Interpretation of AADL Behavior Annex into synchronous formalism using SSA by Ma, Yue et al.
Interpretation of AADL Behavior Annex into
synchronous formalism using SSA
Yue Ma, Jean-Pierre Talpin, Thierry Gautier
To cite this version:
Yue Ma, Jean-Pierre Talpin, Thierry Gautier. Interpretation of AADL Behavior Annex into
synchronous formalism using SSA. International Symposium on Advanced Topics on Embedded
Systems and Applications (ESA2010), Jun 2010, Bradford, United Kingdom. IEEE Computer
Society, pp.2361-2366, 2010, <10.1109/CIT.2010.406>. <hal-00554416>
HAL Id: hal-00554416
https://hal.archives-ouvertes.fr/hal-00554416
Submitted on 10 Jan 2011
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
Interpretation of AADL Behavior Annex into synchronous formalism using SSA
Yue Ma Jean-Pierre Talpin Thierry Gautier
INRIA, Unite´ de Recherche Rennes-Bretagne-Atlantique, Campus de Beaulieu, 35042 Rennes Cedex, France
Email: {Yue.Ma, Jean-Pierre.Talpin, Thierry.Gautier}@irisa.fr
Abstract
This article focuses on the essence and distinctive features
of the AADL behavioral aspects, for which we use the code
generation infrastructure of the synchronous modeling environ-
ment SME. It introduces an effective method for transforming a
behavior specification consisting of transitions and actions into
a set of synchronous equations. We present an approach for this
transformation using SSA as an intermediate formalism. This
interpretation minimizes introducing new state variables and
transitions.
1 Introduction
Nowadays, embedded systems are an integral part of
safety critical systems in various domains, such as avionics,
automotive and telecommunications. Typically, they have
a long life cycle of development and maintenance. In this
process, architecture design and early analysis of embed-
ded systems are two of the major challenges for designers
using modeling languages such as AADL [1] (Architecture
Analysis and Design Language) to describe the systems.
AADL is a language which supports the modeling of
component-based systems as an assembly of software com-
ponents mapped onto execution platforms. The modeling
aspect of system design activity is becoming increasingly
essential, since it allows prototyping and experiments with-
out necessarily having a physical implementation of the sys-
tem. The Behavior Annex is proposed as an extension of
AADL to offer a way to specify the behaviors of compo-
nents. AADL allows a fast design entry and software/ hard-
ware co-design. However, system validation and verifica-
tion is a critical challenge. What we are seeking for is to
use formal methods to ensure the quality of system designs.
Synchronous languages [4], such as Signal [2, 3], have
been used successfully for the design of real-time critical
applications to significantly ease the modeling and valida-
tion of software components. Their associated toolsets pro-
vide formal transformation, automatic code generation, ver-
ification, etc.
Signal is a dataflow relational language that relies on the
polychronous model [3]. Signal handles unbounded series
of typed values ❼xt➁t❃N, called signals, denoted as x and
implicitly indexed by the discrete pace of its clock, noted
xˆ. At a given instant, a signal may be present or absent.
Two signals are synchronous if they are always present (or
absent) at the same instants.
In Signal, a process (written P orQ) consists of the syn-
chronous composition (noted P ❙❙Q) of equations (written
x ✂  y f z) over signals. An equation x ✂  y f z defines the
output signal x by the result of the application of operator
f to its input signals y and z. In addition to the extension to
signals of usual functions on values (e.g., boolean or arith-
metic operations), the specific basic Signal equations are
the delay x ✂  y$1 init v, the sampling x ✂  y when z, and
the merging x ✂  y default z. The reader is referred to [3]
for definitions. The process P ⑦x restricts the lexical scope
of the signal x to the process P . The abstract syntax of a
process P in Signal is defined as:
P,Q ✂✂  x ✂  y f z ❙ P ❙❙Q ❙ P ⑦x
Relying on these bases, we propose an approach to au-
tomatically interpret AADL Behavior Annex into the syn-
chronous formalism Signal. We are concerned with a
method to embed notations of the AADL Behavior Annex
in a suitable model of computation for the purpose of formal
verification and code generation. To model and compile all
distinctive programming features of AADL behaviors, tran-
sitions and actions, we use the code generation infrastruc-
ture of the synchronous modeling environment SME [5].
