Resolving race conditions in asynchronous partial order scenarios by Mitchell, Bill
Resolving Race Conditions in
Asynchronous Partial Order Scenarios
Bill Mitchell
Abstract—Scenario-based requirements specifications are the industry norm for defining communication protocols. However, such
scenarios often contain race conditions. A race condition occurs when events are specified to occur in a particular order, but in
practice, this order cannot be guaranteed. The paper considers UML/MSC scenarios that can be described with standard partial order
theoretic asynchronous behavioral semantics. We define these to be partial order scenarios. The paper proves there is a unique
minimal generalization of a partial order scenario that is race free. The paper also proves there is a unique minimal race free refinement
of the behavioral semantics of a partial order scenario. Unlike the generalization, the refinement cannot be realized in the form of a
partial order scenario, although it can always be embedded in one. The paper also proves the results can be generalized to a subclass
of iterative scenarios.
Index Terms—Requirements analysis, formal methods, distributed programming.

1 INTRODUCTION
PRACTITIONERS commonly specify asynchronous commu-nication protocols for distributed systems as a collection
of scenarios. UML sequence diagrams [32], Message
Sequence Charts (MSCs) [31], and Live Sequence Charts
(LSCs) [15] are popular for defining such scenarios. Such
languages are intuitive and simple to use. Unfortunately,
such languages can also beguile the overworked practi-
tioner struggling with product deadlines.
In general, requirements specifications have been shown
to be a significant source of defects. Published case studies
[11], [19], [20], [24], [33] have shown that about a third of
significant behavioral defects can be traced to requirements
specifications. This situation is no different for distributed
communication systems that use sequence diagrams to
define behavioral aspects of the system.
Scenario specification languages have become quite
sophisticated and expressive. Despite this sophistication,
basic scenarios are still the mainstay of industrial specifica-
tions. A basic scenario diagram is one whose behavioral
semantics can be defined in terms of a partial order
(Definition 1) on the events in the scenario. This is the
semantics defined in the MSC standard [31] and now
adopted as the core semantics for UML sequence diagrams
[32]. The partial order restricts the order in which events
can occur in any system trace. This partial order is called the
causal ordering (Definition 4). The intuition is that the
partial order is specifying the causality between events in a
scenario. We refer to basic scenario diagrams as partial
order scenarios to emphasize this point (Definition 3). It is
possible to define other behavioral semantics for sequence
diagrams, for example, by constraining behavior with UML
architecture diagrams. This is beyond the scope of this
paper and we only consider partial order scenarios.
A causal order not only specifies that certain events must
be ordered in a particular way, but also that certain events
are independent of one another. This can be the case even
for events within the same process. Therefore, a partial
order scenario specifies separate concurrent threads of
activity and at what points these threads must be
synchronized.
Causal orders can specify an almost arbitrary partial
ordering on events within a process. However, they may
only order events from different processes as a result of
message passing between those processes. Hence, an
arbitrary partial order over the set of events in a scenario
does not necessarily itself correspond to a partial order
scenario.
There are varieties of errors that can creep into scenario-
based specifications. The purpose of a protocol scenario is
to define message exchanges between processes in order for
them to achieve some common goal. Messages can easily be
added between the wrong processes, accidentally added in
the wrong direction, or just missed altogether. This type of
static error is generally picked up by routine document
inspections or through automated checks by software tools,
such as with Telelogic’s TAU G2 tool [27], and, as such, do
not require significant effort to resolve. However, behavior-
al inconsistencies are more difficult to detect and resolve. In
this paper, we focus on one common behavioral incon-
sistency known as a race condition. Essentially, a race
condition asserts a particular order of events will occur
because of the causal ordering, when, in practice, this order
cannot be guaranteed to occur. Because the standard partial
order semantics places almost no constraint on how the
causal order is constructed, it is very easy to inadvertently
introduce race conditions into a scenario. [12], [13] give the
original formal description of race conditions within the
MSC context.
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005 767
. The author is with the Department of Computing, University of Surrey,
Guildford, Surrey GU2 7XH, UK. E-mail: w.mitchell@surrey.ac.uk.
Manuscript received 16 Feb 2005; revised 12 June 2005; accepted 20 June
2005; published online 15 Sept. 2005.
Recommended for acceptance by N. Maiden.
For information on obtaining reprints of this article, please send e-mail to:
tse@computer.org, and reference IEEECS Log Number TSE-0039-0205.
0098-5589/05/$20.00  2005 IEEE Published by the IEEE Computer Society
Scenarios are really best suited for describing exemplary
behavior rather than specifying all possible concurrent
behavior in a distributed system. However, practitioners
find them more intuitive and “easier” to understand than,
say, state machines [29]. The standard partial order
semantics does not attempt to distinguish between exemp-
lary and mandatory behavior or what can be implemented
in practice. LSCs were introduced in an attempt to address
these issues, and UML 2.0 now includes many constructs
that permit greater expressivity in relation to message
flows. Despite these additional constructs, the fundamental
issue still remains: What consistent asynchronous behavior
can be extrapolated from a set of scenarios? Many protocols
start life as partial order scenarios. It is therefore useful to
address the issue at this level. Consistent scenarios that are
subsequently constructed can then be enhanced with
appropriate constructs to describe how they should be
used in the specification as a whole.
It is possible to directly analyze the causal ordering to
automatically detect race conditions [13]. It is also possible
to automatically construct a system trace that describes how
a race occurs. This still leaves the onerous task of deciding
what behavior is possible in practice and actually correcting
the specifications. Complications arise when a scenario
contains multiple interrelated races. Attempting to fix races
piecemeal by examining individual error traces can be
frustrating when the races have a common cause that
should be resolved directly. Section 10 describes two such
examples from a proprietary industrial case study.
1.1 Main Results of the Paper
In the paper, we prove there is a unique minimal general-
ization of a partial order scenario that is race free up to
simulation equivalence (Theorem 1). We refer to this
scenario as the inherent causal scenario. Note that although
the inherent causal scenario is unique, its graphical depic-
tion is not. Within UML and MSC, it is possible to depict the
same behavior in several ways due to the many constructs
that now exist in these languages. We also prove there is a
unique minimal race free refinement of the behavioral
semantics for a partial order scenario (Theorem 3). We refer
to this as the inherent refinement ordering. This refinement
cannot be directly realized as a partial order scenario.
However, messages can be added to the original scenario to
realize the behavioral refinement as a partial order scenario
(Lemma 7), whereas the generalization can be achieved by
introducing greater concurrency, which does not require
any additional messages. Race conditions are studied within
a partial order theoretic framework. Uniqueness results are
first derived purely in terms of partial orders. We then
construct a partial order scenario realization of each partial
order that characterizes a uniqueness result. This is
necessary since an event partial order alone does not
necessarily correspond to a partial order scenario.
The paper also considers how race conditions can occur
in iterative scenarios. These extend partial order scenarios
by adding a loop construct. Loops can be nested, and we
allow iterative scenarios to be weakly composed. Race
conditions can still occur within a partial order scenario as
before (which may or may not be part of an iterative
scenario). However, they can also occur because of loop
constructs, which only become evident when the loops are
unwound. We will refer to the later type of race as an
iterative race.
The paper defines a particular property of partial order
scenarios that we refer to as the convergence property
(Definition 19). The paper proves that as long as an iterative
scenario is constructed from race free partial order scenarios
by means of the loop construct, then it is free of iterative
races if and only if each of its composite partial order
scenarios satisfies the convergence property (Theorem 5).
From this, it is possible to give a constructive algorithm for
adding finitely many messages to an iterative scenario to
remove all iterative races and in such a way that the
message flows within loops are not significantly changed.
Hence, the problem of resolving races in iterative scenarios
can be reduced to that of resolving them in partial order
scenarios.
1.2 Related Work
The study of partial order scenarios has been an active topic
of research for many years. [28] contains an excellent survey
of related work in this area, which we strongly recommend
to the reader. [25] is another excellent survey covering
verification of protocols specified with MSC scenarios. In
light of these, we will not attempt to give a complete list of
all related work here.
The problem addressed in this paper is focused on one
particular aspect of message flows within a sequence
diagram. There is, of course, a wide variety of verification
issues connected with protocol design. Verification of logical
properties fromMSCs andMSC-Graphs has been considered
by [1], [14], [30], amongst others. This work addresses issues
such as deadlock, livelock, and ensuring correct responses to
requests. Much of this work has been based on synthesizing
finite state automata for the purposes of model checking. [7],
[8], [18], [23], [30] consider how to construct state machines
directly from a collection of message sequence charts via
different kinds of compositional semantics. Other work has
considered how to interpolate missing requirements from
scenario based specifications [2], [3], [4], [21], [28]. This work
is useful both in verifying a system and in synthesizing a
more complete specification. Alur et al. [3] introduced the
seminal work that first considered the realizability of
collections of MSCs. In their work, they consider when
MSCs composed via an MSC-Graph can collectively be
implemented. The issue they address is orthogonal to that
considered here, as they implicitly regard race conditions as
benign in their examples. Research into automatic test
generation from partial order scenarios is another active
research area [5], [6], [9], [26].
An interesting variation on mainstream MSC/UML
scenarios is given by live sequence charts (LSCs) [15]. As
mentioned in the introduction, these permit more expressi-
tivity by permitting exemplary and mandatory behavior to
be annotated directly within a scenario. It is also possible to
synthesize state machines from LSCs [16]. Although both
UML and MSC scenarios are widespread in industry, LSCs
have not yet achieved a large following outside of the
academic community.
