Fig. 1. ? Research partially supported by Esprit BRA 8130 LOMAPS. ..... Tng,. T = T1;:::;Tn is a step for z in con guration C0, and Cn is the con guration reached ...
Projectable semantics for Statecharts? Andrea Maggiolo-Schettini and Simone Tini Dipartimento di Informatica, Universit�a di Pisa, Corso Italia 40, 56125 Pisa, Italy.
Abstract. Statecharts is a language for the speci cation of reactive systems. Semantics of Statecharts enforcing causality and synchronous hypothesis cannot be modular, and therefore do not allow general bottomup construction of speci cation and reuse of components. In this paper we propose both a global-consistent and a non global-consistent semantics which, in contrast to the known ones, are projectable, in the sense that the behaviour of a system projects into behaviours of subsystems as they result from considering each subsystem in isolation.
1 Introduction Statecharts belongs, together with Esterel ([2]), Lustre ([3]) and Signal ([4]), to the family of Synchronous Languages and is widely used in industry in the development of reactive systems ([7]), i. e. systems that have to continuously react to stimuli from the environment. Statecharts is supported by tools which provide simulation facilities and compilers to traditional languages and VHDL. The rst to be developed has been STATEMATE ([5]). Statecharts are state-transitions diagrams enriched by hierarchical structuring of states, explicit representation of parallelism and broadcast communication of signals.
@R 1 t1
3
a=b
?
2
@R 4 t2
6
a=b
?
5
7
10 11
@R 8 t3
b=a
?
9 z1
Fig.1. ?
Research partially supported by Esprit BRA 8130 LOMAPS.
Fig.1, which shows an example statechart, demonstrates the main features of Statecharts. The graphical convention is that states are represented by boxes, and the box of a substate of another state is drawn inside the area of the box of that state. States are either of type AND, called and-states, or of type OR, called or-states. An or-state has a privileged immediate substate (default state). The area of an and-state is partitioned by dashed lines. Each element of the partition represents a parallel component. The default state of an or-state is pointed to by an arrow without source (dangling arrow). Statechart z1 of Fig. 1 consists of an and-state, state 11, which has states 7 and 10 as components. State 7 is an andstate having states 3 and 6 as components. State 3, 6 and 10 are or-states, each having as substates two basic states (states without substates) and respectively states 1, 4 and 8 as default state. Each transition, represented by an arrow, has a source state and a target state, and is labelled by a set of positive and negative signals triggering the performance of the transition (the trigger) and a set of signals which are communicated when the transition is performed (the action). The interpretation is that a transition can be performed ( re) if all positive signals appearing in the trigger are in the environment, and all negative signals in the trigger are not present. As an example, transition t1 can re only if signal a is not in the environment. In this case signal b is produced and, according to the broadcast paradigm, is sent to the environment and can be sensed by all components of the statechart. A wide spectrum of semantics for Statecharts have been de ned (for a survey see [1]) which enforce causality and synchronous hypothesis ([2]). Causality means that for each signal produced by the statechart there exists a causal justi cation starting from signals produced by the environment. Synchronous hypothesis means that a statechart is faster than the environment, and so it can be supposed that a reaction happens in no time. Now, when using a speci cation formalism, modularity is useful for the bottom-up speci cation of systems. In order to have a modular formalism it is necessary that the interface between two components of a system has the same nature of the interface between the complete system and the environment, so that we cannot distinguish between systems and subsystems. This is not the case for Statecharts: a component of a statechart can be viewed by other components as a reactive environment, while the environment of the complete statechart is not reactive. In [10] it is proved that a semantics cannot enforce causality, synchronous hypothesis and modularity, so we are interested in properties weaker than modularity. We call projectable a semantics such that a reaction of a complete system can be projected into reactions of its subsystems, i. e. each subsystem performs one of its possible reactions to the environment. So projectability ensures that a statechart has the same behaviour either if viewed as a complete system or if viewed as a component of whatsoever system. This fact implies that a statechart, in each context, cannot reach any internal state that is not reachable in the original speci cation, and that can be viewed as an inconsistence state. Let us return to the statechart of Fig. 1. State 11 is obtained by composing two components: state 7 and state 10. State 7 represents a system that is able
