. We
conclude this section with a brief discussion on frame refinement for a simple and a more
complex refinement of the component CashDeskLine.
Consider the frame specifications for CashDeskLine and Bank as given in Fig. 8.12a,
8.12c, and Fig. 8.11c. First, we assume that the components communicate synchronously
and check output compatibility of frm(CashDeskLine) and frm(Bank). It turns out, that
the frames are even strongly output compatible, due to the following informal reasoning
using the given UML frame specifications. Initially, the bank component is idle and waits
140 8. THE COMMON COMPONENT MODELLING EXAMPLE (COCOME)
according to its frame specification in Fig. 8.11c for a signal validateCard. The signal
is sent by the frame of CashDeskLine in submachine SaleNorm as depicted in Fig. 8.12c
before the submachine state BankComm for bank communication is entered. After the
signal was sent, the submachine BankComm in turn waits for the validation result. This
alternating protocol continues until BankComm reaches its final state and the frame spec-
ification of Bank reaches its initial state again. Since the bank communication is not
interleaved with any other part of the component’s transition systems, we conclude that
frm(CashDeskLine)↔s frm(Bank).
Next, assume that the components communicate asynchronously. Then, also the out-
put queues have to be taken into account, resulting in a proof obligation of the form (as-
suming completely buffered frames) Ω(frm(CashDeskLine))↔ Ω(frm(Bank)). Since the
communication between CashDeskLine and the inventory is not interleaved with the bank
communication, we consider the frames for CashDeskLine and Bank as a closed system.
More precisely, we close the inventory port of CashDeskLine using a unary connector and
then consider an observational equivalent frame without τ -loops. This simplified transition
system mirrors the frame of Bank. As both transition systems do not diverge autonomously
and both are input-separated, Thm. 5.3 is applicable and Ω(frm(CashDeskLine)) ↔w
Ω(frm(Bank)) follows from weak (synchronous) compatibility between the simplified
frame of CashDeskLine and the frame of Bank.
As a further example, we check synchronous output compatibility of frm(CashDesk)
and frm(Coordinator). It turns out that the frame specifications as depicted in Fig. 8.12b
and Fig. 8.11a are not output compatible. After the coordinator received a message with
the signal saleRegistered sent by CashDesk, the latter may proceed autonomously (using
internal and output transitions) to the submachine state SaleExpr, for instance. But then,
CashDesk is not ready to receive the signal expressModeEnabled that could be sent by the
Coordinator now. Conceptually, such a system state is related to a timeout behaviour of the
cash desk: after sale registration the component does not wait indefinitely for the decision
of the coordinator. Instead, the component may internally decide to move on with the next
sale process. Therefore, in order to obtain ultra-weakly output compatible frame speci-
fications, we extend the frame of CashDesk with receive loops in the submachine states
SaleExpr and SaleNorm. In this way, an expressModeEnabled signal that is delivered too
late is simply ignored and the resulting frame specifications are ultra-weakly output com-
patible. The specifications are not yet weakly output compatible, as the initial state does
not receive a signal expressModeEnabled, but the "output reachable" submachine states do.
Asynchronous output compatibility of frm(CashDesk) and frm(Coordinator) is ver-
ified analogously to the case of CashDeskLine and Bank above. The open ports of the
component CashDesk are closed using unary connectors. Then, we observe that the ob-
tained frame specification as well as frm(Coordinator) satisfy the assumptions of Thm. 5.3
and hence Ω(frm(CashDesk))↔wΩ(frm(Coordinator)) follows from weak (synchronous)
compatibility between the simplified frame of CashDesk and the frame of Coordinator.
Our notion of blackbox refinement provides two degrees of freedom for the refined
transition system. First, adding or skipping internal transitions is allowed as long as the
reached states are still in refinement relation. Second, optional transitions may be dropped
completely. By this means, refined transition systems may implement only parts of the
specified behaviour. The frame specification, for instance, of CashDeskLine declares the
transitions to its submachine states as optional (using the stereotype «opt»). As already
illustrated in the context of the correctness analysis above, the PIO translation results in
transition systems where mandatory, i.e., non-optional transitions are persistent. Thus,
a valid blackbox refinement must only preserve non-optional transitions and hence any
refinement of CashDeskLine that ignores the moves to the submachine states is a valid
refinement.
6. ANALYSIS AND PROOF OBLIGATIONS 141
For a more complex refinement problem, consider the assembly frame according to the
internal structure of the composite component CashDeskLine and the frame specification of
the component CashDeskLine. The connector co-cds is annotated with «async», i.e., FIFO
buffered communication must be used to compute the assembly frame. Hence, in order to
proof frm(asm(CashDeskLine))ρvbb frm(CashDeskLine), it is necessary to show that
(Ω(frm(cashDesks:CashDesk)α)⊗ Ω(frm(coordinator:Coordinator)α))ρ
is a blackbox refinement of frm(CashDesk). For the given proof obligation we considered
the singleton case, where the subcomponent cashDesks:CashDesk is declared with multi-
plicity 1. For the verification with an arbitrary fixed multiplicity k, an expansion of the
internal structure and of the «seq-adapter» connectors as described in Chap. 7 is necessary
before the frame of the assembly is computed.

CHAPTER 9
Conclusion
Before we briefly summarise the main contributions and provide prospects on pos-
sible extensions for future work, we elaborate a comparison with closely related formal
software component models. The discussion is separated into a comparison of static mod-
elling elements, support for behavioural specification, support for implementations and
their description, and support for formal analysis. In this way, we relate the discussion to
the categories and aspects of formal software component models as introduced in Chap. 1.
We included the corresponding overview in Fig. 9.1 for convenience. The succeeding sub-
sections comprise in each case summaries of the features of our model within the particular
category.
1. Related Work
The port-based component model developed within this thesis has a focus on mod-
elling and general behavioural analysis. We consider as relevant for a more detailed com-
parison only those component models from the literature having a similar objective. For
example Palladio [BKR07] features a quite sophisticated component model. The focus,
however, is on model-based performance prediction and hence the notions and concepts
are strongly biased towards performance issues. Therefore, we restrict our discussion to
component models that are more directly related, i.e., Sofa 2.0 [BHP06], GCM/Fractal
[HKR08, BABC+09], STSLib [FR08], and from the classical field of architectural de-
scription languages, FSP/Tracta (Darwin) [KM06, GKC99] and Wright [AG97].1 All of
these approaches feature a component model that defines structural entities together with a
mechanism to compose them; additionally, there is an execution model that defines basic
features such as the underlying communication paradigm. What qualifies these models as
software component models is their explicit distinction of specifications and implementa-
tions of component behaviour. Finally, all of the models mentioned are formal software
component models as they support formal reasoning usually on the level of the behavioural
specifications. Figure 9.1 provides an overview of those aspects of formal software com-
ponent models that we will consider more detailed within our comparison. The options
given in parentheses define the values that are used in Tab. 9.1 to provide a summary of
our discussion on related work.
Note that according to our definition of a software component model one might argue
that Wright does not provide a software component model due to the missing treatment of
implementations. We provide a comparison though, in order to illustrate the difference,
but also the similarity with traditional ADL approaches. Another, more recently developed
candidate for such a comparison is PADL [BCD02]. PADL and its extension as described
in [AB05] also deals with formal modelling and verification of software architectures using
component-oriented techniques. The approach extends a process algebra by architectural
concepts like “architectural type” [AB05, Def. 2.4] that is similar to our notion of an as-
sembly. PADL is equipped with various kinds of extension mechanisms based on a concept
1The given references aim at representing the most recent and most complete publication of the particular ap-
proach. Since the different aspects of a formal software component model are usually published in different
articles, we provide further references within the detailed discussions below.
143
144 9. CONCLUSION  	