The SME environment is a front-end of Polychrony [7]
(which is a toolset for Signal) in the Eclipse environment
based on Model-Driven Engineering (MDE) technologies.
The model transformation specified here relies on an in-
ductive SSA (static single assignment) [6] transformation
algorithm across transitions/actions, that produces interme-
diate representation. A program is said to be in SSA form
whenever each variable in the program appears only once
on the left hand side of an assignment. Only one new value
of a variable x should at most be defined within an in-
stant. The SSA form of a program replaces assignments
of a program variable x with assignments to new versions
of x, uniquely indexing each assignment. The φ opera-
tor is needed to choose the value depending on the pro-
gram control-flow, where a variable can be assigned in both
branches of a conditional statement or in the body of a loop.
As SSA is an intermediate representation, the introduction
of the φ-function will not consume execution cost. The
compilation will optimize the final execution code. It intro-
duces an effective method for transforming behavior spec-
ifications consisting of transitions and actions into a set of
synchronous equations. This transformation minimizes the
needed state variables and component synchronization.
In this paper, we show how to not only translate the core
imperative programming features into equations, but also
extend it to the mode automata that control the activation
of such elementary transitions and actions. We give an
overview of AADL and Behavior Annex in Section 2.
The principles of the interpretation from AADL Behavior
Annex to Signal are described in Section 3. Experimental
results are provided by a case study. Some related works
and conclusions are given in Section 4 and Section 5.
2 AADL and Behavior Annex
AADL is an SAE standard aimed at high level design
and evaluation of the architecture of embedded systems.
The language employs formal modeling concepts for the de-
scription of software and hardware architecture. It focuses
on the description of systems using the component-based
paradigm. A set of predefined components are offered:
❨ Application software components include process,
thread, thread group, subprogram, and data components.
❨ Execution platform components model the hardware
part of the system. This includes the processor, memory,
device, and bus components.
❨ Composite components model components consisting
of both hardware and software. A system component mod-
els a component containing execution platform, application
software and other composite components.
The AADL Behavior Annex [8] is an extension of the
core of the standard to offer a way to specify the local func-
tional behavior of the components. It supports describing
precisely the behaviors, such as port communication, com-
putation, timing, etc. A Behavior Annex can be attached to
a thread or a subprogram: threads or subprograms start from
an initial state, and a transition to a complete (resp. return)
state ends a thread (resp. subprogram). Transitions may be
guarded by conditions, and actions may be attached.
Figure 1 is a behavior specification of a door handler
thread from a SDSCS (Simplified Doors and Slides Con-
trol System) [9]. It comprises two transitions with an initial
state s0 which is also a complete state. The thread will exe-
cute the transitions depending on the guarded conditions.
We will formalize the semantics of AADL behavior
annex by isolating the core syntactic categories that charac-
terize its expressive capability: transitions and actions.
Behavior specifications The behavior specification
defines a transition system. A behavior specification
behavior spec x A describes system transitions from a
source state s to a destination state t. A transition can be
guarded with events or boolean conditions, and actions S
Figure 1. Behavior Annex example
can be attached. When a behavior spec is first triggered, it
starts execution from an initial state, specified as s : initial
state, and ends with a complete (return for subprogram)
state, specified as t : complete state (return state). From
state si, it may perform a transition A to a new state sj ,
written si
 g✆
  sj➌S➑, if the guard g is true.
behavior spec x A where A ✂✂  si
 g✆
  sj➌S➑ ❙ A1❨A2
and g ✂✂   on exp✆  e✆  when exp✆ ❙ exp,
and s ✂✂  ❼initial ❙ complete ❙ return➁ state
❨ The guard g can either be an expression exp or contain
an optional event or event data receipt e and an optional
boolean condition ([on exp] [when exp]).
❨ The condition may depend on the received data, and it
can be split in two parts: the on part expresses conditions
over the current state, and the when part expresses a condi-
tion over the data to be read.
❨ An event e can be a receipt from an event port (p?), or
from an event data port (p?❼x➁) where x is a state variable
or a data subcomponent.