to recognize the missed production of a signal a by the environment. If a is not produced transitions t1 and t2 re, so an allarm message is produced (represented by signal b), and states 2 and 5 are entered. We imagine that states 2 and 5 represent two procedures which run in parallel and must be activated because of the allarm. Now, component 10 plays the following role: when the allarm message is sensed, transition t3 res and signal a is produced, in order to send it to someone that expects it. Following the semantics of [9], which is usually assumed in the so called non-global consistent approach, when state 7 and 10 are composed in parallel to form state 11, the behaviour of state 7, explained above, is not respected, as it is possible that only transition t1 res, b is sent to the environment and transition t3 res. So signal a is in the environment and therefore t2 cannot re anymore. This means that one of the two procedures is not activated. In order to avoid this it is necessary to have a projectable semantics which ensures that if transition t1 res then also transition t2 res, in agreement with the original speci cation of state 7. One has an analogous problem with a global consistent semantics, such as those of [14] and [13], as we shall see. Moreover, only with a projectable semantics, if we de ne an equivalence relation between statecharts such that exactly all components having the same behaviour are in the same equivalence class, we are sure that the equivalence is preserved by composition. So projectability is useful for bottom-up construction of systems, reuse of prede ned components and substitution of equivalent components. As all semantics referred to in [1] do not enforce projectability, our aim is to de ne projectable semantics. The paper is organized as follows. In section 2 we give an introduction to the language Statecharts, in section 3 we deal with non global-consistent semantics and in section 4 with global-consistent semantics. Finally, in section 5 we discuss other approaches.
2 Statecharts We give now the formal de nition of Statecharts. De nition1. A statechart Z is a tuple
hBz ; �z ; �z ; �z ; Tz ; inz ; outz ; Pz ; �z i; where : 1. 2.
Bz is the non-empty, nite set of states. �z : Bz ! 2Bz is the hierarchy function; for s 2 Bz , ��z (s) denotes the least S � Bz such that s 2 S and �z (s0 ) � S for all s0 2 S, and �+z (s) denotes ��z (s) ? fsg; �z describes a tree-like structure, namely: (a) There exists a unique b 2 Bz , denoted rootz , s. t. ��z (b) = Bz . (b) b 62 �+z (b), for b 2 Bz . (c) If ��z (b) \ ��z (b0) 6= ;, then either b0 2 ��z (b) or b 2 ��z (b0 ), for b; b0 2 Bz . A state b is basic i� �z (b) = ;.
3. �z : Bz ! fAND; ORg is the (partial) state type function de ned only for all non-basic states. 4. �z : Bz ! Bz is the (partial) default function de ned only for or-states, so that b0 = �z (b) implies that b0 2 �z (b). 5. Tz is the nite set of transitions. 6. inz ; outz : Tz ! Bz ? frootz g are the target and the source functions. It is required that for each t 2 Tz there exists a state b 2 Bz such that �z (b) = OR and inz (t); outz (t) 2 �z (b). 7. Pz is the nite set of signals. For each a 2 Pz , a denotes the absence of a. For each Y � Pz , Y is the set faja 2 Y g, and for each a 2 Pz , a = a. 8. �z : Tz ! 2Pz [Pz � 2Pz is the labelling function; the rst component of �z (t) is denoted by trigger(t) and is the trigger of t, the second component of �z (t) is denoted by action(t) and is the action of t. Given states b1 ; b2 of a statechart z, lcaz (b1; b2) denotes the state b such that b1 ; b2 2 ��z (b), and for each b0 6= b ful lling the same requirement, b 2 �+z (b0 ). For a transition t, lcaz (t) denotes the state lcaz (inz (t); outz (t)). We do not consider transitions that cross borders of states, i. e. the source and the target state of a transition are both immediate substates (in the tree-like structure) of the same or-state. This limiting assumption seems to be natural if one wants bottom-up speci cation. In each instant a statechart is in a con guration, where a con guration is a maximal set of states ful lling the requirements that if an and-state is in the con guration, then all its substates are in it, and if an or-state is in the con guration, then exactly one of its substates is in it. The default con guration is the con guration such that for each or-state in it, its default-state is also in the con guration. The environment prompts the statechart with signals which are related to a discrete time domain. The statechart is supposed to evolve from the default con guration by reacting to the set of signals communicated by the environment at the rst instant of time or in the absence of certain