Towards a verified transformation from AADL to the formal component-based language FIACRE

O

pen

A

rchive

T

OULOUSE

A

rchive

O

uverte (

OATAO

)

OATAO is an open access repository that collects the work of Toulouse researchers and

makes it freely available over the web where possible.

This is an author-deposited version published in : http://oatao.univ-toulouse.fr/

Eprints ID : 14914

To link to this article : DOI :10.1016/j.scico.2015.03.003

URL : http://dx.doi.org/10.1016/j.scico.2015.03.003

To cite this version : Bodeveix, Jean-Paul and Filali, Mamoun and

Garnacho, Manuel and Spadotti, Régis and Yang, Zhibin Towards a

verified transformation from AADL to the formal component-based

language FIACRE. (2015) Science of Computer Programming, vol.

106. pp. 30-53. ISSN 0167-6423

Any correspondance concerning this service should be sent to the repository

administrator: staff-oatao@listes-diff.inp-toulouse.fr

Towards

a

verified

transformation

from

AADL

to the formal

component-based

language

FIACRE

Jean-Paul Bodeveix

a

,

Mamoun Filali

a

,

Manuel Garnacho

a

,

Régis Spadotti

a

,

Zhibin Yang

a

,

b

a_{IRIT-CNRS,UniversitédeToulouse,Toulouse,France}

b_{CollegeofComputerScienceandTechnology,NanjingUniversityofAeronauticsandAstronautics,Nanjing,China}

a

b

s

t

r

a

c

t

Duringthelastdecade, aadl isanemergingarchitecturedescriptionlanguagesaddressing the modeling of embedded systems. Several research projects have shown that aadl conceptsarewellsuitedtothedesignofembeddedsystems.Moreover, aadl hasaprecise executionmodelwhichhasprovedtobeonekeyfeatureforeffectiveearlyanalysis. Inthispaper,weareconcernedwiththefoundationalaspectsoftheverificationsupport for aadl. More precisely, wepropose a verification toolchain for aadl modelsthrough itstransformationtothe Fiacre languagewhichisthepivotverification languageofthe TOPCASED project: high level models can be transformed to Fiacre models and then model-checked.Then, weinvestigatehowtoprovethecorrectnessofthe transformation fromAADLinto Fiacre andpresentrelatedelementaryingredients:thesemanticsof aadl and Fiacre subsetsexpressedinacommonframework,namelytimedtransitionsystems. Wealsobrieflydiscussexperimentalvalidationofthework.

0. Introduction

Today, it is acknowledged that the design phase of critical systems is an important challenge. In this context, the AerospaceValleyWorldCompetitivenessClusterAESE[3](AéronautiqueEspaceetSystèmesEmbarqués)togetherwith sev-eralaerospaceandspatialactorsfromindustryandacademyhavejoinedtheireffortstodevelopmethodsandtoolsforthe newgenerationofsafesoftware.TheTOPCASED[43]projecthasbeenoneofthemainprojectswithinthisinitiative.

Inordertoaddressarchitecturalaspects ofthedesignphase,theTOPCASEDprojecthasadoptedthe aadl (Architecture andAnalysisDesignLanguage) language. aadl isan architecturedescription languagewhich addressesbothsoftwareand hardwareaspectsofthesystem.IthasbeenusedespeciallyintheavionicsdomainandisnowastandardoftheSAE[38].

Asafety-criticalsystemisoftenrequiredtopassstringentqualificationandcertificationprocessesbeforeitsdeployment andprovide sufficiently strong evidence of its correctness. Moreover, our aim is also to go beyond usual schedulability analysis(RateMonotonicAnalysis,RMAforshort)andconsidertimed-behavioranalysis.Forthispurpose,an aadl modelis oftentransformedtoanotherformal modelforverificationandanalysis.Examplesofsuch transformationsare numerous: translations toBehavior Interaction Priority(BIP)[11],to TLA+ [35],to real-time process algebra ACSR [41],to IF [1], to Real-TimeMaude[33],toLustre[28],toPolychrony[32],etc.Thegoalofsuchatranslationistoreuseexistingverification andanalysistoolsandtheirformalmodelofcomputationandcommunicationforthepurposeofvalidatingthe aadl models.

E-mailaddress: filali@irit.fr (M. Filali). http://dx.doi.org/10.1016/j.scico.2015.03.003

Within theTOPCASED project,the Fiacre language has beenintroduced asan intermediate formalism between high-level modelinglanguages(aadl, SDL,UML, etc.)andverificationengines(CADP, TINA).We verifyfunctional andreal-time propertiessuch asschedulability andtimelinesspropertiesofAADL modelsthrough their transformationto Fiacre.Thus, wepresentherethetransformationfrom aadl to Fiacre.

Inthispaper, weare concernedwiththe foundationalaspects oftheverificationsupportfor aadl.More precisely,we proposeaverificationtoolchainfor aadl modelsthroughits transformationtothe Fiacre language[16]whichisthepivot verificationlanguage of theTOPCASEDproject:highlevel models canbe transformed to Fiacre modelsandthen model-checked.Then, we investigatehow toprove thecorrectness ofthetoolchain andpresentrelatedelementary ingredients: the semanticsof aadl and Fiacre subsetsexpressedin acommonframework, namelytimedtransitionsystems (TTS). Al-thoughall thematerialpresentedinthispaperhasbeenexperimentallyappliedandvalidated,we remarkthatafull aadl verificationenvironmentisalong-termgoal.

Ourworkshouldbeconsideredasacontributiontothestudyofthefollowingpoints:

•

Thechoiceofconcepts,techniquesandtoolsforexpressingtransformationsofreal-timemodelsandtheirvalidation.

•

Thearchitecture ofan aadl verificationtoolchain,basedontheintroductionoftheextension Fiacre∗_{of Fiacre andof}

areal-timelibraryusedtoencode aadl executionmodel.

•

Thesemanticsofasubsetofthe aadl executionmodelandofthetargetlanguage Fiacre.

Therestofthispaperisorganizedintwoparts:Part1isdedicatedtotheverificationof aadl modelsbytransformation to Fiacre.Section 1introduces themainlanguageswe areinterestedin: aadl and Fiacre.Section2 givesanoverviewof thetranslationprocessfrom aadl to Fiacre. Part2isdedicatedtosemanticsaspects relatedto thetransformationofPart 1.Section 3isan overviewofthesemanticsdomains thatwill beused.Section 4givesthe Fiacre kernelmechanization. Section 5details themechanization oftheconsidered aadl subset.Section 6discusses howtoverifythecorrectnessof a transformationbyabisimulation.Afterdiscussingsomerelatedworks,wedrawaconclusion.

Part1. AADLto FIACREtransformation

Thispartdescribessomeelementsofthetoolchainaimingatverifying aadl models.Itisbasedonanexistingreal-time modelcheckingtoolboxtakingasinput Fiacre models.Forthispurpose, aadl modelsaretransformedto Fiacre models,thus defining aformalsemanticsfor aadl.Inthefollowing,wefirstpresentthesubset of aadl acceptedbythetransformation. Then, wepresentthe Fiacre language,whichistheentrypointforthemodelcheckingtoolbox, andits extension Fiacre∗

which provides genericity anditerated constructsused to define a real-time libraryof aadl protocolsintroduced by the aadlexecutionmodel.Weconcludethispartwithapresentationofatranslationfrom aadl to Fiacre.

1. AADLand FIACRE

Thissectionpresentsanoverviewofthe aadl languageandofthesubsetweconsiderformodel-checkingpurpose.Then, thetargetlanguage Fiacre isintroducedtogetherwithitsextension Fiacre∗_.

1.1. aadl

In this section, we present the aadl hardware andsoftware component categories. Then, we elaborate the language subsetthatwewillconsiderformodelchecking.

1.1.1. Overviewofthe aadllanguage

aadldescribesasystemasahierarchyofsoftwareandhardware components.Itoffersa setofpredefinedcomponent categoriesasfollows:

•

Softwarecomponents:thread,subprogram,dataandprocess.