Actions Actions are sequences of operations on variables
that are performed during the execution of transitions.
(action) S ✂✂  x ✂  f❼y, z➁ ❙ p? ❙ p?❼x➁ ❙ p! ❙ p!❼x➁
❙ if x then S1 else S2 ❙ for ❼x inX➁ S
❙ delay❼min, max➁ ❙ computation❼min, max➁ ❙ S1;S2
❨ An assignment x ✂  f❼y, z➁ defines the value of x from
the function f of the current values of y and z.
❨ The conditional if x then S1 else S2 executes S1 if
the current value of x is true, otherwise executes S2.
❨ The finite loop for ❼x in X➁ S allows iterations over
finite integer ranges or over unparameterized types, which
are specified by a data classifier.
❨ The timing actions delay❼min, max➁ and
computation❼min, max➁ specify non-deterministic
waiting time and computation time intervals. The differ-
ence is that computation❼min, max➁ consumes CPU,
while delay❼min, max➁ does not.
❨ The message sending or receiving actions express the
communication of messages. A statement p! calls the send
service on an event or event data port p. The event is im-
mediately sent to the destination with the stored data if any.
p!❼x➁writes data x to the event data port p and calls the send
service. p? dequeues an event from event port p. p?❼x➁ de-
queues a data in the variable x.
❨ Sequences of actions S1;S2 are executed in order.
3 Interpretation and semantics of AADL Be-
havior Annex
In this section, we will present general rules to interprete
the AADL Behavior Annex into Signal. This interpretation
uses SSA as an intermediate formalism. The transitions and
actions are transformed into a set of synchronous equations.
In order to distinguish between the transitions of differ-
ent interpretation stage, we use S ❃ S to represent the gen-
eral action in the original transition T ❃ T , B ❃ B to repre-
sent the basic actions attached to the intermediate transition
U ❃ U , and A ❃ A to represent the SSA form actions at-
tached to the SSA form transitionW ❃ W . We introduce a
notation def❼A➁ ✂  x referring the left hand side of an as-
signmentA (x ✂  f❼y, z➁), and use❼A➁ ✂  f❼y, z➁ referring
the right hand side.
B ❄ B ✂✂  x ✂  f❼y, z➁ ❙ p? ❙ p?❼x➁ ❙ p! ❙ p!❼x➁ ❙ B1;B2
S ❄ S ✂✂  B ❙ if x then S1 else S2 ❙ for ❼x inX➁ S
❙ delay❼min, max➁❙ computation❼min, max➁❙ S1;S2
A ❄ A ✂✂  x ✂  f❼y, z➁ ❙ A1;A2
where ➛x ❃ def❼A➁, x occurs at most once in A
T ❄ T ✂✂  s
c
  t➌S➑ ❙ T1 Õ T2
U ❄ U ✂✂  s
c
  t➌B➑ ❙ U1 Õ U2
W ❄W ✂✂  s
c
  t➌A➑ ❙W1 ÕW2
Because actions are attached to transitions, we must take
into consideration the states which they depart from and
enter in, when interpreting the actions. We use ■❼T ➁ to
note the interpretation of a transition T to Signal process.
The transformation ■❼T ➁ of the AADL transitions/actions
to Signal is addressed in three steps:
■❼T ➁ ✂ T ■TÐ  U ■UÐ  W ■WÐ  P
❨ Step 1: T
■T
Ð  U . Each transition T ❃ T with
attached sequence of general actions S ❃ S , is decomposed
into sets of basic transitions U ❃ U , in which all the actions
are basic actions B ❃ B.
❨ Step 2: U
■U
Ð  W . For each intermediate transi-
tion U ❃ U , the basic actions B ❃ B are depicted in SSA
form A ❃ A . Each use of an original variable x is replaced
by a new version, so that the actions can be executed in the
same instant.
❨ Step 3: W
■W
Ð  P . Translate the SSA form actions
A ❃ A to Signal equations.