signals in the environment (this is represented by negative signals). Reacting means performing a set of transitions called a step. Given a set of signals a transition is triggered if its positive triggering signals belong to the set and the negative ones do not. Two transitions are consistent if they belong to parallel components, are compatible if in the action of one of the transitions there is no signal appearing negative in the trigger of the other. A transition is relevant in a con guration if its source state is in the con guration. When performed, a transition communicates instantaneously signals, which can (instantaneously) trigger new transitions (an instantaneous chain reaction). So the set of transitions in a step are triggered either by signals communicated by the environment or by signals communicated by the actions of transitions in the same step, provided that the trigger of each transition can be causally justi ed starting from signals communicated by the environment. Finiteness of the reaction is ensured by requiring that any two transitions in a step are consistent. The execution of a step causes a new con-
guration to be reached, from which a new chain reaction can start at a next instant, triggered by a new set of signals. We de ne maximal a semantics according to which during a reaction all triggered transitions re. Let us consider the statechart of Fig. 1. Causality and synchronous hypothesis imply that if the environment supplies the empty set of signals, transition t1 is triggered and causes also transition t3 to re, so signal a is produced. There are semantics that do not permit to have, in the same instant, the absence of signal a (which triggers t1 ), and signal a (produced by t3 ). Such semantics ([13], [14]) are global-consistent semantics and are not maximal. Another approach is followed in non global-consistent semantics ([9]), where transitions t1 and t3 can re in the same instant. The interpretation is that the presence of a is successive to the absence of a, but the time elapsed during this change is negligible respect the time that occurs to the environment to change. Finally, we de ne formally what means that a semantics is projectable. De nition2. A semantics is projectable i� given a statechart z, a state b 2 Bz and a set of transitions T � Tz , if T is a step for z and T b = ft 2 T j lcaz (t) 2 ��z (b)g then T b is as step of the statechart having b as root-state.
3 Non global-consistent semantics The idea of the semantics de ned in [9] is that a step is a sequence of microsteps. When the environment supplies the statechart with a set of signals, a set of triggered, consistent and relevant transitions form a microstep. So, a new con guration is entered and a new set of signals are in the environment as signals produced by transitions of the microstep are added to the signals of the environment. Now we have a new microstep formed by a set of relevant and triggered transitions that are pairwise consistent and consistent with transitions of the microsteps executed before. A step is a maximal sequence of microsteps. To see that the semantics in [9] is not projectable, let us consider statechart z1 of Fig.1 in its default con guration. If the environment supplies the empty set of signals, an admissible microstep is t1 . The ring of t1 produces signal b that triggers t3 , that forms the next microstep (another admissible choice is that the second microstep is formed by transition t2 ). Now, transition t2 is not triggered anymore, because signal a is in the environment. But there does not exist any environment � for which the statechart having state 7 as root-state can perform step ft1g. In fact it is impossible that the environment does not supply signal a at the beginning of a reactions and, during the same reaction, produces it. So such subsystem enters a con guration that does not belong to its con gurations as an isolated system. We have the following proposition: Proposition3. The semantics of [9] is not projectable.
We have a stronger result which regards all non global-consistent semantics.
Proposition4. There does not exists any non global-consistent semantics that is projectable and maximal.
Proof. Let us consider statechart z2 in Fig. 2 in its default con guration, and assume that the environment supplies the empty set of signals. It is immediate to see that if we have a maximal semantics, transitions t1 , t4 and t2 must re. In fact t1 is initially triggered and, when res, produces signal b which triggers t4 . Signals c and a are now in the environment, so t2 must be performed and t3 is not triggered. If we consider the statechart having state 11 as root-state, we see that there does not exist any environment � such that ft1 g and ft2g form a step, because the execution of t1 and t2 implies that t3 is triggered and must re. 2
@R 4
@R 1 t1
a=b
?
2
t2
6
7
c=
@R 8 t3
?
5
10 11
ac=
?
9
14 15
@R 12 t4
b=ac
?
