Abstract| Rapide is an event-based concurrent, objectoriented language speci cally designed for prototyping system architectures. Two principle design goals are 1 to provide constructs for de ning executable prototypes of architectures, and 2 to adopt an execution model in which t h e concurrency, synchronization, data ow, and timing properties of a prototype are explicitly represented. This paper describes the partially ordered event set poset execution model and outlines with examples some of the event-based features for de ning communication architectures and relationships between architectures. Various features of Rapide are illustrated by excerpts from a prototype of the X Open distributed transaction processing reference architecture.
I. Introduction R APIDE is an event-based concurrent object-oriented language speci cally designed for prototyping architectures of distributed systems. Such systems typically consist of many components executing independently under various timing constraints. Rapide allows the simulation and behavioral analysis of architectures of such systems at an early stage in the system development process. The primary design criteria for Rapide are 1 to provide architecture c onstructs that permit system architecture to be expressed in an executable form for simulation before implementation decisions are made, 2 to adopt an execution model which captures distributed behavior and timing as precisely as possible, 3 to provide formal constraints and mappings to support constraint-based de nition of reference architectures and testing of systems for conformance to architecture standards, and 4 to address some of the issues of scalability involved in modelling industry system architectures.
In this paper we rst describe in general terms Section II the Rapide concept of architecture. We give a n overview of how Rapide supports the use of architecture as a plan" or framework" that drives the development o f software systems at all stages from design and early prototyping through to validation of production systems.
The architecture de nition features of Rapide are then described in Section IV. These features include the eventbased poset execution model Section IV-A, event patterns Section IV-E, interface t y p es Section IV-B, architecture c onnections Section IV-C, formal constraints Section IV-F and pattern mappings Section IV-C.2. Section V illustrates the use of these features on an example of an industry standard, the X Open distributed transaction processing architecture, expressed in Rapide. The X Open example has been chosen in order to show t h e a pplicability o f Rapide to industrial problems. Section VI uses X Open to illustrate a possible future application of Rapide mappings and constraints to test actual systems for conformance to an executable reference architecture. Finally in section VII we describe some of the related work and sources for Rapide. Many features of Rapide, such a s c l o c ks and time, are not discussed at all in this paper. Some features, such a s the object-oriented type system and pattern constraints, are only discussed in enough detail to understand their application to architecture and the X Open example. The reader is referred to other reports and papers 1 , 2 , 3 4 , 5 for more details. An experimental tool-set for an early version of Rapide is described in 6 . Language reference manuals for Rapide are in preparation and an industry-scale simulator is being implemented. Future Rapide tools will support mappings from systems in other languages to reference architectures in Rapide.
II. Architecture as a Framework for System Development
Object-oriented languages and tools provide a technology for componentalization constructing, manipulating and reusing components of systems. However, what is missing from this technology is a global view" the plan of how the components t together. Rapide is aimed at capitalizing on object oriented methods by using architecture as a framework for composing sets of components into systems. The key phrase is using architecture". There are currently many tools for constructing graphical pictures of architecture. But few, if any, p r o vide capabilities to validate, execute and measure the performance of architectures before the system is built, or to test the conformance of a system to a prede ned standard architecture. To a c hieve these goals an architecture" must be de ned in a form that permits one or more of a variety of automatable analysis techniques to be applied to it, ranging from execution and simulation on one hand, to runtime constraint c hecking and formal proof on the other.
In Rapide an architecture consists of a set of speci-cations called interfaces of modules, a set of connection rules that de ne direct communication between the interfaces, and a set of formal constraints that de ne legal and or illegal patterns of communication. An interface is a de nition of the features e.g., functions or actions provided to the architecture and required from the architecture by modules that conform to the interface. Section IV-B presents the Rapide language features for describing interfaces. An interface may c o n tain an abstract de nition of the behavior of modules. Behaviors are de ned by executable reactive rules. Typically, a n i n terface behavior speci es relationships between data received and data generated by a module. By omitting algorithmic details from the behavior, many di erent m o d u l e s m a y satisfy an interface. Connections de ne either synchronous or asynchronous communication of data between interfaces, also in a simple reactive executable form. Section IV-C describes the Rapide features for de ning connections between interfaces. Formal constraints specify restrictions on various aspects of interfaces and connections e.g., ordering of communication, relations between data, etc. Rapide language features for formal constraints are described in Section IV-F.
These architecture constructs have a n e v ent-based execution model, called the poset model, explained below. Interface behaviors execute by w aiting to receive certain sets of events and then reacting by generating new events. An interface de nes the visible event activity of modules and hides what goes on inside. Connections de ne how e v ents generated at some interfaces cause other events to be received at other interfaces. Again, connections are de ned by simple reactive rules. Constraints place restrictions on event activity, both in interfaces and over the set of connections. Constraints are checkable | i.e., poset executions can be checked for constraint violations. Figure 1 shows a system of modules connected through its architecture. The shaded parallelograms represent i nterfaces, the thick lines represent connections and the boxes represent modules. The architecture is shown as the set of interfaces and connections; the system is shown as the set of modules wired together by the architecture. The system in Figure 1 di ers from a program written using Ada packages or C++ classes in that the modules communicate only if there are architecture connections between their interfaces. In rapide the architecture is de ned before the modules are written. It is a framework for composing modules, and it also constrains the communication between the modules of the system.
If the system is written in Rapide the reader may i m a gine it executing by e v ents owing up from the modules to their interfaces, along the architecture wires to other interfaces, and down into the receiving modules, and so on. Each module and connection can execute independently and concurrently. The events at each i n terface must satisfy the constraints in that interface, and the events at all interfaces must satisfy the architecture constraints.
The architecture in Figure 1 i.e., the interfaces and connections can be written in Rapide to support di erent analysis methods. It can be executable to allow s i m ulation, or it can be a purely constraint-based de nition of the set of allowable behaviors of the system, or it can be written to allow both simulation and constraint c hecking. Some of the intended applications of Rapide architecture features and tools in developing large scale distributed systems are described in the following three sections.
A. Using Architectures to Monitor System Development.
An architecture is a template for a family of systems. An interface in an architecture can be assigned a module conforming to that interface. The resulting architecture is called an instance of the original one. As an analogy, architectures can be viewed as printed circuit boards in which i n terfaces play the role of sockets into which c o mponent module chips can be plugged, and connections play the role of wires between the sockets. Figure 1 depicts a fully instantiated architecture in which e a c h i n terface has been assigned a module.