The interpretation of transitions T1 Õ T2 can be parallel:
■❼T1 Õ T2➁   ■❼T1➁ Õ ■❼T2➁
■❼T ➁   ■W ❼W ➁ whereW   ■U❼U➁, and U   ■T ❼T ➁
Each step of the interpretation ■T ,■U ,■W will be ex-
plained in detail in the following subsections.
3.1 Actions to basic actions
A transition from a source state s when condition c is
satisfied, to a destination state t, with attached general ac-
tion S, noted as s
c
  t➌S➑, can be decomposed into a set
of intermediate transitions U ❃ U , in which the actions in
each new transition are basic actions B ❃ B.
s
c
  t➌S➑ ■TÐ  U
where U   si
ci
  sj➌Bi➑ ❙ U1 Õ U2, and Bi ❃ B
We use ■T ❼T ➁ to represent this interpretation from a
general transition T ❃ T to basic transition U ❃ U . The
interpretation of the transitions can be parallel.
■T ❼T1 Õ T2➁   ■T ❼T1➁ Õ ■T ❼T2➁
We also use the notation ■TS to note this transformation,
the action S is decomposed into B;S➐, where B is the basic
actions from the beginning of S, and S➐ is the rest.
■T ❼s c  t➌S➑➁   ■TS❼s, c, t, S➐,B➁   U
where S   B;S
➐
, and B ❃ B, and U ❃ U
❨ At the very beginning of the interpretation, there is no
basic action before S.
■T ❼s c  t➌S➑➁   ■TS❼s, c, t, S, φ➁
❨ Suppose S➐   S1;S2 where S1 is the first action of
S➐. If action S1 is a basic action S1 ❃ B, then it can be
merged to the previous basic action set B. Otherwise, if
B is empty, decompose S1 and S2 respectively, and apply
the defined rules for each one. IfB is not empty, introduce a
new transition for actionB, and decompose S1, S2 similarly
to the previous case.
■TS❼s, c, t, S1;S2,B➁  
➣➝➝➝➛➝➝➝↕
■TS❼s, c, t, S2,B;S1➁ if S1 ❃ B❼ U1 Õ U2➁ if S1 ➯ B and B   φ
❼s c  s1➌B➑ Õ U3 Õ U4➁ if S1 ➯ B and B ① φ
where
➣➝➝➝➝➝➛➝➝➝➝➝↕
❼U1, s1➁   ■ ➐T ❼S1, c, s➁
U2   ■TS❼s1, true, t, S2, φ➁❼U3, s2➁   ■ ➐T ❼S1, true, s1➁
U4   ■TS❼s2, true, t, S2, φ➁
The transformation for the composite action S ❃ S and
S ➯ B, noted as ■ ➐T ❼S, c, s➁   ❼U, t➁ (where s
c
  t➌S➑ is the
original transition with composite action S, U is the result-
ing basic transition), will be represented in the following
subsections.
■
➐
T ❼S, c, s➁   ❼U, t➁ where S ❃ S , and S ➯ B, and U ❃ U
❨ If there is no action following S in the interpretation,
which means that the action S is already a basic action S ❃
B, then the resulting transition is the same as the original
one.
■TS❼s, c, t, φ, S➁   ❼s c  t➌S➑➁
Next, we will interpret each of the composite actions S,
(S ❃ S and S ➯ B). We write ■ ➐T ❼S, c, s➁   ❼U, t➁ for
the action S from source state s, with guard c. It returns
an intermediate transition U (the actions in U are the basic
actions), and an exit state t.
3.1.1 Condition
A conditional evaluates S1 with the condition x to U1 and
S2 with condition not x to U2.
■
➐
T ❼if x then S1 else S2, c, s➁  
➆➊➊➊➊➈
➆➊➊➊➊➈
s
c and x
Ð  s1
Õ s
c and not x
Ð  s2
Õ U1
Õ U2
➇➋➋➋➋➉
, u
➇➋➋➋➋➉
where ■TS❼s1, true, u, S1, φ➁   U1, ■TS❼s2, true, u, S2, φ➁   U2
3.1.2 Loop
A loop statement for ❼x in X➁ ➌S➑ allows iterations over
finite integer ranges or over unparameterized enumerated
types, which are specified by a data classifier.