13
z2
Fig. 2. We introduce now some technical notations. Given a state b 2 Bz , def(b) and config(b) denote, respectively, the default con guration and the set of all the con gurations of b (i. e. of the statechart having b as root-state), trans(b) is the set ft j t 2 Tz ^ lcaz (t) 2 ��z (b)g of the transitions of b. We give now our projectable semantics. De nition5. For a statechart z in a con guration C, S a sequence of red sets
of transitions T = T1 ; : : :; Tk and a set of signals � � t2T action(t), a set T 0 is a microstep i�: 1. for each t 2 T 0, t is triggered by �; 2. for each t; t0 2 T [ T 0 , t and t0 are consistent; 3. for each state b 2 C, it holds that if trans(b) \ (T [ T 0) 6= ; then there does not exist any transition t such that: (a) t 62 T [ T 0 ; S (b) tSis triggered by the set of signals Pz \( t2T \trans(b)(trigger(t)[action(t)) [ t2T \trans(b) trigger(t)); 0
(c) 9a 2 Pz j a 2 trigger(t) ^ 9t0 2 T \ trans(b): a 2 trigger(t0 ) ^ 9t00 2 (T [ T 0 ) ? trans(b): a 2 action(t00 ); 4. for each state b 2 C, it holds that if t 2 T \ trans(b), t0 2 T 0 \ trans(b), a 2 Pz \ trigger(t0 ), a 2 trigger(t), then there exists t00 2 T \ trans(b) with a 2 action(t00). Con guration C 0 = C ?f��z (outz (t)) j t 2 T 0g[ def(inz (t)) is reached from C by means of T 0 . The idea of Def. 5 is that components put in parallel with a state b must be prevented from creating a reactive environment that cannot be simulated by a non reactive one. Both conditions 3 and 4 ensure that a signal a created by a transition in T 0 is not assumed to be absent in the environment because in this case no (non reactive) environment can produce it during the reaction. Condition 3 ensures that given transitions t; t0 2 trans(b), a 2 Pz S both having in their trigger, and triggered by the set of signals ( (trigger(t) [ t2T \trans(b) S action(t)) [ t2T \trans(b) trigger(t)) \ Pz , with t 62 T [ T 0 and t0 2 T [ T 0 , then there does not exist any transition t00 62 trans(b) with t00 2 T [ T 0 and a 2 action(t00), otherwise the production of a prevents t from ring. Condition 4 ensures that given transitions t; t0 2 trans(b) with t 2 T and t0 2 T 0 and a signal a 2 Pz with a 2 trigger(t0 ) and a 2 trigger(t), then signal a is produced by another transition of b. De nition6. Given con gurations C0; C1; : : :; Cn, a set of signals �, a set of transitions T1 ; : : :; Tn such that: 1. T1 is a microstep for z in con guration C0, set of transitions ;, set of signals �; 2. Ti+1 is a microstep for z in con guration Ci, sets of transitions T1 ; : : :; Ti, set of signals � [ factions(t)jt 2 T1 [ : : : [ Ti g, 1 � i � n ? 1; 3. Ci+1 is reached from Ci by means of Ti+1 , 0 � i � n ? 1; 4. there does not exist any microstep T 6= ; for z in con guration Cn , set of transitions T1 ; : : :; Tn, set of signals � [ factions(t)jt 2 T1 [ : : : [ Tng, T = T1 ; : : :; Tn is a step for z in con guration C0 , and Cn is the con guration reached from C0 by means of T. As an example, let us consider statechart z2 in Fig. 2 in its initial con guration. If the environment prompts the empty set of signals, the rst admissible microstep is ft1g, the next is ft4g. Now ft1g; ft4g is a step, insofar as, after microsteps ft1g and ft4g, only transition t2 is triggered, but all positive signals appearing in the trigger and in the action of t1 and in the trigger of t2 , trigger t3 which is not triggered due to the presence of signal a produced by t4 , so t2 is not an admissible microstep. 0
Proposition7. The semantics of de nitions 5 and 6 is projectable.
Proof. Let us suppose that T = T1 ; : : :; Tn is a step from con guration S C of statechart z, where b 2 C. Now let us consider the set of signals � = t2T \trans(b)fa 2
(trigger(t) [ action(t)) \ Pz j 6 9 t0 2 T \ trans(b): a 2 trigger(t0 )g. For such environment state b viewed as a complete statechart can execute the sequence of microsteps trans(b)\T1 ; : : :; trans(b)\Tn . (Conditions 3 and 4 are trivially satis ed.) Now, if such sequence is not maximal, there exists a transition t 2 trans(b), t 62 T, which is triggered by � [ fa j 9t0 2 T \ trans(b): a 2 action(t)g. So there must be a 2 trigger(t) \ Pz such that a 2 action(t0 ) for some t0 2 T ? trans(b). Now there can be two cases: 1. 6 9t00 2 T \ trans(b) with a 2 trigger(t00 ). In this case we put � = � [ a and reiterate the reasoning. 2. 9t00 2 T [ trans(b) with a 2 trigger(t). In this case condition 3 is not satis ed for T. 2
@R 1 t3
3
b=a
?
