The latest ITU-T standard syntax of Message Sequence Charts (MSCs) 18] o ers several operators to compose MSCs in a hierarchical, iterating, and nondeterministic way. The new operators are a step towards increasing the applicability of MSCs to more than a trace language. However, current tools operate on MSCs that describe nite, deterministic behavior and none of them uses MSCs as a language for requirements speci cation and design of a system. In this paper, we describe the architecture and the partial implementation of Mesa, an MSC-based tool that supports early phases of the software development cycle. The main functionalities of MESA are: an environment for the composition of system models through MSCs, syntactic and model-based analysis of an MSC model, and resolution of resource related underspeci cations in an MSC model. In addition, an important design decision in MESA is to support synthesis mechanisms as a means to integrate our tool with available tools, e.g., the Xspin model checker and various CASE tools for the design of real-time systems.
Introduction
Message Sequence Charts (MSCs) have been extensively used in the development of telecommunication and reactive systems. They have already been adopted within several software engineering methodologies and tools, e.g., 23 15] .
In this paper we propose the architecture for an MSC-based tool for the requirements and design phases of the life-cycle of reactive systems. In addition, we illustrate how a portion of this architecture has been implemented in the Message Sequence Chart Editor, Simulator and Analyzer (Mesa) tool. The presented tool has several motivations. One is to serve as an integration platform for various tools, which gives software engineers an access to a wider range of design and analysis techniques that can be more e ective due to certain customizations. The integration is facilitated through the standardized syntax of MSCs by the ITU-T in Recommendation Z. 120 18] . In other words, we view Mesa as a front-end to various methods and tools, and hence code synthesis from MSC speci cations is an essential objective. We currently envisage synthesis of SDL 16] , ROOM 25] and Promela 13] , all of which enjoy support by mature, industrial strength CASE tools.
A second motivation for Mesais to extend the usage of MSCs to the requirements speci cation and design phases. Current tools that use MSCs operate on MSC speci cations that describe nite and deterministic system behavior. However, in its recent extension, called high-level MSCs 17] , the MSC language o ers modular and hierarchical operators to describe parallel, sequential, iterating, and non-deterministic execution of basic MSCs. These operators facilitate the speci cation of largescale systems. In addition, MSCs o er essential constructs in a requirements language for reactive systems, e.g., distinction between the system and its environment 26] , communication exchanges, internal actions, and timers along a formal semantics 18, 20] . As a design language, the notion of processes in MSCs along the composition operators can be used to re ect a software architecture. However, iteration and nondeterminism in MSCs require additional, explicit information, e.g., underlying network architecture and interprocess synchronization to resolve nondeterminism 6]. For this, an MSC-based tool for the design of reactive systems must o er analysis techniques to detect instances where such additional information is required and prompts the user for it.
In addition to the above type of design-related analysis, a third motivation for the tool is to provide analysis for high-level MSC models. Currently, tools that support analysis of MSCs operate only on basic MSCs. In particular, the Mesa tool o ers an extension of MSCs with realtime information and supports timing analysis for high-level MSCs. The time extension is based on currently evolving propositions ( 18, 3, 5] .)
Another motivation for our tool is that we believe that assertional reasoning is crucial for any realistic analysis of a system model. For this, we bene t from the integration features in Mesaand use existing model-checkers, more speci cally, by synthesizing code that serves as an input to a model checker, e.g., Promela code for the Xspin tool 12].
Paper organization. Section 2 discusses the suitability of MSCs for requirements speci cation and desing, while Section 3 reviews current usages of MSCs in software engineering tools. Section 5 presents the architecture of Mesa as an MSC-based tool for the requirements and design phases. Section 6 describes the currently implemented version of Mesa through an automatic teller machine example described in Section 4. Section 7 summarizes the paper and outlines future research directions. As an example of an MSC speci cation, consider Figure 1 which describes a simple connection establishment protocol in a telecommunication system. Process P1 is a service provider, P2 is a local and P3 is a remote protocol machine. The iterating branch describes a repeated request to establish the connection. The non-iterating branch describes a successful connection establishment. The semantics of an MSC essentially consists of sequences (or traces) of messages that are sent and received among the concurrent processes in the MSC. The order of communication events (i.e. message sent or received) in a trace is deduced from the visual ow of control within each process in the MSC along with a causal dependency between the event of sending and receiving a message 20].