Integer range For an integer range, i in M..N , which
means thatM andN are two integers andM ❅ N , the loop
statement can be refined as:
■
➐
T ❼for ❼i inM..N➁ ➌S➑, c, s➁  
➆➊➊➊➊➊➊➊➈
➆➊➊➊➊➊➊➊➈
s
c
  t➌i ✂ M➑
Õ U
Õ u  v➌i ✂  i ✔ 1➑
Õ v
i❇N
Ð  t
Õ v
i❆N
Ð  w
➇➋➋➋➋➋➋➋➉
,w
➇➋➋➋➋➋➋➋➉
,where ■TS❼t, true, u, S, φ➁   U
Enumeration range For an iteration over unparameter-
ized enumeration, x inX , in whichX is a data classifier of
enumerated type X   ➌x1, x2, ..., xn➑, the loop statement
can be translated as:
■
➐
T ❼for ❼x inX➁ ➌S➑, c, s➁  
➆➊➊➊➊➊➊➊➈
➆➊➊➊➊➊➊➊➈
s
c
  t➌i ✂  1;x ✂  x1➑
Õ U
Õ u  v➌i ✂  i ✔ 1;x ✂  xi➑
Õ v
i❇n
Ð  t
Õ v
i❆n
Ð  w
➇➋➋➋➋➋➋➋➉
, w
➇➋➋➋➋➋➋➋➉
whereX   ➌x1, x2, ..., xn➑, ❙X ❙   n, and ■TS❼t, true, u, S, φ➁   U
3.1.3 Computation(m,n)
Computation(m,n) expresses the use of CPU for a pos-
sibly non-deterministic period of time between m and n.
For this non-deterministic choice, we introduce a function
random❼m,n➁ to choose a random period r (m ❅ r ❇ n)
while translating. In each iteration of i, a synchronization
with a physical tickms? is performed.
■
➐
T ❼computation ❼m,n➁, c, s➁  
➆➊➊➈
➆➊➊➈
s
c
  t ✂ ➌i ✂  1➑
Õ t
i❅r
Ð  t ✂ ➌ms?; i ✂  i ✔ 1➑
Õ t
i r
Ð  u
➇➋➋➉ , u
➇➋➋➉
where r   random❼m,n➁,
andms? synchronizes with the physical tick
3.1.4 Delay(m,n)
The difference between delay and computation is that
computation consumes CPU, while delay does not, which
means that, when a thread delays some time interval, other
threads can execute during this time.
The interpretation of delay is more complicated, for it
will request for rescheduling. We can represent the delay
using a finite loop if its period can be determined by a ran-
dom choice:
■
➐
T ❼delay ❼m,n➁, c, s➁   ■ ➐T ❼❼for i in 1..r➁➌ms?➑, c, s➁   ❼U, t➁
where r   random❼m,n➁,
andms? synchronizes with the physical tick
3.2 Basic actions to SSA form actions
Only one new value of a variable x should at most be
defined within an instant in SSA form. An operation x ✂ 
f❼y, z➁ takes the current value of y and z to define the new
value of x by the product with f . A statement p!❼x➁ sends
the value x to p. Execution may continue within the same
symbolic instant unless a second emission is performed. A
statement p?❼x➁ waits a signal from p.
We use the notation ■U to note the intermediate transi-
tion U ❃ U (with actions B ❃ B) to be represented in SSA
formW ❃ W (with actions A ❃ A ).
s
c
  t➌B➑ ■UÐ  W where
➣➝➝➝➛➝➝➝↕
B ❃ B
W ❄W   si
ci
  sj➌Ai➑ ❙W1 ÕW2
Ai ❃ A
We use an environmentE to associate each variable with
its definition, an expression that locates it,E ✂ X  X . The
environment of x is noted E❼x➁, and the domain of E is
noted ❱❼E➁. The restriction of a variable x to environment
E is noted E⑦x, which satisfies:
φ⑦x   φ
❼E✬➌y ✭ z➑➁⑦x   ➐ E if y   x❼E⑦x➁✫➌y ✭ z➑ if y ① x
Wewrite useE❼x➁ for the expression that returns the def-
inition of the variable x in environment E, and defE❼x➁
for the environment E storing variable x with its associated
definition.