•

Hardwarecomponents:processor,memory,bus,device,virtualprocessorandvirtualbus.

•

Systemcomponentswhichrepresentcompositesetsofsoftwareandhardwarecomponents.

Acomponentisdescribed byitstype anditsimplementation.Thetype specifiesthecomponent’sexternalinterface in terms of features. Features can be ports, server subprograms or data accesses dependingon the chosen communication paradigm. Implementations specify the internal structure of the components in terms of a set ofsubcomponents, their connections, modesthat representoperational statesofcomponents, andpropertiesthat support specializedarchitecture analysis.

However, systembehaviorsdonot onlyrely onthe structuredefinedby thecomponents described abovebutalso on theruntimeenvironment(like operatingsystemorvirtualmachine)[15]. aadl offersanexecutionmodelthatcoversmost of theruntime needs ofreal-time systems through (1)a set ofexecutionmodel attributesthat can be attachedto each aadldeclaration,such asthreaddispatchprotocols,communicationprotocols,schedulingpolicies,mode changeprotocols,

thread implementation t _ s e n d e r . i subcomponents v : data V . i ; annex b e h a v i o r _ s p e c i f i c a t i o n { ∗∗ s t a t e s s t : i n i t i a l complete s t a t e; s f : complete s t a t e ; t r a n s i t i o n s s t −[on a ’ count = 0]→s t { v . b : = t r u e ; d ! ( v ) ; computation( 1ms, 2ms ) ; }; s t −[a ? ( t r u e )]→s f ; s t −[a ? ( f a l s e )]→s t { v . b : = t r u e ; d ! ( v ) ; }; s f −[on a ’ count = 0]→s f { v . b : = f a l s e ; d ! ( v ) ; computation( 1ms, 2ms ) ; }; s f −[a ? ( f a l s e )]→s t ; s f −[a ? ( t r u e )]→s f { v . b : = f a l s e ; d ! ( v ) ; }; ∗∗ }; end t _ s e n d e r . i ;

Fig. 1.Behavior annex of the sender in the alternating bit protocol.

Fig. 2.The alternating bit protocol in aadl.

partitionmechanisms,etc.;and(2)anexecutionmodelthatusestheseattributestodescribetheruntimebehaviorof aadl models.

Moreover, the behavior annex [39] describesmore precisely the behaviorsof threads andsubprograms. The behavior annexhasanindependentsyntaxandsemantics.Asanexample,Fig. 1illustratestheuseofthebehaviorannextodescribe thesenderthreadactivityofthealternatingbitprotocol[30].Theprotocolsendsataggedbooleanmessageonchannel d and waitsforan acknowledgmentonchannel a.Ittransitsfromthestates st to sf andconverselyiftheawaitedacknowledged tagis received.Ifnoacknowledge hasbeenreceived themessageis sentagain. Thisoperation issupposed totake some durationbetween1and2milliseconds.Thisbehaviorisrepeatedateachperiodofthethread.

1.1.2. Theconsideredsubsetof aadl

aadlexecutionmodelhassynchronousandasynchronousaspects[38,13,12].A synchronousexecutionmodelisobtained by consideringlogically synchronizedperiodic threads communicating throughregisters (or sharedvariables)atfixed in-stants.Intheasynchronousone,itisalsopossibletoraiseevents,tospecifysporadicandaperiodicthreads,communication throughsharedvariables,andremoteprocedurecalls,etc.Inthispaper,formodelcheckingpurposes,weconsiderasubset ofthesoftwarepartof aadl,illustratedbyFig. 2.

Periodic&sporadicthreads aadlsupportstheclassicalthreaddispatchprotocols:Periodic,Sporadic,Aperiodic,Timed,Hybrid

andBackground.PeriodicandSporadicdispatchprotocolsareconsideredinthispaper.Severalpropertiescanbeassignedto thesethreads,suchas:aperiodgivenbythePeriodpropertyintheformofPeriod

⇒

100 ms,executiontimethroughthe

Compute_Execution_Timeproperty orthe

computation(BCET,

WCET)

statement ofthebehavioralannex,andDeadline. Bydefault,whenthedeadlineisnotspecifieditequalstheperiod.AthreadmayalsobeassignedaPrioritythatisusedby theschedulingprotocol,supposedtobefixedpriority.

Ports A threadhas input portsandoutput portsforreceiving andsending messages. aadl defines threetypes ofports: data,eventandeventdataports. Eventandeventdataportssupportqueueingbuffers, urgencycanbe associatedtosuch ports,butdataportsonlykeepthelatestdata.

Port-basedcommunications Portconnections linkports, such asdata,eventandeventdataports, toenable theexchange ofmessagesamongcomponents.Inordertoensuredeterministic datacommunicationbetweenthedataportsofperiodic threads, aadl offers two communication protocols: Immediate andDelayed. For an immediate connection, the execution ofthe recipientthreadissuspended untilthesending threadcompletes itsexecutionwhenthe dispatchesofsender and receiver threadsare simultaneous.Fora delayedconnectiontheoutput ofthesending threadis nottransferred untilthe sendingthreaddeadline,typicallytheendoftheperiod.Notethattheyhavenotnecessarilythesameperiod,whichallows over-samplingandunder-sampling.Apotentiallynondeterministicmodelcanuseshareddataorevent-based communica-tionswheremessagesmaybesentatanytimeduringtheexecutionofathread.Suchmessagesmaybebuffereduntilthe

Queue_Size limit associatedto in event(or eventdata) ports. Overflows can be managed accordingto the Overflow_Han-dling_Protocolbyeitherdeletingthenewestortheoldestmessage,orbysignalinganerror.

Shareddata aadlcomponents can communicate throughshared data.Such data isdeclared indata subcomponents and linked tothreads via dataports. Theaccessto shareddatacan becontrolled by theConcurrencyControlProtocol property sothatexclusiveaccesscanbegrantedtosome threads.However,thisdeclarationisnotsupportedbyourtranslation.The mostpessimisticbehaviorisconsideredwhereinterleavingbetweenthreadsofidenticalprioritymayoccuratanytime.

Behaviorannex aadldoesnotsupporttheexpressionoftheprecisebehaviorofthreads,whichissupposed tobedefined usingtheimplementationlanguage(C,Ada)andisthushardtoanalyze.ThisbehaviorisabstractedbyitsWCETinorderto performtiminganalysisforexample.Inordertoallowmoreprecisedatadependentanalyses,thebehaviorannexhasbeen proposed.Thisannexdescribesthroughanextendedtransitionsystembasiccomputationandportaccesses,thusdescribing an abstractview oftherealbehaviorofa subprogramora thread.Thebehaviorannex canthus benondeterministicand cancontainWCETinformationrelatedtofullyabstractedcomputations.

1.2. Fiacre

Fiacreisaformalspecificationlanguagedesignedtorepresentbothbehavioralandreal-timeaspectsofconcurrent sys-tems.Ithasbeendesignedtosupportefficientmodelcheckingoflinearorbranchingtimepropertiesthroughitstranslation toTimePetriNets. Fiacre definestwobasicconcepts:

•

Processesthatdescribethebehaviorofsequentialcomponents.Aprocessisdefinedbyasetofcontrolstates(or loca-tions),eachassociated witha pieceofprogrambuiltfromdeterministicconstructsavailable inclassicalprogramming languagesornondeterministicconstructsforspecificationpurposes.

•

Components that describe the composition of processes.A component is defined asa parallel composition of com-ponents and/or processes communicating through synchronous communicationchannels[24] (componentports) and throughsharedvariables.Thenotionofcomponentalsoallowstorestricttheaccessmodeandvisibilityofshared vari-ables andports,to associatetimingconstraints(time intervals)withcommunications,andtodefine prioritybetween communicationevents.

Amorecompletepresentationof Fiacre canbefoundinthecompanionpaper[44].

1.3. Fiacre∗

Fiacre∗ is a syntacticextension of Fiacre designedto help writinggeneric librariesof protocolsasfor example com-municationandschedulingprotocolsusedby the aadl runtime.Ithelpsalsotoeaseaonetoonetranslationofhighlevel languagesto Fiacre.Theseextensionscoverthefollowingpoints:

•

Genericity:processesandcomponentscanbeparameterizedbytypes,constantsortypeconstructors.

