Realistic Implementation of Message Sequence Charts by Jard, Claude et al.
Realistic Implementation of Message Sequence Charts
Claude Jard, Rouwaida Abdallah, Lo¨ıc He´loue¨t
To cite this version:
Claude Jard, Rouwaida Abdallah, Lo¨ıc He´loue¨t. Realistic Implementation of Message Sequence
Charts. [Research Report] RR-7597, INRIA. 2011. <inria-00584530>
HAL Id: inria-00584530
https://hal.inria.fr/inria-00584530
Submitted on 8 Apr 2011
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
appor t  

de  r ech er ch e
IS
S
N
02
49
-6
39
9
IS
R
N
IN
R
IA
/R
R
--
75
97
--
FR
+E
N
G
Thème COM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Realistic Implementation
of Message Sequence Charts
Claude Jard — Rouwaida Abdallah — Loïc Hélouët
N° 7597
March 2011

Centre de recherche INRIA Rennes – Bretagne Atlantique
IRISA, Campus universitaire de Beaulieu, 35042 Rennes Cedex
Téléphone : +33 2 99 84 71 00 — Télécopie : +33 2 99 84 71 71
Realistic Implementation
of Message Sequence Charts
Claude Jard , Rouwaida Abdallah , Lo¨ıc He´loue¨t
The`me COM — Syste`mes communicants
E´quipes-Projets DistribCom
Rapport de recherche n° 7597 — March 2011 — 23 pages
Re´sume´ : Ce travail e´tudie le proble`me de la synthe`se de programmes a` partir
des spe´cifications de´crites par des High-level Message Sequence Charts. Nous
montrons d’abord que, dans le cas ge´ne´ral, la synthe`se par une simple projec-
tion sur chaque composante du syste`me permet plus de comportements dans
l’imple´mentation que dans la specification. Nous montrons ensuite que les com-
portements supple´mentaires viennent d’une perte d’ordre entre les messages au
moment de la projection, et que ces nouveaux comportements peuvent eˆtre e´vite´s
en ajoutant des controˆleurs de communication qui interceptent les messages et
qui y ajoutent des informations de controˆle avant de les envoyer au processus,
pre´servant ainsi l’ordre de´crit dans la spe´cification initiale.
Mots-cle´s : Message Sequence Charts, Communicating Finite State Machines,
ge´ne´ration de code, Promela, Sofat
Realistic Implementation
of Message Sequence Charts
Abstract: This work revisits the problem of program synthesis from specifi-
cations described by High-level Message Sequence Charts. We first show that
in the general case, synthesis by a simple projection on each component of the
system allows more behaviors in the implementation than in the specification.
We then show that differences arise from loss of ordering among messages, and
show that behaviors can be preserved by addition of communication controllers,
that intercept messages to add stamping information before resending them,
and deliver messages to processes in the order described by the specification.
Key-words: High-level Message Sequence Charts, Communicating Finite State
Machines , code generation, Promela, Sofat
Realistic Implementation of Message Sequence Charts 3
Table des matie`res
1 Introduction 4
2 Definitions 5
3 Local HMSCs 8
4 The synthesis Problem 10
5 Implementing HMSCs with message Controllers 12
5.1 Distributed architecture . . . . . . . . . . . . . . . . . . . . . . . 13
5.2 Tagging mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3 Proof of correctness . . . . . . . . . . . . . . . . . . . . . . . . . 16
6 A prototype implementation 18
7 Conclusion 22
RR n° 7597
4 Jard & Abdallah & He´loue¨t
1 Introduction
Message Sequence Charts (MSCs for short)) [13] is a formal language ba-
sed on composition of finite communication sequences. MSCs are made of two
layers of specification. At the lowest level, basic MSCs describe the behavior of
a finite set of processes that can communicate via asynchronous messages. At
the higher level, basic MSCs are composed using High-level MSCs (HMSCs for
short), a finite automaton labeled by basic MSCs. The language is then very
simple and needs only to learn few concepts to be able to model behaviors of dis-
tributed systems. It has met considerable interest, both from an academic and
industrial point of view. Indeed, this model has raised new theoretical problems
(verification, synthesis, ...) but also renewed the interest for existing problems
and solutions in other concurrency models such as traces [15]. From an indus-
trial point of view, MSCs or their UML variant (sequence diagrams) have also
been used to model requirements in distributed systems [4], and have proved
to be efficient modeling tools to discover errors at early stages of system de-
sign. HMSCs are very expressive. The usual verification techniques that usually
apply to finite state machines (model checking of temporal logic formulae, inter-
secting two specifications) are in general undecidable for HMSCs. Fortunately,
several syntactic classes of HMSCs with more decidable problems have been
characterized [3, 6, 9]. The restriction to these classes should however remain a
reasonable limitation of the expressive power of HMSCs that does not impact
the usability of the model. Restricting to bounded HMSCs [3], for instance, re-
duces the expressive power of HMSCs to that of finite automata, which is in
general too restrictive for the kind of asynchronous applications that are usually
modeled with scenarios. The other difficulty is that in general, HMSCs are not
implementable. It means that system designers can not synthesize a distributed
program from HMSCs, and hence can not reuse all the modeling and verifi-
cation work performed on HMSCs to guarantee correctness of the synthesized
implementation.
Again, designers can rely on syntactic subclasses of HMSCs that can be im-
plemented. However, proposed classes until now are not general enough. The
reconstructible HMSCs of [11] impose restrictions on the way loops and choices
are used, and the solution in [9] imposes conditions on the set of active pro-
cesses in a basic MSC. Other implementation techniques implement exactly the
language of a bounded HMSC, but with deadlocks [14], or avoid deadlocks but
need several initial states in the synthesized machines [5]. In our opinion, dead-
locks should not be allowed in an implementation of an HMSC : it amounts to
deciding at runtime that an ongoing execution is not valid, as it does not belong
to the specification. In this work, we consider that a realistic implementation
of HMSCs should not allow deadlocks, at least in distributed systems that do
not allow compensation and backtracking. We furthermore consider that a dis-
tributed system implements an HMSC if the prefix closure of the behaviors of
the original specification and of the synthesized machines are identical.
This paper proposes an implementation mechanism for local message se-
quence charts, that is HMSC specifications that do not require distributed
consensus to be implementable. The proposed technique is to project an HMSC
on each process participating to the specification. It is well known that this
solution produces programs with more behaviors than in the specification [11].
We then compose these projections with local controllers, that intercept mes-
INRIA
Realistic Implementation of Message Sequence Charts 5
sages between processes and tag them with sufficient information to avoid the
additional behaviors that appear in the sole projection. The main result of this
work is that the projection of the behavior of the controlled system on events
of the original processes is equivalent (up to a renaming) to the behavior of the
original HMSC.
This paper is organized as follows. Section 2 defines the formal models that
will be used in the next sections. Section 3 characterizes an interesting syntactic
class of HMSCs called local HMSCs. Section 4 defines the projection opera-
tion, that generates communicating finite state machines from an HMSC, and
shows that an HMSC and its projection are not equivalent in general. Section 5
proposes a solution based on local control and message tagging to implement
properly an HMSC. Finally, section 6 presents a small prototype before conclu-
sion.
