Abstract-Modeling and analyzing software architectures are useful for helping to understand the system structures and facilitate proper implementation of user requirements. Despite its importance in the software engineering practice, the lack of formal description and verification support hinders the development of quality architectural models. In this work, we develop an approach for modeling and verifying software architectures specified using Monterey Phoenix (MP) architecture description language. Firstly, we formalize the syntax and operational semantics for MP. This language is capable of modeling system and environment behaviors based on event traces, as well as supporting different architecture composition operations and views. Secondly, a dedicated model checker for MP is developed based on PAT verification framework. Finally, several case studies are presented to evaluate the usability and effectiveness of our approach.
Abstract-Modeling and analyzing software architectures are useful for helping to understand the system structures and facilitate proper implementation of user requirements. Despite its importance in the software engineering practice, the lack of formal description and verification support hinders the development of quality architectural models. In this work, we develop an approach for modeling and verifying software architectures specified using Monterey Phoenix (MP) architecture description language. Firstly, we formalize the syntax and operational semantics for MP. This language is capable of modeling system and environment behaviors based on event traces, as well as supporting different architecture composition operations and views. Secondly, a dedicated model checker for MP is developed based on PAT verification framework. Finally, several case studies are presented to evaluate the usability and effectiveness of our approach.
I. OVERVIEW
Software Architecture plays a vital role in the high level design of a software system. In analogy to the civil engineering, it represents the fundamental structural and behavioral descriptions of the software system during the engineering process. Software Architecture specifications have been widely used in many fields to assist users to get an intuitive understanding of the whole system on one hand, and to facilitate different groups to cooperate together by giving them guidelines and objectives on the other. The challenges in this field have been focused on how to model a system in its early design phase. The development cost can be greatly reduced if mistakes are found early in high-level architecture designs. In order to address the above problems, the model checking technique has been widely used in this field. Model checking is an effective means to verify the system against properties through automatic and exhaustive search space exploration.
Among the various architecture description languages, Monterey Phoenix (MP) [4] , [5] , [6] is a precise and innovative language which describes the system behavior based on rigorous event grammar rules. In this language, the behavior of the system is defined as a set of events (event trace) with two basic relations: precedence and inclusion. The structure of event trace is specified using event grammar rules and other constraints organized into schemas. The structure of the system can be designed based on the behavior model, which provides a topology representation of how the system is composed and operated by users. Despite its flexible features, this language is short of verification support. In this work, we apply model checking technique to MP language for the first time to support a wide range of properties checking including deadlock-freeness, reachability, and Linear Temporal Logic (LTL) properties.
In this paper, we present an automated approach to the modeling and verification of system architectures in the PAT framework [15] , [22] , [14] . Firstly, we cover a rich set of MP syntax to describe concurrent communications between the components and connectors of the system. We formally define the syntax and operational semantics to provide the foundation of formal analysis. Based on the formal semantics, we further developed a dedicated model checker based on PAT verification framework, which supports modeling, simulation and verification of MP models. Finally, we demonstrate our approach with the architecture modeling and verification of the client server, pipe filter and radar weapon system [6] , where the effectiveness and useability of our approach are evaluated.
