Process Algebraic Architectural Description Languages: Generalizing
  Component-Oriented Mismatch Detection in the Presence of Nonsynchronous
  Communications by Bernardo, Marco et al.
Process Algebraic Architectural Description Languages:
Generalizing Component-Oriented Mismatch Detection
in the Presence of Nonsynchronous Communications
Addendum to:
“Handling Communications in Process Algebraic Architectural Description Languages:
Modeling, Verification, and Implementation”
Journal of Systems and Software 83:1404–1429, August 2010
Marco Bernardo Edoardo Bonta` Alessandro Aldini
Universita` di Urbino “Carlo Bo” – Italy
Abstract
In the original paper, we showed how to enhance the expressiveness of a typical process algebraic
architectural description language by including the capability of representing nonsynchronous communi-
cations. In particular, we extended the language by means of additional qualifiers enabling the designer
to distinguish among synchronous, semi-synchronous, and asynchronous ports. Moreover, we showed
how to modify techniques for detecting coordination mismatches such as the compatibility check for star
topologies and the interoperability check for cycle topologies, in such a way that those two checks are ap-
plicable also in the presence of nonsynchronous communications. In this addendum, we generalize those
results by showing that it is possible to verify in a component-oriented way an arbitrary property of a
certain class (not only deadlock) over an entire architectural type having an arbitrary topology (not only
stars and cycles) by considering also behavioral variations, exogenous variations, endogenous variations,
and multiplicity variations, so to deal with the possible presence of nonsynchronous communications.
The proofs are at the basis of some results mentioned in the book “A Process Algebraic Approach to
Software Architecture Design” by Alessandro Aldini, Marco Bernardo, and Flavio Corradini, published
by Springer in 2010.
Introduction
In [3], we showed how to enhance the expressiveness of a typical process algebraic architectural descrip-
tion language by including the capability of representing nonsynchronous communications. We focused on
PADL [4, 1] and extended it by means of additional qualifiers enabling the designer to distinguish among
synchronous, semi-synchronous, and asynchronous ports.
Semi-synchronous ports are not blocking. A semi-synchronous port of a component succeeds if there is
another component ready to communicate with it, otherwise it raises an exception so as not to block the
component to which it belongs. For example, a semi-synchronous input port can be used to model accesses
to a tuple space via input or read probes. A semi-synchronous output port can instead be used to model
the interplay between a graphical user interface and an underlying application, as the former must not block
whenever the latter cannot do certain tasks requested by the user.
Likewise, asynchronous ports are not blocking because the beginning and the end of the communications
in which these ports are involved are completely decoupled. For instance, an asynchronous output port can
be used to model output operations on a tuple space. An asynchronous input port can instead be used to
model the periodical check for the presence of information received from an event notification service. The
semantic treatment of asynchronous ports requires the addition of implicit repository-like components that
implement the decoupling.
1
ar
X
iv
:1
80
5.
11
67
6v
1 
 [c
s.S
E]
  5
 M
ay
 20
18
As far as verification is concerned, in [3] we showed how to modify techniques for detecting coordination
mismatches. In particular, we addressed the compatibility check for star topologies and the interoperability
check for cycle topologies, both introduced in [4], in such a way that those two checks are applicable also in
the presence of nonsynchronous communications.
This is accomplished by viewing certain activities carried out through semi-synchronous and asynchronous
ports as internal activities when performing the above mentioned checks. The reason is that each such activity
has a specific outcome and takes place at a specific time instant when considered from the point of view of
the individual component executing that activity. However, in the overall architecture, the same activity can
raise an exception (if the port is semi-synchronous and the other ports are not ready to communicate with it)
or can be delayed (if the port is asynchronous and the communication is buffered). Thus, if we do not regard
exceptions and all the activities carried out through asynchronous ports as internal activities at verification
time, the compatibility or interoperability check may fail even in the absence of a real coordination mismatch.
In Thms. 4.7 and 4.9 of [3], we showed results based on adaptations of the compatibility check for star
topologies and the interoperability check for cycle topologies, which correspond to Thms. 4.5 and 5.2 of [4].
However, in Thms. 4.14, 4.15, 4.23, 4.25, and 4.26 of [1], the results of [4] were generalized by showing that it
is possible to verify in a component-oriented way an arbitrary property of a certain class (not only deadlock)
over an entire architectural type having an arbitrary topology (not only stars and cycles) by considering also
behavioral variations, exogenous variations, endogenous variations, and multiplicity variations.
In this addendum to [3], we extend the general results of [1] to deal with the possible presence of
nonsynchronous communications. Observing that Prop. 5.1 of [2] is a slight extension of Thm. 4.7 of [3] and
that Props. 5.2 and 5.3 of [2] are slight extensions of Thm. 4.9 of [3], this work gives rise to Thm. 5.1 and
Cors. 5.1, 5.2, 5.3, and 5.4 of [2], which respectively extend Thms. 4.14, 4.15, 4.23, 4.25, and 4.26 of [1].
Arbitrary Topologies and General Properties
As in [1, 2], we start with an architectural description A that has an arbitrary topology and a property P that
belongs to the class Ψ of properties each of which (i) is expressed only in terms of the possibility/necessity of
executing certain local interactions in a certain order through a logic that does not allow negation to be freely
used and (ii) comes equipped with a weak behavioral equivalence ≈P coarser than weak bisimilarity that
preserves P and is a congruence with respect to static process algebraic operators. Following the notation
used in [2], we denote by FC1,...,Cn the frontier of a set of AEIs {C1, . . . , Cn}, by CUC the cyclic union of an
AEI C, and by CU(κ) the set of cyclic unions generated by a cycle covering algorithm κ; moreover, subscript
bbm, standing for before behavioral modifications, replaces bbv, standing for before behavioral variations.
Theorem 5.1 of [2] Let A be an architectural description and P ∈ Ψ be a property for which the following
two conditions hold:
1. For each K ∈ A belonging to an acyclic portion or to the intersection of some cycle with acyclic
portions of the abstract enriched flow graph of A, K is P-compatible with every C ∈ BK − CUK .
2. If A is cyclic, then there exists a total cycle covering algorithm κ such that for each cyclic union
{C1, . . . , Cn} ∈ CU(κ):
(a) If FC1,...,Cn = ∅, then there exists Cj ∈ {C1, . . . , Cn} that P-interoperates with the other AEIs in
the cyclic union.
(b) If FC1,...,Cn 6= ∅, then every Cj ∈ FC1,...,Cn P-interoperates with the other AEIs in the cyclic
union.
(c) If no Cj ∈ FC1,...,Cn is such that [[Cj ]]pc;wobA satisfies P and there exists Cg ∈ {C1, . . . , Cn} −
FC1,...,Cn such that [[Cg]]pc;wobA satisfies P, then at least one such Cg P-interoperates with the
other AEIs in the cyclic union.
Then [[A]]pc;#Abbm satisfies P iff so does [[C]]pc;wobA for some C ∈ A.
2
Proof We proceed by induction on the number m ∈ N of cycles in the abstract enriched flow graph of A:
• If m = 0, then the abstract enriched flow graph of A is acyclic. We prove the result by induction on
the number s ∈ N≥1 of stars in the abstract enriched flow graph of A:
– If s = 1, then there is only one star in the abstract enriched flow graph of A, which we assume to
be composed of the AEIs K,C1, . . . , Cn and centered on K. In order to avoid trivial cases, let us
assume n > 0. We distinguish among the following three cases:
∗ Case i: [[K]]pc;wobA satisfies P. By virtue of condition 1, since K is P-compatible with all the
AEIs in BK , from Prop. 5.1 of [2] we derive that also [[K,BK ]]tc;#K,BK ;KK,BK /
n∪
l=1
(HK,Cl ∪EK,Cl)
satisfies P. Since [[K,BK ]]tc;#K,BK ;KK,BK = [[A]]
tc;#A;K
bbm , it holds that [[A]]pc;#Abbm satisfies P too,
because P does not contain any free use of negation.
∗ Case ii: [[K]]pc;wobA does not satisfy P, but there exists Cj ∈ BK such that [[Cj ]]pc;wobA satisfies P.
By virtue of condition 1, Cj is P-compatible with K:
([[Cj ]]
pc;#K
A ‖S(Cj ,K;A) [[K]]tc;#CjCj ,BCj ) / (HCj ,K ∪ ECj ,K) ≈P [[Cj ]]
pc;wob
A
where we observe that:
[[K]]
tc;#Cj
Cj ,BCj = [[K]]
pc;#Cj
Cj ,BCj /ϕK,async(OALIK)
≈P [[K]]pc;#CjA / (Name − VK;Cj ) /ϕK,async(OALIK)
By virtue of condition 1, since K is P-compatible with all the AEIs in BK , from Prop. 5.1
of [2] we derive in particular that:
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK /
n∪
l=1,l 6=j
(HK,Cl ∪ EK,Cl) ≈P [[K]]pc;wobA
Since [[K]]
pc;#Cj
A – occurring in the former of the last two equalities – is given by [[K]]
pc;wob
A
– occurring in the latter of the last two equalities – in parallel with the buffers associated
with the originally asynchronous local interactions of K attached to Cj , from the last equality
we derive that:
[[K]]
pc;#Cj
A / (Name − VK;Cj ) /ϕK,async(OALIK)
≈P
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK /
n∪
l=1,l 6=j
(HK,Cl ∪ EK,Cl) / (Name − VK;Cj ) /ϕK,async(OALIK)
Thanks to the last two hidings, all the actions but those in ϕK;Cj (LIK;Cj ) are hidden, hence
the first hiding in the right-hand term above is redundant and we obtain that:
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK /
n∪
l=1,l 6=j
(HK,Cl ∪ EK,Cl) / (Name − VK;Cj ) /ϕK,async(OALIK)
≈P
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK / (Name − VK;Cj ) /ϕK,async(OALIK)
By definition of totally closed semantics, we then derive that:
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK / (Name − VK;Cj ) /ϕK,async(OALIK)
≈P
[[K,BK − {Cj}]]tc;#K,BK ;KK,BK / (Name − VK;Cj )
Hence, summarizing, we have proved that:
[[K]]
tc;#Cj
Cj ,BCj ≈P [[K,BK − {Cj}]]
tc;#K,BK ;K
K,BK / (Name − VK;Cj )
From the first equality at the beginning of this case and the congruence property of ≈P with
respect to static process algebraic operators, we obtain that:
([[Cj ]]
pc;#K
A ‖S(Cj ,K;A) ([[K,BK − {Cj}]]tc;#K,BK ;KK,BK / (Name − VK;Cj ))) / (HCj ,K ∪ ECj ,K)
≈P
[[Cj ]]
pc;wob
A
Since ≈P preserves P, the left-hand term of the previous equality satisfies P. From the fact
that P does not contain any free use of negation, we derive that [[Cj ,K,BK−{Cj}]]tc;#K,BK ;Cj ,KK,BK
3
satisfies P. Since [[Cj ,K,BK − {Cj}]]tc;#K,BK ;Cj ,KK,BK = [[A]]
tc;#A;Cj ,K
bbm , it holds that [[A]]pc;#Abbm
satisfies P too, because P does not contain any free use of negation.
∗ Case iii: no AEI in the star satisfies P. By following the same arguments as case i, we reduce
the star to the AEI K, which does not satisfy P, from which it immediately follows that not
even [[A]]pc;#Abbm satisfies P.
– Let the result hold for a certain s ≥ 1 and suppose that the abstract enriched flow graph of A is
composed of s+1 stars. Due to the acyclicity of the abstract enriched flow graph of A, there must
be a star – say composed of the AEIs K,C1, . . . , Cn and centered on K – that is attached only
to one other star in the abstract enriched flow graph of A – say with Ci. Then, we distinguish
among the following four cases:
∗ Case I: [[Ci]]pc;wobA does not satisfy P, but there exists Cj ∈ BK − {Ci} such that [[Cj ]]pc;wobA
satisfies P. By considering BK − {Ci} in place of BK and following the same arguments as
case ii, it is straightforward to obtain that [[Cj ,K,BK − {Cj , Ci}]]tc;#K,BK ;Cj ,KK,BK satisfies P
too. Now, by virtue of condition 1, K is P-compatible with Ci:
([[K]]pc;#CiA ‖S(K,Ci;A) [[Ci]]tc;#KK,BK ) / (HK,Ci ∪ EK,Ci) ≈P [[K]]
pc;wob
A
Since ≈P is a congruence with respect to static process algebraic operators, we derive that:
([[Cj ,K,BK − {Cj , Ci}]]tc;#K,BK ;Cj ,KK,BK ‖S(K,Ci;A)[[Ci]]
tc;#K
K,BK ) / (HK,Ci ∪ EK,Ci)
≈P
[[Cj ,K,BK − {Cj , Ci}]]tc;#K,BK ;Cj ,KK,BK
and, as a consequence, the left-hand term of this equality satisfies P. Note that such a term is
≈P -equivalent to [[K,BK ]]tc;#K,BK ;Cj ,KK,BK / (HK,Ci ∪EK,Ci). Since P does not contain any free
use of negation, we derive that also [[K,BK ]]tc;#K,BK ;Cj ,KK,BK satisfies P and, for the same reason,
so does [[K,BK ]]tc;#K,BK ;Cj ,KA . Since P is expressed only in terms of local interactions, it holds
that [[K,BK ]]tc;#K,BK ;Cj ,KA /EK,BK satisfies P too, where EK,BK is the set of exceptions that
may be raised by semi-synchronous interactions involved in attachments between K and the
AEIs in BK .
Now, consider the architectural description A′ obtained by replacing the AEIs K,C1, . . . , Cn
with a new AEI K ′ isomorphic to [[K,BK ]]tc;#K,BK ;Cj ,KA /EK,BK . It turns out that A′ has
an acyclic topology with one fewer star with respect to A, so the induction hypothesis is
applicable to A′ if we show that all of its AEIs satisfy condition 1. It will then follow that
[[A′]]pc;#A′bbm satisfies P because so does [[K ′]]pc;wobA′ and hence, since P does not contain any
free use of negation, we will derive that [[A]]pc;#Abbm satisfies P because so does [[Cj ]]pc;wobA .
It is easy to see that K ′ satisfies condition 1. If C is an arbitrary AEI attached to K ′ because
it was previously attached to Ci, by virtue of condition 1 in A we have that:
([[Ci]]
pc;#C
A ‖S(Ci,C;A) [[C]]tc;#CiCi,BCi ) / (HCi,C ∪ ECi,C) ≈P [[Ci]]
pc;wob
A
from which it follows that in A′:
([[K ′]]pc;#CA′ ‖S(K′,C;A′) [[C]]tc;#K
′
K′,BK′ ) / (HK′,C ∪ EK′,C) ≈P [[K ′]]
pc;wob
A′
because ≈P is a congruence with respect to static process algebraic operators.
Also any such C satisfies condition 1 in A′. Starting from the fact that by virtue of condi-
tion 1 in A we have that:
([[C]]pc;#CiA ‖S(C,Ci;A) [[Ci]]tc;#CC,BC ) / (HC,Ci ∪ EC,Ci) ≈P [[C]]
pc;wob
A
we have to prove that in A′:
([[C]]pc;#K
′
A′ ‖S(C,K′;A′) [[K ′]]tc;#CC,BC ) / (HC,K′ ∪ EC,K′) ≈P [[C]]
pc;wob
A′
which can be accomplished by proving that:
[[K ′]]tc;#CC,BC ≈P [[Ci]]
tc;#C
C,BC
On the one hand, since K ′ is attached to C in A′ because Ci is attached to C in A, it holds
that:
[[K ′]]tc;#CC,BC ≈P [[K,BK ]]
tc;#C,K,BK ;Cj
A /EK,BK /ϕCj ,async(OALICj ) / (Name − VCi;C)
≈P [[K,BK ]]tc;#C,K,BKA /EK,BK / (Name − VCi;C)
4
On the other hand, it holds that:
[[Ci]]
tc;#C
C,BC ≈P [[Ci]]
pc;#C
C,BC /ϕCi,async(OALICi)
≈P [[Ci]]pc;#CA /ϕCi,async(OALICi) / (Name − VCi;C)
and by virtue of condition 1:
[[Ci]]
pc;wob
A ≈P ([[Ci]]pc;#KA ‖S(Ci,K;A)[[K]]tc;#CiCi,BCi ) / (HCi,K ∪ ECi,K)
≈P [[Ci,K]]tc;#Ci,K;CiCi,BCi / (HCi,K ∪ ECi,K)
Since [[Ci]]
pc;#C
A is given by [[Ci]]
pc;wob
A in parallel with the buffers associated with the origi-
nally asynchronous local interactions of Ci attached to C, we derive that:
[[Ci]]
pc;#C
A /ϕCi,async(OALICi) / (Name − VCi;C)
≈P
[[Ci,K]]
tc;#C,Ci,K;Ci
Ci,BCi / (HCi,K ∪ ECi,K) /ϕCi,async(OALICi) / (Name − VCi;C)≈P
[[Ci,K]]
tc;#C,Ci,K;Ci
Ci,BCi /ECi,K /ϕCi,async(OALICi) / (Name − VCi;C)
because HCi,K ⊆ (Name − VCi;C). Note that the term above includes [[K]]pc;wobA , which, by
virtue of condition 1 and Prop. 5.1 of [2], satisfies:
[[K]]pc;wobA ≈P [[K,BK − {Ci}]]tc;#K,BK ;KK,BK /
n∪
l=1,l 6=i
(HK,Cl ∪ EK,Cl)
Since ≈P is a congruence with respect to static process algebraic operators, from the equali-
ties above we derive that:
[[Ci,K]]
tc;#C,Ci,K;Ci
Ci,BCi /ECi,K /ϕCi,async(OALICi) / (Name − VCi;C)≈P
[[Ci,K,BK − {Ci}]]tc;#C,K,BK ;CiCi,BCi /
n∪
l=1,l 6=i
(HK,Cl ∪ EK,Cl) /ECi,K /ϕCi,async(OALICi) / (Name − VCi;C)
Since
n∪
l=1,l 6=i
HK,Cl ⊆ (Name−VCi;C), by definition of totally closed semantics the right-hand
term of the last equality is ≈P -equivalent to:
[[K,BK ]]tc;#C,K,BKCi,BCi /
n∪
l=1
EK,Cl / (Name − VCi;C)
≈P
[[K,BK ]]tc;#C,K,BKCi,BCi /EK,BK / (Name − VCi;C)
Since the hiding operation hides all the actions but the interactions from Ci attached to C,
this term is ≈P -equivalent to [[K,BK ]]tc;#C,K,BKA /EK,BK / (Name − VCi;C). Therefore, we
have shown that [[K ′]]tc;#CC,BC ≈P [[Ci]]
tc;#C
C,BC .
∗ Case II: [[Ci]]pc;wobA satisfies P. The proof straightforwardly derives from case I; in particular,
K ′ turns out to be isomorphic to [[K,BK ]]tc;#K,BK ;CiA .
∗ Case III: [[K]]pc;wobA satisfies P. The proof straightforwardly derives from case i and case I;
in particular, K ′ turns out to be isomorphic to [[K,BK ]]tc;#K,BK ;KA .
∗ Case IV: no AEI in the star satisfies P. It is sufficient to apply the same arguments as the
previous case and then observe that K ′ does not satisfy P.
• Let the result hold for a certain m ≥ 0 and suppose that the abstract enriched flow graph of A has
m + 1 cycles. Since the cycle covering algorithm κ of condition 2 is total, let Y = {C1, . . . , Cn} be a
cyclic union in CU(κ) that directly interacts with at most one cyclic union in CU(κ). In the following,
we let I = {Cg} ∪ FC1,...,Cn if there exists Cg satisfying condition 2.c, and I = FC1,...,Cn otherwise.
Now, we replace the AEIs C1, . . . , Cn with a new AEI C whose behavior is isomorphic to:
[[Y]]tc;#Y;IA / (Name − ∪
C′∈I
VC′;A) / ∪
C′∈I
(HC′,Y ∪ EC′,Y)
thus obtaining an architectural description A′ such that:
1. [[C]]pc;wobA′ satisfies P iff so does at least one AEI in Y. Indeed, one such AEI exists in Y iff,
by virtue of conditions 2.b and 2.c, I includes an AEI C ′ that P-interoperates with Y such that
5
[[C ′]]pc;wobA satisfies P, which means that [[Y]]tc;#Y;C
′
A / (Name−VC′;A) / (HC′,Y ∪EC′,Y) satisfies P
and hence so does [[C]]pc;wobA′ because P does not contain any free use of negation.
