Interpretation of AADL Behavior Annex into synchronous formalism using SSA
Yue Ma, Jean-Pierre Talpin, Thierry Gautier

To cite this version:

HAL Id: hal-00554416
https://hal.archives-ouvertes.fr/hal-00554416
Submitted on 10 Jan 2011

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Interpretation of AADL Behavior Annex into synchronous formalism using SSA

Yue Ma     Jean-Pierre Talpin    Thierry Gautier
INRIA, Unité de Recherche Rennes-Bretagne-Atlantique, Campus de Beaulieu, 35042 Rennes Cedex, France
Email: {Yue.Ma, Jean-Pierre.Talpin, Thierry.Gautier}@irisa.fr

Abstract

This article focuses on the essence and distinctive features of the AADL behavioral aspects, for which we use the code generation infrastructure of the synchronous modeling environment SME. It introduces an effective method for transforming a behavior specification consisting of transitions and actions into a set of synchronous equations. We present an approach for this transformation using SSA as an intermediate formalism. This interpretation minimizes introducing new state variables and transitions.

1 Introduction

Nowadays, embedded systems are an integral part of safety critical systems in various domains, such as avionics, automotive and telecommunications. Typically, they have a long life cycle of development and maintenance. In this process, architecture design and early analysis of embedded systems are two of the major challenges for designers using modeling languages such as AADL [1] (Architecture Analysis and Design Language) to describe the systems.

AADL is a language which supports the modeling of component-based systems as an assembly of software components mapped onto execution platforms. The modeling aspect of system design activity is becoming increasingly essential, since it allows prototyping and experiments without necessarily having a physical implementation of the system. The Behavior Annex is proposed as an extension of AADL to offer a way to specify the behaviors of components. AADL allows a fast design entry and software/hardware co-design. However, system validation and verification is a critical challenge. What we are seeking for is to use formal methods to ensure the quality of system designs.

Synchronous languages [4], such as Signal [2, 3], have been used successfully for the design of real-time critical applications to significantly ease the modeling and validation of software components. Their associated toolsets provide formal transformation, automatic code generation, verification, etc.

Signal is a dataflow relational language that relies on the polychronous model [3]. Signal handles unbounded series of typed values \((x_t)_{t \in \mathbb{N}}\), called signals, denoted as \(x\) and implicitly indexed by the discrete pace of its clock, noted \(\dot{x}\). At a given instant, a signal may be present or absent. Two signals are synchronous if they are always present (or absent) at the same instants.

In Signal, a process (written \(P\) or \(Q\)) consists of the synchronous composition (noted \(P \mid Q\)) of equations (written \(x := \text{op} y z\)) over signals. An equation \(x := \text{op} y z\) defines the output signal \(x\) by the result of the application of operator \(\text{op}\) to its input signals \(y\) and \(z\). In addition to the extension to signals of usual functions on values (e.g., boolean or arithmetic operations), the specific basic Signal equations are the delay \(x := y$\) init \(v\), the sampling \(x := y\) when \(z\), and the merging \(x := y\) default \(z\). The reader is referred to [3] for definitions. The process \(P/x\) restricts the lexical scope of the signal \(x\) to the process \(P\). The abstract syntax of a process \(P\) in Signal is defined as:

\[
P, Q := x := \text{op} y z \mid P \mid Q \mid P/x
\]

Relying on these bases, we propose an approach to automatically interpret AADL Behavior Annex into the synchronous formalism Signal. We are concerned with a method to embed notations of the AADL Behavior Annex in a suitable model of computation for the purpose of formal verification and code generation. To model and compile all distinctive programming features of AADL behaviors, transitions and actions, we use the code generation infrastructure of the synchronous modeling environment SME [5]. The SME environment is a front-end of Polychrony [7] (which is a toolset for Signal) in the Eclipse environment based on Model-Driven Engineering (MDE) technologies.