 !"#$%&'()*!'&+((,&--.%&&--/01234506768+!(.+!!!#(+!!!.(9(9  :#'$(( );(!&$<$!(--+..--4886=008
+!&>&!#(.<$& &+$'?"#@50088<$!(--++..--A((.B !&& . A(.(<CDEFGHIJDKLMGENODFPDQNQLIRDSNH
FIGURE 9.1. Aspects of formal software component models (from Chap. 1)
called “architectural type invocation”. Architectural type invocations do not hide local in-
teractions which makes a difference to our application of composite component that are
used within an assembly by hiding all of its internal communications. In our view, this en-
capsulation is methodologically and technically quite important for building components
in an hierarchical way. Such a support for hierarchical composition is also missing in
Wright. In this respect it makes no difference whether we include Wright or PADL into
our elaboration on related work. However, since PADL is considered more detailed in the
context of an assembly analysis for synchronously communicating components, developed
in Chap. 3 (Sect. 4), we decided to include Wright in here.
1.1. Static Elements. Our port-based component model was originally inspired by
ROOM [SGW94], that later evolved to UML for Real-Time Systems [SR98] which in turn
has been incorporated into the unified modelling language in the meantime. UML2 intro-
duces notions of components, ports, and structured classifiers that are, not surprisingly, a
perfect match with the syntactic requirements of our port-based approach to components.
Hence we use UML2 as a concrete syntax for the structural specification of port-based
components. Given that the UML2 shows a number of semantical variation points as well
as ambiguities, see e.g. [CGR08, FSKdR05], we provide a metamodel for our component
model that is, on the one hand, easily mappable to the corresponding notions of the UML2
and provides, on the other hand, a convenient starting point for the formalisation of static
structure and behaviour of port-based components. In this sense, our semantics may also
be used to remedy the ambiguities of UML2 port semantics as discussed in [CGR08].
As summarised in Tab. 9.1, we consider components that are encapsulated by ports
with provided and required interfaces and exchange messages in the form of UML sig-
nals along binary assembly connectors. We allow the static modelling of general compo-
nent (and port) attributes, but we do not allow n-ary connectors. The restriction to binary
connectors allows the development of an interface theory that supports modular pairwise
reasoning within component assemblies. In contrast, n-ary connectors usually demand for
more global analysis techniques. We use UML declarations for ports, components, and
connectors, comprising name, type, and multiplicity. Finally, we allow hierarchical system
construction by encapsulation of assemblies within UML2 structured classifier using dele-
gate connectors to link open assembly ports with the ports of the (surrounding) composite
component.
SOFA 2.0 provides a technically matured component model with regard to static mod-
elling elements. Components are encapsulated by provided and required interfaces that
1. RELATED WORK 145
TABLE 9.1. Related formal software component models
 
 
P
o
rt
-B
a
s
e
d
 
C
o
m
p
o
n
e
n
ts
 
S
O
F
A
 2
.0
 
[B
H
P
0
6
] 
G
C
M
/F
ra
c
ta
l 
[H
K
R
0
8
, 
B
A
B
C
+
0
9
] 
S
T
S
L
ib
 
[F
R
0
8
] 
F
S
P
/T
ra
c
ta
 
[K
M
0
6
,G
K
C
9
9
] 
W
ri
g
h
t 
[A
G
9
7
, 
A
D
G
9
8
] 
Static Elements 
C
o
m
p
o
n
e
n
t 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
O
p
e
ra
ti
o
n
 
s
ig
n
a
l 
a
ll 
m
e
th
o
d
 
s
ig
n
a
l 
e
v
e
n
t 
e
v
e
n
t 
C
o
m
p
o
n
e
n
t 
a
tt
ri
b
u
te
s
  
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
n
o
 
n
o
 
E
n
c
a
p
s
u
la
ti
o
n
 
p
o
rt
 
in
te
rf
a
c
e
 
p
o
rt
 
in
te
rf
a
c
e
 
p
o
rt
 
p
o
rt
 
C
o
n
n
e
c
to
r 
b
in
a
ry
 
n
-a
ry
 
n
-a
ry
 
n
-a
ry
 
n
-a
ry
 
n
-a
ry
 
D
e
c
la
ra
ti
o
n
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
H
ie
ra
rc
h
y
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
n
o
 
 
 
 
 
 
 
 
Behavioural 
Specification 
C
o
n
c
u
rr
e
n
c
y
 m
o
d
e
l 
in
te
rl
e
a
v
in
g
 
in
te
rl
e
a
v
in
g
 
in
te
rl
e
a
v
in
g
 
in
te
rl
e
a
v
in
g
 
in
te
rl
e
a
v
in
g
 
in
te
rl
e
a
v
in
g
 
C
o
m
m
u
n
ic
a
ti
o
n
 
a
c
ti
o
n
s
 
e
v
e
n
ts
 
m
e
th
o
d
 c
a
lls
 
a
c
ti
o
n
s
 
a
c
ti
o
n
s
 
a
c
ti
o
n
s
 
C
o
m
m
. 
 t
im
in
g
 
fi
fo
, 
re
n
d
e
z
v
o
u
s
 
re
n
d
e
z
v
o
u
s
 
a
s
y
n
c
 r
e
n
d
e
z
v
o
u
s
 
re
n
d
e
z
v
o
u
s
 
re
n
d
e
z
v
o
u
s
 
re
n
d
e
z
v
o
u
s
 
S
y
n
c
h
ro
n
is
a
ti
o
n
 
c
o
n
tr
o
l-
b
a
s
e
d
 
c
o
n
tr
o
l-
b
a
s
e
d
 
d
a
ta
-f
lo
w
 
c
o
n
tr
o
l-
b
a
s
e
d
 
c
o
n
tr
o
l-
b
a
s
e
d
 
c
o
n
tr
o
l-
b
a
s
e
d
 
In
c
lu
d
e
s
 a
tt
ri
b
u
te
s
 
n
o
 
n
o
 
n
o
 
y
e
s
 
n
o
 
n
o
 
A
b
s
tr
a
c
t 
m
o
d
e
l 
P
IO
 
E
v
e
n
t 
tr
a
c
e
s
 
p
N
e
ts
 
S
T
S
 
L
T
S
 
L
T
S
 
C
o
n
c
re
te
 l
a
n
g
u
a
g
e
 
U
M
L
 P
S
M
 
B
P
 
J
D
C
 
S
T
S
 
F
S
P
 
C
S
P
 
 
 
 
 
 
 
 
Implementation 
A
b
s
tr
a
c
t 
m
o
d
e
l 
IO
T
S
 
E
v
e
n
t 
tr
a
c
e
s
 
p
N
e
ts
 
S
T
S
 
n
o
n
e
 
n
o
n
e
 
C
o
rr
e
c
tn
e
s
s
 r
e
la
ti
o
n
 
y
e
s
 
y
e
s
 
n
o
 
n
o
 
n
o
 
n
o
 
C
o
n
c
re
te
 l
a
n
g
u
a
g
e
 
U
M
L
 S
T
M
, 
J
M
S
 
J
a
v
a
 
J
a
v
a
, 
P
ro
A
c
ti
v
e
 
J
a
v
a
 
J
a
v
a
 
n
o
n
e
 
M
o
d
e
l/
c
o
d
e
 r
e
la
ti
o
n
 
tr
a
n
s
la
ti
o
n
 (
c
) 
g
e
n
e
ra
ti
o
n
 (
m
) 
g
e
n
e
ra
ti
o
n
 (
m
) 
g
e
n
e
ra
ti
o
n
 (
c
) 
tr
a
n
s
la
ti
o
n
 (
c
) 
n
o
n
e
 
L
if
e
c
y
c
le
 s
u
p
p
o
rt
 
p
a
rt
ia
l 
c
o
m
p
le
te
 
c
o
m
p
le
te
 
p
a
rt
ia
l 
p
a
rt
ia
l 
p
a
rt
ia
l 
R
e
c
o
n
fi
g
u
ra
ti
o
n
 
n
o
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
y
e
s
 
 
 
 
 
 
 
 
Analysis 
E
q
u
iv
a
le
n
c
e
 r
e
la
ti
o
n
 
y
e
s
 (
IO
T
S
) 
n
o
 
n
o
 
n
o
 
y
e
s
 
y
e
s
 
R
e
fi
n
e
m
e
n
t 
re
la
ti
o
n
 
y
e
s
 
y
e
s
 
n
o
 
n
o
 
n
o
 
y
e
s
 
H
ie
ra
rc
h
ic
a
l 
a
b
s
tr
a
c
ti
o
n
 
y
e
s
 
y
e
s
 
n
o
 
y
e
s
 
y
e
s
 
n
o
 
T
o
p
-d
o
w
n
/B
o
tt
o
m
-u
p
 
y
e
s
 
y
e
s
 
n
o
 
n
o
 
y
e
s
 
n
o
 
C
o
n
s
id
e
re
d
 p
ro
p
e
rt
ie
s
 
c
o
m
p
a
t.
/s
a
fe
ty
 
c
o
m
m
. 
fa
ilu
re
s
 
g
e
n
e
ra
l 
g
e
n
e
ra
l 
s
a
fe
ty
/l
iv
e
n
e
s
s
 
c
o
m
p
a
ti
b
ili
ty
 
T
o
o
l 
s
u
p
p
o
rt
 
M
IO
, 
L
A
S
H
 
B
P
 C
h
e
c
k
e
r 
C
A
D
P
 t
o
o
ls
e
t 
C
A
D
P
, 
S
T
S
L
ib
 
L
T
S
A
 
F
D
R
2
 
 
 