From our search of the literature, it appears that our
paper is novel in that it proves there exists a unique optimal
768 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
solution to a specific class of semantic inconsistencies for
sequence diagrams, namely, race conditions. It also appears
to be novel in characterizing the solution purely in partial
order theoretic terms.
1.3 Graphical Notation
Although our results apply to any partial order scenarios,
we will use MSC as the graphical language for the paper.
The MSC standard [31] is stable and MSCs are common in
industry. Also, their semantics are targeted at asynchronous
protocols. For the type of elementary scenario we describe
here, the notation is almost identical for UML sequence
diagrams, LSCs, and MSCs. In this section, we give a terse
and intuitive explanation of the constructs we will use. For
formal details, the interested reader is referred to the
standards [31] and [32].
Consider the MSC depicted graphically in Fig. 2. Each
vertical line describes the time-line for a process, where
time increases down the page. Messages are depicted by
arrows. Each message m defines a pair of events ð!m; ?mÞ,
where !m is the send event form and ?m is the receive event
form. Messages in MSCs are always asynchronous since we
are dealing only with asynchronous protocols.
The distance between two events on a time-line does not
represent any literal measurement of time; only that
nonzero time has passed. Events on the same time-line
are ordered linearly down the page, except where they
occur within a coregion. Within a coregion, events are not
locally ordered unless that is directly imposed by a general
order construct (described below). Coregions are depicted
with a dashed line. For process B in Fig. 2 events ?c and ?d
are unordered as they occur within a coregion.
It is possible with MSC and UML notation to describe
message overtaking, as shown in Fig. 1. As is the norm, we
rule out message overtaking in specifications. That does not
mean we attempt to forbid message overtaking in practice,
only that it may not be specified as having to occur as part
of the protocol definition.
The MSC and UML standards include a general ordering
construct, which is a simple graphical notation that
explicitly forces one event to occur before another event.
A general order construct is depicted as a dashed arrow
between the events to be ordered, with arrowhead placed in
the middle of the arrow. For example, the MSC in Fig. 12
contains a general ordering construct between the ?b and !c
events. Where general ordering constructs span processes
in an MSC, as in Fig. 12, the MSC is not strictly a partial
order scenario. Events in different processes may only be
ordered by virtue of interprocess communication, as
explained in Definition 4. We will use the general order
construct in simple MSCs to illustrate scenarios, but we
point out when the MSC is not a partial order scenario.
A parallel construct in a MSC/UML sequence diagram,
denoted by keyword PAR, describes a set of concurrent
threads that occur in the diagram. Dotted lines delineate the
different threads. Hence, events from one thread are not
causally ordered with respect to events from any other
thread. Fig. 20 contains two parallel constructs. The first
parallel construct contains messages a, b, and c in separate
threads, which can therefore occur in any order. The
bounding box of a parallel construct has no effect on the
ordering of events; it solely delineates the scope of the
concurrent threads. For example, receive event ?a0 is
ordered before each of ?a, ?b, and ?c, even though these
events are not ordered with respect of one another since
they are in separate threads. Events within a particular
thread are ordered in the usual way, so, for example, !c1
must be before !c2 in the second parallel construct.
An inline reference, denoted by keyword REF, is a
placeholder for another sequence diagram. The reference
can be replaced by the contents of the other sequence
diagram if desired. The reference is weakly composed with
the referring diagram when inlined. Fig. 20 contains an
inline reference spanning processes A through D.
MSC and UML notations allow a message to be split into
lost and found events. This allows a message to be sent in
one scenario and received in another. The send part of the
message is represented by a lost event and the receive part
by a found event. In this paper, we will only use this
construct to simplify the visual layout of scenarios. Hence,
the found event corresponding to a lost event always occurs
in the same scenario. Fig. 11 gives an example where
messages a and c have been split into lost and found events.
The lost event for !a is depicted by the solid circle
terminating the arrow midprocess. The found event for ?a
is depicted by the empty circle that initiates an arrow into
process B. In this paper, we follow the convention that the
found event given by a message must always occur after the
lost event for the message. The MSC and UML standards do
not make any formal link between a lost event and a found
event; that is, they do not identify them as component parts
of a single message. However, our convention is only used
in simplifying the visual layout of our examples and does
not affect the theoretical results in any way.
2 BASIC PARTIAL ORDER SPECIFICATIONS
In this section, we define the causal ordering semantics for
partial order scenarios. We use the same message semantics
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 769
Fig. 1. Message overtaking. Fig. 2. Race hidden by coregion.
as the MSC 2000 standard [31]. Hence, a partial order
scenario defines a set of message exchanges between
processes with asynchronous communication channels.
Definition 1.
. A partial order over a set E is a binary relation < such
that
. < is irreflexive, :ðx < xÞ for any x 2 E,
. < is transitive, x < y and y < z implies x < z,
and
. < is asymmetric, there are no elements x; y 2 E
such that x < y and y < x.
. We write :ðx < yÞ to denote that it is not the case that
x < y.
. Two elements x and y of E are unordered if :ðx < yÞ
and :ðy < xÞ.
When this is the case, we write x ½<Un y. We
define a set to be unordered if every pair of distinct
elements from that set are unordered.
Often in the literature, this type of partial order is
referred to as a strict partial order. Virtually all the partial
orders considered in this paper are strict, so we adopt the
convention of taking partial orders as strict unless other-
wise stated. A nonstrict partial order in the usual sense is
antisymmetric rather than asymmetric. The antisymmetric
condition states that if x < y and y < x, then x ¼ y.
Definition 2.
. A total order over the set E is a partial order on E
where, for any two distinct elements a and b, either
a < b or b < a.
. A total extension of a partial order < is any total order
<1 such that x < y implies x <1 y.
. The trace of a total order <1 on the set E is the unique
sequence of the form
e0  e1     en;
where E ¼ fei j 1  i  ng and ei <1 eiþ1 for each i.
. A trace of the partial order < is the trace of any total
extension of < .
Let P be a set of processes. A message m between
processes is a pair ð!m; ?mÞwhere !m is the send event form
and ?m is the receive event for m. We regard !m as
belonging to the sending process and ?m as belonging to the
receiving process. Let E be the set of all send and receive
events between all processes. Each event has a label, let
l : E ! L be the labeling function. For a message m,
lð!mÞ ¼ lð?mÞ. Within the MSC standard, there are many
other kinds of events such as action boxes and condition
symbols, but here we only consider message events to
simplify proofs as much as possible. It is possible to
generalize the results to include these other events.
Definition 3. A partial order scenario M on processes P is
. a collection of disjoint sets EðP Þ  E for each P 2 P
that defines the message events belonging to P , and
. a set of partial orders <P , where <P is a partial order
on EðP Þ that defines the local ordering of events for
process P .
These local partial orders must be subject to the
constraint that for each send event !m in a set EðP Þ the
corresponding receive event ?m occurs in some set EðQÞ.
Note that messages are allowed to be sent from a process to
itself, so we allow P ¼ Q. We treat a partial order as a
binary relation that can be represented as the set of pairs
that are ordered by the relation. Hence, we can take the
union of partial orders, which is just the set theoretic union
of the sets that represent the relevant order relations. It is
important to note that the local orders are not necessarily
total, but can be any partial order. In the literature, it is
sometimes assumed basic scenario diagrams have total local
orderings, so it is worth emphasizing this does not have to
be the case.
Let Msg be the set of messages defined as the set of send
and receive event pairs:
fð!e; ?eÞ j !e 2 EðP Þ and
?e 2 EðQÞ for some P; Q 2 Pg:
Definition 4. The causal ordering <C on a partial order scenario
is the transitive closure of the relation given by
 [
P2P
ð<P Þ

[Msg:
Note that all causal orderings are irreflexive, so that
messages must be received after they are sent. The causal
ordering defines the set of all possible system traces that are
given by the partial order scenario. A system trace is any
total order extension of <C . Recall that a total order on a
set S is a partial order < on S where, for any distinct
elements x; y 2 S, either x < y or y < x.
Definition 5. The set of system traces defined by a causal
ordering <C is the set of traces for the causal order <C .
Definition 6. Let M be a partial order on events EM , processes
PM , and process orders f<MP j P 2 PMg. Let N be a partial
order on events EN , processes PN , and process orders
f<NP j P 2 PNg. Scenario M is embedded in N if
. PM  PN ,
. EM  EN , and
. for all x, y 2 EM and processes P 2 PM
x <MP y, x <NP y:
Consider the MSC depicted graphically in Fig. 2. The
local partial orders defined by this MSC are given in Fig. 3
where we draw the ordering downwards, so that !a <B !b,
for example. In this case, the causal ordering <C is given in
Fig. 4.
3 RACE CONDITIONS
Fig. 2 illustrates a race condition. The causal ordering
asserts that !b <C ?c. If this MSC is taken as a specification, it
asserts that after C receives a it must send c so that it arrives
after b is sent. It is not possible for C to know for sure when
!b occurs without querying B. Hence, it is quite possible if
this scenario is implemented naively that c will arrive
before b is sent, contradicting the specification. This error
770 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
can occur even though each of the processes locally
implements the specification correctly.
Definition 7. A partial order < on E is defined to be race free
when, for every event x and message e,
x < ?e ) ðx < !e or x ¼ !eÞ:
An MSC is defined to be race free when its causal ordering
is race free.
That is, < is race free if the following holds: When <
orders an event x before the receive event of some
message e, then it also orders x to be before the send event
of e. Note that Fig. 2 is not race free since !b <C ?c, but
!b 6<C !c.
Fig. 5 shows another typical kind of race condition. This
is a greatly simplified version of a scenario from a Motorola
case study. Two other examples from this case study are
considered in detail in Section 10. In this scenario, A is
transmitting messages to C via process B. The only function
for B is to forward the messages. A race condition occurs
here between !b and ?c. The race occurs since !b <C ?c, but
!b 6<C !c.