Message Sequence Charts o er several advantages to the requirements and design phases of the development of reactive systems. One is the intuitive, graphical notation of MSCs which helps a designer to visualize the system's structure and interfaces. In addition, as a requirements speci cation language an advantage of MSCs is the level of abstraction they o er by merely describing the message ow between processes (which is the core of reactive systems) and abstracting out process behavior. This is to be contrasted to other speci cation techniques, e.g., SDL and ROOM, which explicitly specify the process behavior and leave the message ow implicit. Anthor advantage of MSCs as a requirements language is the distinction between the actions of the system and its environment 26]: MSCs visually distinguish between the actions the system produces or initiates from those produced by the environment, which facilitates the identi cation of the interface between the two system components. For example, in Figure 1 the environment sends a message of type data in to the system through the process P1; the system sends a message of type data out to the environment through the process P1. As a design language, MSCs are suitable through their notions of processes and composition operators which facilitate the description of the system's software architecture. Due to the focussed expressiveness of MSCs, it is unrealistic to build a CASE tool exclusively on MSCs. A tool based on MSCs should be a front-end to other CASE tools, supporting early lifecycle requirements capture and validation capabilities (see also 3, 14] ). In addition, an MSC-based tool should support a number of functionalities including:
Analysis of MSC speci cations for \things that can go wrong". The graphical appeal and perceived clarity of MSC specifcations contrasts limits in their expressiveness, which in turn may lead to ambiguities due to underspeci cations. For example, in the presence of nondeterminism and iteration in an hMSC, explicit information is required about inter-process synchronization and the underlying network architecture and queuing strategies 6]. The lack of this information may lead to discrepancies between an MSC speci cation and its interpretation and thus any potential implementation 6]. Thus, it is essential to support analysis mechanisms that detect such ambiguities and suggest to the designer possible extensions to resolve them. Figure 2 illustrates the positioning of Mesa in the software lifecycle. For the purpose of this description we assume a waterfall lifecycle combined with an iterative requirements model.
MSCs in Software Engineering Tools
In our review of current tools (c.f. 4]) that use MSCs, we examined the following set of requirements we nd important in the requirements and design phases as previously described.
1. The use of MSCs in the description of reactive systems makes constructs to support branching and iterating indispensable. 2. Overall compliance with a syntactic convention like Recommendation Z.120 or the UML 9] notation is desirable. 3. While a translation from MSCs into a di erent formalism, e.g., for analysis purposes may be necessary, we require that as little semantic bias as possible be included. In particular, we criticise the interpretation of MSCs based on SDL, as sometimes proposed, because of SDL's heavily constraining message passing semantics. 4. In a notation that bene ts from graphical appeal and visual allusion to such an extent as MSCs, it is mandatory to have semantic assumptions explicitly represented in the speci cation. Allowing implicit semantic assumptions would defeat the purpose of using MSCs during the requirements and design phases where precise speci cations are vital. We call this requirement the \what-you-see-is-what-you-get" (WYSIWYG) requirement w.r.t. the semantics given to MSCs as described by their visual representation. 5. A requirements tool needs to provide for means to check the consistency of the requirements speci ed. 6. Executing or simulating MSCs can greatly enhance the debugging of a speci cation, and thus simulation should be provided by an MSC-based tool.
Assessment of Existing Tools
We have analyzed a sizable subset of the tools that support MSC speci cations (c.f. 4]). su er from a heavy bias towards an assumed SDL semantics. For instance, an MSC could be agged as deadlocking even though it will not deadlock unless one assumes the rather constraining SDL semantics. The SDL-based semantic assumption contradicts our WYSIWYG requirement. We conclude that none of the above reviewed tools satisfactorily meets the requirements we outlined earlier.
MSC Speci cation Example: an ATM System
In the remainder of this paper, we will use an Automated Teller Machine (ATM) example 1 to illustrate the functionalities of Mesa. Figures 3, 4 and 5 illustrate the MSC-based speci cation of the ATM example. All diagrams were generated through the editor component of Mesa.
Due to space limitations, we brie y review the example; for more detail see 5, 7] . The ATM system consists of three concurrent components: the system's user interface that communicates with potential customers represented by the User process, the ATM controll software which is represented by the ATM process, and a host computer in a central bank o ce that is represented by the Bank process. Each one of he bMSCs in Figures 4 and 5 represents a scenario or`use-case' of the system. The hMSC graph in Figure 3 speci es a successor relationship between these scenarios.