•

Arraysofports:aprocess orcomponentcanbe parameterizedby anindexedfamilyofportsthusallowingtoconnect itthroughone-to-oneconnectorswithanunknownnumberofprocesses.

•

Indexed selection andindexed parallel operator:these n-ary Fiacre operatorsare extended to supportan undefined numberofstatements(resp.sub-components).

•

Universalandexistentialquantification:thisistheindexedcounterpartofthebinaryconjunctionanddisjunction oper-ators.

•

Multiplexedports:thisextensionallows topassaseffectiveparametera setofportswhen auniqueport isrequired. Synchronizationwillbeperformedwithoneoftheseports.

Notethat,indexedconstructsareclosetotheoneintroducedinCSP[24]. 2. FromAADLto FIACRE

Inthissection,wepresentanoverviewofaModeltoTexttranslationofasubsetof aadl to Fiacre∗_{.Morespecifically,this}

Table 1

Overviewofstructuralcomponentmappingbetween aadl and Fiacre∗_.

aadl Fiacre∗

system component

process ∅

thread process

event data port port+variable

data port variable

data record

Table 2

Overviewoftypemappingbetween aadl and Fiacre∗_.

aadl Fiacre∗

behavior:integer int

behavior::bool bool

Data record

thestructuralandbehavioralaspectsofthetranslation.Thenwepresentalibraryof Fiacre∗_{componentstomodelthe aadl}

runtime.Finally,weconcludewithabriefpresentationofaprototypeimplementationforthistranslation.

2.1. Overviewofthetranslation

aadlsystemsarecomposedofavarietyofdifferentcomponentsnestedwithinone another.The Fiacre∗ _languagealso

offers components,though more primitivethan their aadl counterparts. In the considered aadl subset, atypical system isrepresented asa composition ofprocesses andthreads. Communication is achievedthrough ports. Shared dataaccess betweencomponentsisalsosupported.Table 1summariesthestructuralmappingbetween aadl componentsand Fiacre∗

components.Note that the translation doesnot preserve the hierarchyof the componentcomposition. Forinstance, the notionof aadl process isabsent in the Fiacre∗ _{translation.Consequently,the resulting Fiacre}∗ _{systemcan be seen asa}

flattened aadl systemwhereonlyendpointsarepreserved.

Intheremainingofthissection,wedescribesuccinctlythetranslationforthemain aadl componentsoftheconsidered subset,namely Data, Thread and System.

Data components are translatedto a record type in Fiacre∗_{. Eachsubcomponent in a Data component is mapped to}

a field in the resulting record and the translation continues recursively on each Data subcomponent. Mapping of types betweenbothlanguagesissummarizedinTable 2.

A Thread istranslatedtoa Fiacre∗ _{process.Eventports,sharedandlocalvariablesdeclaredinthe Thread aresomewhat}

preservedduringthetranslation.InSection2.2.1wegiveamoredetaileddescriptionofthistranslation.

Finally,a System instanceistranslatedtoasingle Component (seeSection2.2.3)in Fiacre∗ _{mainlycomposedof:}

•

portdeclarationswithtimingconstraints

•

variabledeclarations

•

parallelcompositionofprocesses

2.2.Thetranslation

Nowthatwe knowmoreaboutthemappingofcomponentsfrom aadl to Fiacre∗_{,weshalldetailhowtheinnerparts}

of aadl components are translated. Note that both structuraland behavioralaspects of aadl components are takeninto account.In thefollowing, we onlyconsider Thread and System components becauseevery componentin-between is not preservedbythetranslationprocess.

2.2.1. Threads

Asmentionedbefore,an aadl Thread istranslatedtoa Fiacre∗ _{process.However,fewdetailshavebeengivenregarding}

thecorrespondencebetweena Thread interfaceandimplementationwiththeresulting process.First,wepresentthe trans-lationoftheinterfaceofa Thread (mainlycomposedofport declarationsanddispatchprotocol)thenwegiveanoverview ofthetranslationofitsimplementation,namelytheBehaviorAnnex.

A process headeriscomposedofportdeclarationsfollowedwithargumentdeclarations.Argumentsmaybe passedby valueorbyreference,thusenablingsharedvariables.Notethatdifferenttranslationrulesapplywhenthedispatchprotocol ofathreadiseitherperiodicorsporadic.Fig. 3describestheportmappingsforathreadineachcase.Inthefollowing,we shallmainlycommentonFig. 3andemphasizethedifferencesbetweenbothdispatchprotocols.

Ontheonehand,considerthefirstmappingfortheperiodicthread.Eachoutgoingevent(data)portismappedtoboth aportandasharedvariable.Theportisusedtoperformsynchronizationwhereasthesharedvariablecontainsthedatato

Fig. 3.Ports mapping for periodic and sporadic threads.

betransmitted.However,incomingevent(data)portsareonlyrepresentedwithsharedvariables.Thisisjustifiedbythefact thatincomingdataisonlyavailableatdispatchtime(following aadl semantics),thusthereisnoneedtosynchronizeport communicationwithintheprocessitself.Notethatthesynchronizationshalltakeplaceatthegloballevelviaportcontrollers. Inaddition,the process interfaceisextendedwithfouradditionalportstoconformwiththe aadl threadexecutionmodel where:

•

d:dispatcheventport

•

e:executeeventport

•

c:completeeventport

•

dl:deadlineeventport

On theother hand,thetranslation procedure isslightlydifferent whendealing withsporadic Threadsince a dispatch eventmaybetriggeredbyacommunicationonanyincomingevent(data)port.Asaresult,thedispatchport d carriesthe identityoftheincomingevent(data)port.Thisismodeledin Fiacre∗_{by givingatype}

_τ

_{totheport d where}

_τ

_isdefined

asthesumofall incomingevent(data)ports.Forinstance,givenincomingeventandeventdataportse1

,

e2

,

ed2

,

ed3 the

type

τ

isdefinedas uniontype e1

|

e2

|

ed2

|

ed3end.

Finally,each dataport(incomingoroutgoing),independentlyofthe dispatchprotocol, ismappedtoa sharedvariable. ThiscaseisomittedinFig. 3.

2.2.2. Behaviorannex

The Behavior Annex (BA) allows to attach a behavioralspecificationto aadl components. Thisspecification ismainly expressed withastate/transition automatondecoratedwithactionsandcommunications(see Fig. 1). Intheremaining of thissection,wepresentanoverviewofthetranslationofthisautomaton.

Localvariables Inadditiontodatasubcomponents,theBAoffers thepossibilitytodeclarelocalvariables.Thus,eachdata subcomponentandeachlocalvariableintheBAismappedtoalocal process variable(var declarationin Fiacre∗_).Thetype

Fig. 4.Graphical representation of a 2-state behavior annex specification to Fiacre∗_.

Automatontranslation InFig. 4,wegiveagraphicalexampleofthetranslationofthestate/transitionautomatonto Fiacre∗_.

Note that the translation is almost direct as the Fiacre∗ _{language offers syntactic constructs that are close to the ones}

definedintheBA. Atthe processlevel,we haveto dealexplicitlywiththe threadexecutionmodel,thereforethe thread automaton

A

T is embedded within alarger automaton

A

P that specifiesthe interactions withthecommunicationports d, e, c and dl. Initial statesof

A

_T aremoved to thedispatchstates (sfd andstd) in

A

P andterminal statesaremoved to

completestates(sfc andstc)in

A

P.Finally,thegenerationofthe Fiacre∗ automatoniscompletedbytranslatingguardsand actionsofeachtransition.

2.2.3. Maincomponentgeneration

Thefinalstepofthetranslationconsistsingeneratinga Fiacre∗_{Componentmodelingthe aadl System instance.} Notations Asmentioned before,thetranslationtakes asinput an aadl model andproducesan Fiacre∗ _{source file.In an}

attempttogiveasomewhatformalpresentationweintroducesomenotations.