Related Work In the past decade, model checking techniques have been applied to software architecture designs [25] , which aimed at achieving precise specification and rigorous verification of the intended structures and behaviors in the design. The advantage of verification is to determine whether a modeled structure can satisfy a set of given properties derived from the requirements of a system. Furthermore, automated verification provides an efficient and effective means for checking the correctness of the architecture design. A considerable number of architecture description languages have been proposed in the past years, e.g., Wright [2] , [3] , ACME [9] , and CHAM [8] , [11] . Wright and ACME capture the properties and structures of systems by composing components which interact through connectors, whereas, CHAM models system architecture in terms of molecules and transformation rules. The drawback of many existing approaches lies in the limited verification support to the software architecture models specified in those notations. For example, Wright is considered as the prominent language in modeling the component and connector structures. It makes the explicit use of parameterizing the specific behaviors of a particular type. This language is partially encoded into the FDR model checker [17] , where only a subset of the language is supported and the verification is limited by the FDR tool (e.g., only compatibility checking and deadlock analysis are available). In comparison, much more properties such as reachability, and Linear Temporal Logic (LTL) properties checking are supported in our approach. Our recent work [24] on direct verification of extended Wright language improves [2] , [3] with support of reachability and LTL. For ACME language, it is intended to support mapping from one architecture description language to an intermediate logical formalism and adopts an open semantic framework to reason about the model. Kim and Garlan [13] proposed the modeling and verification of architecture styles using the Alloy language and analyzer. In their approach, a few architecture styles based on ACME descriptions were translated to Alloy and verified. Although it offers a useful insight to the ability of applying Alloy in automating the verification of architecture descriptions, the performance issue is a practical limitation. In our approach, we support the simulation and verification of MP models directly without extra transitions which can save the overhead to a large extent compared with the translation approach adopted by Wright and ACME languages. The CHAM language has an effective way to express system properties but with no verification support. In addition to the above mentioned specific architecture description languages, a considerable amount of work has involved the Z [19] specification language and CSP [10] language. Z language is a model-based, set-theoretic formalism which is developed to be highly expressive. The system described in Z notations includes a set of system states and different operations. There are also the Object-Z [18] and TCOZ [16] languages proposed to extend Z with object-oriented styles and timing primitives. In contrast, CSP language is one of the process algebra languages. It defines system behaviors based on process modeling and formal reasoning about these models. The Wright language uses a subset of CSP to specify the behaviors of connected elements of a system. In particular, the concept of schemas in Z notations and the process expressions of CSP language provide inspiration and insight for formalizing and refining the behavior models in MP.
Organization The rest of the paper is organized as follows. Section II introduces the basic concepts and language features of MP language. Section III defines the syntax and operational semantics for MP. Section IV illustrates different properties we can verified based on MP models. Section V demonstrates several case studies using the MP model checker with evaluation results. Section VI concludes the paper and discusses the future work.
II. BASIC CONCEPTS OF MP
In this section, we introduce the basic concepts and language features of Monterey Phoenix language. The software architectures are specified based on behavior models. The behavior of a system is defined as a set of events (event trace) with two basic relations: precedence (PRECEDES) and inclusion (IN). In case of precedence, it means two events are ordered in time. One event should happen before the other event. In case of inclusion, it represents one event appears inside another event. Under this relation, events can be defined in an appropriate level of granularity and with hierarchical structures. The two basic relations define a partial order between events. Two events may happen concurrently if they are not ordered. The basic relations are transitive, noncommutative, non-reflexive, and distributive.
A. Event Grammar
The structure of event trace is specified by the event grammar rules in terms of PRECEDES and IN relations. The grammar rules have a form of:
where A stands for event type name. The following event patterns are used in the right hand part of grammar rules, where B, C, D stand for event type names or event patterns. The fourth rule denotes a set of zero or more events satisfying event pattern B without an ordering relation between them. Similar to scope sequence rule, users can set a particular scope for this rule in the following way: "A : { * < startScope − endScope > B * }; ", where startScope and endScope are nonnegative integers. A valid scenario for this rule is shown in Figure 4 : The behavior model of a software system is specified using a set of event traces together with some constraints organized in a schema. The concepts of MP schema is inspired by Z schemas and the architectural concept of configuration. For a traditional configuration, it usually contains a collection of components and connectors, where components capture the behavior of each part of the system and connectors specify the interactions among components. In terms of MP model, both components and connectors are expressed by root events, while other events are used to specify the event structures and interactions. The detailed structure of MP schema will be introduced in Section III.
B. Share All
In addition to the basic grammar rules, MP also provides a mechanism for synchronizing root event behaviors through specific share all constraint. This operation plays a role similar to the event synchronization in CSP. The following shows two examples of the share all constraint: 
C. Slice
For the assertion language, MP proposes a useful clause Slice to represents a set of concurrent events with in the event trace.