Initially, the ATM waits to receive a message that signals that a customer has inserted her/his bank card. Once this message is received, the system then behaves in two possible ways: either the ATM controller receives a request to cancel the transaction EndTrans, or the ATM receives the customer's pin number seconds (bMSC ProcessPin). After the pin has been validated (GetOption), the customer is asked for a processing option, and the system will execute the desired transaction (GetBalance, Withdraw or EndTrans). Note that the hMSC graph can encode limited counting: the customer may try to enter a valid pin at most twice, after which the ATM con scates the customer's card { see the path from the bMSC RefusePin to ConfiscateCard in Figure 3 . Figure 7 shows the hMSC editor displaying the hMSC graph of the ATM example. Double clicking with the mouse on one of the boxes that represents a bMSC opens an editor window for the bMSC that is linked to this box. Figure 8 shows the bMSC editor windows for the DispenseCash and Withdraw bMSCs.
Editing
The Mesa editor allows the user to textually input, draw and manipulate both the hMSC and bMSC components of an MSC speci cation. In addition, it allows the user to load and store MSC speci cations.
Syntactic Checks. There were two design goals for the editing component within Mesa. First, users should be guided in following the graphical syntax of Z.120 18]. Second, we were interested in leaving users the freedom to choose compliance with the Z.120 standard to some extent.
Slope of message arrows: Z.120 requires message arrows to be either downwards sloping or horizontal. In 6] we showed that this is a su cient syntactic condition to avoid deadlocks in Well-formedness of graphical speci cations and compliance with Z.120: Mesa checks bMSCs for compliance with the following constraints: 1. Each process must be given a unique name within the scope of a bMSC; 2. each message type must always be sent and consumed by the same pair of processes within an MSC speci cation; 3. a message arrow may not be directed upwards; and 4. two messages may not originate from the exact spot on a process axes to avoid ambiguities in the interpretation of the event ordering. For hMSCs, Mesa checks the following consistency requirements: 1. All references to bMSCs must be de ned; 2. all referenced bMSCs must be legal according to the above bMSC rules; 3. there must be exactly one start node; 4. the hMSC graph must be connected; and 5. the list of process names for each bMSC that is referenced in an hMSC must be identical in all bMSCs. In addition, Mesa veri es whether an MSC speci cation is normalized, i.e. that after a branching in the hMSC graph no two bMSCs have an identical message exchange pre x. (Normalization is needed for some analyses 6], facilitates enforcement of the delayed choice semantics, and could avoid redundant speci cation.) instance User /* x=72 length=280*/; out WITHDRAW to ATM /* y=76 */; in REQ_AMOUNT from ATM /* y=110 */; out ENT_AMOUNT to ATM /* y=146 */; delay 0, 0]; endinstance; instance ATM /* x=190 length=280*/; in WITHDRAW from User /* y=76 */; out REQ_AMOUNT to User /* y=110 */; in ENT_AMOUNT from User /* y=146 */; set T1 (10) /* y=187*/; out APPROVE_AMT to Bank /* y=217 */; endinstance; instance Bank /* x=304 length=280*/; in APPROVE_AMT from ATM /* y=217 */; endinstance; endmsc; Extended Z.120 textual fomat. The strict textual representation of MSCs is insu cient to completely re ect the information content of bMSCs as we use them. Therefore, the syntactic representation that we use extends the strict Z.120 syntax as follows.
1. Layout information. This information is essential to reproduce chart layouts that the user has previously chosen. Mesa extends the Z.120 textual syntax with formatting information that is bracketed by comment symbols`/*' and`*/'. The layout information consists of the coordinates of the various MSC components relative to the upper left corner of the Mesa editing canvas, which means that this information may be meaningless for other tools. Figure 9 shows the automatically generated textual Z.120 extended with layout representation for the bMSC Withdraw of Figure 5 . A similar technique is chosen to represent layout information for hMSC graphs. Graphical Editor The GUI-based editor provides an icon-based drawing palette with the basic components of the bMSC and hMSC languages. The GUI-based editor is implemented with an object-oriented interface. One mouse click on a drawn object shows a menu of actions associated with the object. For example, clicking on a message arrow displays a menu of actions: rename the message, add a delay label, and delete the message arrow. Along the common, graphical editing functions (e.g., move, delete, and drag), the Mesa editor allows the simultaneous use of hMSC and bMSC editors to accommodate modular speci cation.