Text written witha sans-seriffontrefers to the target language, namely Fiacre∗_{.Expressions enclosed in brackets}

_[

_]

_,

calledprintersareexpandedas Fiacre∗ _{sourcecodeaspartofthetranslationprocess.Tosummarize,any string expressions}

maybeusedasaprinter

[

s

]

.Inthefollowing,wepresentsome extensionsonprintersinordertoworkwithcollectionof values.

GivenaniterablecollectionC

= {

c1

,

. . . ,

cn

}

andaC-indexedfamilyoffunctions f,alsodenotedas[ fc

|

c

∈

C ] tomake explicit itsindexset,wewrite[ fc

|

c

∈

C]⋆fortheprinter whichexpandseachelement c

∈

C with f separatedby

⋆

.For

example,theexpressionbelowisexpandedasfollows:

[ fc

|

c

∈

C]⋆

❀

£

fσ(c1)

¤ ⋆ £

fσ(c2)

¤ ⋆ · · · ⋆

£

fσ(cn)

¤

whereC

= {

c1

,

. . . ,

cn

}

and

σ

∈

Sn isaninternally chosenpermutationof

{

1

,

. . . ,

n

}

.Asa result,theorderofexpansionis notspecified.

WhenthecollectionC isorderedoverarelation

¹

,writtenC¹,theexpressionbelowisexpandedas:

£

fc

|

c

∈

C¹

¤

⋆

❀

£

fc1

¤ ⋆ £

fc2

¤ ⋆ · · · ⋆

£

fcn

¤

giventhatc1

¹

c2

¹ · · · ¹

cn.

Inaddition,wedefinethe

⊕

operatoras:

[ fa

|

a

∈

A]

⊕

[ gb

|

b

∈

B]

,

·

x

7→

½

fx if x

∈

A gx if x

∈

B

|

x

∈

A

⊎

B

¸

Finally,wenote

T

forthesetofthreadsinan aadl system,andgivenathreadt wenote

P

t thesetofitsportsand

D

t itsdataaccessfeatures.

Variabledeclarationsection Each port declared on a thread is associated with a variable in order to desynchronize port communication(sender/receiver)toconformto aadl semantics.Variablesarealsousedtoimplementdataaccess.Thus,for eachdatasubcomponentthatprovidesadataaccessweassociateavariable.Finally,allthesevariablesaresharedbetween processesandcontrollers.

Portdeclarationsection Portsaredeclaredinasimilarfashionasvariables.Themaindifferenceliesinthefactthattiming constraintscanbeassociatedtoeachport.Forexample,theportdeclaration p

:

τ

in

[

a

,

b

]

specifiesthat phastype

τ

with atimingconstraintof

[

a

,

b

]

.Inthecontextofthistranslation,timingconstraintsareusedtomodelthe Period and Dispatch propertiesassociatedtothreads,asdescribedinFig. 5.

componentmain var £ varp:τp|t∈ T ∧p∈ Pt¤, [ data_accessd:τd|t∈ T ∧d∈ Dt] port

[ dispatcht:none in[0,0] |t∈ T ],[ executet:none in[0,0] |t∈ T ], [ completet:none in[0,0] |t∈ T ],[ deadlinet:none in[0,0] |t∈ T ], [ wait_periodt:none in[periodt,periodt] |t∈ T ],

[ wait_deadlinet:none in[deadlinet,deadlinet] |t∈ T ∧has_deadline(t)], [ portt:τin[0,0] |t∈ T ] priority £ dispatcht|t∈ T¹d ¤ >, £ deadlinet|t∈ T¹d ¤ >, £ executet|t∈ T¹π ¤ >, [ deadlinet|t∈ T ]|>[ dispatcht|t∈ T ]|, [ dispatcht|t∈ T ]|>[ executet|t∈ T ]|, ([ wait_periodt|t∈ T ]⊕[ wait_deadlinet|t∈ T ]⊕[ pt|t∈ T ∧p∈ Pt])| > ([ dispatcht|t∈ T ]⊕[ executet|t∈ T ]⊕[ pt|t∈ T ∧pt∈ Pt])|, [ wait_periodt|t∈ T ]> >[ wait_deadlinet|t∈ T ]>>[ pt|t∈ T ∧p∈ Pt]> par* in [hti (. . .) |t∈ T ]k

k [hperiodic_controllerti (. . .) |t∈ T ∧is_periodic(t)]

k [hsporadic_controllerti (. . .) |t∈ T ∧is_sporadic(t)]

k [hurgency_controllerti (. . .) |t∈ T ∧is_sporadic(t)∧has_urgency(t)]

k £ ­

port_controllerp® (. . .) |t∈ T ∧p∈ Pt¤

k hscheduleri (. . .) end

Fig. 5. Fiacre∗_{component definition.}

Portprioritiessection In addition to timing constraints, prioritiescan be specified on port-based communications. Fig. 5 contains an exampleofsuch specification.Some prioritiesarespecifiedto conformtothesemantics ofthe aadl runtime, forinstance,dispatch eventsaremeant to bebefore executeevents andassuch, are declaredwitha higherpriority. We write

£

p

|

p

∈

P¹p

¤

foranarbitrarytotalorder

¹

pamongportsintheset P .Sucharbitrarytotalordersareusedtoprevent state spaceexplosion formodel-checking basedverification. A specialtotal order

¹

π is usedto orderportsaccording to thethreadpriorityproperty(SEI::Priority).Finally,we write[ p

|

p

∈

P ]|

>

[ q

|

q

∈

Q ]| tospecifythatanyportin P hasa

greaterprioritythananyportinQ.

Portcontrollers Eachportdeclared attheinterface levelofan aadl threadisassociatedwithaportcontrollerin Fiacre∗_.

Differentcontrollersareavailabledependingonthepropertiesattachedtoaportdeclaration.Thepropertiesconsideredare:

• Urgency

• Queue size

• Overflow Handling Protocol

• Immediate / Delayed

The

Urgency

controllerissomewhatspecialbecauseitisnotavailablein Fiacre∗_{RTlibraryandmustbegeneratedfor}

eachsporadicthreadwithincomingevent(data)portspecifyinganurgencyproperty.Tothisend,weuseaspecialconstruct availablein Fiacre∗ _{whichallowstoexpressanorderamongnon-deterministic choices.Forexample,thefollowing Fiacre}∗

statementthatusesthisconstruct s e l e c t

t r a n s i t i o n _ 1 [ ] t r a n s i t i o n _ 2

unless

t r a n s i t i o n _ 3

end

specifies that a transition in the group (

transition_1

and

transition_2

) is possible only if the transition

transition_3

is not possible. As a result, it suffices to partition the set of incomingevent (data) port according to the

Urgency

propertyvalueandusethe

select ... unless ... end

statementtoforcetransitionsintheintended order.

Parallelcompositionsection Thelaststepofthetranslationconsistsincomputingtheparallelcompositionofprocesses.This compositionisexpressedwith

par

6

in p1

k · · · k

pnend

Fig. 6.A simplified view of the periodic controller.

InFig. 5,weuse

6

= ∗

toindicatethatwewanttoperformasynchronousparallelcompositionoverallportsdeclared inthe Component.

Finally,processesobtainedfrom aadl threads throughtranslationareinstantiatedalongwiththeirportandshared vari-ablearguments.Eachprocessisassociatedwithitscorrespondingprocesscontroller:

periodic_controller

forperiodic threadsand

sporadic_controller

forsporadicthreads.The Fiacre∗ _{code forthe}

_{periodic_controller}

_{is given}

atSection 2.3.1.Then, theconnections betweenport,shared variablesandport propertiesareperformedby instantiating thecorresponding

port_controller

.Again,anexampleofsuchcontrollerisgivenatSection 2.3.3.Finally,ascheduler processisinstantiated.