Rapide tools allow the gradual instantiation of an architecture, module-by-module, into a system. One may start with the architecture in Figure 1 and gradually develop the fully instantiated system. The architecture and each instance can be executed and analyzed. The language denes the conformance rules by means of interface types and constraints that determine which modules may be plugged into which i n terfaces. Whenever a module is assigned to an interface, it becomes the executable component and the behavior in the interface is a constraint o n t h e b e h a vior of the module. The conformance of a system to its architecture is checked by tools; some checking is done at compile time e.g., type checking and other checks are performed when a system is executed e.g., constraint c hecking.
Architecture execution also called simulation together with conformance checking can be applied throughout system development, e.g., i to do early prototyping of the architecture to test consistency of the interfaces and connections, and to discover various aspects of the architec-ture's behavior e.g., concurrency, resource contention, and timing, ii to test that each module performs according to its interface speci cations, and iii to test that communication in an instance satis es the architectural constraints. Examples of simulation and conformance checking using current Rapide tools are given in Section V. Future Rapide tools are planned which w i l l a l l o w m o d u l e s to be programmed in various languages such a s V erilog 7 , Ada 8 , or C++ 9 and plugged into architectures de ned in Rapide. Architectures are particular kinds of module in Rapide. Therefore an architecture can be assigned to an interface as a component of another architecture. This provides a simple capability t o d e v elop a hierarchically structured architecture rather than one at communication structure.
Rapide architectures are not restricted to the static hardware paradigm. Connection rules are de ned using event pattern matching Section IV-E. This provides the expressive p o wer to de ne both static and dynamic architectures. A static architecture has a xed number of components and the conditions under which they communicate do not vary | the printed circuit board example. A dynamic architecture may contain varying numbers of components and the conditions under which they communicate can vary | an air tra c control system is an example of a dynamic architecture with varying numbers of aircraft and communication conditions.
B. Simulation and Analysis of Distributed Systems
One of the important features of Rapide is the kind of result generated by simulation. A Rapide architecture simulation is the set of events that are generated together with the causal history of the events and their timing. Since causality and timing are partial orders on the events, these executions are called posets partially ordered sets of events. Causality b e t ween events results from an interface behavior or module or from a connection | some events received at an interface, module or connection cause others to be generated. Causal dependencies between events provide an accurate record of the behavior of an architecture of a distributed or concurrent system. Often, causal dependencies are critical data in detecting problems that could not be detected using event traces produced by presentday e v ent-based simulators. Moreover, formal constraints in Rapide can specify event dependencies which cannot be speci ed by constraints on a sequence of events. Section IV-A describes the Rapide POSET execution model and Sections IV-F, V give examples of constraints involving event dependencies. The general theory of posets is treated in 10 , 11 , 12 , and e cient implementation of poset simulators is discussed in 13 .
C. Reference A rchitectures
A prominent issue with industrial standards is to develop technology for validating or verifying systems for compliance to standards. A reference a r chitecture, g e nerally speaking, is a precise or formal de nition of an industry standard architecture. If a system is claimed to be compliant with a given reference architecture it is called an instance architecture.
Reference architectures in Rapide rely heavily on constraints to de ne the bounds on acceptable system behavior. In addition, Rapide provides event pattern mappings to de ne how a system is related to a reference architecture. For reasons discussed below, event pattern mappings provide a very general way of de ning relationships between architectures. Essentially, e v ent pattern mappings are used to de ne mappings of executions of an instance architecture into executions of a reference architecture. The mapped executions can be checked for conformance to the reference architecture's constraints. A system builder supplies both the supposed instance and the mappings de ning how i t s executions are to be interpreted as executions of the reference architecture. If constraint violations occur during testing, then either the mappings are incorrect or the instance does not conform to the reference architecture.
In general, the mapping features to support this use of reference architectures mu s t b e a b l e t o c o p e w i t h i nstances that di er widely from the reference architecture e.g., there is no one-to-one correspondence between components or connections. Indeed, the same problem | widely di ering architectures | occurs between architectures for the same system at di erent levels of abstraction in hierarchical design.
Relationships between architectures can be de ned by Rapide event pattern mappings Sections IV-C.2 and VI which allow one to map posets of events in one architecture into posets in another. This is a powerful feature for relating architectures which m a y possibly di er widely so that, e.g., many sets of events in one might correspond to a single event in the other. Event pattern mappings were rst used experimentally on VHDL simulations in 14 .
D. Issues
One of software architecture's major goals is to enable the construction of very large system architectures. Scalability i s o b viously of prime importance. For example, large numbers of connections, dynamic creation of components and dynamically selectable connections, support for a hierarchical design process. Others issues relate more to the process of constructing architected systems:
testing and validation of partially instantiated architectures, exibility in allowing modules to be assigned to interfaces, interoperability with other languages. Rapide's approach to some of these issues will be outlined below b y means of the not completely trivial X Open example. It is fair to say that these issues are still subjects of active research a n d Rapide's approach m a y c hange or be extended in the future.
III. A Distributed System Architecture
We illustrate the specifcation and analysis of system architecture in Rapide using the X Open distributed transaction processing DTP standard. The X Open DTP standard architecture is described in a series of publications of X Open Ltd. 15 , 16 , 17 , 18 . The standard describes a particular set of component i n terfaces, and sequences of interactions between the components. Components may b e v arious application programs, resource managers such as databases, le systems, mailers, etc. and transaction managers. The purpose is to de ne a standard communication architecture through which m ultiple application programs may share resources while coordinating their work into transactions which appear to be atomic. Transactions, which m a y execute concurrently, can contain many operations on resources. Atomicity means that after a transaction executes, either all or none of its operations take e ect.
The X Open description is informal, consisting of English text together with interfaces given in C. The important features of the standard are 1 the interfaces, 2 the architecture the ways of connecting together components which satisfy the standard, and 3 the protocols calling sequences for using the interfaces. The calling sequences are described in terms of a single thread of control and C function calls. Many di erent systems with various applications and resources may satisfy this standard. Ones that do are hopefully easier to combine together, thus promoting the goal of open" systems.
