Lecture 12: Core State Machines II

Software Design, Modelling and Analysis in UML Lecture 12: Core State Machines II 2015-12-15 12 2015-12-15 main Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany

Contents & Goals Last Lecture: Basic causality model Ether/event pool System configuration This Lecture: Educational Objectives: Capabilities for following tasks/questions. What does this State Machine mean? What happens if I inject this event? Can you please model the following behaviour. What is: Signal, Event, Ether, Transformer, Step, RTC. 12 2015-12-15 Sprelim Content: System configuration cont d Transformers Step, Run-to-Completion Step 2/47

System Configuration 3/47 12 2015-12-15 main

System Configuration Definition. Let S 0 = (T 0, C 0,V 0,atr 0, E)beasignaturewithsignals, D 0 astructure of S 0, (Eth,ready,,,[ ]) an ether over S 0 and D 0. Furthermore assume there is one core state machine M C per class C C. A system configuration over S 0, D 0, and Eth is a pair where S = (T 0 {S MC C C 0 }, C 0, (σ,ε) Σ D S Eth V 0 { stable : Bool,,true, } { st C : S MC,+,s 0, C C} { params E : E 0,1,+,, E E 0 }, 12 2015-12-15 Sstmscnf {C atr 0 (C) {stable,st C } {params E E E 0 } C C}, E 0 ) D = D 0 {S MC S(M C ) C C}, and σ(u)(r) D(E 0 ) = for each u dom(σ) and r V 0. 4/47

System Configuration: Example C x : Int S 0 = (T 0, C 0,V 0,atr 0, E), D 0 ; S = (T 0 {S MC C C}, C 0, (σ,ε) Σ D S Eth where c 0..1 signal E b : Bool V 0 { stable : Bool,,true, } { st C : S MC,+,s 0, C C} { params E : E 0,1,+,, E E 0 }, {C atr 0 (C) {stable,st C } {params E E E 0 } C C}, E 0 ) D = D 0 {S MC S(M C ) C C}, and σ(u)(r) D(E 0 ) = for each u dom(σ) and r V 0. signal F a : Int 12 2015-12-15 Sstmscnf SM C : s 1 s 2 s 3 5/47

System Configuration Step-by-Step We start with some signature with signals S 0 = (T 0, C 0,V 0,atr 0, E). A system configuration is a pair (σ,ε) which comprises a system state σ wrt. S (not wrt. S 0 ). Such a system state σ wrt. S provides, for each object u dom(σ), values for the explicit attributes in V 0, values for a number of implicit attributes, namely a stability flag, i.e. σ(u)(stable) is a boolean value, a current (state machine) state, i.e. σ(u)(st) denotes one of the states of core state machine M C, 12 2015-12-15 Sstmscnf a temporary association to access event parameters for each class, i.e. σ(u)(params E ) is defined for each E E. For convenience require: there is no link to an event except for params E. 6/47

Stability Definition. Let (σ,ε) be a system configuration over some S 0, D 0, Eth. We call an object u dom(σ) D(C 0 ) stable in σ if and only if σ(u)(stable) = true. 12 2015-12-15 Sstmscnf 7/47

Where are we? SM C : C x : Int E[n ]/x := x+1;n!f s 1 s 2 F/x := 0 s 3 p 0..1 /n := n 0..1 D F/ s 1 s 2 /p!f signal E signal F :SM D (σ 1,ε 1 ) ({E},{F}) u 1 (σ 2,ε 2 ) (, ) u 1 (σ 3,ε 3 ) ({F}, ) u 2 (σ 4,ε 4 ) 12 2015-12-15 Sstmscnf u 1 : C x = 27 st = s 1 stb = 1 p n u 2 : D st = s 1 stb = 1 u 3 : E to u 1 u 1 : C x = 28 st = s 2 stb = 0 p n u 2 : D st = s 1 stb = 1 u 4 : F to u 2 u 1 : C x = 28 st = s 3 stb = 0 p u 2 : D st = s 1 stb = 1 u 4 : F to u 2 u 1 : C x = 28 st = s 3 stb = 0 p u 2 : D st = s 2 stb = 0 8/47

Transformer 9/47 12 2015-12-15 main

Recall The (simplified) syntax of transition annotations: annot ::= [ event [ [ guard ] ] [ / action ] ] Clear: event is from E of the corresponding signature. But: What are guard and action? UML can be viewed as being parameterized in expression language (providing guard ) and action language (providing action ). Examples: Expression Language: OCL Java, C++,...expressions... 12 2015-12-15 Strafo Action Language: UML Action Semantics, Executable UML Java, C++,...statements (plus some event send action)... 10/47

Needed: Semantics In the following, we assume that we re given an expression language Expr for guards, and an action language Act for actions, and that we re given a semantics for boolean expressions in form of a partial function I (, ) : Expr Σ D S D(C) B which evaluates expressions in a given system configuration, 12 2015-12-15 Strafo Assuming I to be partial is a way to treat undefined during runtime. If I is not defined (for instance because of dangling-reference navigation or division-by-zero), we want to go to a designated error system configuration. a transformer for each action: for each act Act, we assume to have t act D(C) (Σ D S Eth) (Σ D S Eth) 11/47

Transformer Definition. Let Σ D S the set of system configurations over some S 0, D 0, Eth. We call a relation t D(C) (Σ D S Eth) (Σ D S Eth) a (system configuration) transformer. Example: t[u x ](σ,ε) Σ D S Eth is the set (!) of the system configurations 12 2015-12-15 Strafo which may result from object u x executing transformer t. t skip [u x ](σ,ε) = {(σ,ε)} t create [u x ](σ,ε) : add a previously non-alive object to σ 12/47