 
 
 
 
 
 
 
146 9. CONCLUSION
allow, besides signatures to be used for communication, amongst others to specify a ba-
sic kind of multiplicity and the communication style to be used for the given interface.
Concerning multiplicity, “single” and “multiple bindings” are distinguished. Supported
communication styles are procedure call, message-oriented communication, streaming and
distributed communication via shared memory [BP04]. Components may refer to an arbi-
trary number of properties and thus modelling of component attributes is supported. Con-
nectors may be n-ary, linking an arbitrary number of “SubcomponentInterfaceEndpoint”s.
Since “Frame”s, which represent a black-box view of a component, and interface types are
named entities, a notion of declaration for components and interfaces is supported. Finally,
SOFA distinguishes between frames and architectures understanding the latter to represent
implementations of the former. Frames may be hierarchically composed not only by using
architectures but also by using again frames. Therefore, a concept of static hierarchical
composition is properly supported. All of the mentioned elements refer to the presentation
of the SOFA 2.0 metamodel in [BHP06, Appendix A].
The grid component model GCM and the software component model Fractal were
initially independent developments where GCM had its source in the realm of program-
ming support, while Fractal was developed more in the spirit of traditional ADLs, though
aiming at explicit support for deployment and life cycle management of components. The
most up-to-date presentation of the combined GCM/Fractal model seems to be [HKR08].
Fractal contributes the basis for architectural static concepts and GCM adds facilities to
support group communications. The most complete description of the Fractal component
model without GCM can be found in [BCL+06]. The GCM/Fractal components repre-
sent run-time entities encapsulated by provided and required ports2. A port implements an
interface type that specifies operations, a multiplicity, and a role which is either “client”
or “server”. Client ports model provided access points, while server ports model required
access points. Interface types are extended by the GCM to allow for the specification of
“collective interface”s either of kind multicast or gathercast [HKR08, p.162]. With the
concepts of “primitive” and “composite bindings”, there is support for the modelling of
n-ary connectors. Fractal is equipped with a type system and instantiation facilities along
factory components, thus a concept of component declaration is supported. The so-called
“membrane” of a component features external and internal ports where the latter are not
accessible from the outside. Hence, Fractal allows for proper modelling of hierarchical
components.
STSLib uses a subset of KADL [PR06], an architectural description language for Kor-
rigan, to define its underlying component model. Korrigan is “a formal mixed specification
language which integrates [...] algebraic specifications for the static aspects and Labelled
Transition Systems (LTS) for the dynamic aspects” [PR06, p.1744]. The approach pro-
vides an integrated model of formal component behaviours and data types. Components
are encapsulated by an interface that specifies events that are emitted or received. Since
events are equipped with data, the concept seems to correspond to UML signals. Connec-
tors are not represented explicitly, but instead a more generic approach using modal logical
formulas is used to relate the interfaces of different components within a so-called “com-
munication diagram” [PR06, Sect. 3.3]. Thus, STSLib is considered to support a concept
of n-ary connectors. The definition of composite components relies on UML composition
diagrams [FR08, Sect. 3.5]. Therefore, it seems that a notion of declarations is supported.
The static specifications shown in [PR06, Fig. 14–17], however, do only use type specifi-
cations similar to UML class diagrams. Composite components export events emitted or
received by its subcomponents [PR06, pp. 1763–1764] and since only exported events are
visible to the outside, hierarchical modelling is supported.
FSP (Finite State Processes) and Wright are process algebraic approaches developed
in the context of architectural description languages. FSP [KM06] features a graphical
2called “interface” in [BCL+06]
1. RELATED WORK 147
notation that is based on Darwin [MDEK95] and a semantic domain that is based on la-
belled transition systems as a mixture of the transition systems described by the process
algebras CSP and CCS. The reason why we consider FSP as a related formal software com-
ponent model is, on the one hand, the similarity between UML2 structured classifier and
FSP structure diagrams, and, on the other hand, its emphasis on a hierarchical approach to
support analysis of distributed system models using transition systems that describe (com-
posite) component behaviours; cf. Tracta [GKC99].
In FSP/Tracta components are encapsulated by portals whose types are sets of event
names. Events denote simple actions without taking into account parameter values ex-
plicitely [GKC99, p. 12]; component attributes are not considered. Since FSP allows for
n-ary communication along shared actions, the approach is considered to feature n-ary con-
nectors. Both, declarations and hierarchical system constructions are supported: the former
since portals and components can be equipped with names and the latter since composite
components interact via external interfaces only, effectively hiding any interaction between
subcomponents. The focus for the development of the architectural description language
Wright was on the modelling of connector behaviours. Even though components exist as
structural entities, their detailed structural and behavioural properties are not elaborated in
[AG97]. Components are structurally defined by a set of ports that describe logical inter-
action points of the respective component. A port alphabet specifies the set of event names
relevant at the particular port. N-ary connectors link components using their ports. Both,
component and connector types are used within declarations to specify system assemblies
[AG97, Fig. 3]. However, arbitrary hierarchical system construction using composite com-
ponents is not supported.
1.2. Behavioural Specification. Usually software component models consider com-
ponents as kind of active objects that execute within their own thread of control. Note that
this is also the case for ADL approaches such as FSP and Wright. Communication between
components is either by (remote) method call or by message exchange. The behaviour
model of port-based components was initially developed for asynchronous message ex-
change relying on a rendezvous (handshake) mechanism for synchronisation [BHH+06].
In order to provide a more implementation-oriented modelling support of asynchronous
message exchange, the model was extended with input queues, one for each component,
which allowed to buffer received messages similar to the request queue of active objects
used by the GCM/Fractal approach [BABC+09]. However, since components are equipped
with several ports representing the interaction points of a component, the execution model
evolved further using one queue for each port and, finally, we switched the direction and
decided to use output instead of input queues. This last decision was largely motivated
by technical reasons. However, conceptually such a point of view is also taken in the
context of distributed systems (cf. Sect.2), and formally, for instance, in the asynchronous
pi-calculus [BPS01, Chap. 8, Sect. 3.5].
The behavioural aspects of our model are summarised by Tab. 9.1. Likewise to the
related component models, we use an interleaving semantics as our basic model of con-
currency. Behaviour is formally described by receive, send and internal actions using a
synchronous handshake mechanism or FIFO queues for buffered communication. Syn-
chronisation is control-based. This common approach is in contrast to GCM/Fractal which
is the only model that uses a data-flow approach to synchronisation. The latter refers to
so-called future values: placeholder that are exchanged asynchronously and synchronised
as soon as the corresponding value is indeed used within the client program. We do neither
model component attributes nor do we consider data states of components. Formally, com-
ponent behaviours are specified using input-persistent I/O-transition systems (PIO). As a
concrete specification language we use a slightly extended form of UML protocol state
machines. Their translation to PIOs is described in detail.
148 9. CONCLUSION
SOFA uses traces of low-level events to formally capture the behaviour and commu-
nication of components [PV02]. Their abstract model distinguishes whether an event is
emitted, received or internal. Moreover, it is explicitly stated if the particular event is a
request or a response which allows for a fine-grained modelling of both, (remote) method
calls with or without return values and asynchronous message-oriented communication.
SOFA applies regular-like expressions, “behaviour protocols”, to specify behaviours. The
semantics of a behaviour protocol is a set of event traces. The language is equipped with
various operators such as sequencing, repetition, and parallel composition. The semantics
of the composition operator uses a rendezvous (handshake) mechanism for the construction
of interleaved event traces. Component data states are not considered, hence synchronisa-
tion is necessarily control-based.
The GCM/Fractal model is outstanding in its communication technique relying on
asynchronous remote method calls with futures. A future is a placeholder variable that is
either nil or refers to an object. If such a variable is accessed, the corresponding pro-
cess is blocked until the future value is defined (not nil). These variables are exchanged
between components to communicate return values of asynchronous method calls. A for-
mal execution model for distributed object-oriented systems with futures is given by the
ASP calculus in [CH05]. The execution model is discussed in the implementation part of
the component model below. The abstract behaviour model of GCM/Fractal was initially
developed for Fractal in [BHM06] using “pNets” (parameterised Networks of Synchro-
nised Automata) which is a transition system based formalism that “unifies and extends
the value-passing CCS of Ingolfsdottir and Lin [28], and the synchronisation networks of
Arnold and Nivat [4]”.3 From the latter the basic formalism of labelled transition sys-
tems (LTS) and synchronisation vectors and networks respectively is taken, and the former
gives rise to include data parameters to be used for communication events and guards.
Based on an instantiation of parameters, pNet instantiation yields a possibly infinite LTS
and defines the semantics of pNets. The formal model is elaborated and set into context
of the GCM/Fractal component model in [CM08] and [BABC+09]. The formalisation
follows the programming model, i.e., components communicate through asynchronous
