Synthesis of Reo circuits from scenario-based interaction specifications  by Meng, Sun et al.
Science of Computer Programming 76 (2011) 651–680
Contents lists available at ScienceDirect
Science of Computer Programming
journal homepage: www.elsevier.com/locate/scico
Synthesis of Reo circuits from scenario-based interaction specifications
Sun Meng a,∗, Farhad Arbab a, Christel Baier b
a CWI, Amsterdam, The Netherlands
b Institute for Theoretical Computer Science, Technische Universität Dresden, Dresden, Germany
a r t i c l e i n f o
Article history:
Received 29 January 2009
Received in revised form 19 February 2010
Accepted 2 March 2010
Available online 20 March 2010
Keywords:
Connector
Reo circuits
Scenario-based specification
UML
Synthesis
a b s t r a c t
It is difficult to construct correct models for distributed large-scale service-oriented
applications. Typically, the behavior of such an application emerges from the interaction
and collaboration of multiple components/services. On the other hand, each component,
in general, takes part in multiple scenarios. Consequently, not only components, but
also their interaction protocols are important in the development process for distributed
systems. Coordination models and languages, like Reo, offer powerful ‘‘glue-code’’ to
encode interaction protocols. In this paper we propose a novel synthesis technique, which
can be used to generate Reo circuits directly from scenario specifications. Inspired by the
way UML2.0 sequence diagrams can be algebraically composed, we define an algebraic
framework for merging connectors generated from partial specifications by exploiting the
algebraic structure of UML sequence diagrams.
© 2010 Elsevier B.V. All rights reserved.
1. Introduction
Service-oriented applications consisting of services that may run on large-scale distributed platforms are notoriously
difficult to construct. It is well-known that most service-oriented applications rely on a collaborative behavior among
their constituent services/components, and this implies complex coordination. Therefore, construction of these applications
crucially depends on deriving a correct coordination model that specifies the precise order and causality of the actions of
their constituent services. For example, in an online banking scenario, a user can log into the system only after the account
information such as the account number and password are verified to be valid. Given the strong role that coordination of
components/services plays in such applications, important questions from the software engineering perspective include:
• What are the connectors in an application that coordinate the behavior of its components/services?
• What does a service oriented development process look like?
• How can one systematically generate connectors from interaction specifications?
In this paperwe address these questions byusingReo as the coordination language in service oriented applications, and show
how correct Reo circuits (connectors) can be synthesized automatically from scenario-based interaction specifications.
Scenarios represent a global view of interactions among the components (in the broadest sense) within a system. Each
scenario corresponds to a single temporal sequence of interactions among system components/services and provides a
partial system description. Scenarios are close to users’ understanding and they are often employed to refine use cases
and provide an abstract view of the system behavior. In recent years, scenario based languages such as UML Sequence
Diagrams (SDs) [30], message sequence charts (MSCs) [17,18], and Live Sequence Charts (LSCs) [13], have become popular
∗ Corresponding author.
E-mail addresses:M.Sun@cwi.nl (S. Meng), Farhad.Arbab@cwi.nl (F. Arbab), baier@tcs.inf.tu-dresden.de (C. Baier).
0167-6423/$ – see front matter© 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.scico.2010.03.002
652 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
Fig. 1. Behavior Skeleton of processes in EnterPwd Scenario.
for expressing behavioral requirements of applications. In this paper we focus on scenarios represented as UML sequence
diagrams. However, our synthesis approach can be easily generalized to use other alternatives, such as HMSC [28].
The idea of using scenario descriptions, such as UML SDs, to generate operational models and/or executable code, of
course, is not new [15,16,25,32]. We briefly describe some related work in this area in Section 6. However, most of the
existing work takes an endogenous approach for coordination.
As an example, consider a use case scenario in a simple bank ATM, that involves a user, an ATM, and a number of remote
processes, including a PIN verifier. The scenario describes that after feeding his card into the ATM, (1) the ATM asks the user
to enter his PIN; (2) the ATM sends the user ID and his PIN to the PIN verifier; (3) the PIN verifier verifies the PIN to determine
the validity of the access request; (4) the PIN verifier sends its (Allow/Deny/Confiscate) response back to the ATM; and (5)
depending on the content of the response, the ATM proceeds to either allow or deny user access, or confiscates his card,
presumably, after 3 unsuccessful attempts entering a wrong PIN. The common view of the transformation of this scenario
to executable code yields an ATM process and a PIN verifier process that directly communicate with each other: the ATM
process contains a ‘‘send ⟨ID, PIN⟩ to PINverifier’’ instruction somewhere in its code, implementing step 2; and the
PIN verifier process contains a ‘‘send response to ATM’’ instruction somewhere in its code, implementing step 4, above.
These direct communication instructions implement the coordination protocol described in the scenario in an endogenous
form.
Endogenous models implement/express a protocol only implicitly, through fragments of code in disparate entities that
are hardwired to specifically realize that protocol. Suppose now that in a later version of this system, it is decided that the
messages sent to the PIN verifier process must also be sent to some monitoring process, or instead of the PIN verifier to
another more sophisticated process (e.g., one that tells the ATM to confiscate the user’s card if the number of successive
wrong PIN access attempts by the same card ID through all involved ATMs within, say, a 24 h sliding window, exceeds
a threshold). Such changes to the protocol can easily be reflected in the SD specifications. However, implementing them
requires invasive changes to a variety of independent software units that comprise the participating processes; worse, these
changes may necessitate other less obvious changes that affect other software units and processes that are not directly
involved in the modified portion of the protocol. Thus, small, ‘‘local’’ changes to a protocol can propagate through large
spans of software units, touching them in ways that may invalidate their previously verified properties. Not only are such
invasivemodifications generally undesirable, in many cases they are impractical or even impossible, e.g., when they involve
legacy code or third party providers.
Alternatively, the exogenous view of a scenario (e.g., the EnterPwd SD in the top right corner of Fig. 4) imposes a purely
local interpretation on each inter-process communication, implementing it as a pure I/O operation on each side, that allows
processes to communicate anonymously, through the exchange of untargeted passive data. For instance, Fig. 1 shows the
behavior skeleton of the four processes involved in the EnterPwd SD, mentioned above. Observe that these processes
are not hardwired to directly communicate with each other. Replacing exchanges of targeted messages with simple I/O
localizes the range of their impact. This makes processes engaged in a protocol oblivious to changes in the protocol and
their peers that do not directly impact their own behavior. Having expunged all communication/coordination concerns out
of the parties involved, exogenous models relegate the task of conducting the required coordination to a (centralized or
distributed) coordinator glue code that establishes the necessary communication links among the parties and engages them
in the specified protocol. Reo is a good example of an exogenous coordination language that can be used to develop such
glue code.
The scheme that we advocate in this paper for generating coordination models from UML sequence diagrams uses the
exogenous view in its interpretation of these scenario specifications. To our knowledge, this approach is novel and no
other work has considered scenario specifications for exogenous coordination. Our approach is structural and embodies
the advantages inherent in the exogenous models of coordination: coordinated processes are strictly isolated from the
dependencies on their environment and the details of the protocol that do not involve their individual behavior. This leads to
more reusable processes, and an independent, explicit coordination protocol that can in turn be reused to coordinate these
or similar processes.
In [4] the problem of synthesizing Reo circuits from given automata specifications is discussed. In [7] we provide
an approach for synthesizing constraint automata from scenario specifications represented as UML sequence diagrams.
However, taking constraint automata as the bridge between scenarios and connectors, may introduce superfluous
serialization in the synthesis process and result in unnecessarily complex Reo circuits, even for simple scenarios. Our work
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 653
Fig. 2. Some basic channels in Reo.
in the remainder of this paper goes one step further toward bridging the gap between low-level implementations and
scenario-based specifications, by generating Reo circuits directly from UML SDs. This approach can reduce the redundancy
in our previouswork andmake the resulting Reo circuitsmore compact and efficient. Furthermore, the proposed translation
from UML SDs to Reo circuits in this paper is structural and therefore preserves the nature of the interaction specification
inherent in a UML SD. This is an advantage over the translation from constraint automata to Reo circuits which cannot
recover parallelism. In fact, in constraint automata, parallelism is lost and impossible to retract.
There is plenty of research on providing semantics for UML2.0 sequence diagrams [14,26,33]. Hereweuse the coalgebraic
approach in [33] for defining the semantics of basic sequence diagrams and formally define the operators for combining
sequence diagrams. As pointed out in [33], the coalgebraic approach is compositional, and leads to the coinductive proof
style which provides an elegant way to check the bisimulation and refinement relations between models. On the other
hand, the coalgebraic semantics of Reo is investigated in [6]. However, in [6], the semantics of a Reo circuit is given not
as a single coalgebra, but as a relation on the timed data streams (final coalgebras) on different nodes. This semantics
precisely specifies the initial intuition behind Reo connectors. The declarative, relational nature of this semantics is one
of its strengths; nevertheless, it also makes it difficult to operationalize and build formal proofs of bisimulation/simulation
relations. Fortunately, the operational semantics of Reo has been investigated in [9] by using an automata-based formalism,
called constraint automata. In a constraint automaton, states represent Reo configurations (which are determined by the
contents of the buffers) and transitions encode maximally-parallel stepwise evolution. Transition labels showmaximal sets
of active nodes and sets of data constraints. It is well known that state-based systems such as automata and transition
systems, can be described by coalgebras [19,31]. Therefore, in this paper we adopt such a coalgebraic interpretation of Reo
circuits, where the state space of a coalgebra has the samemeaning as in its constraint automata semantics, which turns the
coalgebra into an abstraction of its corresponding constraint automaton. One benefit of using this coalgebraic interpretation
is that the correctness of the mapping from UML to Reo in our synthesis approach can, in principle, be formally judged by
comparing their semantics.
The remainder of this paper is organized as follows: Section 2 contains a brief summary of Reo. In Section 3we present the
relevant features of UML Sequence Diagrams. We explain the construction of Reo circuits from given scenario specifications
represented by UML Sequence Diagrams in Section 4. In Section 5 we prove the correctness of our synthesis approach by
providing a bisimulation between the coalgebras for UML Sequence Diagrams and the synthesized Reo circuits. In Section 6,
we present related work and compare it with our approach. Finally, Section 7 concludes the paper.
2. Reo
Reo [2] is a channel-based exogenous coordination model wherein complex coordinators, called connectors, are
compositionally constructed from simpler ones. We summarize only the main concepts in Reo here. Further details about
Reo and its semantics can be found in [2,6,9].
Complex connectors in Reo consist of a network of primitive connectors, called channels. A connector provides the
protocol that controls and organizes the communication, synchronization and cooperation among the components/services
that it interconnects. Each channel has two channel ends. There are two types of channel ends: source and sink. A source
channel end accepts data into its channel, and a sink channel end dispenses data out of its channel. It is possible for the
ends of a channel to be both sinks or both sources. Reo places no restriction on the behavior of a channel and thus allows
an open-ended set of different channel types to be used simultaneously together. Each channel end can be connected to at
most one component instance at any given time. Fig. 2 shows the graphical representation of some simple channel types in
Reo. A FIFO1 channel represents an asynchronous channel with one buffer cell which is empty if no data item is shown in
the box (this is the case in Fig. 2). If a data element d is contained in the buffer of a FIFO1 channel then d is shown inside
the box in its graphical representation. A synchronous channel has a source and a sink end and no buffer. It accepts a data
item through its source end iff it can simultaneously dispense it through its sink. A lossy synchronous channel is similar to
a synchronous channel except that it always accepts all data items through its source end. The data item is transferred if
it is possible for the data item to be dispensed through the sink end, otherwise the data item is lost. For a filter channel, its
pattern P ⊆ Data specifies the type of data items that can be transmitted through the channel. Any value d ∈ P is accepted
through its source end iff its sink end can simultaneously dispense d; all data items d /∈ P are always accepted through the
source end, but are immediately lost. The P-producer is a variant of a synchronous channel whose source end accepts any
data item, but the value dispensed through its sink end is always a data element d ∈ P .
There are some more exotic channels permitted in Reo: (A)synchronous drains have two source ends and no sink end. No
data value can be obtained from drains since they have no sink end. A synchronous drain can accept a data item through
one of its ends iff a data item is also available for it to simultaneously accept through its other end as well, and all data
654 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
a b
Fig. 3. Sequencer.
accepted by the channel are lost. An asynchronous drain accepts data items through its source ends and loses them, but
never simultaneously. (A)synchronous Spouts are duals to the drain channels, as they have two sink ends.
Complex connectors are constructed by composing simpler ones via the join and hiding operations. Channels are joined
together in nodes. A node consists of a set of channel ends. The set of channel ends coincident on a node A is disjointly
partitioned into the setsSrc(A) andSnk(A), denoting the sets of source and sink channel ends that coincide onA, respectively.
Nodes are categorized into source, sink andmixed nodes, depending on whether all channel ends that coincide on a node are
source ends, sink ends or a combination of the two. The hiding operation is used to hide the internal topology of a component
connector. The hidden nodes can no longer be accessed or observed from outside. A complex connector has a graphical
representation, called a Reo circuit, which is a finite graph where the nodes are labeled with pair-wise disjoint, non-empty
sets of channel ends, and the edges represent their connecting channels. The behavior of a Reo circuit is formalized bymeans
of the data-flow at its sink and source nodes. Intuitively, the source nodes of a circuit are analogous to the input ports, and
the sink nodes to the output ports of a component, while mixed nodes are its hidden internal details. Components cannot
connect to, read from, or write to mixed nodes. Instead, data-flow through mixed nodes is totally specified by the circuits
they belong to.
A component can write data items to a source node that it is connected to. The write operation succeeds only if all
(source) channel ends coincident on the node accept the data item, in which case the data item is transparently written
to every source end coincident on the node. A source node, thus, acts as a replicator. A component can obtain data items,
by an input operation, from a sink node that it is connected to. A take operation succeeds only if at least one of the (sink)
channel ends coincident on the node offers a suitable data item; if more than one coincident channel end offers suitable
data items, one is selected non-deterministically. A sink node, thus, acts as a non-deterministic merger. A mixed node non-
deterministically selects and takes a suitable data item offered by one of its coincident sink channel ends and replicates it
into all of its coincident source channel ends. At most one component can be connected to a (source or sink) node at a time.
The I/O operations are performed through interface nodes of components which are called ports.
Example 1 (Sequencer). Fig. 3(a) shows an implementation of a sequencer by composing five synchronous channels and
four FIFO1 channels together. The first (leftmost) FIFO1 channel is initialized to have a data item in its buffer, as indicated
by the presence of the symbol e in the box representing its buffer cell. The actual value of the data item is irrelevant. The
connector provides only the four nodes A, B, C and D for other entities (connectors or component instances) to take from.
The take operation on nodes A, B, C and D can succeed only in the strict left-to-right order. This connector implements a
generic sequencing protocol: we can parameterize this connector to have as many nodes as we want simply by inserting
more (or fewer) Sync and FIFO1 channel pairs, as required.
Fig. 3(b) shows a simple example of the utility of the sequencer. The connector in this figure consists of a two-node
sequencer, plus a pair of Sync channels and a SyncDrain channel connecting each of the nodes of the sequencer to the nodes
A and C , and B and C , respectively. The behavior of the connector can be seen as imposing an order on the flow of the data
items written to A and B, through C: the sequence of data items obtained by successive take operations on C consists of
the first data item written to B, followed by the first data item written to A, followed by the second data item written to B,
followed by the second data item written to A, and so on. 
In the remainder of the paper, we discuss the synthesis problem of Reo circuits where the input specification of the
desired coordination is given by UML sequence diagrams, as presented in the next section.
3. UML sequence diagrams
UML Sequence Diagrams are used tomodel the dynamic behavior of systems. Graphically, a UML SD has two dimensions:
an horizontal dimension representing the components participating in the scenario, and a vertical dimension representing
time. Every component has a vertical dashed line called its lifeline. SDs focus on themessage interchange among a number of
lifelines. An SD describes an interaction by focusing on the sequence of messages exchanged during a system run. See Fig. 4
as an example of sequence diagrams that describe the interactions in the login phase of an online banking scenario. A UML
SD is represented as a rectangular frame labeled by the keyword sd followed by the name of the interaction. The vertical
lines in the SD represent lifelines for the individual participants in the interaction.
A message defines a particular communication between lifelines of an interaction. It can be either asynchronous
(represented by an open arrowhead) or synchronous (represented by a filled arrowhead). Additionally, there are two special
kinds of messages: lost (respectively, found) messages (not shown in Fig. 4), which are denoted by a small black circle at the
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 655
Fig. 4. Sequence diagrams for the on-line banking example.
end (respectively, the start) of the arrow representing the message. Note that what we are interested in is the coordination
between components/services, so we consider only a subset of the UML2.0 SDs. What is left out of this subset consists of the
following two parts:
(1) The internal behavior of processes represented as actions within the same lifelines in SDs (like the check action in Fig. 4)
will not be considered in the synthesis process. This is justified because we intend the synthesized coordination in our
approach to reflect only the inter-process interaction in a system. We specifically do not wish to obtain a global state
machine that intertwines both the behavior of the components in a system and the interactions among them.
(2) The neg, ignore and critical operators on sequence diagrams. These are not operators for composition of sequence
diagrams, since they take as input a single sequence diagram and ‘‘refine’’ its semantics either by permitting more
behaviors or by ruling out certain behaviors.
The internal behavior or internal actions within a lifeline in an SD (such as check in SD EnterPwd in Fig. 4) constitute
an assumption that the component (Bank in Fig. 4) must fulfill. For the example, the check in EnterPwd means that after
receiving the message verifywithBank, the bank must check the validity of the account number and password pair. This can
be modeled by a constraint automaton for the bank. For the synthesis of the Reo circuit that captures the inter-process
communication in the system, this constraint automaton is irrelevant. However, to verify the UML SD of a system via Reo
model checkers, the automata for the system components (like the bank) may become important as well, for instance, to
prove certain properties using the assume/guarantee paradigm. Given that in this paper we focus on the construction of the
Reo circuit, we ignore such internal behavior, and assume that the automata for the components still can (and will) be used
for the analysis of UML SDs.
3.1. Syntax
The signature of a basic UML sequence diagram is defined as follows:
Definition 1. A basic sequence diagram sd is given by a tuple
(I, Loc•,Mes, Locini, loc, E,≤)
656 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
where
• I is a set of instance identifiers corresponding to the participants in the interaction described by the diagram;
• Loc is a set of locations, and Loc• = Loc ∪ {•};
• Mes = M×Mtype denotes the set of messages, whereM is a set of message labels, andMtype = {→, }, where→ and
denote asynchronous and synchronous messages, respectively;
• Locini ⊆ Loc is a set of initial locations;• loc : I → 2Loc associates to each instance a set of locations. The function satisfies the following conditions expressing
disjointness and conformity with the initial constraints, respectively,
∀i, j ∈ I, i ≠ j . loc(i) ∩ loc(j) = ∅ (1)
∀i ∈ I . card(loc(i) ∩ Locini) = 1 (2)
where for a set S, card(S) returns the cardinality of S.
• E ⊆ Loc• × Mes × Loc• is a relation such that a tuple (l1, ⟨m, t⟩, l2) ∈ E represents a message m exchanged between l1
and l2, and t denotes the type of the message (synchronous or asynchronous).• ≤ ⊆ Loc × Loc is a partial order capturing the relative positions of locations within each lifeline in the diagram. 
Note that in general, for a relation in E to represent a communication between participants in a sequence diagram, its
source and target locations cannot be the same, i.e., the following property is assumed:
∀(l1, ⟨m, t⟩, l2) ∈ E . l1 ≠ l2
Observe that this assumption does not rule out a process sending a message to itself: it only requires for the source and the
target locations, which may still reside on the same lifeline, to be different.
Within this model the following function returns the next location in a particular lifeline. Formally,
• next : Loc → Loc is defined as
next(l) = l′ iff ∃i ∈ I . l, l′ ∈ loc(i) ∧ l < l′ ∧ ∀l′′ ∈ loc(i).l < l′′ ⇒ l′ ≤ l′′
where< stands, as usual, for the largest irreflexive subset of≤.
Let l1, l2 range over Loc , and Σm be the set of communication events executed concerning messages exchanged in a
sequence diagram sd. For every relation (l1, ⟨m, t⟩, l2) ∈ E, where ⟨m, t⟩ ∈ Mes, there are two events inΣm, corresponding
to the sending and receiving ofm, which occur at locations l1 and l2 respectively. Each event e ∈ Σm has one of the following
forms:
(1) ⟨l1 → l2,m⟩ — l1 sends the asynchronous messagem to l2,
(2) ⟨l1 ← l2,m⟩ — l1 receives the asynchronous messagem from l2,
(3) ⟨l1 l2,m⟩ — l1 sends the synchronous messagem to l2, and
(4) ⟨l1 l2,m⟩ — l1 receives the synchronous messagem from l2.
The cases for lost and foundmessages can be represented by replacing l2 by • in the first two cases. For an arbitrary event
e ∈ Σm,
type(e) ∈ {→,←, , }
denotes the type of the event (sending/receiving for asynchronous messages and sending/receiving of synchronous
messages). The direction of the arrow for type(e) specifies whether e is the sending or receiving event of a message,
while solid-head and open-head arrows represent synchronous and asynchronous messages, respectively. For example,
if e = ⟨l1 ← l2,m⟩, then type(e) =←, which means that e is a receiving event of an asynchronous message.
Since the sending and receiving events for a synchronousmessagemust happen simultaneously, for e = ⟨l1 l2,m⟩ and
its corresponding receiving event e = ⟨l2 l1,m⟩, we use ⟨e, e⟩ to denote the occurrence of such a pair of events, and
Σ = Σm \ {e | type(e) = ∨ type(e) = } ∪ {⟨e, e⟩ | type(e) = }
UML SDsmay contain sub-interactions called interaction fragments that can be structured and combined using interaction
operators. There are several possible operators in UML for composing sequence diagrams, such as alt, opt, strict, par, seq
and loop. Depending on the operator used, an interaction fragment contains of one or more operands. For loop and opt, the
fragment has exactly one operand, while the other operators have several operands.1
1 As mentioned earlier, a few more operators are given in [30] than the ones we consider here, for instance neg, ignore and critical. These operators
take as input a single sequence diagram and ‘‘refine’’ its semantics either by permitting more behaviors or by ruling out certain behaviors, but they are not
used for composition of sequence diagrams. The negative operator neg designates that the fragment represents traces that are invalid; the ignore operator
designates that there are some messages that are not shown within the fragment, which are insignificant and can appear anywhere in the traces; the
critical operator designates that the fragment represents a critical region, which means that the traces of the region cannot be interleaved by other event
occurrences (on those lifelines covered by the region). Such operators provide some sort of coercion which restricts or expands the underlying possible
behaviors. They are useful, for example, for verifying system properties and test case construction. We can easily handle the cases for these operators in
our framework. For simplicity, we will not consider these operators further in this paper.
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 657
Definition 2. The syntax for sequence diagrams is defined as follows:
SD ::= sd | alt(g1 : SD, g2 : SD) | par(SD, SD) | strict(SD, SD) |
seq(SD, SD) | opt(SD) | loop(g : SD)
where sd denotes a basic sequence diagram, and alt, par, strict, seq, opt and loop are the interaction composition
operators. 
3.2. Semantics
The semantics for a sequence diagram sd = (I, Loc•,Mes, Locini, loc, E,≤) can be defined in terms of coalgebras as
(C, ⟨ϵ, α⟩ : C → P(Σm) × CΣ ), where C is the set of the possible configurations of sd, ϵ : C → P(Σm) denotes the
set of active events in a configuration, and α : C −→ CΣ . Thus, the semantics of a sequence diagram is a coalgebra of the
functor
T = P(Σm)×−Σ (3)
together with an initial configuration c0, which is given by the tuple of initial locations c0 = ∏l∈Locini l. The set of initially
active events is
ϵ(c0) = {e | π(e) ∈ Locini ∧ type(e) ≠←}
A configuration of a sequence diagram denotes a global state, composed of the local states of its participants. For every
configuration, there is a set of active events that may happen in that configuration.
Definition 3. A configuration c of a sequence diagram is a tuple of the local states (locations) of its participants. 
Suppose C denotes the set of all possible configurations, For any event e ∈ Σm, the location at which e happens is defined
by π(e) = l iff e = ⟨l(· · · )⟩. This notation generalizes for a set of eventsΣ ′ ⊆ Σm as πΣ ′ = {π(e) | e ∈ Σ ′}. Here π(e) ∈ c
means π(e) is a location in c. A configuration c is called final and denoted by cF if ϵ(c) = ∅.
Wenowdefineα, the curried version ofα, by enumerating all possible transition schemes. For synchronousmessages, the
eventsmodelling both sending and receiving occur simultaneously (i.e., in an atomic, non interruptible way): no other event
can occur in between. So if the current configuration is c and both the sending event e = ⟨l1 l2,m⟩ and its corresponding
receiving event e = ⟨l2 l1,m⟩ are active, i.e., e ∈ ϵ(c), e ∈ ϵ(c), then we have
α(c, ⟨e, e⟩) = c[next(l1)/l1, next(l2)/l2]
and
ϵ(α(c, ⟨e, e⟩)) = ϵ(c) \ {e, e} ∪

