A Component Model for Architectural Programming

Hubert Baumeister\(^1,6\) Florian Hacklinger\(^2,6\) Rolf Hennicker\(^3,6\)
Alexander Knapp\(^4,6\) Martin Wirsing\(^5,6\)

Institut für Informatik
Ludwig-Maximilians-Universität München
Germany

Abstract

Software architectures and modular composition help in constructing large-scale software systems. Current programming languages provide only insufficient support for software architecture. Architectural programming overcomes the problem of architectural erosion in implementations by integrating concepts of software architecture into programming languages. We present the new programming language JAVA/A as an instance for Java-based architectural programming and show how JAVA/A integrates architectural notions such as components, connectors, and assemblies into Java. A main asset of JAVA/A is its underlying abstract component model which provides the basis for reasoning about software components and assemblies. We give a formalisation of the abstract component model in terms of transition systems and states as algebras, and prove a consistency result for assemblies.

Keywords: Architectural programming, software architecture, semantics of components

1 Introduction

According to the ANSI/IEEE 1471 2000-standard, software architecture is: “The fundamental organization of a system embodied in its components, their relationships to each other and to the environment and the principles guiding its design and evolution.” [9] (cf. also, e.g., [5,17]). Therefore, components are modelled “through-

---

\(^1\) Email: baumeister@ifi.lmu.de
\(^2\) Email: hacklinger@ifi.lmu.de
\(^3\) Email: hennicker@ifi.lmu.de
\(^4\) Email: knapp@ifi.lmu.de
\(^5\) Email: wirsing@ifi.lmu.de
\(^6\) This research has been partially supported by the EC 6th Framework project SENSORIA “Software Engineering for Service-Oriented Overlay Computers” (IST 016004) and the GLOWA-Danube project (01LW0303A) sponsored by the German Federal Ministry of Education and Research.

1571-0661 © 2006 Elsevier B.V. Open access under CC BY-NC-ND license.
doi:10.1016/j.entcs.2006.05.015
out the development life cycle and successively refined into deployment and run-
time” [12].

Architecture description languages (ADLs), like Wright, Darwin, or Rapide, provide means to model and analyse both the static and dynamic properties of software architectures. ADL models, however, are mainly employed in the analysis and design steps of the classical software development phases. The implementation step is, at best, only supported by code generation facilities (for an ADL comparison and overview, see, e.g., [11]). Common implementation environments are not capable of representing architectural notions properly. Thus, a hand-coded implementation from an ADL model inevitably tends to loose its connection to the intended architectural structure during the maintenance steps; the same issue will hold for generated code tampered with by hand when not strictly adhering to the model-driven development discipline. The result is “architectural erosion” [14].

In order to counter architectural erosion in the implementation and mainten-
ance phases, we propose the inclusion of architectural notions, like components, ports with provided and required interfaces as well as protocols, connectors, and as-
semplies, into a programming language and we call such a language an architectural programming language.

We present the new programming language **Java/A** [7] as an instance for a Java-based architectural programming language, show how **Java/A** integrates archi-
tectural notions into Java, and present the abstract component model which forms the semantical basis underlying **Java/A**. In **Java/A** components are strongly encapsulated behaviours of which only the exchange of messages with their environ-
ment according to well-defined provided and required operation interfaces can be observed. Hence, component reuse and replaceability is fostered. The component interfaces are bound to ports which regulate message exchange by protocols and ports can be linked by connectors establishing a communication channel between their owning components. Thus, safe communication can be specified and verified. A set of components whose ports are linked by connectors forms an assembly. The number of ports a component offers, the linkage of ports between components, and the number of components in an assembly can vary dynamically, providing basic means for dynamic reconfiguration. **Java/A** is supported by a compiler which translates **Java/A** programs to Java classes and includes the possibility to check port protocols for compatibilty, i.e., that two connected ports will only exchange messages the communication partner understands, and the trace of messages will not lead to a deadlock.

It may be noted that traditional component frameworks like EJB, JavaBeans, COM+, CORBA, &c. do not qualify as architectural programming languages, since these techniques do not properly support the concepts of (required) interfaces, connectors, and assemblies. However, the inclusion of interface protocols into programming languages has been discussed for quite a long time [20,13]. On the other hand, ArchJava [1], an architectural extension of Java, introduces the structural features of architectural programming languages, such as components and ports, into a programming language, but does not give any support for controlling the
The dynamic behaviour of ports by e.g. port protocols.

A main asset of Java/A is its underlying abstract component model which has strongly influenced the design of Java/A and which provides the basis for reasoning on assemblies and port compatibility. The abstract component model is formalised using the interface automata approach [2] to I/O-transition systems for describing the observable behaviour and the “states-as-algebras” approach [4] for representing the internals of components and assemblies. In particular, component and port types are modelled as sorts in order to ease dynamic reconfiguration and dynamic creation and deletion.