2
@R 4 t1
6
a=b
?
5
7
10 11
@R 8 t2
a=b
?
9 z3
Fig. 3. If we consider statechart z1 of Fig. 1, from the default con guration and the empty set of signals, all possible chains of admissible microsteps form the step consisting of transitions t1 ; t2 and t3. If we consider statechart z3 of Fig. 3, a step that can be performed from the default con guration for the empty set of signals is T = ft1g; ft3g. Now, with the ordinary semantics statecharts z1 and z3 are equivalent to statechart z4 in Fig. 4, which is not the case with our semantics. This shows that with our semantics the and composition is not associative. An and-state that is a descendant of another and-state can be interpreted as as speci cation of a component having a behaviour which is already de ned and cannot be modi ed when the component runs in parallel with other components.
4 Global-consistent semantics In global-consistent semantics the step is computed as a xpoint of a recursive equation.
@R 1
@R 4
3
? 2
6
? 5
t1 a=b
t2 a=b
@R 7
9
10
?
t3 b=a
8
z4
Fig.4. Following the semantics of [13] a step is a maximal set of transitions which are relevant, consistent, compatible and triggered, and does not contain any subset ful lling the same requirement.
@R 1 t1
3
a=b
?
2
@R 4 t2
6
b=c
?
5
7
10 11
@R 8 t3
c=a
?
9 z5
Fig.5. Now, consider statechart z5 of Fig. 5 in the default con guration f1; 3; 4; 6;7; 8; 10; 11g. If the environment supplies the empty set of signals, the only step that can be performed is step T = ft1 ; t3g. We note that there does not exist any environment � for which the statechart having state 7 as root-state can execute step ft1 g. In fact the execution of t1 and the maximality of the step cause also t2 to be executed. As a consequence, the con guration containing states 2 and 4 is entered, and this con guration may be viewed as an inconsistent con guration, i. e. a con guration which is not reachable according to the initial speci cation of state 7. From the example above the proposition below follows. Proposition8. The semantics of [13] is not projectable.
Let us consider now the semantics de ned in [14]. According to this semantics, a step is a maximal set of transitions which are relevant consistent and triggered, and does not contain any subset ful lling the same conditions. It is not required that the transitions of a step are compatible. This leads to the possibility of failures. Consider the statechart of Fig. 5 in its default con guration. If the environment produces the empty set of signals, there is no admissible step, so the statechart fails. But either the subsystem having state 7 as root-state and the subsystem having state 10 as root-state cannot have failures. It follows that failure behaviours may appear when subsystems are composed in parallel. From the example above we have the following proposition: Proposition9. The semantics of [14] is not projectable.