Concurrent(x, y) ≡ ¬(x PRECEDES y)∧¬(y PRECEDES x)
Slice is a set of events from the event trace, such that
It can be viewed as a special relation used in assertions.
III. FORMAL SYNTAX AND SEMANTICS OF MP
After introducing the basic concepts of MP language, we are ready to present the formal syntax and operational semantics in this section. As introduced in Section II, system behaviors in MP are described based on behavior models. Different event traces can be extracted from the well built behavior model. Each trace represents a valid execution case of the abstract system machine. Events in MP are the basic elements and defined at different levels of granularity. According to the language features, we classify all events into three categories. They are root events, middle events and leaf events respectively. Among them, root events and middle events can be viewed as composite events defined by pattern-lists; leaf events are the atomic events, which are executed at each step during the process of simulation or verification. Both middle events and leaf events can appear in the pattern-lists. The behavior model in MP is expressed via the MP schema which is organized as a set of root events without PRECEDES or IN relations between them. Different root events can be synchronized through the share all constraint.
A. Syntax of MP Schema
The syntax of MP schema is formalized in this subsection. We start with the formalization of the MP Schema definition as follows.
Definition 1 (MP Schema):
A MP Schema is a 4-tuple S = (Var, Init, P, C), where Var is a set of global variables; Init is the initial valuation of the variables; P denotes all the pattern-lists of root events; C is the share all constraint.
In the above Schema, multiple root events can have several leaf events in common. The common leaf events are provided by share all constraint. All the root events should execute their common leaf events simultaneously. For the respective other events, they are executed in interleave order. The structure of root event is defined via the When structure which has a form as below:
-when structure where e r is the root event,
The When structure is similar to the interrupt operation in CSP or the exception handling construct in traditional programming languages such as C# and JAVA. Event e i (1 ≤ i ≤ n) may be inserted in the event trace at any place within the root trace, then the trace is continued with events specified by pattern-list Q i . Users can also attach a RESTART clause after the When construct so as to resume the trace from the beginning of the pattern-list for the root after the interruption.
In MP, the behavioral aspects of the root events or middle events are described through pattern-list which is the key part of this language. Next, we will show the syntax of pattern-list. Most of the syntax is derived from the event grammar rules given in Section II.
where e l denotes the leaf event which is atomic and indivisible, e m denotes middle event, b is a boolean expression, the capital letters P and Q represent pattern-lists. In addition, we need to define the scope for the scope set and iterative pattern-lists in order to make the event trace finite when doing model checking. Therefore, a 1 and a 2 are two nonnegative integers that define the lower bound and upper bound of the scope.
An atomic leaf event e l is executed individually. Special event {program} is a paragraph of sequential program which is a statement block containing variable assignment, if-thenelse or while structures. The right hand part of assignment is arithmetic or boolean operation. Special event is considered as an atomic event and executed in one step. The Skip event is a successful termination event. This event means a patternlist finishes successfully without deadlock. Both special event and termination event are regraded as leaf events. P Q is the sequence pattern. It behaves as pattern-list P first until its termination and then behaves as pattern-list Q. The alternative pattern (P 1 | P 2 | .... | P n ) is made internally and nondeterministically where any P i (1 ≤ i ≤ n) may execute subsequently. The set pattern {P 1 , P 2 , ..., P n } denotes interleaving execution where any P i (1 ≤ i ≤ n) may perform their local actions without referring to each other. The scope set { * < a 1 − a 2 > P * } defines several same pattern-list P execution without PRECEDES order. In contrast, iterative pattern ( * < a 1 − a 2 > P * ) defines several pattern-list P execution in PRECEDES order, where each P must perform when the previous one has been finished. The number of pattern-list P must fall in the predefined scope in both iterative patterns. The if b {P} else {Q} is a conditional branching, when the boolean expression b is evaluated to be true, the system performs P, else performs Q. All the variables in expression b are global variables. Similarly, the while loop while b {P} behaves continuously as pattern-list P or finishes the while loop immediately according to the value of b. A middle event can be referenced in the pattern-list.