2. C preserves condition 1. In fact, let K be an arbitrary AEI attached to C because it was previ-
ously attached to an AEI Cj of FC1,...,Cn . It holds that C is P-compatible with K and vice versa.
On C side, we have that in A:
([[Cj ]]
pc;#K
A ‖S(Cj ,K;A) [[K]]tc;#CjCj ,BCj ) / (HCj ,K ∪ ECj ,K) ≈P [[Cj ]]
pc;wob
A
from which it follows that in A′:
([[C]]pc;#KA′ ‖S(C,K;A′) [[K]]tc;#CC,BC ) / (HC,K ∪ EC,K) ≈P [[C]]
pc;wob
A′
because ≈P is a congruence with respect to static process algebraic operators.
On K side, it can be similarly shown that from:
([[K]]
pc;#Cj
A ‖S(K,Cj ;A) [[Cj ]]tc;#KK,BK ) / (HK,Cj ∪ EK,Cj ) ≈P [[K]]
pc;wob
A
we derive that:
([[K]]pc;#CA′ ‖S(K,C;A′) [[C]]tc;#KK,BK ) / (HK,C ∪ EK,C) ≈P [[K]]
pc,wob
A′
because Cj P-interoperates with the other AEIs in Y due to condition 2.b.
3. If A′ is cyclic, then condition 2 is preserved. In fact, let CU ′(κ) be the set of cyclic unions for
A′ obtained from CU(κ) by replacing in each original cyclic union every occurrence of C1, . . . , Cn
with C. Every cyclic union in CU ′(κ) that does not include C has a corresponding topologically
equivalent cyclic union in CU(κ).
Now, consider a cyclic union X ′ ∈ CU ′(κ) formed by the AEIs H1, . . . ,Hm, C. Then, CU(κ) in-
cludes a cyclic union X formed by the AEIs H1, . . . ,Hm, Cj , where Cj ∈ FC1,...,Cn . By virtue of
condition 2.b:
[[X ]]tc;#X ;CjA / (Name − VCj ;A) / (HCj ,X ∪ ECj ,X ) ≈P [[Cj ]]pc;wobA
Since ≈P is a congruence with respect to static process algebraic operators:
[[X ′]]tc;#X ′;CA′ / (Name − VC;A′) / (HC,X ′ ∪ EC,X ′) ≈P [[C]]pc;wobA′
Therefore, if FH1,...,Hm,C = ∅, then condition 2.a is preserved; otherwise, if C ∈ FH1,...,Hm,C , then
C preserves condition 2.b and so does each Hl ∈ FH1,...,Hm,C − {C} as from:
[[X ]]tc;#X ;HlA / (Name − VHl;A) / (HHl,X ∪ EHl,X ) ≈P [[Hl]]pc;wobA
we derive that:
[[X ′]]tc;#X ′;HlA′ / (Name − VHl;A′) / (HHl,X ′ ∪ EHl,X ′) ≈P [[Hl]]pc;wobA′
because Cj P-interoperates with its cyclic union.
Now, let us consider condition 2.c and assume that no AEI in the frontier of X satisfies P. If, by
virtue of condition 2.c, there is Hg ∈ X such that [[Hg]]pc;wobA satisfies P and Hg P-interoperates
with X , then, by virtue of the same arguments used for Hl, we immediately derive that Hg
P-interoperates with X ′, thus preserving condition 2.c.
On the other hand, if Cj is such that [[Cj ]]
pc;wob
A satisfies P, then we have shown that [[C]]pc;wobA′
satisfies P and P-interoperates with X ′. Hence, C preserves condition 2.c in the case it does not
belong to the frontier of X ′.
4. The abstract enriched flow graph of A′ has at most m cycles.
Then, by the induction hypothesis, the theorem holds for [[A′]]pc;#A′bbm . Since P does not contain any
free use of negation, we immediately derive that the theorem holds also for [[A]]pc;#Abbm .
Behavioral Variations
We continue by extending the result to behavioral variations, i.e., to instances of an AT whose observable
behaviors conform to each other according to weak bisimilarity ≈B as defined in [1, 2].
Corollary 5.1 of [2] Let A be an architectural description and P ∈ Ψ be a property for which the two
conditions of Thm. 5.1 of [2] hold. Whenever≈B⊆≈P , then for each AT instanceA′ that strictly behaviorally
conforms to A it turns out that [[A′]]pc;#A′bbm satisfies P iff so does [[C]]pc;wobA for some C ∈ A.
6
Proof Due to behavioral conformity, [[A′]]pc;#A′bbm ≈B [[A]]pc;#Abbm up to an injective relabeling function that
matches local interactions occurring in A′, A, and P. Therefore, [[A′]]pc;#A′bbm ≈P [[A]]pc;#Abbm up to the same
relabeling function, because ≈B⊆≈P , and hence [[A′]]pc;#A
′
bbm satisfies P iff so does [[A]]pc;#Abbm . The result then
follows from Thm. 5.1 of [2].
Exogenous Variations
We now extend the result to topological variations of exogenous nature, which take place at the topological
frontier formed by architectural interactions as explained in [1, 2]. Following the notation used in [2], we
denote by SFC1,...,Cn the semi-frontier of a set of AEIs {C1, . . . , Cn}; moreover, we consider partially/totally
semi-closed interacting semantics, in which architectural interactions are left visible, and the related P-semi-
compatibility and P-semi-interoperability checks, together with the notion of exo-coverability.
Corollary 5.2 of [2] Let A be an architectural description and P ∈ Ψ be a property for which the two
conditions of Thm. 5.1 of [2] hold. Let A′ be an AT instance resulting from a strictly topologically conformant
exogenous variation of A for which the following additional conditions hold:
3. For each K ∈ A belonging to an acyclic portion or to the intersection of some cycle with acyclic portions
of the abstract enriched flow graph of A, if K is of the same type as an AEI having architectural
interactions at which the exogenous variation takes place, then K is P-semi-compatible with every
C ∈ BK − CUAK .
4. IfA′ is cyclic, thenA′ is exo-coverable by κ and, for each Cj ∈ SFC1,...,Cn with {C1, . . . , Cn} ∈ CUA(κ),
if Cj is of the same type as an AEI having architectural interactions at which the exogenous variation
takes place, then Cj P-semi-interoperates with the other AEIs in {C1, . . . , Cn}.
Then [[A′]]pc;#A′bbm satisfies P iff so does [[C]]pc;wobA for some C ∈ A.
Proof We show that A′ satisfies the two conditions of Thm. 5.1 of [2], from which the result will immediately
follow:
• A′ satisfies condition 1. Consider an AEIK ∈ A′ belonging to an acyclic portion or to the intersection of
some cycle with acyclic portions of the abstract enriched flow graph of A′, and an AEI C ∈ BK−CUA
′
K .
We distinguish among the following four cases:
– Both AEIs are in A. On the one hand, if K is not an AEI having architectural interactions at
which the exogenous extension takes place, then K is P-compatible with C by virtue of condition 1
applied to A. On the other hand, if K is an AEI having architectural interactions at which the
exogenous extension takes place, then by virtue of condition 3 it holds that K is P-semi-compatible
with C in A, from which we derive that K is P-compatible with C in A′.
– K ∈ A and C is an additional AEI. By hypothesis, in A there is an attachment between an
AEI K ′ and corr(C), such that K ′ is of the same type as K and corr(C) ∈ BK′ − CUAK′ . Then,
by virtue of condition 3, K ′ is P-semi-compatible with corr(C), from which it follows that K is
P-compatible with C.
– K is an additional AEI and C ∈ A. By hypothesis, in A there is an attachment between an
AEI C ′ and corr(K), such that C ′ is of the same type as C and C ′ ∈ Bcorr(K) − CUAcorr(K).
Then, by virtue of condition 1, corr(K) is P-compatible with C ′, from which it follows that K is
P-compatible with C.
– Both K and C are additional AEIs. By hypothesis, in A there are two attached AEIs corr(K) and
corr(C) such that, by virtue of condition 1 applied to A, corr(K) is P-compatible with corr(C).
As a consequence, K is P-compatible with C.
7
• If A′ is cyclic, then A′ satisfies condition 2. We first observe that A′ satisfies condition 2.a because, by
virtue of condition 4, the exogenous variation of κ applied to A′ cannot generate a single cyclic union
with empty frontier.
Now, suppose that CUA′K is a cyclic union generated by the exogenous variation of κ. By virtue of
condition 4, we distinguish between the following two cases:
– If K is in A, then CUA′K = CUAK and each Ci ∈ FCUA′K belongs to SFCUAK . Then, by virtue of
condition 4 or by virtue of condition 2.b applied to A, Ci P-interoperates with the other AEIs of
CUA′K . Hence, CUA
′
K satisfies condition 2.b. For the same reason, if CUAK satisfies condition 2.c,
then so does CUA′K .
– IfK is an additional AEI, then CUA′K is strictly topologically equivalent to CUAcorr(K) ∈ CUA(κ). By
means of an argument similar to the one applied above, it follows that CUA′K satisfies condition 2.b
because so does CUAcorr(K), and that if CUAcorr(K) satisfies condition 2.c, then so does CUA
′
K .
Endogenous Variations
We further extend the result to endogenous variations, which take place inside the topological frontier as
explained in [1, 2]. Following [2], we consider the notion of endo-coverability.
Corollary 5.3 of [2] Let A be an architectural description and P ∈ Ψ be a property for which the two
conditions of Thm. 5.1 of [2] hold. Let A′ be an AT instance resulting from an endogenous variation of A
for which the following additional conditions hold:
3 . For each attachment in A′ from interaction o of an AEI C ′1, which belongs to an acyclic portion or
to the intersection of some cycle with acyclic portions of the abstract enriched flow graph of A′, to
interaction i of an AEI C ′2 ∈ BC′1 − CUA
′
C′1
, there exists an attachment in A from interaction o of an
AEI C1 of the same type as C
′
1, with C1 belonging to an acyclic portion or to the intersection of
some cycle with acyclic portions of the abstract enriched flow graph of A, to interaction i of an AEI
C2 ∈ BC1 − CUAC1 of the same type as C ′2.
4 . No local interaction occurring in P is involved in attachments canceled by the endogenous variation.
5 . If A or A′ is cyclic, then A′ is endo-coverable by κ and for each cyclic union CUA′C generated by the
endogenous variation of κ:
(a) No local interaction of the AEIs of CUAC that P-interoperate with the other AEIs in CUAC by virtue
of condition 2 of Thm. 5.1 of [2] is involved in attachments canceled by the endogenous variation.
(b) No possibly added AEI in CUA′C belongs to the frontier of CUA
′
C .
(c) If C ∈ A, then [[CUA′C ]]pc;#CU
A′
C
CUA′C
/H ≈P [[CUAC ]]pc;#CU
A
C
CUAC
/H where H contains all local interactions
of the added/removed AEIs as well as those attached to them.
Then [[A′]]pc;#A′bbm satisfies P iff so does [[C]]pc;wobA for some C ∈ A.
Proof We show that A′ satisfies the two conditions of Thm. 5.1 of [2], from which the result will immediately
follow thanks to condition 4 :
• A′ satisfies condition 1. Consider an AEIK ∈ A′ belonging to an acyclic portion or to the intersection of
some cycle with acyclic portions of the abstract enriched flow graph of A′, and an AEI C ∈ BK−CUA
′
K .
We distinguish between the following two cases:
8
– Both AEIs are in A. The only interesting case occurs whenever K and C are not attached in A.
In this case, by virtue of condition 3 , there exists an attachment in A of the same kind between
an AEI of the same type as K and an AEI of the same type as C, from which the result follows
by virtue of condition 1 applied to A.
– K ∈ A and C is an additional AEI, or K is an additional AEI and C ∈ A, or both K and C are
additional AEIs. It is sufficient to apply the same argument illustrated above.
• If A′ is cyclic, then A′ satisfies condition 2. Suppose that the endogenous variation of κ generates a
single cyclic union CUA′C with empty frontier. Then, by virtue of condition 5 .c, [[CUA
′
C ]]
pc;#CUA′C
CUA′C
/H ≈P
[[CUAC ]]pc;#CU
A
C
CUAC
/H and by virtue of conditions 5 .a and 5 .b it turns out that conditions 2.a and 2.c are
preserved. In particular, we now show that if there exists Ci ∈ CUAC that, by virtue of condition 2.a
or 2.c applied to A, P-interoperates with the other AEIs in CUAC , then Ci P-interoperates with the
other AEIs in CUA′C . By hypothesis:
[[CUAC ]]tc;#CU
A
C ;Ci
A / (Name − VCi;A) / (HCi,CUAC ∪ ECi,CUAC ) ≈P [[Ci]]
pc;wob
A
By condition 5 .a, H ⊆ (Name − VCi;A). Hence, the left-hand term of this equality is P-equivalent to:
[[CUAC ]]pc;#CU
A
C
CUAC
/H / (Name − VCi;A) / (HCi,CUAC ∪ ECi,CUAC )
and to:
[[CUA′C ]]pc;#CU
A′
C
CUA′C
/H / (Name − VCi;A′) / (HCi,CUA′C ∪ ECi,CUA′C )
which, for the same motivations, is P-equivalent to:
[[CUA′C ]]tc;#CU
A′
C ;Ci
A′ / (Name − VCi;A′) / (HCi,CUA′C ∪ ECi,CUA′C )
from which the result follows.
Now, suppose that CUA′C is a cyclic union with nonempty frontier generated by the endogenous variation
of κ. We distinguish between the following two cases:
– If CUA′C is equal to CUAC (resp. strictly topologically equivalent to a cyclic union Y ∈ CUA(κ)),
then CUA′C satisfies conditions 2.b and 2.c because so does CUAC (resp. Y).
– If CUA′C includes some of the added AEIs or CUAC includes some of the removed AEIs, then it is
sufficient to apply condition 5 as shown above to derive that conditions 2.b and 2.c are preserved.
Multiplicity Variations
We finally extend the result to multiplicity variations, which take place at and-/or-interactions as explained
in [1, 2].
Corollary 5.4 of [2] Let A be an architectural description and P ∈ Ψ be a property for which the two
conditions of Thm. 5.1 of [2] hold. Let A′ be an AT instance resulting from a multiplicity variation of A for
which the following additional conditions hold:
3˜ . No local interaction occurring in P is involved in attachments canceled by the multiplicity variation.
4˜ . No local or-interaction involved in the multiplicity variation is attached to a semi-synchronous uni-
interaction or to an input asynchronous uni-interaction.
5˜ . Each local or-interaction involved in the multiplicity variation is enabled infinitely often.
6˜ . If A or A′ is cyclic, then CUA(κ) = CUA′(κ).
Then [[A′]]pc;#A′bbm satisfies P iff so does [[C]]pc;wobA for some C ∈ A.
9
Proof We show that A′ satisfies the two conditions of Thm. 5.1 of [2], from which the result will immediately
follow thanks to condition 3˜ :
• A′ satisfies condition 1. Consider an AEIK ∈ A′ belonging to an acyclic portion or to the intersection of
some cycle with acyclic portions of the abstract enriched flow graph of A′, and an AEI C ∈ BK−CUA
′
K .
We distinguish among the following five cases:
– Both AEIs are in A and are attached through interactions that are not subject to the multiplicity
variation. Then, K is P-compatible with C by virtue of condition 1 applied to A.
– K is in A and has an and-interaction (subject to the multiplicity variation) to which the AEI C
is attached. If C is in A, then K is P-compatible with C by virtue of condition 1 applied to A.
If C is an additional AEI, then C is of the same type as an AEI C ′ of A that is attached to K
through the same and-interaction. By virtue of condition 1, K is P-compatible with C ′, from
which we derive that K is P-compatible with C.
– K is in A and has an or-interaction (subject to the multiplicity variation) to which the AEI C
is attached. First, assume that C is in A. By virtue of condition 4˜ , both in A and in A′ the
AEI C does not raise any exception because of the attachments between K and any other AEI
attached to the or-interaction. Hence, K is P-compatible with C by virtue of condition 1 applied
to A. Second, assume that C is an additional AEI. In this case, we can apply the same argument,
observing that C is of the same type as an AEI C ′ of A that is attached to K through the same
or-interaction.
– C is in A and has an and-interaction (subject to the multiplicity variation) to which K is attached.
If K is in A, then K is P-compatible with C by virtue of condition 1 applied to A. If K is an
additional AEI, then it is of the same type as an AEI K ′ of A that is attached to C through the
same and-interaction. By virtue of condition 1, K ′ is P-compatible with C, from which we derive
that K is P-compatible with C.
– C is in A and has an or-interaction (subject to the multiplicity variation) to which the AEI K
is attached. First, assume that K is in A. By virtue of condition 4˜ , both in A and in A′ the
AEI K does not raise any exception because of the attachments between C and any other AEI
attached to the or-interaction. Moreover, by virtue of condition 5˜ , K eventually communicates
with C through the or-interaction of C. Hence, K is P-compatible with C by virtue of condition 1
applied to A. Second, assume that K is an additional AEI. In this case, we can apply the same
argument, observing that K is of the same type as an AEI K ′ of A that is attached to C through
the same or-interaction.
• A′ satisfies condition 2 because, by virtue of condition 6˜ , the set of cyclic unions generated by κ for A′
is the same as the one generated by κ for A.
References
[1] A. Aldini and M. Bernardo, “On the Usability of Process Algebra: An Architectural View”, in Theoretical
Computer Science 335:281–329, 2005.
[2] A. Aldini, M. Bernardo, and F. Corradini, “A Process Algebraic Approach to Software Architecture Design”,
Springer, 2010.
[3] M. Bernardo, E. Bonta`, and A. Aldini, “Handling Communications in Process Algebraic Architectural Descrip-
tion Languages: Modeling, Verification, and Implementation”, in Journal of Systems and Software 83:1404–
1429, 2010.
[4] M. Bernardo, P. Ciancarini, and L. Donatiello, “Architecting Families of Software Systems with Process Alge-
bras”, in ACM Trans. on Software Engineering and Methodology 11:386–426, 2002.
10
ORIGINAL PAPER
Handling Communications in Process Algebraic Architectural Description Languages:
Modeling, Verification, and Implementation
Marco Bernardo Edoardo Bonta` Alessandro Aldini
Abstract
Architectural description languages are a useful tool for modeling complex software systems at a high
level of abstraction. If based on formal methods, they can also serve for enabling the early verification
of various properties such as component coordination and for guiding the synthesis of code correct
by construction. This is the case with process algebraic architectural description languages, which are
process calculi enhanced with the main architectural concepts. However, the techniques with which those
languages have been equipped are mainly conceived to work with synchronous communications only. The
objective of this paper is threefold. On the modeling side, we show how to enhance the expressiveness of
a typical process algebraic architectural description language by including the capability of representing
nonsynchronous communications in such a way that the usability of the original language is preserved.
On the verification side, we show how to modify techniques for analyzing the absence of coordination
mismatches like the compatibility check for acyclic topologies and the interoperability check for cyclic
topologies in such a way that those checks are valid also for nonsynchronous communications. On the
implementation side, we show how to generate multithreaded object-oriented software in the presence
of synchronous and nonsynchronous communications in such a way that the properties proved at the
architectural level are preserved at the code level.
1 Introduction
The growing complexity and the increasing size of modern software systems can be managed by adopting
notations for formal or semi-formal system modeling (model-driven approach). In this way, design documents
with a precise syntax can be produced and shared by all the people contributing to system development. In
order to avoid delays and cost increases due to the late discovery of errors in the development process, another
task that such notations should carry out is to enable the rigorous and hopefully automated analysis of system
properties and to guide the synthesis of code correct by construction. For instance, it is widely recognized
that property verification finds its own rightful place in the architectural design phase [38, 12]. The reason is
that this phase precedes system implementation and provides support for declarative/behavioral/topological
system models that are complete at a high level of abstraction.