In practice, it may be that the latency of messages from A
to B is large so that B has plenty of time to forward a before
c is received. However, the semantics do not reflect this. As
specified, there is no mechanism for B to guarantee that b
can be sent before c is received. Such implicit assumptions
based on an existing system can cause problems later when
networks are upgraded and the assumptions are no longer
valid. Scenario-based specifications are intended for proto-
col designs that are independent of low-level properties of
the underlying network. One of the useful side effects of
correcting race conditions is that it tends to focus the design
at a higher level of abstraction.
4 PARTIAL ORDER PROCESSES
In this section, we define a process algebra semantics of
system traces. This is a standard result for partial orders,
but we present it in a slightly nonstandard format for ease
of use later in the paper. The process algebra term
characterizes the system behavior up to simulation equiva-
lence (this follows from Lemma 3). In Section 5, we describe
the system behavior as a finite state automaton whose states
are the unordered subsets of E. This allows us to link the
behavioral description here with earlier work of [1].
First, we set up some notation for defining sets of events
that are important in generating system and process traces.
Definition 8. Let < be a partial order on a set of events E. For a
set S  E, define
nðS;<Þ ¼ fx 2 E j 9 y 2 S : y < x;
and :9 z 2 E : y < z < xg
minðS;<Þ ¼ fx 2 S j :9 y 2 S : y < xg
maxðS;<Þ ¼ fx 2 S j :9 y 2 S : x < yg
cnsða; S;<Þ ¼ minððS  fagÞ [ nðfag; <Þ<Þ:
The set nðS;<Þ is those events that are a least upper
bound for some element in S. The set minðS;<Þ is just the
set of minimal elements of S.
Note that cnsða; S;<Þ is always an unordered set since
the minimal elements of a set are themselves always
unordered. The set cnsða; S;<Þ defines what events may
be consecutive to a in a system trace, when S describes a set
of events that are eligible to occur concurrently with a at a
given point of the system execution. Suppose we have a
system trace t that is a total extension of < . Let a be some
event in t, so that t is of the form t0  a  t1 (where  denotes
concatenation). Let S be the set of minimal events from the
set of all events not in t0  a. Then, t1 must be of the form
b  t2, where b 2 cnsða; S;<Þ. We can formally prove this
result in the following proposition:
Lemma 1. Let < be a partial order on E, a 2 E and
S ¼ fx j x½<Unag.
1. If there is a trace for < of the form t0  a  b  t1, then b
is an element of cnsða; S Ba;<Þ, where Ba is the set
of events in t0.
2. For any b 2 S, there is some trace of the form
t0  a  b  t1.
Proof.
1. Proof of 1.
Let t be a trace of the form t0  a  b  t1. We need
to prove that b 2 cnsða; S Ba;<Þ. Since a occurs
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 771
Fig. 3. Process partial orders.
Fig. 4. Causal ordering.
Fig. 5. Message forwarding race condition.
before b in a trace of < , it follows that :ðb < aÞ.
Therefore, either a < b or a½<Unb.
a. Consider the case where a < b. Since there is
a trace where b is consecutive to a, there can
be no event c where a < c < b. Hence,
b 2 nðfag; <Þ:
If it is not the case that
b 2 cnsðaS Ba;<Þ;
then there must be some e where e < b and
e½<Una. However, if e < b, then e must have
occurred at some point in t0 and, hence,
e 2 Ba. This leads to a contradiction, so we
must have that b 2 cnsða; S Ba;<Þ.
b. Consider the case where a½<Unb. Just as in the
previous case, if there is any e 2 Ewhere e < b
and e½<Una, then e must occur in t0. Hence, b
must be an element of minðS Ba;<Þ. So, by
definition, b 2 cnsða; S Ba;<Þ. This com-
pletes the proof of 1.
2. Proof of 2.
This case is very straightforward and is
included for completeness. Choose any b 2 S. Let
X ¼ fx 2 E j x < a or x < bg:
Let
Y ¼ E  fa; bg X:
Let t0 be any trace of < restricted to X. Let t1 be
any trace of < restricted to Y . Clearly, t0  a  b  t1
is a trace of < .
That completes the proof of the lemma. tu
The first element in a trace of < has to come from
minðE;<Þ. Hence, we can define the system behavior for a
causal ordering as follows:
Definition 9. For a set S  E, define a recursive process algebra
term by
P ðS;<Þ ¼
X
fa2Sg
a  P ðcnsða; S;<Þ; <Þ
and P ð;; <Þ ¼ 0.
Where a  P denotes the usual sequential composition of
action and process, and the summation is nondeterministic
choice (as standard in both CCS and CSP [22], [17]).
Definition 10. For a partial order < on events E, define the
observable behavior of < to be the process:
P< ¼ P ðminðE;<Þ; <Þ:
Define the observable behavior for partial order scenario M
with causal ordering <C to be the process:
P ðMÞ ¼ P<C :
Lemma 2. Let < be a partial order on events E. The traces of
process P< are exactly the traces of < .
Proof.
. Theproof of Lemma2 is immediate fromLemma1.
For processes P and Q, we use the notation
P !a Q to denote that P is strong bisimulation
equivalent to a Qþ P 0 for some process P 0. Let
a0  a1    an
be a trace for the partial order < .
To prove the lemma, it is enough to prove that
thereareprocessesPiwherePi!ai Piþ1,P ðMÞ ¼ P0,
and Pnþ1 ¼ 0, where 0 is the empty process. Define
. UðaiÞ ¼ fe 2 E j e½<Unaig,
. Aj ¼ fai j 0  i  jg, and
. Siþ1 ¼ cnsðai; UðaiÞ Aj;<Þ.
It follows from Lemma 2 that we may define
Piþ1 ¼ P ðSiþ1; <Þ. Note that Snþ1 ¼ ;, so that
Pnþ1 ¼ 0. This completes the proof. tu
In [10], a process algebra semantics is defined for basic
MSCs (which we refer to as partial order scenarios) that
characterizes system traces. In that work, they provide an
algebraic semantics for each of the various constructs for
basic MSCs. They also define a particular form of con-
current composition that reflects the asynchronous com-
munication between processes defined by the MSC
standard [31]. This is unnecessary for our purposes. We
only require a process that captures the system behavior
directly from the causal order. This allows us to use the
more elementary definitions given in this paper.
5 AUTOMATA OF UNORDERED SETS
From the definition for P ðMÞ, we can construct a finite state
automaton AðMÞ that also defines the traces of the system.
The states of the automaton are unordered sets S  E. The
initial state is S0 ¼ minE<C, and ; is the accepting state. For
each a 2 S, there is a transition
S !a cnsða; S;<CÞ:
From the recursive definition of P ðMÞ, we can also give a
recursive construction for AðMÞ. Define Statesi and Transi
recursively as follows:
. States0 ¼ fS0g, Trans0 ¼ ;.
. Define Statesnþ1 to be the sets cnsða; S;<CÞ, where
S 2 Statesn and a 2 S. Define Transnþ1 to be the
transitions S !a cnsða; S;<CÞ for S 2 Statesn and
a 2 S.
The states of AðMÞ are the union of all the Statesi. The
transitions of AðMÞ are the union of all the Transi. The
language accepted by AðMÞ is exactly the set of traces given
by P ðMÞ. The proof of Lemma 2 essentially defines the
correspondence between the traces of the automaton and
the traces of the process.
Fig. 6 gives an example of the automaton for events
fa; b; c; dg with causal order
a < c; b < c; b < d:
The start state in Fig. 6 is fa; bg.
772 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
The automaton AðMÞ also reflects a lattice structure on
the unordered sets of <C . Define a (nonstrict) partial order
 on unordered sets as follows. Let
S ¼ S [ fx j 9y 2 S : x >C yg:
Define S1  S2 when
S1  S2:
The order  defines a lattice structure over the
unordered sets. It turns out that there is a transition
S !a S0 in AðMÞ if and only if S  S0 and there is no
unordered set U where S  U  S0. Hence, we can construct
the Hasse diagram for  directly from AðMÞ.
For U  E, U is referred to as an upper section if U ¼W
for some W  E. In [1], an automaton A0ðMÞ is defined
with states given by the upper sections of E. Transitions are
given by U !a ðU  fagÞ for each a 2 minðU;<CÞ. It turns
out that A0ðMÞ is isomorphic to AðMÞ. The isomorphism
works as follows:
Given a stateU inA0ðMÞ, this maps to the stateminðU;<CÞ
inAðMÞ. A state S inAðMÞmaps to S inA0ðMÞ. A transition
S !a S0 maps to S !a S0. This gives an isomorphism since,
for any upper section U , U ¼ minðU;<CÞ. Also, for any
unordered set S, S ¼ minðS<CÞ.
In this paper, we use unordered sets to construct the
system behavior, rather than upper sections, since they give
a clearer description of possible consecutive events at each
point of a system trace. That gives us greater insight into
how races can occur, which is what we require for the
proofs of the main results.
6 INHERENT CAUSAL BEHAVIOR
A partial order < on events preserves the message ordering
when !e < ?e for every message e. Let <C be the causal
ordering for a partial order scenario.
Definition 11. The inherent causal ordering <I of <C is defined
to be the transitive closure of the following binary relation < .
For every event x and message e, define:
1. x < !e() x <C !e.
2. !e < ?e.
Note that, when regarding a partial order as a set of
pairs, we have
ð<IÞ  ð<CÞ:
Fig. 7 gives a graphical depiction of the inherent ordering
for Fig. 2.