e′
 
k=1,2
π(e′) = next(lk) ∧ type(e′) ≠←

For asynchronous messages, however, when the sending event occurs, the location of the sender will be updated to
the next location in its lifeline, while the locations of the other participants remain unchanged. The sending event is
therefore removed from the set of active events. On the other hand, the corresponding receiving event will be added to
this set. Furthermore, the events at the next location of the sender’s lifeline will become active in the new configuration. If
e = ⟨l1 → l2,m⟩ is active in configuration c , we have
α(c, e) = c[next(l1)/l1]
and
ϵ(α(c, e)) = ϵ(c) \ {e} ∪ {⟨l2 ← l1,m⟩} ∪ {e′ | π(e′) = next(l1) ∧ type(e′) ≠←}
Dually, when an asynchronous message is received, the receiver changes to the next location in its lifeline, while the
locations of all other participants remain unchanged. Formally, if e = ⟨l1 ← l2,m⟩ is active in configuration c , we have
α(c, e) = c[next(l1)/l1]
and
ϵ(α(c, e)) = ϵ(c) \ {e} ∪ {e′ | π(e′) = next(l1) ∧ type(e′) ≠←}
The case of a lost message, represented by the event e = ⟨l → •,m⟩, is similar to the asynchronous communication:
the sender updates its location and e is removed from the set of active events. However, no corresponding receiving event
becomes active. Similarly, for a found message, when a receiving event e = ⟨l ← •,m⟩ occurs, only the location of the
receiver is updated and e is removed from the set of active events. Both cases are, therefore, handled by
α(c, e) = c[next(l)/l]
658 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
and
ϵ(α(c, e)) = ϵ(c) \ {e} ∪ {e′ | π(e′) = next(l) ∧ type(e′) ≠←}
assuming the corresponding events are enabled in configuration c .
Additionally, note that for a coregion in one lifeline in a sequence diagram the order of event occurrences is not significant.
In our model, a coregion is taken as one location. Let l be the location for a coregion, we use
Σl = {e | π(e) = l}
to denote all the events that are active in the coregion. If e ∈ Σl, then
α(c, e) = let Σl = Σl \ {e} in