2 Definitions
MSCs is a partial-order based standard formalism. It is a visual notation,
which clearly expresses interactions among concurrent processes. It consists es-
sentially of a finite set of processes (also called instances) denoted I, that run
in parallel and exchange messages in a one-to-one, asynchronous fashion. MSCs
and their variants are widely used to capture use cases and requirements during
the early design stages of distributed systems. They have been adopted within
several software engineering methodologies and tools for concurrent, reactive
and real-time systems. e.g. [1, 2, 8, 16].
A basic MSC is a diagram that defines a simple communication scenario
between instances. The life lines of instances are drawn vertically from top to
bottom and define sequences of events. An event can be a message sending or
reception, or a local action. Horizontal arrows represent asynchronous messages
from one instance to another. Examples of bMSCs are shown in Figure 1.
Definition 1 (bMSCs) A bMSC is a tuple M = (E,≤, C, φ, t,m) where :
– E is a finite set of events.
– φ : E −→ I localizes events on the different instances. E can be split into
a disjoint union unionmultip∈IEp, where Ep = {e ∈ E | φ(e) = p} is the set of
events occurring on instance p. E can also be considered as the disjoint
union SunionmultiRunionmultiL in order to distinguish send events (e ∈ S), receive events
(e ∈ R) or local actions (e ∈ L).
– C is a finite set of message contents and action names.
– t : E −→ Σ gives a type to each event, with
Σ = {p!q(a), p?q(a), a | p, q ∈ I, a ∈ C}. We have t(e) = p!q(a) if e ∈
Ep∩S is a send event of message a from p to q, t(e) = p?q(a) if e ∈ Ep∩R
is a receive event of message a by p from q and t(e) = a if e ∈ Ep ∩ L is
a local action, named a located on p.
– m : S −→ R is a bijection that matches send and receive events. If m(e) =
f , then t(e) = p!q(a) and t(f) = q?p(a) for some p, q ∈ I and a ∈ C.
– ≤ ⊆ E2 is a partial order relation (the “causal order”). It is required that
events of the same instance are totally ordered : ∀(e1, e2) ∈ E2 φ(e1) =
φ(e2) implies that (e1 ≤ e2) ∨ (e2 ≤ e1). For an instance p, let us call ≤p
RR n° 7597
6 Jard & Abdallah & He´loue¨t
this total order. ≤ must also reflect the causality induced by the message
exchanges, i.e. ≤= ( ⋃
p∈I
≤p ∪ m)∗
bMSC   M1
HMSC H1
bMSC   M2
MachineA MachineB MachineC MachineA MachineD MachineC
m1 m2 m3 m4
Figure 1 – An example of High-level Message Sequence Chart.
For a bMSC M , we will denote by
min(M) = {e ∈ E | ∀e′ ∈ E, e′ ≤ e ⇒ e′ = e}, the set of minimal events of
M , and by minp(M) the first event located on instance p ∈ I (if it exists). An
instance is called minimal if it carries a minimal event. Similarly, we will denote
by max(M) = {e ∈ E | ∀e′ ∈ E, e ≤ e′ ⇒ e′ = e} the set of maximal events of
M .
Standard notation of bMSCs also allows for the definition of a zone on an
instance axis called co-region. It describes the absence of ordering along an ins-
tance axis. MSCs also allow behaviors with message overtaking, i.e. in which
messages are not received in the order of their emission. Without loss of genera-
lity, we do not consider these aspects : co-regions can be simulated by adding a
finite number of alternatives in an HMSC containing the interleaving of events
within coregions, and message crossing can not occur within the targeted ar-
chitecture. We then suppose that all bMSCs are FIFO, that is for two sending
events e, e′ such that p = ϕ(e) = ϕ(e′), q = ϕ(m(e)) = ϕ(m(e′)) we always have
e ≤p e′ ⇐⇒ m(e) ≤q m(e′).
Definition 2 Let M = (E,≤, C, φ, t,m) be a bMSC. A prefix of M is a tuple
(E′,≤′, C ′, φ′, t′,m′) such that E′ is a subset of E closed by causal precedence
(i.e. e ∈ E′ and f ≤ e implies f ∈ E′) and ≤′, C ′, φ′, t′,m′ are restrictions
of ≤, C, φ, t,m to E′. A suffix of M is a tuple (E′,≤′, C ′, φ′, t′,m′) such that
E′ is closed by causal succession (i.e. e ∈ E′ and e ≤ f implies f ∈ E′)
and ≤′, C ′, φ′, t′,m′ are restrictions of ≤, C, φ, t,m to E′. A piece of M is the
restriction of M to a set of events E′ = E \X \ Y , such that the restriction of
M to X is a prefix of M and the restriction of M to Y is a suffix of M .
Note that prefixes, suffixes and pieces are not always bMSCs, as the message
mapping m is not necessarily a bijection from sending events to receiving events.
In the rest of the paper, we will denote by Pref(M) the set of all prefixes of a
bMSC M .
INRIA
Realistic Implementation of Message Sequence Charts 7
Definition 3 (Sequencing) The sequencing operator ◦ for two bMSCs M1 =
(E1,≤1, C1, φ1, t1,m1) and M2 = (E2,≤2, C2, φ2, t2,m2) consists in concate-
nation of the two bMSCs instance by instance. M1 ◦ M2 = (E,≤, C, φ, t,m),
where :
– E = ϕ1(E1)unionmultiϕ2(E2) where ϕ1 and ϕ2 are two isomorphisms with disjoint
images.
– ∀e, e′ ∈ E, e ≤ e′ iff ϕ−11 (e) ≤1 ϕ−11 (e′) or ϕ−12 (e) ≤2 ϕ−12 (e′) or ∃(e1, e2) ∈
E1 × E2 : φ1(e1) = φ2(e2) ∧ ϕ−11 (e) ≤1 e1 ∧ e2 ≤2 ϕ−12 (e′)
– ∀e ∈ E, φ(e) = φ1(ϕ−11 (e)) if e ∈ ϕ1(E1) or φ(e) = φ2(ϕ−12 (e)) if e ∈
ϕ2(E2) and m(e) = m1(ϕ
−1
1 (e)) if e ∈ ϕ1(E1) or m(e) = m2(ϕ−12 (e)) if
e ∈ ϕ2(E2).
An example of concatenation is shown in Figure 2. In the next sections, we
will also need to concatenate prefixes and pieces of bMSCs. Prefix and piece
concatenation is defined alike bMSC concatenation with an additional phase
that rebuilds the message mappings. Let O1 be a prefix of a bMSC, and O2 be
a piece of MSC. Then, the concatenation of O1 and O2 is denoted by O1 ◦O2 =
(E,≤, C, φ, t,m), where E,≤, C, φ, and t are defined as in definition 3 and m is
a function that associates the nth sending event from p to q to the nth reception
from p on q for every pair of processes p, q ∈ I. Note that this sequencing is
not defined if for some p, q, n, the types of the nth sending and reception do
not match, that is one event is of the form p!q(m) and the other one q?p(n)
with n 6= m. In particular, we will denote by O ◦ {a} the prefix obtained by
concatenation of a single event a to a prefix O.