We present two MP schemas to illustrate the syntax more clearly. One is the Client Server schema in Figure 9 and the other is the Pipe Filter schema in Figure 10 . Both of the schemas are defined in the scope of case 2. In the Client Server schema, the Client can request information from the Server and then block itself to wait for the reply. When the Server receives requests, it will process them and send back the results to Client. After receiving the results, the Client will unblock itself and continue executing. The Connector is used to restrict the order of event between Client and Server. This structure is quite commonly used in nowadays applications such as the Browser/Server structure. The second one is the Pipe Filter schema which models a system whose execution is driven by data flow. There are two Filter components and one Pipe component in this system. Both of the Filters can receive data, process data and send out data. The Pipe is responsible for transmitting data from one Filter to another and keep the data flow direction. The Connector here is restricting the order of event, where the Filter One sending out data must be performed before the Pipe getting data in and the Filter Two receives data only after the data is sent out from the Pipe. This structure is also popular which can find its applications in many industrial examples, such as the data flow applications, Map-reduce model in cloud computing and Yahoo! Pipes.
B. Operational Semantics
In this subsection, we will present the operational semantics, which translates a model into a Labeled Transition System (LTS). The sets of behaviors can be extracted from the operational semantics accordingly. We start with the definition of system configuration. It captures the global system state during system executions.
Definition 2 (Configuration):
A system configuration is composed of two components (V, P), where V is the current valuation of all global variables, P is the current pattern-list expression.
The operational semantics for pattern-list is presented as firing rules associated with each pattern-list construct. Let ΣP denote a set of shared events of pattern-list P defined by share all constraint. Let ξ{P 1 + · · · + P n } denote a set of events shared by a union of pattern-lists from P 1 to P n defined by share all constraint. If a leaf event e l ∈ ξ{P 1 + · · · + P n }, we can derive that e l ∈ ΣP i (1 ≤ i ≤ n). For simplicity, a function upd(V, prog), to which given a sequential program and valuation V, returns the modified valuation function V according to the semantics of the program. We write V b (or V b) to denote that condition b evaluates to be true (or false) given V. denotes an empty event which performs no action. Figure 11 illustrates the firing rules. In event rule, the model behaves as an atomic leaf event e l . An atomic event is performed in one step during the process of simulation or verification. The program rule is defined for the special event which is a paragraph of sequential program. The system will update the values of global variables according to the semantics of the program in this rule. The alternative rule is a multiple choice rule. The system can choose any pattern-list P i (1 ≤ i ≤ n) to execute subsequently. In sequence rules (sequence 1 and sequence 2 ), the system executes pattern-list P first. When P is found to be finished, the model will continue to execute pattern-list Q. The three share rules (share 1 , share 2 and share 3 ) define the behavior of the root pattern-lists under the share all constraint. The shared leaf events of multiple pattern-list unions should be executed simultaneously. For other unshared events, they are performed without specific order. Assuming that we have two pattern-list unions: {P 1 + · · · + P n } and {Q 1 + · · · + Q m }, which share all leaf event e l . When the system executes rule share 3 , one pattern-list P i (1 ≤ i ≤ n) from union {P 1 + · · · + P n } and the other pattern-list Q j (1 ≤ i ≤ m) from union {Q 1 + · · · + Q m } are chosen to execute the event e l simultaneously. If event e l is not a shared event, it can be executed without any specific order, which is defined by rule share 1 and rule share 2 . The two when rules (when 1 and when 2 ) denote a root pattern-list which can be interrupted by multiple pattern-lists. When the system executes the when rules, the first event of pattern-list 