useE❼x➁   ➐ E❼x➁ if x ❃ ❱❼E➁
x otherwise
defE❼x➁   ❼E⑦x➁✬➌x✭ x➐➑ where x➐ ➯ ❱❼E➁
We depict sequence of basic actionsB   B1;B2 attached
to an intermediate transition U defined in environment E to
a set of new SSA form transitionsW with an updated envi-
ronment F , in which all the new actionsA are in SSA form,
and can be executed in the same instant. We use ■U❼U➁
to note this interpretation from an intermediate transition to
SSA form transitionW ❃ W , and we introduce another no-
tation ■ ➐U to define the transformation rules:
■U❼s c  t➌B➑➁  W where ➐ ■ ➐U❼B1,B2, s,E➁   ❼W, t,F ➁
B   B1;B2
The following transformations can be defined:
❨ For a single assignment basic action x ✂  f❼y, z➁ in a
transition with environment E, the new transition will take
its SSA form assignment: the final version of variable x
and the definition of y and z defined in E are used, the new
environment F only stores the final value of x defined in E.
■
➐
U❼x ✂  f❼y, z➁, φ, s,E➁   ❼s  t➌a ✂  f❼b, c➁➑, t, F ➁
where a   F ❼x➁, b   useE❼y➁, c   useE❼z➁, F   defE❼x➁
❨ p?❼x➁ transfers a data received from port p to the vari-
able x. If no other action is placed before or after it, convert
it to SSA form action attached to the transition. The envi-
ronment is updated as defE❼x➁.
■
➐
U❼p?❼x➁, φ, s,E➁   ❼s  t➌F ❼x➁ ✂  p➑, t, F ➁
where F   defE❼x➁
❨ p!❼x➁ writes data x to event or event data port p, and
calls the Send service. A new unique version p➐ of p (➌p ✭
p➐➑) is added to update the original environment E.
■
➐
U❼p!❼x➁, φ, s,E➁   ❼s  t➌p➐ ✂  useE❼x➁➑, t, F ➁
where F   E✬➌p✭ p➐➑, and p➐ ➯ ❱❼E➁
In the same way, we have the following transformations:
❨ An assignment can be rewritten in SSA form, and
merged to the previous basic action set B1.
■
➐
U❼B1, ❼x ✂  f❼y, z➁;B2➁, s,E➁
  ■
➐
U ❼❼B1;a ✂  f❼b, c➁➁,B2, s, F ➁ where
➣➝➝➝➝➝➛➝➝➝➝➝↕
a   F ❼x➁
b   useE❼y➁
c   useE❼z➁
F   defE❼x➁
❨ The receive message action is represented in SSA form,
and merged to the previous B1.
■
➐
U❼B1, ❼p?❼x➁;B2➁, s,E➁
  ■
➐
U❼❼B1;F ❼x➁ ✂  p➁,B2, s, F ➁ where F   defE❼x➁
❨ The send message action can be merged if p has not
been defined in E, and ➌p ✭ p➑ is added to update E. Oth-
erwise, create a transition attached with the actions B1 and
the final values of all variables x defined in E. And apply
the transformation rules for the rest of the actions with an
environment ➌p✭ p➑.
■
➐
U❼B1, ❼p!❼x➁;B2➁, s,E➁  
➐ ■ ➐U❼B➐1,B2, s,E✫➌p✭ p➑➁ if p ➯ ❱❼E➁❼s  t➌B1;B➐➑➁ ÕW otherwise
where
➣➝➝➝➝➝➛➝➝➝➝➝↕
B➐1   B1;p ✂  useE❼x➁
B➐  ▲➛x❃❱❼E➁ x ✂  defE❼x➁;
where ▲ is the composition of final value of x
■
➐
U❼p!❼x➁,B2, t,➌p✭ p➑➁   ❼W,u,F ➁
3.3 SSA to Signal
Finally, all the transitions/actions can be represented in
the following form:
W ❄W ✂✂  s
c
  t➌A➑ ❙W1 ÕW2
where ➛x ❃ def❼A➁, x occurs at most once in A
A ❄ A ✂✂  x ✂  f❼y, z➁ ❙ A1;A2
The interpretation ■A❼A➁
g
E   ❼P,F ➁ of an SSA form ac-
tionA takes as parameters the environmentE and the guard
g that leads to it. It returns a process P , and an updated en-
vironment F .