Σl = ∅ ⇒ c[next(l)/l]
Σl ≠ ∅ ⇒ c
The semantics of an interaction fragment depends on the operator used in its definition, as informally described in the
UML superstructure specification [30]. These operators have been formally investigated in [33], which leads to an algebra
for building new sequence diagrams from existing ones. The denotations given in the following paragraphs are similar to
those in [33] for the operators. However, since the functor type is different than the one in [33],2 the definitions of all the
operators are also changed. Let [[sdi]] = (Ci, ⟨ϵi, αi⟩, c i0) for i = 1, 2, the definitions are given as follows:
Strict sequential composition: strict(sd1, sd2)
The transition structure in3
[[strict(sd1, sd2)]] = (C, ⟨strict(ϵ1, ϵ2), strict(α1, α2)⟩, c0)
is defined over C = C1 ∪ C2 \ {c | c ∈ C1 ∧ ϵ1(c) = ∅} and c0 = c10 as follows
strict(ϵ1, ϵ2)(x) =

x ∈ C1 ∧ ϵ1(x) ≠ ∅ ⇒ ϵ1(x)
x ∈ C2 ⇒ ϵ2(x)
strict(α1, α2)(x, e) =

x ∈ C1 ⇒ let x′ = α1(x, e) in ϵ1x′ = ∅ ⇒ c20
otherwise x′
otherwise α2(x, e)
Parallel: par(sd1, sd2)
In this case we consider C = {(c1, c2) | for i = 1, 2, ci ∈ Ci} and c0 = (c10 , c20 ) in
[[par(sd1, sd2)]] = (C, ⟨par(ϵ1, ϵ2), par(α1, α2)⟩, c0)
where the transition structure is defined as
par(ϵ1, ϵ2)(x) = ϵ1(π1x) ∪ ϵ2(π2x)
par(α1, α2)(x, e) =

e ∈ Σ1 ⇒ let x′ = α1(π1x, e) in (x′, π2x)
e ∈ Σ2 ⇒ let x′ = α2(π2x, e) in (π1x, x′)
otherwise x
Option: opt(sd1)
The purpose of opt(sd1) is to offer an alternative between an empty scenario (in which ‘nothing happens’) and the activation
of its (sole) operand, sd1. To formalize its meaning we need to introduce a new event – skip – to capture the absence of
effective behavior. The event skip does nothing but terminates successfully. Then
[[opt(sd1)]] = (C, ⟨opt(ϵ1), opt(α1)⟩, c0)
where C = C1 and c0 = c10 . The transition structure is defined as
opt(ϵ1)(x) =

x = c0 ⇒ ϵ1(x) ∪ {skip}
otherwise ϵ1(x)
opt(α1)(x, e) =

x ≠ c0 ∧ e ∈ Σ1 ⇒ α1(x, e)
x = c0 ∧ e = skip ⇒ let x′ ∈ C in ϵx′ = ∅ ⇒ x′
x = c0 ∧ e ∈ Σ1 ⇒ α1(c0, e)
otherwise x
2 The reasons for the difference are: (1) the functor used in [33] also takes internal actions within one lifeline into consideration, but this is not useful for
our synthesis of connectors; (2) the functor makes explicit that a set of enabled events is present in the initial state, i.e., before any interaction occurs; and
(3) the carrier of the corresponding final coalgebra takes a quite simple form ν =P(Σm)Σ∗ , i.e., functions that relate eachΣ-trace to the set of enabled
events upon completion of its execution.
3 To avoid an excessive notational burden, we use the same syntax for the combinator over sequence diagrams and its denotation in the proposed
semantics.
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 659
Semantically, an option is equivalent to a nondeterministic choice between twooperandswhere one operandhas non-empty
content and the other is empty. So when opt(sd1) is at c0, the choice between skip and e ∈ Σ1 is nondeterministic.
Choice: alt(g1 : sd1, g2 : sd2)
Denoting an alternative form of aggregation of sequence diagrams, it requires that c10 = c20 , and c1F = c2F , and that if gi is
satisfied at the initial configuration c0, then all events inΣ i0 become active in c0. If neither guard condition is satisfied in the
initial configuration, then neither sd1 nor sd2 becomes active, and an empty scenario (represented by the skip event) will be
executed. Therefore, c0 = c10 , cF = c1F and C = {c0, cF } ∪ (C1 \ {c10 , c1F }) ∪ (C2 \ {c20 , c2F }). Formally,
[[alt(g1 : sd1, g2 : sd2)]] = (C, ⟨alt(ϵ1, ϵ2), alt(α1, α2)⟩, c0)
with
alt(ϵ1, ϵ2)(x) =

x = c0 ∧ c0  (g1 ∧ g2)⇒ Σ10 ∪Σ20
x = c0 ∧ c0  g1 ∧ c0 2 g2 ⇒ Σ10
x = c0 ∧ c0  g2 ∧ c0 2 g1 ⇒ Σ20
x = c0 ∧i=1,2 c0 2 gi ⇒ {skip}
x ∈ C1 \ {c10 , c1F } ⇒ ϵ1(x)
x ∈ C2 \ {c20 , c2F } ⇒ ϵ2(x)
x = cF ⇒ ∅
alt(α1, α2)(x, e) =

x = c0 ∧ c0  gi ∧ e ∈ Σi ⇒ αi(c i0, e) for i = 1, 2
x = c0 ∧i=1,2 c0 2 gi ∧ e = skip ⇒ cF
x ∈ C1 \ {c10 } ∧ e ∈ Σ1 ⇒ α1(x, e)
x ∈ C2 \ {c20 } ∧ e ∈ Σ2 ⇒ α2(x, e)
otherwise x
where x is a configuration in C , and e is an event in eitherΣ1 orΣ2.
Weak sequential composition: seq(sd1, sd2)
The case for weak sequential composition seq(sd1, sd2) for sdi, i = 1, 2 is a bit more demanding because its definition de-
pends onwhether the operands share any lifelines. If such is the case, then for every identifier s ∈ I1∩I2, all event occurrences
on s in sd1 must happen before those on s in sd2. However, all other events in sd1 and sd2 on lifelines not in I1 ∩ I2 may occur
in any order. Note that if the operands involve disjoint sets of participants (i.e., I1 ∩ I2 = ∅), the weak sequencing reduces
to a parallel merge.
Assume an identifier s, such that I1 ∩ I2 = {s}, and the functions loc1 and loc2 assigning locations to the instances in sd1
and sd2, respectively. Let loc(s) = loc1(s) ∪ loc2(s). Furthermore, and without loss of generality, let C1 = loc1(s) × L and
C2 = loc2(s)×K be the set of configurations for sd1 and sd2 respectively, where L =∏i∈I1\{s} loc1(i) and K =∏j∈I2\{s} loc2(j).
Then, define
[[seq(sd1, sd2)]] =

(C, ⟨seq(ϵ1, ϵ2), seq(α1, α2)⟩, c0) if I1 ∩ I2 = {s}
[[par(sd1, sd2)]] if I1 ∩ I2 = ∅
with C = loc(s)× L× K and c0 = (⟨π1, π2⟩c10 , π3c20 ).
The transition structure is given by
seq(α1, α2)(x, e) = let {s} = I1 ∩ I2

π(e) ∩ loc1(s) ≠ ∅ ∧ ⟨π1, π2⟩x ∈ C1 ⇒
let x′ = α1(⟨π1, π2⟩x, e), in
π1x′ = π1c1F ⇒ (π1c20 , π2x′, π3x)
otherwise (π1x′, π2x′, π3x)
π(e) ∩ loc2(s) ≠ ∅ ∧ ⟨π1, π3⟩x ∈ C2 ⇒
let x′ = α2(⟨π1, π3⟩x, e) in (π1x′, π2x, π2x′)
π(e) ∩ loc(s) = ∅ ⇒
e ∈ Σ1 ⇒⟨π1, π2⟩x ∈ C1 ⇒ let x′ = α1(⟨π1, π2⟩x, e) in (π1x′, π2x′, π3x)
otherwise let x′ = α1((π1c1F , π2x), e) in (π1x, π2x′, π3x)
e ∈ Σ2 ⇒⟨π1, π3⟩x ∈ C2 ⇒ let x′ = α2(⟨π1, π3⟩x, e) in (π1x′, π2x, π2x′)
otherwise let x′ = α2((π1c20 , π3x), e) in (π1x, π2x, π3x′)
660 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
We use ϵ as an abbreviation for seq(ϵ1, ϵ2), and for any c ∈ C ,
ϵ(c) =

(ai,πi+1c)∈Ci,i=1,2
ϵi((ai, πi+1c)) \ {e | π(e) ∈ loc(s) ∧ π(e) ≠ π1(c)}
where ai ∈ loci(s), i = 1, 2 are two locations such that
(a1, π2c) ∈ C1 ∧ (a2, π3c) ∈ C2 ∧ (π1c = a1 ∨ π1c = a2)
This definition can be easily generalized to an arbitrary number of shared lifelines in sd1 and sd2.
Loop: loop(g : sd1)
Finally, the semantics of the iteration combinator is given by
[[loop(g : sd1)]] = (C, ⟨loop(ϵ1), loop(α1)⟩, c0)
over C = C1 and c0 = c10 , and with the following transition structure
loop(ϵ1)(x) =