may be inserted in the event trace at any place within the root trace, then the trace is continued with events specified by pattern-list Q i . For restart rule, users can choose to put a RESTART clause after the interruption pattern-list Q i (1 ≤ i ≤ n). It defines that the event trace can restart from the beginning of the root pattern-list after the interruption. The iterative rules (iterative 1 and iterative 2 ) describe a scope sequence operation which implies the pattern-list P can happen sequentially for a number of times. Integer a is randomly chosen between a 1 and a 2 in order to specify the number of iteration times. If the value of a is chosen to be 0, the system has no behavior. Otherwise, it will behave as rule iterative 1 . The set rule denotes a set of various pattern-lists execute concurrently without an ordering relation between them. The pattern-lists in set are executed without PRECEDES order. The middle rule denotes that you can place a pattern-list P behind a middle event M. This rule captures the behavior of the IN relation. The middle event can be regarded as a pattern-list reference. The scope rules (scope 1 and scope 2 ) denote a number of pattern-list P execute concurrently without PRECEDES order. Rules scope 1 and scope 2 are defined according to the value of a. The two condition (condition 1 and condition 2 ) rules define how to execute the conditional choice. If expression b is evaluated to be true, the pattern-list P is executed, otherwise pattern-list Q is executed. The two while (while 1 and while 2 ) rules define how the while loop works. If the value of expression b is true, the model behaves continuously as pattern-list P. Otherwise, it will finish the loop.
The MP Schema is translated into the Label Transition System (LTS) to perform simulation and verification. The definition of LTS is given as below.
Definition 3 (Label Transition System (LTS)):
Label Transition System (LTS) is represented by a 3-tuple M = (S, init, Tr) where S denotes the set of states; init denotes the initial state which belongs to S; Tr is the transition relation which has the form of (S, e, S ) where e is a leaf event, S and S are system configurations before and after the transition. 
IV. VERIFICATION
The Process Analysis Toolkit (PAT) [15] , [22] , [14] is designed to apply state-of-the-art model checking techniques for system analysis. Our MP model checker is dedicated implemented based on PAT framework to support the MP model analysis and verification. It comes with user friendly interfaces, featured model editor and animated simulator. The user friendly simulator can interactively and visually simulates system behaviors by random simulation, user-guide step by step simulation, complete state graph generation and counterexample visualization. Most importantly, it implements various verification techniques catering for different properties including deadlock-freeness, reachability, Linear Temporal Logic (LTL) properties (with or without fairness assumptions) and refinement checking [20] .
There are two types of properties we are concerned with Logic is a good candidate because the MP model makes explicit use of the events, states and variables. Moreover, the LTL provides a very intuitive and very mathematically precise notation for expressing properties about the Linear Temporal relation between the states/events in execution [7] .
In MP model checker, we implement two searching strategies: Depth-first-search (DFS) and Breadth-first-search (BFS) to support the deadlock-freeness and reachability checking. 
Such properties are very important in demonstrating the normal operations of systems. The integrated LTL formula [21] is defined as follows:.
where p ranges over a set of propositions (formulated via predicates on global variables in MP) and a ranges over the events. Let π = s 0 , e 0 , s 1 , e 1 , · · · , e i , s i , · · · be an infinite execution. Let π i be the suffix of π starting from s i .
A model satisfies φ if and only if every infinite trace satisfies φ. A variety of properties can be expressed in LTL formulaes very concisely. In MP model checker, users can verify LTL properties with or without fairness. Moreover, different levels of fairness are supported including global fairness, event-level strong fairness and weak fairness. Interested readers could refer to [23] and [22] for more details.
V. CASE STUDY AND EVALUATION

A. Modeling and Verifying Radar Weapon System
In this section, we apply our approach to model and verify the Radar Weapon system [6] to demonstrate the MP language as well as the MP model checker implemented in PAT. The Radar Weapon system is described via five components. Each of them represents a subsystem modeled by root event. The five subsystems are Generator, Radar, Weapon, Control and Enemy Missile respectively. The Generator is in charge of supplying power for Radar and Weapon when both of them are deployed. The Radar is responsible for detecting the Enemy missile. If the enemy is detected, it will activate the Weapon. When the Weapon attacks the enemy, it can either hit or miss it. The Control subsystem is used to coordinate the behaviors of Generator and Radar. The Radar must start working only after the Generator is launched. The environment is represented by Enemy Missile which may either approach or hit any of Generator, Radar, or Weapon. If the Generator is hit, the consequence is causing termination of energy production or consumption correspondingly. If the Radar and Weapon are hit, they can be repaired and resume work afterwards. The MP code of this system is given in Figure 12 .