The paper is structured as follows: In Sect. 2, we introduce architectural programming with Java/A, present the component metamodel of Java/A, illustrate the architectural concepts by an example and show how dynamic reconfiguration at runtime is supported by Java/A. In Sect. 3 we present the semantic basis for the main constituents of our component model and give mathematical formalisations of components, ports, and assemblies. As an example of a consistency result, we prove in Sect. 4 that model checking deadlock-freedom of port protocols induces deadlock-freedom of the corresponding assembly, provided that its components correctly refine the respective port protocol state machines. In the remaining sections 5 and 6 we compare our approach with related work and discuss ongoing and future work.

2 Architectural Programming

The basic idea of architectural programming is to preserve a software architecture throughout the software development process in a decent way. For instance, in the analysis phase the components of an architecture are implied by the system boundaries of a use case model. In the design, architectures may be represented with UML component diagrams or by a model in an architecture description language. In the implementation, an architecture should be implemented in an architectural programming language, like Java/A.

After giving a brief introduction to Java/A and its features, we illustrate the language by means of a (simplified) Bank–ATM example. Moreover, we discuss the reconfiguration possibilities offered by Java/A.

2.1 Java/A

Figure 1 summarises the component metamodel of Java/A. A component has ports, and each port has a provided and required interface and may have a protocol associated with it to describe the sequence of messages allowed for that port. A component is either a simple component or a composite component. A composite component consists of an assembly which contains components and connectors. A connector links two components by connecting ports they own. In order to support strong encapsulation of components, a composite component is not directly composed out of subcomponents and connectors, instead a composite component is built from an assembly by hiding the internal structure of how the composite
component is constructed.

JAVA/A extends Java by providing support for these architectural concepts, introducing keywords port, required, provided, simple and composite component, and assembly, and including port protocol descriptions as UML state machines. The JAVA/A compiler transforms JAVA/A components into pure Java code which can be compiled to byte code using the Java compiler. The generated Java classes are integrated into the JAVA/A component framework, which provides general operations that are common to all JAVA/A components, serving, for instance, for reconfiguration support. Each component can be compiled and deployed on its own, since the component’s dependencies on the environment are encapsulated in ports. The correctness of an assembly, i.e., that for every connected port the required interface is satisfied by the provided interface of the connected counterpart and their protocols are compatible, can be assured using the UML state machine model checker HUGO [10], which is integrated with the JAVA/A compiler.

2.2 Example: Bank–ATM

We will illustrate our approach to architectural programming and the programming language JAVA/A by a simplified Bank–ATM example. In this example, a varying number of ATMs may be connected to a bank. An ATM can send an IBAN and a PIN to the bank in order to withdraw money. Then the bank asks a clearing company whether the IBAN together with the PIN is valid. If this is the case the ATM can withdraw an amount of money.

The design of the Bank–ATM system is shown in the component diagram in Fig. 2(a) where the composite component BankATM contains an assembly of three components ClearingCompany, Bank, and ATM whose ports are wired by appropriate connectors. The stacked boxes depicting port BA of component Bank indicates that it is a dynamic port which can have an arbitrary number of port instances. In contrast, static ports (like CB, BC and AB) must have a single instance at any time. Fig. 2(b) shows an admissible system configuration with two ATM instances whose
ports (of type AB) are linked to different port instances of type BA.

Port protocols are specified with UML state machines. A protocol describes the order and dependencies of messages which are sent and received by a port. Figure 3 displays the protocol of the port BC which specifies that each time the bank sends a message verifyPIN via BC it will wait for either a response pinOK or pinNotOk at the port BC before it can send another message verifyPIN.

2.3 Implementation of the Bank–ATM example using JAVA/A

The following code shows parts of the JAVA/A-declaration of the component Bank:

```java
simple component Bank {
    Map balance = new HashMap();
    Queue pending = new LinkedList();
    BA current = null;
    Set verifieds = new HashSet();

dynamic port BA {
    provided {
        signal verifyPIN(IBAN iban, int pin);
        signal withdraw(IBAN iban, Money amount);
    }
    required {
        void pinOk();

    / verifyPIN(iban, pin)

    Idle
    Verifying

    pinOk() /
    pinNotOk() /

    Figure 3. UML state machine describing the protocol of port BC.
```
void pinNotOk();
void withdrawOk();
void withdrawNotOk();
}
<! // protocol of BA ... !>
}

port BC {
  provided {
    void pinOk();
    void pinNotOk();
  }
  required {
    void verifyPIN(IBAN iban, int pin);
  }