■A❼x ✂  f❼y, z➁➁gE   ❼x   f❼awhen g, b when g➁, F ➁
where
➣➝➝➝➛➝➝➝↕
a   y if y ❃ E, else y$1
b   z if z ❃ E, else z$1
F   E ✽ ➌x➑
■A❼A1;A2➁gE   ❼P ❙Q,G➁ where ➐ ■A❼A1➁
g
E   ❼P,F ➁
■A❼A2➁gF   ❼Q,G➁
We use the notation ■W ❼W ➁
st to represent the interpre-
tation from the SSA form transition W ❃ W to Signal pro-
cess. A local signal st is introduced to represent the state
variable, and nst represents the next state.
■W ❼W1 ÕW2➁st   ■W ❼W1➁st ❙ ■W ❼W2➁st
■W ❼s c  t➌A➑➁st   ❼P ❙ nst   twhen g➁
where ➐ ❼P,E➁   ■A❼A➁gφ
g   cwhen ❼st   s➁
Following the three steps’ interpretation, the behavior
specification behavior spec x X , can now be represented
as behavior spec x ❼W Õ initial state s0➁, (W ❃ W ). The
interpretation for the behavior specification can be written
as:
■❼behavior spec x ❼T Õ initial state s0➁➁
  ■W ❼behavior spec x ❼W Õ initial state s0➁➁
whereW   ■U❼U➁, and U   ■T ❼T ➁
■W ❼behavior spec x ❼W Õ initial state s0➁➁
  ❼P ❙ st   nst $ init s0➁ ⑦ st, nst, where P   ■W ❼W ➁st
3.4 A Case study
The intermediate generated code of the basic transi-
tions/actions (step T
■T
Ð  U ) for the door handler
thread (previously presented in Figure 1) is depicted in Fig-
ure 2. It contains a transformation of the transitions as
well as their attached actions. The interpretation introduces
two intermediate states: STATE 0, STATE 1. The first three
transitions rewrite the first original one. A transition is in-
troduced for each branch of the condition action.
Figure 2. Intermediate Behavior code
In this example, the SSA form of transitions is the same
as depicted in Figure 2, since all the variables are already
uniquely defined in each of the transitions. Each transition
will then be interpreted to Signal equations. The gener-
ated code for the first SSA form transition is listed here,
the guard and state variables (st, nst) are added.
❙ warn diff pres ✂  true when ❼st   s0➁
when (❼dps ❆ 3➁ and handle)
❙ door info ✂  locked when ❼st   s0➁ when (❼dps ❆ 3➁and handle)
❙ nst ✂  STATE 0 when ❼st   s0➁ when (❼dps ❆ 3➁ and handle)
❙ st ✂  nst $ 1 init s0
The program is translated into Signal following the gen-
eral rules described above. Then simulation code (C code)
is generated with the help of the Polychrony toolset. Traces
can be added to be able to follow the simulation. Properties
can be checked using Sigali which is a Signal companion
model-checker. Similar experiments have been described
in [10] for Signal code obtained through SSA from C/C++
parallel programs.
4 Related Works
A few approaches for defining the semantics or for inter-
preting the behavior annex of AADL have been proposed.
AADL2BIP [11] studies a general methodology for trans-
lating AADL and behavior annex specification into BIP. It
supposes the actual behaviors are described using the im-
plementation language, so the actions are not considered,
while the translation of the transitions is shown roughly. In
our transformation, the transitions and actions are both pre-
sented. [12] proposes a formal semantics for a subset of
AADL behavior annex using Timed Abstract State Machine
(TASM). It defines the synchronization actions (remote sub-
program call) which have not been considered in our ap-
proach, however, it does not present how the basic actions
are translated. In AADL2Fiacre [13], the transformations
from AADL and behavior annex to Fiacre are illustrated on
a small example, but the semantics are not formally defined.
Our approach and tools are based on the studies and ex-
perimental results on the translation of C/C++ parallel codes
into synchronous formalism using SSA transformation [10].