Many architectural description languages have been proposed. Some of them – like, e.g., Wright [4, 3],
Darwin/FSP [31, 32], LEDA [14], PADL [1], and pi-ADL [35] – are based on process algebra [34, 29, 6]
due to its support to compositional modeling. It is worth noting that process algebra is compositional, but
not component-oriented. Thus, from the point of view of process algebra, its architectural versions are a
significant step forward in terms of usability. In fact, they give special prominence to the main architectural
concepts – components, connectors, and styles – while hiding the process algebraic technicalities to the
software developer.
On the modeling side, this architectural upgrade has three important consequences. First, it permits
to describe the behavior of the components separately from the representation of the system topology, thus
overcoming the modeling difficulties deriving from the direct use of certain process algebraic operators like,
e.g., parallel composition. Second, it highlights the interactions among components and the classification of
their communications, thus allowing for static checks establishing system model well-formedness. Third, it
fosters the reuse of the specification of single components as well as of complete systems, thus supporting
the compositional and hierarchical modeling of entire system families.
On the verification side, process algebraic architectural description languages inherit all the techniques
applicable to process algebra, like model checking [18] and equivalence checking [19]. In addition, such
languages are equipped with ad-hoc analysis techniques (see, e.g., [4, 30, 15, 1]) mostly based on behavioral
equivalences [27], which are useful for detecting coordination mismatches that may arise when assembling
together components that are correct if taken in isolation. Moreover, they can generate diagnostic information
for pinpointing components responsible for mismatches.
11
The ad-hoc analysis techniques proposed in the literature deal only with synchronous communications.
In that setting, all ports of software components are blocking. A component waiting on a synchronous input
port cannot proceed until an output is sent by another component. Similarly, a component issuing an output
via a synchronous output port cannot proceed until another component is willing to receive. The limitation
to synchronous communications is not so restrictive for usual properties like deadlock freedom, which should
hold when no communication is blocking. In contrast, the validity of other properties related to activity
sequencing or message ordering may not be guaranteed in the presence of nonsynchronous communications.
In order to address the usual properties in a more general setting as well as the other properties mentioned
above, the first contribution of this paper is to show how to enhance the expressiveness of a typical process
algebraic architectural description language by including the capability of representing nonsynchronous com-
munications in such a way that the usability of the original language is preserved. More specifically, we focus
on PADL [1] and we extend it by means of additional qualifiers useful to distinguish among synchronous,
semi-synchronous, and asynchronous ports.
Semi-synchronous ports are not blocking. A semi-synchronous port of a component succeeds if there is
another component ready to communicate with it, otherwise it raises an exception so as not to block the
component to which it belongs. For example, a semi-synchronous input port can be used to model accesses
to a tuple space via input or read probes [25]. A semi-synchronous output port can instead be used to model
the interplay between a graphical user interface and an underlying application, as the former must not block
whenever the latter cannot do certain tasks requested by the user.
Analogously, asynchronous ports are not blocking. Here the reason is that the beginning and the end of the
communications in which these ports are involved are completely decoupled. For instance, an asynchronous
output port can be used to model output operations on a tuple space. An asynchronous input port can instead
be used to model the periodical check for the presence of information received from an event notification
service [16].
In the extended language, semi-synchronous ports can be easily handled with suitable semantic rules
generating exceptions whenever necessary, whereas asynchronous ports require the addition of implicit
repository-like components. In any case, the semantic treatment of nonsynchronous communications is
completely transparent to PADL users, as they only have to specify suitable synchronicity-related qualifiers
in their architectural descriptions. Therefore, the degree of usability of the original language is unaffected.
The second contribution of this paper is to show how to modify techniques for analyzing the absence of
coordination mismatches – like the compatibility check for acyclic topologies and the interoperability check
for cyclic topologies introduced in [1] – in such a way that those checks can still be applied in the presence
of nonsynchronous communications.
This is accomplished by viewing certain activities carried out through semi-synchronous and asynchronous
ports as internal activities when performing the above mentioned checks. The reason is that each such activity
has a specific outcome and takes place at a specific time instant when considered from the point of view of
the individual component executing that activity. However, in the overall architecture the same activity can
raise an exception (if the port is semi-synchronous and the other ports are not ready to communicate with it)
or can be delayed (if the port is asynchronous and the communication is buffered). Thus, if we do not regard
exceptions and all the activities carried out through asynchronous ports as internal activities at verification
time, the compatibility or interoperability check may fail even in the absence of a real coordination mismatch.
The third contribution of this paper is to show how to generate multithreaded object-oriented software
from process algebraic architectural descriptions including various kinds of communications in such a way
that the properties proved at the architectural level are preserved at the code level. This last contribution is
related to one of the big issues in the software engineering field, i.e., guaranteeing that the implementation
of a software system complies with its architectural description [23]. Indeed, the purpose of automatic
code generation should be not only to speed up system implementation, but also to ensure conformance by
construction.
In order to bridge the gap between system modeling/verification and system implementation, we propose
an approach that automatically synthesizes multithreaded Java programs from PADL descriptions containing
an arbitrary combination of synchronous, semi-synchronous, and asynchronous ports. The choice of Java as
12
target language is due to the fact that Java offers a set of mechanisms for the well-structured management of
threads and their shared data, which should simplify the code generation task. Moreover, its object-oriented
nature – and specifically its encapsulation capability – makes Java an appropriate candidate for coping with
the high level of abstraction of process algebraic architectural descriptions during code generation.
The proposed approach is divided into two phases. In the first phase, we develop an architecture-driven
technique for thread coordination management. Similar to previous work (see, e.g., [37]), we advocate the
provision of a suitable software package that takes care of the details of thread coordination by means of
architecture-inspired units in a way that is completely transparent to the software developer. The distin-
guishing feature of the first phase of our proposal is that also the employment of the package should follow
the same architecture-centric spirit. In other words, the use of the package units should be guided by the
architectural description of the system to be developed, as this description is a well suited tool for achieving
correct thread coordination in the case of concurrent object-oriented programs.
In the second phase, we handle the translation of the process algebraically specified behavior of individual
software components into threads. The separation of thread behavior generation from thread coordination
management turns out to be particularly appropriate in order to limit human intervention. In fact, while a
completely automated and architecture-driven technique can guarantee correct thread coordination, only a
partial translation based on stubs is possible for the generation of threads. In addition to the considerations
of [32], in which it is shown how a disciplined process algebraic modeling is beneficial at subsequent stages,
we also provide a set of guidelines for filling in stubs, which guarantee the preservation at the code level of
properties proved on the architectural description of the system under construction.
This paper, which is a full and revised version of [10, 8, 9], is organized as follows. After recalling
PADL in Sect. 2, in Sect. 3 we extend its syntax with semi-synchronous and asynchronous ports and we
consequently revise its semantics. A running example based on a client-server system is used throughout
both sections. In Sect. 4, we modify the architectural compatibility and interoperability checks in order to
deal with nonsynchronous communications as well. The modified checks are illustrated on the architectural
description of an applet-based simulator for a cruise control system. In Sect. 5, we present the two-phase
approach for synthesizing multithreaded Java software from PADL descriptions including synchronous and
nonsynchronous communications. The approach is exemplified by means of the same cruise control system
simulator as the previous section. Finally, in Sect. 6 we provide some concluding remarks and directions for
future work.
2 The Architectural Description Language PADL
PADL is a process algebraic architectural description language. In this section, after recalling some basic
notions of process algebra (Sect. 2.1), we present PADL syntax (Sect. 2.2) and semantics (Sect. 2.3) by
illustrating them through a client-server running example. For a complete presentation and comparisons
with related work, the interested reader is referred to [1].
2.1 Process Algebra
Process calculi [34, 29, 6] provide a set of operators by means of which the behavior of a system can be
described in an action-based, compositional way. Given a set Name = Namev∪{τ} of action names including
τ for denoting an invisible action, together with a set Relab = {ϕ : Name → Name | ϕ−1(τ) = {τ}} of
relabeling functions preserving action visibility, we consider a process calculus PA with the following process
13
term syntax:
P ::= 0 inactive process
| B process constant (B ∆= P )
| a . P action prefix (a ∈ Name)
| P + P alternative composition
| P ‖S P parallel composition (S ⊆ Namev)
| P/H hiding (H ⊆ Namev)
| P [ϕ] relabeling (ϕ ∈ Relab)
Operational semantic rules map every process term P of PA to a state-transition graph [[P ]] called labeled
transition system. In this graph, each state corresponds to a process term derivable from P , the initial state
corresponds to P , and each transition is labeled with the corresponding action.
Observed that no rule is necessary for the inactive process 0 – as [[0]] must be a single-state graph with no
transitions – the operational semantic rules for dynamic operators (action prefix and alternative composition)
and process constants are the following:
a . P
a−−−→ P B
∆
= P P
a−−−→ P ′
B
a−−−→ P ′
P1
a−−−→ P ′
P1 + P2
a−−−→ P ′
P2
a−−−→ P ′
P1 + P2
a−−−→ P ′
Process a . P can execute an action with name a and then behaves as P . Process P1 + P2 behaves as either
P1 or P2 depending on which of them executes an action first (nondeterministic choice). Constant B behaves
as the process term occurring in its possibly recursive defining equation.
The operational semantic rules for static operators (parallel composition, hiding, and relabeling) are the
following:
P1
a−−−→ P ′1 a /∈ S
P1 ‖S P2
a−−−→ P ′1 ‖S P2
P2
a−−−→ P ′2 a /∈ S
P1 ‖S P2
a−−−→ P1 ‖S P ′2
P1
a−−−→ P ′1 P2
a−−−→ P ′2 a ∈ S
P1 ‖S P2
a−−−→ P ′1 ‖S P ′2
P
a−−−→ P ′ a ∈ H
P/H
τ−−−→ P ′/H
P
a−−−→ P ′ a /∈ H
P/H
a−−−→ P ′/H
P
a−−−→ P ′
P [ϕ]
ϕ(a)
−−−→ P ′[ϕ]
Process P1 ‖S P2 behaves as P1 in parallel with P2 as long as actions are executed whose name does not
belong to S. In contrast, synchronizations are forced between any action executed by P1 and any action
executed by P2 that have the same name belonging to S. Process P/H behaves as P with all executed
actions occurring in H made invisible. Process P [ϕ] behaves as P with all executed actions relabeled via ϕ.
Process terms are compared and manipulated by means of behavioral equivalences [27]. Among the
various approaches, for PA we consider weak bisimilarity, according to which two process terms are equivalent
if they are able to mimic each other’s visible behavior stepwise [34].
14
Denoted by ===⇒ the extension of −−−→ to action sequences, we say that a symmetric relation R is
a weak bisimulation iff for all (P1, P2) ∈ R: (i) whenever P1
a−−−→ P ′1 for a ∈ Namev, then P2 τ
∗aτ∗
===⇒ P ′2
and (P ′1, P
′
2) ∈ R; (ii) whenever P1
τ−−−→ P ′1, then P2 τ
∗
===⇒ P ′2 and (P ′1, P ′2) ∈ R. Weak bisimilarity ≈B,
defined as the union of all the weak bisimulations, is a congruence with respect to all the operators except
for alternative composition and has a modal characterization based on a weak variant of Hennessy-Milner
logic.
2.2 PADL Textual and Graphical Notations
A PADL description represents an architectural type, which is a family of software systems sharing certain
constraints on the observable behavior of their components as well as on their topology.
The textual description of an architectural type starts with the name and the formal parameters (initial-
ized with default values) of the architectural type. The textual description then comprises two sections, as
shown below:
ARCHI TYPE /name and initialized formal parameters.
ARCHI BEHAVIOR
...
...
ARCHI ELEM TYPE /AET name and formal parameters.
BEHAVIOR /sequence of PA defining equations built from
stop, action prefix, choice, and recursion.
INPUT INTERACTIONS /input uni/and/or-interactions.
OUTPUT INTERACTIONS /output uni/and/or-interactions.
...
...
ARCHI TOPOLOGY
ARCHI ELEM INSTANCES /AEI names and actual parameters.
ARCHI INTERACTIONS /architecture-level AEI interactions.
ARCHI ATTACHMENTS /attachments between AEI local interactions.
END
The first section defines the behavior of the system family by means of types of software components and
connectors, which are collectively called architectural element types. The definition of an AET starts with
its name and its formal parameters and consists of the specification of its behavior and its interactions.
The behavior of an AET has to be provided in the form of a sequence of defining equations written in
a verbose variant of PA allowing only for the inactive process (rendered as stop), the value-passing action
prefix operator with a possible boolean guard condition, the alternative composition operator (rendered as
choice), and recursion (behavioral invocations).
The interactions are those actions occurring in the process algebraic specification of the behavior that
act as interfaces for the AET, while all the other actions are assumed to represent internal activities. Each
interaction has to be equipped with two qualifiers. The first one establishes whether the interaction is an
input or output interaction, whereas the second one describes the multiplicity of the communications in
which the interaction can be involved.
We distinguish among uni-interactions mainly involved in one-to-one communications (qualifier UNI),
and-interactions guiding inclusive one-to-many communications like multicasts (qualifier AND), or-interactions
guiding selective one-to-many communications like those between a server and its clients (qualifier OR). It can
also be established that an output or-interaction depends on an input or-interaction, in order to guarantee
that a selective one-to-many output is sent to the same element from which the last selective many-to-one
input was received (keyword DEP).
The second section of the PADL description defines the topology of the system family. It is composed
of three subsections. First, we have the declaration of the instances of the AETs – called AEIs – which
represent the actual system components and connectors, together with their actual parameters. Then, we
15
have the declaration of the architectural (as opposed to local) interactions, which are some of the interactions
of the AEIs that act as interfaces for the whole systems of the family. Finally, we have the declaration of
the architectural attachments among the local interactions of the AEIs, which make the AEIs communicate
with each other.
An attachment is admissible only if it goes from a local output interaction of an AEI to a local input
interaction of another AEI. Moreover, a local uni-interaction can be attached to only one local interaction,
whereas a local and-/or-interaction can be attached to (several) local uni-interactions only.
Besides the textual notation, PADL comes equipped with a graphical notation that is an extension of the
flow graph notation [34]. In an enriched flow graph, AEIs are depicted as boxes, local (resp. architectural)
interactions are depicted as small black circles (resp. white squares) on the box border, and attachments
are depicted as directed edges between pairs each composed of a local output interaction and a local input
interaction. The small circle/square of an interaction is extended with a triangle (resp. bisected triangle)
outside the AEI box if the interaction is an and-interaction (resp. or-interaction). Or-dependences are
depicted as dotted edges.
Example 2.1 Suppose we need to model a scenario in which there is a server that can be contacted at any
time by two identically behaving clients. Assume that the server has no buffer for holding incoming requests
and that, after sending a request, a client cannot proceed until it receives a response from the server. The
server AET can be defined as follows:
ARCHI_ELEM_TYPE Server_Type(void)
BEHAVIOR
Server(void; void) =
receive_request . compute_response . send_response . Server()
INPUT_INTERACTIONS OR receive_request
OUTPUT_INTERACTIONS OR send_response DEP receive_request
where compute response is an internal action, while send response is declared to depend on receive request
in order to make sure that each response is sent back to the client that issued the corresponding request.
Since the behavior of the two clients is identical, a single client AET suffices:
ARCHI_ELEM_TYPE Client_Type(void)
BEHAVIOR
Client(void; void) =
process . send_request . receive_response . Client()
INPUT_INTERACTIONS UNI receive_response
OUTPUT_INTERACTIONS UNI send_request
where process is an internal action. Finally, we declare the topology of the system as follows by using the
dot notation for the local interactions:
ARCHI_TOPOLOGY
ARCHI_ELEM_INSTANCES
S : Server_Type();
C_1 : Client_Type();
C_2 : Client_Type()
ARCHI_INTERACTIONS
void
ARCHI_ATTACHMENTS
FROM C_1.send_request TO S.receive_request;
FROM C_2.send_request TO S.receive_request;
FROM S.send_response TO C_1.receive_response;
FROM S.send_response TO C_2.receive_response
16
The topology is better illustrated by the following enriched flow graph:
send_request receive_response send_request
receive_request send_response
receive_response
S:Server_Type()
C_1:Client_Type() C_2:Client_Type()
where the dotted edge linking the bisected triangles is the or-dependence.
2.3 The Semantics for PADL
The semantics for PADL is given by translation into PA. The first step of the translation focuses on the
semantics of each AEI. This is defined as the behavior of the corresponding AET with all the action occur-
rences being preceded by the name of the AEI and the AET formal data parameters being substituted for
by the corresponding AEI actual data parameters.
Let C be an AET with m ∈ N≥0 formal parameters fp1, . . . , fpm and behavior given by a sequence E of
defining equations. Then the semantics of an AEI C of type C with actual parameters ap1, . . . , apm is defined
as follows, where C . introduces the dot notation on actions and { ↪→ , . . . , ↪→ } denotes a syntactical
substitution:
[[C]] = C.E{ap1 ↪→ fp1, . . . , apm ↪→ fpm}
If the AEI contains local or-interactions, each of them – consistent with the fact that it guides a selective
one-to-many communication – must be replaced by as many fresh local uni-interactions as there are attach-
ments involving the considered or-interaction. The fresh local uni-interactions are then attached to the local
uni-interactions of other AEIs to which the local or-interaction was originally attached, as shown below:
C C
C C
1
l
1
2
l
o
o
2o
o
i
i
i
i
In that case, the semantics of C is defined as follows:
[[C]] = or-rewrite∅(C.E{ap1 ↪→ fp1, . . . , apm ↪→ fpm})
In order to reflect the fact that an or-interaction can result in several alternative communications, function
or-rewrite inductively rewrites the body of any resulting defining equation by replacing with fresh uni-
interactions each occurrence of any local or-interaction whose number attach-no( ) of attachments is greater
than 1. Or-dependences are dealt with by keeping track of the set FI of fresh input uni-interactions currently
in force that arise from input or-interactions on which some output or-interaction depends. Here are the
three basic clauses of the inductive definition of or-rewrite:
17
• If a is either a local input or-interaction of C on which no local output or-interaction depends, or a local
output or-interaction that does not depend on any local input or-interaction, and attach-no(C.a) =
l ≥ 2:
or-rewriteFI (a . P ) = choice{a1 . or-rewriteFI (P ),...
al . or-rewriteFI (P )}
• If i is a local input or-interaction of C on which a local output or-interaction depends and attach-no(C.i) =
l ≥ 2:
or-rewriteFI (i . P ) = choice{i1 . or-rewriteFI ∪{i1}−{ij |1≤j≤l∧j 6=1}(P ),...
il . or-rewriteFI ∪{il}−{ij |1≤j≤l∧j 6=l}(P )}
• If o is a local output or-interaction of C that depends on the local input or-interaction i and attach-no(C.i) =
attach-no(C.o) ≥ 2 and ij ∈ FI :
or-rewriteFI (o . P ) = oj . or-rewriteFI (P )
Example 2.2 Consider the client-server system described in Ex. 2.1. Then [[C 1]] and [[C 2]] coincide with
the defining equation for Client, where action names are preceded by C 1 and C 2, respectively. In contrast,
[[S]] is given by the following defining equation obtained from the one for Server after rewriting the occurring
or-interactions:
RewSer(void; void) =
choice
{
S.receive_request_1 . S.compute_response . S.send_response_1 . RewSer(),
S.receive_request_2 . S.compute_response . S.send_response_2 . RewSer()
}
The second step of the translation defines the meaning of any set of AEIs {C1, . . . , Cn} and hence of an
entire architectural description. Fixed an AEI Cj in the set, let LICj be the set of local interactions of Cj
and LICj ;C1,...,Cn ⊆ LICj be the set of local interactions of Cj attached to {C1, . . . , Cn}.