2.3. Fiacre∗_RTlibrary

Themain Fiacre∗ _{componentproducedbythetranslationdependsonlibrarycomponentswhichdefineprotocols}

intro-ducedbythe aadl runtime. Theyareoftengenericandusethe Fiacre∗ _{extensions.Thesecomponentscanbeclassifiedas}

follows:

•

Threaddispatchcontrollers:theyaimatsendingadispatcheventtoapplicativethread.Thiseventissentperiodically forperiodicthreadsorafteraneventhasbeenreceivedandtheminimalperiodhaselapsedforasporadicthread.The controllerchecksalsothatcompletionoccursintime.Otherwise,anerrorissignaled.

•

Schedulers:thesecomponentsgrantprocessoraccesstodispatchedthreads,dependingontheschedulingprotocol.

•

Inputportsbuffers:thesecomponentsstoreinputmessagesanddeliverthemtothethreadatthetime definedbythe

protocol(atdispatch, ondemand,. . . ).Input overflows andfreshnessofmessagearedetected andmanaged bythese components.

•

Connectors:thesecomponentstransmitdatafromoutputbufferstoinputbuffersatthetimespecifiedbytheprotocol. Inthefollowing,weconsideronerepresentativeforeachfamilyofprotocol.

2.3.1. Threaddispatchcontrollers

Thedispatchcontrollerissynchronizedwiththecontrolledapplicativethreadthroughitsdispatch(d),completion(c)and

deadline(dl)ports.Anadditionalport(w)isusedasatimerandallowsasynchronizationonitateachperiod.Thebehavior ofthecontrollerisillustratedbyFig. 6.Itsinterfaceisthefollowing:

process p e r i o d i c _ c o n t r o l l e r [ d : none , c : none , d l : i n none , w : none ]

•

In the rdy state, the controller waits for the thread to synchronize on the dispatch port d. This synchronization is supposedtobepossiblewithoutdelay.Then,thecontrollerwaitsforeitherthecompletionofthethread(portc)orfor theendoftheperiod(portw).Intheformercase,thecontrollertransitstotheidlestate.Inthelattercase,anerroris detected(deadlineisnotrespected).

•

In the idle state, the controller waits for the end of the period (on port w), which is also herethe instant of the deadlineandofthenext dispatch.Itthentransitsbacktotherdystateandsendsadeadlineevent(portdl)totrigger datatransfers.

Itisimportanttonotethatthecorrectnessofthismodeldependsonthefollowingpoints:

•

Theenvironment(theapplicativethread)acceptstheeventsd,c anddlrepeatedlyandinthisorder.

•

Theenvironmentdoesnotdelaythesynchronizationonportd.

•

Thew portisnotdelayedbytheenvironmentandistimed

[

T

,

T

]

,whereT isboththeperiodandthedeadlineofthe thread.

2.3.2. Schedulers

Theschedulerinteractswiththe applicativethreads throughtheportsexecuteandcomplete. Asynchronizationonthe formerportmeansarequestfortheprocessorresource.Asynchronizationonthelatterportmeanstheresourceisreleased.

The followingcodemodels avery simpleschedulerwhichonlyguarantees thatthe processorisallocatedto atmostone thread.Theallocatorisgeneric,parameterizedbythenumberofclientthreads.Eachthreadcommunicateswiththe sched-ulerthroughaprivateport.Aprioritycanbeassociatedtothreadsthroughtheuseofprioritieson Fiacre ports.In Fiacre, anenabledtransitiononaportpreventsexecutionofanytransitionsonlowerpriorityports.

process s c h e d u l e r < |N| > [ e : array N of i n out none , c : array N of i n out none ] i s

s t a t e s f r e e , busy var x : 0 . . N−1 : = 0 i n i t to f r e e from f r e e s e l e c t i of [ N ] e [ i ] ; x : = i end; to busy from busy c [ x ] ; to f r e e 2.3.3. Inputportbuffers

Input portbuffersstoreincomingmessagesanddeliverthemtothethreadatthetimedefinedbythe aadl semantics. Severallibraryelements orparameters adaptthe behaviorof theport withrespectto thekindofthe ports(event,data, eventdata); theschedulingprotocoloftheattachedthread;themanagement ofoverflowsorthequeuingprotocol. Asan example,weconsideraninputeventportattachedtoaperiodicprocess.ItissupposedtohaveacapacityofN eventswhich are deliveredone atatime, andto blockon overflowinorderto makeiteasy tocheck. Theeventisreceived througha synchronizationon port e.The eventcounter isthen incremented.Whenthe attachedthreadis dispatched,one eventis transmitted,ifavailable,throughthesharedvariablereferencedbyip.Thus,ipreceiveseitherthevalue 0,orthevalue 1,in whichcasethecounterisdecremented.

process p e r _ i e p o r t _ o n e _ o v f < |N| > [ e , d : none ] ( & i p : 0 . . 1 ) i s

s t a t e s s0 , o v f var e v t : 0 . . N : = 0 from s0 s e l e c t e ; on e v t < N ; e v t : = e v t + 1 ; to s0 [ ] e ; on e v t = N ; to o v f [ ] i p : = e v t > 0 ? 1 : 0 ; d ; e v t : = ( evt >0? e v t − 1 : e v t ) ; to s0 end 2.3.4. Connectors

Connectorstransmitmessagesfromoutputportstoinputports.Severallibraryelementsorparametersareusedtoselect thedesiredprotocol.Asanexample,weconsideragenericprocessimplementingadelayedconnection.Itisparameterized bythetype T oftransferreddata.Ittakesasparametertwoportssynchronizedrespectivelytothedeadlineoftheemitting threadandtothedispatchofthereceivingthread,andreferencestosharedvariablescontaining respectivelyatmostone incomingmessage(in ip),theoutgoingmessage(ino_v) andits freshness(in o_ f ). Onemitter deadline,afreshmessage istakenfromthequeue(ifnon-empty)andstoredlocally.Onreceiverdispatch, thestoredmessageanditsfreshnessare transmitted.Thestoredmessagebecomesnotfresh.

process delayed_connection < | T| >

[ dl_o , d _ i : none ] ( & i p : queue 1 of T , &o_v : T , &o _ f : bool ) i s

s t a t e s s0 var x : T , f : bool : = f a l s e i n i t to s0 from s0 s e l e c t d l _ o ; on n o t ( empty ( i p ) ) ; x : = f i r s t ( i p ) ; i p : = { | | } ; f : = t r u e ; to s0 [ ] d l _ o ; on empty ( i p ) ; to s0 [ ] o_v : = x ; o _ f : = f ; d _ i ; f : = f a l s e ; to s0 end 2.4. Prototypeimplementation

Following the translation procedure presented in the previous section, we realized a prototype implementation of a translatorfroman aadl modelto Fiacre.Intherestofthissection,wepresentthetoolsweusedandgiveanoverviewof thetoolchain.

Thetranslationfrom aadl to Fiacre is atwo-stepsprocess (Fig. 7).Wefocusourattentiontothefirststep.The devel-opment environment we used to implementour translatoris based on the Eclipse platform andparticularlythe Eclipse ModelingTools.

Fig. 7.Toolchain overview of the translator from aadl to Fiacre.

Fig. 8.Part 2map.

Oneofthe mainplug-in weused isOsate (version1.5.8)whichis anopen-source plug-in thatprovides a setoftools basedonthe EclipseModeling Framework(EMF).Osategives accessto aset ofservicessuch as:aparser forthe textual aadlrepresentation, toolsto analyze aadl model,semantics checker,andit offers thepossibility toextract a modeland instancemodelofasystemdescribedasatextualmodelin aadl language.Thismodelandinstancemodelrepresentationis describedinfileformatcalledXMI(XMLMetadataInterchange)whichisthestartingpointofourtransformationto Fiacre∗_.

Anothertoolweusedisaplug-incalledAcceleo[17](version3.0)whichisanimplementationoftheModeltoText(M2T) asdefinedbytheObjectManagementGroup (OMG).From ametamodelandamodel(represented inXMIformat)wecan use Acceleo to produce text-based output, in our case an Fiacre∗ _{file. Model to Text is based around two fundamental}

primitives: templates and queries. In short, templates are used to produce a textual output whereas queries are used to extractinformationout ofthemodelinadeclarativemanner. Finally,the translationfrom Fiacre∗ _{to Fiacre isdone with}

javaand tom[29]. tom isarewritingenginewhichprovidessyntaxextensionsto java todefinetransformations.

