Software architectures and modular composition help in constructing large-scale software systems. Current programming languages provide only insufficient support for software architecture. "Architectural programming" overcomes the problem of architectural erosion in implementations by integrating concepts of software architecture into programming languages. We present the new programming language JAVA/A as an instance for Java-based architectural programming and show how JAVA/A integrates architectural notions such as components, connectors, and assemblies into Java. A main asset of JAVA/A is its underlying abstract component model which provides the basis for reasoning about software components and assemblies. We give a formalisation of the abstract component model in terms of transition systems and states as algebras, and prove a consistency result for assemblies.
Architecture description languages (ADLs), like Wright, Darwin, or Rapide, provide means to model and analyse both the static and dynamic properties of software architectures. ADL models, however, are mainly employed in the analysis and design steps of the classical software development phases. The implementation step is, at best, only supported by code generation facilities (for an ADL comparison and overview, see, e.g., [11] ). Common implementation environments are not capable of representing architectural notions properly. Thus, a hand-coded implementation from an ADL model inevitably tends to loose its connection to the intended architectural structure during the maintenance steps; the same issue will hold for generated code tampered with by hand when not strictly adhering to the model-driven development discipline. The result is "architectural erosion" [14] .
In order to counter architectural erosion in the implementation and maintenance phases, we propose the inclusion of architectural notions, like components, ports with provided and required interfaces as well as protocols, connectors, and assemblies, into a programming language and we call such a language an architectural programming language.
We present the new programming language JAVA/A [7] as an instance for a Java-based architectural programming language, show how JAVA/A integrates architectural notions into Java, and present the abstract component model which forms the semantical basis underlying JAVA/A. In JAVA/A components are strongly encapsulated behaviours of which only the exchange of messages with their environment according to well-defined provided and required operation interfaces can be observed. Hence, component reuse and replaceability is fostered. The component interfaces are bound to ports which regulate message exchange by protocols and ports can be linked by connectors establishing a communication channel between their owning components. Thus, safe communication can be specified and verified. A set of components whose ports are linked by connectors forms an assembly. The number of ports a component offers, the linkage of ports between components, and the number of components in an assembly can vary dynamically, providing basic means for dynamic reconfiguration. JAVA/A is supported by a compiler which translates JAVA/A programs to Java classes and includes the possibility to check port protocols for compatibilty, i.e., that two connected ports will only exchange messages the communication partner understands, and the trace of messages will not lead to a deadlock.
It may be noted that traditional component frameworks like EJB, JavaBeans, COM+, CORBA, &c. do not qualify as architectural programming languages, since these techniques do not properly support the concepts of (required) interfaces, connectors, and assemblies. However, the inclusion of interface protocols into programming languages has been discussed for quite a long time [20, 13] . On the other hand, ArchJava [1] , an architectural extension of Java, introduces the structural features of architectural programming languages, such as components and ports, into a programming language, but does not give any support for controlling the dynamic behaviour of ports by e.g. port protocols.
A main asset of JAVA/A is its underlying abstract component model which has strongly influenced the design of JAVA/A and which provides the basis for reasoning on assemblies and port compatibility. The abstract component model is formalised using the interface automata approach [2] to I/O-transition systems for describing the observable behaviour and the "states-as-algebras" approach [4] for representing the internals of components and assemblies. In particular, component and port types are modelled as sorts in order to ease dynamic reconfiguration and dynamic creation and deletion. The paper is structured as follows: In Sect. 2, we introduce architectural programming with JAVA/A, present the component metamodel of JAVA/A, illustrate the architectural concepts by an example and show how dynamic reconfiguration at runtime is supported by JAVA/A. In Sect. 3 we present the semantic basis for the main constituents of our component model and give mathematical formalisations of components, ports, and assemblies. As an example of a consistency result, we prove in Sect. 4 that model checking deadlock-freedom of port protocols induces deadlock-freedom of the corresponding assembly, provided that its components correctly refine the respective port protocol state machines. In the remaining sections 5 and 6 we compare our approach with related work and discuss ongoing and future work.