In this system, if the Generator is hit by the Enemy Missile, the deployed Radar, Weapon will get in the critical state of missing the power supply. If the system is in the critical state, the Radar and Weapon should stop working in a real word situation. Therefore, we want to guarantee that after the system entering critical state, the Radar and Weapon cannot be launched anymore. In order to check the designed system, we express the above properties in LTL formulaes as follows:
The first property means whenever the Generator is hit, the Weapon will not be launched eventually. Similarly, the second property means whenever the Generator is hit, the Radar can not be launched eventually. We verify these two properties in MP model checker. Both of the verification are done in the scope of case 2. The verification results reveal that the first property is valid. However, the second property is not satisfied. One counterexample is displayed as follows:
From the trace of the counterexample, we can see that after being hit, the Generator can be repaired and restart work. Therefore the Radar can be launched after the Generator is hit. Whereas, the Weapon On event is simultaneously synchronized by the Radar, Weapon and Enemy Missile. Even if the Radar is launched, the Weapon still cannot be triggered after the Generator is hit. We can modify the system schema by removing the Repair event and the RESTART clause from the Generator root event to make the properties of the system desirable. The modification means that the Generator cannot be repaired after it is hit by Enemy Missile. We continue to verify the above two properties in MP model checker, both of the properties turn out to be valid in this situation.
B. Performance Evaluation
We conducted experiments on the client server, pipe filter and radar weapon system to evaluate the performance. In order to compare with other tools, we model the client server and pipe filter structures both in PAT and Alloy [12] . In case of the client server structure, the property that each request performed by the client will be responded by the server eventually is verified. For the pipe filter structure, the property that data received by one filter is transferred to and dispatched by another filter is checked. 9 number of states in hours. Alloy uses SAT solvers as the verification engine, which is often less scalable for big systems and the performance is highly constrained by the capability of the SAT solvers. The models can be precisely constructed through MP schemas. But in Alloy, users have to explicitly model the relations between events which is complex and tedious.
We further evaluate the performance of our approach through much bigger cases of the radar weapon system. The experiment results is displayed in Table II , where one of the LTL properties that whenever the Generator is hit, the Weapon will not be launched eventually is verified in PAT. The results show that PAT performs reasonably well and can handle large scope cases in short time. Models used in the experiments can be download from the web page http://www.comp.nus.edu.sg/~pat/mp/. PAT can be downloaded from [1] . Note that we compare PAT with Alloy only because there is no other verification support for MP.
VI. CONCLUSIONS AND FUTURE WORK
In this paper, we presented an automated approach for the modeling and verification of MP models in the PAT framework. We first defined the formal syntax and operational semantics of the MP architecture specification language. This language is capable of modeling system and environment behaviors based on event traces, as well as supporting different architecture composition operations and views. Based on the formal semantics we implemented a dedicated model checker for MP in the PAT framework. Finally, we demonstrate the effectiveness of our approach through modeling and verification of client server, pipe filter and radar weapon system. In addition, performance evaluations were presented to measure the scalability of the approach.
In the future, we plan to extend MP language with real-time and probabilistic properties to capture the quantitative time and uncertainty factors of different components in a software system. We will also develop a Graphic User Interface (GUI) to assist the visual design of the software architectures in MP model checker. The GUI should provide diagram representations of the architecture models as well as support the definitions of the formal specifications. In addition, we can further our work via designing an architecture style library which embodies a set of commonly used architecture styles to facilitate the modeling process. Some hot architecture styles such as cloud computing and Service-oriented architectures can be included.