The inherent ordering is the causal order of some partial
order scenario. This follows from the next theorem:
Theorem 1. The inherent causal ordering <I of a partial order
scenario with processes P is the transitive closure of the
following binary relation <0 . For every event x and message e,
define:
1. x <0 !e() 9P 2 P such that x <P !e.
2. !e <0 ?e.
Proof. Recall that <I is the transitive closure of the binary
relation <1 defined by:
1. x <1 !e() x <C !e.
2. !e <1 ?e.
Clearly, <I is an extension of <0 so it only remains to
prove that <I is contained in the transitive closure of
<0 . Let <

0 be the transitive closure of <0 . For a partial
order < on E, let a <þ b denote that a < b and there is no
event w where a < w < b.
Suppose we have x, y 2 E, where x <I y. The proof
now splits depending on whether y is a send or receive
event.
1. Consider the case where y ¼ !e. In this case,
x <I !e if and only if x <C !e.
Let ui be events where
x <þC u1 <
þ
C u2    <þC un <þC !e:
We prove this case by induction on n.
If x and !e are part of the same process, we are
done. So, we may assume this is not the case. Let
!e belong to process P . Let i be the minimal value
such that ui also belongs to P .
Suppose that ui ¼ !f for some message f . By
definition, ui1 does not belong to P . We therefore
have ui1 <þC !f , but uiþ1 and !f are on different
processes. However, if for any events g and h on
different processes, we have g <þC h, then h ¼ ?k
and g ¼ !k for some k. Hence, ui cannot be a send
event.
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 773
Fig. 6. Automaton representation of partial order behavior.
Fig. 7. Inherent Ordering of Fig. 2.
We may then suppose that ui ¼ ?f for some
message f . It follows from what we have just said
that ui1 ¼ !f . We have thus constructed a
sequence:
x <þC u1 <
þ
C u2    <þC ui1 ¼ !e:
We may now apply the induction hypothesis
to prove that x <0 ui1. By definition, we also
have ui1 <0 ui and ui <0 !e. Hence, by transitiv-
ity, x <0 !e. This completes the induction step.
The base case is when x <þC u1 <
þ
C !e and u1
belongs to P , but x does not. This can only be true
if u1 ¼ ?f and x ¼ !f for some f . In which case, it
follows that x <0 u1 <0 !e by definition. That
completes the proof by induction.
2. Consider the case where y ¼ ?e.
From the definition for <I , this can only be if
x <I !e <I ?e:
Hence, by case 1, we are done since !e <0 ?e. tu
In Fig. 8, we have illustrated the inherent causal scenario
of Fig. 2 in the form of an MSC using a parallel construct.
With the parallel construct, we have separated message c
into one concurrent thread and messages b and d into
another. The dotted line delineates the two threads within
the PAR construct. Note that, since !a is outside the parallel
construct, it must still occur before both ?c and !b. The
illustrations used in the paper for inherent causal scenarios
can be automatically generated from their inherent causal
orders, but we will not describe that process here, as it is a
distraction from the central theme of the paper.
The inherent causal order for Fig. 5 is shown in Fig. 9.
This is isomorphic as a partial order to the inherent causal
order in Fig. 7. However, because of the partitioning of
events between processes the inherent causal scenario for
Fig. 5 is very different to that of Fig. 2.
One graphical depiction for the inherent causal scenario
for Fig. 5 is given in Fig. 10. In this depiction, all the events
of process B are placed in a single coregion. This decouples
?b and ?c, which removes the race. By placing all the events
in a coregion, we must reintroduce desired orderings
between events on that process by use of general ordering
constructs. Hence, there is a general order construct to
ensure ?a <I !b and another to force ?c <I !d.
In this particular case, it is not possible to use a parallel
construct in the same way we did earlier to depict the
inherent causal scenario. It is not as straightforward in this
example to separate the concurrent behavior into separate
linear threads.
Each message forwarded by B is essentially treated
independently. Hence, the behavior of B is independent of
the order that messages are sent to it by A. We can emphasis
this more clearly, and simplify the inherent causal scenario
at the same time, by using lost and found messages.
Fig. 11 gives an alternative depiction of the inherent
causal scenario for Fig. 5. It specifies exactly the same causal
order as Fig. 10. With our convention, outlined in Section 1,
of only using lost and found events to provide a graphical
means of splitting a message, we have not lost any
information by depicting a and c in this way. However,
by splitting a and c into lost and found events, we can
parcel up the rest of the scenario into two concurrent
linearly ordered threads within a parallel construct.
Visually, this more clearly describes the concurrent struc-
ture of the inherent causal scenario than Fig. 10.
774 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
Fig. 8. Inherent causal scenario of Fig. 2 as MSC.
Fig. 9. Inherent ordering of Fig. 5.
Fig. 10. Inherent causal scenario of Fig. 5.
Fig. 11. Alternative depiction for inherent causal scenario of Fig. 5.
7 CANONICAL INHERENT PROCESSES
Recall in Section 4 that we defined the observable process
behavior P ðMÞ of a partial order scenario M.
Definition 12. The inherent process behavior of a partial order
scenario M is defined to be
PIðMÞ ¼ P ðminðE;<IÞ; <IÞ:
Let t denote the standard simulation relation for process
algebras. That is, P t Q iff
. for every transition Q !a Q0, there exists a transition
P !a P 0 where P 0 t Q0:
Theorem 2.
. ð<IÞ  ð<CÞ and PIðMÞ t P ðMÞ.
. For any race free partial order< that preserves message
ordering, let P< ¼ P ðminðE;<Þ; <Þ. Then, P< t
P ðMÞ iff ð<Þ  ð<IÞ  ð<CÞ and P< t PIðMÞ.
That is, PIðMÞ is the canonical process that simulates
P ðMÞ and is race free. To say that ð<1Þ  ð<2Þ means that,
for every x and y in E, when x <1 y, then x <2 y.
This theorem proves that the order <I describes the
maximal ordering with respect to simulation equivalence
that is a race free weakening of <C . Hence, constructing an
MSC that has partial order semantics given by <I defines a
new MSC that corrects any race conditions in M and
weakens the causal ordering of M as little as possible. It is
straightforward to construct such an MSC.
The theorem is a consequence of the following lemmas
together with Lemma 2. For any partial order < (which is
not necessarily race free), let T ð<Þ be the set of total
extensions of < .
Lemma 3. For partial orders <1 and <2 , where
P<1 t P<2 ;
then ð<1Þ  ð<2Þ
Proof. Note that x < y iff for every trace in T ð<Þ, x occurs
before y in the trace. When P<1 t P<2 , then the set of
traces for P<2 is contained in the set of traces for P<1 , that
is, T ð<2Þ  T ð<1Þ.
x <1 y) x occurs before y in every trace of T ð<1Þ
) x occurs before y in every trace of T ð<2Þ
) x <2 y:
Hence, ð<1Þ  ð<2Þ, which concludes the proof. tu
Lemma 4. Given two partial orders<1 and<2 , T ð<1Þ  T ð<2Þ
iff P<1 u P<2 :
Proof. Note that T ð<1Þ  T ð<2Þ iff ð<2Þ  ð<1Þ.
Given ð<2Þ  ð<1Þ, to prove P<1 u P<2 , it is enough to
prove that for any S  E and a 2 E,
cnsða; S;<1Þ  cnsða; S;<2Þ: ð1Þ
Let
m1 ¼ minððS  fagÞ [ nðfag; <1Þ; <1Þ
m2 ¼ minððS  fagÞ [ nðfag; <2Þ; <2Þ:
We write U  V for sets U; V  E when, for each
u 2 U , there is some v 2 V such that u  v. Note that
since ð<2Þ  ð<1Þ, then nðfag; <2Þ  nðfag; <1Þ.
For a contradiction, suppose that x 2 m1 and x 62 m2.
This implies there is some y 2 m2 such that x <2 y. First
consider if y 2 S  fag. Then, x <1 y 2 S  fag, hence,
x 62 m1. This is a contradiction, hence, we must have
y 2 nðfag; <2Þ.
Since nðfag; <2Þ  nðfag; <1Þ, there is some y0 2
nðfag; <1Þ such that x <2 y <1 y0. Therefore,
x <1 y
0 2 nðfag; <1Þ;
and so x 62 m1. Again, a contradiction as required to
complete the proof of (1). The proof that T ð<1Þ  T ð<2Þ
implies P<1 u P<2 , is completed once we note that
minE<1  minE<2.
The converse implication for the lemma is straightfor-
ward. It is true for any processes P and Q that, if P t Q,
then the set of traces of Q is contained in the set of traces
for P . Since the traces of P<i are exactly T ð<iÞ, the result
is then immediate. That completes the proof of the
lemma. tu
Lemma 5. For a partial order < that preserves message ordering
and is race free,

ð<Þ  ð<CÞ

)

ð<Þ  ð<IÞ  ð<CÞ

:
Proof. For this it is enough to prove that, whenever x < y,
then x <I y. The proof splits into cases depending on
whether y is a receive or send event.
. First, suppose that y ¼ !e for some message e.
Then, x < !e implies x <C !e since ð<Þ  ð<CÞ. By
definition of <I , x <C !e implies x <I !e.
. The other case is where y ¼ ?e for some message
e. Since < is race free, x < ?e implies that x < !e.
As above, this implies x <I !e. The ordering <I
preserves message ordering and, hence, x <I ?e.
This completes the proof of the lemma. tu
8 INHERENT REFINEMENT BEHAVIOR
In this section, we define the inherent refinement ordering.