method calls with futures, using a rendezvous mechanism for composition (asynchronous
rendezvous, cf. [CH05, p.9]). The approach uses data-flow synchronisation, since com-
ponents are blocked (“wait-by-necessity”) as soon as the object underlying a future is first
accessed. The focus so far, however, is on futures, while general component attributes are
not yet considered. However, it seems that the semantics developed by Henrio et al. in
[HKR08] could be easily extended in that respect. Quite recently the formalism was ap-
plied to sketch a semantics for transparent futures [CHMV10] that were not yet taken into
account in the mentioned articles. Moreover, since pNets are a quite low-level formalism a
concrete specification language JDC (Java Distributed Components) is currently developed
by Cansado et al. [CHM10].
Behavioural specifications of STSLib are formally based on symbolic transition sys-
tems STS [FR08]. STS specify the temporal order of emitted, received and internal events
taking into account guards and parameter values that are formalised along an algebraic
approach to the specification of the underlying data types and their evaluation to concrete
values. The transition systems are symbolic since parameter values are not immediately
expanded as it is implicitly the case within our approach. Instead, expansion is defined by
an unfolding of a STS into a configuration graph, which then again might be considered as
a STS. Unfolding takes data states of components into account. The composition operator
for STS uses synchronisation vectors and applies a control-based rendezvous mechanism.
In some sense we could also consider the unfolded STS to provide the abstract model
of behavioural specifications and the symbolic STS to provide the concrete language for
behavioural specification.
3The cited references [28] and [4] correspond to the entries [IL01] and [Arn94] in our bibliography.
1. RELATED WORK 149
FSP and Wright are the most closely related approaches with respect to formal be-
havioural specification. FSP uses finite labelled transition systems and Wright relies on
CSP for the specification of component, connector behaviour respectively. Being based
on process algebras, the models use internal (τ ) and external actions to describe behaviour
and a rendezvous mechanism for the composition of components. The main difference to
our approach in that respect is that we distinguish input and output actions and therefore
develop a correspondingly different theory based on input-persistent I/O-transition systems
(PIOs). The component models do not consider attributes. Both, FSP and CSP, are tex-
tual languages whose semantics generates labelled transition systems as a formal abstract
model of behaviour.4
1.3. Implementation. Software component models aim at supporting explicitly a no-
tion of component implementation. According to Lau and Wang a support of the complete
life cycle (design, deployment and runtime) of a component is required.
Our approach, in particular our component model, was initially developed in the con-
text of the architectural programming language Java/A [Hac04] which extends Java with
architectural elements such as components, ports, and connectors. This approach provided
programming support for the complete life cycle and also for dynamic reconfiguration
[BHH+06]. Since then, however, our focus shifted from programming to behavioural
analysis which needs a more abstract model of component behaviours respectively compo-
nent implementations. Therefore, we defined I/O-transition systems as an abstract model
of the implementation of port-based components which, due to its close relation to PIOs,
may also be formally related to specifications of component behaviour. The important dif-
ference between specification and implementation is that the former usually allows for a
number of different correct implementations, while the latter may usually only be replaced
by components with, for instance, observational equivalent behaviours. As a concrete
language for implementations, we use a restricted simple form of UML state machines.
Additionally, we describe translations to an implementation based on Java Message Ser-
vice (JMS) [Mic02]. Both languages are close to our abstract implementation model of
I/O-transition systems. Therefore, formal analysis on the level of abstract models of spec-
ification and implementation can indeed be expected to carry over to properties of the
concrete implementation. Deployment is not our primary concern and therefore life cycle
support is only partial: we support component design, and along our formal behavioural
model also runtime concepts, but not deployment. In a similar vein, we do not consider
reconfiguration.
The methodological approach concerning the difference of behavioural specification
and implementation model of SOFA is similar to ours. Their approach use as an abstract
implementation model again event traces. The correctness relation with respect to the
behavioural specification is formally stated in [PV02]. As a concrete implementation lan-
guage, Java is considered. The transition from the abstract model based on behaviour pro-
tocols to Java code is left unspecified. Though, the reverse direction is tackled by testing
and pattern-like approaches in [PPK06] and [PP09]. SOFA provides programming support
for the complete component life cycle as well as for reconfiguration issues [BHP06]. This
support is, however, not related to their formal model of implementations and behaviours.
The implementation and execution model of GCM/Fractal is rooted in the grid com-
ponent part of the approach. Within this context an object-oriented programming model
and concurrent Java-based middleware implementation, ProActive, has been developed,
aiming at providing programming support for general distributed systems [BBC+06]. A
formal generalisation of this approach is given by the calculus of Asynchronous Sequen-
tial Processes (ASP) [CH05]. Together with the Fractal component model, a quite so-
phisticated execution model is obtained that integrates the GCM programming model with
4In fact, there are different semantic models of CSP and amongst them, there is also an operational semantics
generating labelled transition systems.
150 9. CONCLUSION
the management model of Fractal for the deployment and reconfiguration of hierarchi-
cal component-based systems [CM08, BABC+09]. The resulting abstract implementation
model is not yet formally related to the behavioural specifications along JDC [CHMV10].
Nevertheless, the reverse direction, “model generation” for ProActive implementations of
GCM/Fractal components seems to be quite matured [CM08]. Due to the sophisticated
management facilities developed within the context of Fractal, the approach provides ex-
tensive programming support for the complete component life cycle and reconfiguration as
required for the dynamic evolution of a particular system.
STSLib aims at Java code generation as complete as possible. The approach does not
provide a formal relation between an STS representing an implementation and a more ab-
stract behavioural STS specification. Since STSLib is the only approach that integrates
component data on the specification level, there is enough detail available to generate
imperative Java code that takes both into account, the algebraic data specifications and
the protocol specifications whose rendezvous-based composition is also translated to Java
[PNPR05, FPR07, FR08]. Similar to our approach, the initial focus with STSLib re-
spectively KADL [PR06] was on formal analysis of behavioural models on the transition
system level. Thus, there is only partial life cycle support not considering component
deployment. Dynamic reconfiguration is briefly discussed in the context of dynamic archi-
tectures [PR06, Sect. 3.5].
Architectural description languages intentionally focused on the specification and anal-
ysis of the software architecture of a given system. Therefore neither Darwin nor Wright
provide an account on implementations or explicit models hereof. Life cycle support thus
again is partial, meaning that analogously to our and the STSLib approach only design and
runtime is considered but not deployment. Wright features extensions that tackle recon-
figuration in the context of dynamic architectures [ADG98], while Darwin was initially
developed with a pi-calculus based semantics in order to better support the modelling and
analysis of dynamic architectures [MDEK95, MK96]. In contrast, FSP is more in the spirit
of a software component model due to its development and presentation in [KM06] which
describes a systematic translation from FSP behavioural models to thread-based Java code.
1.4. Formal Analysis. Based on formal models of behavioural specifications and im-
plementations, analysis aims, on the one hand, at providing early feedback during system
design with regard to architectural incompatibilities and, on the other hand, by following
either top-down or bottom-up development steps, to formally relate models of the same
abstraction level by a refinement relation, but also of different abstraction levels by an
implementation relation.
At the core of any such analysis are equivalence or refinement relations that are ap-
plied to the abstract models of component behaviour (cf. Tab. 9.1). This is particularly
true for the stepwise refinement of behavioural specifications. Refinement proceeds un-
til the specification is either concrete enough to be implemented or to be related to an
abstract implementation model by some formal implementation relation. Note that this
last step may involve two completely different formal languages. However, in our case
of PIOs for the specification and IOTSs for the implementation, the languages relate to
the same general formalism of modal I/O-automata [LNW07], and hence our refinement
relation and our implementation relation in fact coincide. Our model explicitly supports
hierarchical abstraction by hiding internal actions that stem either from local component
computations or from synchronised message exchange within a composite component. Hi-
erarchical abstraction is an important basis for the proper formal support of top-down and
bottom-up approaches to system design. The former means to relate a top-level design by
stepwise refinement to a decomposition of the original system into a system comprising
several subcomponents. The latter means to allow for modular substitution of a compo-
nent implementation in the sense that it suffices to proof a component-local correctness
criterion in order to substitute without unintended effect with regard to the remaining part
1. RELATED WORK 151
of the system. Such an effect could be the invalidation of a communication property like,
in our case, communication-safety ensuring for systems of port-based components that
messages sent indeed will eventually be received. Compatibility and refinement analysis
is supported using the MIO workbench, an Eclipse-based verification tool and editor for
modal I/O automata [May]. In the context of the LASH toolset a C library is available,