x = c0 ⇒ ϵ1(x) ∪ {skip}
x ∈ C \ {c0} ⇒ ϵ1(x)
loop(α1)(x, e) =

x = c0 ∧ c0 2 g ∧ e = skip ⇒ cF
(x ≠ c0 ∨ (x = c0 ∧ c0  g)) ∧ e ∈ ϵ1(x)⇒
let x′ = α1(x, e) in
loop(ϵ1)(x′) = ∅ ∧ x′  g ⇒ c0
otherwise x′
otherwise x
4. From UML sequence diagrams to Reo
We now address the issue of constructing Reo circuits from scenario specifications represented by UML SDs. Since the
source and the sink nodes of a Reo circuit are used for components to exchange data through write and take operations, we
first need to identify the node setN of a circuit involved in an interaction. Assume the participants (components) involved
in the interaction are represented by the set of lifelines L = {p1, . . . , pn}. For simplicity, and without loss of generality, we
assume every component has only one input and one output port connected to the corresponding sink and source nodes of
the Reo circuit. Therefore, our starting point is a description of a component connector by its source nodes C1, . . . , Cn and
sink nodes D1, . . . ,Dn, such that each component pi can write messages to the node Ci and take messages from the node Di.
Additionally, the interaction behavior coordinated by the connector is described by a set of UML SDs.
In the sequel, letN = {C1, . . . , Cn} ∪ {D1, . . . ,Dn} contain all nodes attached to the components involved in a scenario
specification,wherewe assume that the Ci’s are source nodes and theDj’s are sink nodes. Our goal is to construct a Reo circuit
Rwith source nodes C1, . . . , Cn and sink nodes D1, . . . ,Dn, such that the behavior represented by the scenario specification
is permitted by the communication protocol encoded in R.
For the construction of R, we first consider the construction of Reo circuits for basic sequence diagrams without
interaction operators. Assume that there are n lifelines p1, . . . , pn in a basic SD. Every lifeline pi represents an individual
participant in the interaction, and we can derive an order of event occurrences along the lifeline, which is significant as it
denotes the order in which these events occur.
4.1. Reo circuits for individual participants
The first step in our synthesis approach consists of deriving a sequencer for every lifeline pi in a basic sequence diagram.
If there are k events (sending and receiving of messages) on a lifeline pi (and thus k locations l1, . . . , lk), then the sequencer
corresponding to pi also has k nodes (e.g., A1, . . . , Ak), the order of which corresponds to the order of the events/locations on
pi. Without loss of generality, we assume here that the component/service/process that implements the behavior described
by pi produces/consumes all of the k messages corresponding to these k events through two separate, dedicated I/O ports
(e.g., Ci for output port and Di for input port). Next, we link each of the two ports of the process that implements pi to
its corresponding nodes of the sequencer using synchronous drains and either synchronous or filter channels. If the event
corresponding to a location lj involves the sending of a message m, then a filter with pattern m is used to link the node
(output port) Ci to the synchronous drain channel connected to that location’s respective sequencer node Aj. On the other
hand, if the event involves receiving a message, then a synchronous channel is used to link the node (input port) Di to the
synchronous drain channel connected to that location’s respective sequencer node Aj. Note that when a lifeline has only one
location, i.e., there is only one sending or receiving event on the lifeline, there is no need for a sequencer; in other words, a
one-node sequencer (and its attached synchronous drain) all degenerate into a single node.
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 661
Fig. 5. Introducing sequencers for individual lifelines in a scenario (1).
Fig. 6. Introducing sequencers for individual lifelines in a scenario (2).
Fig. 7. Reo circuit for a scenario.
Fig. 5 shows an example of our approach. There are two participants p1 and p2 involved in the scenario. The interaction
between them is shown by the messages m1, m2 and m3, which are all synchronous in this example. We first consider p1,
whose behavior involves first sendingmessagem1, then receivingmessagem2 and finally sendingmessagem3, sequentially.
There are three events happening on the lifeline, so we introduce a 3-node sequencer, where the first and the last nodes
are connected to the node C1 by two filters respectively, and the node in the middle is connected to D1 via a synchronous
channel. The patternsm1 andm3 on the filters ensure that p1 canwrite only these twomessages out, and the synchronization
between the nodes of the sequencer and the nodes of the channels connected to C1 and D1 ensures that the sending of m1
happens first. Note that on the p1 side, there is no restriction on the channel A2D1, like a filter, to ensure that the message
received through this channel ism2. This is guaranteed by the filter in the synthesized part for p2, as shown in Fig. 6. In other
words, the type of a message is always guaranteed by its sender.
4.2. Reo circuits for basic SDs
After we derive the sequencers for all participants from their respective lifelines in isolation, we can connect their
respective nodes Ai, Bj, . . . pairwise by synchronous or asynchronous Reo channels, according to the types and the order
of messages, as defined in a basic SD. If (l1, ⟨m, t⟩, l2) ∈ E represents the exchange of a messagem between location l1 and
l2, m is a synchronous (respectively, asynchronous) message, then a synchronous (respectively, asynchronous) channel is
used to link the nodes corresponding to l1 and l2. The direction of the channel is consistent with the direction of themessage
exchange, i.e., the source (respectively, sink) node of the channel corresponds to the source (respectively, target) location of
the message.
For example, the Reo circuit on the right-hand-side in Fig. 7 is the result of composing the Reo circuits in Figs. 5 and 6,
according to the basic SD on the left-hand-side of Fig. 7, where all messages are synchronous. In the synthesized connector
for the whole SD, source nodes Ci and sink nodes Di are attached to pi respectively. Component p1 can write messages m1
andm3 to the source node C1, and receive messagem2 from the sink node D1. The filter connected to C1 and the sequencer
ensure that p1 receives some message after it sends out the message m1 and before it sends out the message m3. From the
synchronous channel between A2 and B2, and the filter C2B2, we know that the message received by p1 ism2.
Messages in a UML SD can also be asynchronous, which are graphically represented by open arrowheads, such as the
message displayindexpage and displayonlineBank in the SD UserArrives in Fig. 4. There are different possibilities for the
ordering of events for asynchronous messages, as shown in Fig. 8.
662 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
a b c
Fig. 8. Asynchronous messages.
Fig. 9. Connectors for different orders of asynchronous messages.
a b
Fig. 10. Connectors for asynchronous messages in a coregion.
Fig. 11. Same message to different lifelines.
Since the order of asynchronousmessage passingmay be different, it is not possible to use only one asynchronous channel
for all asynchronous communications. In Fig. 9, we give the Reo circuits for the scenarios in Fig. 8(a) and (b) respectively.
The FIFO1 channels are used for asynchronous messages, where the ordering of events is controlled by the topology of the
Reo circuits.
There can be a coregion area in a lifeline in UML SDswhere the order of event occurrences on the lifeline is not significant.
Fig. 8(c) shows an example of a coregion. In this case, the corresponding Reo circuit is as shown in Fig. 10(a), in which an
exclusive router EXR is needed, which is, in turn, composed of five synchronous channels, two lossy synchronous channels
and a synchronous drain, as shown in Fig. 10(b).
One participant in a scenario can send the samemessagemultiple times. Fig. 11 shows an example. In this case, an exclu-
sive router EXR can be used on the side of the sender, where themessages through the two sink nodes of EXR are ordered by
the sequencer, and connected to the nodes corresponding to the different receivers, respectively. Another possible solution
is to use lossy synchronous channels on the sender side where every time when the message m1 is sent by p1, it can be
transmitted through only one of the branches, and lost by the other ones. The order is decided, again, by the sequencer.
Messages in UML SDs can be lost. Lost messages are messages with known sender, but the reception of the message does
not happen. Such a situation can be captured by the Lost connector as shown in Fig. 12, where the source node Blost can
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 663
Fig. 12. Reo circuit for lost and found messages.
Fig. 13. Reo circuit for basic SDs.
Fig. 14. General structure of the Reo circuit in Fig. 7.
take a message from outside, and lose it in the synchronous drain. Such a component can be integrated in the synthesized
connector by connecting the node Blost to the node Ai synchronized with the sequencer for the sender of the lost message.
A message can also be found. A found message is a message whose receiving event occurrence is known, but has no
sending event occurrence. This is because the origin of the message is outside the scope of the participants. We can describe
such messages by the Found connector in Fig. 12 whose found message ism. The sink node Afound can be connected to some
node Bi for the receiver of the messagem in the corresponding Reo circuit.
4.3. Composing Reo circuits following UML operators
So far our Reo circuits focused on basic SDs. Next, we describe our compositional construction of the Reo circuits of basic
SDs following a structural induction approach. To structure the connectors according to the operators in UML SDs, we use
a general structure for the Reo circuits as shown in Fig. 13: Rsd is the Reo circuit for a basic SD sd, which is obtained as in
the previous section. In this construction, six (3× 2) more nodes are added to Rsd:Asd andBsd are two nodes synchronized
with the nodes of the sequencers inside Rsd, that correspond to the first sending event and the last receiving event in sd,
respectively.4 If the source node Asd is fed from outside with some data element, then it is put into the buffer between Asd
and Asd. As soon as Asd takes the data element from the buffer, the subcircuit Rsd is ‘‘activated’’ by the first message received
through some Ci. Similarly, the communication via the subcircuit stops as soon as a data element arrives at Bsd, which puts
it into the buffer between Bsd and Bsd. Thus, data-flow at the sink node Bsd can be viewed as a signal that Rsd has terminated.
As an example, the generalized Reo circuit for the connector in Fig. 7 is shown in Fig. 14.
Assume we have already constructed the circuits for the interaction fragments (basic SDs) of a sequence diagram SD. We
now explain how to construct a Reo circuit RSD for the whole diagram. Note that in the transformation rules for alt, par,
strict and seq, we only consider the case for two operands. In fact, using the graph transformation approach proposed in
[20,24] to instantiate parameterized Reo circuits, these rules extend to an arbitrary number of operands.
4 For simplicity, we assume here a total order on the events. In fact, we can handle the general case as well. If there are n sending events and any of them
can happen as the first one, then we can use an exclusive router EXR with n sink nodes as in Fig. 10, and connect each of the sink nodes in EXR with one
node corresponding to one such sending event by a synchronous drain. Similarly, we can deal with the case for multiple receiving events.
664 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
Fig. 15. Transformation rule for alternatives.
Fig. 16. Transformation rule for option.
Fig. 17. Transformation rule for parallel composition.
For SD = alt(g1 : sd1, g2 : sd2), the Reo circuit RSD is obtained by combining Rsd1 and Rsd2 with a replicator connected
to three filters and one exclusive router. The patterns on the filters correspond to the two guard conditions g1, g2, and the
conjunction of ¬g1 and ¬g2. The data item d to be transmitted via the channel ASDASD is related to the guard condition that
may be obtained from other nodes (i.e., g1 and g2 in Fig. 15). In this case, there is another Reo circuit R connected to ASD, in
which a FIFO channelAsdBsd is used for the control flow (see Fig. 14 as an example). If a data item (message) d is used as a
parameter in the guard condition g1 and g2, and it is transmitted through node Ai in R, then we canmove the source channel
end of the FIFO1 channelAsdBsd in R from nodeAsd to node Ai to get the data item d related to the guard conditions, so that it
can be used in the alternative choice. If only one guard condition is satisfied, then the corresponding Reo circuit (Rsd1 or Rsd2)
will be activated. If both conditions are satisfied, the token will flow through the exclusive router, then a non-deterministic
choice will be made at the exclusive router, and one of the two subcircuits will be activated by the corresponding filter and
synchronous drain. If neither condition is satisfied, the token will go through the filter with pattern ¬g1 ∧ ¬g2 from ASD to
BSD directly.
For SD = opt(sd), the Reo circuit RSD is obtained by combining Rsd and a FIFO1 channel with an exclusive router that
chooses to either activate the behavior of the operand sd or skip the fragment while nothing happens (Fig. 16).
For SD = par(sd1, sd2), the Reo circuit is obtained by combining Rsd1 and Rsd2 with a replicator, which represents a
parallel activation of both operands, where the internal FIFO channels in Rsd1 and Rsd2 (those connected to Asdi and Bsdi
inside the boxes, which are not drawn in the picture) ensure that in the combination, the events in the two branches can be
interleaved.
In parallel composition, if there exists some common participant pi in sd1 and sd2, then Rsd1 and Rsd2 should also have
shared nodes Ci and Di, which are obtained by merging the nodes with the same name in the two Reo circuits (as shown in
Fig. 18(a)). For the source node Ci, if there is some message m sent by pi in both sd1 and sd2 (as shown in Fig. 18(c)), then
in the resulting Reo circuit RSD, the filters will be replaced by one filter and one exclusive router, as shown in Fig. 18(b). For
all the filters with source end Ci whose pattern P does not appear in another operand, they will be kept the same in the
resulting circuit RSD.
For SD = strict(sd1, sd2), the Reo circuit is obtained by combining Rsd1 and Rsd2 as in Fig. 19, where the FIFO channels in
Rsd1 and Rsd2 ensure that in the combined connector none of the events in sd2 can happen before the communication in sd1
has finished.
The case for weak sequencing seq(sd1, sd2) is more complex, because the definition of the seq operator depends on
whether the operands share some lifelines. If a common lifeline pi exists in both sd1 and sd2, then all the event occurrences
on pi in sd1 must happen before those on pi in sd2. However, for the event occurrences on different lifelines in the two
operands, they may occur in any order. If the operands involve disjoint sets of participants, the weak sequencing reduces to
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 665
a b c
Fig. 18. Transformation rule for parallel composition with same participant pi .
Fig. 19. Transformation rule for strict sequencing.
Fig. 20. Transformation rule for weak sequencing.
Fig. 21.Weak sequencing optimization.
a parallel merge, as shown in Fig. 17. Otherwise, suppose they share a lifeline pi, and the sequencers in the circuits for sd1
and sd2 for pi have n1 and n2 nodes, respectively. Then we can add two more nodes Aw and Bw to the two Reo circuits Rsd1
and Rsd2, respectively, and synchronize them with the nodes of the sequencers inside the two Reo circuits such that they
correspond to the last event on lifeline pi in Rsd1 and the first event on pi in Rsd2. The two nodes Aw and Bw are ordered by
adding a FIFO1 channel and a SynchDrain between them, as shown in Fig. 20.
Note that the resulting Reo circuit in Fig. 20 for weak sequencing can be optimized by replacing the two sequencers in
Rsd1 and Rsd2 corresponding to the same lifeline pi with one sequencer with n1 + n2 nodes, where the first n1 nodes are
synchronized with the n1 nodes of the sequencer for pi in Rsd1 using synchronous drains, and the last n2 nodes are similarly
synchronized with the n2 nodes of the sequencer for pi in Rsd2. The two sequencers Sequencer isd1 and Sequencer
i
sd2 together
with the synchronous drains connecting them can then be removed in the resulting Reo circuit RSD since the ordering
information is now kept by the new sequencer, as shown in Fig. 21.
For SD = loop(sd), the Reo circuit is obtained from Rsd as in Fig. 22. The connector gEXR is a variant of the exclusive router
in Fig. 10(b), wherewe replace the lossy synchronous channels by two filters with the patterns g and¬g respectively, where
g is the guard condition of the loop. If g is satisfied, then the loop iterates, otherwise, it stops.
666 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
Fig. 22. Transformation rule for loop.
b
c
a
Fig. 23. Reo circuit for the online banking example.
Example 2. To illustrate our approach, we consider the sequence diagram for the on-line banking example in Fig. 4. The
generated Reo circuit is given in Fig. 23. Note that for simplicity, we do not give the Reo circuit for the whole scenario.
Instead, we show the structure of the connector for thewhole scenario in Fig. 23(a) and give one subcircuit RLogin in Fig. 23(c),
which corresponds to the basic sequence diagram Login. Fig. 23(b) shows the internal structure of the guarded exclusive
router gEXR used in Fig. 23(a). Details of the other building blocks (subcircuits) in Fig. 23(a) are similar to Fig. 23(c), and can
be easily obtained by our synthesis approach. 
4.4. One step further
Our construction can be easily extended to treat timing constraints in UML SDs. Since the semantics of UML on such
messages is ambiguous and can have different meanings, we shall not be exhaustive here, but rather suggest a possible step
in this direction, and investigate the approach in our future work. As an example, we consider a message m{0..t} which
states that the message m is constrained to last between 0 and t time units. If the receiver of the message is not ready to
accept it in t time units, the message can either be lost or be stored in some queue, waiting for the receiver to process it.
We assume that the message with a time constraintm{0..t} can always be successfully transmitted to the receiver side and
waits to be processed. For such an interpretation, we just need to connect the nodes Ai and Bj which are internal nodes of
the synthesized circuit under construction, to the nodes for the sender and the receiver of the message, respectively via a
P-producer (where P is the singleton data set {expire}), a synchronous drain and a timer channel with early expiration.5
5 See [3] for more details of timer channels.
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 667
Fig. 24. Timed Reo circuit for duration constraint of a message.
Such a timer channel allows the timer to produce its timeout signal through its sink end and reset itself when it consumes a
special ‘‘expire’’ value through its source [3]. As an example, we replace the messagem1 in Fig. 8(a) bym1{0..10}, and show
the resulting Reo circuit in Fig. 24.
5. Correctness
To provide a soundness proof of our approach, we use the framework of coalgebraic bisimulations. For this purpose, we
provide a coalgebraic interpretation for the Reo circuit of a sequence diagram and then establish a homomorphism from the
coalgebra semantics of a sequence diagram to the coalgebra assigned to its Reo circuit. The bisimulation relation between
the coalgebras for sequence diagrams composed by interaction operators and the corresponding Reo circuits can be obtained
from the bisimulations between the component coalgebras. Recall that the denotational semantics of a sequence diagram
can be viewed as a coalgebra (C, ⟨ϵ, α⟩)where C is the set of possible configurations.
Let sd = (I, Loc•,Mes, Locini, loc, E,≤) be a sequence diagram that contains no interaction operators. Rsd is the Reo circuit
synthesized from sd. The semantics of Rsd, denoted by [[Rsd]], can also be given as a coalgebra, where the state space of [[Rsd]]
is decided by the buffers of the FIFO channels. The FIFO channels in the synthesized Reo circuits can be separated into two
categories: channels for the control structure and channels for the communication behavior. Taking Fig. 24 as an example,
the channels AsdAsd, BsdBsd,AsdBsd and the FIFO channels in the sequencers are for the control structure, while the channels
A1B1 and A2B2 are for the communication behavior.While defining the coalgebra [[Rsd]], we consider the actual values of data
elements only in the case of channels that contribute to the communication behavior, i.e., the messages. Since the actual
data values in the buffers of the channels that comprise its control structure cannot be observed through the ports of the
synthesized connector circuit, we abstract away from these data values and consider only the empty or non-empty status of
such FIFO channels as the indicator of a state. Then the behavior preservation for the synthesized circuit can be witnessed
by the bisimulation relation between the two coalgebras [31]. Note that here the coalgebraic interpretation for Reo circuits
is different than the coalgebraic semantics defined in [6], where the semantics is expressed in terms of relations on infinite
Timed Data Streams, i.e., relations on final coalgebras. Our approach uses one coalgebra, instead of a relation on multiple
coalgebras, for the semantics of a Reo circuit, and this coalgebra is an abstraction of the constraint automaton that captures
the operational semantics of the Reo circuit [9].
In the sequence diagram sd, for every lifeline pi corresponding to the instance i ∈ I , suppose card(loc(i)) = n, then
according to the construction in Section 4.1, the sequencer on the pi side also has n external nodes and n FIFO channels inside.
Let Ai1, . . . , A
i
n be the nodes linked to the external nodes of the sequencer by synchronous drains, and denote the buffers
of the FIFO channels in the sequencer by buf i1, . . . , buf
i
n, respectively. Suppose loc(i) = {li1, . . . , lin}, and next(lij) = lij+1 for
j = 1, . . . , n − 1. According to the construction, if there is a synchronous message msg from lij to lkm, then the nodes Aij and
Akm are linked by a synchronous channel, A
i
j is linked to Ci by a filter over {msg}, and Akm to Dk by a synchronous channel.
When buf ij and buf
k
m are filled with the tokens, ⟨lij lkm,msg⟩ and ⟨lkm lij,msg⟩ become active and the communication can
happen. On the other hand, if there is an asynchronous messagemsg from lij to l
k
m, then the nodes A
i
j and A
k
m are linked by a
FIFO channel, with the buffer denoted by buf i,kj,m. The buffer is filled withmsg after themessage is sent out via A
i
j and becomes
empty again after the message is consumed via Akm.
Let Buf be the set of all the buffers inside Rsd, then
[[Rsd]] = (U, ⟨ρ, β⟩, u0)
where U = 2Buf , ρ : U → P(Σm), β : U × Σ → U , u0 = {buf i1 | i ∈ I}. For a state u ∈ U and a buffer buf ∈ u, elem(buf )
returns the element in buf . Thus the function ρ is defined as
ρ(u) = {⟨lij ← lkm,msg⟩ | buf k,im,j ∈ u ∧ elem(buf k,im,j) = msg} ∪
buf ij ∈u
{e | π(e) = lij ∧ type(e) ≠←}
668 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
In an arbitrary state u, if buf ij , buf
k
m ∈ u, and Aij and Akm are linked by a synchronous channel (assume it is from Aij to Akm),
then the circuit is ready to both accept a synchronous message msg from Ci (the source node linked to Aij) and consume it
via Dk, and the tokens in the buffers buf ij , buf
k
m will move to the next ones. So,
β(u, ⟨⟨lij lkm,msg⟩, ⟨lkm lij,msg⟩⟩) = u \ {buf ij , buf km} ∪ {buf ij+1, buf km+1}
Similarly, if Aij and A
k
m are linked by an asynchronous channel (assume it is a FIFO channel from A
i
j to A
k
m), then when the
buffer buf i,kj,m is empty, and buf
i
j ∈ u, the circuit in state u is ready to accept an asynchronous message msg from Ci and put
it into the buffer buf i,kj,m. So,
β(u, ⟨lij → lkm,msg⟩) = u \ {buf ij } ∪ {buf ij+1, buf i,kj,m | elem(buf i,kj,m) = msg}
When elem(buf i,kj,m) = msg , and the buffer buf km ∈ u, the circuit in state u is ready to consumemsg via Dk.
β(u, ⟨lkm ← lij,msg⟩) = u \ {buf km, buf i,kj,m} ∪ {buf km+1}
For a lost message ⟨lij → •,msg⟩, the circuit is ready to consume themessage when buf ij ∈ u, and the token in buf ij is moved
to buf ij+1.
β(u, ⟨lij → •,msg⟩) = u \ {buf ij } ∪ {buf ij+1}
For a foundmessage ⟨lij ← •,msg⟩, let bufF and buf ′F be the two buffers in the circuit Found as in Fig. 12. Initially, let bufF ∈ u.
The circuit is ready to take the message when buf ij ∈ u. After the event occurs, the token in buf ij is moved to buf ij+1, and the
message in bufF is moved to buf ′F and then enters bufF again. Since the flow of message in bufF and buf
′
F is in the black-box,
we can assume that the buffer bufF is in u after ⟨lij ← •,msg⟩.
β(u, ⟨lij ← •,msg⟩) = u \ {buf ij } ∪ {buf ij+1}
Proposition 1. [[sd]] ∼ [[Rsd]].
Proof. We prove bisimulation equivalence of the coalgebras of sd and its Reo circuit Rsd by establishing a homomorphism
h : C → U . For a configuration c =∏i∈I,0≤j<|loc(i)| lij, let
h(c) = {buf ij | lij ∈ c} ∪ {buf k,im,j | (∃e = ⟨lij ← lkm, elem(buf k,im,j)⟩ ∈ ϵ(c))}
All we have to prove is that h is a coalgebra homomorphism, i.e., that
h · α(c, e) = β(h(c), e) (4)
ϵ(c) = ρ(h(c)) (5)
We first give the proof for Eq. (4). Let c =∏i∈I,0≤j<|loc(i)| lij, for e = ⟨⟨lij lkm,msg⟩, ⟨lkm lij,msg⟩⟩,
h · α(c, e) = h(c[lij+1/lij, lkm+1/lkm])
= {buf i′j′ | li
′
j′ ∈ c[lij+1/lij, lkm+1/lkm]} ∪
{buf k′,i′m′,j′ | (∃e = ⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c[lij+1/lij, lkm+1/lkm]))}
= {buf i′j′ | li
′
j′ ∈ c[lij+1/lij, lkm+1/lkm]} ∪
{buf k′,i′m′,j′ | (∃e = ⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c))}
= ({buf i′j′ | li
′
j′ ∈ c} \ {buf ij , buf km} ∪ {buf ij+1, buf km+1}) ∪
{buf k′,i′m′,j′ | (∃e = ⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c))}
= β(h(c), e)
for e = ⟨lij → lkm,msg⟩,
h · α(c, e) = {buf i′j′ | li
′
j′ ∈ c[lij+1/lij]} ∪ {buf k
′,i′
m′,j′ | ∃⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(α(c, e))}
= {buf i′j′ | li
′
j′ ∈ c} \ {buf ij } ∪ {buf ij+1} ∪ {buf i,kj,m | elem(buf i,kj,m) = msg} ∪
{buf k′,i′m′,j′ | ∃⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c)}
= h(c) \ {buf ij } ∪ {buf ij+1} ∪ {buf i,kj,m | elem(buf i,kj,m) = msg}
= β(h(c), e)
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 669
for e = ⟨lij ← lkm,msg⟩,
h · α(c, e) = {buf i′j′ | li
′
j′ ∈ c[lij+1/lij]} ∪ {buf k
′,i′
m′,j′ | ∃⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(α(c, e))}
= {buf i′j′ | li
′
j′ ∈ c} \ {buf ij } ∪ {buf ij+1} ∪ {buf k
′,i′
m′,j′ | ∃⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c) \ {e}}
= {buf i′j′ | li
′
j′ ∈ c} \ {buf ij } ∪ {buf ij+1} ∪ {buf k
′,i′
m′,j′ | ∃⟨li
′
j′ ← lk
′
m′ , elem(buf
k′,i′
m′,j′)⟩ ∈ ϵ(c)} \ {buf k,im,j}
= h(c) \ {buf ij } ∪ {buf ij+1} \ {buf k,im,j}
= β(h(c), e)
The corresponding results for lost and found messages and co-region location can be similarly obtained.
We now provide the proof for Eq. (5) using the induction principle. As the basis of induction, we regard the initial
configuration c0. Since u = h(c0) does not contain an element of the form buf k,im,j we have:
ρ(h(c0)) =