Our aim is to de ne a global-consistent semantics such that a step of a statechart is always composed by the union of steps of its parallel components, so that each component can never reach a con guration that is not reachable if the component is put in a non reactive environment. The idea is that of inductively de ning a notion of semantics of a state, so the semantics of a statechart z coincides with the semantics of its root-state rootz . When two or more states are composed in parallel, a step of the state obtained is forced to be a union of steps of such states. We de ne the function Enabled : 2Bz � 2Pz � 2Tz ?! 2Tz such that: Enabled(C; �; T) = Consistent(T)\Compatible(T)\Relevant(C)\Triggered(� [ factions(t)jt 2 T g), where: { For a set of transitions T the set Consistent(T) contains every transition t0 such that for each transition t 2 T, t and t0 are consistent (�z (lcaz (lcaz (t); lcaz (t0 ))) = AND) or t = t0 . { For a set of transitions T, the set Compatible(T) contains every transition t0 such that for each transition t 2 T, t and t0 are compatible. { For a con guration C, Relevant(C) is the set of transitions relevant in C. { For a set of signal �, Triggered(�) contains the set of transitions triggered by �. A set of transitions T is inseparable if for each set of transitions T 0 � T, it holds Enabled(C; �; T 0) \ (T ? T 0 ) 6= ;. In [14] it is proved that for a set of transitions T such that T = Enabled(C; �; T), there exists a causal justi cation of all signals appearing in the trigger of the transitions in T starting from � only if T is inseparable. We de ne now the semantics of a state. De nition10. Given a statechart z and a state b 2 Bz , the semantics of b is de ned as follows: 1. If b is a basic state, then fbg is the only con guration of b, and b has no step which can be performed from fbg. 2. If b is an or-state, let us name by b1 ; : : :; bn its direct substates. The default con guration is fbg [ C1, where C1 is the default con guration of b1 . Each
con guration C of b is in the form C = fbg [ Ci, where Ci is a con guration of bi , 1 � i � n. If the environment supplies the set of signals �, one of the following cases hold: (a) There exists a step T from Ci to Ci0 in bi for input �. It follows that T is a step from fbg [ Ci to fbg [ Ci0. (b) There exists a transition t with lcaz (t) = b, t triggered by � and t relevant in fbg [ Ci. Then ftg is a step from C to C ? ��z (outz (t)) [ def(inz (t)). 3. If b is an and-state, let us name by b1; : : :; bn its direct substates. The default con guration is fbg [ C1 [ : : : [ Cn, where Ci is the default con guration of bi , 1 � i � n. Each con guration C of b is in the form C = fbg[ C1 [ : : : [ Cn, where Ci is a con guration of bi , 1 � i � n. In this case a set of transitions T is a step from C for a set of signals � i�: (a) T � Enabled(T). (b) T is inseparable. (c) T � T 0 ^ T 0 � Enabled(T 0) ^ T 0 inseparable =) 91 � i � n; T 00 = T 0 \ trans(bi ) j T 00 is not a step for bi from Ci for any set of signals. Condition 3(c) ensures that a step of a state is always the union of steps of its substates. As an example, if we consider statechart z5 of Fig. 5, the step which can be performed from the initial con guration for the empty set of signals is T = ft3 g. The missed execution of transition t1 prevents the subsystem having state 7 as root-state from entering the con guration f2; 3; 4; 6; 7g, which is not a reachable con guration of 7 viewed as a complete system. Proposition11. The semantics of Def. 10 is projectable.
Proof. Follows immediately from the de nition. 2 Now, starting form the step of a complete statechart, we characterize the steps that are performed by its components. Let us assume that b is a state of a statechart z. If z starting from a con guration C performs a step T, b 2 C, P1 = Pz \ fa j a 2 trigger(t) [ action(t); t 2 T g and P2 = Pz \ fa j a 2 trigger(t); t 2 T g, then each step T 0 strictly containing T \ trans(b), performed by b from con guration ��z (b) \ C to a con guration C 0 for input P1, implies the production of signals in P2. In fact from Def. 10 it follows that if there are transitions in trans(b) that are triggered by P1, relevant in C 0, consistent and compatible with T, but not included in T, then each step of b containing them and trans(b) \ T contains also transitions that are not compatible with T. So we can deduce that b performs a step triggered by P1 which is not strictly included in any step triggered by P1 that does not produce any signal in P2. Now we give the nondeterministic procedure Step ? Construction that, given a con guration and a set of signals, returns a step. Given a transition t, a con guration C and a state rootC such that C � ��z (rootC ), let U(t; C) denote the highest (in the hierarchy) and-state, if any, that has rootC as an ancestor and lcaz (t) as a substate. As an example for the statechart of Fig. 5 we have
U(t1 ; f1; 3; 4; 6;7;8;10;11g) = 7. Given a con guration C and a set of signals � the procedure Step, for a triggered transition t, to the current set T adds t if there is no U(t; C), a complete step in U(t; C) otherwise. The procedure Step calls the procedure Steps that, given a con guration of a state, a set of signals and a set of transitions of such state, returns the set of all steps that contain such transitions. Two sets of transitions, T and T 0, are compatible if for each t 2 T and t0 2 T 0 , t and t0 are compatible. Procedure Step ? Construction(in C : 2Bz ; � : 2Pz ; out T : 2Tz ); begin
T := ;; Tch := Enabled(C; �; T) ? T;
repeat choose t 2 Tch;
Tch := Tch ? ftg;
if 9U(t; C) then begin
C 0 := C \ ��z (U(t; C)); T 0 := T \ trans(U(t; C)); �0 := � [ (ftrigger(t) [ action(t) j t 2 T g \ Pz ); Steps(C 0 ; �0 ; T 0; T ); if 9 T 00 2 T compatible with T; T 0 � T 00 then
begin choose T 00 2 T compatible with T; T 0 � T 00;
T := T [ T 00 ; Tch := Enabled(C; �; T) ? T
end end else begin
T := T [ ftg; Tch := Enabled(C; �; T) ? T
until Tch = ; end.
