This paper discusses a method for automatic code generation in real-time Java for real-time reactive systems developed in TROMLAB, a rigorous framework for the development of real-time reactive systems. The method is illustrated for the railroad crossing problem, a bench-mark example studied by researchers in real-time systems community. The novelty lies in the creation of generic real-time Java libraries and an implementation model that form the platform on which Java code for any application developed in TROMLAB can be generated.
Introduction
Real-time reactive systems are characterized by two important properties: stimulus synchronization: the process always reacts to a stimulus from the environment;
response synchronization: the time elapsed between a stimulus and its response is acceptable to the relative dynamics of the environment, so that the environment is still receptive to the response.
Examples of such systems include avionic control systems, nuclear reactors and communication network switches. They are among the most difficult systems to design and implement because of their complex functional and timing requirements. Timed Reactive Object Model(TR0M) [2] is a threetiered object-oriented formalism for designing real-time reactive systems. TROMLAB [l] is a framework for a rigorous development of real-time reactive systems that satisfy authoritative TROM specifications. The framework includes components to validate the design through simulation and formally verify the design for safety properties through a formal verifier [6]. This paper presents an automatic code University, Santa Clara, CA 95053, U.S.A *Visiting Professor, Department of Computer Engineering, Santa Clara generation method, adding one more significant component to TROMLAB framework. We provide a methodology for automatic generation of code in real-time Java for reactive systems specified in TROM formalism. We have tested the correctness and efficiency of the code generation method by comparing the manual implementation with the code generated by our method for a generalized rail-road crossing problem, a bench-mark example studied in the real-time systems community.
Abstract Reactive Models
TROM formalism is founded on a three-tiered structure, where the tiers independently specify abstract data types, classes of reactive objects and reactive subsystems. The first tier defines abstract data types as LSL traits [3]. The second tier defines classes of reactive objects; each class corresponds to a TROM model, and may include abstract data types defined in the first tier. A TROM is a finite state machine augmented with ports, attributes, logical assertions on the attributes, and timing constraints. The postcondition associated with a transition leading to a state describes data computations in that state. Postconditions may involve port identifiers and terms from the LSL traits included in the class specification. A port is an abstraction of an access point for communication and is uniquely defined by the set of external events that can occur at the port. An intemal event occurs at the null port of the class. Port condition, if true, signifies the occurrence of an event at a port. An enabling condition is an assertion on the attributes that must be fulfilled for the event received at a port to enable a state change. It is possible to compose TROM classes; however the composed class is not a TROM. The third tier specifies subsystems configured with objects instantiated from reactive classes defined in the second tier. Subsystems may import other subsystems, providing a composition mechanism at subsystem level. The objects in a subsystem communicate using a synchronous message passing mechanism. Timing constraints may be associated with a transition to describe the time-constrained response to a stimulus. All extemal events are shared by objects in a system; however, timing constraints and functionalities are encapsulated within each TROM object.
A Generic Reactive Model
Formally, a generic reactive object is an 8-tuple (P, E , 0, X , C, @, A, Y) such that: P is a finite set of port-types; & is a finite set of events and includes external events, internal events, and the silent-event tick 0 is a finite set of states;
X is a finite set of typed attributes; C is a finite set of LSL traits introducing the abstract data types used in X; @ is a function-vector (as, Gat) Our interest is to generate code for this correct design, thereby testing the correctness of our code generator. The formal specifications shown in Figure 1 , Figure 2 , Figure 3 are taken from their design. The specification of a railroad system with 5 trains, 2 gates, and 2 controllers, in which a controller controls only one gate but a train may cross more than one gate, is shown in Figure 4 . The code for this subsystem is given in the Appendix.
Automatic Code Generation
Automatic code generation is one of the most promising concepts in the software development process, because it allows for design models to retain their usefulness throughout the product's life-cycle. However, automatic code generation is not a deeply researched area. In particular, we have not seen any work reported for generating code automatically from real-time reactive system specifications.
Overview of Implementation Model
The goal of the implementation phase is to automate the code generation process so that the resulting program is correct and efficient. A good implementation must also seamlessly mesh with the design and be resilient to changes in the design. This quality depends upon the expressive power of the programming language that can implement the design notations.
An implementation environment consists of two parts: a programming environment (including a programming language) and a run-time environment (usually an operating system kemel on a specific hardware platform) that supports some (1) An object-oriented language will be used for implementation: (2) Some form of lightweight concurrency unit or thread is supported by the underlying kernel; (3) In TROM model thread synchronization is unnecessary, since there is no shared memory between TROM objects; (4) An asynchronous message passing is supported at least; (5) Priority scheduling is supported; and (6) All memory references are local to a TROM object.