Overall, the X Open DTP documents total 900 pages. Even so, the standard attempts to ensure only the atomicity property of transaction systems, and does not so far address the other ACID properties consistency of states, isolation of transactions, and durability under failures 19 . A simple version of the X Open architecture 1 consists of one application program AP, one transaction manager TM, and one or more resource managers RMs connected together as shown in Figure 2 . The boxes indicate the component i n terfaces, and the lines indicate the communication between them. The label TX indicates a complex connection and protocol de ning communication between any application module and any transaction manager. The TX connection contains connections between nine functions for initiating and nalizing transactions. Communication is always initiated by the application and then enters a series of calls back and forth until communication is completed. Similar complex connections exist between the application and every resource the AR connection, and between the transaction manager and every resource manager the XA connection. The XA connection involves the well-known two-phase commit protocol for ensuring atomicity.
This example contains a sizeable numberofinterface constituents and fan-out" connections, and interesting protocol constraints. It enables us to illustrate some of the Rapide solutions to scalability issues raised in Section II. 1 X Open calls this architecture a local instance architecture.
In the remainder of this paper we g i v e a n o verview of Rapide with examples drawn from the X Open model, and summarize some of the results of analyzing the Rapide model.
IV. Overview of Rapide
Rapide consists of ve major parts: the types language for describing the interfaces of components, the architecture language for describing the ow o f e v ents between components, the speci cation language for writing abstract constraints on the behavior of components, the executable language for writing executable modules, and the pattern language for describing patterns of events.
The ve parts or sublanguages" satisfy certain compatibility requirements e.g., they have the same visibility, scoping and naming rules, and underlying execution model. However, Rapide is de ned in a modular manner such that each of the ve parts can be studied and learned separately, a n d e a c h can be changed in many w ays without requiring changes to the others.
In this section we rst give a n o verview of the poset execution model, and then give a b r i e f o verview of each o f the sublanguages. In each case we indicate in general terms how they support modeling and specifying architectures of distributed systems by means of posets using X Open as a source of examples.
A. POSET Execution Model
Executing a Rapide architecture or its instances produces a poset that represents the dependencies between events Section II-B. 2 By contrast, other concurrent event-based simulation languages, such as VHDL, have e xecutions that are linear traces of events that do not encode dependency between events. In fact, there may b e s e v eral orderings over the events in a poset, timing being another one.
When an architecture executes it generates a poset which is observed, and reacted to, by a set of processes. E a c h of the architecture's components may consist of multiple processes. A Rapide process may b e a behavior transition in an interface behavior, a connection in an architecture, or a process in a module. A process is a single thread of control. Rapide processes may a wait the generation of a set of events, and react execute some code in response to the generation of those events. Dependency between events results as follows:
An event B depends on an event A written A ! B if:
1. A and B are generated by the same process and A is generated before B. Processes are sequential. 2. A process observes A and then generates B. 3. A process generates A and then writes to a variable v.
Another process reads v before any i n tervening write to v, and then generates B. Intuitively, i f a n e v ent B depends on an event A, then A must have happened before B B depends on A. Alternatively, A causes B.
For the sake of brevity, w e purposely avoid details such as the precise de nition of what it means for a process to observe e v ents. Intuitively, a process has available to it a poset. A process contains an event pattern called its trigger. The trigger describes subsets of interest in the poset. When such a subset is observed, the trigger matches the subset, the process reacts to it, and generates a new poset. The execution of the process then repeats, observing and reacting to further events, until some termination condition is reached.
Other orderings express timing between events with respect to each clock in the prototype. A consequence of the rules of time and dependency is that there is a consistency relation between dependency order and time orders: an event cannot occur earlier by a n y clock than an event that it depends on. Because timing is not used in our presentation of the X Open model, we will not discuss timing and clocks further in this paper.
Events are generated by executing calls to particular constructs in Rapide that model communication between modules. Such constructs include actions that model asynchronous communication b e t ween modules, and functions that model synchronous communication between modules. An event contains information such as the process and module generating the event, the name of the operation being invoked, data being passed, the event's place in the dependency order, and time intervals duration of the event with respect to various clocks.
Consider a graphical picture, Figure 3 , of a small part of the execution of X Open. Nodes represent e v ents and are labeled with action names. Edges depict the dependency relation between events; there is no temporal ordering given in this depiction.
Notice rst that pairs of xa prepare call and xa prepare return events form a linearly ordered chain. This would happen, for example, if a single process reacted to the xa prepare call and generated the xa prepare return as actually occurs in this example. Next, notice that each x a prepare call event depends on the tx commit call event, but that the xa prepare call events are not dependent o n e a c h other. They could execute in any order or concurrently. This could result, for example, if two processes both reacted to the tx commit call event and each generated an xa prepare call.
This example shows how posets represent true concurrency. The partially ordered execution in Figure 3 is equivalent to a set of linear traces, each trace being a possible output for the same input by a trace-based prototyping system. The linear order in each such trace must be consistent with the partial order. Two example linear orders are given in Figure 4 . Figure 4 , one might be tempted to hypothesize that one xa prepare call event has to happen before the other.
Since prototyping is an experimental activity, it is essential that prototypes of concurrent systems yield as much information as possible. For this reason, we h a ve adopted the poset model of execution to support simulation and analysis of architectures Section II-B. However, the use of posets involves dealing with two problems, since the amount of information in posets is potentially very large: i e cient implementation methods must be found, and ii useful analysis tools must be developed. The rst problem is beyond the scope of this paper, but is addressed in 22 , 13 . A graphical, interactive partial order browser with extensive query capabilities was developed to address the second problem 6 . Additionally, the linguistic tool of machine-checkable formal constraints, as discussed in Section IV-F, greatly aids analysis.
B. Types language
A system component consists of two separate parts see, e.g., Figure 1 : an interface de ning those features through which i t i n teracts with other components, and a module that either encapsulates an executable prototype of the component, or hierarchically de nes the component a s a n architecture of other components. Component i n terfaces are de ned in the types language; modules may be de ned in the executable language for general implementations or the architecture language for hierarchical architectures.