The model transformation specified here relies on an inductive SSA (static single assignment) [6] transformation algorithm across transitions/actions, that produces intermediate representation. A program is said to be in SSA form whenever each variable in the program appears only once on the left hand side of an assignment. Only one new value of a variable \(x\) should at most be defined within an instant. The SSA form of a program replaces assignments of a program variable \(x\) with assignments to new versions of \(x\), uniquely indexing each assignment. The \(\phi\) operator is needed to choose the value depending on the program control-flow, where a variable can be assigned in both branches of a conditional statement or in the body of a loop. As SSA is an intermediate representation, the introduction
of the \( \phi \)-function will not consume execution cost. The compilation will optimize the final execution code. It introduces an effective method for transforming behavior specifications consisting of transitions and actions into a set of synchronous equations. This transformation minimizes the needed state variables and component synchronization.

In this paper, we show how to not only translate the core imperative programming features into equations, but also extend it to the mode automata that control the activation of such elementary transitions and actions. We give an overview of AADL and Behavior Annex in Section 2. The principles of the interpretation from AADL Behavior Annex to Signal are described in Section 3. Experimental results are provided by a case study. Some related works and conclusions are given in Section 4 and Section 5.

2 AADL and Behavior Annex

AADL is an SAE standard aimed at high level design and evaluation of the architecture of embedded systems. The language employs formal modeling concepts for the description of software and hardware architecture. It focuses on the description of systems using the component-based paradigm. A set of predefined components are offered:

- **Application software components** include process, thread, thread group, subprogram, and data components.
- **Execution platform components** model the hardware part of the system. This includes the processor, memory, device, and bus components.
- **Composite components** model components consisting of both hardware and software. A system component models a component containing execution platform, application software and other composite components.

The AADL Behavior Annex [8] is an extension of the core of the standard to offer a way to specify the local functional behavior of the components. It supports describing precisely the behaviors, such as port communication, computation, timing, etc. A Behavior Annex can be attached to a thread or a subprogram: threads or subprograms start from an initial state, and a transition to a complete (resp. return) state, specified as \( t : \) complete state (return state). From state \( s_i \), it may perform a transition \( A \) to a new state \( s_j \), written \( s_i \rightarrow s_j \{ S \} \), if the guard \( g \) is true.

\[
\text{behavior_spec} \ x \ A \ \text{where} \ A := s_i \rightarrow s_j \{ S \} | A_1; A_2 \quad \text{and} \quad g := [\text{on expr}] [e] [\text{when expr}] [exp],
\]

and \( s := \) (initial | complete | return) state

- The guard \( g \) can either be an expression \( \text{expr} \) or contain an optional event or event data receipt \( e \) and an optional boolean condition \( [\text{on expr}] [\text{when expr}] \).
- The condition may depend on the received data, and it can be split in two parts: the on part expresses conditions over the current state, and the when part expresses a condition over the data to be read.
- An event \( e \) can be a receipt from an event port \( (p?) \), or from an event data port \( (p!(x)) \) where \( x \) is a state variable or a data subcomponent.

**Actions**

Actions are sequences of operations on variables that are performed during the execution of transitions.

\[
\text{(action) } S := x := f(y, z); p!; \text{p?!} \langle x \rangle \text{; p}] \text{; p}\langle x \rangle \quad \text{if } x \text{ then } S_1 \text{ else } S_2 \quad \text{for } (x \in X) \quad S
\]

- \( \text{delay(min, max)} \) and \( \text{computation(min, max)} \) define the value of \( x \) from the function \( f \) of the current values of \( y \) and \( z \).
- The conditional \( x \) if \( x \text{ then } S_1 \text{ else } S_2 \) executes \( S_1 \) if the current value of \( x \) is true, otherwise executes \( S_2 \).
- The finite loop \( \text{for } (x \in X) \quad S \) allows iterations over finite integer ranges or over unparameterized types, which are specified by a data classifier.
- The timing actions \( \text{delay(min, max)} \) and \( \text{computation(min, max)} \) specify non-deterministic waiting time and computation time intervals. The difference is that \( \text{computation(min, max)} \) consumes CPU, while \( \text{delay(min, max)} \) does not.