Machine A Machine B Machine C Machine D
m1
m2
m3
m4
Figure 2 – The bMSC obtained by concatenation of M1 and M2 in Fig. 1.
HMSC diagrams are automata that compose basic MSCs or other HMSCs.
The whole language contains iteration, choice, and parallel composition. In this
paper, we restrict to HMSCs without parallel frames, and suppose without loss
of generality that our HMSCs comprise only one hierarchical level, i.e. they are
automata labeled by bMSCs.
Definition 4 (HMSCs) A HMSC is a graph H = (I,N,→,M, n0), where
– I is a finite set of instances.
– N is a finite set of nodes and n0 ∈ N is the initial node of H.
– M is a finite set of bMSCs which participating instances belong to I, and
defined on disjoint sets of events.
– →⊆ N ×M×N is the transition relation.
Figure 1 shows a complete HMSC. In the rest of the paper, and without loss
of generality, we will consider that all nodes, except possibly the initial node and
RR n° 7597
8 Jard & Abdallah & He´loue¨t
the sink nodes are choice nodes, i.e. have several successors by the transition
relation (by finite concatenation of bMSCs, an HMSC can be always transformed
in such a canonical form). We also require HMSCs to be deterministic (this can
be ensured by the standard determinization procedure of finite automata).
Definition 5 (HMSC behavior) As usual, for an HMSC H, we define as
Paths(H) the set of paths of H starting from the initial node. We will say that
a path is acyclic if and only if it does not contain twice the same transition.
A path ρ ∈ Paths(H) defines a sequence of M∗ and thus the corresponding
bMSC formed by concatenation and denoted by Oρ. Let us denote by L(H) =⋃
ρ∈Paths(H) Pref(Oρ), the set of behaviors of the HMSC H.
Note that our definition of the language of an HMSC H includes all pre-
fixes of bMSCs generated by H. A correct implementation of an HMSC H is a
distributed system which reproduces exactly (and nothing more) L(H).
3 Local HMSCs
A bMSC can have several minimal instances, called deciding instances. The
set of deciding instances in a bMSC M is simply φ(Min(M)). They carry the
first events that happen in M . Obviously, these events cannot be message recep-
tions. So the deciding instances can choose to perform exactly the same scenario
at a choice node. The other non-deciding instances have to conform to the cho-
sen scenario. This raises a problem : if the outgoing transitions of a choice node
are labeled by bMSCs with distinct deciding instances, then, without synchro-
nization among them in the distributed implementation, one instance might
decide to perform one scenario M1, and another instance an incompatible sce-
nario M2. There are two solutions to avoid this bad situation : either impose
synchronization of all processes before each choice with more than one deciding
instance to elect the next scenario to perform, or restrict to HMSCs in which
a single instance decides at each choice (the so-called local-choice HMSCs [6]).
The first solution has the drawback that it adds synchronization and consensus
mechanisms to the implementation, and hence modifies the specification. We
will show later in the paper that working with local-choice HMSCs does not
always guarantee that the implementation is correct.
Definition 6 (Local choice node) Let H = (I,N,→,M, n0) be an HMSC,
and let c ∈ N . Choice c is local if and only if for every pair of (non necessarily
distinct) paths ρ = c
M1−→ n1 M2−→ n2 . . . nk and ρ′ = c M
′
1−→ n1 M
′
2−→ n′2 . . . n′k there
is a single minimal instance in Oρ and in Oρ′ (i.e. φ(Min(Oρ)) = φ(Min(O
′
ρ))
and |φ(Min(Oρ))| = 1). H is called a local-choice HMSC if all its choices are
local.
Intuitively, the local-choice property [6] guarantees that every choice is control-
led by a unique instance.
Theorem 1 (Deciding locality) Let H be an HMSC. H is not local iff there
exists a node c and a pair of acyclic paths ρ, ρ′ originating from c, such that
Oρ and Oρ′ have more than one minimal instance.
INRIA
Realistic Implementation of Message Sequence Charts 9
Proof : one direction is straightforward : if we can find a node c and two (acyclic)
paths with more than one deciding instance, then obviously, c is not a local
choice, and H is not local. Let us suppose now that for every node c, and for
every pair of acyclic paths of H originating from c, we have only one deciding
instance. Now, let us suppose that there exist a node c1 and two paths ρ1,
ρ′1 such that at least one (say ρ1) of them is not acyclic. Then ρ1 has a finite
acyclic prefix w1. The set of minimal instances in Ow1 and in Oρ1 is the same, as
φ(min(M ◦M)) = φ(min(M)). Hence, c, ρ1, ρ′1 are witnesses for the non-locality
of H iff c, w1, ρ
′
1 are also such witnesses. 
Theorem 2 (Complexity of local choice) Deciding if an HMSC is local-
choice is in co−NP .
Proof : the objective is to find a counter example, that is two paths originating
from the same node with distinct deciding instances. One can choose in linear
time in the size of H a node c and two finite acyclic paths ρ1, ρ2 of H starting
from c, that is sequences of MSCs of the form M1 . . .Mk. One can compute
a concatenation O = M1 ◦ · · · ◦ Mk in polynomial time in the total size of
the ordering relations. Note that to compute minimal events of a sequencing
of two bMSCs, one does not have to compute the whole causal ordering ≤,
and only has to ensure that maximal and minimal events on each instance in
two concatenated MSCs are ordered in the resulting concatenation. Hence it is
sufficient to recall a covering of the local ordering ≤p on each process p ∈ I
plus the message relation m. Then finding the minimal events (or equivalently
the minimal instances) of O can also be performed in polynomial time in the
number of events of O, as Min(M) = E \ {f | ∃e, e ≤p f ∨ f = m(e)}. 
From theorem 1, an algorithm that checks locality of HMSCs is straightfor-
ward. It consists in a width first traversal of acyclic paths starting from each
node of the HMSC. If at some time we find two paths with more than one mi-
nimal instance, then the choice from which these path starts is not local. Note
that minimal instances need not be computed for the whole MSC labeling each
path, and can be updated at the same time as paths. Indeed, if ρ = ρ1.ρ2 is a
path of H, then φ(Min(Mρ)) = φ(Min(Mρ1))∪ (φ(Min(Mρ2)) \ φ(Mρ1)). It is
then sufficient for each path to maintain the set of instances that appear along
this path, and the set of minimal instances, without memorizing exactly the
scenario played. As we consider only acyclic paths of the HMSC the following
algorithm terminates.
The following algorithm was proposed in [11]. It builds a set of acyclic paths
starting from each node of an HMSC. A non-local choice is detected if there is
more than one deciding instance for a node c. The algorithm remembers a set of
acyclic paths P , extends all of its members with new transitions when possible,
and places a path ρ in MAP as soon as the set of transitions used in ρ contains
a cycle.