Architectural Programming
The basic idea of architectural programming is to preserve a software architecture throughout the software development process in a decent way. For instance, in the analysis phase the components of an architecture are implied by the system boundaries of a use case model. In the design, architectures may be represented with UML component diagrams or by a model in an architecture description language. In the implementation, an architecture should be implemented in an architectural programming language, like JAVA/A.
After giving a brief introduction to JAVA/A and its features, we illustrate the language by means of a (simplified) Bank-ATM example. Moreover, we discuss the reconfiguration possibilities offered by JAVA/A. Figure 1 summarises the component metamodel of JAVA/A. A component has ports, and each port has a provided and required interface and may have a protocol associated with it to describe the sequence of messages allowed for that port. A component is either a simple component or a composite component. A composite component consists of an assembly which contains components and connectors. A connector links two components by connecting ports they own. In order to support strong encapsulation of components, a composite component is not directly composed out of subcomponents and connectors, instead a composite component is built from an assembly by hiding the internal structure of how the composite component is constructed. JAVA/A extends Java by providing support for these architectural concepts, introducing keywords port, required, provided, simple and composite component, and assembly, and including port protocol descriptions as UML state machines. The JAVA/A compiler transforms JAVA/A components into pure Java code which can be compiled to byte code using the Java compiler. The generated Java classes are integrated into the JAVA/A component framework, which provides general operations that are common to all JAVA/A components, serving, for instance, for reconfiguration support. Each component can be compiled and deployed on its own, since the component's dependencies on the environment are encapsulated in ports. The correctness of an assembly, i.e., that for every connected port the required interface is satisfied by the provided interface of the connected counterpart and their protocols are compatible, can be assured using the UML state machine model checker HUGO [10] , which is integrated with the JAVA/A compiler.
JAVA/A

Example: Bank-ATM
We will illustrate our approach to architectural programming and the programming language JAVA/A by a simplified Bank-ATM example. In this example, a varying number of ATMs may be connected to a bank. An ATM can send an IBAN and a PIN to the bank in order to withdraw money. Then the bank asks a clearing company whether the IBAN together with the PIN is valid. If this is the case the ATM can withdraw an amount of money.
The design of the Bank-ATM system is shown in the component diagram in Fig. 2(a) where the composite component BankATM contains an assembly of three components ClearingCompany, Bank, and ATM whose ports are wired by appropriate connectors. The stacked boxes depicting port BA of component Bank indicates that it is a dynamic port which can have an arbitrary number of port instances. In contrast, static ports (like CB, BC and AB) must have a single instance at any time. Fig. 2(b) shows an admissible system configuration with two ATM instances whose ports (of type AB) are linked to different port instances of type BA. Port protocols are specified with UML state machines. A protocol describes the order and dependencies of messages which are sent and received by a port. Figure 3 displays the protocol of the port BC which specifies that each time the bank sends a message verifyPIN via BC it will wait for either a response pinOK or pinNotOk at the port BC before it can send another message verifyPIN. In lines 2-5 component attributes are declared and initialised. The attributes of the component hold account balances (balance), a queue of verifyPIN requests (pending), the port instance of the currently processed request (current), and a set of port instances with already verified IBANs and PINs (verifieds). In lines 6-44, the ports BA and BC are defined. Each port declaration contains a set of provided operations (forming the provided interface) and a set of required operations (forming the required interface). Provided operations with the keyword signal are asynchronous, all other operations are synchronous. Port protocols are specified by UML state machines which are textually represented using the notation UTE [8] . For instance, lines 30-43 show the UTE represention of the UML state machine of port BC (see Fig. 3 ).
Every operation which is declared in a provided interface of a port must be implemented in the body of the port's owning component. For instance, the operation verifyPIN provided by the port BA is implemented as follows: 
The parameter list of the implementing method is extended by a parameter incoming of the port type BA in order to allow the implementer to distinguish the source of a message in case of a dynamic port with multiple instances. To validate a PIN to an IBAN, the bank uses the clearing company which is connected to the bank at the port BC. Requests to verify a PIN on port BC (l. 16) must be sequentialised to comply with the protocol of BC (Fig. 3) , hence the queue pending is used to keep requests that cannot be processed immediately. In case the port is not connected, the invocation of an operation declared in the port's required interface results in throwing a ConnectionException.
