Transitions as Interrupts: A New Semantics for Timed Statecharts*

Adriano Peron (1) and Andrea Maggiolo-Schettini (2)

(1) Dipartimento di Matematica ed Informatica, Università di Udine, Via Zanon 6, 33100 Udine, Italy. E-mail: [email protected]
(2) Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy. E-mail: [email protected]

Abstract. Statecharts is a visual formalism for the specification of reactive systems. The formalism has been endowed with a "step-semantics" which heavily bounds the complexity of the reaction in a step, does not model interrupts in a natural way and is not proper for investigating refinement. In this paper, a new model is proposed which allows the mentioned drawbacks to be overcome. From a syntactic point of view, statecharts are generalized by introducing real time features like delays and timeouts. Though occurrences of actions are related to a dense time domain, the behaviour of statecharts is forced to be discrete. Classes of statecharts are investigated which intrinsically behave discretely.

1 Introduction

Statecharts (see [4]) is a visual specification formalism which enriches state-transition diagrams by a hierarchical structuring of states, explicit representation of parallelism and communication among parallel components. Therefore, statecharts have the visual appeal of formalisms like state-transition diagrams and Petri nets, but, with respect to them, they offer facilities of hierarchical structuring of states and modularity, which allow high level description and stepwise development. In particular, the formalism offers interesting description facilities for reactive systems like hardware components, communication networks and computer operating systems (e.g. see [2, 5]). In [6] statecharts have been originally endowed with a "step-semantics" which enforces a "synchrony hypothesis" like that formulated in [1] for the synchronous specification language Esterel (a number of different formulations of this step-semantics can be found in [8, 11, 7, 14]). The environment prompts the statechart with primitive events which are related to a discrete time domain (for instance, the natural numbers $\mathbb{N}$). The history of the prompts of the environment is described as a sequence of sets of primitive events $E_1, \ldots, E_n, \ldots$, intending that the primitive events in $E_n$ are communicated at the $n$-th instant of time. At a fixed instant of time $n$ a statechart "reacts" to the set of communicated primitive events $E_n$ by performing a number of transitions enabled by $E_n$. Actually, the set of offered events $E_n$ triggers a chain reaction, since transitions which are enabled by $E_n$ and are performed may enrich the set of offered events, so instantaneously enabling a richer set of transitions, and so on. The reaction to a set of offered events $E_n$ is instantaneous and must be finite. The reaction is instantaneous since events have no duration and they can trigger transitions only at the instant of time at which they have been communicated. The criterion exploited in [6] to guarantee finiteness is that a reaction consists only of a maximal set of transitions, called a "step", which are structurally consistent, in the sense that a pair of structurally consistent transitions affects two different modules which are in parallel with respect to each other. This choice leads to some inconveniences. In general, a statechart is not allowed to exhibit sequential behaviours during an instantaneous reaction. This heavily constrains the flexibility of the specification formalism, since the complexity of the behaviour exhibited within a reaction is a priori bounded and strictly related to the number of parallel modules. As an example, if one wants a sequential reaction to be performed in a step, one might artificially augment the number of parallel components so that a behaviour which is inherently sequential is simulated as if performed in parallel, but one would obtain a quite tricky and unnatural specification. Another disadvantage is that this kind of semantics does not naturally support some basic notions of refinement. As an example, an obvious way to refine a state-transition diagram is to replace a transition by a sequence of transitions. The problem is now that a transition can be performed instantaneously, but a sequence of transitions cannot. Let us consider also the case of top-down refinement, which is meaningful since the tree-like structuring of states naturally suggests specification development by stepwise refinement.

* This work has been partially supported by Project ESPRIT BRA 8130 LOMAPS.
Usually one wants a refinement to suitably preserve the behaviour of the starting specification, and in particular that, if one abstracts from the behavioural details of the refined part of the specification, then the behaviour of the non-refined version of the specification is recovered. This is not the case in the semantics of Statecharts even for trivial notions of refinement, the cause being again the strict constraint imposed on reactions. Moreover, since states are hierarchically structured and thus a notion of hierarchy is naturally induced on transitions, one would expect that "higher level transitions" have a form of priority over lower level transitions, but again this is not the case (this inconvenience of the semantics of statecharts has been pointed out also in [12]). In this paper we show that, by extending the notion of reaction, the flexibility of the specification formalism can be improved and all the above mentioned drawbacks are overcome. We give the semantics in an operational style similar to that in [6], in order to easily compare the new model with the original one. We generalize statecharts by introducing real time features like delays and timeouts and by allowing events with duration, in order to naturally support the specification of real time systems. Statecharts have been extended with real time features also in [9], but, contrary to our approach, events have no duration, and delays and timeouts can be associated only with transitions requiring no enabling event. Moreover, in [9] the semantics based on steps is discarded together with the assumption that an enabled transition must be performed as soon as possible. In particular, transitions requiring no enabling event and with an associated delay $\delta$ and timeout $\delta'$ may be performed (nondeterministically) at any time in between $\delta$ and $\delta'$. The semantics in [9] might be classified as a "weak time" semantics (see [3] for a discussion in the case of Petri nets). We believe that it makes sense to investigate here the case of a "strong time" semantics for timed statecharts, namely a semantics where no transition is arbitrarily delayed and where there may be a nondeterministic choice among transition performances only if these can really be performed at the same time. Another reason to consider this kind of semantics is that, if transitions are not forced to happen as soon as possible and there is no way to control the time when transitions are performed, then the number of possible behaviours associated with a statechart dramatically explodes (assume, for instance, that a dense time domain is enforced). Such models cannot easily be exploited for concretely verifying specification properties. In this paper the performance of transitions is related to a dense time domain (i.e., the positive rationals), and the principle that only a finite number of transitions is performed in finite time is ensured by the finiteness of the instantaneous reaction and by suitably avoiding reactions at arbitrarily close instants of time (discrete behaviours). We also define some classes of statecharts which intrinsically exhibit only discrete behaviours. In Section 2 statecharts and their semantics are defined. In Section 3 the advantages of the proposed model are shown and discretely behaving statecharts are considered.

2 Statecharts: Syntax and Semantics

We introduce the main features of statecharts by showing the specification of a system controlling the assignment of two equal devices to three concurrent agents requiring them. It will be our running example. The $i$-th agent sends a request (signal $a_i$) and waits for an acknowledgement and the name of the assigned device from the arbiter (signals $a_i ok$ and $dev_j st$, respectively, with $i = 1, 2, 3$ and $j = 1, 2$). When an agent releases the $j$-th device, it communicates a signal $dev_j end$. When a request is issued by an agent, the arbiter accepts it and looks for an available device by prompting the two devices (signal $av?$). If the $j$-th device is available, it communicates its willingness (signal $dev_j$) and the controller assigns it to the agent (signal $dev_j st$). If both devices are available, the choice is nondeterministic. If no device is available, the accepted request is pending and is serviced as soon as a device becomes available. When more than one request is issued simultaneously, as many agents are serviced (the choice is nondeterministic) as there are devices available, and at most one request may be pending. An agent may require (and obtain) a device even if it is currently using the other device. The statechart specifying the described system is depicted in Fig. 1.

[Fig. 1: the statechart SYS, an and-state with three parallel components ARB (substates I, W, O), DEV1 (substates V, with substates R and S, and T) and DEV2 (substates Z, with substates D and E, and F), and transitions t1 to t15. Transition labels, as event part; action part:]

$t_1$: $\{av?\}$; $\{dev_1\}$
$t_2$: $\emptyset$; $\emptyset$
$t_3$: $\{dev_1 st\}$; $\emptyset$
$t_4$: $\{dev_1 end\}$; $\{av\}$
$t_5$: $\{av?\}$; $\{dev_2\}$
$t_6$: $\emptyset$; $\emptyset$
$t_7$: $\{dev_2 st\}$; $\emptyset$
$t_8$: $\{dev_2 end\}$; $\{av\}$
$t_9$: $\{a_1\}$; $\{av?, a_1 ok\}$
$t_{10}$: $\{a_2\}$; $\{av?, a_2 ok\}$
$t_{11}$: $\{a_3\}$; $\{av?, a_3 ok\}$
$t_{12}$: $\{dev_1\}$; $\{dev_1 st\}$
$t_{13}$: $\{dev_2\}$; $\{dev_2 st\}$
$t_{14}$: $\{av\}$; $\{av?\}$
$t_{15}$: $\emptyset$; $\emptyset$

Fig. 1. A specification example.

The graphical convention is that states are depicted as boxes, and the box of a substate of another state is drawn inside the area of the box of that state. States are either of type OR, called or-states, or of type AND, called and-states. And-states are depicted as boxes whose area is partitioned by dashed lines. Each element of the partition is the root state of a statechart describing a "parallel component" of the and-state. When the system is in an or-state, it is in one and only one of its immediate substates, and when it is in an and-state, it must be in all of its immediate substates simultaneously. With reference to Fig. 1, the root state in the tree-like structure of states is the and-state SYS (all the other states are or-states), consisting of three parallel components representing the arbiter (state ARB) and the controllers of the two devices (states DEV1 and DEV2). The substate I of state ARB is entered when the arbiter is idle; the substate W is entered when the arbiter is waiting for the availability of a device to be assigned to the agent it is servicing; the substate O is entered when a device has become available. The substate V of DEV1 is entered when the device is available and the substate T is entered when it is not (the case of DEV2 is analogous). Transitions are represented graphically by arrows and are labelled by a quadruple delay-timeout-event-action, where delay and timeout are two rational numbers, the event is a set of primitive events and the action is a set of pairs, each consisting of a primitive event and a rational number. Primitive events are interpreted as pure signals communicated by the environment. A transition is "enabled" if an amount of time greater than or equal to the delay and less than or equal to the timeout has elapsed since the source state of the transition was entered, and if the primitive events of the event part of the label are currently communicated. When a transition $t$ is performed, the set of primitive events in the action part of the label of $t$ is instantaneously communicated, thus augmenting the set of primitive events offered by the environment. Contrary to [6], communicated events may have a duration (the rational associated with each primitive event in the action part of the label). With reference to Fig. 1, transition labels are listed under the figure. Since, for the sake of simplicity, in our example we do not exploit delays, timeouts and durations of communicated events, we describe a label as two sets of primitive events, the former being the event part of the label and the latter being the action part (without durations), intending that timeouts are unbounded and delays and primitive event durations are null. When a transition is performed and the target state is not a leaf in the hierarchy of states, then entering the target state causes entering also some of its substates: if it is an and-state, all of its immediate substates are entered, otherwise only the "default" immediate substate is entered (the graphical convention is that the default substate of an or-state is the target of a dangling arc).
With reference to Fig. 1, when the state SYS is entered, ARB, DEV1 and DEV2 are entered. The default entrance for V is the state R, so when the state V is entered by means of transition $t_4$, state R is simultaneously entered as well.

Definition 1. A statechart is a tuple $Z = (B_Z, \rho_Z, \psi_Z, T_Z, in_Z, out_Z, P_Z, \chi_Z, \delta_Z)$, where:

1. $B_Z$ is the non-empty, finite set of states;
2. $\rho_Z : B_Z \to 2^{B_Z}$ is the hierarchy function; $\rho^+_Z$ and $\rho^*_Z$ denote the non-reflexive and reflexive transitive closure, respectively, of $\rho_Z$, and it is required that: (a) there exists a unique $b \in B_Z$, denoted $root_Z$, s.t. $\rho^*_Z(b) = B_Z$; (b) $b \notin \rho^+_Z(b)$, for all $b \in B_Z$; (c) if $b' \notin \rho^+_Z(b)$ and $b \notin \rho^+_Z(b')$, then $\rho^*_Z(b) \cap \rho^*_Z(b') \neq \emptyset$ implies $b = b'$, for all $b, b' \in B_Z$. The lowest common ancestor of two states $b$ and $b'$, denoted $lca_Z(b, b')$, is the state $\bar{b} \in B_Z$ such that $\rho^*_Z(\bar{b}) \supseteq \{b, b'\}$ and $\bar{b} \in \rho^*_Z(b'')$ for each $b''$ with $\rho^*_Z(b'') \supseteq \{b, b'\}$; a state $b$ is basic iff $\rho_Z(b) = \emptyset$;
3. $\psi_Z : B_Z \to \{AND, OR\}$ is the state type function;
4. $T_Z$ is the finite set of transitions;
5. $in_Z, out_Z : T_Z \to B_Z$ are the source and target functions, respectively; it is required that $lca_Z(t) \neq in_Z(t)$, $lca_Z(t) \neq out_Z(t)$ and $\psi_Z(lca_Z(t)) = OR$, for all $t \in T_Z$, where $lca_Z(t)$ stands for $lca_Z(in_Z(t), out_Z(t))$;
6. $P_Z$ is the finite set of primitive events;
7. $\chi_Z : T_Z \to Q \times Q_\infty \times 2^{P_Z} \times 2^{P_Z \times Q}$ is the labeling function, with $Q$ and $Q_\infty$ denoting the set of non-negative rational numbers and the set of non-negative rational numbers enriched by $\infty$ acting as their sup, respectively; if $Delay_Z(t)$, $Tout_Z(t)$, $Ev_Z(t)$ and $Act_Z(t)$ denote the four components of $\chi_Z(t)$ (in this order), it must be $Delay_Z(t) \le Tout_Z(t)$;
8. $\delta_Z : B_Z \to B_Z$ is the (partial) default function, which is defined for $b \in B_Z$ iff $\psi_Z(b) = OR$ and $\rho_Z(b) \neq \emptyset$, and is such that $b' = \delta_Z(b)$ implies $b' \in \rho_Z(b)$.

The components $Delay_Z(t)$ and $Tout_Z(t)$ of $\chi_Z(t)$ are a pair of rational numbers representing the delay and the timeout, respectively, associated with $t$. The component $Ev_Z(t)$ gives the set of primitive events enabling the performance of transition $t$. The component $Act_Z(t)$ is a set of pairs associating a rational number with a primitive event; it describes the set of primitive events which are communicated when the transition $t$ is performed and the duration of the events. We introduce now the concepts of configuration, microstep and step for a statechart. A maximal set of states which can be simultaneously entered, consistently with the requirements that all of the immediate substates of an entered and-state and only one of the immediate substates of an entered or-state must be entered, is called an "orthogonal" set of states. A configuration consists of an orthogonal set of states, a function giving the time when each state in the set has been entered and a function describing the history of the prompts of the environment. We assume a fixed statechart $Z$.

Definition 2. A set of states $D \subseteq B_Z$ is orthogonal iff:

1. if $d \in D$ and $d \in \rho_Z(d')$, for some $d' \in B_Z$, then $d' \in D$;
2. if $d \in D$, $\psi_Z(d) = OR$ and $\rho_Z(d) \neq \emptyset$, then $\rho_Z(d) \cap D$ is a singleton;
3. if $d \in D$ and $\psi_Z(d) = AND$, then $\rho_Z(d) \subseteq D$.

A configuration is a triple $(D, en, test)$, where:

1. $D \subseteq B_Z$ is an orthogonal set of states;
2. $en : D \to Q$ is the entering function;
3. $test : Q \to 2^{P_Z}$ is the test function.

A configuration $C = (D, en, test)$ is initial iff $\delta_Z(b) \in D$, for all non-basic or-states $b \in D$, and $en(b) = 0$, for all $b \in D$.

Example 1. An initial configuration for the statechart $Z$ depicted in Fig. 1 is the triple $(D, en, test)$, where:

1. $D = \{SYS, ARB, I, DEV_1, V, R, DEV_2, Z, D\}$;
2. $en(d) = 0$, for all $d \in D$;
3. $test(\tau) = \{a_1, a_2\}$, for $0 \le \tau < 1$; $test(\tau) = \{a_1, a_2, a_3\}$, for $1 \le \tau < 2$; $test(\tau) = \{dev_1 end, a_1, a_2, a_3\}$, for $\tau = 2$; $test(\tau)$ is an arbitrary subset of $P_Z$, for $\tau > 2$.

The function $test$ describes how the three agents (i.e., the environment) prompt the system (for the sake of simplicity we specify the function only in the time interval $[0, 2]$). The first two agents require a device continuously during the interval $[0, 2]$. The third agent requires a device continuously during the interval $[1, 2]$. We assume that the first device is assigned at time 0 and released at time 2 (event $dev_1 end$). Transitions, in order to be performed, must be enabled. There are two kinds of enabling to be fulfilled: time enabling and event enabling. As concerns time enabling, we require that the amount of time elapsed since the entering of the source state of the transition is greater than (or equal to) the delay and less than (or equal to) the timeout associated with the transition. As concerns event enabling, we require that all the primitive events required in the label of the transition have been communicated during the current instant of time.

Definition 3. A transition $t$ is enabled at time $\tau \in Q$ in a configuration $C = (D, en, test)$ iff:

1. $out_Z(t) \in D$ ($t$ is relevant in $C$);
2. $\tau \ge en(d)$, for all $d \in D$;
3. $en(out_Z(t)) + Delay_Z(t) \le \tau \le en(out_Z(t)) + Tout_Z(t)$;
4. $Ev_Z(t) \subseteq test(\tau)$.

Two transitions $t$ and $t'$ are structurally consistent iff $lca_Z(lca_Z(t), lca_Z(t'))$ is an and-state. A nonempty set of transitions $\mu$ is a microstep at time $\tau$ from a configuration $C$ iff it is a set of transitions enabled at time $\tau$ in $C$ and each pair of (different) transitions in $\mu$ is structurally consistent.

Two transitions are structurally consistent whenever the two sets of states they affect (i.e., entered and exited states) belong to parallel components of the statechart. A microstep is a (not necessarily maximal) set of enabled transitions which can be performed in parallel. We consider now how a configuration changes due to the performance of a microstep. When a transition $t$ is performed, all the currently entered substates of the source state of $t$ are exited, together with all the ancestors of the transition source up to $lca_Z(t)$. The states entered are those in the "downward closure" of the set of ancestors of the target state of $t$ which are substates of $lca_Z(t)$. The downward closure of a set of states $K$ is the least superset of $K$ fulfilling the requirements that, for every and-state in the closure, all its immediate substates are in the closure and, for every or-state in the closure having no immediate substate in $K$, its default immediate substate is in the closure.

Definition 4. For $K \subseteq B_Z$, the downward closure of $K$, denoted by $\downarrow K$, is the least superset of $K$ such that: 1. $\rho_Z(d) \subseteq \downarrow K$, for all and-states $d \in \downarrow K$; 2. $\delta_Z(d) \in \downarrow K$, for all non-basic or-states $d \in \downarrow K$ such that $\rho_Z(d) \cap K = \emptyset$.

Definition 5. For two states $b, b' \in B_Z$, the path from $b$ to $b'$ is the set of states $\rho^{\,b}_{Z\,b'} = \{b'' : b'' \in \rho^*_Z(b) \text{ and } b' \in \rho^*_Z(b'')\}$.

If $C = (D, en, test)$ is a configuration and $\mu$ is a microstep at time $\tau$ from $C$, then the configuration reached by $\mu$ is $C' = (D', en', test')$, where:

1. $D' = \big(D - \bigcup_{t \in \mu} \rho^+_Z(\rho^{\,lca_Z(t)}_{Z\,out_Z(t)})\big) \cup \bigcup_{t \in \mu} \downarrow \rho^{\,lca_Z(t)}_{Z\,in_Z(t)}$, where $\rho^+_Z$ is applied to a set of states elementwise;
2. $en'(d) = en(d)$, for all $d \in D \cap D'$; $en'(d) = \tau$, for all $d \in D' - D$;
3. $test'(\tau') = test(\tau') \cup \{e : (e, \delta) \in Act_Z(t),\ t \in \mu,\ \tau \le \tau' \le \tau + \delta\}$, for all $\tau' \in Q$.

It is easy to see that the set of states $D'$, as defined above, is an orthogonal set. A statechart instantaneous reaction, called a "step", is a maximal sequence of microsteps where each transition occurs in at most one microstep.

Definition 6. A step $S$ at time $\tau$ from a configuration $C$ to a configuration $C'$ is a (possibly null) sequence of pairwise disjoint transition sets $\mu_0, \ldots, \mu_n$ such that there exists a sequence of configurations $C_0, \ldots, C_{n+1}$ with:

1. $C_0 = C$, $C_{n+1} = C'$ and $C_{i+1}$ is reached from $C_i$ by microstep $\mu_i$ at time $\tau$, for $0 \le i \le n$;
2. if there exists a microstep $\mu$ at time $\tau$ from $C'$, then $\mu \cap \mu_j \neq \emptyset$, for some $0 \le j \le n$.

The empty sequence is a step at time $\tau$ from a configuration $C$ whenever there is no transition enabled in $C$ at time $\tau$.

A remark. The definition of step we give generalizes the notion of step in [6], where the sequence of microsteps $\mu_0, \ldots, \mu_n$ must also satisfy the constraint that the set $\bigcup_{i=1}^{n} \mu_i$ be a pairwise structurally consistent set of transitions. The fact that a transition cannot occur more than once in a step ensures that a step is finite (a statechart has a finite number of transitions).

Example 2. With reference to the statechart of Fig. 1, the sequence of microsteps $S = \{t_9\}; \{t_1, t_5\}; \{t_2, t_6, t_{12}\}; \{t_3, t_{10}\}; \{t_{13}\}; \{t_7\}$ is a step at time 0 from the configuration $C = (D, en, test)$ of Ex. 1. The reached configuration is $C' = (D', en', test')$, where:

1. $D' = \{SYS, ARB, I, DEV_1, T, DEV_2, F\}$;
2. $en'(d) = 0$, for all $d \in D'$;
3. $test'(0) = \{a_1, a_2, av?, a_1 ok, a_2 ok, dev_1, dev_2, dev_1 st, dev_2 st\}$; $test'(\tau) = test(\tau)$, for all $\tau > 0$.

The sequence of microsteps $S$ is maximal, since the transitions enabled in $C'$ at time 0 are $t_9$ and $t_{10}$, which already occur in $S$. During step $S$ the arbiter assigns the first and the second device to the first and the second agent, respectively. Notice that an agent, for instance the first one, cannot be serviced twice instantaneously, since transition $t_9$ cannot be performed twice instantaneously. Analogously, a device cannot be assigned to two different agents instantaneously. In the semantics given in [6], $S'_1 = \{t_9\}; \{t_1, t_5\}$ and $S'_2 = \{t_{10}\}; \{t_1, t_5\}$ are steps from $C$, since only transitions belonging to parallel components can be performed simultaneously.

If a step has been performed at time $\tau$, the problem is now to determine the time at which the next step will be performed. With reference to Ex. 2, $t_9$ (and $t_{10}$) is enabled in $C'$ at time $\tau$, for all $0 \le \tau \le 1$. So, the next step containing transition $t_9$ (and $t_{10}$) might be performed at a time belonging to the left-open interval $(0, 1]$ (at time 0, $t_9$ and $t_{10}$ have already been performed). The problem is that a step containing $t_9$ cannot be performed as soon as possible, since the interval $(0, 1]$ has no minimum. Actually, the difficulties in determining the next reaction time are strictly related to the continuous enabling of transitions during an interval of time. A possible solution is to assume that a reaction may occur at a time $\tau$ only if there exists a transition $t$ which is enabled at time $\tau$ and is not enabled during an interval whose least upper bound is $\tau$ (such a time is called a "triggering time"). So, if a reaction occurs at time $\tau$, the next reaction occurs at the least triggering time (strictly) greater than $\tau$. Notice that reactions are triggered either by changes in the set of communicated events or simply by the flowing of time, in the case there are relevant transitions (with respect to the considered configuration) with non-zero delays associated. In the former case the reaction is forced "externally" (i.e., by the environment) and in the latter "internally" (i.e., by the statechart itself).

Definition 7. Let $C = (D, en, test)$ be a configuration; $\tau \in Q$ is a trigger in $C$ iff $\tau > \max\{en(d) : d \in D\}$ and there exist a transition $t$ and a rational $\epsilon \in Q$, with $\epsilon > 0$, s.t. $t$ is enabled in $C$ at time $\tau$ and $t$ is not enabled in $C$ at time $\tau'$, for all $\tau - \epsilon \le \tau' < \tau$ with $\tau' \ge 0$.

A behaviour from an initial configuration $C$ is a sequence $S_0, \ldots, S_n$, with $S_i$ a sequence of transition sets for $0 \le i \le n$, such that there exists a sequence of configurations $C_0, \ldots, C_{n+1}$ with:

1. $C_0 = C$ and $S_i$ is a step at time $\tau_i$ from $C_i$ to $C_{i+1}$, for $0 \le i \le n$;
2. $\tau_i = \min\{\tau : \tau > \tau_{i-1},\ \tau \text{ is a trigger in } C_i\}$, for $0 \le i \le n$.

Notice that each step $S_i$ in a behaviour is a non-null sequence, since the time when $S_i$ is performed is a trigger (i.e., there exists some transition enabled in $C_i$).

Example 3. The least trigger in the configuration $C'$ of Ex. 2 is time 1, when the event $a_3$ is communicated. In this case, the reaction from $C'$ is taken at time 1. Since all the agents compete for a device, there are three possible steps at time 1, namely $S_2 = \{t_9\}$, $S'_2 = \{t_{10}\}$ and $S''_2 = \{t_{11}\}$, corresponding to accepting the request of the first, second and third agent, respectively. No device is available and so the accepted request is pending. If the step $S''_2$ is performed, the reached configuration is $C'' = (D'', en'', test'')$, where:

1. $D'' = \{SYS, ARB, W, DEV_1, T, DEV_2, F\}$;
2. $en''(d) = 1$ if $d = W$, $en''(d) = 0$ otherwise;
3. $test''(\tau) = \{a_1, a_2, a_3, av?, a_3 ok\}$ if $\tau = 1$, $test''(\tau) = test'(\tau)$ otherwise.

The least trigger in the configuration $C''$ is time 2. A step at time 2 is $S_3 = \{t_4\}; \{t_{14}\}; \{t_1, t_{15}\}; \{t_2, t_{12}\}; \{t_3, t_{10}\}$. During step $S_3$ the device released by the first agent is assigned to the third agent, whose request was pending. The request of the second agent is accepted and is pending. The sequence of steps $S_1, S''_2, S_3$ is a behaviour from the configuration $C$ of Ex. 1.

3 Properties of the Semantics

The semantics defined in the previous section implicitly endows the set of transitions with a notion of priority, naturally induced by the hierarchical structure of states. As an example, let us consider the statechart $Z$ in Fig. 2b. Transition $t_2$ is of higher level than transition $t_i$, with $i = 3, 4, 5$, in the sense that $lca_Z(t_i) \in \rho^*_Z(out_Z(t_2))$, and, analogously, $t_1$ has higher level than transition $t_i$, with $i = 6, 7, 8$. A natural interpretation of transitions like $t_1$ and $t_2$ is that they are interrupts for the activities associated with states $B$ and $A$, respectively, in the sense that as soon as $t_2$ is enabled it is performed, preempting the performance of lower level transitions inside $A$. The semantics defined in the previous section supports this interpretation. In particular, if during a step there is an enabled transition $t$ which has higher level than all the other enabled transitions, then that transition is surely performed. Enabled transitions having lower level may be performed but are not necessarily performed. The interpretation is that, if the highest level transition represents an interrupt enabled at time $\tau$, the interrupt takes effect at time $\tau$, preventing the subsystem from continuing its current activity at a time strictly greater than $\tau$. The activity of the subsystem which can be performed at time $\tau$ can be (nondeterministically) interrupted at every stage of its advancement (this seems to have quite a reasonable physical interpretation).

[Fig. 2: (a) a statechart with root or-state I, basic substates A and B, and transitions t1 (leaving B) and t2 (leaving A); (b) its refinement, in which A and B become or-states with substates A1, A2, A3 (default A1) and B1, B2, B3 (default B1) and with the transitions t3, t4, t5 inside A and t6, t7, t8 inside B. Transition labels, as event part; action part:]

$t_i$: $\{a\}$; $\emptyset$, for $i = 1, 2$;
$t_i$: $\{b\}$; $\emptyset$, for $i = 3, 4, 5$;
$t_i$: $\{c\}$; $\emptyset$, for $i = 6, 7, 8$.

Fig. 2. A refinement example.

Example 4. Let $C = (D, en, test)$ be a configuration for the statechart of Fig. 2b, where $D = \{I, A, A_1\}$, $en(d) = 0$ for all $d \in D$, $test(0) = \{a, b\}$ and $test(\tau) = \emptyset$ for all $\tau > 0$. The possible steps from $C$ at time 0 are:

1. $S_1 = \{t_2\}; \{t_1\}; \{t_4\}; \{t_5\}; \{t_3\}$
2. $S_2 = \{t_4\}; \{t_2\}; \{t_1\}$
3. $S_3 = \{t_4\}; \{t_5\}; \{t_2\}; \{t_1\}$
4. $S_4 = \{t_4\}; \{t_5\}; \{t_3\}; \{t_2\}; \{t_1\}$.

Notice that transition $t_2$ occurs in each step. The steps from $C$ in the classical semantics are $S'_1 = \{t_2\}$ and $S'_2 = \{t_4\}$.

A remark. The classical semantics does not support the interpretation of transitions as interrupts. Actually, two transitions $t$ and $t'$, where $t$ has higher level than $t'$, are structurally inconsistent, and so they cannot occur in the same step. The choice of performing either $t$ or $t'$ is nondeterministic, and an enabled interrupt is not necessarily performed. For instance, consider the case of transitions $t_2$ and $t_4$ in Ex. 4. The step $S'_2$ has no occurrence of $t_2$.
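The step semantics of Section 2 (Definitions 3 to 6) and the interrupt property illustrated by Example 4, worked as an added Python example that is not code from the paper: it enumerates every step at one instant for the statecharts of Fig. 2, with and without the global consistency constraint of the classical semantics, and projects the steps of the refined statechart onto the unrefined one as the refinement discussion of this section does. Delays, timeouts and durations are omitted as in the paper's own examples; the transition endpoints (t2 from A to B, t1 from B to A, the cycles t4, t5, t3 on A1, A2, A3 and t6, t7, t8 on B1, B2, B3) are assumptions read off the figure and Example 4.

```python
"""Step semantics of Sect. 2 (Defs. 3-6) as a small simulator, run on the
statecharts of Fig. 2.  Added example, not code from the paper; delays,
timeouts and event durations are omitted, as in the paper's own examples.
Assumed from the figure: t2 leaves A for B, t1 leaves B for A, and the
cycles A1 -t4-> A2 -t5-> A3 -t3-> A1 and B1 -t6-> B2 -t7-> B3 -t8-> B1."""
from itertools import combinations


class Statechart:
    def __init__(self, children, and_states, default, trans):
        self.children, self.and_states, self.default = children, and_states, default
        self.trans = trans  # name -> (out_Z(t) source, in_Z(t) target, Ev_Z(t), Act_Z(t))
        self.parent = {c: p for p, cs in children.items() for c in cs}

    def up(self, b):  # b followed by its ancestors, root last
        chain = [b]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

    def lca(self, b1, b2):  # lowest common ancestor (Def. 1)
        anc = set(self.up(b2))
        return next(a for a in self.up(b1) if a in anc)

    def descendants(self, b):  # rho^+_Z(b)
        out = set(self.children.get(b, ()))
        for c in list(out):
            out |= self.descendants(c)
        return out

    def closure(self, K):  # Def. 4: downward closure of the set K
        result, todo = set(K), list(K)
        while todo:
            d = todo.pop()
            if d in self.and_states:
                new = set(self.children[d])
            elif d in self.children and not set(self.children[d]) & set(K):
                new = {self.default[d]}  # or-state with no child in K: its default
            else:
                new = set()
            todo += new - result
            result |= new
        return result

    def consistent(self, t1, t2):  # Def. 3: the lca of the two lcas is an and-state
        l1, l2 = (self.lca(*self.trans[t][:2]) for t in (t1, t2))
        return self.lca(l1, l2) in self.and_states

    def enabled(self, D, events):  # Def. 3 without the timing conditions
        return [t for t, (src, _, ev, _) in self.trans.items() if src in D and ev <= events]

    def perform(self, D, t):  # Def. 6(1): exit everything below lca(t), enter the closed path
        src, tgt = self.trans[t][:2]
        l = self.lca(src, tgt)
        path = self.up(tgt)[: self.up(tgt).index(l) + 1]
        return (D - self.descendants(l)) | self.closure(path)

    def steps(self, D, events, used=frozenset(), classical=False):
        """Every step at one instant from (D, events), each a tuple of microsteps.
        classical=True adds the constraint of [6]: the whole step is pairwise consistent."""
        cands = [t for t in self.enabled(D, events) if t not in used
                 and (not classical or all(self.consistent(t, u) for u in used))]
        result = []
        for k in range(len(cands), 0, -1):
            for mu in combinations(cands, k):
                if all(self.consistent(a, b) for a, b in combinations(mu, 2)):
                    D2, ev2 = D, set(events)
                    for t in mu:  # consistent transitions act on disjoint regions
                        D2, ev2 = self.perform(D2, t), ev2 | self.trans[t][3]
                    for rest in self.steps(D2, ev2, used | set(mu), classical):
                        result.append((mu,) + rest)
        return result or [()]  # no candidate left: the sequence is maximal


Z1_TRANS = {"t1": ("B", "A", {"a"}, set()), "t2": ("A", "B", {"a"}, set())}
Z1 = Statechart({"I": ["A", "B"]}, set(), {"I": "A"}, Z1_TRANS)  # Fig. 2a
Z2_TRANS = dict(Z1_TRANS, t4=("A1", "A2", {"b"}, set()), t5=("A2", "A3", {"b"}, set()),
                t3=("A3", "A1", {"b"}, set()), t6=("B1", "B2", {"c"}, set()),
                t7=("B2", "B3", {"c"}, set()), t8=("B3", "B1", {"c"}, set()))
Z2 = Statechart({"I": ["A", "B"], "A": ["A1", "A2", "A3"], "B": ["B1", "B2", "B3"]},
                set(), {"I": "A", "A": "A1", "B": "B1"}, Z2_TRANS)  # Fig. 2b


def steps_ex4(classical=False):
    """Steps from C of Ex. 4: D = {I, A, A1}, test(0) = {a, b}."""
    return set(Z2.steps({"I", "A", "A1"}, {"a", "b"}, classical=classical))


def projected_onto_z1(classical=False):
    """Each step of Z2 restricted to T_Z1 with empty microsteps dropped (cf. Prop. 2)."""
    return {tuple(m for m in (tuple(t for t in mu if t in Z1_TRANS) for mu in s) if m)
            for s in steps_ex4(classical)}


def steps_ex5_z1():
    """Steps of the un-refined Fig. 2a statechart from C' of Ex. 5: D' = {I, A}, test'(0) = {a}."""
    return set(Z1.steps({"I", "A"}, {"a"}))


if __name__ == "__main__":
    for s in sorted(steps_ex4(), key=len):
        print("; ".join("{" + ",".join(mu) + "}" for mu in s))
```

Running it lists exactly the four steps S1 to S4 of Example 4, each containing t2, while the classical mode yields only {t2} and {t4}; every projected step equals the single step {t2}; {t1} of the unrefined statechart, whereas the classical step {t4} projects to the empty sequence, which is not a step there.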

Proposition1. Let S be a step from a con guration C0 with a sequence of microsteps 0 ; : : :; n and a corresponding sequence of reached con gurations C0; : : :; Cn+1. If there exists a transition t which Sisn enabled in Cj , for some 0  j  n, and lcaZ (t0 ) 2 Z (outZ (t)), for all t0 2 i=j i such that t0 6= t and lcaZ (t) ) \ + (Z lca(t ) ) 6= ;, then t 2 Sn . +Z (Zout Z outZ (t ) i=0 i Z (t) 0

0

Proof. The proof is by contradiction. Assume that t 2=

Sn . If t is enabled in i i =0

Cj , then outZ (t) 2 Dj (assume that Ci = (Di ; eni ; testi ), for 0  i  n+1). Since lcaZ (t) ) \ + (Z lcaZ (t ) ) 6= ; lcaZ (t0 ) 2SZ (outZ (t)), for each t0 6= t such that +Z (Zout Z outZ (t ) Z (t) and t0 2 nl=j l , it holds that outZ (t) 2 Di , for all j  i  n + 1, namely t is enabled in Ci for all j  i  n + 1. This implies that the sequence of microsteps S is not maximal, thus leading to a contradiction. ut As it has been shown in Ex.4, the proposition does not hold in the semantics given in [6]. Moreover, the semantics we have de ned gives a greater freedom than that in [6] for considering structural transformations for statecharts. As an example, we shall consider the case of a basic re nement technique which preserves behaviour (under suitable conditions) in our semantics and which does not preserve behaviour in the classical one. We allow to re ne a basic state by drawing a statechart into it. For instance, consider the two statecharts in Fig.2. The statechart in Fig.2b is obtained from the statechart of Fig.2a by re ning states A and B. De nition8. A statechart Z2 is a re nement of a statechart Z1 i BZ1  BZ2 , TZ1  TZ2 , there exists b 2 BZ1 such that Z1 (b) = ; and BZ2 ? BZ1 = +Z2 (b), Z1 (b0 ) = Z2 (b0 ) and Z1 (b0) = Z2 (b0 ), for all b0 2 BZ1 ? fbg and lcaZ2 (t) 2 Z2 (b), for all t 2 TZ2 ? TZ1 , inZ1 = inZ2 eTZ1 , outZ1 = outZ2 eTZ1 , PZ1  PZ2 , Z1 = Z2 eTZ1 , Z1 = Z2 eBZ1 (e is a restriction operation). Given a statechart Z1 and a re nement Z2 of Z1 , if the performance of any transition in Z2 which is not in Z1 does not enable transitions which are also in Z1 , then the part of a behaviour of Z2 determined by transitions which are in Z1 0

0

is a behaviour of $Z_1$. That is, if we abstract from the details of the refinement, the behaviour of $Z_1$ is preserved. This is not the case in the classical semantics, due to the global constraint a step must fulfill. The problem is that the performance of a transition in the refined part of a statechart may preempt the performance of a transition in the non-refined part of the statechart.

Example 5. Let $C = (D, en, test)$ be the configuration of Ex. 4 for the statechart of Fig. 2b. Let $C' = (D', en', test')$ be a configuration for the statechart of Fig. 2a with $D' = \{I, A\}$, $en'(d) = 0$ for all $d \in D'$, $test'(0) = \{a\}$ and $test'(\tau) = \emptyset$ for all $\tau > 0$. If the classical semantics is considered, then $S = \{t_4\}$ is a step from $C$, but the empty sequence ($t_4$ does not belong to the non-refined statechart) is not a step from $C'$.

Proposition 2. Let statechart $Z_2$ be a refinement of statechart $Z_1$, and let $C = (D, en, test)$ and $C' = (D', en', test')$ be two configurations for $Z_1$ and $Z_2$, respectively, such that $D \subseteq D'$, $en = en'|_D$ and $test(\tau) = test'(\tau) \cap P_{Z_1}$ for all $\tau \in Q$. If

$$\Big(\bigcup_{t \in T_{Z_2} - T_{Z_1}} \pi_1(Act_{Z_2}(t))\Big) \cap \Big(\bigcup_{t \in T_{Z_1}} Ev_{Z_1}(t)\Big) \subseteq test(\tau) \qquad (1)$$

($\pi_1$ denotes the projection on the first component of a pair), then $S' = \sigma'_0, \ldots, \sigma'_n$ is a step at time $\tau \in Q$ from $C'$ iff $S = \sigma_0, \ldots, \sigma_m$ is a step at time $\tau$ from $C$, where $m \leq n$ and $S$ is obtained from the sequence of sets $\sigma'_0 \cap T_{Z_1}, \ldots, \sigma'_n \cap T_{Z_1}$ by removing empty sets.

Proof. Assume that $S = \sigma_0, \ldots, \sigma_m$ is a step from $C$ leading to the configuration $C_{m+1} = (D_{m+1}, en_{m+1}, test_{m+1})$. It is easy to see that $\sigma_0, \ldots, \sigma_m$ is also a sequence of microsteps from $C'$ leading to the configuration $C'_{m+1} = (D'_{m+1}, en'_{m+1}, test'_{m+1})$, where $D'_{m+1} = {}^{+}D_{m+1}$, $en'_{m+1}(d) = en_{m+1}(d)$ for all $d \in D_{m+1}$, $en'_{m+1}(d) = en_{m+1}(d')$ with $d'$ the lowest ancestor of $d$ such that $d' \in D_{m+1}$, for all $d \in D'_{m+1} - D_{m+1}$, and $test'_{m+1}(\tau') = test'(\tau') \cup test_{m+1}(\tau')$ for all $\tau' \in Q$. The step $S = \sigma_0, \ldots, \sigma_m$ from $C$ may be extended to a step $S' = \sigma_0, \ldots, \sigma_m, \sigma_{m+1}, \ldots, \sigma_n$ from $C'$. Now, $\bigcup_{i=m+1}^{n} \sigma_i \subseteq T_2 - T_1$ as a consequence of condition (1) and the maximality of $S$.

Conversely, assume that $S' = \sigma'_0, \ldots, \sigma'_n$ is a step at time $\tau \in Q$ from $C'$ and that $C'_0, \ldots, C'_{n+1}$ is the corresponding sequence of reached configurations, with $C'_0 = C'$ and $C'_i = (D'_i, en'_i, test'_i)$ for $0 \leq i \leq n$. Let $S = \sigma_0, \ldots, \sigma_m$ be the sequence obtained from $S'$ as in the assertion, and let $k : \{0, \ldots, m\} \to \{0, \ldots, n\}$ be the map such that $k(i) = j$ iff $\sigma_i = \sigma'_j \cap T_1$. Condition (1) guarantees that $S$ is a sequence of microsteps from $C$, and the corresponding sequence of reached configurations is $C_1, \ldots, C_{m+1}$, where $C_i = (D_i, en_i, test_i)$ with $D_i = D'_{k(i)} \cap B_{Z_1}$, $en_i = en'|_{D_i}$ and $test_i(\tau) = test(\tau) \cup \{e : (e, \tau) \in Act_{Z_1}(t),\ t \in \bigcup_{j=0}^{i-1} \sigma_j\}$ (we recall that, by Def. 8, there exists a basic state $b \in B_{Z_1}$ such that $lca_{Z_2}(t) \in \rho_{Z_2}(b)$, for all $t \in T_{Z_2} - T_{Z_1}$). We have to show that $S$ is a maximal sequence. Assume that $S$ is not maximal and that there exists a transition $t$ enabled in $C_{m+1}$ which does not occur in $S$. So, transition $t$ does not occur in $S'$, but $out_{Z_1}(t) \in D'_{n+1}$ iff $out_{Z_1}(t) \in D_{m+1}$, $en_{m+1}(out_{Z_1}(t)) = en'_{n+1}(out_{Z_1}(t))$ and, by condition (1), $Ev_{Z_1}(t) \subseteq test_{n+1}(\tau)$ iff $Ev_{Z_1}(t) \subseteq test'_{m+1}(\tau)$. Therefore, $t$ is enabled in $C'_{m+1}$ and does not occur in $S'$, thus contradicting the maximality of $S'$. □

The result above does not hold in the case of the classical semantics of [6], as has been shown in Ex. 5.

In the remaining part of this section we shall consider again the question of discrete behaviours. We have ensured that statechart behaviours are discrete by requiring that steps are triggered as soon as there exists a transition which is enabled after having been continuously disabled. We have seen in Ex. 3 that, under this assumption, there are transitions which are continuously enabled during an interval of time but which are performed at most once during that interval (for instance, transitions $t_9$ and $t_{10}$). In such cases we say that transitions "collapse". If one does not want this phenomenon to occur, one can restrict attention to statecharts whose behaviour is inherently discrete. In the following, we shall give some conditions on the test function and on statechart structure which are sufficient to guarantee that a statechart behaves discretely.

Definition 9. Let $C$ and $C'$ be configurations such that $C'$ is reached by step $S$ at time $\tau$ from $C$. A transition $t$ collapses in $C'$ iff there exists $\delta \in Q$, $\delta > 0$, such that $t$ is enabled at time $\tau'$ in $C'$ for each $\tau \leq \tau' \leq \tau + \delta$. An initial configuration $C$ allows collapsing transitions iff there exists a behaviour $S_0, \ldots, S_n$ from $C$ to a configuration $C'$ and there is a transition collapsing in $C'$.

In the following we shall consider only two kinds of interaction between a statechart and its environment, namely either the case in which event communication is discrete or the case in which an event may be communicated continuously during a (closed) interval of time. For instance, the test function defined in Ex. 1 belongs to the latter kind.

Definition 10. A function $test : Q \to 2^{P_Z}$ is a discrete test function iff, for all $\tau \in Q$, $test(\tau) \neq \emptyset$ implies that there exists $\delta \in Q$ with $\delta > 0$ such that $test(\tau') = \emptyset$ for all $\tau' \in Q$ with $\tau' \neq \tau$ and $\tau - \delta \leq \tau' \leq \tau + \delta$. A function $test : Q \to 2^{P_Z}$ is an interval test function iff, for each $\tau$ for which $e \in test(\tau)$ with $e \in P_Z$, there are $\tau_1, \tau_2, \delta \in Q$, with $\delta > 0$ and $0 \leq \tau_1 \leq \tau \leq \tau_2$, such that $e \in test(\tau')$ for all $\tau_1 \leq \tau' \leq \tau_2$, and $e \notin test(\tau')$ both for all $\tau_1 - \delta \leq \tau' < \tau_1$ with $\tau' \geq 0$ and for all $\tau_2 < \tau' \leq \tau_2 + \delta$.

We can force a statechart to inherently behave discretely either by using a discrete test function or by suitably associating delays and timeouts with transitions. As an example, if every transition requires the communication of a primitive event in order to be enabled, a discrete test function is enough to guarantee a discrete behaviour. On the contrary, when interval test functions are considered, only delays and timeouts can be exploited. In more detail, a transition $t$ collapsing in a configuration $C$ reached by step $S$ at time $\tau$ is a transition which has been performed in $S$ and which has been enabled again due to a sequence of transitions occurring in $S$ and determining a cycle (the source of $t$ is exited and then entered again due to such a performance sequence). Therefore, if no cycle can be performed instantaneously (e.g. delays are associated with transitions) or if no transition in a cycle can be continuously enabled (e.g. the timeouts associated with transitions equal their delays), then transitions cannot collapse.

In order to define the notion of sequence (and cycle) of transition performances we need to introduce two relations $\rightarrow$ and $\Rightarrow$. The former describes causality among transitions, two transitions $t$ and $t'$ being related whenever the source state of $t'$ belongs to the set of states entered by performing $t$. The latter relates $t$ and $t'$ whenever $t'$ is an interrupt for $t$. So, if either $t \rightarrow t'$ or $t \Rightarrow t'$, then $t'$ is surely relevant immediately after the performance of $t$, and so, compatibly with time and event enablings, the performance of $t'$ can be sequentialized after that of $t$.

Definition 11. For $K \subseteq B_Z$, the closure of $K$, written $\mathcal{C}K$, is the least superset of $K$ such that:
1. $\rho_Z(b) \subseteq \mathcal{C}K$, for all and-states $b \in \mathcal{C}K$;
2. $\rho_Z(b) \subseteq \mathcal{C}K$, for all or-states $b \in \mathcal{C}K$ such that $\rho_Z(b)$ is a singleton.

The relations $\rightarrow, \Rightarrow \subseteq T_Z \times T_Z$ are defined as follows:

$$(t, t') \in \rightarrow \ \text{ iff }\ out_Z(t') \in {}^{+}\rho_Z{}^{\,lca_Z(t)}_{\,in_Z(t)} - \{lca_Z(t)\} \qquad (2)$$

$$(t, t') \in \Rightarrow \ \text{ iff }\ out_Z(t') \in \mathcal{C}\,\rho_Z{}^{\,root_Z}_{\,lca_Z(t)} \qquad (3)$$

A cycle is a sequence of transitions $t_1, \ldots, t_n$ such that $t_i \neq t_j$ for all $1 \leq i < j \leq n$, either $t_i \rightarrow t_{i+1}$ or $t_i \Rightarrow t_{i+1}$ for all $1 \leq i \leq n - 1$, and either $t_n \rightarrow t_1$ or $t_n \Rightarrow t_1$.

Theorem 3. If $Z$ is a statechart with $Act_Z(t) \in P_Z \times \{0\}$ for all $t \in T_Z$, and such that, for each cycle $t_1, \ldots, t_k$, one of the following conditions is satisfied:
1. $Ev_Z(t_i) \neq \emptyset$, for all $1 \leq i \leq k$;
2. $Delay_Z(t_i) \neq 0$, for some $1 \leq i \leq k$, and if $t_i \Rightarrow t_{i+1}$ (resp. $t_k \Rightarrow t_1$), then $Delay_Z(t_i) \neq 0$ (resp. $Delay_Z(t_k) \neq 0$), for all $1 \leq i \leq k - 1$;
3. $Delay_Z(t_i) = Tout_Z(t_i)$, for all $1 \leq i \leq k$;
then each initial configuration $C = (D, en, test)$ for $Z$, where $test$ is a discrete test function, does not allow collapsing transitions.

Proof. The proof is by contradiction. Let us assume that there is a behaviour $S_0, \ldots, S_n$ and a sequence of configurations $C_0, \ldots, C_{n+1}$ such that $C_0$ is an initial configuration with a discrete test function, $C_i = (D_i, en_i, test_i)$, and $C_{i+1}$ is reached from $C_i$ by means of step $S_i$ at time $\tau_i$. Let us assume that there is a transition $t$ collapsing in $C_{n+1}$. So, $t$ is relevant in $C_{n+1}$ and there exists $\delta > 0$ such that $t$ is enabled at $\tau'$ for all $\tau_n \leq \tau' \leq \tau_n + \delta$. The sequence $S_n$ is maximal and, since $t$ is enabled at time $\tau_n$, $t$ must occur in $S_n$. Therefore, there must be a cycle $t, t_1, \ldots, t_k$ of transitions occurring in $S_n = \sigma_0, \ldots, \sigma_m$ such that $t$ occurs in $\sigma_j$ for some $j < m$, and $t_i \in \sigma_{f(i)}$ for all $1 \leq i \leq k$, with $f : \{1, \ldots, k\} \to \{j + 1, \ldots, m\}$ the map such that $f(i) = l$ iff $t_i \in \sigma_l$ (note that $f$ is injective and monotone). By hypothesis $test_0$ is a discrete test function and, since $Act_Z(t) \in P_Z \times \{0\}$ for all $t \in T_Z$, also $test_i$ is a discrete test function for all $0 \leq i \leq n + 1$. Therefore, the fact that $test_{n+1}$ is discrete and $t$ is enabled at $\tau'$ for all $\tau_n \leq \tau' \leq \tau_n + \delta$ implies that $Ev_Z(t) = \emptyset$, so the first condition fails. Let us prove that the cycle does not fulfill the second condition either. If $t \Rightarrow t_1$, then $Delay_Z(t) \neq 0$, and so the fact that $en_{n+1}(out_Z(t)) = \tau_n$ contradicts that $t$ is enabled at time $\tau_n$ in $C_{n+1}$. So, we have that $t \rightarrow t_1$ and $Delay_Z(t) = 0$. Let $C'_0, \ldots, C'_{m+1}$ be the sequence of configurations corresponding to the sequence of microsteps $\sigma_0, \ldots, \sigma_m$, with $C'_0 = C_n$, $C'_{m+1} = C_{n+1}$ and $C'_i = (D'_i, en'_i, test'_i)$ for $0 \leq i \leq m + 1$. That $t \rightarrow t_1$ and $t_1 \in \sigma_{f(1)}$ implies that $en'_{f(1)}(out_Z(t_1)) = \tau_n$, and so it must be $Delay_Z(t_1) = 0$, since $t_1$ is enabled in $C'_{f(1)}$ at time $\tau_n$. As a consequence, we have that $t_1 \rightarrow t_2$. In the same way it is possible to prove that $t_i \rightarrow t_{i+1}$ for all $1 \leq i \leq k - 1$, $t_k \rightarrow t$, and that $Delay_Z(t_i) = 0$ for all $1 \leq i \leq k$. Finally, we show that also the third requirement is not satisfied. In the previous point we have shown that $Delay_Z(t) = Delay_Z(t_i) = 0$ for all $1 \leq i \leq k$, and so $Tout_Z(t) = Tout_Z(t_i) = 0$ for all $1 \leq i \leq k$ follows. This contradicts the fact that $t$ is enabled in $C_{n+1}$ at time $\tau'$ with $\tau_n < \tau' \leq \tau_n + \delta$, $\delta > 0$. □

The conditions are sufficient but not necessary. As an example, consider a statechart having a cycle of transitions which satisfies none of the conditions above and such that all the source states of the transitions in that cycle are unreachable.
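As an added illustration of Definition 10 (not part of the original paper), here are two concrete test functions over the time domain $Q$, constructed for this purpose; the letters $\tau$ for the time variable and $a \in P_Z$ for a primitive event are assumptions made here:

$$
test_1(\tau) = \begin{cases} \{a\} & \text{if } \tau \in \mathbb{N} \\ \emptyset & \text{otherwise,} \end{cases}
\qquad
test_2(\tau) = \begin{cases} \{a\} & \text{if } 1 \leq \tau \leq 2 \\ \emptyset & \text{otherwise.} \end{cases}
$$

$test_1$ is a discrete test function: if $test_1(\tau) \neq \emptyset$ then $\tau = n$ for some $n \in \mathbb{N}$, and $\delta = 1/2$ satisfies $test_1(\tau') = \emptyset$ for every $\tau' \neq n$ with $n - 1/2 \leq \tau' \leq n + 1/2$. $test_2$ is not discrete, since for $\tau = 3/2$ every $\delta \in Q$, $\delta > 0$, admits $\tau' = 3/2 + \min(\delta, 1/4) \neq \tau$ with $|\tau' - \tau| \leq \delta$ and $test_2(\tau') = \{a\}$; it is an interval test function, because for every $\tau$ with $a \in test_2(\tau)$ the choice $\tau_1 = 1$, $\tau_2 = 2$, $\delta = 1/2$ gives $a \in test_2(\tau')$ for all $1 \leq \tau' \leq 2$, and $a \notin test_2(\tau')$ for all $1/2 \leq \tau' < 1$ and for all $2 < \tau' \leq 5/2$. Hence an initial configuration with $test_1$ falls under the hypothesis of Theorem 3, and one with $test_2$ under that of Theorem 4.

Note that Definition 10 isolates each communication instant but does not bound their number in a bounded interval: $test_3(\tau) = \{a\}$ iff $\tau = 1/n$ for some $n \geq 1$ (and $\emptyset$ otherwise) is discrete, since $\delta = 1/(2n(n+1))$ separates $1/n$ from both $1/(n+1)$ and $1/(n-1)$, although the instants accumulate at $0$.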

Theorem 4. If a statechart $Z$ is such that, for each cycle $t_1, \ldots, t_k$, one of the following conditions is satisfied:
1. $Delay_Z(t_i) \neq 0$, for some $1 \leq i \leq k$, and if $t_i \Rightarrow t_{i+1}$ (resp. $t_k \Rightarrow t_1$), then $Delay_Z(t_i) \neq 0$ (resp. $Delay_Z(t_k) \neq 0$), for all $1 \leq i \leq k - 1$;
2. $Delay_Z(t_i) = Tout_Z(t_i)$, for all $1 \leq i \leq k$;
then each initial configuration $C = (D, en, test)$ for $Z$, where $test$ is an interval test function, does not allow collapsing transitions.

Proof. It is analogous to that of Theorem 3. □

4 Conclusions

We have proposed an extended step semantics for timed statecharts which has been shown to improve (with respect to the classical one) the flexibility of the specification language and to be suitable for investigating structural transformations. A version in denotational style of the proposed semantics can be found in [13]. In that case, the chosen semantical domain, namely Timed Configuration Systems (see [10]), allows one to exploit the large number of equivalences studied in this domain for defining a wide range of different behaviour preservation notions.

In such a mathematical framework the original semantics of statecharts and the one proposed here can also be formally compared with respect to the different sets of behaviour-preserving structural transformations they support.

References

1. Berry, G., Cosserat, L.: The Synchronous Programming Language Esterel and its Mathematical Semantics. Lecture Notes in Computer Science 197, Springer, Berlin, 1985, pp. 389–449.
2. Drusinsky, D., Harel, D.: Using Statecharts for Hardware Description and Synthesis. IEEE Transactions on Computer-Aided Design 8 (1989), pp. 798–807.
3. Ghezzi, C., Mandrioli, D., Morasca, S., Pezzè, M.: A Unified High Level Petri Net Formalism for Time Critical Systems. IEEE Transactions on Software Engineering 17 (1991), pp. 160–172.
4. Harel, D.: Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming 8 (1987), pp. 231–274.
5. Harel, D., Lachover, H., Naamad, A., Pnueli, A., Politi, M., Sherman, R., Shtull-Trauring, A., Trakhtenbrot, M.: Statemate: A Working Environment for the Development of Complex Reactive Systems. IEEE Transactions on Software Engineering 16 (1990), pp. 403–414.
6. Harel, D., Pnueli, A., Schmidt, J. P., Sherman, R.: On the Formal Semantics of Statecharts. Proc. 2nd IEEE Symposium on Logic in Computer Science, IEEE CS Press, New York, 1987, pp. 54–64.
7. Huizing, C., Gerth, R.: Semantics of Reactive Systems in Abstract Time. Lecture Notes in Computer Science 600, Springer, Berlin, 1992, pp. 291–314.
8. Huizing, C., Gerth, R., de Roever, W. P.: Modelling Statechart Behaviour in a Fully Abstract Way. Lecture Notes in Computer Science 299, Springer, Berlin, 1988, pp. 271–294.
9. Kesten, Y., Pnueli, A.: Timed and Hybrid Statecharts and their Textual Representation. Lecture Notes in Computer Science 571, Springer, Berlin, 1992, pp. 591–620.
10. Maggiolo-Schettini, A., Winkowski, J.: Towards an Algebra for Timed Behaviours. Theoretical Computer Science 103 (1992), pp. 335–363.
11. Maggiolo-Schettini, A., Peron, A.: Semantics for Statecharts Based on Graph Rewriting. In: Prinetto, P., Camurati, P. (Eds.), Correct Hardware Design Methodologies, North-Holland, Amsterdam, 1992, pp. 91–114.
12. Maraninchi, F.: Argonaute: Graphical Description, Semantics and Verification of Reactive Systems by Using a Process Algebra. Lecture Notes in Computer Science 408, Springer, Berlin, 1990, pp. 38–53.
13. Peron, A.: Synchronous and Asynchronous Models for Statecharts. PhD Thesis, TD 21/93, Dipartimento di Informatica, Università di Pisa, 1993.
14. Pnueli, A., Shalev, M.: What is in a Step: On the Semantics of Statecharts. Lecture Notes in Computer Science 525, Springer, Berlin, 1991, pp. 244–464.