end
Procedure Steps(in C : 2Bz ; � : 2Pz ; T : 2Tz ; out T : 22 z ); begin T
T := fT g;
for each t 2 Enabled(C; �; T) ? T do if 9U(t; C) then begin
C 0 := C \ ��z (U(t; C)); T 0 := T \ trans(U(t; C)); �0 := � [ (ftrigger(t) [ action(t) j t 2 T g \ Pz ); Steps(C 0 ; �0; T 0; T 0);
for each T 00 2 T 0 compatible with T; T 0 � T 00 do begin
Steps(C; �; T 00 [ T; T 00); T := T [ T 00
end else begin
end
Steps(C; �; T [ ftg; T 00); T := T [ T 00
end.
end
Now we prove that the procedure Step ? Construction computes, for a con guration and a set of signals, a step as in Def. 10. Moreover, we prove that the procedure computes all steps. Proposition12. The procedure Step ? Construction, for a con guration C and a set of signals �, returns a set of transitions T if and only if T is a step from C for � as in Def. 10. Proof. Let us suppose that T0 is computed by the procedure Step ? Construction for a con guration C and a set of signal �. We must prove that T0 is a step. First we note that if the procedure Steps, for a con guration C 0 , a set of signals �0 and a set of transitions T 0 , returns T , then T is the set of all steps containing T 0 that can be performed from C 0 for �0 . In fact T coincides initially with the set fT 0 g, and for each t 2 Enabled(C 0; �0; T 0)? T 0, t is added to T 0 if there does not exist U(t; C 0), otherwise every step of U(t; C 0) compatible with T 0 and caused by �0 [ (ftrigger(t) [ action(t) j t 2 T 0g \ Pz ) is added to T 0. Now the procedure is called for the new set T 0 and the transitions obtained as a result are added to T . As regards the procedure Step ? Construction, if set T has been computed in a step of the procedure, in the next step three cases may hold: { For a transition t 2 Enabled(C; �; T) ? T, U(t; C) does not exist. Then t is added to T. { For a transition t 2 Enabled(C; �; T) ? T, U(t; C) exists. Then all steps of U(t; C) triggered by � [ (ftrigger(t) [ action(t) j t 2 T g \ Pz ) are computed by the procedure Steps, and the transitions of one of them strictly containing T \ trans(U(t; C)) and which is compatible with T are added to T. { Either Enabled(C; �; T) ? T = ; or for all t 2 Enabled(C; �; T) ? T there exists a state U(t; C) but there exists no step of U(t; C) compatible with T strictly containing T \ trans(U(t; C)). In this case the procedure returns T, which is a step from C for � according to Def. 10. Let us suppose now that T0 is a step from C for � and that T0 is not computable by the procedure Step ? Construction. Let us assume we execute the procedure
Step ? Construction for C and � with the following constraint: at each step, if T is the current solution, transitions which are taken from T0 are added to T whenever it is possible. It follows that the procedure computes a step T 0 such that T 0 � T0 or T0 � T 0, but, from de nition of a step, it follows that there do not exist two steps T1 and T2 with the former being a subset of the latter. 2 In the complete version of this paper we give also an operational semantics in terms of Labelled Transitions Systems (LTS). We follow the idea of [15] of constructing LTS's with states representing con gurations and transitions representing steps, with labels describing the environments that are compatible with taking the corresponding steps, so that the LTS's can be viewed as the semantics of the statecharts. Our construction is inductive, and we have composition of LTS's corresponding with composition of statechart states. (Note that if we consider non projectable semantics for statecharts, in order to obtain the same result we must de ne LTS's that carry more information such as transitions that are not associated with steps (see [13], [11])). A similar semantics provides a formal basis for verifying statecharts by using the classical techniques proposed for process algebras, such as equivalences, preorders and model checking. A tool for editing and simulating statecharts, which assumes our non-global consistent projectable semantics, is at an advanced state of developement.