Many major programming languages, such as C++, do not provide any facilities for concurrent programming. Some extended languages, such as Smalltalk, and Java, provide high-level concurrent programming facilities. Communication mechanisms in those languages that support concurrent programming may be different since there is no general standard on the "right" facilities for concurrent programming. Moreover, a program written in a specific programming language may have different behaviors in different operating systems since thread scheduling may depend on the operating system. As a solution to these problems we have developed a real-time run-time library over the programming language chosen for implementing the system. In this library, an object interface for creating a thread and an interprocess communication mechanism are provided. This library facilitates the system to run exactly the same manner in different operating systems.
Real-time Reactive Model An implementation level reactive model that makes a reactive system behave identically in different operating systems is shown in Figure 5 . In this model, a super thread has the highest task priority. It controls task scheduling and message passing of other threads. Every thread controlled by the super thread is a TROM reactive ob-
ject. When a thread wants to send an event to another thread, it sends the event to the outgoing message queue. The super thread sends this event to the inner event queues of both the sender and the receiver, and then decides the execution sequence of threads. Once the algorithms for task scheduling and message passing are prescribed, the behaviors of reactive systems will become independent of the features of any programming language and operating system. A global clock is defined in the model for providing a logical clock to every thread. TROMs is based on synchronous message passing, also known as rendezvous. Therefore, the sender of a message should react with this message after the receiver of this message finishes its reaction in response to this message, or both the sender and the receiver should react together. Moreover, occurrences of messages in the system are partially ordered. This implies that it is necessary for the scheduling algorithm to satisfy the requirement of synchronization and maintain the partial order of messages. We use a non-preemptive dynamic scheduling algorithm that enforces synchronous message passing. Since the partial ordering on events should be maintained in the execution order, a time constrained event in an execution order will always be executed in order to satisfy its time constraints before executing unconstrained events.
Mapping TROM Models into Real-Time Environment In order to seamlessly mesh the design with the implementation we have conceived a three-tiered implementation framework. These tiers respectively correspond to the three levels in the design formalism: the lower tier implements Abstract Data Model, the middle tier implements Timed Reactive Object Model and the top-most tier implements System Configuration Specification. The implementation of the three tiers can be done in parallel, provided we follow the important design rule separation of concerns in the implementation level as well.
Abstract Data Type Implementation An abstract data type can be defined as a trait in Larch Shared Language (LSL).
Given the level of abstraction of a trait, a direct implementation of an abstract data type from its trait specification will result in a non-standard implementation. That is, different implementations may be produced by different programmers for the same trait. Consequently, an implementation of the middle tier cannot begin until the implementation of the first tier traits are completed. To standardize the implemented behavior of abstract data types and to promote non-interference with the implementation work at the other levels, we provide interface specifications and function specifications written in the programming language of the implementation before the implementation begins. We exploit the interface specification tier of Larch, called Larch Interface Language (LIL) tier, to achieve our goal. The specification of a function in the interface documents its behavior. This can be understood without reference to other functions in the interface. TROM Implementation Model A formal definition of TROM, as given in Section 2.1, is an 8-element description of its structure. But not all of them are the attributes of a TROM reactive object in the implementation level, since some of the elements, such as attribute functions, a set of events and a set of traits, describe the implied properties. Therefore in our implementation model a TROM object consists of only a set of ports, a set of states, a set of typed attributes, a set of transitions, and a set of time constraints. System Implementation and Refinemennt Every reactive object in the SCS is created and initialized. The interaction relationship between objects and a super thread for the system are provided. The class PortPara provides the interaction relationship between the reactive objects.
High Level Behavior
Three forms of constrained inheritances based on subtyping, such as behavioral inheritance, extensional inheritance, and polymorphic inheritance are defined in [l] . These refinements correspond to behavior preservation, context-free substitutability, and context-sensitive substitutability of the subclass with respect to the superclass. Whenever the code generator fails to generate the code corresponding to a design, it only suggests that the design lacks sufficient explicit information. A remedy is to refine the design and then rerun the code generator. No change to the code generator is necessary because the major behaviors of the design refinements are accounted for in the current implementation. The allowed design refinements and their implementation (in italics) are as follows: (1 We have developed a simple LarcWJava interface language to serve as LIL for the abstract data type implementation.
Based upon the relationship between C++ and Java, we have designed the syntax and semantics of Larch/Java language from Larch/C++ [5]. Figure 6 shows the interface specification for Set data type in Larch/Java. The functions insert, delete, member, size, and isEmpty are LSL terms. The LSL trait for Set is borrowed from [I] . The syntax of LarcNJava is a combination of two styles: the first style has Java notation for declaring names and functions; the second style has Larch/C++ notation for describing the behavior of the functions. The statements that begin with "\\ @" can be regarded as comments in a Java program, and as informal explanation of functions in the interface file. Thus LarcNJava notation increases the reusability of abstract data types and decreases the association between Abstract Data Type Implementation in a postcondition, which is a conjunction of predicates, the execution order of functions corresponding to the conjuncts should be such that the behavior is preserved. For example,
where Q is a queue, specifies that the first member of the queue is copied in A and then the first member is deleted from the queue Q.