RR n° 7597
10 Jard & Abdallah & He´loue¨t
Algorithm 1 LocalChoice(H)
for c node of H do
P = {(t, I, J) | t = (c,M, n) ∧ I = φ(min(M)) ∧ J = φ(M)}
MAP = ∅ /*Maximal acyclic Paths*/
while P 6= ∅ do
MAP = MAP ∪ {(w.t, I ′) | w = t1...tk ∧ tk = (nk−1,Mk, nk), t =
(nk,M, n) ∧ t ∈ w ∧ (w, I, J) ∈ P ∧ I ′ = I ∪ (φ(min(M))− J)}
P = {(w.t, I ′, J ′) | (w, I, J) ∈ P,w = n1...nk ∧ tk = (nk−1,Mk, nk), t =
(nk,M, n) ∧ t 6∈ w ∧ J ′ = J ∪ φ(M) ∧ I ′ = I ∪ (φ(min(M))− J)}
end while
DI =
⋃
(w,I)∈MAP
I /*Deciding Instances*/
if | DI | >1 then
H contains a non-local choice c
end if
end for
4 The synthesis Problem
In this section, we introduce our implementation model, namely Communica-
ting Finite State Machines (CFSM) [7]. A CFSM A is a network of finite state
machines that communicate over unbounded, non-lossy, error-free and FIFO
communication channels. We will write A = ‖
i∈I
Ai to denote that A is a network
of machines describing the behaviors of a set of machines {Ai}i∈I . A commu-
nication buffer B(i,j) is associated to each pair of instances (p, q) ∈ I2. Buffers
will implement messages exchanges defined in the original HMSC. Now that
HMSCs (a global specification) and communicating finite state machines (a set
of local reactive machines, without global control) are defined, we can describe
the synthesis problem as follows : given an HMSC H over a set of instances I,
build a set of communicating state machines A1, . . . A|I| which behaves exactly
as L(H).
An obvious solution is to project the original HMSC on each instance. Un-
fortunately, this solution does not work for all HMSCs. Consider for instance
a non local HMSC that contains a choice c, such that c
M1→ n1 and c M2−→ n2,
and M1 and M2 have two distinct deciding instances p and q. Then, the pro-
jection of H on its instances produces automata that can behave exactly as in
H up to choice c, and then p decides to execute scenario M1 while q decides
to execute scenario M2. Clearly, this execution was not defined in H. Hence,
the projection of an HMSC on its instances can define more behaviors than the
original specification, but can also deadlock. In the rest of the paper, we will
only consider local-choice HMSCs. However, we will show in this section that
this is not sufficient to ensure correctness. We will also consider that two MSC
labeling distinct transitions of a local HMSC start with distinct messages. This
assumption will be used to differentiate distinct choices at runtime. It is not
essential in our framework, as we may enforce instances to tag their messages
with the transition of the HMSC currently executed by the instance. However,
it greatly simplifies the notations and proofs.
INRIA
Realistic Implementation of Message Sequence Charts 11
The principle of projection is to copy the original HMSC on each instance,
and to remove all the events that do not belong to the considered instance. By
construction, we keep the structure of the HMSC automaton. Each transition
is a sequence (possibly empty) of events. This object can be considered as a
finite state automaton by adding intermediary states in sequences of events.
Empty transitions can be removed by the usual ε-closure procedure for finite
state automata.
Definition 7 (Projection) Let us consider an HMSC H = (I,N,→,M, n0).
The set of events of a bMSC M is denoted by EM , and the set of events of
M located on instance i by EMi. States can be coded by tuples Q = N ×
M × N × N, the first three components designating an HMSC transition and
the last one designating the rank of the event on the considered instance in
the bMSC labeling this transition. For an instance i ∈ I, we define the fi-
nite state automaton Ai, result of the projection of H onto the instance i by
Ai = (Q,→i, Ei ∪ {ε}, n0) with Ei =
⋃
M∈MEMi. The set EMi is totally
ordered. We denote its elements by e1, · · · , e|EMi|. With the convention that
(n,M, n′, 0) ≡ n and (n,M, n′, |EMi|) ≡ n′, →i is the smallest set such that
∀n, n′ ∈ N, ∀M ∈M, if EMi = ∅, (n, ε, n′) ∈→i, else
⋃
1≤k≤|EMi|((n,M, n
′, k−
1), ek, (n,M, n
′, k)) ∈→i.
Each run of this set of communicating machines defines a prefix, that can be
built incrementally starting from the empty prefix, and appending one executed
event after the other (i.e. it is built from a total ordering of all events occurring
on the same process, plus a pairing of messages sending and receptions). From
this definition, the language L(A) of a set of communicating machines is the set
of all prefixes associated to runs of A.
A!B(m1)
D!C(m4)
D?A(m3)
?C?D(m4)C?B(m2)
?
B?A(m1)
B!C(m2)
A!D(m3)
Figure 3 – The instance automata projected from the HMSC of Fig. 1.
Let us consider the projections of H in Figure 1 on all its instances given in
Figure 3. A correct behavior of H is shown in the left part of Figure 4, while
a possible but incorrect behavior of the distributed interaction of the projected
RR n° 7597
12 Jard & Abdallah & He´loue¨t
machines is shown in the right part. We can see that message m3 sent by machine
A to machine D can be delayed and received after message m4 from machine
D, hence mixing two different basic MSCs. Machine C does not have enough
information to decide to delay the reception of m4 according to the HMSC
semantics.
m4
A
B
C
D
m1
m2 m3
m4
m1
m2
m3
Figure 4 – A correct behavior of the HMSC of Fig. 1, and a possible distortion
due to the distributed interaction of the projected instances.
This example proves that in general, even for local HMSCs, the synthesis by
projection is not correct. It is however proved [11] that the set of behaviors of
the synthesized specification contains the set of behaviors of the original spe-
cification. The machines synthesized by projection allow more behaviors than
the original global specification because some global ordering among actions is
lost during projection. A subclass of local HMSCs called reconstructible HM-
SCs that avoids this problem has been proposed [11]. This reconstructibility
condition says that local ordering among events from two consecutive choices
originating from the same node can be deduced from the FIFO property and
from the ordering among minimal events in each chosen MSC. However, recons-
tructibility is easily lost when two instances communicate indirectly through
distinct sets of instances, as in the example of figure 1. Another solution pro-
posed by [9] restricts to a class of local HMSCs in which all processes take
part in every branch. Both approaches are restrictive, as they constrain the way
processes are used in each branch of an HMSC.
In the next section, we take a different approach, and show that adding
information to messages is sufficient to obtain a correct synthesis in the general
case of local HMSCs.