The implementation of the operation pinOk provided by the port BC reads as follows. As the component Bank will always have exactly one port instance of the type BC it is not necessary to extend the parameter list of pinOk by a parameter of type BC. First, the port instance of type BA of the currently processed request which is held in the field current is added to the set of already verified port instances. Next, a message pinOk is sent out via the port instance current. The component BankATM contains an assembly and therefore in l. 3-7 all component and connector types which will be used in the initial configuration and in future reconfigurations are declared (according to the component diagram given in Fig. 2(a) ). The initial configuration (see Fig. 2 (b)) is built up in lines 9-20. The connector type Connector is provided by the JAVA/A framework and realises message transportation with local procedure calls. The framework provides also a SOAP-based RPC connector.
Reconfiguration with JAVA/A
The term dynamic reconfiguration summarises changes to a component-based system at runtime, concerning creation and destruction of components and building up and removing connections between ports. JAVA/A supports each of these reconfiguration variants.
A possible reconfiguration in the Bank-ATM example is the connection and disconnection of ATMs. An idle ATM disconnects from the Bank and reconnects whenever a customer enters his bank card. Figure 4 shows a configuration where one ATM (atm 1 ) is disconnected from the bank. When a customer enters his bank card the ATM executes the following code which realises the (re)connection of an ATM to the bank. The JAVA/A framework provides the operations componentLookUp, getPort, and reconfigurationRequest. The first retrieves a component using its identifier, getPort fetches a port instance from a component, and the last operation sends the reconfiguration request to the containing assembly, which performs the reconfiguration if it approves the request. The class ConnectionRequest is also provided by the JAVA/A framework; its constructor has parameters which indicate the originating component of the request, both affected components and their ports, and the connector to use. If the request is not approved by the containing assembly, a reconfiguration exception is thrown. The other reconfiguration variants are realised in JAVA/A following a similar scheme.
A Semantical Model for Architectural Programming
We present a semantical model for the main constituents of our component metamodel of JAVA/A (see Fig. 1 ). The semantical model uses a states-as-algebras approach [4] for representing the internals of components and assemblies, and the interface automata approach [2] to I/O-transition systems for describing the observable behaviour. Algebraic operation interfaces specify which operations are provided and required by a port. Port protocols are given by I/O-transition systems with input and output labels over the operations the port provides and requires. Note that the semantics does not distinguish between simple components and composite components. The semantics of both, a simple component and a composite component, is a component which is defined through its internal, algebraic state space and the declaration of the ports it offers; I/O-transition systems with input and output labels over the port operations describe the possible component behaviours. The semantics of a composite component is given by first taking the semantics of its assembly and then by hiding the internal structure of how that assembly is built.
Assemblies are given by an internal, algebraic state space and a declaration of the components and connectors between component ports which may occur; the assembly behaviour is again described by an I/O-transition system whose labels reflect the observations on component ports that are not connected and the synchronisation of connected component ports. The internal state of a component stores which ports it currently offers thus providing means for changing ports dynamically; similarly, the internal state of an assembly records the current components and connectors, which may vary over time.
Preliminaries
We first summarise some basic definitions on algebras and I/O-transition systems. In particular, we recall the notion of algebraic signatures, algebras, and reducts, see [19] . For I/O-transition systems [2] , we define relabellings and products.
Algebras
A signature Σ = (S, F ) consists of a set S of sorts and a set F of function symbols f :
If A is a Σ-algebra and X = (x i : s i ) i∈I is an S-sorted set of variables, a valuation ρ : X → A assigns to each variable x of sort s ∈ S a value in s A .
I/O-transition systems
An I/O-labelling (I, O, T ) consists of three mutually disjoint sets of input (or provided) labels I, output (or required) labels O, and internal labels T . An I/Otransition system A = (Q, B, ∆) over an I/O-labelling (I, O, T ) is given by a set of states Q, a set of initial states B ⊆ Q and a transition relation
is the relabelled I/O-transition system over L with respect to λ, written as Aλ.