The types language supports both object-oriented and abstract data type styles of de ning interfaces, and multiple inheritance methods of reusing old interfaces to de ne new ones. Subtyping of interfaces is based on the idea of substitutability. An existing component m a y be replaced by a new one if the ty p e o f t h e n e w c o m p o n e n t i s a s u btype of the existing component. Automated checking of correct use of subtypes is based on the form of interfaces similar to structural type-checking rather than the use of type names as in, say, P ascal or Ada. The overview of the types language presented here will be limited to those features necessary for understanding its use in the X Open example in this paper. The reader is referred to 1 , 23 , 24 for more details.
An interface de nes a type. The objects or values of the type are the modules that satisfy the interface. Informally, a module satis es an interface if it de nes all the items declared in the interface. There may be many m o dules with di erent i n ternal implementations that satisfy the same interface. Static semantic analysis of modules for conformance to interfaces is the rst line" of analysis for correctness of architecture instances, and is performed by the Rapide semantic analysis tools at compile time Section II-A.
Interface types are declared using the following syntax 3 : Interface declarative items consist of type declarations, derivation declarations, function declarations, and action declarations. The visibility of constituents depends on whether they are declared in a public, extern, or private part. Public constituents are those provided by modules of the interface type for use outside the module. Public actions are similar to input ports in HDLs. Extern constituents are those that the module calls and assumes are provided by other modules in the containing architecture. Extern actions are similar to output ports in HDLs. An architecture must bind the constituents named in the extern part to modules. Private constituents are provided by t h e module, but are only visible to other modules of the same type.
As a rst step in constructing X Open Figure 2 , one would begin with very primitive v ersions of its interfaces, such as this :
type Application is interface extern action Requestp : params; public action Resultsp : params; end Application; This interface type speci es a particular capability o f an Application module i.e., a module having this interface as its type to make requests for wo r k t o b e d o n e b y t h e transaction and resource managers, and to receive the results. The interface speci es that an Application module must provide a Results action to the outside world. Connections in the containing architecture called a parent c a n call this action and generate events which a n Application receives and observes. Also, the interface speci es an extern action Request which Application modules can call; such calls generate request events which the parent a r c hitecture receives and can pass on to other components by m e a n s o f its connections.
An interface may contain constraints written in the speci cation language. Interface constraints de ne the visible behavior of modules, and can be viewed as a visible contract" between modules of that type and other modules. More important for our discussion, interface constraints can be used to automatically check the poset computations of modules. This provides runtime detection of violations of interface conformance by modules as part of checking architecture instances for correctness Section II-A. Constraints are described further in Section IV-F.
Types may be parameterized, in which case they are type constructors. When a type constructor is applied to appropriate arguments the result is a type. Common types and constructors e.g., integer, array, and record typically seen in Algol-style languages can be de ned in Rapide as interface types or type constructors. A standard preamble de nes a typical set of such t ypes and type constructors in this manner see 25 .
Interfaces can reuse or inherit constituents of previous interfaces using a derivation declaration. In most objectoriented languages inheritance implies derivation of both interface and implementation. Inheritance in Rapide interfaces di ers in that it does not imply code reuse| inheritance of implementation is separate from inheritance of interface. The CORBA IDL 26 is an example of another interface language that separates inheritance of interface from inheritance of implementation.
B.1 Behaviors
Interfaces may c o n tain a behavior part, written in the architecture behavior language. A behavior is a state machine like constraint on the execution of modules of the interface type.
The di erence between constraints written in the specication language and a behavior is that a behavior is written in a structured, restricted form that permits the Rapide tools to synthesize an implementation satisfying the behavior. If an object is declared to be of an interface type, and no module is given for the object, the Rapide tools can synthesize a module from a behavior in the interface. If a module is provided e.g., by writing one in the Rapide executable language, the execution of the module is checked against the behavior e.g., the behavior is used as a constraint. Speci cation language constraints are more general than behaviors, and can be satis ed by m a n y di erent implementations. Executions are checked for constraint v iolations by the current t o o l s .
A b e h a vior consists of of a set of transition rules. A transition rule has two parts, a trigger and a body. I n tuitively, a transition rule is similar to a nite state machine transition rule. When the trigger occurs, the body is executed, transitioning to the next state. In the case of Rapide the trigger is an event pattern Section IV-E describing a poset to observe. The body is a pattern which describes a set of events to generate in response to the trigger.
For An architecture is a module of an interface type de ned by t h e return type expression in the syntax below. It declares a set of components interfaces, possibly with modules assigned to them and a set of connections between extern and public constituents of interfaces of components.
As a result of a connection, i events generated by o n e module cause events to be received at another module, or ii functions called by one module are executed by another module. In this way, architectures de ne data ow and synchronization between modules using only their interfaces.
Similarly, a n a r c hitecture can also de ne connections between its own interface constituents and its components' interface constituents. The simplest kind of connection relates two patterns. Whenever events or function calls happen at some components' extern interfaces that match a connection's left side pattern, it reacts or triggers; placeholders are bound to their values in the match see Section IV-E, thus de ning an instance of the right side pattern; the connection causes the events or function calls in the right pattern instance to be generated at other components' public interfaces. A connection thus de nes a causal ow o f e v ents between sets of components, or remote function calls between components. A connection can also relate events happening at the interface of the architecture to events at its component's interfaces, and conversely thus de ning data ow into and out of the architecture. Connections trigger and execute concurrently.
For example, a second step in developing X Open might be to connect an Application interface to a Resource interface Figure 2, The functions are declared in the interfaces of AP and RM. The functions must be type-compatible 1 . This connection has the e ect that whenever AP calls its external function, the call is aliased to a call to RM's public function with the same arguments; the return values are returned to AP as the result if its call. A crucial point is that any connection depends only upon the interfaces of component modules of a system, and not upon the actual modules that might be implementing those interfaces see Figure 1 . Rapide architectures are communication networks, de ned independently of actual implementations.
The use of patterns in connections provides a powerful feature for specifying both static and dynamic connections between components see Section II-A. Often, communication between sets of components in a system can be speci ed by a single Rapide connection. For example, to connect Application modules to a number of Resource modules as shown in Figure 2, Application and ?M type String A pattern matches some subset, S, of a poset if, when each existential placeholder is replaced at all of its occurrences in the pattern by t h e same value, the pattern matches S. Placeholder declarations appear within patterns so the replacement c a n b e restricted to subpatterns.