This is the dual of the inherent causal order in that it
characterizes the minimal refinement of a causal order that
is race free. This is proved by Theorem 3, which is the dual
result of Theorem 2. However, it is not the case that we can
prove the dual result to Theorem 1. That is, the inherent
refinement ordering cannot necessarily be defined as the
causal order for some partial order scenario. In Lemma 6,
we give a counter example and prove that the refinement
order of this example can never be the causal order of a
partial order scenario. In Lemma 7, we prove that every
refinement order can at least always be embedded in a race
free partial order scenario.
Definition 13. The inherent refinement ordering <R of a causal
ordering <C is defined to be the transitive closure of the
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 775
following binary relation < . For every event x and message e,
define:
. x < !e() x <C ?e.
. !e < ?e.
First note that <R is race free. Since it is clear from the
definition that x <R ?e implies that x <R !e or x ¼ !e. Also,
notice that the refinement order only extends <C by forcing
particular send events to be delayed so that other events
may occur first and, hence, is implementable.
If the partial order scenario is represented as an MSCM,
then the inherent refinement ordering can be constructed by
adding suitable general orderings toM. These general order
constructs cause appropriate send events to wait until the
relevant receive events have occurred.
For example, the MSC in Fig. 12 describes the inherent
refinement order for the partial order scenario in Fig. 2.
Note that Fig. 12 is not a partial order scenario. The general
order construct here acts across processes and not within a
single process. The causal order for a partial order scenario
can impose an arbitrary ordering within a process, but
events in separate processes can only be ordered because of
inter-process communication. The general ordering in
Fig. 12 is clearly not the result of any interprocess
communication. In fact, we prove in Lemma 6 that the
refinement order for Fig. 2 can never be the causal order for
a partial order scenario.
Lemma 6. Let <0R be the refinement order of the partial order
scenario given by the MSC in Fig. 2. Then, there is no partial
order scenario whose causal order is an extension of <0R .
Proof. Recall from Definition 4 that the causal order for a
partial order scenario is defined as the transitive closure
of the relation given by
 [
P2P
ð<P Þ

[Msg;
where <P are the various process orders for the
scenario. The process orders for A, B, and C inferred
by <0R are just those defined by Fig. 3. Any partial order
scenario that extends <0R has to be the result of
extending the process partial orders <A , <B , and <C .
Note that <A and <C are total orders and so cannot
be extended any further. Hence, any causal order that is
an extension of <0R must extend <B .
However, it is clear that no extension of <B can cause
!b to be ordered before !c in the resulting causal order.
That is, there are no extensions of <A , <B , and <C that
result in a causal order that extends <0R as required to
complete the proof. tu
Although the inherent refinement order is not a true
causal order, we can embed it within a race free partial
order scenario. That is, it is possible to add messages to a
partial order scenario so that the resultant scenario is race
free. In addition, when restricted to the events of the
original scenario, the new scenario defines exactly the same
process orders and its causal order is exactly the inherent
refinement ordering of the original scenario. This is
precisely stated in Lemma 7.
Lemma 7. Let M be a partial order scenario on events E, with
processes P and process ordering <P for each P 2 P. Let <R
be the inherent refinement order for M.
There is a race free partial order scenario Mm on events
Em, with processes P, process orderings <mP for each P 2 P,
and causal order <mC such that
1. For each P 2 P, EðP Þ  EmðP Þ.
2. For each P 2 P and each x, y 2 EðP Þ
x <P y() x <mP y:
3. For each x, y 2 E
x <R y() x <mC y:
Proof.We initializeMm to beM and add new messages and
modify the process ordering as follows:
Recall that the refinement order is defined by adding
x <R !e whenever x <C ?e.
For each such pair where x 2 P1 and !e 2 P2, we
define a new message mxe , where we add !m
x
e to E
mðP1Þ
and ?mxe to E
mðP2Þ.
The set Em consists of E together with all such new
events.
For each such pair, add x <mP1 !m
x
e and ?m
x
e <
m
P2
!e.
The causal order for Mm restricted to E is exactly <R
and the process orders forMm restricted to E are exactly
the same as for M, as required. tu
Fig. 13 shows one way in which the refinement order for
Fig. 2 can be embedded in a partial order scenario. This
scenario is given by the construction outlined in the proof of
Lemma 7.
The refinement order itself is the unique minimal race
free refinement of a causal order, as proved below in
Theorem 3. However, the choice of embedding for the
refinement order is not unique. The UML and MSC
standards contain other constructs that could be used to
embed the refinement ordering in a scenario. In this paper,
we do not further address the problem of choosing how to
embed a refinement order within a scenario. Such a choice
is best left to system designers who will want to use
constructs suited to their particular circumstances.
Lemma 8.
ð<CÞ  ð<RÞ:
Proof. To prove this, suppose x <C y. The proof is split into
two cases depending on whether y is a send or receive
776 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
Fig. 12. Inherent refinement ordering of Fig. 2 as MSC.
event. If y ¼ !e for some e, then y <C ?e. Hence, from the
definition, x <C ?e, and, hence, x <R !e. That is, x <R y.
When y ¼ ?e, then x <R !e. Also, !e <R ?e, hence, by
transitive closure, x <R ?e ¼ y. This completes the proof
of the lemma. tu
Lemma 9. For any race free transitive partial order < that
preserves messages and where ð<CÞ  ð<Þ, then
ð<CÞ  ð<RÞ  ð<Þ:
Proof. To prove this, first consider an event x and message e
where x 6¼ ?e and x <C ?e. Therefore, x <R !e. Since
ð<CÞ  ð<Þ, we have x < ?e. Since < is race free, we have
x < !e. Hence, if x <R !e, then x < !e. Since < preserves
messages, it trivially follows that !e <R ?e implies
!e < ?e. Hence, as < is transitive, we have proven that
ð<RÞ  ð<Þ. tu
Given the lemmas already proven in Section 7, we have
thus proven the following theorem, which is the dual to
Theorem 2.
Theorem 3. Let PRðMÞ ¼ P ðminE<R;<RÞ, then
. ð<CÞ  ð<RÞ and P ðMÞ t PRðMÞ:
. For any race free partial order< that preserves message
ordering, let P< ¼ P ðminðE;<Þ; <Þ. Then, P ðMÞ t
P< iff ð<CÞ  ð<RÞ  ð<Þ and PRðMÞ t P<:
Hence, <R is the canonical refinement of the causal
order that corrects all race conditions in the specification.
9 INLINE ITERATION
In this section, we extend the notion of partial order
scenarios with weak compositional iteration. Iterative
scenarios cannot be characterized by a single partial order
scenario and instead define a set of partial order scenarios.
This set can be infinite if the iteration is unbounded. The
semantics defined here is the same as the MSC/UML
semantics for iterative scenarios.
First, we define inline composition of partial order
scenarios. Let E1 and E2 be disjoint sets of events and let
l : E1 [E2 ! L be the labeling function. LetM1 be a partial
order scenario defined over E1 consisting of processes P1
and M2 be a partial order scenario over E2 consisting of
processes P2. Note that there is no particular relationship
between P1 and P2, i.e., they do not have to be identical and
may even be distinct. Although the event sets are distinct
the events can have the same labels. Let <iP denote the local
order for process P in scenario Mi.
Definition 14. For partial orders <1 on S1  E1 and <2 on
S2  E2, define the ordering ð<1;<2Þ to be the transitive
closure of:
. For a; b 2 Si, að<1;<2Þb iff a <i b:
. For all a 2 S1 and b 2 S2, að<1;<2Þb:
Definition 15. The inline composition M ¼M1; M2 is defined
to be the partial order scenario consisting of events E1 [E2
and processes P1 [ P2.
The local order <P for M splits into the following cases:
. For P 2 P1  P2, ð<P Þ ¼ ð<1P Þ.
. For P 2 P2  P1, ð<P Þ ¼ ð<2P Þ.
. For P 2 P1 \ P2, ð<P Þ ¼ ð<1P ;<2P Þ.
We write M;M to denote the inline composition of
two copies of M where we have renamed all the events in
the second copy to be distinct from the first copy, while
preserving the local orderings and labels. The expressionMn
is defined to be n copies ofM composed inline:M;M; . . . ;M.
It is important to realize that the causal order forM1; M2,
in general, is not ð<C1 ;<C2Þ. The inline composition of
two partial order scenarios represents the graphical intui-
tion of concatenating two scenarios by visually attaching
one after the other, as can be seen by examining the MSC
example shown in Fig. 14.
Iteration will be specified in terms of sets of partial order
scenarios. Hence, we need to extend the definition of
composition to cater for this.
Definition 16. An extended scenario S is defined to be a finite set
of partial order scenarios. Define the traces of S to be the union
of the traces for the partial order scenarios contained in S .
Definition 17. Let S 1 and S 2 be extended scenarios. Define
S 1; S 2 to be
fðM1; M2Þ jM1 2 S 1; M2 2 S 2g:
We can now define inline iteration for extended
scenarios as follows:
Definition 18. The nth iteration for extended scenario S is
defined to be the set
S n ¼ fMi1 ; . . . ;Min jMij 2 Sg:
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 777
Fig. 13. Refinement ordering embedded in partial order scenario. Fig. 14. M1, M2, and ðM1;M2Þ.
Define the inline iterative loop construct loophm;niðS Þ to be
the union
[i¼n
i¼m
S i:
looph0;1iS denotes the union of all finite iterations of S .
Note that this is an infinite set of partial order scenarios
and so not an extended scenario.