---

**Figure 1. Behavior Annex example**

```plaintext
thread implementation door_handler.imp
annex behavior specification {+
states
s0: initial complete state;
transitions
s0 • [on (dps > 3) and handle] -> s0 {
    warn_diff_press = true;
    door_info = locked;
    if (on_ground) door_locked = false;
    else door_locked = true; end if;
};

s0 • [on not (dps > 3 and handle)] -> s0 {
    warn_diff_press = false;
    door_info = locked;
    if (in_flight) door_locked = true;
    else door_locked = false; end if;
};
+
end door_handler.imp;
```
The interpretation of transitions $T_1 \parallel T_2$ can be parallel:
$$
I(T_1 | T_2) = I(T_1) \cap I(T_2)
$$
where $W = I_0(U)$, and $U = I_0(T)$

Each step of the interpretation $I_T, I_U, I_W$ will be explained in detail in the following subsections.

### 3.1 Actions to basic actions

A transition from a source state $s$ when condition $c$ is satisfied, to a destination state $t$, with attached general action $S$, noted as $s \xrightarrow{c} t \{S\}$, can be decomposed into a set of intermediate transitions $U \in \mathcal{U}$, in which the actions in each new transition are basic actions $B \in \mathcal{B}$.

$$
S \xrightarrow{c} t \{S\} \xrightarrow{c} U
$$

where $U = s_1 \xrightarrow{c} s_j \{B_i\} | U_1 | U_2$, and $B_i \in \mathcal{B}$

We use $I_T(T)$ to represent this interpretation from a general transition $T \in \mathcal{I}$ to basic transition $U \in \mathcal{U}$. The interpretation of the transitions can be parallel.

We also use the notation $I_{TS}$ to note this transformation, the action $S$ is decomposed into $B; S'$, where $B$ is the basic actions from the beginning of $S$, and $S'$ is the rest.

$$
I_T(s \xrightarrow{c} t \{S\}) = I_{TS}(s, c, t, S, \phi)
$$

where $S = B; S'$, and $B \in \mathcal{B}$, and $U \in \mathcal{U}$

- At the very beginning of the interpretation, there is no basic action before $S$.
- Suppose $S' = S_1; S_2$ where $S_1$ is the first action of $S'$. If action $S_1$ is a basic action $S_1 \in \mathcal{B}$, then it can be merged to the previous basic action set $B$. Otherwise, if $B$ is empty, decompose $S_1$ and $S_2$ respectively, and apply the defined rules for each one. If $B$ is not empty, introduce a new transition for action $B$, and decompose $S_1, S_2$ similarly to the previous case.

$$
I_{TS}(s, c, t, S_1; S_2, B) = \begin{cases} 
I_{TS}(s, c, t, S_2; B; S_1) & \text{if } S_1 \in \mathcal{B} \\
I_{TS}(s, c, t, B) & \text{if } S_1 \notin \mathcal{B} \text{ and } B = \phi \\
(U_1, U_2) & \text{if } S_1 \notin \mathcal{B} \text{ and } B \neq \phi
\end{cases}
$$

where

$$
(I_{TS}(s, c, t, S_1, S_2), U_2) = U_2 - I_{TS}(s_1, \text{true}, t, S_2, \phi)
$$

$$
(U_3, s_2) = U_3 - I_{TS}(s_1, \text{true}, s_1)
$$

$$
U_4 - I_{TS}(s_2, \text{true}, S_2, \phi)
$$

The transformation for the composite action $S \in \mathcal{I}$ and $S \notin \mathcal{B}$, noted as $I'_T(s, c, s) = (U, t)$ (where $s \xrightarrow{c} t \{S\}$ is the original transition with composite action $S, U$ is the resulting basic transition), will be represented in the following subsections.

$$
I_T(s, c, s) = (U, t) \quad \text{where } S \in \mathcal{I}, \text{ and } S \notin \mathcal{B}, \text{ and } U \in \mathcal{U}
$$

If there is no action following $S$ in the interpretation, which means that the action $S$ is already a basic action $S \in \mathcal{B}$, then the resulting transition is the same as the original one.

$$
I_{TS}(s, c, t, s, \phi) = (s \xrightarrow{c} t \{S\})
$$

Next, we will interpret each of the composite actions $S$, $(S \in \mathcal{I} \text{ and } S \notin \mathcal{B})$. We write $I_T(s, c, S) = (U, t)$ for the action $S$ from source state $s$, with guard $c$. It returns an intermediate transition $U$ (the actions in $U$ are the basic actions), and an exit state $t$. 