5 Implementing HMSCs with message Control-
lers
We propose a new implementation mechanism, that will allow for the imple-
mentation of any local HMSC H, without syntactic restriction. The architecture
is as follows : for each process, we compute an automaton, as shown in previous
section by projection of H on each of its instances. The projection is the same as
previously, with the slight difference that the synthesized automaton communi-
cates with his controller, and not directly with other processes. To differentiate,
we will denote by K(Ai) the ”controlled version” of Ai, keeping in mind that Ai
and K(Ai) are isomorphic machines. Then, we add to each automaton K(Ai)
a controller Ci, that will receive all communications from K(Ai), and tag them
INRIA
Realistic Implementation of Message Sequence Charts 13
with a stamp. Similarly, each controller will receive all tagged messages desti-
nated to K(Ai), and decide with respect to its tag whether a message must be
sent immediately to K(Ai) or delayed. Automata and their controller commu-
nicate via FIFO channels, which defines a total ordering on message receptions
or sendings. In this section, we first define the distributed architecture and the
tagging mechanism that will allow for preservation of the global specification.
We then define control automata and their composition with synthesized auto-
mata. We then show that for local HMSCs the controlled local system obtained
by projection behaves exactly as the global specification (up to some renaming
and projection that hides the controllers).
5.1 Distributed architecture
We consider the n = |I| automata {K(Ai)}1≤i≤n obtained by projection of
the original HMSC on the different instances. These automataK(Ai) are connec-
ted via a bidirectional FIFO channel (port P ) to their associated controller Ci
(port Pi). The controllers are themselves interconnected via a complete graph of
bidirectional FIFO channels (for all i 6= j, port Pj of controller Ci is connected
to the port Pi of controller Cj). This is illustrated in Figure 5. This architecture
is quite flexible : all the components run asynchronously and exchange mes-
sages, without any other assumption on the way they share resources, memory
or processors.
P
K(Ak)
K(Aj)
K(Ai)
Pi
P
Ci Pj
Pk Pi Cj
Pk
Pj P
Pi
Ck Pj
Pk
Figure 5 – The distributed controlled architecture.
5.2 Tagging mechanism
Definition 8 Let H be a local HMSC. We set an ordering C on all nodes of
H, and adopt a lexicographical ordering Cl on labels of Σ. A branch of H is a
transition (c,M, n) of H, such that c is a choice node. We will denote by BH
all branches of H. For a given choice node c, we will suppose that all branches
RR n° 7597
14 Jard & Abdallah & He´loue¨t
stemming from c are pairwise distinguishable from their minimal actions, that
is if (c,M, n) and (c,M ′, n′) are two branches, then t(min(M)) 6= t(min(M ′)).
The ordering on nodes extends to branches : we will say that b1 = (c1,M1, n1)
precedes b2 = (c2,M2, n2) and write
b1 C b2 iff

c1 C c2, or
c1 = c2 and n1 C n2, or
c1 = c2 and n1 = n2
and t(min(M1))Cl t(min(M2))
Definition 9 ( Choice clocks) A choice clock of an HMSC H is a vector of
NBH . Let ρ = n0
M1−→ n1 M2−→ n2 . . . Mk−→ nk be a path of H. The choice clocks
labeling of Oρ is a mapping τ : EOρ −→ NBH such that for every i ∈ 1..k, e ∈
Mi, τ(e)[b] is the number of occurrences of branch b in n0
M1−→ n1 M2−→ n2 . . . Mi−→
ni
The usual terminology and definitions on vectors apply to choice clocks. A
vector V2 is an immediate successor of a vector V1 of same size, denoted V1lV2,
if there is a single component b such that V1[b]+1 = V2[b], and V1[b
′] = V2[b′] for
all other entries b′. Vectors V1 and V2 are equal if V1[b] = V2[b] for every entry,
and V2 is greater than V1 iff V1[b] = V2[b] for some entries b, and V1[b] < V2[b]
for all others.
For a given path ρ = n0
M1−→ n1 M2−→ n2 . . . Mk−→ nk, we will call the choice
events of Oρ the minimal events in every Mi, i ∈ 1..k. It is rather straightforward
to see that when an HMSC H is local, then for every path ρ of H, the set of
choice events in Oρ is totally ordered. Note also that for a pair of events e, f
in Oρ, τ(e) = τ(f) if and only if e, f belong to the same MSC Mi. From these
facts, the following proposition is straightforward :
Proposition 1 Let H be a local HMSC, and ρ be a path of H. Let ≺ be the
usual ordering on integer vectors. Then (τ(EOρ),≺) is a totally ordered set.
This proposition is important : it means that if one is able to maintain
locally a consistent tagging of messages, then a local automaton that receives
two messages can always decide which message should be received first.
Definition 10 (Concerned instances) Let b = (c,M, n) be a branch of an
HMSC H. We will say that instance p ∈ I is concerned by branch b if and only
if there exists an event of M on p (EMp 6= ∅). Let K ∈ NBH be a choice clock,
and let p ∈ I be an instance of H. The vector of choices that concern p in K is
the restriction of K to branches that concern p, and is denoted by [K]p.
For a given instance i, the controller Ci associated with the projected au-
tomaton K(Ai) will receive the messages sent by K(Ai) and by the other
controllers. We consider that messages exchanged between the automata and
the controllers are triple (j,m, b) where j ∈ I is the destination automaton,
m ∈ C is the message name, and b the branch in which the sending event has
occurred. In other words, in our controlled architecture, an automaton executes
p!Cp(q,m, b) instead of p!q(m). The messages exchanged between controllers are
tagged and represented by pairs (m, τ) where m is a message name and τ ∈ NBH
a choice vector. In addition, the controller Ci maintains several local variables :
INRIA
Realistic Implementation of Message Sequence Charts 15
– τi ∈ NBH , its local known choices vector. It is initialized to the null vector,
and updated upon consumption of incoming messages.
– nbevt, which counts the remaining number of communication events of the
instance i to be treated in the current branch that is being processed.
– Rec is a sequence of reception events. nbevt and Rec are initialized with
constant values (that depend on the chosen branch) when dealing with
the first event of a branch on process i.
– currentb, which memorizes the branch of H that is currently executed by
process i.
In the rest of the paper, we will denote by pii(M) the sequence of events
obtained by projection of M on instance i ∈ I, and by pii,?(M) the restriction of
this sequence to receptions. The generic algorithm for a controller Ci is composed
of two rules, which are continuously active. Rule 1 applies to communications
from K(Ai) to Ci. First case corresponds to minimal events controlled by the
projected automaton K(Ai). When dealing with the first event of the bMSC
(branch b) to be processed, the only role of the controller is to compute the tag
(increment of the corresponding component of τi) and to initialize the variables
nbevt and Rec. The currently processed branch is stored in variable currentb.
The other case deals with communications from K(Ai) that are not choices
of K(Ai). These events are generated in correct order by construction of the
projection.
The second rule applies for every port Pj , j 6= i, and aims at controlling
the order of the different receptions. This is the rationale of the controller.