Two
and A 2 = (Q 2 , B 2 , ∆ 2 ) be I/O-transition systems over composable I/O-labellings L 1 L 2 , respectively. The product of A 1 and A 2 , written as A 1 ⊗ A 2 , is given by the I/O-transition system (Q, B, ∆) over the product I/O-labelling L 1 ⊗ L 2 defined as follows:
Interfaces and ports
Interfaces describe a set of accepted messages by declaring operations over a data signature. Formally, an interface is given by a pair (Σ, Op) of a signature Σ and a set of operations Op over Σ, where an operation op ∈ Op takes the form nm(x 1 : s 1 , . . . , x k : s k ) with nm the operation name and var(op) = x 1 : s 1 , . . . , x k : s k the typed formal parameters with sorts in Σ. A message for an operation op over Σ is a pair (op, ρ) with ρ : var(op) → σ a valuation from the operation's formal parameters to a Σ-algebra σ. The class of messages for a set of operations Op over a signature Σ is denoted by Msg Σ (Op).
For instance, the provided interface of port BA of component Bank in our running example has the signature (S BA , F BA ) with sorts S BA = {int, IBAN, Money} and F BA comprising basic functions on integers, amounts of money, &c.; the declared operations are verifyPIN(iban : IBAN, pin : int) and withdraw(iban : IBAN, amount :
Ports represent the windows of a component, prescribing which messages are accepted at a port by specifying a provided interface and which messages must be understood from a port by specifying a required interface. Thus we define a port signature Σ P to be a pair (I, O) consisting of a provided interface I = (Σ pro P , Op A port declaration P : Σ P consists of a name P and a port signature Σ P . Figure 5 shows an excerpt of a possible I/O-transition system for port BC of component Bank which reflects the UML state machine specifying the port protocol in Fig. 3 . 
Components
A component has an internal data state and declares ports. Formally, a component signature Σ C is a pair (Σ, (P : Σ P ) P ∈P ) where Σ is the state signature of Σ C and (P : Σ P ) P ∈P the family of port declarations of Σ C satisfying the following requirements:
(i) all P ∈ P are sorts of Σ;
(ii) Σ pro P , Σ req P ⊆ Σ for all P ∈ P. Note that the port names used in the port declarations are required to be sorts in the state signatures. This allows for dynamic ports, where each port is represented by an element of appropriate sort given by the port declarations. We write Σ state C for the state signature of the component signature Σ C ; and Ports C for the names of the port declarations P of Σ C . A component declaration C : Σ C consists of a name C and a component signature Σ C .
The behaviour of a component is given by an I/O-transition system. The states of the transition system have the function of control states (cf. [6] ) as they determine the behaviour of the component. A state operator maps each control state to a data state which is an algebra over the state signature of the component. The labels of the transitions are either the internal label or I/O-labels corresponding to the messages sent and received via ports.
The state space State C of a component signature Σ C is given by Alg(Σ state C ). A label for a component signature Σ C and a state pair (σ, σ ) ∈ State C × State C is either (i) an input label p.i/ ∈ Label pro C (σ, σ ) with p ∈ P σ for some P ∈ Ports C and i = (op, ρ) ∈ Msg(Op pro P ) where ρ : var(op) → σ Σ pro P ; or (ii) an output label /p.o ∈ Label req C (σ, σ ) with p ∈ P σ for some P ∈ Ports C and o = (op, ρ) ∈ Msg(Op 
∆.
A model of a component signature Σ C is given by a pair (H, ς) such that H is an I/O-transition system for Σ C and ς is state operator for Σ C and H. The class of models of Σ C is denoted by Mod(Σ C ).
An example of a model for the component Bank is given in Fig. 6 . The control states, q 0 , q 1 , . . . , are shown in the upper part of the state boxes and the associated data states in the lower part.
