02/04/2008
A Concrete Syntax for UML 2.1 Action Semantics Using +CAL
13th IEEE International Conference on Engineering of Complex Computer Systems – ICECCS 2008
UML&AADL’2008 Workshop
Isabelle Perseil, Laurent Pautet (TELECOM ParisTech, LTCI, UMR 5141 CNRS)
Page 2 – UML&AADL’ 2008 – 02/04/2008
Agenda
Context
State of the Art
Issues
Goals
Proposed approach
Application of the approach
Conclusions
Context
The role of executable modeling (xUML)
• A subset of UML plus an action specification language (ASL) runs models and generates safe code (computationally complete language)
• Bridges the gap between the analysis, design and programming steps
From xUML to other executable modeling languages
• Multiple views, multiple aspects: define all elements needed for implementation without overloading one single model or mismatching the abstraction level
[Figure: AADL (better for system analysis); Ada (better for system deployment)]
State of the Art, part I: the OMG RFP
The UML specifies how many types of models can be expressed, but:
• it lacks a concrete syntax for describing actions;
• users of the UML can add operations and states to their models, but there is no standard concrete syntax to describe how objects are created and changed by those operations and states.
The RFP solicits proposals for a concrete syntax for describing actions in the UML 2.1 action semantics and activities.
State of the Art, part II: action languages
Definition: an action is some computation, such as executing a function, sending a signal, reading or writing data, or iterating over a set. In a state machine, an action is a statement or a sequence of statements that is executed when the object takes the transition.
Existing action languages:
• SMALL (very limited precursor)
• TALL (functional)
• Bridge-Point Object
• iUML from Kennedy Carter (industrially used): an answer to the RFP, but not formal enough
[Statechart figure: Lamport bakery mutex with states Idle, Trying and Critical; transition labels as drawn]
• [Extraction(a_process) := true;] / proc_index := a_process; Rank(a_process) := Rank(q) + 1; Extraction(a_process) := false;
• [q < N] / q := q + 1;
• [Rank(q) = 0 or (Rank(a_process) > Rank(q)) or (a_process > q)]
• [else] / Rank(a_process) := 0;
• / Rank(a_process) := 0;
State of the Art: example of the Lamport bakery statechart
Figure annotations:
• condition connector, actions, [guard], action, incoming transition
• boolean condition: must be true for the transition to be taken
• [guard]: if false, the transition exits (not going to the next state "Trying")
• process a_process ∈ 1..N
• Only the smallest ticket can enter the critical section
And its code (Mutex.adb), with "Rhapsody in Ada" generation of one procedure:

  procedure Trying_Process_Event (this : in out Mutex_t;
                                  e    : in out Class_Hierarchy_Specific_Event.Class) is
  begin
     ...
     if Q < N then
        ... );
        Trying_Exit (this);
        ...
        Q := Q + 1;
        ... );
        if (Rank (Q) = 0 or (Rank (A_Process) > Rank (Q)) or (A_Process > Q)) then
           ... );
           --+[ transition
           --+]
           ... );
           Critical_Entry (this);
           ... );
           --+[ transition
           Rank (A_Process) := 0;
           --+]
           ... );
           Idle_Entry (this);
           ...
        end if;
     end if;
  end Trying_Process_Event;

The generator automatically emits entry actions and exit actions for each state. The code is not labeled and has no parameterization, so it is difficult to locate the origin of a statement and difficult to read (tool code simulation).
Issues
• Using a high-level programming language (C++, Java, Ada...): such languages have many more features than necessary to describe actions in a model
• The action semantics should provide just enough semantics to enable the specification of computation
• Genericity and interoperability between different action languages (if, for some reason, we have to work with several action languages)
Goals
Create a standard language with which users can write a complete and unambiguous functional description of the actions of operations and states, with the following properties:
• Statements are readable and intuitive
• Statements resemble existing languages for common functions (e.g. if statements, assignment, comparison)
• Users can include comments
• Users can assign marks to individual statements in the language
• The language can be extended to include new features
Our Goals
The action language answers the mandatory requirements, with particular strengths:
• Preserves the level of abstraction of the action semantics language and adds formal capabilities
• Defines primitives and simple constructs
• Provides for the specification of systems in sufficient detail so that they can be executed
Proposed Approach
• Requires a mapping from the structure of the specification to the structure of the implementation
• But executing a single diagram is not sufficient: if the whole code is obtained from one (flat) diagram, then executing the model is nothing more than a translation from one programming language to another (i.e. a bijection)
PCALToAda (1): +CAL algorithm

  --algorithm bakery
  variables Extraction = [k ∈ 1..N |-> FALSE],
            Rank = [m ∈ 1..N |-> 0];
  process a_process ∈ 1..N
  variable q;
  begin
    Extraction[a_process] := TRUE;
    Rank[a_process] := 1 + max(Rank[1]..Rank[N]);
    Extraction[a_process] := FALSE;
    q := 1;
    while q ≠ N+1 do
      while (Extraction[q]) do skip; end while;
      while ((Rank[q] ≠ 0) ∧ ((Rank[q], q) < (Rank[a_process], a_process))) do skip; end while;
      q := q + 1;
    end while;
    \* The critical section
    Rank[a_process] := 0;
    \* non-critical section ...
  end process
  end algorithm

Figure annotations:
• The "for" loop does not exist in +CAL
• Attribution of the ticket; "busy waiting" (trying): wait until other processes with higher priorities have finished their job
• Other processes know whether some number requests are in progress or not
• Number of the request; check on the process pid
• Labeled actions
PCALToAda (2): Ada program
ANTLR translator from +CAL to Ada 2005 (in progress)

  procedure Entering (A_Process : in Proc_Index) is
  begin
     Extraction (A_Process) := True;
     Rank (A_Process) := 1 + Maximum;
     Extraction (A_Process) := False;
     for Q in 1 .. N loop
        loop
           delay 0.1;
           exit when not Extraction (Q);
           exit when Rank (Q) = 0 or else Rank (A_Process) > Rank (Q) or else (A_Process > Q);
        end loop;
     end loop;
  end Entering;

  -- Exit Protocol
  procedure Way_Out (A_Process : in Proc_Index) is
  begin
     Rank (A_Process) := 0;
  end Way_Out;

Figure annotations: guards become waits; exit of the loop.
+CAL extensions: answer to the mandatory requirements (TLA+ expressions), after Stephan Merz's work
• The expressions in +CAL algorithms can be any TLA+ expressions
• TLA+ records (also called structs): [field1, field2]
• A concurrent object "a" is a record containing one field for every attribute of class A, and a field qm for every message type m ∈ MethA defined in class A (representing the queue of waiting requests to execute method m)
• The action receive(a, m, x) describes the receipt of a message of type m by an object a with parameter tuple x
+CAL extensions: answer to the mandatory requirements (TLA+ expressions)
• This presents some difficulties, as we need to properly embed TLA+. On the one hand, +CAL is simple because it has no pointers, no objects and no types; on the other hand, the way to extend its capabilities is to use TLA+ expressions.
• Redefining a class and formalizing its behavior in TLA+ is not simple.
• But thanks to TLA+ we may represent a "next-state" relation for any attribute (the actions defined for the given class), so we may represent the changes that occur during the receipt of a new message.
Application of the approach: TLA+ generation and assertion
• A simple command, java pcal.trans Algorithm, translates the algorithm into TLA+
• The translation introduces a new variable pc; the value of pc is the label of the next statement to be executed
• The invariant to check is that no 2 processes are in state cs:

  isMutex == ∀ i, k ∈ 1..N : (i /= k) => ¬((pc[i] = "cs") ∧ (pc[k] = "cs"))

• isMutex is a TLA+ operator defined just after the algorithm. Then we put assert answer = isMutex to check the algorithm with TLC, and we simulate the algorithm (run)
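The invariant check above, carried out on the bakery algorithm from the +CAL slide, as an added example that is not part of the slides or of the PCALToAda translator: each process is a small labelled state machine whose label plays the role of the pc variable that the +CAL-to-TLA+ translation introduces, and a breadth-first search over every interleaving of the atomic steps plays the role of TLC. The numbering of processes as 0..N-1, the split of the ticket assignment into a read step and a write step, the single pass per process (to keep the state space finite) and the doorway flag are assumptions of this example. check_mutex returns None when isMutex holds in every reachable state, and otherwise the trace to a violating state.

```python
# Added example (not from the slides or the PCALToAda project): explicit-state
# check of the bakery algorithm's isMutex invariant. Processes are numbered
# 0..N-1 (the slides use 1..N) and each takes one pass through the protocol.
from collections import deque


def initial_state(n):
    # (pc, Extraction, Rank, q, local copy of max(Rank)) for each process
    return (("start",) * n, (False,) * n, (0,) * n, (0,) * n, (0,) * n)


def step(state, i, n, doorway=True):
    """Successor state after process i executes its next atomic step, or None
    if i is blocked (busy-waiting) or done. doorway=False drops the Extraction
    flag to show what the doorway protects against (assumption of this model)."""
    pc, ext, rank, q, mx = (list(x) for x in state)
    label = pc[i]
    if label == "start":
        if doorway:
            ext[i] = True                     # Extraction[a_process] := TRUE
        pc[i] = "read_max"
    elif label == "read_max":
        mx[i] = max(rank)                     # ticket taken in two steps:
        pc[i] = "write_rank"                  # read max(Rank) ...
    elif label == "write_rank":
        rank[i] = 1 + mx[i]                   # ... then write Rank[a_process]
        ext[i] = False                        # Extraction[a_process] := FALSE
        q[i] = 0
        pc[i] = "scan"
    elif label == "scan":                     # the while q /= N+1 loop
        j = q[i]
        if j == n:
            pc[i] = "cs"                      # every other ticket checked
        elif ext[j]:
            return None                       # while Extraction[q] do skip
        elif rank[j] != 0 and (rank[j], j) < (rank[i], i):
            return None                       # wait for the smaller ticket
        else:
            q[i] = j + 1
    elif label == "cs":
        rank[i] = 0                           # leave the critical section
        pc[i] = "done"
    else:
        return None                           # done: no further step
    return tuple(tuple(x) for x in (pc, ext, rank, q, mx))


def is_mutex(state):
    # isMutex == no two processes have pc = "cs" at the same time
    return sum(1 for p in state[0] if p == "cs") <= 1


def check_mutex(n=2, doorway=True):
    """Breadth-first search over all reachable states. Returns None when
    isMutex holds everywhere, otherwise the trace [(process, label), ...]
    leading to the first violating state (the counterexample TLC prints)."""
    init = initial_state(n)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not is_mutex(s):
            trace = []
            while parent[s] is not None:
                prev, i, label = parent[s]
                trace.append((i, label))
                s = prev
            return trace[::-1]
        for i in range(n):
            nxt = step(s, i, n, doorway)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (s, i, s[0][i])
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("bakery with doorway, N=3:", check_mutex(3, doorway=True))
    print("bakery without doorway, N=2:", check_mutex(2, doorway=False))
```

With the Extraction doorway in place the search finds no reachable state with two processes in cs (for N=2 and N=3). With the doorway disabled, the search returns a trace of the kind a model checker reports: both processes read the same maximum before either writes its ticket, both obtain ticket 1, and the pid tie-break then lets both past the scan, which is exactly the interleaving the "busy waiting on Extraction[q]" loop in the +CAL text exists to exclude.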
[Statechart figure: Bakery::Mutex with states Idle, Trying and Critical; transition labels as drawn]
• trigger1 [Extraction[a_process] := TRUE;] / Rank[a_process] := 1 + max(Rank[1]..Rank[N]); Extraction[a_process] := FALSE;
• trigger2 [q < N] / q := q + 1;
• [((Rank[q] = 0) ∨ ((Rank[q], q) < (Rank[a_process], a_process)))]
• [else] / Rank(a_process) := 0;
• last_trigger / Rank(a_process) := 0;
Application of the approach: use of extended +CAL in state machine diagrams
Operation body (labeled specification):

  process a_process \in 1..N
  variable q;
  begin
    ... labeled actions
    while q /= N+1 do ... end while;
    cs: Rank[a_process] := 0;
  end process

Figure annotations:
• Specification; state machine in +CAL; labeled specification (a sequence of steps, i.e. labels); implementation
• Ada generation: procedures (PCALToAda translator)
• Invariance checking in TLA+ (with TLC)
• Certification of the produced code
• Extraction[q]
• Class Bakery::Mutex, attribute q : Integer, operations trigger1() : void, last_trigger() : void, trigger2() : void
Conclusions and future work
• In order to formally specify the behavior of DRE systems: Lamport specifies synchronization in terms of state machines ("Time, clocks and the ordering of events in a distributed system"), that is, formal state machines
• We have shown how +CAL can be executed in the context of state machines and activity diagrams
• To answer the mandatory requirements of the Action Language RFP, we need some extensions to +CAL: class and object manipulation and signal generation, in order to animate UML models
• +CAL brings genericity: labels (which allow dividing a multi-threaded program into atomic steps) and generation of multiple target languages
• +CAL can be used via a co-modeling methodology enabling model checking of TLA+ actions, so that the safety properties of concurrent systems are shown to be satisfied