In order to make the process terms representing the semantics of these AEIs communicate in the presence
of attached interactions having different names – in PA only actions with the same name can synchronize
– we need a set S(C1, . . . , Cn) of fresh action names, one for each pair of attached local uni-interactions
in {C1, . . . , Cn} and for each set of local uni-interactions attached to the same local and-interaction in
{C1, . . . , Cn}. In order to ensure the uniqueness of the elements of S(C1, . . . , Cn), each of them is built by
concatenating through symbol # all the original names in the corresponding maximal set of attached local
interactions. Then, we need suitable injective relabeling functions ϕCj ;C1,...,Cn mapping each set LICj ;C1,...,Cn
to S(C1, . . . , Cn) in such a way that:
ϕCj ;C1,...,Cn(a1) = ϕCg;C1,...,Cn(a2)
if and only if Cj .a1 and Cg.a2 are attached to each other or to the same and-interaction.
The interacting semantics of Cj with respect to {C1, . . . , Cn} is defined as follows:
[[Cj ]]C1,...,Cn = [[Cj ]][ϕCj ;C1,...,Cn ]
In general, the interacting semantics of {C ′1, . . . , C ′n′} ⊆ {C1, . . . , Cn} with respect to {C1, . . . , Cn} is defined
as follows (assuming parallel composition to be left associative):
[[C ′1, . . . , C
′
n′ ]]C1,...,Cn = [[C
′
1]]C1,...,Cn ‖S(C′1,C′2;C1,...,Cn)
[[C ′2]]C1,...,Cn ‖S(C′1,C′3;C1,...,Cn)∪S(C′2,C′3;C1,...,Cn) . . .
. . . ‖n′−1∪
i=1
S(C′i,C′n′ ;C1,...,Cn)
[[C ′n′ ]]C1,...,Cn
18
where S(C ′j , C ′g;C1, . . . , Cn) = S(C ′j ;C1, . . . , Cn) ∩ S(C ′g;C1, . . . , Cn) is the pairwise synchronization set of
C ′j and C
′
g with respect to {C1, . . . , Cn}, with S(C ′j ;C1, . . . , Cn) = ϕC′j ;C1,...,Cn(LIC′j ;C1,...,Cn) being the
synchronization set of C ′j with respect to {C1, . . . , Cn}.
Finally, the semantics of an architectural type A formed by the set of AEIs {C1, . . . , Cn} is defined as
follows:
[[A]] = [[C1, . . . , Cn]]C1,...,Cn
Example 2.3 Consider again the client-server system of Ex. 2.1. Then the semantics of the entire descrip-
tion is given by the following process term:
[[S]][receive request 1 7→ C 1.send request#S.receive request 1,
send response 1 7→ S.send response 1#C 1.receive response,
receive request 2 7→ C 2.send request#S.receive request 2,
send response 2 7→ S.send response 2#C 2.receive response]
‖{C 1.send request#S.receive request 1,
S.send response 1#C 1.receive response}
[[C 1]][send request 7→ C 1.send request#S.receive request 1,
receive response 7→ S.send response 1#C 1.receive response]
‖{C 2.send request#S.receive request 2,
S.send response 2#C 2.receive response}
[[C 2]][send request 7→ C 2.send request#S.receive request 2,
receive response 7→ S.send response 2#C 2.receive response]
where [[S]], [[C 1]], and [[C 2]] have been shown in Ex. 2.2.
3 Semi-Synchronous and Asynchronous Interactions
The interactions occurring in a PADL description can be involved only in synchronous communications,
hence input and output interactions represent blocking operations. In order to increase the expressiveness
of PADL, within the interface of each AET we will provide support for distinguishing among synchronous,
semi-synchronous, and asynchronous interactions. The usability of the language will be preserved by means
of suitable synchronicity-related qualifiers that are made available to PADL users.
In this section – in which we use the same client-server running example as the previous section – we first
enrich the textual and graphical notations in order to express nonsynchronous interactions (Sect. 3.1). Then,
we discuss the treatment of semi-synchronous interactions through additional semantic rules (Sect. 3.2) and
of asynchronous interactions through additional implicit AEIs (Sect. 3.3). Finally, we revise the semantics
accordingly (Sect. 3.4). The nine resulting forms of communication are summarized by Fig. 1, with the first
one being the only one originally available in PADL.
3.1 Enriching PADL Textual and Graphical Notations
In the textual notation of PADL, we introduce a third qualifier for each interaction, to be used in the
definition of the AETs. Such a qualifier establishes whether the interaction is synchronous (keyword SYNC),
semi-synchronous (keyword SSYNC), or asynchronous (keyword ASYNC).
While a synchronous interaction blocks the AEI executing it as long as the interactions attached to it
are not ready, this is not the case with nonsynchronous interactions. More precisely, a semi-synchronous
interaction raises an exception if it cannot take place immediately due to the (temporary or permanent)
unavailability of the interactions attached to it, so that the AEI executing it can proceed anyway. Likewise,
in the case of an asynchronous interaction, the beginning and the end of the communication are decoupled,
hence the AEI executing the interaction will never block.
A boolean variable s.success is associated with each semi-synchronous interaction s. This implicitly
declared variable is automatically set at each execution of s and is made available to PADL users in order
to catch exceptions. In this way, it is easy to model different behaviors to be undertaken depending on the
outcome of the execution of s.
19
C1
C1
C1
C1
C1
C1
C1
C1
C1
C2
C2
C2
C2
C2
C2
C2
C2
C2
C .o_exception1
C .i_exception2
C .i_exception2
C .i_exception2
C .i_exception2
i
o
i
o
i
o
i
o
i
o
i
o
i
o
i
o
i
o
||{1P
||{1P
||{1P
||{1P
( ||{1P 1 arrive}
C .o#C .i1 2 } 2P
C .o#C .i1 2 } 2P
C .o#C .i1 2 } 2P
C .o#C .i1 2 } 2P
1 2
1 2
C .o_/C .i_exc.
C .o_/C .i_exc.
C .o#OAQ.
||{1P 1 arrive}C .o#IAQ.
||{1P 1 arrive}C .o#IAQ.
( ||{1P 1 arrive}C .o#OAQ. OAQ.Queue(0))
( ||{1P 1 arrive}C .o#OAQ. OAQ.Queue(0))
)Queue(0)OAQ.
||{ depart arrive}OAQ.               #IAQ.
(IAQ.Queue(0)|| )2P{ depart 2 }IAQ.              #C .i
(IAQ.Queue(0)||{ depart 2 )2P}IAQ.              #C  .i
( Queue(0)||{ depart 2 )2P}IAQ.              #C  .iIAQ.
||{ 2depart } 2POAQ.              #C .i
||{ 2depart } 2POAQ.              #C .i
Figure 1: Forms of communications available in the extension of PADL
In the graphical notation, a semi-synchronous interaction is depicted by extending the small circle/square
of the interaction with an arc inside the AEI box. An asynchronous interaction, instead, is depicted by
extending the small circle/square with a buffer inside the AEI box.
Example 3.1 Consider once more the client-server system of Ex. 2.1. Since the server has no buffer for
incoming requests, each client may want to send a request only if the server is not busy, so that the client can
keep working instead of passively waiting for the server to become available. This can be achieved by trans-
forming send request into a semi-synchronous interaction and by redefining the behavior of Client Type
as follows:
ARCHI_ELEM_TYPE Client_Type(void)
BEHAVIOR
Client_Internal(void; void) =
process . Client_Interacting();
Client_Interacting(void; void) =
send_request .
choice
{
cond(send_request.success = true) ->
receive_response . Client_Internal(),
cond(send_request.success = false) ->
keep_processing . Client_Interacting()
}
INPUT_INTERACTIONS SYNC UNI receive_response
OUTPUT_INTERACTIONS SSYNC UNI send_request
On the other hand, the server should not make any assumption about the status of its clients, as these may
be much more complicated than the description above. In particular, when sending out a response to a
client, the server should not be blocked by the temporary or permanent unavailability of that client, as this
would decrease the quality of service. This can be achieved by using keyword ASYNC in the declaration of
output interaction send response within the definition of Server Type.
20
3.2 Semantics of Semi-Synchronous Interactions: Additional Rules
A local semi-synchronous interaction s executed by an AEI C gives rise to a transition labeled with C.s
within [[C]], and hence to the setting of the related success variable to true. However, in an interacting
context, this transition has to be relabeled with C.s exception if s cannot immediately participate in a
communication. This is accomplished by means of additional semantic rules encoding a context-sensitive
variant of the relabeling operator.
Suppose that the local output interaction o of an AEI C1 is attached to the local input interaction i of
an AEI C2, where C1.o#C2.i is their fresh name. Let P1 (resp. P2) be the process term representing the
current state of [[C1]]C1,C2 (resp. [[C2]]C1,C2) and S = S(C1, C2;C1, C2).
If o is synchronous and i is semi-synchronous – which is the second form of communication depicted in
Fig. 1 – then the following additional semantic rule is necessary for handling exceptions:
P1 6
C1.o#C2.i−−−−−−−−→ P ′1 P2
C1.o#C2.i−−−−−−−−→ P ′2
P1 ‖S P2
C2.i exception−−−−−−−−→ P1 ‖S P ′2 C2.i.success = false
In the symmetric case in which o is semi-synchronous and i is synchronous – which corresponds to the
fourth form of communication depicted in Fig. 1 – the following additional semantic rule is necessary for
handling exceptions:
P1
C1.o#C2.i−−−−−−−−→ P ′1 P2 6
C1.o#C2.i−−−−−−−−→ P ′2
P1 ‖S P2
C1.o exception−−−−−−−−→ P ′1 ‖S P2 C1.o.success = false
Finally, in the case in which both o and i are semi-synchronous – which corresponds to the fifth form of
communication depicted in Fig. 1 – we have the previous two additional semantic rules together.
3.3 Semantics of Asynchronous Interactions: Additional Implicit AEIs
While semi-synchronous interactions are dealt with by means of suitable semantic rules accounting for
possible exceptions, asynchronous interactions need a different treatment because of the decoupling between
the beginning and the end of the communications in which those interactions are involved.
After the or-rewriting process, for each local asynchronous uni-/and-interaction of an AEI C we have
to introduce additional implicit AEIs that behave like unbounded buffers, thus realizing the third, sixth,
seventh, eighth, and ninth form of communication depicted in Fig. 1. As shown in Fig. 2, in the case of a
local asynchronous and-interaction, it is necessary to introduce as many additional implicit AEIs as there
are attachments involving the and-interaction.1
Each additional implicit input asynchronous queue (IAQ) and output asynchronous queue (OAQ) is of
the following type, where arrive is an always-enabled input synchronous uni-interaction while depart is an
output synchronous uni-interaction enabled only if the buffer is not empty:
ARCHI_ELEM_TYPE Async_Queue_Type(void)
BEHAVIOR
Queue(int n := 0;
void) =
choice
{
cond(true) -> arrive . Queue(n + 1),
cond(n > 0) -> depart . Queue(n - 1)
}
INPUT_INTERACTIONS SYNC UNI arrive
OUTPUT_INTERACTIONS SYNC UNI depart
1In [10], a single additional implicit AEI was introduced even in the case of a local asynchronous and-interaction, thus
determining an unnecessary synchronization among the AEIs attached to the and-interaction.
21
C
i
C
i
C
o
C
o
departarrive i
C
departarrive
1
larrive depart
i
o
C
departarrive
o
C
1
departarrive
larrive depart
C
IAQ
IAQ
IAQ
OAQ
OAQ
OAQ
Figure 2: Topological management of local asynchronous uni-/and-interactions
In the case of a local input asynchronous uni-/and-interaction i of C, each local output uni-interaction
originally attached to i is implicitly re-attached to the arrive interaction of one of the additional implicit
IAQs. By contrast, the depart interaction of each additional implicit IAQ is implicitly attached to i, which
is implicitly converted into a semi-synchronous interaction. Note that i becomes semi-synchronous because
the communications between the depart interactions and i must not block C whenever some buffers are
empty.
In the case of a local output asynchronous uni-/and-interaction o of C, this interaction is implicitly
converted into a synchronous interaction and re-attached to each arrive interaction of the additional implicit
OAQs. Note that o is never blocked because all arrive interactions are always enabled. By contrast, the
depart interaction of each additional implicit OAQ is attached to one of the input interactions originally
attached to o.
3.4 Revising PADL Semantics
Due to the way nonsynchronous interactions have been managed, we only need to revise the definition of
the semantics of an AEI in isolation, while all the subsequent definitions given in Sect. 2.3 are unchanged.
More precisely, we only have to take into account the possible presence of additional implicit AEIs acting as
unbounded buffers for local asynchronous interactions.
Definition 3.2 Let C be an AET, fp1, . . . , fpm be its m ∈ N≥0 formal parameters, and E be a sequence
of defining equations giving its behavior. Let C be an AEI of type C with actual parameters ap1, . . . , apm
consistent by order and type with the formal parameters. Suppose that C has:
22
• h ∈ N≥0 local input asynchronous uni-interactions i1, . . . , ih handled through the related additional
implicit AEIs IAQ1, . . . , IAQh;
• h′ ∈ N≥0 local input asynchronous and-interactions i′1, . . . , i′h′ , where each i′j is handled through the
attach-no(C.i′j) = il j related additional implicit AEIs IAQj,1, . . . , IAQj,ilj ;
• k ∈ N≥0 local output asynchronous uni-interactions o1, . . . , ok handled through the related additional
implicit AEIs OAQ1, . . . ,OAQk;
• k′ ∈ N≥0 local output asynchronous and-interactions o′1, . . . , o′k′ , where each o′j is handled through the
attach-no(C.o′j) = ol j related additional implicit AEIs OAQj,1, . . . ,OAQj,olj .
Then the semantics of C is the result of a cascade of function applications:
[[C]] = o-andk
′
olk′ (...o-and
1
ol1(o-unik(i-and
h′
ilh′ (...i-and
1
il1(i-unih(C))...)))...)
where, denoted by f(C) the current result, we define:
i-uni0(C) = or-rewrite∅(C.E{ap1 ↪→ fp1, . . . , apm ↪→ fpm}) [ϕC,async]
i-uni j(C) = IAQj .Queue(0) [ϕC,async] 1 ≤ j ≤ h
‖{IAQj .depart#C.ij} (i-uni j−1(C))
i-and j1(f(C)) = IAQj,1.Queue(0) [ϕC,async] 1 ≤ j ≤ h′
‖{IAQj,1.depart#...#IAQj,ilj .depart#C.i′j} (f(C))
i-and jj′(f(C)) = IAQj,j′ .Queue(0) [ϕC,async] 2 ≤ j′ ≤ il j
‖{IAQj,1.depart#...#IAQj,ilj .depart#C.i′j} (i-and
j
j′−1(f(C)))
o-uni0(f(C)) = f(C)
o-uni j(f(C)) = (o-uni j−1(f(C))) ‖{C.oj#OAQj .arrive}
OAQj .Queue(0) [ϕC,async] 1 ≤ j ≤ k
o-and j1(f(C)) = (f(C)) ‖{C.o′j#OAQj,1.arrive#...#OAQj,olj .arrive}
OAQj,1.Queue(0) [ϕC,async] 1 ≤ j ≤ k′
o-and jj′(f(C)) = (o-and
j
j′−1(f(C))) ‖{C.o′j#OAQj,1.arrive#...#OAQj,olj .arrive}
OAQj,j′ .Queue(0) [ϕC,async] 2 ≤ j′ ≤ ol j
with relabeling function ϕC,async transforming the originally asynchronous local interactions of C and the
local interactions of the additional implicit AEIs attached to them into the respective fresh names occurring
in the synchronization sets above.
Example 3.3 Consider the variant of the client-server system described in Ex. 3.1. With respect to Ex. 2.2,
[[S]] changes as follows due to the presence of its two local output asynchronous uni-interactions:
RewSer[S.send response 1 7→ S.send response 1#OAQ 1.arrive,
S.send response 2 7→ S.send response 2#OAQ 2.arrive]
‖{S.send response 1#OAQ 1.arrive}
OAQ 1.Queue(0)[OAQ 1.arrive 7→ S.send response 1#OAQ 1.arrive]
‖{S.send response 2#OAQ 2.arrive}
OAQ 2.Queue(0)[OAQ 2.arrive 7→ S.send response 2#OAQ 2.arrive]
As a consequence, with respect to Ex. 2.3, the semantics of the whole description changes as follows, where the
roles of S.send response 1 and S.send response 2 are now played by AOQ 1.depart and AOQ 2.depart,
respectively:
23
[[S]][receive request 1 7→ C 1.send request#S.receive request 1,
OAQ 1.depart 7→ OAQ 1.depart#C 1.receive response,
receive request 2 7→ C 2.send request#S.receive request 2,
OAQ 2.depart 7→ OAQ 2.depart#C 2.receive response]
‖{C 1.send request#S.receive request 1,
OAQ 1.depart#C 1.receive response}
[[C 1]][send request 7→ C 1.send request#S.receive request 1,
receive response 7→ OAQ 1.depart#C 1.receive response]
‖{C 2.send request#S.receive request 2,
OAQ 2.depart#C 2.receive response}
[[C 2]][send request 7→ C 2.send request#S.receive request 2,
receive response 7→ OAQ 2.depart#C 2.receive response]
4 Modifying Architectural Checks
The objective of the architectural checks for PADL developed in [1] is to infer certain architectural properties
like correct component coordination from the properties of the individual AEIs. The idea is to verify the
absence of coordination mismatches resulting in property violations through a topological reduction process
based on equivalence checking. Given an architectural description, the starting point is constituted by an
abstract variant of its enriched flow graph, where vertices correspond to AEIs and two vertices are linked
by an edge if and only if attachments have been declared among their interactions. From a topological
viewpoint, the resulting graph is a combination of possibly intersecting stars (see Sect. 4.2) and cycles (see
Sect. 4.3), which are thus viewed as basic topological formats.
The strategy then consists of applying specific checks locally to all stars and cycles occurring in the
abstract graph. Each check verifies whether the star/cycle contains an AEI behaviorally equivalent to
the whole star/cycle, in which case the star/cycle can be replaced by that AEI. The process successfully
terminates when the whole graph has been reduced to a single behaviorally equivalent AEI, as at that
point it is sufficient to verify whether that AEI satisfies the given property or not. In case of failure, the
mentioned checks provide diagnostic information useful to pinpoint components responsible for possible
property violations within a single star/cycle.
In order to be applicable, the strategy requires the existence of a behavioral equivalence that possesses
the following characteristics. Firstly, the equivalence must preserve the property of interest – i.e., it cannot
relate two models such that one of them enjoys the property whereas the other one does not – which is
fundamental for enabling the topological reduction process. Secondly, it must be a congruence with respect
to static operators, thus allowing the topological reduction process to be applied to single portions of the
topology of an architectural description – which is more efficient than considering the entire topology at once
– without affecting the possible validity of the property. Thirdly, it must be able to abstract from internal
actions, as an architectural property is typically expressed in terms of the possibility/necessity of executing
local interactions in a certain order. Fourthly, it must have a modal logic characterization, which is necessary
for producing diagnostic information in case of failure of the topological reduction process.
In this section, after introducing some further notation (Sect. 4.1), we show how to modify the compati-
bility check for stars (Sect. 4.2) and the interoperability check for cycles (Sect. 4.3) in such a way that both
checks can still be applied in the presence of nonsynchronous interactions. Then, the two revised checks
are exemplified on the architectural description of an applet-based simulator for a cruise control system
(Sect. 4.4). Although these checks are conceived for an entire class of properties characterizable through
behavioral equivalences that meet the four constraints mentioned above, for the sake of simplicity here
the considered property is deadlock freedom and the behavioral equivalence chosen among those preserving
deadlock freedom is weak bisimilarity ≈B introduced in Sect. 2.1.
24
4.1 Revising Closed Interacting Semantics
Before applying the architectural checks to a star/cycle given by the set of AEIs {C1, . . . , Cn}, for each AEI
Cj in the set we have to hide all of its internal actions and architectural interactions as well as all of its
local interactions that are not attached to {C1, . . . , Cn}. The reason is that these actions cannot result in
mismatches within the star/cycle, but may hamper the topological reduction process if left visible. Following
the terminology of [1], we thus have to consider closed variants of the interacting semantics of the AEIs in
the set, in which the mentioned actions are made unobservable.
In the framework of PADL enriched with nonsynchronous interactions, for each AEI Cj in the set we also
have to hide all of its additional implicit AEIs that are not attached to {C1, . . . , Cn}, as those additional
implicit AEIs are necessary only in the presence of the AEIs not in {C1, . . . , Cn} to which they are attached.