Placeholders beginning with !" are called universal placeholders because of their similarity to the logical quanti er 8. U n i v ersal placeholders represent a set of objects of the type of the universal placeholder. They are often used on the right-hand side of connections to express fan out. Here !R names all Resources. On the right-hand side of the connection, the jj" operator in the !R placeholder declaration indicates that the generated Receive events should be causally independent of each other. Each Receive event i s d e p e n d e n t u p o n t h e Request event that triggered the rule, but is independent of any of the other Receive events. Details of the seman-tics of triggering and execution of connection rules, e.g., in presence of concurrent Request events, can be found in 3 .
Large xed architecture structures can also be created using generate statements. Often related constituents in an interface can be grouped into disjoint sets. For example, an Application in X Open has a set of constituents for interacting with Transaction Managers the TX set, Figure 2 and another set for interacting with Resource Managers the AR set. Interface constraints relate members within a set, but the two sets are almost independent. It is convenient to structure such i n terfaces into separate sets of constituents so that it is clear how i n terface constraints apply. But more importantly, w e can capitalize on this structuring of interfaces to de ne large numbers of connections correctly in large architectures.
In Rapide complex interfaces can be structured into sets of related constituents called services. An architecture can connect together dual services in component i n terfaces.
Such a connection denotes sets of basic connections, one between each pair of constituents with the same name in the two services.
Consider Mappings provide a powerful feature for de ning relationships between pairs of architectures, or between systems i.e., instances of architectures and architectures. They support automated checking of systems for conformance to reference architectures Section II-C, and consistency checking of architectures at di erent l e v els in a design hierarchy.
The main idea in mappings is to de ne how e v ents in one system correspond to events in another. In many cases, there is quite a wide di erence between systems. For example, when two systems are at di erent levels of abstraction many e v ents in one may correspond to just one event i n the other as is often the case in hierarchical design. Patterns provide the necessary expressive p o wer to de ne these kinds of mappings.
Syntax of the map construct is: results in a system which executes by transforming posets of events generated by X into posets of events of Y which are then checked against the constraints of Y. Y itself does not execute. Events are mapped from the execution of X and treated as if Y had generated them. In Section VI, an example is given showing the use of maps to relate a particular system to the X Open reference architecture, and to test whether the system satis es the formal constraints of X Open.
D. Executable language
The executable language provides concurrent, reactive programming constructs for writing modules. Modules are de ned by a set of processes that observe e v ents and react to them by executing arbitrary code that in turn may generate new events. Modules are a general construct for encapsulating the implementation o f a c o m p o n e n t. Consequently, modules can be either values of a small" type such a s I n teger, or values of a large" type such a s a m ultithreaded subsystem.
Because the focus of this paper and the X Open example is on the architecture features of Rapide, not the general reactive programming features, we will not describe the executable language further. The reader is referred to 2 and 4 for more information. A basic pattern is simply the name of an action, with optional parameter associations. For example, the basic pattern Send a" is only matched by Send events whose rst parameter is the string a".
The pattern operators have the following informal semantics: dependent: P , P 0 . A match of patterns P and P 0 where all of the events which m a t c hed P 0 depend on all of the events which m a t c hed P.
both: P and P 0 . A match of patterns P and P 0 . distinct: P P 0 . A match of patterns P and P 0 where all of the events which m a t c hed P are distinct from the events which matched P 0 .
either: P or P 0 . A match of pattern P or a match o f pattern P 0 .
independent: P jj P 0 . A m a t c h of patterns P and P 0 where none of the events which m a t c hed P are dependent o n a n y of the events which m a t c hed P 0 and vice versa. equivalent conjunction: P = P 0 . A match for P that is also a match f o r P 0 .
iteration: P^iterexp op w h e r e iterexp is one of zero or more, + one or more, or n exactly n copies of P , each copy being related to the others by op, which i s a n y of the preceding binary operations.
restriction: P where E. A match of pattern P where the boolean expression E is true. The expression is evaluated when the last of the events matching P is received.
temporal restriction: P duringm; n. A match for P where all the events of the match start and nish within the time interval m to n, inclusive. As an example, consider the pattern xa prepare ret jj xa commit call This matches two subsets of the poset in Figure 3 . The two matches are indicated in Figure 5 by surrounding the set of events in each match with dashed and dotted lines respectively. Each match consists of an xa prepare ret event and an xa commit call that are independent. The speci cation language uses a combination of algebraic constraints and pattern constraints. Algebraic constraints are similar to those appearing in 30 , 31 , 32 and so will not be discussed further here.
A constraint placed in an interface constrains visible executions of modules of the type. Constraints may also be placed in architectures, where they constrain the internal execution.
Constraints in an interface include constraints on parameter values of the interface functions and actions, algebraic constraints on the abstract state of the interface, and pattern constraints on the posets of events that can be generated and observed from the interface. Interface constraints provide a contract specifying i how to use a module of that type e.g., by constraining parameter values of public functions, or posets and timing of events that it can receive as a consequence of calls to its public actions, and ii what a module of the type promises to do e.g., by constraining parameter values of extern functions, and posets and timing of extern events that it can generate.
An This constraint implies that all, and only, messages taken in are delivered. We explain it as follows. The only kinds of events visible at the Resource's interface are Receive a n d Results. They are constrained to occur in dependent pairs as indicated by , ", any n umber of these pairs may occur as indicated by ", and the Results of a pair has the same parameter as the Receive as indicated by ?S". Further, these dependent pairs of events must themselves Constraints inside a module constrain the internal computation of the module. This could be an architecture of component modules. Thus constraints can be used to specify data ow b e t ween modules.
Formal constraints can be applied in many w ays in prototyping, e.g., design capture in the process of re ning system designs, formal de nition of component i n terfaces, and automated analysis of a prototype's behavior for violations of speci cations. The Rapide model has several advantages over the published X Open standard Section III. First of all, it is a precise formal model of the architecture: the component interfaces, communication between the interfaces, and constraints on that communication protocols. Secondly, b ehaviors can be included in the interfaces of the Rapide architecture so that it can be executed alternatively, t h e interfaces can be assigned modules. An executable architecture together with runtime checking of behaviors for conformance to constraints, provides a powerful simulation and analysis tool. It can be used to explore properties of various alternative f o r m ulations of the standard's constraints | e.g., the accuracy of the constraints to detect errors involving event dependencies, consistency of the constraints, and their correctness with respect to the intentions of the standard. Thirdly, as will be shown when we illustrate pattern mappings, it can be used as a reference" to check conformance of other systems to the X Open protocols thus the term, reference a r chitecture.