implementing algorithms and data types for a symbolic verification of systems with FIFO
buffered communication based on queue content decision diagrams (QDD) [BG99, Boi].
SOFA’s support for an analysis based on behaviour protocols is again quite closely
related to our approach. In [PV02] an explicit refinement relation is defined taking into
account the asymmetric role played by provisions and requirements of a component, i.e.,
by events received and events emitted. Moreover, hierarchical abstraction is supported
by alphabet restriction. Formal support of top-down and bottom-up approaches to system
development is essential in the mentioned article. The bottom-up direction is proven for-
mally [PV02, Thm. 3.4.4] and the top-down direction is supported by a notion of correct
implementation based on protocol conformance. The analysis of behaviour protocols to
detect architectural incompatibilities is tackled in [AP05]. Considered incompatibilities
comprise “bad activity", “no activity", and “divergence”. Bad activity corresponds to our
notion of communication-safety. No activity and divergence are related to deadlock and
divergence as known from general process algebras, though taking into account the life
cycle of components which allows to stop a running component, for instance to replace
the particular component with a new version. There is a protocol checker [MPK05] that
supports the verification of protocol compliance between two given behaviour protocols
[PPK06, Sect. 3.2]. Additionally, there is a runtime checker that tests if an executing Java
component obeys to its frame protocol by an integration with the Java PathFinder [PPK06].
According to Tab. 9.1, GCM/Fractal seems to provide only few support of formal
analysis. We would like to stress that this is definitely not the case with respect to general
properties. For the comparison of analysis techniques, however, we were particularly inter-
ested in formal support of component-related properties as suggested by the characteristics
for CBD derived in Sect. 1. In that respect, there is a need for specific analysis techniques
that are not yet provided by the GCM/Fractal approach [CHMV10, Sect. 4]. In contrast,
the support for the verification of general properties of their pNet models is quite exten-
sive using the CADP toolset [INR] that allows to check a large number of preorders and
equivalence relations, and also allows to model-check, for instance, µ-calculus formulas
[CM08, Sect. 4.6].
With STSLib the situation is similar to GCM/Fractal. There is extensive support for
general verification issues including approaches that involve theorem provers, but no ded-
icated support for an analysis in a component-based setting [PR06, Sect. 4.3]. STS can be
translated to LOTOS specifications paving the way to use CADP for general verification
issues. An STSLib API is currently developed aiming at providing more direct verifica-
tion support [FR08, Sect. 4.2]. The STS formalism features internal actions and hence we
consider STSLib to provide means of hierarchical abstraction.
FSP/Tracta use observational equivalence for a compositional reachability analysis of
labelled transition systems [GKC99]. Even though no refinement relation is employed, we
consider the approach to provide support for top-down and bottom-up design due to its sys-
tematic approach to behavioural analysis in Tracta. In particular, the verification of safety
and liveness properties in hierarchically structured systems is supported in a quite intuitive
way. Properties are specified using finite deterministic LTS or Büchi automata respectively
and may relate to actions of subsystems at an arbitrary hierarchical level [GKC99, Sect. 3]
of the given system architecture. Verification is supported by the Labelled Transition Sys-
tem Analyser LTSA that allows also LTL model checking [MKC+].
Wright is based on CSP and thus inherits its equivalence and refinement relations as
well as support for the verification of general properties using the FDR model checker
152 9. CONCLUSION
[For]. Additionally a compatibility relation based on CSP refinement is defined for con-
nector behaviours and port behaviours (of attached components) that is used to check a
notion of architectural compatibility [AG97]. Since Wright does not consider hierarchical
systems, there is neither support for hierarchical abstraction nor support for top-down and
bottom-up design approaches in component-based development.
2. Evaluation and Prospects
An integrated formal software component model with support for synchronous and
asynchronous message exchange as prevalent, for instance, in distributed systems was de-
veloped. In particular, the difference of abstract models for component implementation and
component specification was elaborated, resulting in an IOTS-based theory of component
implementations and a PIO-based theory of component specifications. The theories use a
compositional notion of refinement that preserves specific properties (different notions of
communication compatibility) and general properties (safety properties). A definition of
correct implementation established a formal link between implementations and specifica-
tions. On this basis, support for the characteristics of component-based development was
stated formally. We discussed a detailed translation to CFSM systems in order to support
the verification of systems with asynchronous communication. We used the UML2 as a
concrete specification language for static as well as dynamic aspects and provided a sys-
tematic translation to the more abstract level of transition systems. The CoCoME was used
to illustrate the features of our component model, to exemplify the translation of UML
state machines and to discuss proof obligations that might arise in a formal analysis of the
given specifications.
Evaluation. An integrated formal software component model provides a complete picture
of static structure, behaviour specification and behaviour implementation. In particular, the
separated abstract models allow a separated development of corresponding theories and
verification approaches, while implementation correctness provides the formal link that is
required to obtain an integrated model. Thus, we believe that the model developed within
this thesis also provides a useful and detailed view of the general constituents of a formal
software component model.
Frame specifications differ from behaviour specifications, amongst others, by using
only τ actions for the modelling of internal choice. We believe that such a restriction
helps to focus on the externally visible behaviour while specifying dynamical aspects.
In contrast, a distinguished local alphabet is available for the description of component
behaviours and thus helps to describe the implementation behaviour of components in a
direct way.
For practical applicability, it is important that the abstract models are conceptually
closely related to the respective concrete domains. For example, IOTSs provide a direct
match with message-oriented systems that communicate by rendezvous or FIFO-buffered
message exchange. However, they do not provide a direct match with systems that com-
municate by method calls.
Ports turned out to be an important structural modelling element. The UML concept of
provided and required interfaces of a port provides an appropriate means for the syntactical
definition of the communication alphabet at a particular interaction point of a component.
However, the role of port protocols for modular verification seems to be limited, as the
required assumptions on the relation between port protocol and component behaviour are,
at least for the verification of our notions of communication compatibility, rather strong.
Limitations and Future work. Some of the shortcomings of the developed component
model directly point to potential extensions and improvements. First, life cycle support is
only partial. According to [LW07] a complete life cycle support including deployment is
important for practical software component models. Thus, concepts for component-based
2. EVALUATION AND PROSPECTS 153
deployment as well as support for programming, installation and update of component
types should be included. Eventually, this touches also conceptual, formal, and practical
support for reconfiguration. Such a support calls for a precise distinction between types
and instances which directly relates to a second limitation. We interpreted declarations
of components and ports as architectural templates for different instantiation possibilities
defined by the given multiplicities. In this way, we considered in fact the instance but
not the type level by our formal models of dynamic system specifications. We believe
that proper support of arbitrary multiplicities could be integrated with a support for re-
configuration. Third, group communication was not considered. However, broadcast and
multicast communication is directly related to the publish/subscriber pattern that is, be-
sides point-to-point communication, the second prevalent communication mechanism in
message-oriented systems. Therefore, adding a concept of n-ary connectors together with
an appropriate theory for group communication seems to be a valuable effort.
Furthermore, tool support for verification is incomplete but indispensable for larger
case studies and practical application. This is particularly true for the formal analysis of
systems with asynchronous communication. Here, we believe that the CFSM-based sym-
bolic verification approach with QDDs is quite promising. As algorithms for the construc-
tion of QDDs exist, an integration with an existing verification tool could be a feasible next
step. For instance, the MIO workbench [May] already supports the verification of weak
output compatibility and blackbox refinement. Thus, it would be convenient to integrate
also support for the verification of systems with buffered communication. Another candi-
date for a corresponding extension is the LTSA tool [MKC+] which is a quite useful tool
for the verification of labelled transition systems.
Besides, there are extensions that are beyond a mere improvement of the existing
model. For instance, in order to develop an approach for asynchronously communicating
components with data states, all categories that constitute a formal software component
model need to be revisited. First of all, it must be clarified which kind of operational
interaction model is appropriate: signals or remote method calls. Next, an appropriate
interpretation of data-related behavioural specifications such as pre- and postconditions
of operations in an asynchronous context is still an open research question. Building on
such an interpretation, it would be interesting, on the level of implementations, to de-
velop a design-by-contract approach for a concrete concurrent programming language.
Finally, formal analysis of data-related specifications is, similar to the analysis of systems
with FIFO-buffered communication, related to the verification of infinite-state systems and
hence a research issue on its own.