For a partial order scenario M, we will adopt the
convention of writing loophm;niðMÞ as short hand for
loophm;niðfMgÞ. When m and n are finite, loophm;niðMÞ is
also finite.When resolving races for loophm;niðMÞ, we could
simply resolve the races in each separate iteration Mk. The
resultmay no longer be a simple iteration, depending on how
the races are resolved.However, the result is still an extended
scenario. Therefore, from a theoretical perspective, resolving
races in bounded loops does not pose a serious problem since
it can be reduced to resolving races in a finite set of partial
order scenarios. An unbounded loop looph0;1iðMÞ denotes
an iteration that can occur any finite number of times, but
where it is not known in advance how many times. For
example, unbounded loops can be used to represent “do
until” iterations. This type of iteration could occur for
example where a base station is attempting to reestablish a
dropped connection and is repeatedly sending a connect
request. It will continue to send the request until it gets an
acknowledgement. The question that remains for the rest of
the section is how to resolve races in unbounded loops.
Fig. 15 gives the graphical depiction for looph0;1iðMÞ
whenM contains only a single message x between processA
and B. In this example, note that M2 will contain a race. As
we now have distinct messages that can have the same label,
we are no longer free to identify a message with its label as
we did in earlier examples. In this example, let there be
events ?e1 and ?e2 with lðe1Þ ¼ lðe2Þ ¼ x. Then, ?e1 <C ?e2,
but :ð?e1 <C !e2Þ, which defines a race. ForMn, there will be
n consecutive copies of the message x from A to B, resulting
in nðn 1Þ=2 race conditions. This example illustrates that
even when a basic scenario is race free the iteration of the
scenario may well not be.
Definition 19. An iterative scenario is defined recursively as
. any partial order scenario, or
. any scenario of the form S 1; looph1;1iðS 2Þ; S 3,
where S 1, S 2 and S 3 are iterative scenarios.
For brevity,wewillwriteS1 as shorthand for looph1;1iðS Þ
from now on.
Notice that, since S 1, S 2, or S 3 could be the empty set in
this definition, we are free to combine extended scenarios
by adding infinite loops whenever we wish. This definition
restricts those infinite sets of partial order scenarios we
wish to consider so that they must be the result of the loop
construct. Note that we constrain unbounded loops so that
they iterate at least once. This is done to avoid unnecessary
detail in the proofs and can be done without loss of
generality.
Lemma 10. There is no generalization of the iterative scenario in
Fig. 15 that is race free.
Proof. In this case, it is only possible to generalize the
iteration by generalizing the body of the loop. Clearly,
the loop body can not be any further generalized. The
only partial order weaker than !x < ?x is the unordered
set f!x; ?xg. This, however, is not a partial order scenario.
Such scenarios must preserve message ordering; hence,
there is no generalization possible for the iteration. tu
This lemma proves that the idea of weakening an
iterative scenario to remove races is not possible in general.
The problem stems from the fact that iteration semantics are
defined via weak composition of the iterations of the loop
body. Therefore, the events for a process P in iteration n
are, by definition, always ordered before the events of P in
iteration nþ 1. However, to resolve races between events
from different iterations by generalization requires some
way to specify a weakening of the local process orders
across these different iterations. In order to proceed further,
we need to characterize race conditions in iterative
scenarios in a manner that can be easily checked.
Definition 20. Let M be a partial order scenario over events E
and causal order <C .
For x 2 E, let x ¼ fxg [ fy 2 E j x <C yg and let
x ¼ fxg [ fy 2 E j y <C xg. For an event x, let P ðxÞ be the
process P , where x 2 EðP Þ. For a set of events S  E, let
P ðSÞ be fP ðxÞ j x 2 Sg.
Define M to be convergent if whenever there are events e
and ?x, where P ð?xÞ 2 P ðeÞ, then
P ð!xÞ \ P ðeÞ 6¼ ;:
Notice that the definition of convergence is constructive.
Hence, it is straightforward to check if a scenario is
convergent or not. The notion of convergence has simila-
rities with the notion of boundedness defined in [1], [3],
[21]. For a partial order scenario M, define a graph G that
has nodes given by the processes in M. Define an edge
between nodes P and Q exactly when there is a message
from P to Q.M is bounded if G is strongly path connected.
That is, there are paths between any two nodes in both
directions. In [1], property checking for an arbitrary
iterative message sequence chart (MSC) is proved to be
undecidable. They prove that when the body of every
iterative loop in an MSC is bounded then property checking
becomes decidable.
Although the convergent and bounded definitions have
similarities, they define distinct sets of partial order
scenarios. Fig. 16 shows a partial order scenario that is not
convergent, but is bounded. It is not convergent since we
have P ð!bÞ \ P ð!dÞ ¼ ; but P ð?bÞ 2 P ð!dÞ. Fig. 17 shows a
partial order scenario that is convergent, but is not
bounded.
778 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
Fig. 15. Unbounded iterative loop.
Theorem 4. LetM be a race free partial order scenario. Then, M
is convergent if and only if M1 is race free.
Proof. First, we prove that, if M is convergent, then M1 is
race free. Fora contradiction, suppose thatM is convergent
and there is a race inM1. For an event e 2 E, wewill write
en to denote the occurrence of e in the nth iteration of the
loop. We use the notation
en <1C h
nþm
to denote that event e in the nth iteration is less than h in
the ðnþmÞth iteration according to the causal order for
Mnþm.
If M1 has a race (since M is race free), there must be
events e and ?x such that en <1C ð?xnþmÞ and :ðen <1C
ð!xnþmÞÞ for some m > 0.
Consider any events u and v, where :ðu <C vÞ and
un <1C v
nþ1. Then, there must be events u1 and v1 where
u <C u1, v1 <C v, and P ðu1Þ ¼ P ðv1Þ. This is exactly the
condition that P ðuÞ \ P ðvÞ 6¼ ;.
Since en <1C ð?xnþmÞ, there must be some g 2 E where
en <1C g
nþm1 <1C ð?xnþmÞ:
Consider if gnþm1 <1C ð!xnþmÞ. Then, trivially, there is
no race between e and ?x, which is a contradiction.
Therefore, :ðgnþm1 <1C ð!xnþmÞÞ. That is, gnþm1 and
!xnþm are in a race. In which case, we must also have
that g1 and !x2 are in a race. This last deduction is not
vital for the proof, but it makes the notation much less
cumbersome as we proceed.
Let ?x belong to process P . Consider if P 62 P ðgÞ.
Then, there must be a process Q and events h1,
h2 2 EðQÞ, where g <C h1 and h2 <C ?x. Since there is a
race between g1 and !x2, we have that h2 6<C !x. Therefore,
we have constructed a race between h2 and ?x. This is a
contradiction as M is race free. Therefore, P 2 P ðgÞ.
Since M is convergent, this implies P ð!xÞ \ P ðgÞ 6¼ ;.
From our earlier observation, this can only be true when
g1 <1C ð!x2Þ. This contradicts that there is a race between
g and ?x, which in turn contradicts that there is a race
between e and ?x. Hence, we have proved that, if M is
convergent, then M1 is race free.
To prove the converse, we prove that if M is not
convergent, then there is a race in M1. Suppose that
we have events e and ?x where P ð?xÞ 2 P ðeÞ but
P ð!xÞ \ P ðeÞ ¼ ;.
Since P ð?xÞ 2 P ðeÞ, we have that e1 <1C ð?x2Þ. As we
observed earlier in the proof, un <1C v
nþ1 if and only if
P ðuÞ \ P ðvÞ 6¼ ;. Therefore P ð!xÞ \ P ðeÞ ¼ ; can only be
true if e1 6<C ð!x2Þ. Hence, we have a race between e and
?x in M1. This concludes the proof. tu
This result gives us a precise characterization of when a
loop will generate a race purely in terms of the causal
ordering for the body of the loop. Theorem 4 will enable us
to resolve races that occur as a result of iteration solely by
modifying the body of the loop. This can usually be done by
adding suitable messages to the loop body to ensure the
result is convergent, as we shall demonstrate in the
remainder of the section. First, we extend the notion of
convergence.
Definition 21. LetM andN be partial order scenarios. We define
M to be convergent with respect toN when, for every e 2 EðMÞ
and ?x 2 EðNÞ, if P ð?xÞ 2 P ðeÞ, then P ð!xÞ \ P ðeÞ 6¼ ;.
This version of convergence precisely captures when the
composition of two race free partial order scenariosM;N is
also race free. WhenM is not convergent with respect to N ,
thenusually it is possible to embedM in someM 0 so thatM 0 is
then convergent with respect to N and soM 0;N is race free.
Lemma 11. When M and N are race free partial order scenarios,
then M;N is race free if and only if M is convergent with
respect to N .
The proof of this lemma is immediate from the definition
of the causal order for M;N .
Definition 22. Let M be a partial order scenario with events E
and causal order <C . We define f!mi 2 E j 1  i  ng to be a
virtual lower cycle when:
. !mi 2 minðE<CÞ for 1  i  n,
. ?mi 2 minEðP ð?miÞÞ<C for 1  i  n,
. P ð?miÞ ¼ P ð!miþ1Þ for 1  i  n 1, and
. P ð?mnÞ ¼ P ð!m1Þ.
We define f!mi 2 E j 1  i  ng to be a virtual upper cycle
when:
. !mi 2 maxðE<CÞ for 1  i  n,
. ?mi 2 maxEðP ð?miÞÞ<C for 1  i  n,
. P ð?miÞ ¼ P ð!miþ1Þ for 1  i  n 1, and
. P ð?mnÞ ¼ P ð!m1Þ.
Scenario M contains no virtual cycles when it contains no
upper or lower virtual cycles.
Fig. 19 shows an example of a partial order scenario that
contains a lower and upper virtual cycle, both given by !a,
!b, and !c. Let U be the scenario in Fig. 19. The virtual cycle
means there is no race free partial order scenario that we
can embed U into. To make progress we will need to avoid
such scenarios.