buf ij ∈h(c0)
{e | π(e) = lij ∧ type(e) ≠←}
=

lij∈c0
{e | π(e) = lij ∧ type(e) ≠←}
= {e | π(e) ∈ c0 ∧ type(e) ≠←}
= {e | π(e) ∈ Locini ∧ type(e) ≠←}
= ϵ(c0)
As the induction step, we assume that ρ(h(c)) = ϵ(c) and show that for any e, ρ(h · α(c, e)) = ϵ(α(c, e)).
We first consider e = ⟨⟨lij lkm,msg⟩, ⟨lkm lij,msg⟩⟩, and therefore
ρ(h · α(c, e)) = {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h · α(c, e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈h·α(c,e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ β(h(c), e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈β(h(c),e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h(c) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪ 
buf i
′
j′ ∈h(c)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
 {e′ | (π(e′) = lij ∨ π(e′) = lkm) ∧
type(e′) ≠←} ∪ {e′ | (π(e′) = lij+1 ∨ π(e′) = lkm+1) ∧ type(e′) ≠←}
= ρ(h(c)) \ {e′ | (π(e′) = lij ∨ π(e′) = lkm) ∧ type(e′) ≠←} ∪
{e′ | (π(e′) = lij+1 ∨ π(e′) = lkm+1) ∧ type(e′) ≠←}
= ϵ(c) \ {e′ | (π(e′) = lij ∨ π(e′) = lkm) ∧ type(e′) ≠←} ∪
{e′ | (π(e′) = lij+1 ∨ π(e′) = lkm+1) ∧ type(e′) ≠←}
= ϵ(c) \ {⟨lij lkm,msg⟩, ⟨lkm lij,msg⟩} ∪
{e′ | (π(e′) = lij+1 ∨ π(e′) = lkm+1) ∧ type(e′) ≠←}
= ϵ(α(c, e))
670 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
For e = ⟨lij → lkm,msg⟩,
ρ(h · α(c, e)) = {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h · α(c, e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈h·α(c,e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ β(h(c), e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈β(h(c),e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | (buf k
′,i′
m′,j′ ∈ h(c) ∨ buf k
′,i′
m′,j′ = buf i,kj,m) ∧
elem(buf k
′,i′
m′,j′) = msg} ∪

buf i
′
j′ ∈h(c)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←} \
{e′ | π(e′) = lij ∧ type(e′) ≠←} ∪ {e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h(c) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
{⟨lkm ← lij,msg⟩} ∪

buf i
′
j′ ∈h(c)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←} \
{e′ | π(e′) = lij ∧ type(e′) ≠←} ∪ {e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ρ(h(c)) ∪ {⟨lkm ← lij,msg⟩} \ {e′ | π(e′) = lij ∧ type(e′) ≠←} ∪
{e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ϵ(c) \ {e} ∪ {⟨lkm ← lij,msg⟩} ∪ {e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ϵ(α(c, e))
For e = ⟨lij ← lkm,msg⟩,
ρ(h · α(c, e)) = {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h · α(c, e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈h·α(c,e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ β(h(c), e) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈β(h(c),e)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | (buf k
′,i′
m′,j′ ∈ h(c) \ {buf k,im,j}) ∧ elem(buf k
′,i′
m′,j′) = msg} ∪
buf i
′
j′ ∈h(c)\{buf ij }∪{buf ij+1}
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←}
= {⟨li′j′ ← lk
′
m′ ,msg⟩ | buf k
′,i′
m′,j′ ∈ h(c) ∧ elem(buf k
′,i′
m′,j′) = msg} \
{⟨lij ← lkm,msg⟩} ∪

buf i
′
j′ ∈h(c)
{e′ | π(e′) = li′j′ ∧ type(e′) ≠←} \
{e′ | π(e′) = lij ∧ type(e′) ≠←} ∪ {e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ρ(h(c)) \ {⟨lij ← lkm,msg⟩} \ {e′ | π(e′) = lij ∧ type(e′) ≠←} ∪
{e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ϵ(c) \ {e} ∪ {e′ | π(e′) = lij+1 ∧ type(e′) ≠←}
= ϵ(α(c, e))
The proof for lost and found messages and co-region can be similarly obtained. 
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 671
We obtain the equivalence result for arbitrary sequence diagrams by an induction on the structure of the sequence
diagrams as in the following theorem. There is a slight change in the proof style used for Theorem 1 and Proposition 1. For
Proposition 1, the bisimulation between each sequence diagram and its translation is shown by means of a homomorphism
between their corresponding coalgebras. In the proof of Theorem 1, however, we construct the concrete bisimulation
relation directly instead of using the graph of a homomorphism.
Note that the composed Rsd has the general structure as in Fig. 13, which has three FIFO channels besides the ones in the
sequencers and for the message passing between the external ports. Let bufAA, bufAB, and bufBB be the corresponding buffers
in these channels. Then the semantics of Rsd can be defined as
[[Rsd]] = (U, ⟨ρ ′, β ′⟩, u0)
where U = 2Buf∪{bufAA,bufAB,bufBB}, ρ ′ : U → P(Σm), β ′ : U ×Σ → U , u0 = {buf i1 | i ∈ I} ∪ {bufAA}. In any state u ∈ U , there
is at most one element from {bufAA, bufAB, bufBB} in u. State uF = {buf i1 | i ∈ I} ∪ {bufBB} is called the final state. Thus the
functions ρ ′ and β ′ are defined as
ρ ′(u) =

bufAA ∈ u ⇒ ρ(u0 \ {bufAA})
bufAB ∈ u ⇒ ρ(u \ {bufAB})
bufBB ∈ u ∨ u ∩ {bufAA, bufAB, bufBB} = ∅ ⇒ ∅
β ′(u, e) =

u = u0 ⇒ β(u0 \ {bufAA}, e) ∪ {bufAB}
bufAB ∈ u ∧ ρ(β(u \ {bufAB}, e)) ≠ ∅ ⇒ β(u \ {bufAB}, e) ∪ {bufAB}
bufAB ∈ u ∧ ρ(β(u \ {bufAB}, e)) = ∅ ⇒ β(u \ {bufAB}, e) ∪ {bufBB}
Furthermore, the function h′ : C → U is defined as
h′(c) =

c = c0 ⇒ h(c) ∪ {bufAA}
c = cF ⇒ h(c) ∪ {bufBB}
otherwise h(c) ∪ {bufAB}
Theorem 1. For sequence diagrams sd1 and sd2, if [[sdi]] ∼ [[Rsdi ]], then
• [[strict(sd1, sd2)]] ∼ [[Rstrict(sd1,sd2)]]• [[par(sd1, sd2)]] ∼ [[Rpar(sd1,sd2)]]• [[opt(sd1)]] ∼ [[Ropt(sd1)]]• [[alt(g1 : sd1, g2 : sd2)]] ∼ [[Ralt(g1:sd1,g2:sd2)]]• [[seq(sd1, sd2)]] ∼ [[Rseq(sd1,sd2)]]• [[loop(g : sd1)]] ∼ [[Rloop(g:sd1)]]
Proof. Assume that [[Rsdi ]] = (Ui, ⟨ρ ′i , β ′i ⟩, ui0), and [[sdi]] = (Ci, ⟨ϵi, αi⟩, c i0) for i = 1, 2. Note that for weak sequential
composition we consider only the case for I1 ∩ I2 ≠ ∅, the case for I1 ∩ I2 = ∅ can be obtained by the proof for parallel
composition.
strict: strict(sd1, sd2)
The semantics of Rstrict(sd1,sd2) is given by the coalgebra (U, ⟨ρ,β⟩, u0), where
U = {u ∪ {buf i21 | i2 ∈ I2} | u ∈ U1} ∪ {u ∪ {buf i11 | i1 ∈ I1} | u ∈ U2} ∪ {u0, uF }
u0 = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufASDASD}
uF = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBSDBSD}
ρ(u) =