Therefore, the only actions that remain observable are those in LICj ;C1,...,Cn and those in OALICj . The
latter set contains the originally asynchronous local interactions of Cj together with the local interactions
of the related additional implicit AEIs to which they have been re-attached, including the exceptions that
may be raised by the local input semi-synchronous interactions in the set corresponding to local input
asynchronous interactions. We point out that OALICj is disjoint from LICj , as it essentially comprises the
action names forming the composite names occurring in the synchronization sets of the semantics of an AEI
in isolation provided in Def. 3.2.
In order to set the visibility of each action of Cj according to the needs of the topological reduction
process, we introduce a partially closed variant of the interacting semantics of an AEI defined at the end of
Sect. 2.3, in which we hide all the actions not in LICj ;C1,...,Cn ∪OALICj . Since in many cases we also have
to hide all the actions in OALICj , we introduce a totally closed variant too. Thus, unlike [1], we have two
closed variants of the interacting semantics of an AEI. Both variants are parameterized with respect to a set
of AEIs {C ′′1 , . . . , C ′′n′′}, n′′ ∈ N, determining the additional implicit AEIs to be included.
Definition 4.1 Let C be an AET, fp1, . . . , fpm be its m ∈ N≥0 formal parameters, and E be a sequence of
defining equations giving its behavior. Let Cj ∈ {C1, . . . , Cn} be an AEI of type C with actual parameters
ap1, . . . , apm consistent by order and type with the formal parameters. The interacting semantics of Cj with
respect to {C1, . . . , Cn} without buffers for its originally asynchronous local interactions is defined as follows:
[[Cj ]]
wob
C1,...,Cn
= or-rewrite∅(Cj .E{ap1 ↪→ fp1, . . . , apm ↪→ fpm})
[ϕCj ,async] [ϕCj ;C1,...,Cn ]
We denote by [[Cj ]]
#C′′1 ,...,C
′′
n′′
C1,...,Cn
the variant of [[Cj ]]
wob
C1,...,Cn
including the buffers for the originally asynchronous
local interactions of Cj attached to {C ′′1 , . . . , C ′′n′′}.
Definition 4.2 Let Cj ∈ {C1, . . . , Cn}. The partially closed interacting semantics of Cj with respect to
{C1, . . . , Cn} including its buffers attached to {C ′′1 , . . . , C ′′n′′} is defined as follows:
[[Cj ]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
= [[Cj ]]
#C′′1 ,...,C
′′
n′′
C1,...,Cn
/ (Name − VCj ;C1,...,Cn)
with VCj ;C1,...,Cn = ϕCj ;C1,...,Cn(LICj ;C1,...,Cn)∪ϕCj ,async(OALICj ) and we write [[Cj ]]pc;wobC1,...,Cn if n′′ = 0.
Definition 4.3 Let {C ′1, . . . , C ′n′} ⊆ {C1, . . . , Cn}. The partially closed interacting semantics of {C ′1, . . . , C ′n′}
with respect to {C1, . . . , Cn} including their buffers attached to {C ′′1 , . . . , C ′′n′′} is defined as follows:
[[C ′1, . . . , C
′
n′ ]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
=
[[C ′1]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
‖S(C′1,C′2;C1,...,Cn)
[[C ′2]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
‖S(C′1,C′3;C1,...,Cn)∪S(C′2,C′3;C1,...,Cn) . . .
. . . ‖n′−1∪
i=1
S(C′i,C′n′ ;C1,...,Cn)
[[C ′n′ ]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
where the synchronization sets are built as at the end of Sect. 2.3.
25
Definition 4.4 Let Cj ∈ {C1, . . . , Cn}. The totally closed interacting semantics of Cj with respect to
{C1, . . . , Cn} including its buffers attached to {C ′′1 , . . . , C ′′n′′} is defined as follows:
[[Cj ]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
= [[Cj ]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
/ϕCj ,async(OALICj )
and we write [[Cj ]]
tc;wob
C1,...,Cn
if n′′ = 0.
Definition 4.5 Let {C ′1, . . . , C ′n′} ⊆ {C1, . . . , Cn}. The totally closed interacting semantics of {C ′1, . . . , C ′n′}
with respect to {C1, . . . , Cn} including their buffers attached to {C ′′1 , . . . , C ′′n′′} is defined as follows:
[[C ′1, . . . , C
′
n′ ]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
=
[[C ′1]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
‖S(C′1,C′2;C1,...,Cn)
[[C ′2]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
‖S(C′1,C′3;C1,...,Cn)∪S(C′2,C′3;C1,...,Cn) . . .
. . . ‖n′−1∪
i=1
S(C′i,C′n′ ;C1,...,Cn)
[[C ′n′ ]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
where the synchronization sets are built as at the end of Sect. 2.3. The variant totally closed up to
{C ′′′1 , . . . , C ′′′n′′′} ⊂ {C ′1, . . . , C ′n′}, i.e., in which [[C ′′′j ]]
pc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
is considered in place of [[C ′′′j ]]
tc;#C′′1 ,...,C
′′
n′′
C1,...,Cn
,
is denoted by [[C ′1, . . . , C
′
n′ ]]
tc;#C′′1 ,...,C
′′
n′′ ;C
′′′
1 ,...,C
′′′
n′′′
C1,...,Cn
.
4.2 Adapting Architectural Compatibility for Stars
A star is a portion of the abstract enriched flow graph of an architectural description, which is not part of
a cyclic subgraph. It is formed by a central AEI K and a border BK = {C1, . . . , Cn} including all the AEIs
attached to K. As explained in [1], the validity of an architectural property over a star can be investigated
by analyzing the interplay between the central AEI K and each of the AEIs in the border, as there cannot be
attachments among AEIs in the border. In order to achieve a correct coordination between K and Cj ∈ BK ,
the actual observable behavior of Cj should coincide with the observable behavior expected by K. In other
words, the observable behavior of K should not be altered by the insertion of Cj into the border of the star.
In order to cope with the presence of nonsynchronous interactions, we modify the architectural compat-
ibility check for stars as follows.
Definition 4.6 Given an architectural description A, let K be the central AEI of a star of A, BK =
{C1, . . . , Cn} be the border of the star, Cj be an AEI in BK , HK,Cj be the set of interactions of additional
implicit AEIs of K that are attached to interactions of Cj , and EK,Cj be the set of exceptions that may
be raised by semi-synchronous interactions involved in attachments between K and Cj . We say that K is
compatible with Cj iff:
([[K]]
pc;#Cj
A ‖S(K,Cj ;A) [[Cj ]]tc;#KK,BK ) / (HK,Cj ∪ EK,Cj ) ≈B [[K]]
pc;wob
A
All possible originally asynchronous local interactions of Cj and all of its interactions possibly attached
to AEIs outside the star have been hidden by taking the totally closed interacting semantics of Cj with
respect to the AEIs inside the star. We also observe that HK,Cj ∪ EK,Cj = ∅ whenever there are no
local nonsynchronous interactions involved in attachments inside the star, in which case all partially closed
interacting semantics between [[K]]pc;#AA and [[K]]
pc;wob
A coincide with [[K]]
tc;wob
A .
We now extend the compatibility theorem of [1] to nonsynchronous interactions. This provides a sufficient
condition for reducing the deadlock verification of the entire star to the deadlock verification of its central
AEI.
Theorem 4.7 Let A, K, BK , Cj , HK,Cj , and EK,Cj be the same as Def. 4.6. Whenever K is compatible
with every Cj ∈ BK , then:
26
[[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj ) ≈B [[K]]pc;wobA
hence [[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj ) is deadlock free iff so is [[K]]pc;wobA .
Proof Since there cannot be attachments between interactions of the AEIs of BK , it turns out that
[[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj ) is given by:
([[K]]pc;#BKA ‖S(K,C1;A) [[C1]]tc;#KK,BK ‖S(K,C2;A) [[C2]]
tc;#K
K,BK
‖S(K,C3;A) . . . ‖S(K,Cn;A) [[Cn]]tc;#KK,BK )/
n∪
j=1
(HK,Cj ∪ EK,Cj )
Since each local asynchronous and-interaction is dealt with by introducing as many additional implicit
AEIs as there are attachments involving the and-interaction, HK,Cj ∩HK,Cg = ∅ for all j 6= g. Hence, every
hiding set HK,Cj can be distributed in such a way that it is applied as soon as possible. Similarly, every hiding
set EK,Cj can be anticipated too, because EK,Cj is independent from EK,Cg for all j 6= g due to the fact that
any exception is raised locally at a single AEI. As a consequence, [[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj )
can be rewritten in the following way:
(. . . (([[K]]pc;#BKA ‖S(K,C1;A) [[C1]]tc;#KK,BK ) / (HK,C1 ∪ EK,C1)
‖S(K,C2;A) [[C2]]tc;#KK,BK ) / (HK,C2 ∪ EK,C2)
‖S(K,C3;A) . . . ‖S(K,Cn;A) [[Cn]]tc;#KK,BK ) / (HK,Cn ∪ EK,Cn)
Denoted by IAQK,Cj (resp. OAQK,Cj ) the parallel composition of the behaviors of the input (resp. out-
put) asynchronous queues of K attached to Cj – whose local interactions are relabeled according to ϕK,async
and ϕK;A – and by OALI inputK,Cj (resp. OALI
output
K,Cj
) their local interactions attached to K, it turns out that
[[K]]pc;#BKA is given by:
IAQK,Cn ‖ϕK,async(OALIinputK,Cn )
(· · ·
(IAQK,C2 ‖ϕK,async(OALIinputK,C2 )
(IAQK,C1 ‖ϕK,async(OALIinputK,C1 )
[[K]]pc;wobA
‖ϕK,async(OALIoutputK,C1 ) OAQK,C1)‖ϕK,async(OALIoutputK,C2 ) OAQK,C2)· · ·)
‖ϕK,async(OALIoutputK,Cn ) OAQK,Cn
Since from the point of view of Cj and Cg the asynchronous queues of K attached to Cj are independent
from the asynchronous queues ofK attached to Cg for all j 6= g, we have that [[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj∪
EK,Cj ) can be rewritten in the following way:
(IAQK,Cn ‖ϕK,async(OALIinputK,Cn )
(· · ·
(IAQK,C2 ‖ϕK,async(OALIinputK,C2 )
(IAQK,C1 ‖ϕK,async(OALIinputK,C1 )
[[K]]pc;wobA
‖ϕK,async(OALIoutputK,C1 ) OAQK,C1 ‖S(K,C1;A) [[C1]]
tc;#K
K,BK ) / (HK,C1 ∪ EK,C1)
‖ϕK,async(OALIoutputK,C2 ) OAQK,C2 ‖S(K,C2;A) [[C2]]
tc;#K
K,BK ) / (HK,C2 ∪ EK,C2)
· · ·)
‖ϕK,async(OALIoutputK,Cn ) OAQK,Cn ‖S(K,Cn;A) [[Cn]]
tc;#K
K,BK ) / (HK,Cn ∪ EK,Cn)
27
Since IAQK,C1 ‖ϕK,async(OALIinputK,C1 ) [[K]]
pc;wob
A ‖ϕK,async(OALIoutputK,C1 ) OAQK,C1 is precisely [[K]]
pc;#C1
A and
([[K]]pc;#C1A ‖S(K,C1;A) [[C1]]tc;#KK,BK ) / (HK,C1 ∪ EK,C1) ≈B [[K]]
pc;wob
A due to the compatibility of K with C1,
by virtue of the congruence property of ≈B with respect to static operators – and also with respect to
the context-sensitive variant of the relabeling operator governing exceptions as it encodes an injective re-
labeling function over actions in dot notation, which thus preserves action qualifiers – it turns out that
[[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj ) is weakly bisimilar to:
(IAQK,Cn ‖ϕK,async(OALIinputK,Cn )
(· · ·
(IAQK,C2 ‖ϕK,async(OALIinputK,C2 )
[[K]]pc;wobA
‖ϕK,async(OALIoutputK,C2 ) OAQK,C2 ‖S(K,C2;A) [[C2]]
tc;#K
K,BK ) / (HK,C2 ∪ EK,C2)
· · ·)
‖ϕK,async(OALIoutputK,Cn ) OAQK,Cn ‖S(K,Cn;A) [[Cn]]
tc;#K
K,BK ) / (HK,Cn ∪ EK,Cn)
By reasoning in the same way for each of the other AEIs C2, . . . , Cn of BK , we end up with
[[K,BK ]]tc;#K,BK ;KK,BK /
n∪
j=1
(HK,Cj ∪ EK,Cj ) ≈B [[K]]pc;wobA . The second part of the result then follows from
the fact that ≈B preserves deadlock freedom.
(An induction on the size of BK is hampered by the variability of the set of AEIs with respect to which
the interacting semantics are defined.)
4.3 Adapting Architectural Interoperability for Cycles
A cycle is a closed simple path in the abstract enriched flow graph of an architectural description, which
traverses a set Y = {C1, . . . , Cn} of n ≥ 3 AEIs. As explained in [1], the validity of an architectural
property over a cycle cannot be investigated by analyzing the interplay between pairs of AEIs, because of
the possible presence of arbitrary interferences among the various AEIs in the cycle. In order to achieve a
correct coordination between any Cj and the rest of the cycle, the actual observable behavior of Cj should
coincide with the observable behavior expected by the rest of the cycle. In other words, the observable
behavior of Cj should not be altered by the insertion of Cj itself into the cycle.
In order to cope with the presence of nonsynchronous interactions, we modify the architectural interop-
erability check for cycles as follows.
Definition 4.8 Given an architectural description A, let Y = {C1, . . . , Cn} be the set of AEIs traversed
by a cycle of A, Cj be an AEI in the cycle, HCj ,Y be the set of interactions of additional implicit AEIs
of Cj that are attached to Y, and ECj ,Y be the set of exceptions that may be raised by semi-synchronous
interactions involved in attachments between Cj and Y. We say that Cj interoperates with the other AEIs
in the cycle iff:
[[Y]]tc;#Y;CjA / (Name − VCj ;A) / (HCj ,Y ∪ ECj ,Y) ≈B [[Cj ]]pc;wobA
All possible originally asynchronous local interactions of the other AEIs in the cycle and all of their
interactions that are not attached to Cj have been hidden by taking the totally closed interacting semantics
of those AEIs and by leaving visible only the actions in VCj ;A. We also observe that, whenever Cj has no
local nonsynchronous interactions and is not attached to semi-synchronous interactions of other AEIs in the
cycle, then HCj ,Y ∪ ECj ,Y = ∅ and both [[Cj ]]pc;#YA and [[Cj ]]pc;wobA coincide with [[Cj ]]tc;wobA .
We now extend the interoperability theorem of [1] to nonsynchronous interactions. This provides a
sufficient condition for reducing the deadlock verification of the entire cycle to the deadlock verification of
one of its AEIs.
Theorem 4.9 Let A, Y, Cj , HCj ,Y , and ECj ,Y be the same as Def. 4.8. Whenever Cj interoperates with
the other AEIs in the cycle, then [[Y]]tc;#Y;CjA /(Name − VCj ;A) / (HCj ,Y ∪ ECj ,Y) is deadlock free iff so is
[[Cj ]]
pc;wob
A .
28
Proof A straightforward consequence of Def. 4.8 and of the fact that ≈B preserves deadlock freedom.
4.4 Case Study: An Applet-Based Simulator for a Cruise Control System
In this section, we discuss the application of the modified architectural checks by revisiting the cruise control
system considered in [32, 11].
Once the engine has been turned on, this system is governed by the two standard pedals of the automobile
– accelerator and brake – and by three additional buttons – on, off, and resume. When on is pressed, the
cruise control system records the current speed and maintains the automobile at that speed. When the
accelerator, the brake, or off is pressed, the cruise control system disengages but retains the speed setting. If
resume is pressed later on, then the system is able to accelerate or decelerate the automobile to the previously
recorded speed.
The cruise control system is formed by four software components: a sensor, a speed controller, a speed
detector, and a speed actuator. The sensor detects the driver commands and forwards them to the speed
controller, which in turn triggers the speed actuator. The speed detector periodically measures the number
of wheel revolutions per time unit. The speed actuator adjusts the throttle on the basis of the triggers
received from the controller and of the speed measured by the detector.
Let us describe the cruise control system with PADL. The sensor AET is defined as follows:
ARCHI_ELEM_TYPE Sensor_Type(void)
BEHAVIOR
Sensor_Off(void; void) =
detected_engine_on . turn_engine_on . Sensor_On();
Sensor_On(void; void) =
choice
{
detected_accelerator . press_accelerator . Sensor_On(),
detected_brake . press_brake . Sensor_On(),
detected_on . press_on . Sensor_On(),
detected_off . press_off . Sensor_On(),
detected_resume . press_resume . Sensor_On(),
detected_engine_off . turn_engine_off . Sensor_Off()
}
INPUT_INTERACTIONS SYNC UNI detected_engine_on; detected_engine_off;
detected_accelerator; detected_brake;
detected_on; detected_off; detected_resume
OUTPUT_INTERACTIONS SYNC UNI press_accelerator; press_brake;
press_on; press_off; press_resume
AND turn_engine_on; turn_engine_off
The speed controller triggers the speed actuator on the basis of the commands forwarded by the sensor.
It can be inactive (when the engine is off), active (when the engine is on), cruising (after pressing the on
button in the active state or the resume button in the suspended state), or suspended (after pressing any
pedal or button different from on/resume in the cruising state):
ARCHI_ELEM_TYPE Controller_Type(void)
BEHAVIOR
Inactive(void; void) =
turned_engine_on . Active();
Active(void; void) =
choice
{
pressed_accelerator . Active(),
pressed_brake . Active(),
pressed_on . trigger_record . Cruising(),
pressed_off . Active(),
pressed_resume . Active(),
turned_engine_off . Inactive()
};
Cruising(void; void) =
29
choice
{
pressed_accelerator . trigger_disable . Suspended(),
pressed_brake . trigger_disable . Suspended(),
pressed_on . Cruising(),
pressed_off . trigger_disable . Suspended(),
pressed_resume . Cruising(),
turned_engine_off . trigger_disable . Inactive()
};
Suspended(void; void) =
choice
{
pressed_accelerator . Suspended(),
pressed_brake . Suspended(),
pressed_on . trigger_record . Cruising(),
pressed_off . Suspended(),
pressed_resume . trigger_resume . Cruising(),
turned_engine_off . Inactive()
}
INPUT_INTERACTIONS SYNC UNI turned_engine_on; turned_engine_off;
pressed_accelerator; pressed_brake;
pressed_on; pressed_off; pressed_resume
OUTPUT_INTERACTIONS SYNC UNI trigger_record; trigger_resume;
trigger_disable
The speed detector periodically communicates the number of wheel revolutions per time unit to the speed
actuator:
ARCHI_ELEM_TYPE Detector_Type(void)
BEHAVIOR
Detector_Off(void; void) =
turned_engine_on . Detector_On();
Detector_On(void; void) =
choice
{
measure_speed . signal_speed . Detector_On(),
turned_engine_off . Detector_Off()
}
INPUT_INTERACTIONS SYNC UNI turned_engine_on; turned_engine_off
OUTPUT_INTERACTIONS SYNC UNI signal_speed
The speed actuator adjusts the throttle on the basis of the triggers received from the controller and of
the speed measured by the detector. It can be disabled (until the on/resume button is pressed) or enabled
(until any pedal or button different from on/resume is pressed):
ARCHI_ELEM_TYPE Actuator_Type(void)
BEHAVIOR
Disabled(void; void) =
choice
{
signaled_speed . Disabled(),
triggered_record . record_speed . Enabled(),
triggered_resume . resume_speed . Enabled()
};
Enabled(void; void) =
choice
{
signaled_speed . adjust_throttle . Enabled(),
triggered_disable . disable_control . Disabled()
}
INPUT_INTERACTIONS SYNC UNI triggered_record; triggered_resume;
triggered_disable; signaled_speed
OUTPUT_INTERACTIONS void
30
Suppose we want to design an applet-based simulator for the cruise control system. The applet must
contain a panel with seven software buttons – corresponding to turning the engine on/off, the two pedals,
and the three hardware buttons – and a text area showing the sequence of buttons that have been pressed.