From an I/O-transition system H = (Q, B, ∆) of a component it is possible to generate the behaviour of the component observable at a given port p of sort P ∈ Ports C as an I/O-transition system over the signature of that port. The states of this reduct of H to p are given by all states of the component in which the port lives. The transitions of the reduct are the transitions from the component where the prefix p. in the labels involving port p is removed and all other labels are converted to internal transitions. The start states include all the start states of the component H if port p exists in these states, as well as the states where p starts to exist.
The reduct of H to p via ς, denoted by H ς p, is the I/O-transition system (Q ς p, B ς p, ∆ ς p) over the I/O-labelling (Label
Connectors
A connector connects two ports. The signatures of the ports connected by a connector are given by the connector's signature. These port signatures need to be compatible, i.e., the provided interface of each port needs to subsume the required interface of the other port.
A connector signature Σ A is a pair (P 1 : Σ P 1 , P 2 : Σ P 2 ), where Σ P 1 = (I 1 , O 1 ) and Σ P 2 = (I 2 , O 2 ) are the left and right port signatures of Σ A such that I 2 subsumes O 1 and I 1 subsumes O 2 where an interface I = (Σ , Op ) subsumes an interface I = (Σ, Op), written as I I , if Σ ⊆ Σ and Op ⊆ Op . A connector declaration A : Σ A consists of a name A and a connector signature Σ A . We write Ports A for the set {P 1 , P 2 } with the port names used in the connector declaration.
Assemblies
Additional to comprising component and connector declarations, an assembly has an algebraic state signature such that the names of components used in the component declarations and the names of the connectors used in the connector declarations correspond to sorts in the state signature. Then components and connectors are represented by elements of these sorts. Similarly to ports, this allows for adding and removing components and connectors to the assembly at runtime.
An assembly signature Σ Γ is a triple (Σ, (C : Σ C ) C∈C , (A : Σ A ) A∈A ) where Σ is the state signature of Σ Γ , (C : Σ C ) C∈C is the family of component declarations of Σ Γ and (A : Σ A ) A∈A is the family of connector declarations of Σ Γ satisfying the following requirements:
(i) All C ∈ C are sorts of Σ;
(ii) for all C ∈ C all port names P ∈ Ports C are sorts in Σ;
(iii) all A ∈ A are sorts of Σ; (iv) for all A ∈ A with Σ A = (P 1 : Σ P 1 , P 2 : Σ P 2 ) there are C 1 , C 2 ∈ C such that P 1 ∈ Ports C 1 and P 2 ∈ Ports C 2 .
(v) for all A ∈ A with Σ A = (P 1 : Σ P 1 , P 2 : Σ P 2 ) there are function symbols π 1,A : A → P 1 and π 2,A : A → P 2 in Σ;
We write Σ state Γ for the state signature of the assembly signature Σ Γ ; Comp Γ for the names of the component declarations C of Σ Γ ; and Conn Γ for the names of the connector declarations A of Σ Γ .
As with ports and components, the behaviour of an assembly is again an I/Otransition system (Q, B, ∆). As with components, there is a state operator mapping each state in Q to an algebra over the state signature of the assembly. In addition, there is a component reduct functor which, given a component c, maps an algebra over the state signature of the assembly to an algebra over the state signature of the component c. The labels of the transition system have the form /, c.p.i/, /c.p.o, and (c 1 .p 1 , c 2 .p 2 ) .m, corresponding to the internal label, to messages i sent by component c via port p, to messages o received by component c via port p, and to messages m, where the sending of message m by component c 1 via port p 1 and the reception of that message by component c 2 via port p 2 are synchronised, respectively. Synchronisation labels can only occur, and are bound to occur, if compatible ports of components are linked by a connector.
Let Σ Γ be an assembly signature. The state space State Γ for Σ Γ is given by Alg(Σ
state Γ
). An element of State Γ is called a configuration. A component reduct operator for Σ Γ is a function ∈ Πσ ∈ State Γ . ΠC ∈ Comp Γ . Πc ∈ C σ . State C . A label for an assembly signature Σ Γ , a component reduct operator , and a state pair (σ, σ ) ∈ State Γ × State Γ is either 
Similarly to the reduct of components to ports in Sect. Let H = (Q, B, ∆) be an I/O-transition system for an assembly signature Σ Γ and a component reduct operator and let ς be a state operator for Σ C , H, and . Let C ∈ Comp Γ and c ∈ {C ς(q) | q ∈ Q}. The reduct of H to c via ς, denoted by H ς c, is the I/O-transition system (Q ς c, B ς c, ∆ ς c) over the I/Olabelling (Label
The reduct of to c via ς, denoted by ς c, is given by λq . (ς(q))(C)(c).