ThecombinationofthesetoolsallowsustoobtainaworkingprototypefullyintegratedwithintheEclipseplatform.We haveexperimentedthetoolchainonsomecasestudies.Asanexample,wepresentinthecompanionpaper[44]theAPOTA casestudywhichisafiletransferprotocolusedintheavionicsdomain.Themodelcheckingresultscanbe foundin[42]. TheyillustratetheverificationofsomeLTLpropertiessuperposedtothegenerated Fiacre code.

Inaddition,thehigh-levelconstructsprovidedby Fiacre∗ _{alongwithits RTlibraryhaveconsiderablyeasedtheprocess}

oftranslating aadl to Fiacre.

Part2. OnthecorrectnessoftheAADLto FIACREtransformation

The objectiveof thispartis to give hintson how the toolchain presentedin Part 1 could be verified.Verifying such atoolset isa longtermgoal.We mainlyinvestigate hereone element ofthetoolchain whichis thetransformationfrom aadl to Fiacre. Verifyingsuch a transformation means ensuring that the truth or falsity ofproperties expressed on an aadl modelis preservedby the transformation.We consider lineartemporal logic propertiesandbi-simulation between behavioralmodelsofthesourceandtargetmodels,whichisknowntopreservethisclassofproperties.Inordertocompare the behavior of the source aadl model and of the resulting Fiacre model, we introduce a common framework: timed transitionsystems[23](tts forshort,seeDefinition 6).Then,weexpressthesemanticsofanabstractview of Fiacre andof areducedsubsetof aadl intermsoftimedtransitionsystems.Lastly,wediscussabouttheverificationofthetransformation. ThesestepsarerepresentedbyFig. 8wheredashedlinesareleftforfuturework.

3. Commonsemanticsdomain

Thepresentsectionrecallsthebasisoftransitionsystemstheory,andextendsclassicalLabeled TransitionSystems[4]by distinguishinggloballabelsfromlocalones.Indeed,globallabelsareneededto specifycommunicationorsynchronization withothercomponentswhilelocallabelsareusedtospecifyinternalactions.Thesetofalllabelsofatransitionsystemis

Ldef

=

L_G

⊎

L_L,whereL_Listhesetoflocallabels(ortau)ofthesystem.

Also,wedistinguishsharedmemoryfromprivate.Weassume thatallthetransitionsystemsshareasetofglobalstates

S_G andhaveeach their ownset oflocalstates S_L.Shared memoryallowsprocesses toexchange dataandcommunicate withoutneedtosynchronizeanduseports.Insomecasesitmaybeveryconvenienttousesharedmemoryaslongastwo processesneverwriteatthesamelocationatthetime.Thisisespeciallytrueforsharedmemoryarchitectures.

Ourformalizationofthememoryoftransitionsystemsconsiders thatlocalstatesaredependenttoglobalstates.Thus, we split S_L withrespectto S_G suchthat S_L

=

S

g∈SG

Sg_L.Thesetofstatesofagiventransitionsystem(mixingsharedand

privatememory)isoftheformofSdef

= {(

g

,

l

)

|

g

∈

S_G

∧

l

∈

S_Lg

}

.

Then, becauseofourdesireto defineacompositionalmodel,weintroducea partialfunctionmrg

:

S_G

×

S_G

→

S_G that computes themerge oftwo shared states.This function cannot be definedherebecause S_G is not structured (byset of shared variablesforexample) andwe merely specifyit.Thereby,we considerthat mrgshouldbe commutative,associative

andidempotent.Formallyitmeansthatwhateverthedefinitionofmrg,itmustsatisfythefollowingconstraintswhenterms aredefined:

• ∀

g1

,

g2

∈

SG

,

mrg

(

g1

,

g2

)

=

mrg

(

g2

,

g1

)

• ∀

g1

,

g2

,

g3

∈

SG

,

mrg

(

g1

,

mrg

(

g2

,

g3

))

=

mrg

(

mrg

(

g1

,

g2

),

g3

)

• ∀

g

∈

S_G

,

mrg

(

g

,

g

)

=

g

Asan example,we candefine S_G asthesetofpartialvaluationsofasetofglobalvariables XG inadomain D: SG

def

=

XG

9

D.Thenmrg

(

g1

,

g2

)

willbetheoverloadingfunctionwheng1andg2 arecompatible,i.e.whentheyarebothdefined

onavariable,theyassignitthesamevalue.

3.1. Labeled transitionsystems

Theclassicalmodeloflabeled transitionsystems[4](lts forshort)isusuallyusedtogiveamathematicalrepresentation to programs andmore recentlyto component-based systems.We introduce now this modelin a shared/private memory context.

Definition1(Labeled transitionsystems).An lts definedover L_G andS_G (introducedabove)isa4-tupleltsdef

= h

L_L

,

S_L

,

init, next

_i

_,where:

•

L_L isthesetoflocallabelsoflts.

•

S_L

(=

S

g∈S_G

S_Lg

)

isasetoflocalstates(orstores)andwedefine Sastheset

{(

g

,

l

)

|

g

∈

S_G

∧

l

∈

S_Lg

}

.

•

init_{isapredicateover} Sthatdefinestheinitialstatesoflts.

•

next isapredicateoverS

×

L

×

S;next definesthesetoftransitionsofltsthataretripletsoftheform

(

s

,

ℓ,

s′

₎

_,where sisthesourcestate,

ℓ

isthetakenlabelands′_{thetargetstateofthetransition.}

Fromnow,inthisgeneralsetting,weconsiderthatallthe lts aredefinedoversomegivensetsL_G and S_G.

Definition2 (Enabledlabels). Assuming an lts

h

L_L

,

S_L

,

init,next

i

, a label

ℓ

∈

L is enabled froma state s

∈

S, ifthere is a state s′

_∈

_{S such that the triplet}

₍

_s

_,

_ℓ,

_s′

₎

_{belongs to next. Formally, we define the predicate enabled over S}

_×

_{L as}

enabled_s

(ℓ)

def

= ∃

s′

_∈

_S

_,

_next

₍

_s

_,

_ℓ,

_s′

₎

_.

Definition 3 (SimulationrelationsonLTS). Given two ltss, namely lts♭ (the concrete) and lts♮ (the abstract), defined as

h

Li

L

,

SiL

,

initi

,

nexti

i

fori

∈ {♭,

♮}

,lts♭ issimulatedbylts♮throughrelationsRS

⊆

S♭

×

S♮andRL

⊆ (

L♭

×

L♮

)

if:

∀

s♭

∈

S♭

,

init♭

(

s♭

)

⇒ ∃

s♮

,

init♮

(

s♮

)

∧ (

s♭

,

s♮

)

∈

RS

V

∀

s♭s′♭

∈

S♭

,

∀

s♮

∈

S♮

,∀ℓ

♭

∈

LG

∪

L ♭ L

,

(

next_♭

₍

_s♭

_{, ℓ}

_♭

_,

_s′ ♭

)

∧ (

s♭

,

s♮

)

∈

RS

)

⇒

(∃

s′_♮

∈

S♮

_,∃ℓ

♮

∈

LG

∪

L ♮ L

,

next♮

(

s♮

, ℓ

♮

,

s′♮

)

∧

(

s′ ♭

,

s′♮

)

∈

RS

∧ (ℓ

♭

, ℓ

♮

)

∈

RL

).

Weformallywriteitbylts♭

⊑

(RS,RL)lts ♮_.

Definition4(BisimilarLTSs).Giventwo ltss,namelylts♭_andlts♮_,definedas

_h

_Li

L

,

SiL

,

initi

,

nexti

i

fori

∈ {♭,

♮}

,lts♭isbisimilar tolts♮ ifthereexiststworelations RS

⊆

S♭

×

S♮andRL

⊆

L♭

×

L♮,suchas:

lts♭

⊑

(RS,RL)lts ♮

∧

lts♮

⊑

_(R−1 S ,R−L1)lts ♭ Weformallywriteitbylts♭

≃

lts♮.