Bibliography
[AB05] Alessandro Aldini and Marco Bernardo. On the Usability of Process Algebra: An Architectural
View. Theor. Comput. Sci., 335(2-3):281–329, 2005.
[ACN02] Jonathan Aldrich, Craig Chambers, and David Notkin. ArchJava: Connecting Software Architec-
ture to Implementation. In Proceedings of the 24th International Conference on Software Engi-
neering (ICSE’02), pages 187–197. ACM, 2002.
[ADG98] Robert Allen, Remi Douence, and David Garlan. Specifying and Analyzing Dynamic Software
Architectures. In Proceedings of the 1998 Conference on Fundamental Approaches to Software
Engineering (FASE’98), Lisbon and Portugal, March 1998.
[AG97] Robert Allen and David Garlan. A Formal Basis for Architectural Connection. ACM Trans. Softw.
Eng. Methodol., 6(3):213–249, 1997.
[AP05] Jirí Adámek and Frantisek Plasil. Component Composition Errors and Update Atomicity: Static
Analysis. J. Softw. Maint. Evol.-R., 17(5):363–377, 2005.
[Arn94] André Arnold. Finite Transition Systems. Semantics of Communicating Systems. Prentice-Hall,
Englewood, 1994.
[BABC+09] Tomás Barros, Rabéa Ameur-Boulifa, Antonio Cansado, Ludovic Henrio, and Eric Madelaine.
Behavioural Models for Distributed Fractal Components. Annales des Télécommunications, 64(1–
2):25–43, 2009.
[BBC+06] Laurent Baduel, Françoise Baude, Denis Caromel, Arnaud Contes, Fabrice Huet, Matthieu Morel,
and Romain Quilici. Grid Computing: Software Environments and Tools, chapter Programming
and Deploying and Composing and for the Grid. Springer-Verlag, January 2006.
[BCD02] Marco Bernardo, Paolo Ciancarini, and Lorenzo Donatiello. Architecting Families of Software
Systems with Process Algebras. ACM Trans. Softw. Eng. Methodol., 11(4):386–426, 2002.
[BCL+06] Eric Bruneton, Thierry Coupaye, Matthieu Leclercq, Vivien Quéma, and Jean-Bernard Stefani.
The FRACTAL Component Model and its Support in Java. Softw. and Pract. Exper., 36(11–
12):1257–1284, 2006.
[BFH+07] Buschmann, Frank, Henney, Kevlin, Schmidt, and Douglas C. Pattern Oriented Software Archi-
tecture Volume 5: On Patterns and Pattern Languages. Wiley, June 2007.
[BG99] Bernard Boigelot and Patrice Godefroid. Symbolic Verification of Communication Protocols with
Infinite State Spaces using QDDs. Formal Methods in System Design, 14(3):237–255, 1999.
[BGWW97] Bernard Boigelot, Patrice Godefroid, Bernard Willems, and Pierre Wolper. The Power of QDDs
(Extended Abstract). In Pascal Van Hentenryck, editor, Proceedings of the 4th International Sym-
posium on Static Analysis (SAS’97), volume 1302 of Lecture Notes in Computer Science, pages
172–186. Springer, 1997.
[BHH+06] Hubert Baumeister, Florian Hacklinger, Rolf Hennicker, Alexander Knapp, and Martin Wirsing.
A Component Model for Architectural Programming. Elect. Notes Theo. Comp. Sci. (FACS’05),
160:75–96, 2006.
[BHM06] Tomas Barros, Ludovic Henrio, and Eric Madelaine. Verification of Distributed Hierarchical Com-
ponents. Elect. Notes Theo. Comp. Sci. (FACS’05), 160:41–55, 2006.
[BHP06] Tomas Bures, Petr Hnetynka, and Frantisek Plasil. SOFA 2.0: Balancing Advanced Features in
a Hierarchical Component Model. In 4th International Conference on Software Engineering Re-
search, Management and Applications (SERA’06), pages 40–48. IEEE Computer Society, 2006.
[BKL08] Christel Baier, Joost-Pieter Katoen, and Kim Guldstrand Larsen. Principles of Model Checking.
MIT Press, 2008.
[BKR07] Steffen Becker, Heiko Koziolek, and Ralf Reussner. Model-Based Performance Prediction with the
Palladio Component Model. In Vittorio Cortellessa, Sebastián Uchitel, and Daniel Yankelevich,
editors, Proceedings of the 6th International Workshop on Software and Performance (WOSP),
pages 54–65. ACM, 2007.
[BMSH10] Sebastian S. Bauer, Philip Mayer, Andreas Schroeder, and Rolf Hennicker. On Weak Modal Com-
patibility and Refinement and and the MIO Workbench. In Proceedings of the 16th International
Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’10),
volume 6015 of Lect. Notes Comp. Sci., pages 175–189. Springer, 2010.
155
156 BIBLIOGRAPHY
[Boi] Bernard Boigelot. The LASH toolset. http://www.montefiore.ulg.ac.be/
~boigelot/research/index.html#lash (2010-02-21).
[BOR04] Steffen Becker, Sven Overhage, and Ralf Reussner. Classifying Software Component Interoper-
ability Errors to Support Component Adaption. In Ivica Crnkovic, Judith Stafford, Heinz Schmidt,
and Kurt Wallnau, editors, Proceedings of the 7th International Symposium on Component-Based
Software Engineering, volume 3054 of Lect. Notes Comp. Sci., pages 68–83. Springer, 2004.
[BP04] Tomas Bures and Frantisek Plasil. Communication Style Driven Connector Configurations. In
1st International Conference on Software Engineering Research and Applications (SERA’03), Se-
lected Revised Papers, volume 3026 of Lect. Notes Comp. Sci., pages 102–116. Springer, 2004.
[BPS01] Jan A. Bergstra, Alban Ponse, and Scott A. Smolka, editors. Handbook of Process Algebra. Else-
vier Science B.V., 2001.
[BZ83] Daniel Brand and Pitro Zafiropulo. On Communicating Finite-State Machines. J. ACM, 30(2):323–
342, 1983.
[CF05] Gérard Cécé and Alain Finkel. Verification of Programs with Half-Duplex Communication. Infor-
mation and Computation, 202(2):166–190, 2005.
[CFN03] Cyril Carrez, Alessandro Fantechi, and Elie Najm. Behavioural Contracts for a Sound Composition
of Components. In Proceedings of the 23rd IFIP International Conference on Formal Techniques
for Networked and Distributed Systems (FORTE’03), volume 2767 of Lect. Notes Comp. Sci.,
pages 111–126. Springer, 2003.
[CGR08] Arnaud Cuccuru, Sébastien Gérard, and Ansgar Radermacher. Meaningful Composite Structures.
In Krzysztof Czarnecki, Ileana Ober, Jean-Michel Bruel, Axel Uhl, and Markus Völter, editors,
11th International Conference on Model Driven Engineering Languages and Systems (MoDELS
2008), volume 5301 of Lect. Notes Comp. Sci., pages 828–842. Springer, 2008.
[CH05] Denis Caromel and Ludovic Henrio. A Theory of Distributed Objects. Springer-Verlag, 2005.
[CHM10] Antonio Cansado, Ludovic Henrio, and Eric Madelaine. Transparent First-class Futures and Dis-
tributed Components. Electr. Notes Theor. Comput. Sci., 260:155–171, 2010.
[CHMV10] Antonio Cansado, Ludovic Henrio, Eric Madelaine, and Pablo Valenzuela. Unifying Architectural
and Behavioural Specifications of Distributed Components. Electr. Notes Theor. Comput. Sci.,
260:25–45, 2010.
[CK96] Shing Chi Cheung and Jeff Kramer. Context Constraints for Compositional Reachability Analysis.
ACM Trans. Softw. Eng. Methodol., 5(4):334–377, 1996.
[CM08] Antonio Cansado and Eric Madelaine. Specification and Verification for Grid Component-Based
Applications: From Models to Tools. In de Boer et al. [dBBM09], pages 180–203.
[Crn03] Ivica Crnkovic´. Component-Based Software Engineering - New Challenges in Software Develop-
ment. Journal of Computing and Information Technology, 11(3):151–161, September 2003.
[CSSW04] Ivica Crnkovic, Heinz Schmidt, Judith Stafford, and Kurt Wallnau. 6th Workshop on Component-