Observations In the following, we assume that each application of a transformer t to some system configuration (σ,ε) for object u x is associated with a set of observations Obs t [u x ](σ,ε) 2 (D(E) {,+}) D(C). An observation (u e,u dst ) Obs t [u x ](σ,ε) 12 2015-12-15 Strafo represents the information that, as a side effect of object u x executing t in system configuration (σ,ε), the event u e has been sent to u dst. Special cases: creation ( ) / destruction ( + ). 13/47

A Simple Action Language In the following we use Act S = {skip} {update(expr 1,v,expr 2 ) expr 1,expr 2 Expr S,v atr} {send(e(expr 1,...,expr n ),expr dst ) expr i,expr dst Expr S,E E} {create(c,expr,v) C C,expr Expr S,v V} {destroy(expr) expr Expr S } and OCL expressions over S (with partial interpretation) as Expr S. 12 2015-12-15 Sactlang 14/47

Transformer Examples: Presentation 12 2015-12-15 Sactlang abstract syntax concrete syntax op intuitive semantics... well-typedness... semantics ((σ,ε),(σ,ε )) t op [u x ] iff... or t op [u x ](σ,ε) = {(σ,ε ) where...} observables Obs op [u x ] = {...} (error) conditions Not defined if... 15/47

Transformer: Skip abstract syntax skip intuitive semantics well-typedness semantics observables (error) conditions do nothing./. t skip [u x ](σ,ε) = {(σ,ε)} Obs skip [u x ](σ,ε) = concrete syntax 12 2015-12-15 Sactlang 16/47

Transformer: Update abstract syntax concrete syntax update(expr 1,v,expr 2 ) intuitive semantics Update attribute v in the object denoted by expr 1 to the value denoted by expr 2. well-typedness expr 1 : T C and v : T atr(c); expr 2 : T; expr 1,expr 2 obey visibility and navigability semantics t update(expr1,v,expr 2 )[u x ](σ,ε) = {(σ,ε)} where σ = σ[u σ(u)[v I expr 2 (σ,u x )]] with 12 2015-12-15 Sactlang u = I expr 1 (σ,u x ). observables Obs update(expr1,v,expr 2 )[u x ] = (error) conditions Not defined if I expr 1 (σ,u x ) or I expr 2 (σ,u x ) not defined. 17/47

Update Transformer Example SM C : /x := x+1 s 1 s 2 t update(expr1,v,expr 2 )[u x ](σ,ε) = (σ = σ[u σ(u)[v I expr 2 (σ,u x )]],ε), u = I expr 1 (σ,u x ) σ: u 1 : C x = 4 y = 0 u 1 : C x = 5 y = 0 :σ 12 2015-12-15 Sactlang ε: :ε 18/47

Transformer: Send 12 2015-12-15 Sactlang abstract syntax concrete syntax send(e(expr 1,...,expr n ),expr dst ) intuitive semantics Object u x : C sends event E to object expr dst, i.e. create a fresh signal instance, fill in its attributes, and place it in the ether. well-typedness E E; atr(e) = {v 1 : T 1,...,v n : T n }; expr i : T i, 1 i n; expr dst : T D, C,D C \ E; all expressions obey visibility and navigability in C semantics (σ,ε ) t send(e(expr1,...,expr n ),expr dst )[u x ](σ,ε) if σ = σ {u {v i d i 1 i n}}; ε = ε (u dst,u); if u dst = I expr dst (σ,u x ) dom(σ); d i = I expr i (σ,u x ) for 1 i n; u D(E) a fresh identity, i.e. u dom(σ), and where (σ,ε ) = (σ,ε) if u dst dom(σ). observables Obs send [u x ] = {(u e,u dst )} (error) conditions I expr (σ,u x ) not defined for any expr {expr dst,expr 1,...,expr n } 19/47

Send Transformer Example SM C : /n!f(x+1) s 1 s 2 t send(exprsrc,e(expr 1,...,expr n ),expr dst )[u x ](σ,ε) (σ,ε ) iff ε = ε (u dst,u); σ = σ {u {v i d i 1 i n}}; u dst = I expr dst (σ,u x ) dom(σ); d i = I expr i (σ,u x ), 1 i n; u D(E) a fresh identity; σ: u 1 : C x = 5 :σ 12 2015-12-15 Sactlang ε: :ε 20/47

Sequential Composition of Transformers Sequential composition t 1 t 2 of transformers t 1 and t 2 is canonically defined as with observation (t 2 t 1 )[u x ](σ,ε) = t 2 [u x ](t 1 [u x ](σ,ε)) Obs (t2 t 1 )[u x ](σ,ε) = Obs t1 [u x ](σ,ε) Obs t2 [u x ](t 1 (σ,ε)). Clear: not defined if one the two intermediate micro steps is not defined. 12 2015-12-15 Sactlang 21/47

Transformers And Denotational Semantics Observation: our transformers are in principle the denotational semantics of the actions/action sequences. The trivial case, to be precise. Note: with the previous examples, we can capture empty statements, skips, assignments, conditionals (by normalisation and auxiliary variables), create/destroy (later), but not possibly diverging loops. 12 2015-12-15 Sactlang Our (Simple) Approach: if the action language is, e.g. Java, then (syntactically) forbid loops and calls of recursive functions. Other Approach: use full blown denotational semantics. No show-stopper, because loops in the action annotation can be converted into transition cycles in the state machine. 22/47

References 46/47 12 2015-12-15 main

References Harel, D. and Gery, E. (1997). Executable object modeling with statecharts. IEEE Computer, 30(7):31 42. OMG (2011a). Unified modeling language: Infrastructure, version 2.4.1. Technical Report formal/2011-08-05. OMG (2011b). Unified modeling language: Superstructure, version 2.4.1. Technical Report formal/2011-08-06. 12 2015-12-15 main 47/47