Broadly speaking, a simple method has been used to formalize the X Open standard as a Rapide reference architecture. i Interfaces in the X Open description are formalized as interface types in Rapide. ii English descriptions of calling sequence protocols are formalized as connection rules and pattern constraints in Rapide. 4 A. Rapide X Open Interfaces Interfaces for the application program AP, transaction manager TM and resource managers RMs are structured into services see Figure 2 . The TX service is shared" between the TM and the AP in the sense that their interfaces contain respectively public and extern services of type TX, and the architecture connects those services. Similarly the AP shares an AR service with each o f the RMs, and the TM shares an XA service with each o f the RMs. Next we describe each of these services.
A.1 Service Interfaces
The TX service 16 speci es the communication between any AP and the TM. An AP can call the TX service constituents in its interface to open and close RMs, and begin, commit or rollback global transactions. These constituents will be connected to dual constituents in the TM's interface Section IV-C.1. In our example, we represent these capabilities as pairs of actions thus modelling the interactions betwe e n a n A p a n d a T M b y a s y n c hronous communication. Communication is initiated by the AP; i.e., all call events e.g., open call are generated by the AP. It will receive back a return event e.g., open ret from the TM. Dual TX services appear in the AP and TM interfaces, a public copy in the TM interface, and an extern copy in the AP interface. Consequently processes to react to call events must all be provided by TM modules and processes to react to return events must be provided by A P m o d u l e s . Here we h a ve made some simpli cations of the actual Rapide TX interface 33 , such as reducing the number of arguments in actions, and elements in the enumeration type, return code, which de nes error statuses. Each call event results in a return event with an error status.
The X Open standard uses transaction identi ers or xids to associate individual operations with a global transaction. An xid is a string which identi es a global transaction. 5;6 When the application requests to begin a new transaction by generating a begin call event, the transaction manager response should be a begin ret event containing a fresh xid. The application will use the xid x when it makes requests to the resources to identify the transaction associated with the request. To conclude transaction x, the application may commit by calling commit callx or abort by calling rollback callx. The application receives the results of the commitment or rollback via the commit ret and rollback ret events. The AR service speci es communication between the AP and the RMs. In this paper we m a k e a simplifying assumption that this is the same for all RMs, and that the communication is by a pair of actions Request and Results. The essential detail is that the xid is a parameter; other parameters are omitted. Each RM has a public service of type AR, and the AP has a matching extern service for each RM.
type AR Service is interface public action Requestx : xid; extern action Resultsx : xid; end AR Service;
A.2 Component I n terfaces
The interface types for APs, TMs, and RMs are structured into sets of the services, TX, XA, and AR Figure We omit discussion of constraints and behaviors for the resource manager interface.
A transaction manager has a public TX service for communication with the AP, and a set of extern XA services, one for each RM. Thus the TM interface is de ned in Rapide An abstract behavior for the transaction manager in-cludes a simple prototype implementation of the two-phase commit protocol using behavior transition rules see Section V-E.
The communication by the transaction manager through its XA interfaces is subject to a numb e r o f i n teresting constraints that logically imply requirements of the X Open standard. These constraints, such as the coordination constraint described in Section V-D, require dependencies between certain events.
A.3 Representing Functions by Actions
In these examples the C interface functions described in the X Open standard are represented as pairs of actions, a call and a return action. Actions model asynchronous communication and allow more parallelism in the formal model than functions which model synchronous communication. If needed, blocking to await the return event can be specied by constraints. These pairs of actions may be coupled together in a service with the constraints: type f servicetype params; type rc is interface public action callp:params; extern action retp:params; r:rc; end; By using paired actions and constraints we can formally specify precisely parallelism that could be allowed by t h e standard and eliminate any unnecessary dependence upon C semantics. The service interfaces above can be structured into sets of f service services, one for each pair of actions.
B. Rapide X Open Architecture
The X Open architecture declares objects with these interfaces its components and the connections between them. The return type of the architecture, called X Open, is a user interface and is not discussed in our examples. The architecture shown here does not assign any m o d u l e s to its interfaces. It can be instantiated by assigning to the interfaces in their declarations modules that are of the interface types. This allows gradual instantiation see Section II.
The architecture of Figure 6 speci es the X Open architecture illustrated in Figure 2 . There is one AP, o n e TM, and a set of RMs. The connection rules connect dual services in di erent i n terfaces. The rst connection is between the TX services in the application and transaction manager. This service connection is shorthand for a set of basic connection rules as explained in Section IV-C. end architecture X Open Architecture; When the architecture is called with a parameter value for NumRMs a module containing an AP, a TX, NumRMs copies of RM, and the connections is elaborated and starts execution. Each component receives a single start event from the runtime system which can trigger its interface behavior or any module assigned to it. For example, the application program can have a b e h a vior which is triggered by start and then generates transactions. A user can also interact with the X Open module through its interface. 7 The components and connections then execute by triggering on events and generating events. They execute independently unless programmed to synchronize. The result is a simulation consisting of a poset of events such a s i n Figure 7 . Constraints in the interfaces are checked for violation by e v ents at those interfaces, and constraints on the architecture are checked for violation by all the events at all of the interfaces.
One of the architecture constraints for X Open is atomicity. A tomicity of transactions requires that the e ects of all of the operations on RMs must be made permanent commitment, or that all of the e ects of the transaction must be undone rollback. 8 Atomicity is expressed in the Rapide architecture as a constraint on the behavior of all RMs in the architecture. It states that a xid, ?x, should never be an argument o f a c o m m i t ret event and a rollback ret event. Such e v ents could be generated by a n R M calling one of its XA commit ret actions in its interface, and also an RM possibly a di erent one calling one of its XA rollback ret actions. If the event b e h a vior of the arhcitecture satis es atomicity, a n y transaction is always either committed by all RM's or none.
C. Simulation Figure 7 is an execution of an X Open module with two resource managers resulting when the application program's behavior generates some transactions. 9 The center column shows events generated by the AP or TM using the their TX service, while the right and left columns have e v ents received or generated by t wo resource managers. The pre xes, xa etc., denote the service involved.