- The message sending or receiving actions express the communication of messages. A statement $p!$ calls the send service on an event or event data port $p$. The event is immediately sent to the destination with the stored data if any. $p!(x)$ writes data $x$ to the event data port $p$ and calls the send service. $p?$ dequeues an event from event port $p$. $p?(x)$ dequeues a data in the variable $x$.
- Sequences of actions $S_1; S_2$ are executed in order.
3.1 Condition
A conditional evaluates $S_1$ with the condition $x$ to $U_1$ and $S_2$ with condition not $x$ to $U_2$.

$$\mathcal{I}'(\text{if } x \text{ then } S_1 \text{ else } S_2, c, s) = \begin{cases} s \xrightarrow{c \text{ and } x} s_1, t \xrightarrow{c \text{ and not } x} s_2, u \\ \end{cases}$$

where $\mathcal{I}_{TS}(s_1, \text{true}, u, S_1, \phi) = U_1$, $\mathcal{I}_{TS}(s_2, \text{true}, u, S_2, \phi) = U_2$

3.1.2 Loop
A loop statement for $(x \in X) \{S\}$ allows iterations over finite integer ranges or over unparameterized enumerated types, which are specified by a data classifier.

**Integer range** For an integer range, $i \in M..N$, which means that $M$ and $N$ are two integers and $M < N$, the loop statement can be refined as:

$$\mathcal{I}'(\text{for } i \in M..N \{S\}, c, s) = \begin{cases} s \xrightarrow{t\{i:=M\}} u \\ \end{cases}$$

where $\mathcal{I}_{TS}(t, \text{true}, u, S, \phi) = U$

**Enumeration** For an iteration over unparameterized enumeration, $x \in X$, in which $X$ is a data classifier of enumerated type $X = \{x_1, x_2, ..., x_n\}$, the loop statement can be translated as:

$$\mathcal{I}'(\text{for } x \in X \{S\}, c, s) = \begin{cases} s \xrightarrow{t\{i:=i+1\}} u \\ \end{cases}$$

where $\mathcal{I}_{TS}(t, \text{true}, u, S, \phi) = U$

3.3 Computation(m,n)
Computation$(m,n)$ expresses the use of CPU for a possibly non-deterministic period of time between $m$ and $n$. For this non-deterministic choice, we introduce a function $random(m,n)$ to choose a random period $r$ ($m < r \leq n$) while translating. In each iteration of $i$, a synchronization with a physical tick $ms$? is performed.

$$\mathcal{I}'(\text{computation } (m,n), c, s) = \begin{cases} s \xrightarrow{t \{i:=1\}} u \\ \end{cases}$$

where $r \sim random(m,n)$, and $ms$? synchronizes with the physical tick $\phi$.

3.4 Delay(m,n)
The difference between delay and computation is that computation consumes CPU, while delay does not, which means that, when a thread delays some time interval, other threads can execute during this time.

The interpretation of delay is more complicated, for it will request for rescheduling. We can represent the delay using a finite loop if its period can be determined by a random choice:

$$\mathcal{I}'(\text{delay } (m,n), c, s) = \mathcal{I}'((\text{for } i \in 1..r \{}ms\?\{i:=i+1\}\} , c, s) - (U, t)$$

where $r \sim random(m,n)$, and $ms$? synchronizes with the physical tick $\phi$.

3.1.3 Basic actions to SSA form actions
Only one new value of a variable $x$ should at most be defined within an instant in SSA form. An operation $x := f(y, z)$ takes the current value of $y$ and $z$ to define the new value of $x$ by the product with $f$. A statement $p(x)$ sends the value $x$ to $p$. Execution may continue with the same symbolic instant unless a second emission is performed. A statement $p? (x)$ waits a signal from $p$.

We use the notation $\mathcal{I}_U$ to note the intermediate transition $U \in \mathcal{B}$ (with actions $B \in \mathcal{A}$) to be represented in SSA form $W \in \mathcal{W}$ (with actions $A \in \mathcal{A'}$).