u = u0 ∨ u = uF ⇒ ∅
u = u1 ∪ {buf i21 | i2 ∈ I2} ∧ u1 ∈ U1 ⇒ ρ ′1(u1)
u = u2 ∪ {buf i11 | i1 ∈ I1} ∧ u2 ∈ U2 ⇒ ρ ′2(u2)
β(u, e) =

u = u1 ∪ {buf i21 | i2 ∈ I2} ∧ u1 ∈ U1 ∧ ρ ′1(β ′1(u1, e)) ≠ ∅ ⇒
β ′1(u1, e) ∪ {buf i21 | i2 ∈ I2}
u = u1 ∪ {buf i21 | i2 ∈ I2} ∧ u1 ∈ U1 ∧ ρ ′1(β ′1(u1, e)) = ∅ ⇒
{buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBsd1Bsd1 }
u = u2 ∪ {buf i11 | i1 ∈ I1} ∧ u2 ∈ U2 ⇒
β ′2(u2, e) ∪ {buf i11 | i1 ∈ I1}
672 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
Because of the structure of Rstrict(sd1,sd2), when the circuit is in state u0, since the sink end of ASDASD is connected to the source
end of Asd1Asd1 by a synchronous channel, andρ(u0) = ∅, the circuit can take an internal transition by transmitting the token
in the buffer bufASDASD to the buffer bufAsd1Asd1 , whichmakes the state change to {buf
i1
1 | i1 ∈ I1}∪{buf i21 | i2 ∈ I2}∪{bufAsd1Asd1 }.
Similarly, when the circuit is in state {buf i11 | i1 ∈ I1}∪ {buf i21 | i2 ∈ I2}∪ {bufBsd1Bsd1 }, there is an internal transition in which
the token in bufBsd1Bsd1 moves to bufAsd2Asd2 , and the state changes to {buf
i1
1 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufAsd2Asd2 }. And
when there is a token in bufBsd2Bsd2 , it moves to bufBSDBSD , and the state changes to uF .
According to the construction, we have the coalgebra homomorphisms hi : [[sdi]] → [[Rsdi ]]. From the definition of
strict(sd1, sd2), we know that the final configuration of sd1 is merged with the initial configuration of sd2 in the strict
sequential composition. Let B1 = {buf i11 | i1 ∈ I1} and B2 = {buf i21 | i2 ∈ I2}, and the relation ≈⊆ C × U be defined
as follows:
≈ = {(c0, B1 ∪ B2 ∪ {bufASDASD}), (c0, B1 ∪ B2 ∪ {bufAsd1Asd1 })} ∪
{(c, h1(c) ∪ {bufAsd1Bsd1 } ∪ B2) | c ∈ C1 \ {c0, c1F }} ∪
{(c20 , B1 ∪ B2 ∪ {bufBsd1Bsd1 }), (c
2
0 , B1 ∪ B2 ∪ {bufAsd2Asd2 })} ∪
{(c, h2(c) ∪ {bufAsd2Bsd2 } ∪ B1) | c ∈ C2 \ {c20 , c2F }} ∪
{(c2F , B1 ∪ B2 ∪ {bufBsd2Bsd2 }), (c
2
F , B1 ∪ B2 ∪ {bufBSDBSD})}
From the above discussion, we know that there is an internal transition from B1∪B2∪{bufASDASD} to B1∪B2∪{bufAsd1Asd1 }.
For u = B1 ∪ B2 ∪ {bufAsd1Asd1 },β(u, e) = β ′1(B1 ∪ {bufAsd1Asd1 }, e) ∪ B2
= β1(B1, e) ∪ {bufAsd1Bsd1 } ∪ B2
= β1(h1(c0), e) ∪ {bufAsd1Bsd1 } ∪ B2
= h1(α1(c0, e)) ∪ {bufAsd1Bsd1 } ∪ B2
and
ρ(u) = ρ ′1(B1 ∪ {bufAsd1Asd1 })
= ρ1(B1)
= ρ1(h1(c0))
= ϵ1(c0)
= strict(ϵ1, ϵ2)(c0)
According to the definition of [[strict(sd1, sd2)]], we have
(strict(α1, α2)(c0, e),β(u, e)) = (α1(c0, e), h1(α1(c0, e)) ∪ {bufAsd1Bsd1 } ∪ B2)
{let c = α1(c0, e)} ∈≈
Let u = h1(c) ∪ {bufAsd1Bsd1 } ∪ B2 for c ∈ C1 \ {c0, c1F }, and e ∈ρ(c), if ρ ′1(β ′1(h1(c) ∪ {bufAsd1Bsd1 }, e)) ≠ ∅,β(u, e) = β ′1(h1(c) ∪ {bufAsd1Bsd1 }, e) ∪ B2
= β1(h1(c), e) ∪ {bufAsd1Bsd1 } ∪ B2
= h1(α1(c, e)) ∪ {bufAsd1Bsd1 } ∪ B2
and
ρ(u) = ρ ′1(h1(c) ∪ {bufAsd1Bsd1 })
= ρ1(h1(c))
= ϵ1(c)
= strict(ϵ1, ϵ2)(c)
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 673
if ρ ′1(β
′
1(h1(c) ∪ {bufAsd1Bsd1 }, e)) = ∅,β(u, e) = B1 ∪ B2 ∪ {bufBsd1Bsd1 }, according to the definition of ρ ′ and β ′, we have
ρ1(β1(h1(c), e)) = ∅. Therefore, ϵ1(α1(c, e)) = ∅ and strict(α1, α2)(c, e) = c20 . In both cases, we have
(strict(α1, α2)(c, e),β(u, e)) ∈≈
Similarly, we can prove that for any (c, u) ∈≈, (strict(α1, α2)(c, e),β(u, e)) ∈≈ andρ(u) = strict(ϵ1, ϵ2)(c). So ≈ is a
bisimulation relation and (c0, u0) ∈≈. Therefore,
[[strict(sd1, sd2)]] ∼ [[Rstrict(sd1,sd2)]]
par: par(sd1, sd2)
The semantics of Rpar(sd1,sd2) is given by the coalgebra (U, ⟨ρ,β⟩, u0), where
U = {u1 ∪ u2 | u1 ∈ U1 ∧ u2 ∈ U2} ∪ {u0, uF }
u0 = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufASDASD}
uF = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBSDBSD}
ρ(u) = u = u0 ∨ u = uF ⇒ ∅
u = u1 ∪ u2 ∧ u1 ∈ U1 ∧ u2 ∈ U2 ⇒ ρ ′1(u1) ∪ ρ ′2(u2)
β(u, e) = u = u1 ∪ u2 ∧ u1 ∈ U1 ∧ u2 ∈ U2 ∧ e ∈ ρ ′1(u1) ⇒ β ′1(u1, e) ∪ u2
u = u1 ∪ u2 ∧ u1 ∈ U1 ∧ u2 ∈ U2 ∧ e ∈ ρ ′2(u2) ⇒ β ′2(u2, e) ∪ u1
There is an internal transition from u0 to u10 ∪ u20, in which the token in bufASDASD is copied by the replicator in node ASD.
The tokens move to bufAsd1Asd1 and bufAsd2Asd2 respectively, and the state changes to u
1
0 ∪ u20. Similarly, in state u1F ∪ u2F , the
two tokens in bufBsd1Bsd1 and bufBsd2Bsd2 are synchronously consumed in the syncdrain Bsd1Bsd2 . One of the tokens is non-
deterministically chosen by the merger in node BSD and moved to the buffer bufBSDBSD while the other one is lost in the lossy
channel. Let the relation≈⊆ C × U be defined as follows:
≈ = {(c0, u0), (c0, u10 ∪ u20)} ∪ {(c, h′1(π1c) ∪ h′2(π2c)} ∪
{(cF , uF ), (cF , B1 ∪ B2 ∪ {bufBsd1Bsd1 } ∪ {bufBsd2Bsd2 })}
We haveρ(u10 ∪ u20) = ρ ′1(u10) ∪ ρ ′2(u20)
= ρ1({buf i11 | i1 ∈ I1}) ∪ ρ2({buf i21 | i2 ∈ I2})
= ρ1(h1(c10 )) ∪ ρ2(h2(c20 ))
= ϵ1(c10 ) ∪ ϵ2(c20 )
= par(ϵ1, ϵ2)(c0)
and if e ∈ ρ ′1(u10),β(u10 ∪ u20, e) = β ′1(u10, e) ∪ u20
= β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 } ∪ u20
= β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 } ∪ {buf i21 | i2 ∈ I2} ∪ {bufAsd2Asd2 }
since ρ ′1(u
1
0) = ρ1({buf i11 | i1 ∈ I1}) = ϵ1(c10 ), we have
par(α1, α2)(c0, e) = (α1(π1c0, e), π2c0)
Furthermore,
h1(α1(π1c0, e)) = β1({buf i11 | i1 ∈ I1}, e)
h2(π2c0) = {buf i21 | i2 ∈ I2}
So (par(α1, α2)(c0, e),β(u10 ∪ u20, e)) ∈≈. For the case e ∈ ρ ′2(u20), the result can be similarly obtained. Analogously, we can
obtain that for any (c, u) ∈≈, (par(α1, α2)(c, e),β(u, e)) ∈≈ andρ(u) = par(ϵ1, ϵ2)(c). So ≈ is a bisimulation relation,
and
[[par(sd1, sd2)]] ∼ [[Rpar(sd1,sd2)]]
674 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
Option: opt(sd1)
The semantics of Ropt(sd1) is given by the coalgebra (U, ⟨ρ,β⟩, u0), where
U = U1 ∪ {u0, uF }
u0 = {buf i11 | i1 ∈ I1} ∪ {bufASDASD}
uF = {buf i11 | i1 ∈ I1} ∪ {bufBSDBSD}
ρ(u) =

u = u0 ⇒ {skip}
u = uF ⇒ ∅
u ∈ U1 ⇒ ρ ′1(u)
β(u, e) = u ∈ U1 ⇒ β ′1(u, e)
u = u0 ∧ e = skip ⇒ uF
When the circuit is in state u0, it has a nondeterministic choice between the behavior of Rsd1 and an empty behavior
(denoted by skip). In other words, there are two internal transitions with u0 as source state, and the target states are uF
and {buf i11 | i1 ∈ I1} ∪ {bufAsd1Asd1 } respectively. Furthermore, when the circuit is in state {buf
i1
1 | i1 ∈ I1} ∪ {bufBsd1Bsd1 },
there is no active event and it can move to state {buf i11 | i1 ∈ I1} ∪ {bufBSDBSD} by an internal transition. Define the relation≈⊆ C × U as:
≈ = {(c0, u0), (c0, u10)} ∪ {(c, h1(c) ∪ {bufAsd1Bsd1 }) | c ∈ C \ {c0, cF }} ∪
{(cF , {buf i11 | i1 ∈ I1} ∪ {bufBsd1Bsd1 }), (cF , uF )}
According to the semantics, we haveρ(u10) = ρ ′1(u10)
= ρ1({buf i11 | i1 ∈ I1})
= ϵ1(c10 )
and
ρ(u0) = {skip}
so,
ρ(u10) ∪ρ(u0) = opt(ϵ1)(c0)
Additionally,β(u0, skip) = {buf i11 | i1 ∈ I1} ∪ {bufBSDBSD}
= uF
and for e ∈ Σ1, if ρ1(β1({buf i11 | i1 ∈ I1}, e)) ≠ ∅, thenβ(u10, e) = β ′1(u10, e)
= β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 }
= h1(α1(c0, e)) ∪ {bufAsd1Bsd1 }
So we have
(opt(α1)(c0, e),β(u10, e)) ∈ ≈
and
(opt(α1)(c0, skip),β(u0, skip)) ∈ ≈
Similarly, we can obtain that for any (c, u) ∈≈,
(opt(α1)(c, e),β(u, e)) ∈≈ρ(u) = opt(ϵ1)(c)
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 675
So≈ is a bisimulation relation, and
[[opt(sd1)]] ∼ [[Ropt(sd1)]]
Choice: alt(g1 : sd1, g2 : sd2)
The semantics of Ralt(g1:sd1,g2:sd2) is given by the coalgebra (U, ⟨ρ,β⟩, u0), where
U = {u ∪ {buf i21 | i2 ∈ I2} | u ∈ U1} ∪ {u ∪ {buf i11 | i1 ∈ I1} | u ∈ U2} ∪ {u0, uF }
u0 = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufASDASD}
uF = {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBSDBSD}
ρ(u) =

u = u0 ⇒ {skip}
u = uF ⇒ ∅
u = u1 ∪ {buf i21 | i2 ∈ I2} ∧ u1 ∈ U1 ⇒ ρ ′1(u1)
u = u2 ∪ {buf i11 | i1 ∈ I1} ∧ u2 ∈ U2 ⇒ ρ ′2(u2)
β(u, e) =

u = u0 ∧ e = skip ⇒ uF
u = u1 ∪ {buf i21 | i2 ∈ I2} ∧ u1 ∈ U1 ⇒ β ′1(u1, e) ∪ {buf i21 | i2 ∈ I2}
u = u2 ∪ {buf i11 | i1 ∈ I1} ∧ u2 ∈ U2 ⇒ β ′2(u2, e) ∪ {buf i11 | i1 ∈ I1}
When the circuit is in state u0, and the token in ASDASD satisfies gi, the token can be transmitted through the filter ASDAsdi by
an internal transition, which changes the state from u0 to {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufAsdiAsdi }. This activates the
circuit Rsdi . If Rsdi arrives at its final state, there is an internal transition in which the token in bufBsdiBsdi moves to bufBSDBSD ,
and the state changes to uF . Define the relation≃⊆ C × U as follows:
≃ = {(c0, u0)} ∪
{(c, h′1(c) ∪ {buf i21 | i2 ∈ I2}) | c ∈ C1 \ {c10 , c1F }} ∪
{(c, h′2(c) ∪ {buf i11 | i1 ∈ I1}) | c ∈ C2 \ {c20 , c2F }} ∪
{(cF , {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBsd1Bsd1 })} ∪
{(cF , {buf i11 | i1 ∈ I1} ∪ {buf i21 | i2 ∈ I2} ∪ {bufBsd2Bsd2 })} ∪
{(cF , uF )}
and the relation≈ as
≈=