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 779
Fig. 16. Bounded and not convergent scenario.
Fig. 17. Convergent and not bounded scenario.
Lemma 12. LetM andN be race free partial order scenarios. IfN
contains no virtual lower cycles, then we can embed M in a
race free scenario M # N which is convergent with respect to
N . Hence,
ðM # NÞ;N
is race free.
If M contains no virtual upper cycles, then we can embed
N in a race free scenario M " N so that M is convergent with
respect to M " N . Hence,
M; ðM " NÞ
is race free.
Proof.We will proveM # N exists by construction. Let <M
be the causal order forM and <N be the causal order for
N . Let EM be the events for M and EN be the events for
N . Define a pair ?x 2 EN and e 2 EM to be divergent
when P ð?xÞ 2 P ðeÞ but P ð!xÞ \ P ðeÞ ¼ ;.
We initialize M # N to be M and add messages as
follows: Let ?x 2 EN and e 2 EM be a divergent pair. Let
u 2 maxEM<M , where e <M u. Let P ð!xÞ ¼ P and
P ðuÞ ¼ Q. Add a new message w to M # N , where !w 2
EðQÞ and ?w 2 EðP Þ. It may be necessary to add P to
PM if this is not already present. Modify the process
ordering in M # N for P so that u <P !w.
By adding ?w to P , we have forced e < !x, where < is
the causal order for ðM # NÞ;N . However, we may have
now introduced a race since it is possible that there is
some ?x1 2 minP<N . If this is so, we must introduce
another message w1 to M # N . Add !w1 to P and add
?w < !w1. Also, add ?w1 to process P ð!x1Þ. This removes
the race between ?x1 and ?w. However, there may be
?x2 2 minEðP ð!x1ÞÞ<N . In which case, we have intro-
duced a race between ?w1 and ?x2. We continue to add
extra messages wi until all such races are removed. Since
N has no virtual lower cycles, there will be some value k
such that, after the addition of wk, we do not introduce
further races. Notice that all the new messages wi are
added to the end ofM, so that a <M b if and only if a < b
for every a, b 2 EM .
For each divergent pair, add new messages to M # N
as described. The final scenario is by construction
convergent with respect to N . Also by construction, M
has been embedded in M # N .
The construction forM " N is dual to the construction
of M # N . Initialize M " N to N . Let ?x and e be a
divergent pair. Let u 2 minEN<N where u <N !x. Add a
new message wwhere !w is added to process P ðeÞ and ?w
is added to process P ð!xÞ ¼ P . Change the process order
in M " N so that ?w <P !x. As before, we may have
added a race condition in introducing this new message.
Just as before, we repeatedly add new messages wi until
no new races are introduced. SinceM contains no virtual
upper cycles, this process is guaranteed to terminate. By
adding new messages in this way for each divergent
pair, we construct M " N as required. tu
Lemma 12 gives us the construction we need to resolve
all races within an iterative scenario, provided it has no
virtual cycles.
Theorem 25. Let S be an iterative scenario composed of race free
partial order scenarios that contain no virtual cycles. Then we
can resolve all race conditions in S by embedding each
composite partial order scenario within a convergent scenario.
Proof. The proof is by recursion. Suppose we cannot write S
in the form M1; S
0;M2 for some partial order scenarios
M1,M2 and iterative scenario S
0. In that case, S can only
be of the formM1 orM for some partial orderM. When
S is a partial order scenario, then we can replace it by an
embedding of the refinement causal order. Consider the
case S ¼M1. By the hypothesis, M contains no virtual
cycles. Therefore,M #M is convergent with respect toM.
That is,M #M is convergent in the sense of Definition 20.
Hence, ðM #MÞ1 is race free by Theorem 4. That
completes the proof for the base case.
Consider the casewhere S is of the form S 1; S
1
2 ; S 3 and
each S i is race free. Write S 1 ¼ S 01;M1 and S 3 ¼M3; S 03.
Suppose S 2 ¼ N1; S 02;N2. Then,
S 01; ðM1 # ðN1 " N2ÞÞ;
ððN1 " N2Þ; S 02;N2Þ1;
ðN2 "M3Þ; S 03
is a race free resolution for S . If S 2 ¼M1, then we can
assume M is convergent without loss of generality. In
this case,
S 01; ðM1 #MÞ;M1; ðM "M3Þ; S 03
is race free. This completes the proof. tu
Notice that we do not claim this resolution is canonical.
This is still an active area of research and it is not yet clear
what will be the optimal resolution for races that are caused
by iteration of partial order scenarios. Fig. 18 illustrates one
example of a convergent embedding for Fig. 16.
780 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
Fig. 18. Convergent embedding of Fig. 16.
Fig. 19. Virtual cycle.
10 INDUSTRIAL CASE STUDY EXAMPLES
In collaboration with Motorola Research Labs, we have
been conducting a number of case studies [5], [23] into
automating pathology detection in MSC telecommunication
specifications. The two examples examined in this section
come from a proprietary study involving roughly one
hundred UML 2.0 sequence diagrams. These formed part of
the specification for a High Speed Downlink Packet Access
(HSPDA) protocol stack.
There were approximately fifteen diagrams containing
multiple race conditions found in the study. Of these, five
contained multiple race conditions caused by iterative
loops. The two examples included in this section contained
the most complex race conditions from the study. As a
result of the positive feedback from the case studies,
Motorola is planning to incorporate the research presented
here into a prototype tool suitable for larger scale evalua-
tions with engineering groups and to conduct further
research into extending the results to more general UML
sequence diagrams.
Fig. 20 is an anonymized example from the Motorola
case study, which contains multiple race conditions. The
original diagram is a UML 2.0 sequence diagram that
describes traffic channel allocation and activation between
various processes for the HSPDA protocol. Process A has
delegated the task of determining what resource to allocate
to process B. The inline reference in the MSC is a linear
ordering of some events not shown here. These events can
be ignored for the purposes of the example because they are
linearly ordered.
In total, we have the following six race conditions in
Fig. 20. Event ?a1 is in a race with !b and also with !c.
Event ?c2 is in a race with !a and also with !b. Also, event ?b2
is in a race with !a and also with !c. It may be that the
authors implicitly assumed the downlink latency from B is
much shorter than the uplink latency for the other
processes. If this were true, it may be possible in practice
for the specification to be realizable. However, it is far safer
to rewrite the specification without these race conditions.
One way to remove these races would be to regroup the
messages within a single parallel construct. Messages a and
a1 could be grouped within the same thread of a parallel
construct. Similarly b, b1, b2, and the inline reference could
be grouped in a second thread. Finally c, c1, and c2 could be
grouped in the third thread. Fig. 21 depicts this solution. It
seems reasonable to suppose this will not contradict what
the authors originally intended.
Fig. 21 is exactly the inherent causal scenario of Fig. 20. In
this case, the inherent causal order for Fig. 20 would seem to
represent the specification intended by the authors, rather
than the causal order of Fig. 20 itself.
Fig. 22 describes a second anonymized example from a
case study where several race conditions were contained in
a single scenario. This example can be viewed as multiple
interacting threads that represent different features within
one scenario.
Altogether, there are seven races in the scenario. Receive
event ?f is in a race with each of ?a, !b, !c, and !d. The
remaining three races occur between each of ?b, ?i, and ?j.
This example illustrates the value of resolving all the race
conditions in a single global solution. For example,message f
is independent of d (in that it can be sent at any time after ?e,
and e is one of the initial messages in the scenario). Resolving
this race by itself would not resolve the races between ?f and
?a, !b, and !c. Rather, it would complicate the process of
identifying a solution to the other races. The inherent causal
order for this scenario separates a, b, c, and d into one
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 781
Fig. 20. UML 2.0 case study example with multiple race conditions.
concurrent thread and messages e and f into a different
thread. Adding this concurrent region resolves all four races
simultaneously. One graphical depiction for the inherent
causal scenario of Fig. 22 is given in Fig. 23. We have again
used lost and found events as a graphical convenience to
simplify the diagram.
Finally, we provide an embedding of the refinement
order for Fig. 22 into a partial order scenario. This
characterizes the minimal strengthening of Fig. 22 that can
be achieved by adding new messages in order to impose the
refinement ordering. In this depiction, we have resolved the
race conditions by introducing three new messages. These
are x from process B to C, y from processD to B, and z from
D to G. The embedding is given in Fig. 24. Message x has
resolved the races between ?f and ?a, !b, !c, and !d.
Message x ensures that process C is informed when B has
sent messages !b, !c, and !d and that it is now safe to send f .
We include a coregion around ?x and ?e in order to avoid
introducing new race conditions into the scenario.
Messages y and z resolve the races between ?b, ?i, and ?j.
Message y ensures that b has been received before message i
is sent and z ensures that i is received before j is sent. Note
that we have to place y in a concurrent thread separate from
c, d, e, f , and x or else we would be introducing several new
race conditions into the scenario. Similarly, we include a
coregion around ?z and ?h for the same reason.
The inherent causal ordering and the refinement order-
ing provide the practitioner with useful insight into the
semantically consistent behavior that can be extrapolated
from the scenario. However, the practitioner may decide to
combine the two orderings in some bespoke way to
construct a solution that fits their own circumstances.
In this example, it is possible that a combination of Fig. 23
and Fig. 24 give the appropriate solution to the race
conditions in the original scenario. In the original scenario,
it could be that e and f are meant to be in a separate thread
to a, b, c, and d. However, the races between b, i, and j could
be the omission of coordinating messages which should
have been included. Deciding which parts of the inherent
causal and refinement orderings the author intended to
782 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
Fig. 21. Inherent Causal Scenario for Fig. 20 as MSC.