A T X begin call event from the AP to the TM causes it to generate XA start calls with a new xid to the two RMs. The start rets from the RMs are received by t h e TM, which then generates a TX begin ret to the AP with the xid. The AP then enters the transaction with the RMs using the AR requests center of poset, shown as ar request and ar results events. These events are all dependent u p o n the TX begin ret which c o n tains the xid of the transaction. Eventually the AP generates a TX commit call event t o the TM. The resulting XA events are communication following a two-phase commit protocol between the TM and the RMs, resulting nally in a TX commit return event b eing sent to the AP.
The poset shows the parallelism in the event generation, and the event dependencies required for the two-phase commit to be correctly executed | i.e., all XA commit calls events from the TM to the RMs must depend upon all the prepare returns from the RMs Section V-E.
D. Coordination
The X Open standard speci es that communication between the RMs and the TM to commit a transaction be coordinated in two phases. The premise behind this two phase commit protocol is that the decision to commit must be based upon agreements from all of the resources.
As Figure 7 shows, a correct commit protocol should require certain event dependencies: all commit call events generated by the TM to the RMs must depend upon all the prepare rets from the RMs. These events occur at the TM interface and their coordination must be implemented by the TM. So coordination is a constraint on the TM, and can be expressed very simply using event dependency: for any transaction a commit call event m ust not occur independently of a prepare ret event for the same transaction.
never ?x in xid?i, ?j in 1 .. NumRMs XAs?i .prepare ret?x, xa ok jj XAs?j . commit call?x; 9 Only some of the events in the poset execution are shown. Coordination will detect violations of the two phase commit protocol and thereby the X Open standard, even when those violations do not result in violating atomicity. 10 
E. Two Phase Commit Protocol
The two phase commit protocol speci es a behavior by which the TM coordinates all the RMs to attempt to ensure atomicity. Communication between the TM and RMS to commit a transaction is performed in two phases. In the polling phase the TM polls each R M 11 by sending it a prepare call event with the xid. When all RMs have responded, the decision phase is entered. If all RMs respond with a prepare ret with an ok argument, then the TM will generate commit call events to all RMs. Otherwise the TM will generate rollback call events to the RMs. When the second phase is nished the TM generates a TX commit ret which noti es the AP of the result see Figure 7 .
The two-phase commit protocol can be speci ed as a behavior in the interface of the TM. See Section IV-B for interface behaviors. The behavior consists of three concurrent pattern triggered rules. They specify what events the TM generates in response to events it receives. The rst rule describes the polling phase. Upon receiving a tx commit call event with an xid as its data, it will generate an xa prepare call event with the same xid as data for each XA service resource, such that the generated events are causally independent from each other but each dependent on the tx commit call.
Upon receiving an prepare ret event from each of the XAs NumRMs of them such that the events are all associated with the same transaction, ?x, and all vote to commit i.e., xa ok, the second rule will trigger causing NumRMs commit call events to be generated, one for each XA ser- 10 The X Open documents do not describe coordination e v en though it is implied by the two phase commit protocol, because they do not refer to the dependencies b e t ween communication. 11 More accurately, each RM associated with the transaction.
vice. Again, each of the generated commit call events will be dependent upon all of the prepare ret events which p a rticipated in the triggering. This implements the decision to commit the transaction. However if the TM receives a response from a resource which indicates an error condition xa error i.e., a vote to abort the transaction, the third rule will trigger. Upon triggering the this rule will generate rollback call events similarly to the second rule's generation of commit call events.
VI. Testing Conformance to a Reference Architecture
The constraints expressed in the Rapide X Open DTP architecture can be used in conjunction with event pattern maps to automate testing of systems for conformance to the standard Section II-C. Here we g i v e an example to illustrate this application of constraint-based architecture. It shows how e v ents generated by a system can be mapped into a poset of events in X Open and tested for violations of the coordination constraint. Violations of coordination involve e v ent dependencies and would be di cult to detect using event traces.
As an example, the system to be tested is a combination of two stand alone X Open DTP subsystems. The rst subsystem schedules patients for doctors' appointments, and the second bills patients using accounting operations like crediting and debiting patient accounts. The two subsystems have separate resources and separately follow X Open protocols. However, the combined system is loosely coupled; instead of direct communication between their separate TMs the programming of which m a y b e costly and di cult there is a top level communication between the application programs. When the scheduling subsystem begins a local scheduling transaction it noti es the billing subsystem, which m a y then begin a related local billing transaction. The architecture for the combined system is shown in Figure 8 , and an execution is shown in Figure 9 . The rst event is a request to begin a new scheduling transaction in the scheduling subsystem. This causes by t h e The combined system should appear globally to conform to X Open, even though it has a di erent a r c hitecture. This means 1. there should be a correspondence between posets in the combined system and posets in X Open, 2. the X Open posets corresponding to combined system posets should satisfy the X Open constraints. Rapide event pattern mappings Section IV-C.2 are used to de ne corresponding posets. When the combined system is executed the posets it generates are mapped into the corresponding posets which are then checked for conformance to the X Open constraints. The target X Open architecture is not executed. The mapped events, which appear to be events it has generated, are checked.
To k eep the example simple we d e a l o n l y w i t h c hecking the coordination constraint. There are three steps. 1 We m ust recognize transactions in the combined system. These may consist of pairs of related transactions in the subsystems. 2 We m ust decide which e v ents in the combined system let us call them coordination events c o rrespond to prepare ret events and commit call events in X Open. 12 Then we map the coordination events in any transaction in the combined system which m a y b e p a i r of related transactions in the subsystems into prepare ret and commit call events in a single transaction of X Open call these mapped events. 3 Dependencies between the mapped events must be induced by the mapping from the dependencies of the triggering events.
The target X Open architecture in which the events are generated by the map is very simple. It has only one RM and one XA serivce in its TM interface. Since it isn't executed it needs no interface behaviors.
The pattern triggered mapping below de nes the correspondence of events. It triggers on posets of events in the combined system and generate events in an X Open reference architecture. Events in the separate subsystems will contain separate xid's for transactions in those systems.