Syntactic Property Analysis
It is often less expensive to verify properties of a speci cation syntactically as opposed to analyzing the speci cation's model. Currently, Mesa implements three types of properties that can be eciently checked syntactically: process divergence, non-local branching choice and timing consistency (c.f. 6, 5]). Process divergence. When processes iterate in an MSC speci cation, the asynchronous nature of communication can lead to process divergence: a system execution where one process sends a message an unbounded number of times ahead of the receiving process. Since an MSC speci cation makes no assumption about the speed of its processes, in the absence of a hand-shake mechanism, a sender process can run \faster" than a receiver process { possibly ooding the receiver with messages.
As an example of process divergence, consider the MSC speci cation of Figure 10 (b) . One possible execution of this MSC speci cation is the in nite trace !req1 !req2 !req1 !req2 which is the result of process P1 sending messages without process P2 receiving any one. To handle such a potential execution, the implementation must answer several questions: What is the network architecture between the processes P1 and P2? Is there any queuing mechanism and protocol and if so, what is the capacity of the channels? How are multiple copies of a not-yet received message handled, are they overwritten or are they bu ered? Regardless of the answers to the above questions, none of them is based on information explicitly described in the given MSC speci cation. In addition, di erent answers may result in di erent implementations. Further, while the above questions seem pertinent to the implementation phase, we view process divergence as unintended behavior of the speci cation that must be rather detected and brought to the designer's attention. This allows the designer to decide either to modify the speci cation to resolve the problem (e.g., by adding explicit hand-shakes), or to postpone the problem to the implementation phase which re nes the speci cation. We have syntactically characterized process divergence and developed an algorithm (now implemented in Mesa) that runs in a time linear with the number of messages in an MSC speci cation 6]. The algorithm basically examines the bMSCs involved in a loop (thus constitute one thread of execution) and veri es that the processes within the bMSCs communicate through a hand-shake.
Non-local branching. Figure 1 illustrates an example which describes a system where MSC1 is followed by either MSC2 or MSC3. At this level of abstraction, all current interpretations assume that all processes choose the same alternative ow of control so that the overall system behavior is described by one basic MSC at a time. As argued in 6], in terms of implementation of individual processes, such an assumption can however be non-trivial as it requires additional, dynamic information about which alternative other processes in the speci cation took. For example, consider the speci cation in Figure 1 . Assume that, after executing the Dreq event, process P1 is the rst process to decide whether to go`left', i.e., the next bMSC to execute is MSC1. In order to implement properly the semantics of choice, the processes P2 and P3 must be informed about P1's decision so that they branch accordingly. However, neither the MSC semantics as presented in Annex B of Z.120 18] nor hMSC graphs provide an explicit way to handle such an information exchange.
Mesa implements our algorithm to detect non-local branching choices and which executes in a time linear with the number of messages in an MSC speci cation 6]. The basic idea behind our algorithm is to examine the bMSCs involved in a choice and verify that they all have the same, unique process which sends the rst event. In case an MSC speci cation contains a non-local branching choice, our syntactic analysis produces the bMSCs that are involved in the non-local branching. This allows the user to resolve the choice by modifying the relevant bMSCs. Timing Analysis. The usage of timing constraints may lead to speci cations that have no timed execution, i.e. the speci cation is timing inconsistent 7] . Consider the bMSC in Figure 11 . Obviously, the minimum time that passes from sending message request until receiving message reply when following the messages and the processing within process Server is at least 12 seconds. However, within process Client it is assumed that timer T1, which is set to 10 seconds right before sending request, is not expiring before reply is received. This means that the conjunction of all timing constraints is not satis able by any system execution. Mesa implements our timing analysis algorithm for branching and iterating MSC speci cations in 5, 7] which is based on work in 3, 10].
Analysis Results. Results of the syntactic analysis are displayed in the graphical MSC specication by highlighting the parts of an MSC that violate the analysis conditions. We will illustrate the reporting of analysis results in the context of the ATM example in Section 4.
Using Mesa in the Analysis of the ATM System
The automatic analysis of the ATM example shows that there are no syntactic anomalies and inconsistencies with Z.120 syntax in this speci cation. This analysis ensures that the subsequent analysis algorithms deliver meaningful results.