Fig. 22. Second industrial case study example.
combine is not something that can be automated. Providing
the practitioner with both solutions allows them to under-
stand with greater clarity what semantically consistent
behavior is captured by the specification.
11 CONCLUSION
The paper has proven that there is a canonical solution for
correcting all race conditions within a partial order scenario
by weakening the causal relationship. The inherent causal
ordering that defines the solution can also be presented in
MSC or UML format by use of coregion, parallel, and
general ordering constructs.
The paper has also proven the dual result, that there is a
canonical refinement of the specifications that corrects all
race conditions. This is the inherent refinement ordering.
Unlike the inherent causal order, the inherent refinement
ordering cannot be represented by a partial order scenario.
However, we can embed it within a partial order scenario,
although the embedding is not unique. Together, these
inherent orderings provide a useful insight into the
semantically consistent specifications that are possible for
a distributed system. The construction of the inherent
refinement ordering is based on the premise that additional
messages are required to coordinate concurrent threads.
Whereas the inherent causal ordering construction is based
on the premise that concurrent threads have been synchro-
nized at a given point when this should not occur.
Both the inherent causal and inherent refinement order-
ings can be automatically generated within a scenario
authoring tool, particularly one that supports UML 2.0
MITCHELL: RESOLVING RACE CONDITIONS IN ASYNCHRONOUS PARTIAL ORDER SCENARIOS 783
Fig. 23. Inherent Causal Scenario for Fig. 22 as MSC.
Fig. 24. Embedding of refinement order for Fig. 22 as MSC.
sequence diagrams. The graphical depiction of a partial order
scenario is not unique and, so, there is great choice in
deciding how to automate the construction of the inherent
causal scenario. The paper has used illustrations, which can
be automatically generated, that emphasize the concurrency
within the inherent scenarios by maximizing the use of
coregions and parallel constructs. It is also possible to
automate the construction for the embedding of the refine-
ment order into some partial order scenario. It is not yet clear
if there is a canonical way to achieve this. Note that this is a
different problem than representing the refinement order as a
UML/MSC sequence diagram. In that case, the representa-
tion is straightforward to automate since we are free to use
general order constructs across processes as necessary.
Inherent and refinement orderings are likely to be of
most use in complex scenarios that contain several race
conditions that have a common cause, such as the examples
in Section 10. Practitioners are not intended to view the
inherent and refinement orderings as prescriptive. The
intention is that, by providing these solutions to the
practitioner, they will be able to appreciate what semanti-
cally consistent behavior can be extrapolated from their
specifications. In the case study, the most useful aspect of
the inherent and refinement orderings from the practi-
tioners perspective was that they clearly illustrated what
was possible in an asynchronous distributed environment
and helped to identify where constraints would be needed
to realize their intended design. Generating error traces that
identify individual race conditions would not have pro-
vided this overview because of the complex interrelation-
ships between the race conditions.
REFERENCES
[1] R. Alur and M. Yannakakis, “Model checking of Message
Sequence Charts,” Proc. 10th Int’l Conf. Concurrency Theory, 1999.
[2] R. Alur, K. Etessami, and M. Yannakakis, “Inference of Message
Sequence Charts,” Proc. 22nd Int’l Conf. Software Eng., pp. 304-313,
2000.
[3] R. Alur, K. Etessami, and M. Yannakakis, “Realizability and
Verification of MSC Graphs,” Proc. 28th Int’l Colloquium Automata,
Languages, and Programming, pp. 797-808, 2001.
[4] H. Ben-Abdhallah and S. Leue, “Syntactic Detection of Process
Divergence and Non-Local Choice in Message Sequence Charts,”
Proc. Third Int’l Conf. Tools and Algorithms for the Construction and
Analysis of Systems, pp. 259-274, 1997.
[5] P. Baker, P. Bristow, C. Jervis, D. King, and B. Mitchell,
“Automatic Generation of Conformance Tests from Message
Sequence Charts,” Proc. Third SAM Workshop 2002, The Broader
Applicability of MSC and SDL, pp. 170-198, 2002.
[6] M. Beyer, W. Dulz, and F. Zhen, “Automated TTCN-3 Test Case
Generation by Means of UML Sequence Diagrams and Markov
Chains,” Proc. 12th Asian Test Symp., 2003.
[7] Y. Bontemps and P.-Y. Schobbens, “Synthesis of Open Reactive
Systems from Scenario-Based Specifications,” Proc. Int’l Conf.
Application of Concurrency to System Design, 2003.
[8] Y. Bontemps and P. Heymens, “Turning High-Level Live
Sequence Charts into Automata,” Proc. Scenarios and State
Machines: Models Algorithms and Tools, 24th Int’l Conf. Software
Eng., May 2002.
[9] S. Chung, H.S. Kim, H.S. Bae, Y.R. Kwon, and B.S. Lee, “Testing of
Concurrent Programs Based on Message Sequence Charts,” Proc.
Int’l Symp. Software Eng. Parallel and Distributed Systems, pp. 72-82,
1999.
[10] T. Gehrke, M. Hilhn, and H. Wehrkeim, “An Algebraic Semantics
for Message Sequence Chart Documents,” Proc. FORTE/PSTV‘98,
pp. 3-18, 1998.
[11] T. Gilb, Principles of Software Engineering Management. Addison
Wesley Longman, 1988.
[12] G.J. Holzmann and D.A. Peled, “Message Sequence Chart
Analyzer,” United States Patent, 5,812,145, 1993.
[13] G.J. Holzmann, D.A. Peled, and M.H. Redberg, “An Analyzer for
Message Sequence Charts,” Software Concepts and Tools, vol. 17,
no. 2, 1996.
[14] E. Gunter, A. Muscholl, and D. Peled, “Compositional Message
Sequence Charts,” Proc. Int’l Conf. Tools and Algorithms for the
Construction and Analysis of Systems, 2001.
[15] D. Harel, “Werner Damm LSCs: Breathing Life into Message
Sequence Charts,” Formal Methods in System Design, vol. 19, pp. 45-
80, 2001.
[16] D. Harel and H. Kugler, “Synthesizing State-Based Object Systems
from LSC Specifications,” Proc. Fifth Int’l Conf. Implementation and
Application of Automata, 2000.
[17] C.A. R. Hoare, Communicating Sequential Processes. Prentice Hall,
1985.
[18] S. Leue, L. Mehrmann, and M. Rezai, “Synthesizing Software
Architecture Descriptions from Message Sequence Chart Specifi-
cations,” Proc. 13th IEEE Int’l Conf. Automated Software Eng., 1998.
[19] R. Lutz, “Targeting Safety-Related Errors During Software
Requirements Analysis,” Proc. First ACM SIGSOFT Symp. Founda-
tions of Software Eng., 1993.
[20] R. Lutz, “Analyzing Software Requirements Errors in Safety-
Critical, Embedded Systems,” Proc. IEEE Int’l Symp. Requirements
Eng., pp. 126-133, 1993.
[21] M. Lohrey, “Safe Realizability of High-Level Message Charts,”
Proc. 13th Int’l Conf. Concurrency Theory, 2002.
[22] R. Milner, Communication and Concurrency. Prentice Hall, 1989.
[23] B. Mitchell, R. Thomson, and C. Jervis, “Phase Automaton for
Requirements Scenarios,” Feature Interactions in Telecomm. and
Software Systems VII, pp. 77-84, 2003.
[24] M. Nelson, J. Clark, and M.A. Spurlock, Curing the Software
Requirements And Cost Estimating Blues, PM: Nov.-Dec. 1999.
[25] D. Peled, “Specification and Verification Using Message Sequence
Charts,” Proc. IFIP Int’l Conf. Formal Description Techniques for
Distributed Systems and Communication Protocols, 2000, and
Electronic Notes in Theoretical Computer Science, vol. 65, no. 7, 2002.
[26] E. Rudolph, I. Schieferdecker, and J. Grabowski, “Development of
a MSC/UML Test Format,” Formale Beschreibungstechniken fur
verteilte Systeme, pp. 153-164, Verlag Shaker, 2000.
[27] Telelogic, Tau Documentation, http://www.telelogic.com, 2005.
[28] S. Uchitel, J. Kramer, and J. Magee, “Incremental Elaboration of
Scenario-Based Specifications and Behavior Models Using Implied
Scenarios,” ACM Trans. Software Eng. and Methodology, vol. 13,
no. 1, pp. 37-85, 2004.
[29] J. Whittle, J. Saboo, and R. Kwan, “From Scenarios to Code: An Air
Traffic Control Case Study,” Proc. 25th Int’l Conf. Software Eng.,
2003.
[30] J. Whittle and J. Schumann, “Generating Statechart Designs from
Scenarios,” Proc. 22nd Int’l Conf. Software Eng., 2000.
[31] Z.120 (11/99)ITU-T Recommendation—Message Sequence Chart
(MSC), 1999.
[32] Object Management Group (OMG), Unified Modeling Language
(UML): Superstructure, Version 2.0, http://www.omg.org, 2003.
[33] E. Wong, J.R. Horgan, W. Zage, D. Zage, and M. Syring,
“Applying Design Metrics to a Large-Scale Software System,
(Motorola),” Proc. Ninth Int’l Symp. Software Eng. Reliability, Nov.
1998.
Bill Mitchell received the PhD degree from
Manchester University in 1987. He lectured
there in computer science until 1999. After four
years at Motorola Research Labs, he is now a
lecturer at the University of Surrey in the
Computing Department.
. For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.
784 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 31, NO. 9, SEPTEMBER 2005