Step 1 above requires that, when two xid's are found that are names of related transactions, one in each subsystem, a new xid for the uni ed transaction should be constructed as a function of the two xid's. The function, Common This map has three concurrent rules, each triggering on a poset in the combined system and either modifying the map's local state or generating an event in the reference architecture. The map generates events at the TM's interface, either prepare ret or commit call with a common xid. The patterns on the left of the = symbol are the triggers of the rules. The rst rule triggers only when su cient dependent events have occurred in the subsystems to identify two related transactions going on, one in each subsystem. Its trigger binds both xids in the match. It then constructs a fresh common xid. T h i s v alue is saved in an array A 13 in locations indexed by the xids of the related scheduling and billing transactions. In this way, i f x is a scheduling xid with a related billing xid, y, then A x and A y will refer to the same xid in the X Open architecture, Commonx,y.
The second and third rules trigger on coordination events in the combined system. They generate an event that is the instance of their right side pattern corresponding to the match of the trigger. The generated events are X Open events in a transaction whose xid is the common function of two separate xid's. These are the mapped events.
Mapped events have a dependency relation induced by dependencies between the posets that triggered them. Brie y, if posets P,Qtrigger mapping rules that generate events E, F, and every event i n Q is either in P or depends upon every event i n P, t h e n F depends upon E. Figure 10 is the mapped events and their induced dependencies resulting when the example map above is applied to Figure 9 . Since all of the events contain the same xid, they are part of the same X Open transaction and violate coordination. Consequently the pair of related transactions in the combined system that corresponds to this transaction were not coordinated correctly.
Notice that atomicity is not violated since all of the resources are committed no rollback. A coordination violation indicates an incorrect commit protocol which indicates a possibility of violating atomicity in some other execution. Atomicity violations can be detected by e v ent traces but coordination violations cannot.
The Correspond map has several properties, proofs of which are beyond the scope of this paper. For example, if the combined system's execution were coordinated correctly, possibly by combining the separate TMs into one, the mapped poset would violate neither the atomicity n o r the coordination constraints. 13 The array is initialized to be the identity function.
VII. Related Work
Many e v ent-based languages for describing and simulating systems are already in industrial use. In the area of hardware description languages HDLs VHDL 34 and Verilog 7 are notable examples. In the software and systems area languages such as LOTOS 35 for modeling communication protocols and Esterel 36 for modeling synchronous systems are well-known. These languages are event-based reactive languages. They provide simple features for programming behaviors of components by triggering on or reacting to single events or Boolean combinations of events, possibly with predicate guards.
The hardware languages provide the clearest notion of communication architecture. For example, in VHDL component i n terfaces entity declarations can be wired up in structural architectures prior to being bound in a con guration to an implementation. An architecture in VHDL may h a ve many di erent bindings con gurations of its components e.g., to di erent library units, but all instances have the same communication network i.e., architecture". VHDL architectures are restricted to being static the number of components and their interconnections are determined at compile time.
Rapide is best viewed as being evolved from several sources: a VHDL for event-based and architecture concepts, b ML 37 and C++ 9 for type systems, and c TSL 38 for event patterns and formal constraints on concurrent behavior expressed in terms of patterns of events.
The evolutionary steps can be summarized as follows. First, Rapide departs from previous event-based languages by explicitly representing dependencies between events. Other event-based languages do not express the dependency relation so that models in those languages produce a linear trace of events when they execute. Rapide models produce posets.
Second, the Rapide sublanguage for triggering on events the language of event patterns has increased power compared with, say, VHDL or LOTOS or CSP 39 to express patterns that can match posets. Other event-based languages can use only single events, or guarded Boolean combinations of events, as reactive process triggers. The pattern triggers of Rapide processes can require dependencies between events or independence of events, in addition to Boolean combinations of events, in order to react. Event patterns play a basic role in features for de ning both reactive behaviors and formal constraints. The key point i s that a Rapide model both produces a poset as an execution result, and dynamically reacts to the poset it is producing.
Third, the VHDL concept of entity declaration is generalized in Rapide t o a t ype | i.e., interface types. An interface type can have many di erent module implementations essentially it de nes the set of objects implementing the type. Thus Rapide modules analogous to VHDL entity bodies can be parameters of functions, for example. Interface types can inherit from other types using objectoriented methods, and are related by a notion of structural subtyping 1 .
Fourth, structural connections in VHDL, expressed by port maps that bind the ports of component instances to signals in an architecture, are generalized in Rapide to event pattern connection rules. This feature allows dynamic connections in architectures. Along with dynamic instantiation of compnents, it allows fully dynamic architectures.
Finally, e v ent patterns are used in Rapide to de ne mappings between architectures, allowing for hierarchical and comparative s i m ulation as described in our earlier work on VAL+ 14 .
Rapide may w ell bene t from and bene t related work in the growing eld of software architectures. Garlan and Shaw 40 and Perry and Wolf 41 have w orked on specifying and classifying software architectures. Con guration systems such as Conic 42 allow graphical composition of objects with simple kinds of connections. The process of transforming an abstract software architecture into an instance architecture correctly and incrementally via re nements is described in 43 In the future, Rapide tools may well leverage o of tools developed in other e orts such a s these.
VIII. Conclusions
Generally speaking, event-based languages provide convenient formalisms for writing models of distributed systems because the components of such systems communicate by means of messages" or events". Moreover, eventbased languages represent the behavior of a program as a detailed history of the events occurring during execution. This wealth of detail is essential in analyzing early life cycle models prototypes.
The features of Rapide for de ning both executable and constraint-based architectures have been outlined, and the use of poset executions to analyze behavior of distributed systems has been illustrated. Scalability issues related to large distributed system architectures have been discussed, and the Rapide features for dealing with scalability issues, such a s e v ent pattern connections, generate connection macros and interface services have been described and illustrated by the X Open example. Finally, w e h a ve outlined how reference architectures can be de ned using Rapide poset-based constraints and applied in conjunction with event pattern mappings to test conformance of systems.
Approaches to scalability o f a r c hitecture de nition languages, whether graphical, simulation or constraint-based, are critical research topics. Currently, an industry-scale Rapide toolset is being constructed, including a simulator and constraint c hecker, to support prototyping and conformance checking. We hope the availability o f e v ent-based architecture de nition languages such a s Rapide will result in a more discplined, architecture-based approach t o software development, closer to present hardware design practices.