c0  g1 ∧ g2 ⇒ ≃ ∪{(c0, u10 ∪ {buf i21 | i2 ∈ I2}), (c0, u20 ∪ {buf i11 | i1 ∈ I1})}
c0  g1 ∧ ¬g2 ⇒ ≃ ∪{(c0, u10 ∪ {buf i21 | i2 ∈ I2})}
c0  g2 ∧ ¬g1 ⇒ ≃ ∪{(c0, u20 ∪ {buf i11 | i1 ∈ I1})}
If neither of the guard conditions is satisfied by the token in bufASDASD , then skip happens, which moves the token in bufASDASD
to bufBSDBSD , and the state changes from u0 to uF . In this case, we have
(alt(α1, α2)(c0, skip),β(u0, skip)) = (cF , uF ) ∈≈
If c0  g1 ∧ ¬g2, the token in bufASDASD moves to bufAsd1Asd1 , the state of the circuit changes to u = u
1
0 ∪ {buf i21 | i2 ∈ I2}.
According to the definition, we haveρ(u) = ρ ′1(u10)
= ρ1({buf i11 | i1 ∈ I1})
= Σ10
= alt(ϵ1, ϵ2)(c0)
and if e ∈ Σ10 ,β(u10 ∪ {buf i21 | i2 ∈ I2}, e) = β ′1(u10, e) ∪ {buf i21 | i2 ∈ I2}
= β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 } ∪ {buf i21 | i2 ∈ I2}
676 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
from alt(α1, α2)(c0, e) = α1(c10 , e) and β1({buf i11 | i1 ∈ I1}, e) = h1(α1(c10 , e)), we have
(alt(α1, α2)(c0, e),β(u10 ∪ {buf i21 | i2 ∈ I2}, e)) ∈ ≈
For the case c0  g2 ∧ ¬g1 and c0  g1 ∧ g2, the results can be similarly derived. We can also obtain that for any (c, u) ∈≈,
(alt(α1, α2)(c, e),β(u, e)) ∈≈ andρ(u) = alt(ϵ1, ϵ2)(c). So≈ is a bisimulation relation, and
[[alt(g1 : sd1, g2 : sd2)]] ∼ [[Ralt(g1:sd1,g2:sd2)]]
Weak sequential composition: seq(sd1, sd2)
Assume that i ∈ I1 ∩ I2 is an identifier in both sd1 and sd2, and for any j, buf 1j1, . . . , buf 1jnj1 are the buffers in the sequencer
Sequencer jsd1 , and buf 2
j
1, . . . , buf 2
j
nj2 are the buffers in the sequencer Sequencer
j
sd2
. We consider the Reo circuit Rseq(sd1,sd2) as
given in Fig. 20. Its semantics is given by the coalgebra (U, ⟨ρ,β⟩, u0) as follows, where u1 ∈ U1, u2 ∈ U2.
U = {u1 ∪ u2 | buf 1i1 ∈ u1 ∧ buf 2i1 ∈ u2}∪{u1 ∪ u2 | buf 1i1 ∈ u1 ∧ buf 2i1 /∈ u2}∪{u1 ∪ u2 | buf 1i1 /∈ u1 ∧ buf 2i1 ∈ u2}∪{u1 ∪ u2 ∪ {bufAwA′w } | buf 1i1 ∈ u1 ∧ buf 2i1 ∈ u2} ∪ {u0, uF }
u0 = {buf 1i11 | i1 ∈ I1} ∪ {buf 2i21 | i2 ∈ I2} ∪ {bufASDASD}
uF = {buf 1i11 | i1 ∈ I1} ∪ {buf 2i21 | i2 ∈ I2} ∪ {bufBSDBSD}
ρ(u) =

u = u0 ∨ u = uF ⇒ ∅
u = u1 ∪ u2 ∧ buf 2i1 ∈ u2 ⇒ ρ ′1(u1) ∪ (ρ ′2(u2) \ {e | π(e) = li1})
u = u1 ∪ u2 ∧ buf 2i1 /∈ u2 ⇒ (ρ ′1(u1) \ {e | π(e) = li1}) ∪ ρ ′2(u2)
u = u1 ∪ u2 ∪ {bufAwA′w } ⇒ (ρ ′1(u1) \ {e | π(e) = li1}) ∪ ρ ′2(u2)
β(u, e) =

π(e) ∈ loc(i)⇒
u = u1 ∪ u2 ∧ buf 2i1 ∈ u2 ∧ π(e) ∈ loc1(i)⇒
π(e) = lin1 ⇒ β ′1(u1, e) ∪ u2 ∪ {bufAwAw′ }
π(e) ≠ lin1 ⇒ β ′1(u1, e) ∪ u2
u = u1 ∪ u2 ∧ buf 1i1 ∈ u1 ∧ π(e) ∈ loc2(i)⇒ β ′2(u2, e) ∪ u1
u = u1 ∪ u2 ∪ {bufAwA′w } ∧ π(e) ∈ loc2(i)⇒ β ′2(u2, e) ∪ u1
π(e) /∈ loc(i)⇒
e ∈ Σ1 ⇒
u = u1 ∪ u2 ∧ buf 2i1 ∈ u2 ⇒
β ′1(u1, e) ∪ u2
otherwise β ′1(u1 \ {buf 1i1} ∪ {buf 1ini1}, e) ∪ u2
e ∈ Σ2 ⇒
u = u1 ∪ u2 ⇒ β ′2(u2, e) ∪ u1
u = u1 ∪ u2 ∪ {bufAwA′w } ⇒ β ′2(u2, e) ∪ u1 ∪ {bufAwA′w }
There is an internal transition from u0 to u10 ∪ u20, in which the token in bufASDASD is copied by the replicator in node ASD.
The tokens move to bufAsd1Asd1 and bufAsd2Asd2 respectively, and the state changes to u
1
0 ∪ u20. Similarly, in state u1F ∪ u2F , the
two tokens in bufBsd1Bsd1 and bufBsd2Bsd2 are synchronously consumed in the syncdrain Bsd1Bsd2 . One of the tokens is non-
deterministically chosen by the merger in node BSD and moved to the buffer bufBSDBSD while the other one is lost in the lossy
channel. Define the relation≈⊆ C × U as follows:
≈ = {(c0, u0), (c0, u10 ∪ u20)} ∪
{(c, h′1(⟨π1, π2⟩c) ∪ h′2((π1c20 , π3c))) | π1c ∈ loc1(i) \ {π1c1F }} ∪
{(c, h′1((π1c1F , π2c)) ∪ h′2(⟨π1, π3⟩c)) | π1c ∈ loc2(i)} ∪
{(c, h′1(⟨π1, π2⟩c) ∪ h′2((π1c20 , π3c)) ∪ {bufAwA′w }) | π1c = π1c1F } ∪
{(cF , uF ), (cF , u1F ∪ u2F )}
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 677
We have
ρ(u10 ∪ u20) = ρ ′1(u10) ∪ (ρ ′2(u20) \ {e | π(e) = li1})
= ρ1({buf i11 | i1 ∈ I1}) ∪ (ρ2({buf i21 | i2 ∈ I2}) \ {e | π(e) = li1})
= ρ1(h1(c10 )) ∪ (ρ2(h2(c20 )) \ {e | π(e) = li1})
= ϵ1(c10 ) ∪ (ϵ2(c20 ) \ {e | π(e) = li1})
= ϵ1(c10 ) ∪ ϵ2(c20 ) \ {e | π(e) ∈ loc(i) ∧ π(e) ≠ π1c10 }
= ϵ1(c10 ) ∪ ϵ2(c20 ) \ {e | π(e) ∈ loc(i) ∧ π(e) ≠ π1c0}
= seq(ϵ1, ϵ2)(c0)
and if e ∈ ρ ′1(u10),β(u10 ∪ u20, e) = β ′1(u10, e) ∪ u20
= β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 } ∪ u20
= h′1(α1(c10 , e)) ∪ u20
= h′1(α1(c10 , e)) ∪ h′2(⟨π1, π2⟩c20 )
= h′1(α1(c10 , e)) ∪ h′2((π1c20 , π3c0))
= h′1(⟨π1, π2⟩seq(α1, α2)(c0, e)) ∪ h′2((π1c20 , π3c0))
= h′1(⟨π1, π2⟩seq(α1, α2)(c0, e)) ∪ h′2((π1c20 , π3seq(α1, α2)(c0, e)))
So (seq(α1, α2)(c0, e),β(u10 ∪ u20, e)) ∈≈. For the case e ∈ ρ ′2(u20), the result can be similarly derived. Analogously, we can
obtain that for any (c, u) ∈≈, (seq(α1, α2)(c, e),β(u, e)) ∈≈ andρ(u) = seq(ϵ1, ϵ2)(c). So ≈ is a bisimulation relation,
and
[[seq(sd1, sd2)]] ∼ [[Rseq(sd1,sd2)]]
Loop: loop(g : sd1)
The semantics of Rloop(g:sd1) is given by the coalgebra (U, ⟨ρ,β⟩, u0), where
U = U1 ∪ {u0, uF }
u0 = {buf i11 | i1 ∈ I1} ∪ {bufASDASD}
uF = {buf i11 | i1 ∈ I1} ∪ {bufBSDBSD}
ρ(u) =