3.2.CompositionofLTSs

Reasoningaboutconcurrentsystemsrequiresinterpretationofprocesscompositioninthechosensemanticdomain.For suchapurpose,wedefineabinarysynchronousproductof ltss.

Definition5 (CompositionofLTSs). The composition of two ltss, namely lts1 andlts2,defined as

h

LiL

,

SiL

,

initi

,

nexti

i

for

i

∈ {

1

,

2

}

,overasetofsynchronizablelabelsLS

⊆

L_G,isan lts,

(

lts1

k

LSlts2

)

def

= h

L_L

,

S_L

,

init,next

i

,where:

•

L_Ldef

=

L1_L

⊎

L2_L

•

S_L isdefinedastheset S1_L

×

S2_L

•

init

(h

g

,

(

l1

,

l2

)i)

def

=

init1

(h

g

,

l1

i)

∧

init2

(h

g

,

l2

i)

•

next

_(h

_g

_{, (}

_l1

_,

_l2

_{)i, ℓ, h}

_g′

_{, (}

_l′ 1

,

l′2

)i)

def

=

_



























(

1

) ℓ

∈

L1_L

∧

next₁

_(h

g

,

l1

i, ℓ, h

g′

,

l′₁

i) ∧

l2

=

l′₂

(

2

) ℓ

∈

L2_L

∧

next₂

_(h

g

,

l2

i, ℓ, h

g′

,

l′₂

i) ∧

l1

=

l′₁

(

3

) ℓ

∈

L_G

∧ ℓ 6∈

LS

∧

next1

(h

g

,

l1

i, ℓ, h

g′

,

l′₁

i) ∧

l2

=

l′₂

(

4

) ℓ

∈

L_G

∧ ℓ 6∈

LS

∧

next2

(h

g

,

l2

i, ℓ, h

g′

,

l′2

i) ∧

l1

=

l′1

(

5

) ℓ

∈

LS

∧ ∃

g₁′g′₂

∈

S_G

,

V







g′

₌

_mrg

₍

_g′ 1

,

g′2

)

next₁

_(h

_g

_,

_l1

_{i, ℓ, h}

_g′ 1

,

l′1

i)

next₂

_(h

g

,

l2

i, ℓ, h

g2′

,

l′2

i)

































3.3.Timedtransitionsystems

WerecallnowthedefinitionofTimedTransitionSystemswhichiscommonlyusedtodefinethesemanticsof component-basedsystemwhichembeds real-timefeaturesas aadl architecturesdo.

Definition6(Timedtransitionsystems).ATimedTransitionSystem(tts forshort)isan lts,

h

L_L

,

S_L

,

init

,

t_{_next}

i

,definedover

L_G

∪ R

+_andS

G.Thus,therearetwokindsoftransitionrelations:discreteanddelay.Delaytransitionsarerequiredtoobey

thefollowingproperties:

•

zerodelay:

∀

sto

∈

S

,

sto

−→

0 sto

•

determinism:

∀

sto

,

sto′

,

sto′′

∈

S

,

∀δ ∈ R

+,

sto

−→

δ sto′

∧

sto

−→

δ sto′′

⇒

sto′

=

sto′′

•

additivity:

∀

sto

,

sto′

,

sto′′

∈

S

,

∀δ,

δ

′

∈ R

+_,

sto

−→

δ sto′

∧

sto′ δ

′

−→

sto′′

⇒

stoδ+δ

′

−→

sto′′

•

continuity:

∀

sto

,

sto′′

_∈

_S

_,

_∀δ

′

_,

_δ

′′

_{∈ R}

+_,

stoδ

′_+δ′′

−→

sto′′

⇒ ∃

sto′

,

sto δ

′

−→

sto′

∧

sto′ δ

′′

−→

sto′′

Wenote

(

sto

−→

δ sto′

)

fort_{_next}

(

sto

,

δ,

sto′

)

.

3.4.CompositionofTTSs

Weconsiderthecompositionoperationon ttss,whichisusedtodefinethesemanticsofan aadl modelasthe compo-sitionofthesemanticsofitsconstituents.

Definition7 (CompositionofTTSs). The composition of two ttss, namely tts1 and tts2, defined as

h

LiL

,

SiL

,

initi

,

t_nexti

i

, for i

∈ {

1

,

2

}

, over a set of synchronizable ports LS

⊆

L_G, is a tts defined as a composed lts,

(

tts1

k

LS tts2

)

def

=

⋄

t_next

(h

g

, (

l1

,

l2

)i, ℓ, h

g′

, (

l′1

,

l′2

)i)

def

=

_



























(

1

) ℓ

∈

L1_L

∧

t_{_next1}

_(h

_g

,

l1

i, ℓ, h

g′

,

l′₁

i) ∧

l2

=

l′₂

(

2

) ℓ

∈

L2_L

∧

t_next2

(h

g

,

l2

i, ℓ, h

g′

,

l′₂

i) ∧

l1

=

l′₁

(

3

) ℓ

∈

L_G

∧ ℓ 6∈

LS

∧

t_next1

(h

g

,

l1

i, ℓ, h

g′

,

l′₁

i) ∧

l2

=

l′₂

(

4

) ℓ

∈

L_G

∧ ℓ 6∈

LS

∧

t_next2

(h

g

,

l2

i, ℓ, h

g′

,

l′₂

i) ∧

l1

=

l′₁

(

5

) ℓ

∈

LS

∧ ∃

g₁′g′₂

∈

S_G

,

V







g′

₌

_mrg

₍

_g′ 1

,

g′2

)

t_next1

(h

g

,

l1

i, ℓ, h

g′₁

,

l′₁

i)

t_next2

(h

g

,

l2

i, ℓ, h

g′₂

,

l′₂

i)

































⋄

t_next

(h

g

, (

l1

,

l2

)i, δ, h

g′

, (

l′1

,

l′2

)i)

def

=

δ

∈ R

+

∧ ∃

g₁′g₂′

∈

S_G

,

^







g′

₌

_mrg

₍

_g′ 1

,

g2′

)

t_{_next1}

_(h

_g

,

l1

i, δ, h

g′₁

,

l′₁

i)

t_{_next2}

_(h

_g

_,

_l2

_{i, δ, h}

_g′ 2

,

l′2

i)







Inotherwords,wetreatdiscretetransitionsanddelaytransitionsseparately. 4. FIACREkernelmechanization

Followingthe principleofthepivotlanguage Fiacre,we haveintroduceda semanticmodelmidwaybetween Fiacre and tts.Indeed,thismodeldescribespriorityandtimefeaturesassyntacticconstraints(whiletimeisspecifieddynamicallyin ttss)butontheotherhanditspecifiessystemsinmathematicalterms(whileitisprogrammingin Fiacre).

Thepurposeistogive amechanizedsemanticstothekernelof Fiacre inaproof-assistantinordertobeabletoreason formallyabout Fiacre systemsandprovethetransformationfrom aadl to Fiacre.Wepresentinthefollowingofthissection thissemanticmodelascloseaspossibleofitsmechanizationinthe Coq proofassistant.

4.1. Timeconstrainedtransitionsystems

Asforthe lts (seeDefinition 3.1),wedistinguishgloballabels(orevents)fromlocaloneshere.Buthere,weintroducea

finitesetofportsundertheinfinitesetoflabels.Amongothers,thisdistinctionisneededtogofromopensystemswhichcan communicate orsynchronizewithothersto closedsystemsthat only haveinternal (orlocal) actions.Doing sorequiresto

hidethesetofglobaleventsbutsincethissetmaybeinfinite,wehandlethistaskthroughtheircorrespondingportswhich arefiniteinnumber.Thus,inthefollowingweassumethatanytransitionsystemisdefinedoverafinitesetofglobalports

P_G whichinducesanimplicitsetofgloballabelsL_G.Weassumealsothatthesetofallportsofanytransitionsystemisof theformPdef

=

P_G

⊎

P_L whereP_L isthesetoflocalportsofthegiventransitionsystem(seeDefinition 8).