There are three cases. The first case occurs when a branch of H has already
been started, that is a controller Ci has received (i.e. consumed) a message
indicating the choice performed by the deciding instance of this branch, and a
valid message arrives. In this situation, all the components concerning K(Ai)
of the current tag τi and of the tag τ labeling the incoming message must be
equal, and this incoming message must be the next expected message (i.e. the
next reception in Rec) in currently executed branch. Then the message can be
consumed by Ci and forwarded to K(Ai). The fact that there is only one FIFO
channel between the controller Ci and the projected automaton K(Ai) ensures
the correct order of receptions on this automaton. The second case is when
the incoming message is the first communication signaling a new choice. The
controller then checks if the received message defines the next branch of H that
must be executed by K(Ai). This is done by verifying if the received tag is the
next tag to be treated (considering only the components that concern K(Ai)),
that is [τi]i l [τ ]i. In that case, the current tag can be updated. The current
branch is retrieved by considering the component that differs between [τ ]i and
[τi]i. Then the remaining number of events that should be executed within this
branch (the number of events on the instance i in the bMSC of the current
branch, minored by one) is set, as well as the expected sequence of receptions,
before transmission of the message to K(Ai). The third case applies when none
of the above situations hold, that is the incoming message on port Pj can not
yet be consumed, either because it is not the next reception expected (another
reception on another port should occur before this one) or the incoming message
signals that a new choice has been started, but more events must occur before
consuming it. In such case, the controller does nothing, and waits for other
messages on other ports.
RR n° 7597
16 Jard & Abdallah & He´loue¨t
Algorithm 2 Controller Ci
RULE 1 : when (j,m, b) available on port Pi
consume (j,m, b)
if nbevt = 0 then
τi[b]++
nbevt = |Πi(Mb)| − 1
Rec = Πi,?(Mb)
send (m, τi) on port Pj
else
nbevt - -
send (m, τi) on port Pj
end if
RULE 2 : when (m, τ) available on port Pj
if ([τi]i = [τ ]i) ∧ (Rec = Ai?Aj(m).w) then
consume (m, τ)
nbevt - -
send (j,m) on port Pi
Rec = w
else
if (nbevt = 0) ∧ ([τi]i l [τ ]i) then
consume (m, τ)
τi = τ
currentb = b s.t. [τ ][b]− [τi][b] 6= 0
nbevt = |Πi(Mcurrentb)| − 1
Rec = Πi,?(Mcurrentb)[2..nbevt]
send (j,m) on port Pi
end if
end if
5.3 Proof of correctness
Definition 11 Let O = (E,≤, t, φ,m) be a prefix in L(||K(Ai)|Ci). The res-
triction of O to non-control events is a restriction of O to events located on
K(Ai)’s. We will denote by Unc(O) this restriction. The uncontroling of O =
(E,≤, t, φ,m) is a renaming function Ru() that replaces communications to and
from the controller of a process by direct communications with the process concer-
ned by the sent/received message, and builds the message mapping. Ru(O) =
(E,≤, t′, φ,m′), where t′(e) = p!q(m) if t(e) = p!Cp(m, q, c), t′(e) = p?q(m) if
t(e) = p?Cp(m, q), and t
′(e) = t(e) otherwise. Function m′ maps the ith sending
from p to q with the ith reception on q from p for every pair of processes.
Note that for a prefix O in L(||K(Ai)|Ci), the message mapping in Unc(O)
is an empty relation.
Theorem 3 Let H be an HMSC, and let ||K(Ai)|Ci be its controlled synthesis.
Then, Ru(Unc(L(||K(Ai)|Ci))) = L(H).
Proof : We will prove this theorem by showing inclusion in the two directions.
We will also need a technical lemma that shows that the tagging mechanism is
the same in an HMSC and in its implementation.
INRIA
Realistic Implementation of Message Sequence Charts 17
Lemma 1 For all H, local choice HMSC, the choices events in any behavior of
the synthesized communicating machines are totally ordered.
proof : We will prove this property by induction. Let us denote by Pn the pro-
perty : for all H, local choice MSC, the choices in any behavior of the synthesized
communicating machines in a run containing n choices are totally ordered.
Let us first verify this property for n = 2. As H is local choice, then there is
only one CFM that can perform an action (a message sending) from the initial
configuration. The next choice can then only be played after the first one. Hence,
the first two choices are ordered.
Let us suppose the property verified up to n, and prove that it also holds for
n+1. Let us suppose a prefix O◦O′ from L(||K(Ai)|Ci) with n+1 choices, such
that O contains n choices. Then, O is of the form O = {c1} ◦ O1 . . . {cn} ◦ On,
where each ci is a choice event, and such that {c1} ◦ O1 is a prefix of the first
MSC M1 played in this run. Then, O◦O′ can be completed by piece P1 such that
O ◦O′ ◦ P1 contains a complete execution of the first MSC M1 (so far, nothing
forces M1 to be completely executed). O ◦O′ ◦P1 can be equivalently rewritten
as O◦O1,1◦. . . O1,n◦P1◦{c2}◦O′2 . . . {cn}◦O′n◦O′, where each O1,i is the part of
Oi that belongs to M1 and O
′
i = Oi \O1,i, as events in {c2} . . . {cn}◦O′n ◦O′ do
not need to wait for the execution of any event in P1 to be fireable. Note that P1
is ensured to be a legal continuation of O ◦O′ as no machine can start executing
events with tag greater than 0BH before executing its task in M1. Let us denote
by P2,n = {c2} . . . {cn}◦O′n◦O′ the tagged piece starting at choice event c2, and
by P ′2,n the same piece, where all tags are decremented on component M1. P
′
2,n
is a run with n choices of an HMSC H ′, which is a copy of H where the initial
node is the node reached in H after M1. Hence, all choices in P
′
2,n are ordered,
and so are choices in w′. Hence, all choices in O ◦O′ are totally ordered.
As choice events are the only moment when a tag is updated, this lemma
also means that the set of tags that can appear in an execution is the set of
tags labeling choice events, and hence that the tags produced in any run that
belongs both to L(H) and L(||K(Ai)|Ci) are the same. We are now ready to
prove the two inclusions.
I) First let us show that Ru(Unc(L(||K(Ai)|Ci))) ⊆ L(H) (rewritten for short
as L1 ⊆ L2).
Suppose that there exists a prefix O ◦ {a} ∈ L1 such that O ∈ L2, but
O ◦ {a} 6∈ L2. Suppose that a is a sending event from p to q, i.e. a = p!q(m) for
some m. O brings the CFSM in a configuration CA and H in a configuration
CH . The automaton K(Ap) is in a state from which a can be fired, that is all
predecessors of a on p have been executed both in CA and CH . Hence, action
a is also allowed from CH , as projection preserves sequences of events on each
process. Contradiction. A similar case holds for atomic actions. Hence, a can
only be a receive action, i.e. a is of the form a = p?q(m) for some q,m. Then,
there exists a prefix O′ ∈ L(||K(Ai)|Ci) such that RU(Unc(O′)) = O, and O′
is of the form O1 ◦ {a′} ◦ .O2, where O1 is a prefix, and O2 a piece of bMSC.
Action a′ is of the form a′ = Cp?Cq(m, τ, b), otherwise a can not be played after
O. O1 is of the form O1 = P1.{b}.P2.{b′}.P3 where b = K(Aq)!Cq(m, p, b) and
b′ = Cq!Cp(m, τ, b), with the same tag τ as in a′.