u = u0 ⇒ {skip}
u = uF ⇒ ∅
u ∈ U1 ⇒ ρ ′1(u)
β(u, e) = u = u0 ∧ e = skip ⇒ uF
otherwise β ′1(u, e)
When the circuit is in state u0, and the token in ASDASD satisfies g , there is an internal transition from state u0 to {buf i11 | i1 ∈
I1}∪{bufAsd1Asd1 }, inwhich the token in bufASDASD is transmitted to bufAsd1Asd1 and the circuitmoves to state u
1
0.When the circuit
is in state u0, and the token in ASDASD does not satisfy g , the token moves to bufBSDBSD by skip, and the state changes to uF .
When the circuit is in u1F and the token in bufBsd1Bsd1 satisfies g , then it is transmitted via gEXR and the synchronous channels
to bufAsd1Asd1 by an internal transition, and the circuit moves to state u
1
0 again. Otherwise, the token moves to bufBSDBSD by an
internal transition, and the state changes to uF . Define the relation≈⊆ C × U as follows:
≈ = {(c0, u0), (c0, u10)} ∪
{(c, h1(c) ∪ {bufAsd1Bsd1 }) | c ∈ C1 \ {c10 , c1F }} ∪
{(c1F , {buf i11 | i1 ∈ I1} ∪ {bufBsd1Bsd1 })} ∪
{(c1F , uF )}
678 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
According to the definition, we haveρ(u10) ∪ρ(u0) = ρ ′1(u10) ∪ {skip}
= ρ1({buf i11 | i1 ∈ I1}) ∪ {skip}
= ϵ1(c10 ) ∪ {skip}
= ϵ1(c0) ∪ {skip}
= loop(ϵ1)(c0)
If e ∈ ϵ1(c0), thenβ(u10, e) = β1({buf i11 | i1 ∈ I1}, e) ∪ {bufAsd1Bsd1 }. From loop(α1)(c0, e) = α1(c10 , e) (here we assume that
loop(ϵ1)(α1(c0, e)) ≠ ∅) and β1({buf i11 | i1 ∈ I1}, e) = h1(α1(c10 , e)), we have
(loop(α1)(c0, e),β(u10, e)) ∈ ≈
Furthermore, (loop(α1)(c0, skip),β(u10, skip)) = (cF , uF ), where cF = c1F . So
(loop(α1)(c0, skip),β(u10, skip)) ∈ ≈
Similarly, we can derive that for any (c, u) ∈≈,
(loop(α1)(c, e),β(u, e)) ∈≈ρ(u) = loop(ϵ1)(c)
So≈ is a bisimulation relation, and
[[loop(g : sd1)]] ∼ [[Rloop(g:sd1)]] 
6. Related work
One closely related work is the synthesis of adapters in component based systems. The authors of [39] propose an
approach to modify the interaction mechanisms that are used to glue components together by integrating the interaction
protocol into components. However, this approach acts only at the signature level. The work reported in [8,34] goes
beyond the signature level and supports protocol transformations in the synthesis process, but the initial coordinator being
synthesized behaves only as the ‘‘no-op’’ coordinator, which requires the assembly of new components to enhance its
protocol for communication.
Brogi et al. [12] set a formal foundation for the adaptation of heterogeneous components that may present mismatching
interaction behavior. Session types are used to cope with heterogenous descriptions of component interfaces. An adaptor
can be automatically generated from an adaptor specification, which establishes a correspondence between messages in
different components. However, the adaptor specification in their approach requires a good deal of implementation details
such as correspondences among methods (and their parameters) of different components.
In [10], an approach to scheduler synthesis for discrete event physical systems using supervisory control is proposed,
where supervisors are defined as processes and the allowable executions of a system are specified as a set of traces. The
supervisory controller interacts with the running system and makes it conform to the specification, which is given as a
collection of languages that can be intersected to yield a global specification. A supervisor is synthesized to restrict the
system’s behavior by synchronizing the events in the system. Our approach goes beyond behavioral restriction, and our
synthesized circuits can interact with system components through different communicating mechanisms encoded in the
channels.
A number of approaches for the synthesis of state-based models from scenario descriptions have been developed. For
example, the authors of [23] present a state-chart synthesis algorithm, but their approach does not support High-Level
Message Sequence Charts (HMSC), which provide a composition mechanism very close to UML2.0 SDs. The authors of [36,
37] propose an approach to synthesize LTS models from MSC specifications, where the mechanism for communication
among components is synchronous. The authors of [25] use MSCs for service specifications and propose an algorithm for
synthesizing component automata from specifications. In [15,16], the problem of synthesizing state machines from LSC
models was tackled by defining the notion of consistency of an LSC model. A global system automaton can be constructed
and then decomposed. However, this approach suffers from the state explosion problemdue to the construction of the global
system automaton, which is often huge in size because of the underlyingweak partial ordering semantics of LSC. The authors
of [32] combine the LSC notation with Z, and propose a synthesis approach for generating distributed finite state designs
from the combined specifications.
The authors of [27] propose an interactive algorithm that can be used to generate flat state-charts from UML sequence
diagrams. In [22], the authors also provide an interactive algorithm to generate state-charts from multiple scenarios
expressed as UML collaborations. In [35], the existing LTS synthesis algorithms are extended to produce Modal Transition
Systems from the combination of properties (expressed in temporal logic) and scenarios. An algebraic approachwas adopted
S. Meng et al. / Science of Computer Programming 76 (2011) 651–680 679
in [40] to synthesize state-charts of components from sequence diagrams, but it takes only the operators alt, seq and loop
into account, and does not consider any of the other UML2.0 operators on SDs.
Regardless of the scenario notations used (MSC, LSC or UML), all scenario-based synthesis approaches focus only
on generating the state-based models for separate components, or a global state machine for the whole system. These
approaches differ from ours as (1) we are concerned about the coordination aspects in distributed applications instead
of the behavior models for separate individual components, and (2) our synthesized connectors also provide the actual
protocols used for communication among components/services in the system, and our components do not need to contain
any protocol information. Therefore, changes in the communication protocol caused by system evolution require us to
change only the connector implementation, without changing any of the components that are not directly involved in the
evolution. Furthermore, the framework of synthesizing Reo circuits from scenario specifications provides a certain flexibility
in the synthesis process. Whenwemodify the scenario specification (for example, adding, removing or changing a sequence
diagram), part of the previous synthesized Reo circuits can be reused. Since every scenario described by UML SDs captures
only a possible system behavior and it is possible to add more scenarios during the development, the specification can be
taken as complete at some point, after which we can block whatever is not given in the specification.
7. Conclusion
In this paperwehave presented a novel approach for constructing Reo circuits fromscenario specifications represented as
UML sequence diagrams. This work extends our previous work described in [4] that presents an algorithm for automatically
synthesizing Reo circuits from constraint automata specifications, and the results in [7] that show the synthesis of constraint
automata from UML sequence diagrams. The method described in this paper allows us to derive a Reo circuit as the
implementation of the coordinator for a concurrent system directly from UML scenario specifications, which can have
greater structural fidelity compared to the connectors generated by using CA as a bridge, and thus higher reusability.
In [4], we have shown how to synthesize Reo circuits from constraint automata specifications. On the other hand, an
algebraic approach for generating constraint automata from scenario specifications has been proposed in [7]. However,
like most program-generated code, the synthesis of a Reo circuit from a constraint automaton, as reported in [4], generally
yields verbose circuits that do not ‘‘look natural’’ to the human eye. Therefore, generating a Reo circuit from a constraint
automaton synthesized from UML2 SDs yields Reo coordinator circuits that may not easily correlate back to their original
SD specifications. The merit of synthesizing Reo circuits directly from SDs lies in the greater structural fidelity between the
resulting Reo circuits in this approach and their original SD specifications. The new contribution in this paper is that we
go one step further and generate Reo circuits directly from scenario specifications represented by UML sequence diagrams.
There is substantial benefit in this work which bridges the gap between requirements and implementation of coordination
in the development of large-scale, distributed systems. From the presentation of the synthesis approach, we can easily
conclude that the size of the generated Reo circuit, i.e., the number of channels in the circuit, is linear to the size of the
corresponding sequence diagrams in terms of the number of lifelines and messages.
Among our next steps is the automation of the synthesis approach described in this paper. We already have a set
of integrated, visual tools to support coordination of components/services, including graphical editors, animation and
simulation tools, code generators, and model checkers [1,11,21,38]. We expect our tool to be useful in model-based
development of service oriented applications. Our aim is to aid designers who are interested in complex coordination
scenarios by enabling them to use UML SDs as the basis for generating implementations automatically using our synthesis
approach. Once the Reo circuit is generated from a scenario specification, we can also apply the existing tools, for example,
the Reomodel checker [21], to check for containment and equivalence of connectors. It would also be interesting to consider
extensions of UML, for example, the UML Profile for Schedulability, Performance and Time (UML-SPT) [29], which can be
used to provide appropriate representation of QoS aspects in UML, and their connection with quantitative Reo circuits [5].
Another future direction is to establish a formal consistency result for our translation from UML SDs to Reo circuits and
the synthesis algorithm of constraint automata from UML SDs suggested in [7]. The proof obligation will be to show that
the constraint automaton of the Reo circuit constructed from a given UML SD is (bisimulation) equivalent to the constraint
automaton obtained by the techniques of [7] for the same UML SD. As both approaches are based on structural induction, we
may use inductive arguments to establish this consistency result. The investigation on the link between timing constraints
in UML and the verification methods for timed constraint automata [3] is in the scope of our future work as well.
Acknowledgements
Comments of the anonymous referees are gratefully acknowledged. We are indebted to Luis Barbosa and Jan Rutten for
the fruitful discussions regarding the coalgebraic semantics of UML sequence diagrams, and to all the members of SEN3
for helpful discussions. We are particularly grateful for Erik de Vink’s interest in this work and his help on improving the
paper. Parts of this paper have been presented in the Proceedings of FOCLASA’08. We are thankful for the attention and
discussion with the participants in FOCLASA’08, and to the anonymous reviewers for their valuable comments. The work
reported in this paper is supported by a grant from the GLANCE funding program of the Dutch National Organization for
Scientific Research (NWO), through project CooPer (600.643.000.05N12), and the DFG-NWO-project SYANCO.
680 S. Meng et al. / Science of Computer Programming 76 (2011) 651–680
References
[1] Eclipse coordination tools. http://reo.project.cwi.nl/.
[2] Farhad Arbab, Reo: A channel-based coordination model for component composition, Mathematical Structures in Computer Science 14 (3) (2004)
329–366.
[3] Farhad Arbab, Christel Baier, Frank de Boer, Jan Rutten, Models and temporal logical specifications for timed component connectors, Software &
Systems Modeling 6 (2007) 59–82.
[4] Farhad Arbab, Christel Baier, Frank de Boer, Jan Rutten,Marjan Sirjani, Synthesis of Reo circuits for implementation of component-connector automata
specifications, in: J.-M. Jacquet, G.P. Picco (Eds.), COORDINATION 2005, in: LNCS, vol. 3454, Springer, 2005, pp. 236–251.
[5] Farhad Arbab, Tom Chothia, Sun Meng, Young-Joo Moon, Component connectors with QoS guarantees, in: A.L. Murphy, J. Vitek (Eds.), Proceedings of
9th International Conference on Coordination Models and Languages, Coordination’07, in: LNCS, vol. 4467, Springer, 2007, pp. 286–304.
[6] Farhad Arbab, Jan Rutten, A coinductive calculus of component connectors, in:M.Wirsing, D. Pattinson, R. Hennicker (Eds.), Recent Trends in Algebraic
Development Techniques: 16th International Workshop, WADT 2002, Frauenchiemsee, Germany, September 24–27, 2002, Revised Selected Papers,
in: LNCS, vol. 2755, Springer-Verlag, 2003, pp. 34–55.
[7] Farhad Arbab, SunMeng, Synthesis of connectors from scenario-based interaction specifications, in: M.R.V. Chaudron, C. Szyperski (Eds.), Proceedings
of 11th International Symposium on Component Based Software Engineering, CBSE’08, in: LNCS, vol. 5282, Springer, 2008, pp. 114–129.
[8] Marco Autili, Michele Flammini, Paola Inverardi, Alfredo Navarra, Massimo Tivoli, Synthesis of concurrent and distributed adaptors for component-
based systems, in: V. Gruhn, F. Oquendo (Eds.), EWSA 2006, in: LNCS, vol. 4344, Springer, 2006, pp. 17–32.
[9] Christel Baier, Marjan Sirjani, Farhad Arbab, Jan Rutten, Modeling component connectors in Reo by constraint automata, Science of Computer
Programming 61 (2006) 75–113.
[10] Silvano Balemi, Gérard J. Hoffmann, Paul Gyugyi, H. Wong-Toi, Gene F. Franklin, Supervisory control of a rapid thermal multiprocessor, IEEE
Transactions on Automatic Control 38 (7) (1993) 1040–1059.
[11] Tobias Blechmann, Christel Baier, Checking equivalence for Reo networks, Electronic Notes in Theoretical Computer Science 215 (2008) 209–226.
[12] Antonio Brogi, Carlos Canal, Ernesto Pimentel, Behavioural types and component adaptation, in: C. Rattray, S. Maharaj, C. Shankland (Eds.), Algebraic
Methodology And Software Technology, 10th International Conference, AMAST’04, Proceedings, in: LNCS, vol. 3116, Springer, 2004, pp. 42–56.
[13] Werner Damm, David Harel, LSCs: breathing life into message sequence charts, Formal Methods in System Design 19 (1) (2001) 45–80.
[14] Christoph Eichner, Hans Fleischhack, Roland Meyer, Ulrik Schrimpf, Christian Stehno, Compositional semantics for UML 2.0 sequence diagrams using
Petri Nets, in: A. Prinz, R. Reed, J. Reed (Eds.), SDL 2005, in: LNCS, vol. 3530, Springer, 2005, pp. 133–148.
[15] David Harel, Hillel Kugler, Synthesizing state-based object systems from LSC specifications, Foundations of Computer Science 13 (2002) 5–51.
[16] David Harel, Hillel Kugler, Amir Pnueli, Synthesis revisited: generating statechartmodels from scenario-based requirements, in: Proc. FormalMethods
in Software and Systems Modeling, 2005, pp. 309–324.
[17] ITU-TS. Recommendation Z.120 : Message Sequence Chart (MSC), Geneva, 1996.
[18] ITU-TS. Recommendation Z.120(11/99) : MSC 2000, Geneva, 1999.
[19] Bart Jacobs, Jan J.M.M. Rutten, A tutorial on (Co)Algebras and (Co)Induction, Bulletin of EATCS 62 (1997) 222–259.
[20] Christian Koehler, Farhad Arbab, Erik de Vink, Reconfiguring distributed Reo connectors, in: WADT 2008, in: LNCS, vol. 5486, Springer, 2009,
pp. 221–235.
[21] Sascha Klüppelholz, Christel Baier, Symbolic model checking for channel-based component connectors, Electronic Notes in Theoretical Computer
Science 175 (2) (2007) 19–37.
[22] Ismaïl Khriss, Mohammed Elkoutbi, Rudolf K. Keller, Automating the synthesis of uml statechart diagrams from multiple collaboration diagrams,
in: The Unified Modeling Language, UML’98: Beyond the Notation, First International Workshop, in: LNCS, vol. 1618, Springer, 1998, pp. 132–147.
[23] Ingolf Krüger, Radu Grosu, Peter Scholz, Manfred Broy, From mscs to statecharts, in: Distributed and Parallel Embedded Systems, Kluwer, 1999,
pp. 61–72.
[24] Christian Koehler, Alexander Lazovik, Farhad Arbab, Connector rewriting with high-level replacement systems, Electronic Notes in Theoretical
Computer Science 194 (4) (2008) 77–92.
[25] Ingolf H. Krüger, ReenaMathew, Component synthesis from service specifications, in: S. Leue, T.J. Systä (Eds.), Scenarios, in: LNCS, vol. 3466, Springer,
2005, pp. 255–277.
[26] Juliana Küster-Filipe, Modelling concurrent interactions, Theoretical Computer Science 351 (2006) 203–220.
[27] Erkki Mäkinen, Tarja Systä, Mas — an interactive synthesizer to support behavioral modeling in uml, in: Proceedings of the 23rd International
Conference on Software Engineering, ICSE 2001, IEEE Computer Society, 2001, pp. 15–24.
[28] Sjouke Mauw, Michel A. Reniers, High-level message sequence charts, in: A. Cavalli, A. Sarma (Eds.), SDL ’97: Time for Testing, SDL, MSC and Trends
— 8th International SDL Forum, Evry, France, 23-29 September 1997, Proceedings, Elsevier, 1997, pp. 291–306.
[29] ObjectManagement Group, UML Profile for Schedulability, Performance, and Time, Version 1.1, 2005. http://www.omg.org/cgi-bin/doc?formal/2005-
01-02.
[30] Object Management Group, Unified modeling language: superstructure — version 2.1.1, 2007. http://www.uml.org/.
[31] Jan J.M.M. Rutten, Universal coalgebra: A theory of systems, Theoretical Computer Science 249 (1) (2000) 3–80.
[32] Jun Sun, Jin Song Dong, Design synthesis from interaction and state-based specifications, IEEE Transactions on Software Engineering 32 (2006)
349–364.
[33] Sun Meng, Luís Soares Barbosa, A coalgebraic semantic framework for reasoning about uml sequence diagrams, in: Proceedings of 8th International
Conference on Quality Software, QSIC’08, IEEE Computer Society, 2008, pp. 17–26.
[34] Massimo Tivoli, Marco Autili, SYNTHESIS, a Tool for synthesizing correct and protocol-enhanced adaptors, RSTI L’object 12 (2006) 77–103.
[35] Sebastian Uchitel, Greg Brunet, Marsha Chechik, Behaviour model synthesis from properties and scenarios, in: 29th International Conference on
Software Engineering, ICSE 2007, IEEE Computer Society, 2007, pp. 34–43.
[36] Sebastian Uchitel, Jeff Kramer, A workbench for synthesising behaviour models from scenarios, in: Proceedings of International Conference on
Software Engineering, ICSE’01, IEEE Computer Society, 2001, pp. 188–197.
[37] Sebastian Uchitel, Jeff Kramer, Jeff Magee, Detecting implied scenarios in message sequence chart specifications, in: Proceedings of the 9th European
Software Engineering Conference and 9th ACM SIGSOFT International Symposium on the Foundations of Software Engineering, ESEC/FSE’01, ACM,
2001, pp. 74–82.
[38] Vereofy, http://www.vereofy.de/.
[39] Daniel M. Yellin, Robert E. Strom, Protocol specifications and component adaptors, ACM Transactions on Programming Languages and Systems 19 (2)
(1997) 292–333.
[40] Tewfik Ziadi, Loïc Hélouët, Jean-Marc Jézéquel, Revisiting statechart synthesis with an algebraic approach, in: 26th International Conference on
Software Engineering, ICSE 2004, 23–28 May 2004, Edinburgh, United Kingdom, IEEE Computer Society, 2004, pp. 242–251.