When pressing one of the seven software buttons, the corresponding operation either succeeds or fails. In
the first case, the panel can interact with the sensor and the text area is updated accordingly. In the second
case – think, e.g., of pressing the accelerator button when the engine is off – the panel cannot interact with
the sensor, rather it emits a beep.
In order not to block the simulator when the pressure of a software button fails, we need to model several
operations of the panel through semi-synchronous interactions, as shown below:
ARCHI_ELEM_TYPE Panel_Type(void)
BEHAVIOR
Unallocated(void; void) =
init_applet . start_applet . Active();
Active(void; void) =
choice
{
signal_engine_on . Checking(signal_engine_on.success),
signal_accelerator . Checking(signal_accelerator.success),
signal_brake . Checking(signal_brake.success),
signal_on . Checking(signal_on.success),
signal_off . Checking(signal_off.success),
signal_resume . Checking(signal_resume.success),
signal_engine_off . Checking(signal_engine_off.success),
stop_applet . Inactive()
};
Checking(boolean success; void) =
choice
{
cond(success = true) -> update . Active(),
cond(success = false) -> beep . Active(),
};
Inactive(void; void) =
choice
{
start_applet . Active(),
destroy_applet . Unallocated()
}
INPUT_INTERACTIONS SYNC UNI init_applet; start_applet;
stop_applet; destroy_applet
OUTPUT_INTERACTIONS SSYNC UNI signal_engine_on; signal_engine_off;
signal_accelerator; signal_brake;
signal_on; signal_off; signal_resume
where all the input interactions are related to user commands for starting/stopping the simulator.
The topology of the overall system is described through the enriched flow graph of Fig. 3. As can be
noted, it is an intersection of a cycle and a star, where the cycle traverses AEIs S, C, D, and A.
Suppose we wish to verify whether the applet-based simulator is deadlock free. First of all, we observe
that all the AEIs are deadlock free. Then, we consider the cycle and we apply to it the interoperability check.
Since there are no nonsynchronous interactions within the cycle, applying the modified interoperability check
to the cycle boils down to applying the original check. The outcome is thus known from [11]: S interoperates
with C, D, and A, hence the cycle can be reduced to [[S]]pc;wobP,S,C,D,A (Thm. 4.9).
Now, it is easy to see that S is compatible with the only AEI in the only acyclic portion of the topology
– P – because all the exceptions that the semi-synchronous interactions of P may raise are hidden when
applying the check. Therefore, we can conclude that the entire architectural description can be reduced to
[[S]]pc;wobP,S,C,D,A, and hence it is deadlock free because so is [[S]]
pc;wob
P,S,C,D,A (Thm. 4.7).
31
   
   


   
   


   
   


   
   


s
ig
na
l_
en
gi
ne
_o
n
s
ig
na
l_
en
gi
ne
_o
ff
s
ig
na
l_
ac
ce
le
ra
to
r
s
ig
na
l_
br
ak
e
s
ig
na
l_
on
s
ig
na
l_
of
f
s
ig
na
l_
re
su
me
de
te
ct
ed
_o
ff
p
r
e
s
s
_
a
c
c
e
le
ra
to
r
p
r
e
s
s
_
br
ak
e
p
r
e
s
s
_
o
n
p
r
e
s
s
e
d_
ac
ce
le
ra
to
r
p
r
e
s
s
e
d_
br
ak
e
p
r
e
s
s
e
d_
on
p
r
e
s
s
_
o
ff
p
r
e
s
s
e
d_
of
f
p
r
e
s
s
_
r
e
s
u
m
e
de
te
ct
ed
_a
cc
el
er
at
or
de
te
ct
ed
_b
ra
ke
S:
S
e
ns
o
r
_T
y
p
e(
)
de
te
ct
ed
_o
n
t
u
r
n
e
d_
en
gi
ne
_o
ff
t
u
r
n
e
d_
en
gi
ne
_o
n
A
:
A
c
t
u
a
t
o
r
_
T
y
p
e
()
D
:
D
e
t
e
c
t
o
r
_
T
y
p
e
()
s
ig
na
l_
sp
ee
dpr
e
s
s
e
d_
re
su
me
de
te
ct
ed
_r
es
um
e
de
te
ct
ed
_e
ng
in
e_
of
f
de
te
ct
ed
_e
ng
in
e_
on
t
u
r
n
_
e
n
g
in
e_
of
f
t
u
r
n
_
e
n
g
in
e_
on
t
u
r
n
e
d_
en
gi
ne
_o
n
t
u
r
n
e
d_
en
gi
ne
_o
ff
t
r
ig
ge
r_
re
co
rd
t
r
ig
ge
re
d_
re
co
rd
t
r
ig
ge
r_
di
sa
bl
e
t
r
ig
ge
re
d_
di
sa
bl
e
t
r
ig
ge
r_
re
su
me
t
r
ig
ge
re
d_
re
su
me
C
:
C
o
n
t
r
o
ll
er
_T
yp
e(
)
in
it
_a
pp
le
t
s
t
a
r
t
_
a
p
p
le
t
s
t
o
p
_
a
p
p
le
t
de
st
ro
y_
ap
pl
et
P
:
P
a
n
e
l_
Ty
pe
()
s
ig
na
le
d_
sp
ee
d
Figure 3: Enriched flow graph of the cruise control system simulator
32
5 Code Generation
The architectural description of a software system should be used not only for modeling and verification
purposes, but also for guiding subsequent stages of the software development process. In particular, it should
serve as a basis for synthesizing the software system itself. As an attempt to bridge the gap between system
modeling/verification and system implementation, we propose an approach that automatically generates
multithreaded Java software from PADL descriptions containing an arbitrary combination of synchronous,
semi-synchronous, and asynchronous interactions.
Similar to [32], the choice of Java as target language is made for two reasons. First, Java supports
multithreading and offers a set of mechanisms for the well-structured management of threads and their
shared data, which should simplify the code generation task given the concurrency inherent in process
algebraic architectural descriptions. Second, its object-oriented nature – and specifically its encapsulation
capability – makes Java an appropriate candidate for coping with the high level of abstraction typical of
process algebraic architectural description languages. In fact, as can be expected, the translation of PADL
descriptions into Java software cannot be complete, and hence will require the intervention of the software
developer in specific positions of the generated code, e.g., for inserting the Java statements corresponding to
internal actions.
Another good reason for selecting Java is that it is equipped with software model-checking tools – like,
e.g., Java PathFinder [39] – that complement the analysis conducted on PADL descriptions by making it
possible the verification of property preservation at the code level. In fact, although property preservation is
guaranteed under certain constraints as we will see, an inappropriate intervention of the software developer
on the generated code may lead to the violation of properties proved at the architectural level.
In order to compare our approach with related work for automatically generating code from architectural
descriptions, it is worth recalling two families distinguished on the basis of the distance between the formalism
used for describing software architectures (in our case, PADL) and the implementation language in which
code is generated (in our case, Java). The first family, characterized by an exogenous transformation, is the
long-distance one. In this family, the formalism is kept well separated from the implementation language
and descriptions are entirely translated into code. To this family belong architectural description languages
endowed with code generation facilities like Aesop [24], C2SADEL [33], and Darwin [31]. The second family,
characterized by a semi-endogenous transformation, is the short-distance one. In this family, the formalism
is embedded in the implementation code in form of special comments, as in SyncGen [21], or in form of
special keywords and statements, as in ArchJava [2]. In this case, only special symbols are translated into
implementation code, while the rest is left unchanged.
While the latter transformation can offer a flexible support to software developers – as classical pro-
gramming techniques and patterns can be applied when designing systems – the level of abstraction of the
underlying architectural formalism is usually low. In the case of process algebraic architectural description
languages, the transformation typically adopted for generating code is the former. The reason is that such
languages are specifically conceived for abstracting high-level properties of entire software systems, hence
they are distant from implementation languages.
One of the ideas at the basis of our approach is the provision of a library of software components –
a Java package called Sync – for adding architectural capabilities to the target programming language,
in order to shorten the distance from the architectural description language from which the code will be
generated. Hence, our approach can be viewed as a semi-exogenous transformation, as opposed to the semi-
endogenous one. Based on the classification given in [20], we can say that if the target model is considered
as a text, a semi-endogenous transformation can be simply realized as a model-to-text, template-based
transformation. Unfortunately, this transformation cannot be applied with the same simplicity to our semi-
exogenous approach, as the distance from model to text is still long. However, thanks to the presence of
a package like Sync, a model-to-text transformation can be implemented very easily based on the pattern
Visitor [22].
In this section, we present the two phases of our approach by illustrating them on the same architectural
description of an applet-based simulator for a cruise control system as the previous section. In the first
phase, we develop an architecture-driven technique for thread coordination management based on package
33
Sync (Sect. 5.1). In the second phase, we handle the translation of the process-algebraically-specified behavior
of individual software components into threads (Sect. 5.2). Then, we focus on the preservation at the code
level of the properties proved at the architectural level (Sect. 5.3).
5.1 First Phase: Thread Coordination Management
The first phase of our approach to the generation of multithreaded Java code from PADL descriptions deals
with the thread coordination management. This is accomplished by developing a Java package called Sync,
which automatically takes care of the details of thread synchronization. Both the implementation of the
package and the use of its units for coordinating threads are guided by architecture-level abstractions.
In the following, we present a reference thread communication model and then we illustrate the structure
and the usage of Sync.
5.1.1 Thread Communication Model
The thread communication model adopted by package Sync, which fully complies with the interaction qual-
ifiers of PADL, relies on two roles (sender and receiver) and encompasses two different dimensions.
The first dimension – thread communication synchronicity – comprises nine values arising from all pos-
sible combinations of a synchronous, semi-synchronous, or asynchronous activity on the sender side with
a synchronous, semi-synchronous, or asynchronous activity on the receiver side. Similar to PADL, in a
synchronous-to-synchronous communication both threads wait for the other to become ready. In the semi-
synchronous case, the thread checks whether the other is ready and, if not, raises an exception without
blocking. In the asynchronous case, the thread simply sends/receives a signal or message through a buffer
and then proceeds independently of the status of the other thread (an exception is raised at the asynchronous
receiving side if no signal or message is available in the buffer).
The second dimension – thread communication multiplicity – comprises the following five values: uni-
to-uni, and-to-uni, uni-to-and, or-to-uni, uni-to-or. As with PADL, in a uni-to-uni communication only
two threads are involved (unicast). In an and-to-uni/uni-to-and communication, a thread simultaneously
communicates with several other threads (multicast). Finally, in an or-to-uni/uni-to-or communication a
thread communicates with only one thread selected out of a set of other threads (server-clients).
5.1.2 Structure of Package Sync
The Java package Sync, which adheres to the above mentioned communication model, is structured into
four conceptual layers: Connector, Port, RunnableElem, and RunnableArchi. Each of them corresponds
to a different architectural abstraction and comprises a set of components realized through Java classes and
interfaces, some of which are visible by the software developer. The related class diagrams are shown in
Fig. 4.
The first layer, called Connector, is a set of invisible Java classes and interfaces that are used within
Sync to perform synchronizations and data transfers between two threads. As sketched in Fig. 4, there are
nine classes realizing – consistently with the adopted thread communication model – the nine combinations
of communication synchronicities.
This layer is inspired by the traditional producer-consumer model, where the producer and the consumer
represent the sender and receiver threads, respectively. This is implemented by equipping every Connector
class with a buffer shared only by the two related threads. Each such class also has two interface methods
– send() and receive() – for accessing the buffer in a mutually exclusive way and two interface methods
– obsSnd() and obsRcv() – for observing the status of the threads using a Connector object in the case of
nonasynchronous and-/or-interactions.
The second layer, called Port, is a set of Java classes and interfaces that realize the abstraction corre-
sponding to a set of statements through which a thread interacts with possibly many other threads. As
sketched in Fig. 4, there are eighteen classes combining – through Connector objects – the three cases of
34
Layer Connector
Layer Port
Layer RunnableElem
Layer RunnableArchi
SemisyncUniSenderPort
BaseConnector
BasePort
ReceiverPort SenderPort
UniReceiverPort AndReceiverPort OrReceiverPort UniSenderPort AndSenderPort OrSenderPort
SyncUniSenderPort AsyncUniSenderPort
java.lang.Runnable
run()
attach(
attach(
attach(
attach(
attach(
s : UniSenderPort,
s : UniSenderPort,
s : UniSenderPort,
s : AndSenderPort,
s : OrSenderPort,
r : UniReceiverPort )
r : AndReceiverPort )
r : OrReceiverPort )
r : UniReceiverPort )
r : UniReceiverPort )
choice( acts: ChAct [*] )
RunnableElem
start()
join()
RunnableArchi
ElemMeth
ArchiMeth
_Connector
Sync_to_Semisync
_Connector _Connector
Sync_to_Async
_Connector
Sync_to_Sync
_Connector
Async_to_AsyncSemisync_to_Sync
Figure 4: Class diagrams of the conceptual layers of Sync
35
communication multiplicity with the three cases of communication synchronicity both on the receiver side
and on the sender side.
This layer gives rise to suitable objects, each of which will be attached either to a single Connector object
– if representing a uni-interaction – or to several Connector objects – if representing an and-/or-interaction.
Every Port object must be instantiated by specifying its owner thread in the Port constructor. Each of the
nine Port classes related to the sender side is equipped with a send() method, whereas each of the nine Port
classes related to the receiver side is equipped with a receive() method. Each of the two methods makes use
of the homonymous method of the associated Connector objects and raises an UnattachedPortException
whenever the Port object is not connected to any other Port object. This happens if the interaction associ-
ated with the Port object is an architectural interaction not attached to any other interaction. A different
exception, SemisyncPortNotReadyException, is raised if the associated interaction is semi-synchronous and
the connected Port objects are not ready to communicate. Both exceptions are defined as derived classes of
a base class called SyncException defined within Sync.
The third layer, called RunnableElem, is an interface derived from the standard Runnable interface
that realizes the abstraction corresponding to a thread in a concurrent Java program. This layer provides
support for the generation of Java threads from the process-algebraically-specified behavior of AETs in a
PADL description. In particular, as shown in Fig. 4, it is also equipped with a class called ElemMeth, which
defines a static method called choice() used for the translation of alternative compositions.
The fourth layer, called RunnableArchi, is a RunnableElem-derived interface that realizes the abstraction
corresponding to a concurrent Java program. The compatibility of RunnableArchi with RunnableElem
provides support for hierarchical software development. As shown in Fig. 4, in order to avoid the direct
handling of Connector objects, this layer is also equipped with a class called ArchiMeth, which defines a
family of five static methods called attach(). Each of them receives two parameters, which must be a sender
Port object and a receiver Port object, and connects them by creating a Connector object only if they refer
to two different owner threads according to one of the five combinations of communication multiplicities
admitted by the adopted thread communication model.
5.1.3 Usage of Package Sync
From a code generation viewpoint, package Sync is a repository of architectural abstractions ensuring the
correct and transparent handling of synchronizations and data exchanges among the threads of the software
system being designed. The structure of the generated code is shown in Fig. 5.
Starting from a PADL description of the system, it is necessary to create a RunnableArchi object for
the overall system, together with as many RunnableElem objects as there are AEIs in the PADL description
(see the upper part of Fig. 5). Then, it is necessary to create as many Port objects as there are interactions
in the AEIs synthesized as RunnableElem objects. Afterwards, it is necessary to create all the Connector
objects that are needed to make the AEIs synthesized as RunnableElem objects communicate – according
to the attachments in the PADL description – through their interactions synthesized as Port objects.
The lower part of Fig. 5 shows stub classes to be manually filled in. As we will see in the sec-
ond phase, these stubs are generated for managing the internal actions of the AETs (IAS) and for han-
dling exceptions that may be raised by the interactions of the instances of those AETs (EHS) – i.e.,
UnattachedPortException and SemisyncPortNotReadyException.
Fig. 5 also shows a package called Structs. The reason is that most of the data types provided by PADL
– such as boolean, (bounded) integer, real, list, and array – can be trivially translated into built-in Java
data types. However, the record data type and the generic object data type provided by PADL need ad-hoc
classes and interfaces made available through Structs.
Each of the classes generated by PADL2Java for a given PADL description is stored into a distinct .java
file. All these files are contained in a single package with the same name as the PADL description source
file. Further .java files may be generated depending on the specified translation option.
Fig. 5 shows the various options that are available at code generation time: -c, -p, and -a. The default
option -c stands for the generation of the package depicted in the figure, with no additional classes. Option
-p stands for the synthesis of a full Java program. This can be achieved through the generation of a further
36
Sync
...
...
...
−implementing classes
0..1 0..1
0..1 0..1 0..1
0..1
1 2 n
1RE 2 nRE RE
IAS IAS IAS
Structs
EHS1 2EHS nEHS
RunnableArchi
RunnableElem
−implementing class
RA
generated Java
package (    )−c
data structures
automatically
complex
stubs to be manually filled in
(threads)
−a−pprogram (    ) / applet (    ) wrapper class
Figure 5: Structure of the Sync-based generated code
public class that contains only method main(), which acts as a wrapper for the RunnableArchi-implementing
class. Option -a stands for the synthesis of a Java applet. This can be achieved through the generation
of a further public class derived from the standard JApplet class, which gives rise to a wrapper for the
RunnableArchi-implementing class.
Both for -p and for -a, the wrapper class creates an instance of the RunnableArchi-implementing class
and declares a SyncUniSenderPort or SyncUniReceiverPort object for each architectural interaction de-
clared in the RunnableArchi-implementing class. In this way, the wrapper is allowed to dispatch suitable
commands to the right RunnableElem objects whenever necessary. Moreover, in the -a case the wrapper
class defines a number of stubs related to the initialization, activation, deactivation, and destruction of the
applet, which will be filled in by the software developer if needed.
Example 5.1 Consider the cruise control system simulator of Sect. 4.4 and suppose we want to synthesize
it as multithreaded Java software from its PADL description. Since it is an applet-based simulator, we need
to generate an applet wrapper. The following .java file contains the JApplet-derived class synthesized for
the wrapper, where Cruise Control System package is the package for the cruise control system:
import Sync.*;
import Cruise_Control_System_package.Cruise_Control_System;
import javax.swing.JApplet;
public class MainAppletClass extends JApplet {
//---------- DECLARING ARCHITECTURE -----------//
Cruise_Control_System archiInstance = null;
//---------- DECLARING APPLET PORTS -----------//
SyncUniSenderPort to_P_init_applet;
SyncUniSenderPort to_P_start_applet;
SyncUniSenderPort to_P_stop_applet;
SyncUniSenderPort to_P_destroy_applet;
//---------- DEFINING APPLET MEMBERS ----------//
public void init() {
if (archiInstance == null) {
archiInstance = new Cruise_Control_System();
37
// to_P_init_applet = new SyncUniSenderPort(this);
// to_P_start_applet = new SyncUniSenderPort(this);
// to_P_stop_applet = new SyncUniSenderPort(this);
// to_P_destroy_applet = new SyncUniSenderPort(this);
// try {
// ArchiMeth.attach(to_P_init_applet,
// archiInstance.P_init_applet);
// ArchiMeth.attach(to_P_start_applet,
// archiInstance.P_start_applet);
// ArchiMeth.attach(to_P_stop_applet,
// archiInstance.P_stop_applet);
// ArchiMeth.attach(to_P_destroy_applet,
// archiInstance.P_destroy_applet);
// } catch(BadAttachmentException e) {}
archiInstance.start();
// FILL IN THE FINAL PART OF THE METHOD BODY IF NEEDED
}
public void start() {
// FILL IN THE METHOD BODY IF NEEDED
}
public void stop() {
// FILL IN THE METHOD BODY IF NEEDED
}
public void destroy() {
// FILL IN THE INITIAL PART OF THE METHOD BODY IF NEEDED
archiInstance = null;
}
}
As can be noted, for each of the four architectural input interaction of AEI P, we have the declaration
of a sender port whose name coincides with the name of the corresponding architectural input interaction
prefixed by to (the prefix is from in the case of an architectural output interaction). Each such sender
port will manage the commands given by the user of the applet-based simulator when initializing, starting,
stopping, or destroying the applet-based simulator itself depending on how the software developer fills in the
body of the methods associated with those operations.