Non-local Choice. Figure 12 illustrates how Mesa reports the presence of a non-local choice situation in the ATM System. The non-local choice lies in the hMSC branching point that following the bMSC ProcessPin: in RefusePin and GetOption it is the Bank process which carries out the rst action, i.e. sending of INVALID or VALID, respectively; whereas in TryAgain it is the ATM that sends the rst message. The analysis reveals the danger that processes proceed in di erent directions at this branching point. Mesa tags the respective parts of the hMSC graph which allows the user to localize the potential underspeci cation. The non-local choice situation here could be resolved in case it was not left up to the ATM process to send an ABORT message, but if the Bank was enabled to do so. The purpose of this analysis is to make the user aware of potential underspeci cations, and to hint that synchronization mechanisms must be added, for instance, before code synthesis can proceed. Process Divergence. The reporting of a Process Divergence situation in the ATM system is illustrated in Figure 13 . The Process Divergence occurs in a loop in the hMSC that is formed by the bMSCs StartTrans, GetPin, ProcessPin and TryAgain. In this cycle, User and ATM exchange messages in both directions, while the Bank only receives messages. This satis es the condition of a Process Divergence situation. Depending on the speed of the processes, the ATM may be racing ahead of the Bank and send a large number of VERIFY and ABORT messages to Bank. This indicates that in an implementation must carefully design the communication channel between ATM and Bank. A possible remedy of this Process Divergence situation is to increase the level of synchronization between the three processes. For example, the TryAgain scenario could be extended sos that after sending the ABORT message to Bank the ATM process would only proceed after it had received a CONFIRM ABORT message from Bank.
Timing Consistency. In the basic version shown in Figures 3, 4 and 5 all the timing assignments are consistent. But let us assume that we are more concerned about analyzing the timings in the example. Assume that we change the original speci cation of the ATM system as indicated in Figure  14 : the transmission of APPROVE AMT takes 4; 7) seconds, the computations of Bank to determine that the amount cannot be approved take 3; 5] seconds, and the transmission of the NOT APPROVED message consumes 4; 7) seconds. The question is now whether these new timing constraints are consistent with the remainder of the timing constraints in the system. Timing analysis in Mesa shows that these timing constraints are in con ict with the 10 second timer setting of T1 in Withdraw and the pre-expiry reset of this timer in RefuseWith. Figure 15 illustrates how Mesa reports the presence of a timing inconsistency by displaying a list of simple loop paths through the hMSC graph that have a timing inconsistency. Mesa allows the user to tag some or all of the timing inconsistent loops in order to localize the timing inconsistencies. In Figure 15 we have tagged the loop # 4, which directly connects Withdraw and RefuseWith. For the ATM system, the timing analysis takes about 10 seconds of runtime on a Sun Sparc Ultra 1 
Conclusion
We have proposed an architecture of a tool for the requirements speci cation and design of reactive systems based on Message Sequence Charts. We have described the Mesa toolset as a partial implementation of this architecture. Mesa is designed to be a research testbed for a large variety of algorithms and methods developed around the MSC notation.
Implementation of Mesa. Currently, we are preparing the public release of version 1.0 of Mesa.
It consists of those parts marked as \currently implemented" in Figure 6 . At the time of writing we have spent approximately 6 man-months on code development for Mesa, excluding basic research e ort. The tool consists of approximately 15,000 lines of C++ and 3,000 lines of Tcl/Tk code. While the system is currently based on Unix Solaris operating system, we intend to port it to a number of di erent platforms. Part of the documentation has been done using OMT 24] object modeling diagrams to accommodate the particular needs of the volatile University environment in which this system is being developed. As an \o -the-shelf" component we used the LEDA C++ library 11] for data structures like graphs and strings. While this has saved us some considerable implementation e ort, the strings attached to the LEDA research licensing will restrict the dissemination in the research community not completely, but to some extent.
Extensions of Mesa. The e ectiveness of the practical use of Mesa hinges upon the reporting mechanism for analysis results. We currently work on extending the timing analysis reporting such that not only the timing inconsistent loops in the hMSC are displayed, but also events involved in timing inconsistent loops together with the amount of timing inconsistency. We will furthermore allow the use of symbolic variables in timing constraints. The reporting of process divergence will be extended by displaying the coordination relation for a given simple loop in the HMSC graph (c.f. 6]). To accommodate the underspeci cation of networking resources and branching synchronization mechanism we will allow the user to specify communication channels including including capacities and history variables as rst suggested in 21]. Removing underspeci cation of these aspects is crucial in generating the code skeletons that we alluded to earlier. We are currently developing algorithms to synthesize SDL and ROOM code. We are also currently implementing the synthesis of Promela code as suggested in 21]. Finally, to support model analysis and simulation capabilities we will pursue two routes: First, the translation into Promela together with the Xspin model checking tool can accommodate for both features. Ultimately we would like to implement a generic simulator and model checker for MSC speci cations based on Mesa, which could be more e cient when based directly on the MSC objects.