A model of an assembly signature is given by an I/O-transition system H plus a state operator, mapping a state of the transition system to an algebra over the state signature of the assembly, and a component reduct operator, extracting an algebra over the state signature of a component from an algebra over the state signature of the assembly. Each reduct of the assembly to a component is required to be a model of the corresponding component signature. Furthermore, existing ports in a data state of the assembly have to also exist in the data state of exactly one component of the assembly.
A model for the assembly Bank-ATM is shown in Fig. 7 . As with component models, the control states, q 0 , q 1 , . . . , are shown in the upper part of the state boxes, the associated data states in the lower part. The data states are parameterised over the component instances, such that current(b) = null represents the valuation of the attribute current of Bank instance b.
A model of an assembly signature Σ Γ is given by a triple ( , H, ς) where is a component reduct operator Σ Γ , H = (Q, B, ∆) is an I/O-transition system for Σ Γ and , and ς is a state operator for Σ Γ , H, and such that (i) for all C ∈ C and all c ∈ {C
(ii) if q ∈ Q with p ∈ P ς(q) for some P ∈ Ports C for some C ∈ Comp Γ , then there is a unique c ∈ C ς(q) such that p ∈ P (ς(q))(C)(c) ;
(iii) if q ∈ Q with p ∈ P (ς(q))(C)(c) for some P ∈ Ports C for some C ∈ Comp Γ and some c ∈ C ς(q) , then p ∈ P ς(q) .
The class of models of Σ Γ is denoted by Mod(Σ Γ ). For a model M = ( , (Q, B, ∆), ς) ∈ Mod(Σ Γ ), a C ∈ Comp Γ and a c ∈ {C ς(q) | q ∈ Q} we write M c for ((Q, B, ∆) ς c, ς c).
From assemblies to components
As shown in Fig. 1 , the semantics of a composite component is given by its assembly by hiding the internal structure of the assembly, i.e., its subcomponents and connectors. The state signature of the component is given by the state signature of the assembly, and the ports of the component are all the ports of the assembly which are not connected within that assembly. Let Σ Γ = (Σ, (C : Σ C ) C∈C , (A : Σ A ) A∈A ) be an assembly signature, then the corresponding component signature BuildComp(Σ Γ ) is (Σ, (P : Σ P ) P ∈P ) where (P : Σ P ) belongs to (P : Σ P ) P ∈P if (P : Σ P ) is a port declaration in the component signature Σ C for some component declaration (C : Σ C ) of Σ Γ such that P is not a port name in A∈A Ports A . The I/O-transition system of the component determined by an assembly is given by the transition system for the assembly with labels properly renamed, i.e., the component prefix c. is removed from I/O labels and all other labels (i.e., synchronisation labels and the internal label) are mapped to the internal label /.
Let ( , H, ς) be a model of an assembly signature Σ Γ and H an I/O-transition system for Σ Γ . Then BuildComp (( , H, ς) 
Deadlock-free components
Based on the semantical component model, we prove that model checking port protocols, as described in Sect. 2.1, leads to correct results: If the protocols are compatible, i.e., the provided interface of one port subsumes the required interface of the other port and vice versa, and the product of the two port protocol machines is deadlock-free, then a component built from an assembly is deadlock-free provided that the components of the assembly refine the respective port protocol state machines.
Refinement
We first introduce a special notion of refinement of I/O-transition systems which preserves deadlock-freedom and extends the definition of alternating simulation refinement [2] .