In the ANR project SPACIFY, [14] proposes an approach
to model notations of the Synoptic language and to embed
them in a suitable model of computation for the purpose of
formal verification and code generation. It consists of an
inductive SSA transformation algorithm across a hierarchy
of blocks that produces synchronous equations.
5 Conclusion
We have presented in this paper the principle and imple-
mentation that interpret AADL behavior annex into a syn-
chronous data-flow and multi-clocked model of computa-
tion. This interpretation is based on the use of SSA as an
intermediate format. It gives a thorough description of an
inductive SSA transformation algorithm across a hierarchy
of transitions that produce synchronous equations.
Our technique uses the underlying model of computa-
tion of the SME platform. We obtain an effective method
for transforming a hierarchy of behavior specifications con-
sisting of transitions and actions into a set of synchronous
equations. The impact of this transformation technique has
a big advantage: it minimizes the number of state variables
across hierarchical automata and hence creates a minimal
number of transitions in the generated code.
For future works, we intend to implement an automatic
transformation. Since the intermediate SSA form is very
simple, the implementation can focus on optimizations and
performances. One extension is to model the scheduling
policy as well as a rescheduling algorithm when a system
service is requested. Furthermore, an extension to compos-
ite state specified in Behavior Annex jointly with the actions
would be interesting. Another extension study is the valida-
tion of message communication optimization.
References
[1] SAE. Architecture Analysis & Design Language (stan-
dard SAE AS5506), September 2004, http://www.sae.org
[2] P. Le Guernic, T. Gautier, M. Le Borgne, C. Le Maire. Pro-
gramming Real-Time Applications with SIGNAL, Pro-
ceedings of the IEEE 79(9), Sep 1991
[3] P. Le Guernic, J.-P. Talpin, J.-C. Le Lann. Polychrony for
System Design, Journal for Circuits, Systems and Comput-
ers, April 2003
[4] A. Benveniste, P. Caspi, S. A. Edwards, N. Halbwachs, P.
Le Guernic, R. De Simone, The Synchronous Languages
Twelve Years Later, Proceedings of the IEEE, 2003
[5] C. Brunette, J.-P. Talpin, A. Gamatie´, T. Gautier. A meta-
model for the design of polychronous systems, Journal of
Logic and Algebraic Programming, Special Issue on Apply-
ing Concurrency Research to Industry. Elsevier, 2008
[6] R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, F.
K. Zadeck. Efficiently computing static single assignment
form and the control dependence graph, ACM Transac-
tions on Programming Languages and Systems, Oct 1991
[7] INRIA Espresso Team, Polychrony tool,
http://www.irisa.fr/espresso/Polychrony
[8] P. Dissaux, J.P. Bodeveix, M. Filali, P. Gaufillet, F. Vernadat,
AADL Behavioral annex, DASIA, 2006
[9] O. Laurent, F. Pouzolz, Airbus generic pilot application
Aircraft doors management system, CESAR report, 2009
[10] L. Besnard, T. Gautier, M. Moy, J.-P. Talpin, K. Johnson, F.
Maraninchi,Automatic translation of C/C++ parallel code
into synchronous formalism using an SSA intermediate
form, AVOCS’09, Sep 2009
[11] M. Y. Chkouri, A. Robert, M. Bozga, J. Sifakis, Translating
AADL into BIP - Application to the Verification of Real-
time Systems, MODELS’08, Toulouse, France, Sep 2008
[12] Z. Yang, K. Hu, D. Ma, L. Pi, Towards a Formal Semantics
for the AADL Behavior Annex, DATE’09, 2009
[13] B. Berthomieu, J.-P. Bodeveix, P. Farail, M. Filali, H. Gar-
avel, P. Gaufillet, F. Lang, F. Vernadat, Fiacre: an Inter-
mediate Language for Model Verification in the TOP-
CASED Environment, INRIA report, 2008
[14] J.-P. Talpin, J. Ouy, T. Gautier, L. Besnard, Modular inter-
pretation of heterogeneous modeling diagrams into syn-
chronous equations using static single assignment, INRIA
report, September 2009