As far as method init() is concerned, the initial part of its body includes some commented statements
for instantiating the applet ports and attaching them to the corresponding architectural interactions. Those
statements are commented because, in general, it is not necessarily the case that all the architectural in-
teractions must be attached to the corresponding ports in the wrapper. For instance, some of them should
be attached to other software units. It is the responsibility of the software developer to uncomment the
statements that are appropriate for the specific system.
38
5.1.4 Structure of the RunnableArchi-Implementing Class
When using package Sync in the translation process, the Java class synthesized to implement the RunnableArchi
interface for the overall system has the same name as the architectural type and is structured as follows:
public class /architectural type name. implements RunnableArchi {
/Declaring Runnable Elements.
/Declaring Architectural Interactions.
/Defining Constructor.
/Building Architecture. :
/Instantiating Runnable Elements.
/Assigning Architectural Interactions.
/Attaching Local Interactions.
/Running Architecture.
}
The first section, Declaring Runnable Elements, declares an object of a
RunnableElem-implementing class – without instantiating it – for each AEI declared in the PADL description.
The second section, Declaring Architectural Interactions, declares a public Port object for each archi-
tectural interaction declared in the PADL description. Such objects are public because the architectural
interactions are the interfaces of the whole system, hence support must be provided for them to be used for
the hierarchical or compositional modeling of complex systems as well as within wrapper classes.
The third section, Defining Constructor, defines the class constructor together with its parameters, which
coincide with the parameters of the architectural type.
The fourth section, Building Architecture, defines a method called
buildArchiTopology() that constructs the architecture topology in a way similar to the architectural topol-
ogy section of the PADL description. First, it instantiates the previously declared RunnableElem objects.
Second, it assigns the previously declared public Port objects through the corresponding Port objects of the
newly instantiated RunnableElem objects. Third, it invokes the method attach() defined within Sync in or-
der to connect the Port objects of the newly instantiated RunnableElem objects according to the attachments
declared in the PADL description.
Finally, the fifth section, Running Architecture, declares the thread associated with the class itself. More-
over, it defines the public methods start(), which starts the previously declared thread, join(), which
allows other threads to wait for the end of the execution of the previously declared thread, and run(), which
starts all the previously instantiated RunnableElem objects and then waits for their termination.
Example 5.2 We now continue Ex. 5.1. The following .java file contains the RunnableArchi interface for
the cruise control system:
package Cruise_Control_System_package;
import Sync.*;
public class Cruise_Control_System implements RunnableArchi {
//-------- DECLARING RUNNABLE ELEMENTS --------//
Panel_Type P;
Sensor_Type S;
Controller_Type C;
Detector_Type D;
Actuator_Type A;
//--- DECLARING ARCHITECTURAL INTERACTIONS ----//
public SyncUniReceiverPort P_init_applet;
public SyncUniReceiverPort P_start_applet;
public SyncUniReceiverPort P_stop_applet;
public SyncUniReceiverPort P_destroy_applet;
39
//----------- DEFINING CONSTRUCTOR ------------//
Cruise_Control_System() {
buildArchiTopology();
}
//----------- BUILDING ARCHITECTURE -----------//
void buildArchiTopology() {
// INSTANTIATING RUNNABLE ELEMENTS:
P = new Panel_Type();
S = new Sensor_Type();
C = new Controller_Type();
D = new Detector_Type();
A = new Actuator_Type();
// ASSIGNING ARCHITECTURAL INTERACTIONS:
this.P_init_applet = P.init_applet;
this.P_start_applet = P.start_applet;
this.P_stop_applet = P.stop_applet;
this.P_destroy_applet = P.destroy_applet;
// ATTACHING LOCAL INTERACTIONS:
try {
ArchiMeth.attach(P.signal_engine_on,
S.detected_engine_on);
ArchiMeth.attach(P.signal_engine_off,
S.detected_engine_off);
ArchiMeth.attach(P.signal_accelerator,
S.detected_accelerator);
ArchiMeth.attach(P.signal_brake,
S.detected_brake);
ArchiMeth.attach(P.signal_on,
S.detected_on);
ArchiMeth.attach(P.signal_off,
S.detected_off);
ArchiMeth.attach(P.signal_resume,
S.detected_resume);
ArchiMeth.attach(S.turn_engine_on,
C.turned_engine_on);
ArchiMeth.attach(S.turn_engine_on,
D.turned_engine_on);
ArchiMeth.attach(S.turn_engine_off,
C.turned_engine_off);
ArchiMeth.attach(S.turn_engine_off,
D.turned_engine_off);
ArchiMeth.attach(S.press_accelerator,
C.pressed_accelerator);
ArchiMeth.attach(S.press_brake,
C.pressed_brake);
ArchiMeth.attach(S.press_on,
C.pressed_on);
ArchiMeth.attach(S.press_off,
C.pressed_off);
ArchiMeth.attach(S.press_resume,
C.pressed_resume);
ArchiMeth.attach(C.trigger_record,
A.triggered_record);
ArchiMeth.attach(C.trigger_resume,
A.triggered_resume);
ArchiMeth.attach(C.trigger_disable,
A.triggered_disable);
ArchiMeth.attach(D.signal_speed,
A.signaled_speed);
} catch(BadAttachmentException e) {}
40
}//----------- RUNNING ARCHITECTURE ------------//
Thread th_Cruise_Control_System = null;
public void start() {
(th_Cruise_Control_System = new Thread(this)).start();
}
public void join() throws InterruptedException {
th_Cruise_Control_System.join();
}
public void run() {
P.start();
S.start();
C.start();
D.start();
A.start();
try {
P.join();
S.join();
C.join();
D.join();
A.join();
} catch(InterruptedException e) {}
}
}
Note that it faithfully implements the topology of Fig. 3.
5.1.5 Structure of RunnableElem-Implementing Classes
Similar to the case of RunnableArchi, each of the Java classes synthesized to implement the RunnableElem
interface corresponding to an AET has the same name as the AET and is structured as follows:
class /architectural element type name. implements RunnableElem {
/Declaring Behavioral Equations Interfaces.
/Instantiating Interactions.
/Declaring Stubs.
/Defining Constructor.
/Defining Behavior.
/Running Element.
}
The first section, Declaring Behavioral Equations Interfaces, defines an interface called
BehavioralEquationInterface and declares an equation object of such an interface for each behavioral
equation occurring in the AET definition.
The second section, Instantiating Interactions, instantiates various Port objects of various types (see the
second layer of Fig. 4) on the basis of the interactions occurring in the AET definition and their qualifiers.
The third section, Declaring Stubs, declares two stub objects to be manually filled in later on. As already
mentioned, one stub object is for the translation of the internal actions occurring in the AET definition,
while the other stub is for handling exceptions related to the interactions occurring in the AET definition.
The fourth section, Defining Constructor, defines the class constructor together with its parameters,
which coincide with the parameters of the AET. The constructor declares the parameters as nonpublic
members in order to store their values and make them available throughout the thread execution. Then, the
constructor invokes the method defined in the next section.
The fifth section, Defining Behavior, creates instances of anonymous classes implementing
BehavioralEquationInterface and assigns them to the previously mentioned equation objects. Each
41
anonymous class translates a different behavioral equation occurring in the AET. The only method declared
by the interface, behavEqCall(), is defined here for each equation object and will be discussed in the second
phase.
Finally, the sixth section, Running Element, declares the thread associated with the class itself. Moreover,
it defines the public methods start(), which starts the previously declared thread, join(), which allows
other threads to wait for the end of the execution of the previously declared thread, and run(), which
instantiates the two stub classes and executes the various equation objects.
Example 5.3 We now continue Ex. 5.1 and Ex. 5.2. The following .java file contains the RunnableElem
interface for Panel Type:
package Cruise_Control_System_package;
import Sync.*;
class Panel_Type implements RunnableElem {
//- DECLARING BEHAVIORAL EQUATIONS INTERFACES -//
interface BehavioralEquationInterface { void behavEqCall(); }
BehavioralEquationInterface Unallocated,
Active,
Checking,
Inactive;
BehavioralEquationInterface nextBehavEq;
Object[] actualPars;
//-------- INSTANTIATING INTERACTIONS ---------//
SyncUniReceiverPort init_applet = new SyncUniReceiverPort(this);
SyncUniReceiverPort start_applet = new SyncUniReceiverPort(this);
SyncUniReceiverPort stop_applet = new SyncUniReceiverPort(this);
SyncUniReceiverPort destroy_applet = new SyncUniReceiverPort(this);
SemisyncUniSenderPort signal_engine_on = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_engine_off = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_accelerator = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_brake = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_on = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_off = new SemisyncUniSenderPort(this);
SemisyncUniSenderPort signal_resume = new SemisyncUniSenderPort(this);
//-------------- DECLARING STUBS --------------//
IAS_Panel_Type internal_Panel_Type;
EHS_Panel_Type exception_Panel_Type;
//----------- DEFINING CONSTRUCTOR ------------//
Panel_Type() {
defineBehavEquations();
}
//------------- DEFINING BEHAVIOR -------------//
void defineBehavEquations() {
...
}
//-------------- RUNNING ELEMENT --------------//
Thread th_Panel_Type = null;
public void start() {
(th_Panel_Type = new Thread(this)).start();
}
public void join() throws InterruptedException {
th_Panel_Type.join();
}
42
public void run() {
...
}
}
As can be noted, the definitions of methods defineBehavEquations() and run() have been omitted
because they are strictly related to the synthesis of the thread behavior. Therefore, they will be shown after
presenting the second phase of our approach.
5.2 Second Phase: Thread Behavior Generation
The second phase of our approach to the generation of multithreaded Java code from PADL descriptions
deals with the translation of the process algebraic specification of the behavior of the AETs into thread
classes. Due to the different level of abstraction of an architectural description language and of a program-
ming language, only a partial translation based on stubs is possible, with the preservation of architectural
properties depending on the way in which the stubs are filled in by the software developer.
In the following, we introduce a reference thread generation model and we show how to synthesize thread
method run() and how to translate process algebraic operators consistent with the adopted model in order to
synthesize method defineBehavEquations(). We also show how to synthesize stubs for handling exceptions
and internal actions.
5.2.1 Thread Generation Model
A finite state machine model is adopted to guide the generation of a thread from the description of an AET
made out of a sequence of process algebraic defining equations. Large conditional statements or table-based
approaches do not guarantee high efficiency when many conditions or associations have to be checked at run
time for each invocation of a behavioral equation. Therefore, we generate code on the basis of the behavioral
pattern State [22].
As shown in Sect. 5.1.5, each AET is translated into a class implementing the interface RunnableElem.
Each state of the behavior of the AET is defined as an inner class implementing the interface
BehavioralEquationInterface and defining the method behavEqCall(). The idea is that every behav-
ioral equation is translated into an inner state class having the same name as the equation. The code for
an inner state class is generated by proceeding by induction on the syntactical structure – stop, behavioral
invocation, action prefix, and choice – of the process algebraic term occurring on the right-hand side of the
corresponding behavioral equation.
The class associated with an AET also defines the member nextBehavEq, a reference to an object imple-
menting BehavioralEquationInterface, and the member actualPars, a reference to an array of objects.
These references, which are shared and visible by all the inner state classes, are in charge of defining the
state transitions, i.e., the next behavioral equation to be executed and the actual parameters to be passed.
We conclude by observing that a different treatment is needed for action prefixes depending on whether
the related actions are interactions or internal actions. An interaction is involved in communications, hence
it is automatically managed via package Sync. However, as we have seen in Sect. 5.1.1, the execution of
an interaction may result in two kinds of exception, whose handling is left to the software developer. Our
thread generation model thus includes the possibility of associating an exception handling stub (EHS) with
each interaction, to be filled in by the software developer. By contrast, an internal action is not involved
at all in communications, as it takes place inside an AET. In this case, the architectural description does
not provide any information about how to translate the action into a sequence of Java statements. As a
consequence, our thread generation model also includes the possibility of associating an internal action stub
(IAS) with each internal action, to be filled in by the software developer.
43
5.2.2 Synthesizing Thread Method run()
The class corresponding to an AET comprises the constructor and method run(). While the former instan-
tiates the inner state classes by calling method defineBehavEquations(), as shown below the latter first of
all instantiates the EHSs and the IASs declared as members of the class:
public void run() {
/EHS instantiation.
/IAS instantiation.
nextBehavEq = /first behavioral equation .;
actualPars = /actual parameters of the first behavioral equation .;
while (nextBehavEq != null)
nextBehavEq.behavEqCall();
}
Method run() then assigns the state class instance representing the first behavioral equation to nextBehavEq
and the related parameters to actualPars. A while statement carries out the execution of the behavioral
equations starting from the first one, by repeatedly invoking method behavEqCall() on the state class
instance referenced by nextBehavEq. When nextBehavEq is set to null, the execution of method run()
terminates.
Example 5.4 We complete the second omitted part of Ex. 5.3 by showing the definition of method run()
for the class associated with Panel Type:
public void run() {
internal_Panel_Type = new IAS_Panel_Type();
exception_Panel_Type = new EHS_Panel_Type();
nextBehavEq = Unallocated;
actualPars = null;
while (nextBehavEq != null)
nextBehavEq.behavEqCall();
}
5.2.3 Translating stop
Process term stop represents the situation in which no further action can be executed. It is therefore
translated by assigning null both to nextBehavEq and to actualPars. As a consequence, when encountering
stop, method run() terminates its execution.
5.2.4 Translating Behavioral Invocations
The behavioral invocation B(e) represents a process term that behaves as the behavioral equation whose
identifier is B, when passing the possibly empty sequence of actual parameters e. A behavioral invocation,
which can occur only within the scope of an action prefix operator, is not translated into a method call, as
this may result in the generation of inefficient code in case of recursion. Instead, a behavioral invocation is
translated into an assignment to nextBehavEq of an instance of the inner state class that corresponds to the
next behavioral equation, followed by an assigment to actualPars of the actual parameters needed by the
next behavioral equation.
5.2.5 Translating Action Prefixes
The action prefix operator is used to represent a process term that can execute an action and then behaves as
described by another process term. As already mentioned, the translation of the action depends on whether
it is an interaction or an internal action.
44
In the first case, the action is translated into an invocation of method send() – if it is an output interaction
– or method receive() – if it is an input interaction – of the corresponding Port object. If the interaction
is semi-synchronous or architectural, its translation must then be completed by filling in the related method
in an EHS.
In the second case, the action translation is completely left to the software developer, as internal actions
cannot be treated automatically at all. A method for each of them is placed in a distinct IAS, which has
to be filled in by the software developer with the corresponding Java statements. As a consequence, every
occurrence of an internal action is translated into an invocation of the related method in an IAS.
Example 5.5 We now continue Ex. 5.1, Ex. 5.2, and Ex. 5.3. The following .java file contains the exception
handling stubs for Panel Type:
package Cruise_Control_System_package;
class EHS_Panel_Type {
EHS_Panel_Type() {
// FILL IN THE CONSTRUCTOR BODY IF NEEDED
}
void signal_engine_on_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_engine_off_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_accelerator_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_brake_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_on_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_off_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void signal_resume_ssyncEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void init_applet_archiEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void start_applet_archiEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void stop_applet_archiEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
void destroy_applet_archiEH() {
// FILL IN THE METHOD BODY IF NEEDED
}
45
}We have a method for each semi-synchronous interaction of Panel Type, together with a method for each
architectural interaction of P. Note that each method of the first (resp. second) group has the same name as
the corresponding interaction augmented with suffix ssyncEH (resp. archiEH).
The following .java file instead contains the internal action stubs for Panel Type:
package Cruise_Control_System_package;
class IAS_Panel_Type {
IAS_Panel_Type() {
// FILL IN THE CONSTRUCTOR BODY IF NEEDED
}
void update() {
// FILL IN THE METHOD BODY
}
void beep() {
// FILL IN THE METHOD BODY
}
}
In this case, we have a method for each of the two internal actions of Panel Type, which must necessarily
be filled in by the software developer.
5.2.6 Translating choice
The choice operator expresses a selection among a certain number of alternative behaviors described through
process terms. A choice-based process term is translated into a switch-case statement, whose condition is
given by an invocation of the static method choice() defined in the class ElemMeth of package Sync.
There are two cases that must be addressed in order to translate the choice operator. The first one
is the case where every process term involved in the choice starts with an action prefix operator. In this
case, the method choice() is directly employed, which accepts as input an array of objects of class ChAct,
each of which contains a boolean guard expressing the possible constraint under which the corresponding
starting action is enabled (default value true). Should one of the starting actions be an interaction, an
additional piece of information is contained in the corresponding object, which is a reference to the Port
object associated with the interaction. Method choice() returns the index (within the array) of the starting
action selected for execution.
A starting action is enabled (and hence can be selected for execution) if its guard evaluates to true and –
in the case of a synchronous interaction – the corresponding Port object is ready to communicate. If all the
starting actions with guard evaluating to true are synchronous interactions, method choice() waits – and
the thread that contains it passivates – until one of the associated Port objects is ready to communicate. If all
the guards of the starting actions evaluate to false, method choice() returns a negative value. Normally, at
most one starting action is enabled, as the guards associated with alternative actions are usually in conflict
with each other. Should this not be the case, i.e., if several starting actions are enabled, a probabilistic
mechanism is applied to select one of those actions. This is useful when generating code from quantitative
variants of PADL like Æmilia [5], in which the probability or the duration of actions can be expressed.
Based on the index returned by choice(), the switch-case statement invokes the method associated
with the execution of the selected starting action. This method is send() or receive() in the case of an
interaction, whereas for an internal action it is the corresponding method in the related IAS. The invocation
of this method is followed in turn by the translation of the process term prefixed by the selected action. In
the default clause, which comes into play when a negative value is returned by choice(), process term stop
is invoked by assigning null both to nextBehavEq and to actualPars.
46
The second case is the one in which some of the process terms involved in the choice do not start with
an action prefix operator. If one of these process terms is stop, then nothing has to be added for it in the
ChAct array and the switch-case statement, because it is selected by default whenever the other involved
process terms cannot be selected. If instead one of these process terms is a nested choice, then a flattening
of the nested choice takes place during the translation.
Example 5.6 We complete the first omitted part of Ex. 5.3 by showing the definition of method
defineBehavEquations() for the class associated with Panel Type:
void defineBehavEquations() {
Unallocated = new BehavioralEquationInterface() {
public void behavEqCall() {
_Unallocated();
}
private void _Unallocated() {
try {
init_applet.receive();
} catch(UnattachedPortException e) {
exception_Panel_Type.init_applet_archiEH();
}
try {
start_applet.receive();
} catch(UnattachedPortException e) {
exception_Panel_Type.start_applet_archiEH();
}
nextBehavEq = Active;
actualPars = null;
}
};
Active = new BehavioralEquationInterface() {
public void behavEqCall() {
_Active();
}
private void _Active() {
switch (
ElemMeth.choice(
new ChAct[] {
new ChAct(true, signal_engine_on),
new ChAct(true, signal_accelerator),
new ChAct(true, signal_brake),
new ChAct(true, signal_on),
new ChAct(true, signal_off),
new ChAct(true, signal_resume),
new ChAct(true, signal_engine_off),
new ChAct(true, stop_applet)
}
)
)
{
case 0:
try {
signal_engine_on.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_engine_on_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_engine_on.success()};
break;
case 1:
try {
signal_accelerator.send();
} catch(NotReadyPortException e) {
47
exception_Panel_Type.signal_accelerator_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_accelerator.success()};
break;
case 2:
try {
signal_brake.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_brake_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_brake.success()};
break;
case 3:
try {
signal_on.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_on_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_on.success()};
break;
case 4:
try {
signal_off.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_off_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_off.success()};
break;
case 5:
try {
signal_resume.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_resume_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_resume.success()};
break;
case 6:
try {
signal_engine_off.send();
} catch(NotReadyPortException e) {
exception_Panel_Type.signal_engine_off_ssyncEH();
}
nextBehavEq = Checking;
actualPars = new Object[] {signal_engine_off.success()};
break;
case 7:
try {
stop_applet.receive();
} catch(UnattachedPortException e) {
exception_Panel_Type.stop_applet_archiEH();
}
nextBehavEq = Inactive;
actualPars = null;
break;
default:
nextBehavEq = null;
actualPars = null;
}
}
};
48
Checking = new BehavioralEquationInterface() {
public void behavEqCall() {
_Checking((Boolean)actualPars[0]);
}
private void _Checking(boolean success) {
switch (
ElemMeth.choice(
new ChAct[] {
new ChAct(success == true, null),
new ChAct(success == false, null)
}
)
)
{
case 0:
internal_Panel_Type.update();
nextBehavEq = Active;
actualPars = null;
break;
case 1:
internal_Panel_Type.beep();
nextBehavEq = Active;
actualPars = null;
break;
default:
nextBehavEq = null;
actualPars = null;
}
}
};
Inactive = new BehavioralEquationInterface() {
public void behavEqCall() {
_Inactive();
}
private void _Inactive() {
switch (
ElemMeth.choice(
new ChAct[] {
new ChAct(true, start_applet),
new ChAct(true, destroy_applet)
}
)
)
{
case 0:
try {
start_applet.receive();
} catch(UnattachedPortException e) {
exception_Panel_Type.start_applet_archiEH();
}
nextBehavEq = Active;
actualPars = null;
break;
case 1:
try {
destroy_applet.receive();
} catch(UnattachedPortException e) {
exception_Panel_Type.destroy_applet_archiEH();
}
nextBehavEq = Unallocated;
actualPars = null;
break;
default:
49
nextBehavEq = null;
actualPars = null;
}
}
};
}
As can be noted, we have a BehavioralEquationInterface for each of the four behavioral equations of
Panel Type.