Based Software Engineering: Automated Reasoning and Prediction. SIGSOFT Softw. Eng. Notes,
29(3):1–7, 2004.
[CVZ06] Ivana Cerná, Pavlína Varˇeková, and Barbora Zimmerova. Component Substitutability via Equiva-
lencies of Component-Interaction Automata. In Proc. Wsh. Formal Aspects of Component Software
(FACS’06), pages 115–130, Praha, 2006. UNU-IIST Technical Report 344.
[dAH01a] Luca de Alfaro and Thomas A. Henzinger. Interface automata. In Proceedings of the 9th Annual
Symposium on Foundations of Software Engineering, pages 109–120. ACM Press, 2001.
[dAH01b] Luca de Alfaro and Thomas A. Henzinger. Interface Theories for Component-Based Design. In
EMSOFT: Embedded Software, volume 2211 of Lect. Notes Comp. Sci., pages 148–165. Springer,
2001.
[dAH05] Luca de Alfaro and Thomas A. Henzinger. Interface-based Design. In Manfred Broy, Johannes
Grünbauer, David Harel, and C. A. R. Hoare, editors, Engineering Theories of Software-intensive
Systems, volume 195 of NATO Science Series: Mathematics and Physics and and Chemistry, pages
83–104. Springer, 2005.
[dBBM09] Frank S. de Boer, Marcello M. Bonsangue, and Eric Madelain, editors. 7th International Sym-
posium on Formal Methods for Components and Objects (FMCO’08), Sophia Antipolis, France,
October 21-23, 2008, Revised Lectures, volume 5751 of Lect. Notes Comp. Sci. Springer, 2009.
[DOS09] Francisco Durán, Meriem Ouederni, and Gwen Salaün. Checking Protocol Compatibility using
Maude. Electr. Notes Theor. Comput. Sci., 255:65–81, 2009.
[EDM08] Shahram Esmaeilsabzali, Nancy A. Day, and Farhad Mavaddat. Interface Automata with Complex
Actions: Limiting Interleaving in Interface Automata. Fundam. Inform., 82(4):465–512, 2008.
[Elo91] Jaana Eloranta. Minimizing the Number of Transitions with Respect to Observation Equivalence.
BIT, 31(4):576–590, 1991.
[FBS05] Xiang Fu, Tevfik Bultan, and Jianwen Su. Synchronizability of Conversations among Web Ser-
vices. IEEE Trans. Software Eng., 31(12):1042–1055, 2005.
[For] Formal Systems (Europe) Limited. FDR2.83 academic use release. http://www.fsel.com
(2010-03-29).
BIBLIOGRAPHY 157
[FPR07] Fabrício Fernandes, Robin Passama, and Jean-Claude Royer. Components with Symbolic Transi-
tion Systems: A Java Implementation of Rendezvous. In Alistair A. McEwan, Steve A. Schneider,
Wilson Ifill, and Peter H. Welch, editors, CPA, volume 65 of Concurrent Systems Engineering
Series, pages 89–107. IOS Press, 2007.
[FR08] Fabrício Fernandes and Jean-Claude Royer. The STSLib Project: Towards a Formal Component
Model Based on STS. Electr. Notes Theor. Comput. Sci., 215:131–149, 2008.
[FSKdR05] Harald Fecher, Jens Schönborn, Marcel Kyas, and Willem P. de Roever. 29 New Unclarities in the
Semantics of UML 2.0 State Machines. In 7th International Conference on Formal Engineering
Methods (ICFEM’05), volume 3785 of Lect. Notes Comp. Sci., pages 52–65. Springer, 2005.
[GGMC+07] Gregor Gössler, Susanne Graf, Mila Majster-Cederbaum, Moritz Martens, and Joseph Sifakis.
Ensuring Properties of Interaction Systems by Construction. In Program Analysis and Compilation
and Theory and Practice — Essays Dedicated to Reinhard Wilhelm on the Occasion of His 60th
Birthday, volume 4444 of Lect. Notes Comp. Sci., pages 201–224. Springer, 2007.
[Gia99] Dimitra Giannakopoulou. Model Checking for Concurrent Software Architectures. PhD thesis, Im-
perial College of Science and Technology and Medicine and University of London and Department
of Computing, 1999.
[GKC99] Dimitra Giannakopoulou, Jeff Kramer, and Shing Chi Cheung. Behaviour Analysis of Distributed
Systems Using the Tracta Approach. Automated Software Eng., 6(1):7–35, 1999.
[GMY84] M.G. Gouda, E.G. Manning, and Y.T. Yu. On the Progress of Communication between two Finite
State Machines. Inf. Control, 63(3):200–216, 1984.
[GS05] Gregor Gössler and Joseph Sifakis. Composition for Component-based Modeling. Sci. Comp.
Prog., 55(1-3):161–183, 2005.
[GTBF03] Holger Giese, Matthias Tichy, Sven Burmester, and Stephan Flake. Towards the Compositional
Verification of Real-Time UML Designs. SIGSOFT Softw. Eng. Notes, 28(5):38–47, 2003.
[Hac04] Florian Hacklinger. Java/A - Taking Components into Java. In Proceedings of the 13th Conference
on Intelligent and Adaptive Systems and Software Engineering, pages 163–168. ISCA, 2004.
[HJK08] Rolf Hennicker, Stephan Janisch, and Alexander Knapp. On the Observable Behaviour of Com-
posite Components. In Carlos Canal and Corina Pasareanu, editors, Proc. 5th Int. Wsh. Formal
Aspects of Component Software (FACS’08), 2008.
[HJK09] Rolf Hennicker, Stephan Janisch, and Alexander Knapp. Refinement of Components in
Connection-Safe Assemblies with Synchronous and Asynchronous Communication. In C. Choppy
and O. Sokolsky, editors, Proc. of 15th Int. Monterey Wsh., Foundations of Computer Software,
Future Trends and Techniques for Development, volume 6028 of Lect. Notes Comp. Sci., pages
154–180. Springer, 2009.
[HJS01] Michael Huth, Radha Jagadeesan, and David A. Schmidt. Modal Transition Systems: A Founda-
tion for Three-Valued Program Analysis. In David Sands, editor, 10th European Symposium on
Programming Languages and Systems (ESOP’01), volume 2028 of Lect. Notes Comp. Sci., pages
155–169. Springer, 2001.
[HKR08] Ludovic Henrio, Florian Kammüller, and Marcela Rivera. An Asynchronous Distributed Compo-
nent Model and its Semantics. In de Boer et al. [dBBM09], pages 159–179.
[HKW+07] Sebastian Herold, Holger Klus, Yannick Welsch, Constanze Deiters, Andreas Rausch, Ralf
Reussner, Klaus Krogmann, Heiko Koziolek, Raffaela Mirandola, Benjamin Hummel, Michael
Meisinger, and Christian Pfaller. CoCoME — The Common Component Modeling Example. In
Rausch et al. [RRMP08], pages 16–53.
[IL01] A. Ingolfsdottir and H. Lin. A Symbolic Approach to Value-Passing Processes, chapter 7, pages
427–478. In Bergstra et al. [BPS01], 2001.
[INR] INRIA (Grenoble/Rhone-Alpes). Construction and Analysis of Distributed Processes. Software
Tools for Designing Reliable Protocols and Systems. http://www.inrialpes.fr/vasy/
cadp (2010-03-29).
[IU01] Paola Inverardi and Sebastian Uchitel. Proving Deadlock Freedom in Component-Based Program-
ming. In Proceedings of the 4th International Conference on Fundamental Approaches to Software
Engineering (FASE’01), pages 60–75, London and UK, 2001. Springer.
[Kaa92] Marinus Frans Kaashoek. Group Communication in Distributed Computer Systems. PhD thesis,
Vrije Universiteit te Amsterdam, 1992.
[KJH+08a] Alexander Knapp, Stephan Janisch, Rolf Hennicker, Allan Clark, Stephen Gilmore, Florian Hack-
linger, Hubert Baumeister, and Martin Wirsing. Modelling the CoCoME with the Java/A Compo-
nent Model. In Rausch et al. [RRMP08], pages 207–237.
[KJH+08b] Alexander Knapp, Stephan Janisch, Rolf Hennicker, Allan Clark, Stephen Gilmore, Florian
Hacklinger, Hubert Baumeister, and Martin Wirsing. Modelling the CoCoME with the Java/A
Component Model (Extended Version). http://www.pst.ifi.lmu.de/Research/
current-projects/cocome/cocome-extended.pdf/view (2010-04-06), 2008.