Let A = (Q, B, ∆) be an I/O-transition system over (I, O, T ) and q ∈ Q. The internal closure of q, written closure A (q) is the smallest set E ⊆ Q such that (1) q ∈ E and (2) if q ∈ E and (q , l, q ) ∈ ∆ with l ∈ T then q ∈ E. The enabled labels of q are given by the set enabled A (q) = {l ∈ I ∪ O | ∃q ∈ closure A (q) . ∃q ∈ Q . (q , l, q ) ∈ ∆}. The states reachable by an enabled label l in q are given by the set reach A (q, l) = {q | ∃(q , l, q ) ∈ ∆ . q ∈ closure A (q)}; the states reachable by enabled transitions from q are given by the set reach A (q) = {reach A (q, l) | l ∈ enabled A (q)}. The dead states reachable by internal labels from q are given by the set dead A (q) = {q ∈ closure A (q) | ¬∃(q , l, q ) ∈ ∆}. 
Model Checking
Deadlock-freedom of the parallel composition of two finite port protocols can be checked using the UML state machine model checker HUGO [10] . Which additional verification and abstraction techniques to apply to check infinite port protocols is beyond the scope of this paper. For example, the semantics of the UML state machine in Fig. 3 is the I/O-transition system in Fig. 5 , which has infinitely many transitions from Idle to Verifying given by all possible arguments to the operation verifyPin. To apply HUGO to such a system, we may use as an appropriate abstraction the finite state machine in Fig. 9 where all operations are parameter-free. It is easy to see that since the transitions in the original I/O-transition system do not depend on arguments, deadlock-freedom of the abstracted, finite system implies deadlock-freedom of the original system. 
Related Work
Architectural programming languages, and thus JAVA/A, transfer long standing ideas from architecture description languages into programming. ADLs [11] support the modelling and, partially, the analysis of component-based systems; furthermore, some ADLs also provide code generation facilities (see, e.g. [15] ). Architectural programming languages, however, aim directly at the implementation level and the representation of a system architecture in the code preventing architectural erosion in the implementation and maintenance phases. Therefore, APLs can be seen as a complement to ADLs. More recently, ArchJava [1] has been proposed as a programming language integrating architectural concepts into Java, similar to JAVA/A. However, ArchJava lacks port protocols or other abstract means to specify component behaviour. Thus, reasoning about communication integrity is limited to analysis on the interface level. Furthermore, ArchJava does not provide a formal semantics.
A different approach to the implementation of software architectures is followed by the component models SOFA [16] and Fractal [3] and the work by Pavel et al. [13] : The structural definition of components, their ports, and assemblies is separated from the behaviour of these components and assemblies. The implementation of component-based software systems is based on frameworks and development guidelines; SOFA also offers a code template generation tool. However, neither approach integrates architectural concepts into a programming language.
There is a variety of technologies to support the implementation of components. Unlike APLs, ADLs, or component models, these technologies-among them Enterprise JavaBeans, COM+, CORBA [17] -leave the structural aspects of software architectures mostly implicit. Moreover, they do not properly support the concepts of (required) interfaces, connectors, and assemblies.
Conclusions
We have presented the principles of the architectural programming language JAVA/A which supports component-based implementations of large-scale software systems. The formal foundation of the semantics of JAVA/A given by an abstract component model which uses algebras to denote states and I/O-transition systems to model the behaviour of components. In addition to the JAVA/A implementation 2 a prototype 3 serving as a test bed for our semantic model has been implemented in VisualWorks Smalltalk [18] .
Our study provides the basis for challenging, future tasks concerning the consolidation of our component model, the development of a comprehensive specification framework for components and the investigation of correctness notions for component realisations and refinements. For the consolidation of the component model we are particularly interested to integrate complex (n-ary) connectors and to model global reconfigurations and shared objects. Concerning component specifications our approach actually supports the definition of port protocols which focus on the external (black box) views of components. While black-box views are important for the user of a component, glass-box views are important for the implementor of a component. An important issue is to extend our approach to the specification of glass-box views describing the internal behaviour of a component. On this basis we can then define a correctness notion for JAVA/A programs such that a JAVA/A program is a correct realisation of a component specification if it satisfies the required internal behaviour.