5.3 Preservation of Architectural Properties
We conclude by discussing the issue of guaranteeing that the properties proved at the architectural level
– through the techniques illustrated in Sect. 4 – are preserved at the code level. Since we have taken an
approach based on automatic code generation, property preservation should be achieved by construction.
In other words, the translation from PADL to Java illustrated before should have been defined in a way
that ensures property preservation. We now investigate this by separately considering the code generated
for thread coordination, the code generated for translating behavioral equations, and the code provided for
filling in stubs.
The code generated for coordinating threads cannot infringe the preservation of architectural properties,
up to the methods for handling the exceptions that semi-synchronous or architectural interactions may raise.
In fact, the code for thread coordination is completely generated in an automatic way by means of package
Sync. As far as the system topology is concerned, this is built in the RunnableArchi-implementing class
in the same way as prescribed by the second section of the PADL description. Moreover, both PADL and
Sync adhere to the same communication model. On the PADL side, each interaction is given three qualifiers:
input vs. output, synchronous vs. semi-synchronous vs. asynchronous, uni vs. and vs. or. Each interaction
is then translated into an invocation of method receive() or send() defined in the corresponding Port
object, depending on whether it is an input or an output interaction, respectively. Additionally, the kind of
this Port object – synchronous vs. semi-synchronous vs. asynchronous, uni vs. and vs. or – is the same as
that of the interaction.
Each behavioral equation occurring in an AET definition is translated into an inner state class of the
corresponding RunnableElem-implementing class. The translation proceeds by induction on the syntactical
structure of the process term occurring on the right-hand side of the behavioral equation. The way in which
the translation is carried out, together with the way in which the thread execution flow proceeds according
to the order established by the invocations of the behavioral equations, ensures the preservation of the AET
behavior, up to the methods for translating internal actions.
As a consequence, the preservation of architectural properties critically depends on the way in which
the software developer manually fills in EHSs and IASs. Here we shall consider only IASs, as EHSs can be
treated similarly.
1
2
1
2
m m
stat
stat
abstraction
stat
refinement
a
a
a
a
Figure 6: Refinement of an internal action and related statement abstraction
In order to be able to reason about architectural property preservation, we have to compare the internal
actions and the corresponding sequences of Java statements on the same process algebraic ground. As shown
in Fig. 6, each of the Java statements into which an internal action is refined during the translation process
can be abstractly viewed as a fresh action. The following theorem provides a sufficient condition for ensuring
the preservation of an architectural property. For the sake of simplicity, as mentioned at the beginning of
50
Sect. 4, we concentrate on deadlock freedom. Below, we denote by 'B the observational equivalence of [34],
which is a refinement of ≈B that turns out to be a congruence with respect to alternative composition too.
Theorem 5.7 Let T be the process algebraic description of the behavior of a thread and a be an internal
action occurring in T . Let a1, a2, . . . , am be the fresh actions abstracting the statements into which a is
translated and T ′ be the process algebraic description of the behavior of the thread obtained from T by
replacing every occurrence of a . with a1 . a2 . . . . . am . . Let H be the set of internal actions occurring in T
or T ′. Whenever T is deadlock free and a . stop/H 'B a1 . a2 . . . . . am . stop/H, then T ′ is deadlock free as
well.
Proof Since 'B is a congruence with respect to all the process algebraic operators, from a . stop/H 'B
a1 . a2 . . . . . am . stop/H it follows that T/H 'B T ′/H, hence T/H ≈B T ′/H because ≈B is coarser than
'B. Since T is deadlock free, ≈B preserves deadlock freedom, and deadlock freedom is expressed in terms
of interactions (which cannot belong to H), it follows that T ′ is deadlock free as well.
Note that, in the theorem above, it is not necessarily the case that all of the actions a1, a2, . . . , am
associated with the Java statements provided by the software developer belong to H. As an example, one of
such actions may correspond to an invocation of send() or receive() or of a method such as behavEqCall()
belonging to a state class. Fortunately, in practice both cases are prevented from occurring by the fact that
the Port objects – which contain methods send() and receive() – and the RunnableElem-implementing
class instances – which contain the state classes – are not visible within the stubs.
In order to preserve architectural properties, we provide some guidelines that the software developer
should follow when filling in the stubs for handling exceptions and internal actions. The purpose of these
guidelines is to achieve as much as possible the benefits of code generation, i.e., speeding up system imple-
mentation in a way that conforms by construction to the architectural model of the system:
• No synchronized or thread control methods – like wait() and notify() – should be invoked within
the stubs, as their invocations would be internal to the threads but at the same time could affect the
way threads communicate with each other.
• No further thread should be created within the stubs, as this would have an observable impact on the
system topology and on thread coordination.
• There should be no variables/objects that are visible from several stub classes. This means that all
the data shared by several threads should be exchanged only through suitable units of package Sync.
• The stub method associated with the first internal action following an invocation of send() or receive()
should copy every object passed in that invocation, and all the stub methods associated with the sub-
sequent internal actions should work on those copies of the objects. This would avoid interferences
among threads stemming from the fact that send() always keeps a reference to the passed objects –
so that it can be defined within Sync in a way that supports arbitrarily many parameters of arbitrary
types – and such objects may be modified by the stub method associated with some internal action.
• All the exceptions that can be raised when executing a stub method should be caught – or prevented
from being raised – inside the method, rather than propagating to the RunnableElem-implementing
class.
• Nonterminating statements should not occur within stub methods.
We conclude by observing that we have found stubs more appropriate than abstract classes because the
former allow the generated code to be compiled, including invocations of stub methods as they are concrete.
In order to effectively remind the software developer to fill in the stubs, it would suffice to automatically
introduce a statement in the definition of each stub method, which prints out an explicative message whenever
an empty stub method is invoked at run time.
51
6 Conclusion
In this paper, we have extended a typical process algebraic architectural description language by including
semi-synchronous interactions – handled by means of suitable semantic rules – and asynchronous interac-
tions – managed by adding implicit buffer-like components. Besides enhancing the expressiveness of the
language without compromising its usability, we have shown that the architectural compatibility check and
the architectural interoperability check can be easily adapted to cope with the presence of nonsynchronous
interactions. Moreover, we have illustrated an architecture-inspired approach to the generation of mul-
tithreaded object-oriented code from process algebraic architectural descriptions containing an arbitrary
combination of synchronous and nonsynchronous interactions in such a way that properties proved at the
architectural level are preserved at the code level.
On the modeling and verification side, our work constitutes – as far as we know – the first systematic
attempt to deal with semi-synchronous and asynchronous communications in process algebraic architectural
description languages. Although we have focused on PADL (the interested reader is referred to [1] for a
comparison with similar notations), we believe that our ideas can be applied to the other process algebraic
architectural description languages appeared in the literature with minor modifications.
Concerning future work, we observe that, in the case of asynchronous interactions, the semantic model
underlying a process algebraic architectural description may have infinitely many states due to the additional
implicit components behaving like unbounded buffers. As shown in [13], it is hard to reason about component-
based systems under an asynchronous semantics, because many properties such as deadlock freedom are
undecidable. In order for the modified architectural checks to be effectively applicable in this case, one
option is to allow users to limit the size of buffers statically. Another option is to derive sufficient conditions
under which the state space is guaranteed to be finite, which requires further investigation.
On the code generation side, there are several related work. First of all we mention ArchJava [2]. This
is an extension of Java aiming at the unification of software architecture with implementation, in order to
ensure that the implementation conforms to the architectural specification with respect to communication
integrity. According to this property, each component in the implementation may only communicate directly
with the components to which it is connected in the architecture.
Our approach differs from ArchJava in several ways. First, it does not extend Java, but generates Java
code from process algebraic architectural descriptions. In our approach the developer is then required to fill
in some stubs to complete the code for the behavior of the threads, thus giving a certain degree of flexibility.
The price to be paid is that the guidelines may be violated, whereas a similar situation is not possible in
ArchJava. Second, our approach adopts a richer communication model, implemented and transparently made
available through package Sync. This guarantees a property even stronger than communication integrity:
implementation threads directly communicate only with the threads they are connected to in the architectural
description in the way prescribed by the architectural description itself with respect to communication
synchronicity (synchronous, semi-synchronous, asynchronous) and communication multiplicity (uni, and, or).
Third, since it keeps the architectural description language separated from the implementation language,
our approach provides a higher-level support than ArchJava for the preservation of behavioral properties.
On the other hand, the strong integration between architecture and implementation endows ArchJava with
useful dynamic capabilities, like run-time creation of components – although communication integrity places
restrictions on the way in which their instances can be used – and connections among them.
We then mention C2SADEL [33]. This is an architectural description language tied to the C2 style,
which combines the usual architectural concepts with type theory. Type checking is used to analyze the
architectural descriptions for consistency by unifying corresponding operations required and provided by
different components. Moreover, Java code can be automatically generated from C2SADEL descriptions.
Since type checking is a static analysis technique, while the architectural features on which we focus are
behavioral and concerned with a rich communication model, we believe that our approach can guarantee the
preservation of more complex properties than C2SADEL.
In the future, we plan to investigate the combination of our approach with those discussed before. In
particular, we would like to investigate the applicability of our approach to C2SADEL, in order to take
advantage of both type checking and behavioral analysis from the architectural level to the code level.
52
Similarly, we would like to experiment our approach with ArchJava – by generating ArchJava code instead
of Java code – in order to exploit the complementary strengths of the two approaches.
On the application side, we recall that the performance-oriented version Æmilia [5] of PADL is the input
language of TwoTowers [7], an open-source software tool for the functional verification, security analysis,
and performance evaluation of software architectures. TwoTowers is being extended in order to include
the capability of expressing semi-synchronous and asynchronous interactions, as well as to investigate the
absence of architectural mismatches through the modified compatibility and interoperability checks. More-
over, we have recently implemented another tool called PADL2Java, which translates PADL descriptions
into multithreaded Java code according to the approach presented in this paper. PADL2Java will soon
be integrated in TwoTowers, in order to construct an architecture-centric toolset encompassing modeling,
verification, and implementation of software architectures. This will allow us to investigate the effectiveness
and the scalability of our techniques when tackling larger case studies.
With regard to our toolset, we would like to integrate it with software model checking tools, like Java
PathFinder [39], and to define specific rules for static analysis tools, like TPTP [28]. The reason is that
the preservation at the code level of the properties proved at the architectural level is guaranteed only if
(the underlying platform is correct and) the software developer follows the guidelines provided in Sect. 5.3
when filling in IAS and EHS stubs. Having a software model checker such as PathFinder – possibly driven
by techniques like, e.g., those developed in [36, 26, 17] – available within TwoTowers would permit the
verification of the overall system after the possible intervention of the software developer, whereas customized
static analysis tools such as TPTP may be exploited for guiding the previously mentioned intervention.
References
[1] A. Aldini and M. Bernardo, “On the Usability of Process Algebra: An Architectural View”, in Theoretical
Computer Science 335:281–329, 2005.
[2] J. Aldrich, C. Chambers, and D. Notkin, “ArchJava: Connecting Software Architecture to Implementation”,
in Proc. of the 24th Int. Conf. on Software Engineering (ICSE 2002), IEEE-CS Press, pp. 187–197, Orlando
(FL), 2002.
[3] R. Allen, R. Douence, and D. Garlan, “Specifying and Analyzing Dynamic Software Architectures”, in Proc. of
the 1st Int. Conf. on Fundamental Approaches to Software Engineering (FASE 1998), Springer, LNCS 1382:21–
37, Lisbon (Portugal), 1998.
[4] R. Allen and D. Garlan, “A Formal Basis for Architectural Connection”, in ACM Trans. on Software Engi-
neering and Methodology 6:213–249, 1997.
[5] S. Balsamo, M. Bernardo, and M. Simeoni, “Performance Evaluation at the Software Architecture Level”,
in [12]:207–258.
[6] J.A. Bergstra, A. Ponse, and S.A. Smolka (eds.), “Handbook of Process Algebra”, Elsevier, 2001.
[7] M. Bernardo, “TwoTowers 5.1 User Manual”,
http://www.sti.uniurb.it/bernardo/twotowers/, 2006.
[8] M. Bernardo and E. Bonta`, “Generating Well-Synchronized Multithreaded Programs from Software Architecture
Descriptions”, in Proc. of the 4th Working IEEE/IFIP Conf. on Software Architecture (WICSA 2004), IEEE-
CS Press, pp. 167–176, Oslo (Norway), 2004.
[9] M. Bernardo and E. Bonta`, “Preserving Architectural Properties in Multithreaded Code Generation”, in Proc.
of the 7th Int. Conf. on Coordination Models and Languages (COORDINATION 2005), LNCS 3454:188–203,
Namur (Belgium), 2005.
[10] M. Bernardo and E. Bonta`, “Non-Synchronous Communications in Process Algebraic Architectural Description
Languages”, in Proc. of the 2nd European Conf. on Software Architecture (ECSA 2008), LNCS 5292:3–18,
Paphos (Cyprus), 2008.
[11] M. Bernardo, P. Ciancarini, and L. Donatiello, “Architecting Families of Software Systems with Process Alge-
bras”, in ACM Trans. on Software Engineering and Methodology 11:386–426, 2002.
[12] M. Bernardo and P. Inverardi (eds.), “Formal Methods for Software Architectures”, LNCS 2804, 2003.
53
[13] D. Brand and P. Zafiropulo, “On Communicating Finite-State Machines”, in Journal of the ACM 30:323–342,
1983.
[14] C. Canal, E. Pimentel, and J.M. Troya, “Specification and Refinement of Dynamic Software Architectures”,
in Proc. of the 1st Working IFIP Conf. on Software Architecture (WICSA 1999), Kluwer, pp. 107–126, San
Antonio (TX), 1999.
[15] C. Canal, E. Pimentel, and J.M. Troya, “Compatibility and Inheritance in Software Architectures”, in Science
of Computer Programming 41:105–138, 2001.
[16] A. Carzaniga, D.S. Rosenblum, and A.L. Wolf, “Design and Evaluation of a Wide-Area Event Notification
Service”, in ACM Trans. on Computer Systems 19:332–383, 2001.
[17] S. Chaki, E.M. Clarke, A. Groce, S. Jha, and H. Veith, “Modular Verification of Software Components in C”,
in IEEE Trans. on Software Engineering 30:388–402, 2004.
[18] E.M. Clarke, O. Grumberg, and D.A. Peled, “Model Checking”, MIT Press, 1999.
[19] R. Cleaveland and O. Sokolsky, “Equivalence and Preorder Checking for Finite-State Systems”, in [6]:391–424.
[20] K. Czarnecki and S. Helsen, “Feature-Based Survey of Model Transformation Approaches”, in IBM Systems
Journal 45:621–645, 2006.
[21] X. Deng, M.B. Dwyer, J. Hatcliff, and M. Mizuno, “Invariant-based Specification, Synthesis, and Verifica-
tion of Synchronization in Concurrent Programs”, in Proc. of the 24th Int. Conf. on Software Engineering
(ICSE 2002), ACM Press, pp. 442–452, Orlando (FL), 2002.
[22] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, “Design Patterns: Elements of Reusable Object-Oriented
Software”, Addison-Wesley, 1995.
[23] D. Garlan, “Formal Modeling and Analysis of Software Architectures: Components, Connectors, and Events”,
in [12]:1–24.
[24] D. Garlan, R. Allen, and J. Ockerbloom, “Exploiting Style in Architectural Design Environment”, in Proc.
of the 2nd ACM SIGSOFT Int. Symp. on Foundations of Software Engineering (FSE 1994), ACM Press,
pp. 175–188, New Orleans (LA), 1994.
[25] D. Gelernter, “Generative Communication in Linda”, in ACM Trans. on Programming Languages and Sys-
tems 7:80–112, 1985.
[26] D. Giannakopoulou, C.S. Pasareanu, and J.M. Cobleigh, “Assume-Guarantee Verification of Source Code with
Design-Level Assumptions”, in Proc. of the 26th Int. Conf. on Software Engineering (ICSE 2004), IEEE-CS
Press, pp. 211–220, Edinburgh (UK), 2004.
[27] R.J. van Glabbeek, “The Linear Time - Branching Time Spectrum I”, in [6]:3–99.
[28] S. Gu¨tz and O. Marquez, “TPTP Static Analysis Tutorial”, http://www.eclipse.org/tptp/, 2006.
[29] C.A.R. Hoare, “Communicating Sequential Processes”, Prentice Hall, 1985.
[30] P. Inverardi, A.L. Wolf, and D. Yankelevich, “Static Checking of System Behaviors Using Derived Component
Assumptions”, in ACM Trans. on Software Engineering and Methodology 9:239–272, 2000.
[31] J. Magee, N. Dulay, S. Eisenbach, and J. Kramer, “Specifying Distributed Software Architectures”, in Proc. of
the 5th European Software Engineering Conf. (ESEC 1995), LNCS 989:137–153, Barcelona (Spain), 1995.
[32] J. Magee and J. Kramer, “Concurrency: State Models & Java Programs”, Wiley, 1999.
[33] N. Medvidovic, D.S. Rosenblum, and R.N. Taylor, “A Language and Environment for Architecture-Based
Software Development and Evolution”, in Proc. of the 21st Int. Conf. on Software Engineering (ICSE 1999),
IEEE-CS Press, pp. 44–53, Los Angeles (CA), 1999.
[34] R. Milner, “Communication and Concurrency”, Prentice Hall, 1989.
[35] F. Oquendo, “pi-ADL: An Architecture Description Language Based on the Higher-Order Typed pi-Calculus
for Specifying Dynamic and Mobile Software Architectures”, in ACM Software Engineering Notes 29(3):1–14,
2004.
[36] P. Parizek, F. Plasil, and J. Kofron, “Model Checking of Software Components: Combining Java PathFinder
and Behavior Protocol Model Checker”, in Proc. of the 30th IEEE/NASA Software Engineering Workshop
(SEW-30), IEEE-CS Press, pp. 133–141, Columbia (MD), 2007.
54
[37] A. Poggi and G. Rimassa, “An Efficient and Flexible C++ Library for Concurrent Programming”, in Software
Practice and Experience 28:1437–1463, 1998.
[38] M. Shaw and D. Garlan, “Software Architecture: Perspectives on an Emerging Discipline”, Prentice Hall, 1996.
[39] W. Visser, K. Havelund, G.P. Brat, S. Park, and F. Lerda, “Model Checking Programs”, in Automated Software
Engineering Journal 10:203–232, 2003.
55