After O, the automata are in a configuration where the FIFO queue from
Cp to K(Ap) has a message m as head. In configuration CH corresponding to O
there is a message sent but not received from q to p. If a is not allowed in CH ,
RR n° 7597
18 Jard & Abdallah & He´loue¨t
then it is not because the message to be received was not sent, but rather because
there exists some former events on process p to be executed (i.e. there is piece of
bMSC Oa such that a can be played from CH only after Oa has been played. Let
us get back to the communicating automaton K(Ap). K(Ap) has reached a state
s in CA. As there exists a transition by a from K(Ap) and as we know that there
exists also several events in Oa that can be executed from the configuration CH ,
then state s is a choice, from which a and the minimal event of Oa on instance p
are possible. Oa and a are hence consequences of different choices, and we have
that τ(Oa) 6= τ(a). From lemma 1 we know that all choices in an execution of the
communicating automata are ordered. As all choices are totally ordered, the tags
associated to an execution of an HMSC and to an execution of communicating
automata are the same. We then have τ(Oa) < τ(a). As Oa and a are events
of choices that concern p, the communication Cq!Cp(m, τ(a)) that must occur
in O before a can not be played as the message received is tagged by a vector
which is not the expected successor tag on Cp. We then have a contradiction,
and L1 ⊆ L2.
II) Let us now prove the reverse direction : L2 ⊆ L1.
Let us suppose there exists O ◦ {a} such that O ◦ {a} ∈ L2, O ∈ L1 but
O ◦ {a} 6∈ L1. If a is a sending of a message or an atomic action, then all
preceding events on the same process have been executed in the CFM, and
hence a can be fired, as atomic actions and sendings can be fired as soon as
the considered process is in a state that enables it, without considering queues
contents. Contradiction.
Then, a is a reception a = p?q(m), and the sending m−1(a) from q to
p has been executed in O, that is both in H and in the CFM. A message
m from p to q is translated in a CFM execution as a sequence of actions :
s1 = K(Aq)!Cq(m, p, b), r1 = Cq?K(Aq)(m, p, b), s2 = Cq!Cp(m, τ, b), r2 =
Cp?Cq(m, τ, b), s3 = Cp!K(Ap)(m), r3 = K(Ap)?Cp(m). As O ∈ L1, we know
that r1 has been executed. Similarly, the automaton K(Ap) is in a sate from
which r3 can be fired, because all predecessors of a on process p have been
executed by K(Ap). Then, r3 can not be executed iff r1, s2, r2 or s3 has not
been executed. Similarly, if all communications from K(Aq) to Cq took place in
RU−1(Unc−1(w)), then r1 is either fired or fireable, and as a consequence s2 can
also be fired. Let us suppose that Cp is blocked at r2. Then it means that the
message to receive is not properly tagged, or that Cp still have to perform some
interactions from previous choices with K(Ap). This can only be receptions of
messages from K(Ap), as otherwise, all events in O would not be executed on
K(Ap). Hence, Cp can always consume these messages before playing r2. Now,
let us suppose that the tag of the message sent in s3 is not the expected tag
on Cp. Then it means that Cp should observe other tagged messages from a
former choice ; The actions to be performed by Cp can only be receptions, and
all the message sendings that should have occurred indeed occurred, for the
same reasons as before. Hence, all these events can be executed by Cp before
executing r2 and then s3. Hence the reception can not be blocked in L2.
6 A prototype implementation
We have integrated our synthesis method to the SOFAT toolbox, a scena-
rio manipulation environment [10]. SOFAT provides some procedures to decide
INRIA
Realistic Implementation of Message Sequence Charts 19
whether an HMSC is bounded, local choice, etc. When possible, SOFAT also
proposes to animate the HMSC and builds the corresponding chronograms.
The code generated by our synthesis algorithm is written in Promela, the
input language of the SPIN model-checker [12]. In Promela, we can easily des-
cribe the distributed architecture and the behavior of each component using
the notion of Promela process and guarded commands. Using SPIN, it is then
possible to simulate the target code, and output the result of a simulation as
a bMSC. Spin also allows to model-check some properties (up to some bound
on the contents of channels). The text below shows the Promela code generated
from the HMSC of Figure 1 and an example of scenario (in a bMSC layout)
as produced by the SPIN simulator is shown in Figure 6. We have also model-
checked this code to prove that the order of receptions provided by our algorithm
is correct on this example.
A:5
29
Cont:1
31
1!1,m1,0
36
Cont:2
40
9!m1,1,0
46
B:6
47
22!0,m1
48
50
2!2,m2,-1
53
Cont:3
58
14!m2,1,0
64
65
67
1!3,m3,1
72
Cont:4
76
17!m3,1,1
82
D:8
83
24!0,m3
84
86
4!2,m4,-1
89
C:7
94
23!1,m2
100
16!m4,1,1
106
107
23!3,m4
107
107
Figure 6 – A bMSC produced by SPIN during simulation of the Promela
generated code, implementing our synthesis method.
RR n° 7597
20 Jard & Abdallah & He´loue¨t
/* A Promela implementation of a CFSM generated
from an HMSC example.
Includes the tagging algorithm -- */
#define CMAX 5 /* max size of channels */
#define NBC 2 /* number of MSCs (choices) */
#define AUTNUM 4 /* the number of automata*/
#define next (((t.T[0]-tau.T[0])*Mask[i].T[0]+\
(t.T[1]-tau.T[1])*Mask[i].T[1])==1)
#define same (((t.T[0]-tau.T[0])*Mask[i].T[0]+\
(t.T[1]-tau.T[1])*Mask[i].T[1])==0)
#define update tau.T[0]=t.T[0]; tau.T[1]=t.T[1]
#define diff (t.T[1]-tau.T[1])*Mask[i].T[1]
#define MAXEVTNUM 1 /* the max nb of rec in a bMSC */
#define Shift_Rec /* A macro that shifts the Rec table*/
typedef tagtype { int T[NBC]; }
typedef com_Num { int T[AUTNUM];}
com_Num PI[NBC]; /* number of comm events in a bMSC */
typedef order_recpt{int recpt[MAXEVTNUM]} /* required seq */
typedef aut_choice{order_recpt theAUT[AUTNUM]}
aut_choice PIC[NBC];
typedef chan_col {chan PP[AUTNUM]=[CMAX] of {mtype,tagtype};}
chan_col P [AUTNUM]; /* channels between controllers */
chan Aut_Cont[AUTNUM]=[CMAX] of {int,mtype,int};
chan Cont_Aut[AUTNUM]=[CMAX] of {int,mtype};
mtype = {m1,m2,m3,m4} /* message types in the system */