[KM99] Jeff Kramer and Jeff Magee. Concurrency. State Models and Java Programs. Worldwide Series in
Computer Science. John Wiley and Sons, March 1999.
158 BIBLIOGRAPHY
[KM02] Antonín Kucera and Richard Mayr. Simulation Preorder over Simple Process Algebras. Informa-
tion and Computation, 173(2):184–198, 2002.
[KM06] Jeff Kramer and Jeff Magee. Concurrency. State Models and Java Programs, 2nd Edition. World-
wide Series in Computer Science. John Wiley and Sons, April 2006.
[Kuc99] Antonín Kucera. On Finite Representations of Infinite-State Behaviours. Information Processing
Letters, 70(1):23–30, 1999.
[Lar04] Craig Larman. Applying UML and Patterns: An Introduction to Object-Oriented Analysis and
Design. Prentice-Hall, Englewood Cliffs, 2004.
[LMW04] Stefan Leue, Richard Mayr, and Wei Wei. A Scalable Incomplete Test for the Boundedness of
UML RT Models. In Kurt Jensen and Andreas Podelski, editors, 10th International Conference on
Tools and Algorithms for the Construction and Analysis of Systems (TACAS’04), volume 2988 of
Lect. Notes Comp. Sci., pages 327–341. Springer, 2004.
[LNW07] Kim Guldstrand Larsen, Ulrik Nyman, and Andrzej Wasowski. Modal I/O Automata for Interface
and Product Line Theories. In Rocco De Nicola, editor, 16th European Symposium on Program-
ming Languages and Systems (ESOP’07), volume 4421 of Lect. Notes Comp. Sci., pages 64–79.
Springer, 2007.
[LT88] Kim Guldstrand Larsen and Bent Thomsen. A Modal Process Logic. In Proceedings and 3rd An-
nual Symposium on Logic in Computer Science (LICS), pages 203–210. IEEE Computer Society,
1988.
[LW07] Kung-Kiu Lau and Zheng Wang. Software component models. IEEE Trans. Software Eng.,
33(10):709–724, 2007.
[May] Philip Mayer. The MIO Workbench. http://www.miowb.net (2010-03-29).
[MDEK95] Jeff Magee, Naranker Dulay, Susan Eisenbach, and Jeff Kramer. Specifying Distributed Software
Architectures. In Wilhelm Schäfer and Pere Botella, editors, 5th European Software Engineering
Conference (ESEC’95), volume 989 of Lect. Notes Comp. Sci., pages 137–153. Springer, 1995.
[Mic] Microsoft. .Net. http://www.microsoft.com/net (2010-03-22).
[Mic02] Sun Microsystems. Java Message Service Specification (V1.1). Internet, April 2002.
[Mic07] Sun Microsystems. Sun Java System Message Queue 4.1 Technical Overview. Technical report,
Sun Microsystems, 2007.
[Mil89] R. Milner. Communication and Concurrency. Prentice-Hall and Inc., Upper Saddle River and NJ
and USA, 1989.
[MK96] Jeff Magee and Jeff Kramer. Dynamic Structure in Software Architectures. SIGSOFT Softw. Eng.
Notes, 21(6):3–14, 1996.
[MKC+] Jeff Magee, Jeff Kramer, Robert Chatley, Sebastian Uchitel, and Howard Foster. LTSA – Labelled
Transition System Analyser. http://www.doc.ic.ac.uk/ltsa (2010-03-29).
[MPK05] M. Mach, F. Plasil, and J. Kofron. Behavior Protocol Verification: Fighting State Explosion. Inter-
national Journal of Computer and Information Science, 6(1):22–30, 2005.
[MPR04] Olivier Maréchal, Pascal Poizat, and Jean-Claude Royer. Checking Asynchronously Communicat-
ing Components Using Symbolic Transition Systems. In Proceedings of OTM Confederated Inter-
national Conferences, CoopIS, DOA, and ODBASE, Part II, volume 3291 of Lect. Notes Comp.
Sci., pages 1502–1519. Springer, 2004.
[NR68] P. Naur and B. Randell, editors. Software Engineering: Report of a conference sponsored by
the NATO Science Committee. Brussels and Scientific Affairs Division and NATO (1969), 1968.
Garmisch, Germany, 7-11 Oct.
[NV90] Rocco De Nicola and Frits W. Vaandrager. Action versus State based Logics for Transition Sys-
tems. In Irène Guessarian, editor, Semantics of Systems of Concurrent Processes, volume 469 of
Lect. Notes Comp. Sci., pages 407–419. Springer, 1990.
[OMG] Object Management Group OMG. Corba. http://www.corba.org (2010-03-22).
[OMG09] Object Management Group OMG. Unified Modeling Language Superstructure Version 2.2.
http://www.omg.org/spec/UML/2.2/Superstructure/PDF (2010-30-30), 2009.
[PNPR05] Sebastian Pavel, Jacques Noyé, Pascal Poizat, and Jean-Claude Royer. A Java Implementation of
a Component Model with Explicit Symbolic Protocols. In Thomas Gschwind, Uwe Aßmann, and
Oscar Nierstrasz, editors, Software Composition, volume 3628 of Lect. Notes Comp. Sci., pages
115–124. Springer, 2005.
[PP09] Tomás Poch and Frantisek Plasil. Extracting Behavior Specification of Components in Legacy
Applications. In Grace A. Lewis, Iman Poernomo, and Christine Hofmeister, editors, Proceed-
ings of the 12th International Symposium on Component-Based Software Engineering (CBSE’09),
volume 5582 of Lect. Notes Comp. Sci., pages 87–103. Springer, 2009.
[PPK06] Pavel Parizek, Frantisek Plasil, and Jan Kofron. Model Checking of Software Components: Com-
bining Java PathFinder and Behavior Protocol Model Checker. In Proceedings of the 30th Annual
IEEE/NASA Software Engineering Workshop, pages 133–141. IEEE Computer Society, 2006.
BIBLIOGRAPHY 159
[PR06] Pascal Poizat and Jean-Claude Royer. A Formal Architectural Description Language based on
Symbolic Transition Systems and Temporal Logic. Journal of Universal Computer Science,
12(12):1741–1782, 2006.
[PV02] Frantisek Plasil and Stanislav Visnovsky. Behavior Protocols for Software Components. IEEE
Transactions on Software Engineering, 28(11):1056–1076, 2002.
[RJB05] James Rumbaugh, Ivar Jacobson, and Grady Booch. The Unified Modeling Language Reference
Manual, 2nd edition. Pearson Education and Inc, 2005.
[RRMP08] Andreas Rausch, Ralf Reussner, Raffaela Mirandola, and Frantisek Plasil, editors. The Common
Component Modeling Example: Comparing Software Component Models, volume 5153 of Lect.
Notes Comp. Sci. Springer, 2008.
[SC00] João Costa Seco and Luis Caires. A Basic Model of Typed Components. In Elisa Bertino, editor,
Proceedings of the 14th European Conference on Object-Oriented Programming (ECOOP’00),
volume 1850 of Lect. Notes Comp. Sci., pages 108–128. Springer, 2000.
[SGW94] Bran Selic, Garth Gullekson, and Paul T. Ward. Real-Time Object-Oriented Modeling. John Wiley
and Sons, Inc., 1994.
[Som06] Ian Sommerville. Software Engineering, 8th edition. Pearson Education, 2006.
[SR98] Bran Selic and Jim Rumbaugh. Using UML for Modeling Complex Real-Time Systems. Technical
report, ObjectTime Limited and Rational Software Corporation, March 1998.
[TGG+05] Tobin Titus, Syed Fahad Gilani, Mike Gillespie, James Hart, Benny K. Mathew, Andy Olsen,
David Curran, Jon Pinnock, Robin Pars, Fabio Claudio Ferracchiati, Sandra Gopikrishna, Tejaswi
Redkar, and Srinivasa Sivakumar. Pro .NET 1.1 Remoting, Reflection, and Threading. Apress,
2005.
[TM07] Andrew S. Tanenbaum and Maarten Van Steen. Distributed Systems – Principles and Paradigms,
Second Edition. Pearson International Edition, 2007.
[Tuc04] Allen B. Tucker, editor. Computer Science Handbook, Second Edition. Chapman & Hall/CRC,
2004.
[vB78] Gregor von Bochmann. Finite State Description of Communication Protocols. Computer Net-
works, 2:361–372, 1978.