5 Other approaches. In the previous sections we have examined semantics which are not modular. It is immediate to see that the problem of non-modularity appears only if there are signals that may be used both as input and as output signals. If we consider a synchronous language in which a signal must be used only as input signal or as output signal then it is easier to de ne modular speci cations. This is the case of Esterel (see [2]). Also Argos (see [12]) allows modular speci cations. In Argos an `external' signal cannot be both an input and an output signal, but for an `internal' signal there is not such restriction. The approaches of Esterel and Argos limit the composition of subsystems. We note that in our semantics nondeterminism may arise due to communication of signals between components. As an example, if statechart z1 in Fig.1 is supplied with signal b and not signal a, then there is a nondeterministic choice between ring t1 or t3 . Now, in Argos situations as above, where nondeterminism arises in the composition of subsystems, are rejected, and in Esterel nondeterminism is not permitted at all. An advantage due to rejecting of nondeterminism is that the computation of a reaction is less complex, but, on the other hand, the composition of prede ned components is limited. Finally, we note that the semantics implemented in STATEMATE and recently formalized in [6] is modular but does not enforce the synchronous hypothesis.
References 1. M. von der Beek: A Comparison of Statecharts Variants. Lecture Notes in Computer Science 863, pp 128-148, Springer, Berlin, 1994. 2. G. Berry and G. Gonthier: The ESTEREL Synchronous Programming Language: Design, Semantics, Implementation. Science of Computer Programming 19, pp. 87-152, 1992. 3. P. Caspi, N. Halbwachs, D. Pilaud and J. Plaice: LUSTRE, a Declarative Language for Programming Synchronous Systems. In 14th ACM Symposium on Principles of Programming Languages, pp. 178-188, ACM Press, New York, 1987. 4. P. Le Guernic, A. Benveniste, P. Bournai and T. Gonthier: Signal: a Data Flow Oriented Language for Signal Processing. Technical Report IRISA Report 246, Rennes, France, 1985. 5. D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. Sherman, A. ShtullTrauring and M. Trachtenbrot: STATEMATE: A Working Environment for the Developement of Complex Reactive Systems. IEEE Transactions on Software Engineering 16, pp. 403-414, 1990. 6. D. Harel and A. Naamad: The STATEMATE Semantics of Statecharts. ACM Transactions on Software Engineering Methods 5, 1996. 7. D. Harel and A. Pnueli: On the Development of Reactive Systems. In K.R. Apt, editor, Logic and Models of Concurrent Systems, NATO, ASI-13, pp. 477-498, Springer, 1985. 8. D. Harel: Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming 8, pp. 231-274, 1987. 9. D. Harel, A. Pnueli, J. P. Schmidt and R. Sherman: On the formal Semantics of Statecharts. In Proc. Second IEEE Symp. on Logic in Computer Science, pp. 54-64, IEEE Computer Society Press, New York, 1987. 10. C. Huizing and R. Gerth: Semantics of Reactive Systems in Abstract Time. Lecture Notes in Computer Science 600, pp. 291-314, Springer, Berlin, 1992. 11. F. Levi: A Process Language for Statecharts. In Proc. of the Workshop Analysis and Veri cation of Multiple-agent Languages, Lecture Notes in Computer Science 1192, pp. 388-403, Springer, Berlin, 1996. 12. F. Maraninchi: Operational and Compositional Semantics of Synchronous Automaton Composition. In Proc. of CONCUR 92, Lecture Notes in Computer Science 630, pp. 550-564, Springer, Berlin, 1992. 13. A. Maggiolo-Schettini, A. Peron and S. Tini: Equivalence of Statecharts. In Proc. of CONCUR 96, Lecture Notes in Computer Science 1119, pp. 687-702, Springer, Berlin, 1996. 14. A. Pnueli and M. Shalev: What is in a Step: on the Semantics of Statecharts. Lecture Notes in Computer Science 525, pp. 244-264, Springer, Berlin, 1991. 15. A. C. Uselton and S. A. Smolka: A Process Algebraic Semantics for Statecharts. In Proc. of CONCUR 94, Lecture Notes in Computer Science 836, pp. 2-17, Springer, Berlin, 1994.
This article was processed using the LaTEX macro package with LLNCS style