com_Num Mask[AUTNUM]; /* selection of concerned instances */
proctype A()
{sa0: if :: Aut_Cont[0]!1,m1,0; goto sa0
:: Aut_Cont[0]!3,m3,1 fi}
proctype B()
{sb0: if :: Cont_Aut[1]?0,m1; goto sb1 fi;
sb1: if :: Aut_Cont[1]!2,m2,-1 fi}
proctype C()
{sc0: if :: Cont_Aut[2]?1,m2; goto sc0
:: Cont_Aut[2]?3,m4 fi}
proctype D()
{sd0: if :: Cont_Aut[3]?0,m3; goto sd1 fi;
sd1: if :: Aut_Cont[3]!2,m4,-1 fi}
INRIA
Realistic Implementation of Message Sequence Charts 21
proctype Cont(int i) /* The generic controller */
{tagtype tau,t; int nbevt, currentb; int j=0;
int b; mtype m; order_recpt Rec;
do
/* RULE 1 */ :: Aut_Cont[i]?<j,m,b>;Aut_Cont[i]?j,m,b ->
if :: (nbevt==0) -> tau.T[b]++; nbevt=PI[b].T[i]-1;
Rec.recpt[0]=PIC[b].theAUT[i].recpt[0];
P[j].PP[i]!m,tau
:: else -> nbevt--; P[j].PP[i]!m,tau fi;
/* RULE 2 */ :: P[i].PP[j]?<m,t> ->
if :: (same && (Rec.recpt[0]==j)); P[i].PP[j]?m,t ->
nbevt--; Cont_Aut[i]!j,m ; Shift_Rec
:: else -> if :: ((nbevt==0) && next);
P[i].PP[j]?m,t ->
update;
currentb=diff; nbevt=PI[currentb].T[i]-1;
Rec.recpt[0]=PIC[currentb].theAUT[i].recpt[0];
Cont_Aut[i]!j,m fi;
fi;
:: j=(j+1)%AUTNUM
od
}
init{ /* Constant values obtained from the HMSC parsing */
PI[0].T[0]=1; PI[0].T[1]=2; PI[0].T[2]=1;
PI[1].T[0]=1; PI[1].T[2]=1; PI[1].T[3]=2;
PIC[0].theAUT[0].recpt[0]=-1; PIC[0].theAUT[1].recpt[0]=0;
PIC[0].theAUT[2].recpt[0]=1; PIC[0].theAUT[3].recpt[0]=-1;
PIC[1].theAUT[0].recpt[0]=-1; PIC[1].theAUT[1].recpt[0]=-1;
PIC[1].theAUT[2].recpt[0]=3; PIC[1].theAUT[3].recpt[0]=0;
Mask[0].T[0]=1; Mask[0].T[1]=1; Mask[1].T[0]=1;
Mask[2].T[0]=1; Mask[2].T[1]=1; Mask[3].T[1]=1;
run Cont(0); run Cont(1); run Cont(2); run Cont(3);
run A(); run B(); run C(); run D()
}
RR n° 7597
22 Jard & Abdallah & He´loue¨t
7 Conclusion
We have proposed a synthesis framework that produces an implementation
for local choice HMSCs. This synthesis works with additional processes that tag
messages and delay them to ensure correct ordering of message receptions. To
keep the construction of CFSM simple, we have supposed FIFO semantics of
communications, and we will hence suppose that the HMSCs that we implement
do not contain message overtaking. However, the extension of our implementa-
tion to models that allow message overtaking should be easy. One fact worth
mentioning again is that the controllers are purely asynchronous, which leaves
a lot of freedom to choose a particular architecture. In a real implementation,
one may suppose that a process and its controller are implemented on the same
machine, but this is not mandatory. Controllers are designed to need as little
information as possible to ensure that the processes they control are always exe-
cuting a valid run of the specification : each process executes its task as defined
in the projection of the specification, and controllers ensure coordination. In the
future, we would like to study whether asynchronous controllers can in addition
guarantee properties such as boundedness of some buffers, avoidance of a given
configuration, etc.
INRIA
Realistic Implementation of Message Sequence Charts 23
Re´fe´rences
[1] B. Algayres, Y. Lejeune, F. Hugonment, and F. Hantz. The avalon project :
a validation environment for sdl/msc descriptions. In Proc. of SDL’93,
pages 221–235, 1993.
[2] R. Alur, G.J. Holzmann, and D. Peled. An analyser for mesage sequence
charts. In TACAS, volume 1055 of LNCS, pages 35–48, 1996.
[3] R. Alur and M. Yannakakis. Model checking of message sequence charts.
In CONCUR, pages 114–129, 1999.
[4] P. Baker, P. Bristow, C. Jervis, D.J King, and B. Mitchell. Automatic
generation of conformance tests from message sequence charts. In SAM,
pages 170–198, 2002.
[5] N. Baudru and R. Morin. Synthesis of safe message-passing systems. In
FSTTCS, pages 277–289, 2007.
[6] H. Ben-Abdallah and S. Leue. Syntactic detection of process divergence
and non-local choice in message sequence charts. In Proc. of TACAS’97,
volume 1217 of LNCS, pages 259 – 274, April 1997.
[7] D. Brand and P. Zafiropoulo. On communicating finite state machines.
Technical Report RZ1053, IBM Zurich Research Lab, 1981.
[8] Rational Software Corporation. Uml notation guide. Technical report,
Rational Software Corporation, 1997. www.rational.com/uml.
[9] B. Genest, A. Muscholl, H. Seidl, and M. Zeitoun. Infinite-state high-level
mscs : Model-checking and realizability. In ICALP, volume 2380 of LNCS,
pages 657–668, 2002.
[10] L. Helouet. Sofat : Scenario formal analysis toolbox. Technical report,
INRIA Rennes. www.irisa.fr/distribcom/Prototypes/SOFAT/.
[11] L. He´loue¨t and C. Jard. Conditions for synthesis of communicating auto-
mata from hmscs. In 5th International Workshop on Formal Methods for
Industrial Critical Systems (FMICS), 2000.
[12] G.J Holzmann. The model checker spin. IEEE Trans. Software Eng.,
23(5) :279–295, 1997.
[13] ITU-T. Z.120 : Message sequence charts (msc). 1998.
[14] M. Mukund, K.N. Kumar, and M. Sohoni. Synthesizing distributed finite-
state systems from mscs. In CONCUR, pages 521–535, 2000.
[15] A. Muscholl, D. Peled, and Z. Su. Deciding properties for message sequence
charts. In FoSSaCS, volume 1378 of LNCS, pages 226–242, 1998.
[16] B. Selic, G. Gullekson, and P.T. Ward. Real-time object-oriented modelling.
John Wiley & Sons, Inc, 1994.
RR n° 7597
Centre de recherche INRIA Rennes – Bretagne Atlantique
IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)
Centre de recherche INRIA Bordeaux – Sud Ouest : Domaine Universitaire - 351, cours de la Libération - 33405 Talence Cedex
Centre de recherche INRIA Grenoble – Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier
Centre de recherche INRIA Lille – Nord Europe : Parc Scientifique de la Haute Borne - 40, avenue Halley - 59650 Villeneuve d’Ascq
Centre de recherche INRIA Nancy – Grand Est : LORIA, Technopôle de Nancy-Brabois - Campus scientifique
615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex
Centre de recherche INRIA Paris – Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex
Centre de recherche INRIA Saclay – Île-de-France : Parc Orsay Université - ZAC des Vignes : 4, rue Jacques Monod - 91893 Orsay Cedex
Centre de recherche INRIA Sophia Antipolis – Méditerranée : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr
ISSN 0249-6399