Assume that LIL functions head and jail correspond to the signatures head and tail. The predicate A' = head(Q) can be translated to A = Q.head(), and the predicate Q' = tail(Q) can be translated to Q.tail(). To preserve the intended behavior, the functionA = Q.head() should be executed before executing the function Q.tail(). So we must assure that the code for A' = head(Q) is generated before the code for Q' = tail(Q) is generated. and TROM Implementation Model. Automatic code generation is simplified if function names are not overloaded in the interface specification.
Code generation cannot be automated when the predicates do not explicitly provide sufficient information for an imple-
mentation. The predicate inset' = i n s e r t b i d , i n s e t ) ex-
The code for a TROM specification is generated in four parts: transition class generation, state class generation, reactive class generation, and system class generation.
Transition Class Generation Transition classes are subclasses of the class Transition. The predicates in a postcondition implicitly describe the action associated with a transition. Program code for an action is an operational translation of these predicates. Moreover, the port-condition and the enplicitly states the modification of the attribute i n s e t due to the invocation of the operation corresponding to the abstract term insert. However, the predicate member (pid, inset') implicitly asserts the same action, but provides no clue to implement the operation that produces the modification. To force explicit specification, the postcondition conform to the grammar shown in Table   abling condition from a transition are translated to provide the choice points in the program description. To transform assertions which compare attributes we replace the design attributes in TROM specification with attributes defined in TROM implementation within the syntax of Java. er' = pid + ((Train) 
crc).cr = ( ( T r a i n ) c r c ) . P I D ;
Although the two predicates have the same operator "=", the generated codes are different: "=" in a precondition should be interpreted as equality predicate, and in a postcondition it should be interpreted as assignment. Transforming an assertion in which abstract data type signatures occur is more complicated. First, we have to find out which function in LIL corresponds to the signature used in the predicate. Second, we have to translate the signature to a function call. The relationships between parameters of the function and parameters of the signature must be established.
Both port-condition and enabling condition may contain disjunctions and conjunctions; they do not modify attribute values. However, a postcondition cannot contain a disjunction, but may modify attribute values. For example, the postcondition A' = 1 V A' = 2 non-deterministically modifies the attribute A, and consequently no code for a deterministic computation can be generated. In transforming predicates Reactive Class Generation A reactive class is a subclass of Common Reactive Class (CRC). Generating a reactive class is to translate attributes in TROM design model into data members of this reactive class and generate the code for adding ports, states, transitions, and time-constraints into this reactive class. The algorithm is shown in Figure 7 .
System Class Generation A reactive system consists of a group of reactive objects. The code for a system class defines the communication links between reactive objects and initializes them. An algorithm for generating system class from a SCS specification is shown in Figure 8 . 
Implementation of Train-Gate-Controller
The AST of the Train-Gate-Controller design given in Section 3 is input to the code generator, which then extracts the information on abstract data types. TROM objects, and the subsystem. The code generator generates Java code for implementing Set from its interface and behavior specifications ( Figure 6 ). The code generator generates code for transitions, states, and time constraints for each reacive class. Code generated for Train class is given in the Appendix. The code for implementing the reactive objects in the subsystem inherits the code from respective classes. The code generated for the railroad system with 5 trains, 2 controllers, and 2 gates is shown in the Appendix. The code generated by our methodology scales up -we have experimented with a large railroad system with 20 trains, 5 controllers, and 5 gates.
Conclusions and Future Work
Real-time reactive systems are time-critical. Hence efficiency of implementation is more important than in other systems. Responding to situations where all the timing constraints cannot be met and meeting the timing requirements that may change dynamically are two of the most difficult issues to satisfy in an implementation. In practice, it is impossible to design and implement systems which will guarantee that the appropriate output will be generated at the appropriate time under all possible conditions. In this paper we have not considered factors such as processor speeds and spare resources in order to ensure that "worst-case behavior" do not produce any unwelcome delays. We have focused on two major implementation issues: 0 using Real-time Java as a high-level implementation language TROM specifications 0 automating the code generation in Real-time Java from
The correctness of the generated code with respect to the TROM specifications are informally justified through the mapping between the models in the specification tier and the models in the implementation tier. The logic behind the algorithms that generate code from the specifications closely follow the operational and logical semantics of TROM. Since a formal proof of correctness may be too hard to achieve we are planning to test the generated code against the specification.
The language Java is a natural choice of implementation for the following reasons: (1) it fits with the rest of the tools in TROMLAB framework (2) The design notation is objectoriented and Java is a pure 00 language. This makes the mapping of the design constructs to the language constructs, in an automatic code generation exercise, easy to comprehend, maintain, and verify. (3) The program is independent of the hardware on which it runs; however the hardware resources that the program should manipulate (such as environmental objects) are closely tied to the program behavior. (4) The modularity that is present in the design is preserved in the implementation model. Consequently, it is easy to identify the component in the implementation that can be tested with test data associated with the test templates generated from a design specification component. In addition to unit testing, concurrent and communicating sequential activities can be tested with the test templates generated from the subsystem configuration specification for which the unit under test is the implementation.