We use an environment $E$ to associate each variable with its definition, an expression that locates it, $E : X \rightarrow \mathcal{X}$. The environment of $x$ is noted $E(x)$, and the domain of $E$ is noted $\mathcal{X}(E)$. The restriction of a variable $x$ to environment $E$ is noted $E[x]$, which satisfies:

$$\phi[x = \phi$$

$$(E \cup \{y \mapsto z\})[x] = \begin{cases} E & \text{if } y = x \\ (E[x]) \cup \{y \mapsto z\} & \text{if } y \neq x \\ \end{cases}$$

We write $use_E(x)$ for the expression that returns the definition of the variable $x$ in environment $E$, and $def_E(x)$ for the environment $E$ storing variable $x$ with its associated definition.

$$use_E(x) = \begin{cases} E(x) & \text{if } x \in \mathcal{X}(E) \\ x & \text{otherwise} \end{cases}$$

$$def_E(x) = (E[x]) \cup \{x \mapsto x'\} \text{ where } x' \notin \mathcal{X}(E)$$

We depict sequence of basic actions $B = B_1; B_2$ attached to an intermediate transition $U$ defined in environment $E$ to a set of new SSA form transitions $W$ with an updated environment $F$, in which all the new actions $A$ are in SSA form, and can be executed in the same instant. We use $\mathcal{I}_U(U)$ to note this interpretation from an intermediate transition to SSA form transition $W \in \mathcal{W}$, and we introduce another notation $\mathcal{I}_U$ to define the transformation rules:

$$\mathcal{I}_U(s \xrightarrow{t\{B\}} u) = \mathcal{I}_U(s \xrightarrow{t\{B\}} u) \text{ where } \mathcal{I}_U(B_1, B_2, s, E) = (W, t, F)$$

$$B = B_1; B_2$$

The following transformations can be defined:

- For a single assignment basic action $x := f(y, z)$ in a transition with environment $E$, the new transition will take its SSA form assignment: the final version of variable $x$ and the definition of $y$ and $z$ defined in $E$ are used, the new environment $F$ only stores the final value of $x$ defined in $E$. 


We use the notation $\mathcal{I}_W(W)^{st}$ to represent the interpretation from the SSA form transition $W \in \mathcal{W}$ to Signal process. A local signal $st$ is introduced to represent the state variable, and $nst$ represents the next state.

$$\mathcal{I}_W(W_1 \mid W_2)^{st} = \mathcal{I}_W(W_2)^{st} \mid \mathcal{I}_W(W_1)^{st}$$

$$\mathcal{I}_W(s \overset{t}{\rightarrow} (A)^{st}) = (P \mid nst = t \text{ when } g)$$

where

$$\begin{cases} (P, E) = \mathcal{I}_A(A)^{st}_{P}, \text{ when } g = c \text{ when } (st = s) \end{cases}$$

Following the three steps' interpretation, the behavior specification $\text{behavior spec } x X$, can now be represented as $\text{behavior spec } x (W \parallel \text{ initial state } s_0), (W \in \mathcal{W})$. The interpretation for the behavior specification can be written as:

$$\mathcal{I}(\text{behavior spec } x (T \mid \text{ initial state } s_0))$$

- $\mathcal{I}_W(\text{behavior spec } x (W \mid \text{ initial state } s_0))$

  where $W = \mathcal{I}_U(U)$, and $U = \mathcal{I}_E(T)$

- $\mathcal{I}_W(\text{behavior spec } x (W \mid \text{ initial state } s_0))$

  - $(P \mid st = nst \text{ init } s_0) / st, nst$, where $P = \mathcal{I}_W(W)^{st}$

### 3.4 A Case study

The intermediate generated code of the basic transitions/actions (step $T \xrightarrow{\mathcal{I}_E} U$) for the $\text{door handler}$ thread (previously presented in Figure 1) is depicted in Figure 2. It contains a transformation of the transitions as well as their attached actions. The interpretation introduces two intermediate states: $\text{STATE}_0, \text{STATE}_1$. The first three transitions rewrite the first original one. A transition is introduced for each branch of the condition action.

```
thread implementation door_handler.imp

annex behavior specification (**
states
STATE_0 : state;
STATE_1 : state;

transitions
s0 - [ on dps > 3 and handle ] -> STATE_0 { warn_diff_press := true;
  door_info := locked;};
STATE_0 - [ on ground ] -> s0 { door_locked := false;};
STATE_0 - [ on not ground ] -> s0 { door_locked := true;};
s0 - [ on not dps > 3 and handle ] -> STATE_1 { warn_diff_press := false;
  door_info := locked;};
STATE_1 - [ on in flight ] -> s0 { door_locked := true;};
STATE_1 - [ on not in flight ] -> s0 { door_locked := false;};
**}

end door_handler.imp;
```