Moreover, introducing priorities can be useful to control, preserve and try to guarantee, for example, the deadlock-freedom of such systems [19]. Thus, we provideto our TransitionSystembased model (Definition 8) a priority relation, whichisastrictpartialorderoverportssothatonlylabelslinkedtoportswithmaximalprioritycanbefiredatsomepoint oftheexecution.Themeaningofapriorityrelationovertwoports pandp′ _{ofatransitionsystem,isthat ifphaspriority}

over p′_{then everytransitionthrough p}′_{cannot betakenifalabelthrough p isenabled. Weformalizeinourframework}

apriorityrelation,

≺

,asanirreflexiveandtransitiverelation.Consequently,apriorityrelationisalsoacyclic.Animportant propertyoverpriorityrelationsthatourtransitionsystemsmustsatisfy,isthatportsthathavepriorityoverothersmustbe local.Withoutthisconstraint,oursemanticmodelisnolongercompositional.

Then,wehaveassociatedtimeintervalconstraintstotheportsofthemodel,inthesamewayasT. Henzingeretal.[22] forlabels. Moreover,we add theso-calledresetrelationto thismodelthat enablesustospecify whichclocks(or timers) are reset after the firing of a given transition. That reset relation is helpful to model directly the semantic differences betweenthetwoconstructsof Fiacre thatallowtopasstransitions(i.e.

loop

and

to

,seetheperiodiccontrollerofPart 1, Section 2.3.1,forexample).We namethismodelTimeConstrainedTransitionSystems (tcts forshort)since thetermtts is overloadedandalreadyusedhereandbecausetimefeaturesareonlyexpressedassyntactictimedconstraintsontransitions. Definition8.ATimeConstrainedTransitionSystem,namelytcts,isa 8-tupledefinedoverasetofvaluesV,afinitesetof globalports P_G andasetofstatesoversharedvariables S_G,

h

P_L

,

T

,

S_L

,

val

,

prt

,

init

,

next

,

R,

I

≺i

,where:

•

P_L isthe(finite)setofportsoftcts.Wedefine P

=

P_L

∪

P_G.

•

T isthesetof(thenamesof)transitionsoftcts.

•

S_L isthesetofstates(orstores)oftcts.

•

prtisafunctionfromT toP,thatassociatestoeverytransitionauniqueport.

•

val isafunction fromT

×

S to V,thatassociates foralltransition, inevery state,a value.Itdefines, together witha portoftheconsideredtransition,thelabelofthetransition.Thus,thesetLoflabelsisdefinedhereby P

×

V.

process Pattern [ p : T ](& v : T ) i s ports p ’ in [m,M] var x : T s t a t e s s , i n i t s from s s e l e c t [ ]n i tri end

where[]istheparalleloperatorof Fiacre andforalli≤n(nisthenumberofconcurrent transitionsfroms),trihasoneofthefourfollowingpatterns:

•T1: on g; stm1; p!e; stm2; to s •T2: on g; stm1; p!e; stm2; to loop •T3: on g; p’; stm; to s

•T4: on g; p’; stm; to loop

Fig. 9.Patterns of Fiacre transitions illustrated by a minimal process.

•

init _{isanon-emptysubsetof}Sthatdefinestheinitialstatesoftcts.

•

nextdefinesthesetoftransitionsoftctsthataretripletsoftheform

(

sto

,

tr

,

sto′

)

∈

S

×

T

×

S,alsodenotedassto

−→

tr sto′,where sto

∈

S isthe sourcestate, tr

∈

T is thenameofthe takentransitionandsto′

∈

S thetarget state ofthe transition.

• R

isthe reset transitionrelation.

(

tr

,

tr′

₎

_{∈ R}

_{statesthat at execution,the firingof tr resets the implicitclock oftr}′_.

Otherwise,theimplicitclockassociatedtotr′_{keepsrunning.Foralltr}

_∈

_T,

₍

_tr

_,

_tr

₎

_{∈ R}

₍

_R

_{isreflexive).}

•

Iisafunctionthatassignstoeveryport p

∈

P anon-emptyintervalof

R

+_.Ip (orI

(

p

)

)specifiesbothminimal(lower) andmaximaldelay(upperbound)toelapseonceatransitionthrough phasbeenenabled

• ≺

is a priorityrelationover P.The meaning ofthepriority relationover twoports pand p′ _{ofa transitionsystem,}

isthat if p haspriorityover p′ _{then everytransitionthrough p}′ _{cannot be takenifan other transitionthrough p is}

enabled.

4.2.Semanticsof FiacretransitionsintermsofTCTS

Weillustrate inthissection what isa standard Fiacretransition andwhatis its semanticsin theTCTSrepresentation. Thus, a Fiacre transition is defined following one of the four patterns of the process defined on Fig. 9, where

s

is a location,

g

(theguard)isabooleanexpression,

p

and

p’

are ports,

stm

,

stm1

and

stm2

(thestatements)are sequences ofimperativeinstructions.

stm1

willbe executedbeforethesynchronizationon

p

and

stm2

thereafter.Inorderto avoid conflicts,weassume somerestrictionsabout

stm1

and

stm2

:Both hastobedefinedonlyoverlocalvariables(only

x

in ourexample)oftheprocesswhile

stm

canassignsharedvariables(only

v

inourexample)ofthewholesystem.Also,

e

is anexpressionoftype

T

thatisusedtoencodethedataexchangedwithanotherprocess.

Intransitionsoftype T1 orT2,

p

isaglobalport,usedforsynchronizationortheexchangeofdatabetweenprocesses,

whilein T3 and T4

p’

is local,only usedinordertodelayedtheaction ofthe transitions.Atime could beassociatedto

p

intheenvironment (thecomponent)wherethisprocess willbeputininteraction withotherprocesses.Atimeinterval intervalhastobeassociatedto

p’

intheprocessotherwiselocalportsareuselesssincetheyonlyservetodelaytransition. Heretheintervalis

[m,M]

meaninginonehandthattransitionsoftype T3 orT4 haveto becontinuouslyenabledforat

least

m

unitsoftime andontheotherhandhavetobetakenbefore

M

unitsoftimewhilebeingcontinuously enabledfor thatlong.

Regardingtotheexchange ofdata,thestandardreceptionsymbol

-?-

(asin CSP)issubstitutedherebya

-!-

andan assignment inadvance.Forinstance, theinstruction

hp?xi

iswritten

hx := any; p!xi

in Fiacre,where

hx := anyi

canbeinterpretedasanon-deterministicassignmentto

x

.Nevertheless,onlyonevalueassignedto

x

willmatchwiththe valueofthesenderprocessandsynchronizationaredoneifandonlyiftheportandthevalue(ofthegivenexpression)are thesameonbothsideofacommunication.Forinstance,

hp!3i

meansthatthevalue 3 hasto beobservedontheport

p

(butthiswillhavenoeffectonanyvariableoftheprocess).Also,

hp!xi

meansthat thevalue of

x

hastobeobservedon bothsideoftheport

p

(butthiswillalsohavenoeffectonanyvariableoftheprocess,either

x

).However,inthiscaseon oneside(ofthereceiver)thisinstructionshallbeprecededby

hx := anyi

andontheotherside(ofthesender)therewill benothingmore.

Furthermore,eachofthetransitionsoftheprocess(thetri,where1

≤

i

≤

nwithn

∈ N

)hasitsownclockalthoughthey arebuiltonly ontwo differentportshere. Whentaken, transitionsoftype T1 or T3 resettheclock ofall thetransitions

whichcould betakenfrom

s

, whilethoseof theform T2 andT4 onlyreset theirown clock (i.e.they preservethe time

alreadywaitedbytheothersinconcurrence).

Inordertoformalizethesemanticsofthisprocess

Pattern

whichdefine thedifferentformsof Fiacre transitions,we cangiveamathematicalrepresentationofitwiththe tcts

h

P_L

,

T

,

S

,

val

,

prt

,

init,next,

R,

I

≺i

,where: