02/04/2008 A Concrete Syntax for UML 2.1 Action Semantics Using +CAL 13th IEEE International Conference on Engineering of Complex Computer Systems – ICECCS.

1 02/04/2008
A Concrete Syntax for UML 2.1 Action Semantics Using +CAL
13th IEEE International Conference on Engineering of Complex Computer Systems – ICECCS 2008
UML&AADL’2008 Workshop
Isabelle Perseil, Laurent Pautet
TELECOM ParisTech, LTCI, UMR 5141 CNRS

2 Page 2 – UML&AADL’ 2008 – 02/04/2008
Agenda
- Context
- State of the Art
- Issues
- Goals
- Proposed approach
- Application of the approach
- Conclusions

3 Context
- The role of executable modeling (xUML)
  - Subset of UML + ASL
  - Runs models, generation of safe code (computationally complete language)
  - Bridges the gap between the analysis, design and programming steps
- From xUML to other executable modeling languages
  - Multiple views, multiple aspects: define all elements for implementation, without overloading one single model and mismatching the abstraction level
  - Ada (better for system analysis)
  - AADL
  - Ada (better for system deployment)

4 State of the Art, part I: the OMG RFP
- The UML specifies how many types of models can be expressed, but it lacks a concrete syntax for describing actions
  - Users of the UML can add operations and states to their models, but there is no standard concrete syntax to describe how objects are created and changed by those operations and states.
- The RFP solicits proposals for a concrete syntax for describing actions in the UML 2.1 action semantics and activities

5 State of the Art, part II: Action languages
Definition: an action is some computation, such as executing a function, sending a signal, reading or writing data, and iterating over a set
- An action is a statement or a sequence of statements that is executed when the object takes the transition
Existing action languages
- SMALL (very limited precursor)
- TALL (functional)
- Bridge-Point Object
- iUML from Kennedy Carter (industrially used)
Answer to the RFP, but not formal enough

6 State of the Art: example of the Lamport Bakery statechart
[Figure: statechart of the Lamport Bakery algorithm, process a_process ∈ 1..N. Annotations on the diagram:]
- Condition connector
- actions
- [guard] action
- [guard]: boolean condition that must be true for the transition to be taken
- incoming transition [guard]: if false it exits (not going to the next state “Trying”)
- Only the smallest ticket can enter the critical section

7 And its code (Mutex.adb) with “Rhapsody in Ada”: generation of one procedure

    procedure Trying_Process_Event
      (this : in out Mutex_t;
       e    : in out Class_Hierarchy_Specific_Event.Class) is
    begin
       ….
       if Q < N then
       ……. );
       Trying_Exit (this);
       …..
       Q := Q + 1;
       …….. );
       if (Rank (Q) = 0 or (Rank (A_Process) > Rank (Q)) or (A_Process > Q)) then
       ……… );
       --+[ transition
       --+]
       ……… );
       Critical_Entry (this);
       ……….. );
       --+[ transition
       Rank (A_Process) := 0;
       --+]
       …………… );
       Idle_Entry (this);
       ………
       end if;
    end Trying_Process_Event;

- Automatically generates entry actions and exit actions for each state
- The code is not labeled
- No parameterization
- Difficult to locate the origin
- Difficult to read (tool code simulation)

8 Issues
- Using a high-level programming language (C++, Java, Ada…): such languages have many more features than necessary to describe actions in a model
- The action semantics should provide just enough semantics to enable the specification of computation
- Genericity and interoperability between different action languages (if, for some reason, we had to work with several action languages)

9 Goals
- Create a standard language with which users can write a complete and unambiguous functional description of the actions of operations and states, with the following properties:
  - Statements are readable and intuitive
  - Statements resemble existing languages for common functions (e.g. if statements, assignment, comparison)
  - Users can include comments
  - Users can assign marks to individual statements in the language
  - The language can be extended to include new features

10 Our Goals
The action language meets the mandatory requirements, with particular strengths:
- Preserves the level of abstraction of the action semantic language, adds formal capabilities
- Defines primitives, simple constructs
- Provides for the specification of systems in sufficient detail so that they can be executed

11 Proposed Approach
- Requires a mapping from the structure of the specification to the structure of the implementation
- But executing a single diagram is not sufficient
  - If the whole code is obtained from one (flat) diagram, then the execution of the model == a translation from one programming language to another one (i.e. a bijection)

12 PCALToAda (1)
+CAL algorithm

    --algorithm bakery
    variables Extraction = [k ∈ 1..N |-> FALSE],
              Rank = [m ∈ 1..N |-> 0];
    process a_process ∈ 1..N
    variable q;
    begin
      Extraction[a_process] := TRUE;
      Rank[a_process] := 1 + max(Rank[1]..Rank[N]);
      Extraction[a_process] := FALSE;
      q := 1;
      while q ≠ N+1 do
        while (Extraction[q]) do skip; end while;
        while ((Rank[q] ≠ 0) ∧ ((Rank[q], q) < (Rank[a_process], a_process))) do skip; end while;
        q := q+1;
      end while;
      \* The critical section
      Rank[a_process] := 0;
      \* non-critical section...
    end process
    end algorithm

Annotations on the slide:
- The “for” loop does not exist
- attribution of the ticket
- “busy waiting” (trying)
- wait until other processes with higher priorities have finished their job
- other processes know if some number requests are in progress or not
- number of the request
- check on pid process
- labeled actions

13 PCALToAda (2)
Ada program: ANTLR translator from +CAL to Ada 2005 (in progress)

    procedure Entering (A_Process : in Proc_Index) is
    begin
       Extraction (A_Process) := True;
       Rank (A_Process) := 1 + Maximum;
       Extraction (A_Process) := False;
       for Q in 1 .. N loop
          --  Wait while process Q is still taking its ticket.
          loop
             exit when not Extraction (Q);
             delay 0.1;
          end loop;
          --  Wait while Q holds a ticket and
          --  (Rank (Q), Q) < (Rank (A_Process), A_Process), as in the +CAL text.
          loop
             exit when Rank (Q) = 0
               or else Rank (Q) > Rank (A_Process)
               or else (Rank (Q) = Rank (A_Process) and then Q >= A_Process);
             delay 0.1;
          end loop;
       end loop;
    end Entering;

    --  Exit protocol
    procedure Way_Out (A_Process : in Proc_Index) is
    begin
       Rank (A_Process) := 0;
    end Way_Out;

Annotations on the slide:
- guards
- wait
- exit of the loop

14 +CAL extensions: answer to mandatory requirements (TLA+ expressions), Stephan Merz’s works
- The expressions in +CAL algorithms can be any TLA+ expressions
- TLA+ records (also called structs): [field1, field2]
- Concurrent object “a” == record that contains:
  - one field for every attribute of class A
  - a field q_m for every message type m ∈ Meth_A defined in class A (representing the queue of waiting requests to execute method m)
- The action receive(a, m, x) describes the receipt of a message of type m by an object a with parameter tuple x

15 +CAL extensions: answer to mandatory requirements (TLA+ expressions)
- It presents some difficulties, as we need to properly embed TLA+:
  - On one hand, +CAL is simple because it has no pointers, no objects, no types
  - On the other hand, the way to extend the capabilities is to use TLA+ expressions
- To re-define a class and formalize its behavior in TLA is not simple
- But, thanks to TLA, we may represent a “next-state” relation for any attribute (actions defined for the given class)
- So we may represent the changes during the receipt of a new message

16 Application of the approach: TLA+ generation and assertion
A simple command translates the algorithm into TLA+:

    java pcal.trans Algorithm

- The translation introduces a new variable pc
  - The value of pc is the label of the next statement to be executed
- The invariant to check is that no two processes are in state cs:

    isMutex == ∀ i, k ∈ 1..N : (i /= k) => ¬((pc[i] = "cs") ∧ (pc[k] = "cs"))

- isMutex is a TLA+ operator defined just after the algorithm. Then:
  - we put assert answer = isMutex to check the algorithm with TLC
  - we simulate the algorithm (run)
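
An added example, not part of the presentation: the isMutex check that the slide hands to TLC, carried out as an explicit-state search in Python over the bakery algorithm of slide 12. The label names e1, e2, e3, w1, w2, the 0-based process ids and the ticket bound max_rank are assumptions of this example; it also goes beyond the slide by splitting the ticket assignment into a read step and a write step, which makes the role of the Extraction flag visible.

```python
from collections import deque

def successors(state, n, max_rank, wait_on_extraction):
    """Yield each state reachable by one labeled step of one process."""
    extraction, rank, pc, q, tmp = state
    for i in range(n):
        e, r, p, qq, t = map(list, state)
        if pc[i] == "e1":        # Extraction[i] := TRUE
            e[i], p[i] = True, "e2"
        elif pc[i] == "e2":      # read 1 + max(Rank); the bound keeps the model finite
            if 1 + max(rank) > max_rank:
                continue
            t[i], p[i] = 1 + max(rank), "e3"
        elif pc[i] == "e3":      # publish the ticket, Extraction[i] := FALSE, q := first
            r[i], t[i], e[i], qq[i], p[i] = t[i], 0, False, 0, "w1"
        elif pc[i] == "w1":      # outer loop test, then wait while Extraction[q]
            if q[i] == n:
                p[i] = "cs"
            elif wait_on_extraction and extraction[q[i]]:
                continue         # busy waiting: this process cannot step
            else:
                p[i] = "w2"
        elif pc[i] == "w2":      # wait while q holds a smaller (Rank, pid) pair
            j = q[i]
            if rank[j] != 0 and (rank[j], j) < (rank[i], i):
                continue
            qq[i], p[i] = j + 1, "w1"
        else:                    # "cs": critical section done, Rank[i] := 0
            r[i], p[i] = 0, "e1"
        yield tuple(map(tuple, (e, r, p, qq, t)))

def is_mutex(state):
    """isMutex from the slide: no two processes have pc = "cs"."""
    return state[2].count("cs") <= 1

def check(n=2, max_rank=4, wait_on_extraction=True):
    """Breadth-first search; return the first state violating isMutex, else None."""
    init = ((False,) * n, (0,) * n, ("e1",) * n, (0,) * n, (0,) * n)
    seen, frontier = {init}, deque([init])
    while frontier:
        state = frontier.popleft()
        if not is_mutex(state):
            return state
        for nxt in successors(state, n, max_rank, wait_on_extraction):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return None

if __name__ == "__main__":
    print("with Extraction wait:   ", check())
    print("without Extraction wait:", check(wait_on_extraction=False))
```

check() returns None for the algorithm as given, while check(wait_on_extraction=False) returns a reachable state in which both processes are at cs with equal tickets.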

17 Application of the approach: use of extended +CAL in state machine diagrams
Algorithm implementation, operation body:

    process a_process \in 1..N
    variable q;
    begin
      …
      while q /= N+1 do
        ….
      end while;
      cs: Rank[a_process] := 0;
    end process

[Figure: workflow diagram. Labels on the diagram:]
- State machine in +CAL specification
- Labeled specification
- labeled actions
- sequence of steps (labels)
- Extraction[q]
- Ada generation: procedures (PCALToAda translator)
- Invariance checking in TLA+ (with TLC)
- Specification
- Certification of the produced code

18 Conclusions and future works
- In order to formally specify DRE systems behavior
  - Lamport specifies synchronization in terms of state machines (“Time, clocks and the ordering of events in a distributed system”)
  - formal state machines
- We have shown how +CAL can be executed in the context of state machines and activity diagrams
- To answer the Action Language RFP mandatory requirements
  - We need some extensions to +CAL: class and object manipulations and signal generation
  - animate UML models
- +CAL brings genericity
  - labels (allow dividing a multi-threaded program into atomic steps), multiple languages generation
- +CAL can be used via a co-modeling methodology enabling TLA+ actions model-checking
  - Safety properties of concurrent systems are satisfied

19 Questions?
Mail to: isabelle.perseil@telecom-paristech.fr