**Figure 2. Intermediate Behavior code**

In this example, the SSA form of transitions is the same as depicted in Figure 2, since all the variables are already uniquely defined in each of the transitions. Each transition will then be interpreted to Signal equations. The generated code for the first SSA form transition is listed here, the guard and state variables ($st, nst$) are added.
Our technique uses the underlying model of computation AADL and behavior annex specification into BIP. It supposes the actual behaviors are described using the implementation language, so the actions are not considered, while the translation of the transitions is shown roughly. In our transformation, the transitions and actions are both presented. [12] proposes a formal semantics for a subset of AADL behavior annex using Timed Abstract State Machine (TASM). It defines the synchronization actions (remote subprogram call) which have not been considered in our approach, however, it does not present how the basic actions are translated. In AADL2Fiacre [13], the transformations from AADL and behavior annex to Fiacre are illustrated on a small example, but the semantics are not formally defined.

Our approach and tools are based on the studies and experimental results on the translation of C/C++ parallel codes into synchronous formalism using SSA transformation [10]. In the ANR project SPACIFY, [14] proposes an approach to model notations of the Synoptic language and to embed them in a suitable model of computation for the purpose of formal verification and code generation. It consists of an inductive SSA transformation algorithm across a hierarchy of blocks that produces synchronous equations. The impact of this transformation technique has a big advantage: it minimizes the number of state variables across hierarchical automata and hence creates a minimal number of transitions in the generated code.

For future works, we intend to implement an automatic transformation. Since the intermediate SSA form is very simple, the implementation can focus on optimizations and performances. One extension is to model the scheduling policy as well as a rescheduling algorithm when a system service is requested. Furthermore, an extension to composite state specified in Behavior Annex jointly with the actions would be interesting. Another extension study is the validation of message communication optimization.

4 Related Works

A few approaches for defining the semantics or for interpreting the behavior annex of AADL have been proposed. AADL2BIP [11] studies a general methodology for translating AADL and behavior annex specification into BIP. It supposes the actual behaviors are described using the implementation language, so the actions are not considered, while the translation of the transitions is shown roughly. In our transformation, the transitions and actions are both presented. [12] proposes a formal semantics for a subset of AADL behavior annex using Timed Abstract State Machine (TASM). It defines the synchronization actions (remote subprogram call) which have not been considered in our approach, however, it does not present how the basic actions are translated. In AADL2Fiacre [13], the transformations from AADL and behavior annex to Fiacre are illustrated on a small example, but the semantics are not formally defined.

Our approach and tools are based on the studies and experimental results on the translation of C/C++ parallel codes into synchronous formalism using SSA transformation [10]. In the ANR project SPACIFY, [14] proposes an approach to model notations of the Synoptic language and to embed them in a suitable model of computation for the purpose of formal verification and code generation. It consists of an inductive SSA transformation algorithm across a hierarchy of blocks that produces synchronous equations.

5 Conclusion

We have presented in this paper the principle and implementation that interpret AADL behavior annex into a synchronous data-flow and multi-clocked model of computation. This interpretation is based on the use of SSA as an intermediate format. It gives a thorough description of an inductive SSA transformation algorithm across a hierarchy of transitions that produce synchronous equations.

Our technique uses the underlying model of computation of the SME platform. We obtain an effective method for transforming a hierarchy of behavior specifications consisting of transitions and actions into a set of synchronous equations. The impact of this transformation technique has a big advantage: it minimizes the number of state variables across hierarchical automata and hence creates a minimal number of transitions in the generated code.

For future works, we intend to implement an automatic transformation. Since the intermediate SSA form is very simple, the implementation can focus on optimizations and performances. One extension is to model the scheduling policy as well as a rescheduling algorithm when a system service is requested. Furthermore, an extension to composite state specified in Behavior Annex jointly with the actions would be interesting. Another extension study is the validation of message communication optimization.

References