  <! // protocol of BC
  states {
    initial Initial;
    simple Idle;
    simple Verifying;
  }
  transitions {
    Initial -> Idle;
    Idle -> Verifying { effect verifyPIN(); }
    Verifying -> Idle { trigger pinOk(); }
    Verifying -> Idle { trigger pinNotOk(); }
  }
}

In lines 2–5 component attributes are declared and initialised. The attributes of the component hold account balances (balance), a queue of verifyPIN requests (pending), the port instance of the currently processed request (current), and a set of port instances with already verified IBANs and PINs (verifieds). In lines 6–44, the ports BA and BC are defined. Each port declaration contains a set of provided operations (forming the provided interface) and a set of required operations (forming the required interface). Provided operations with the keyword signal are asynchronous, all other operations are synchronous. Port protocols are specified by UML state machines which are textually represented using the notation UTE [8]. For instance, lines 30–43 show the UTE representation of the UML state machine of port BC (see Fig. 3).

Every operation which is declared in a provided interface of a port must be implemented in the body of the port’s owning component. For instance, the operation verifyPIN provided by the port BA is implemented as follows:

```java
void verifyPIN(BA incoming, IBAN iban, int pin)
  implements BA.verifyPIN(IBAN, int) {
    pending.offer(new Object[]{incoming, iban, pin});
    synchronized (pending) {
      while (current != null) {
        try { pending.wait(); }
        catch (InterruptedException e) { e.printStackTrace(); }
      }
      Object[] request = (Object[])pending.poll();
      current = (BA)request[0];
      IBAN iban = (IBAN)request[1];
      int pin = ((Integer)request[2]).intValue();
      try {
        BC.verifyPIN(iban, pin);
      }
      catch (javaa.exception.ConnectionException e) { e.printStackTrace();
```
The parameter list of the implementing method is extended by a parameter \texttt{incoming} of the port type \texttt{BA} in order to allow the implementer to distinguish the source of a message in case of a dynamic port with multiple instances. To validate a PIN to an IBAN, the bank uses the clearing company which is connected to the bank at the port \texttt{BC}. Requests to verify a PIN on port \texttt{BC} (l. 16) must be sequentialised to comply with the protocol of \texttt{BC} (Fig. 3), hence the queue \texttt{pending} is used to keep requests that cannot be processed immediately. In case the port is not connected, the invocation of an operation declared in the port’s required interface results in throwing a \texttt{ConnectionException}.

The implementation of the operation \texttt{pinOk} provided by the port \texttt{BC} reads as follows.

```java
void pinOk() implements BC.pinOk() {
  verifieds.add(current);
  current.pinOk();
  current = null;
  synchronized (pending) {
    pending.notify();
  }
}
```

As the component \texttt{Bank} will always have exactly one port instance of the type \texttt{BC} it is not necessary to extend the parameter list of \texttt{pinOk} by a parameter of type \texttt{BC}. First, the port instance of type \texttt{BA} of the currently processed request which is held in the field \texttt{current} is added to the set of already verified port instances. Next, a message \texttt{pinOk} is sent out via the port instance \texttt{current}. Finally, waiting threads are notified of the termination of the current verification request.

The \texttt{JAVA/A} realisation of the component \texttt{BankATM} is shown in the following code fragment:

```java
composite component BankATM {
  assembly {
    component types { ATM, Bank, ClearingCompany }
    connector types {
      Bank.BA, ATM.AB;
      ClearingCompany.CB, Bank.BC;
    }
    initial configuration {
      ATM atm0 = new ATM();
      ATM atm1 = new ATM();
      Bank bank = new Bank();
      ClearingCompany cc = new ClearingCompany();
      Connector cn0 = new Connector();
      cn0.connect(atm0.AB, bank.BA);
      Connector cn1 = new Connector();
      cn1.connect(atm1.AB, bank.BA);
      Connector cn2 = new Connector();
      cn2.connect(bank.BC, cc.CC);
    }
  }
}
```

The component \texttt{BankATM} contains an assembly and therefore in l. 3–7 all component and connector types which will be used in the initial configuration and in future reconfigurations are declared (according to the component diagram given in Fig. 2(a)). The initial configuration (see Fig. 2(b)) is built up in lines 9–20. The connector type \texttt{Connector} is provided by the \texttt{JAVA/A} framework and realises
message transportation with local procedure calls. The framework provides also a SOAP-based RPC connector.

2.4 Reconfiguration with JAVA/A

The term dynamic reconfiguration summarises changes to a component-based system at runtime, concerning creation and destruction of components and building up and removing connections between ports. JAVA/A supports each of these reconfiguration variants.

A possible reconfiguration in the Bank–ATM example is the connection and disconnection of ATMs. An idle ATM disconnects from the Bank and reconnects whenever a customer enters his bank card. Figure 4 shows a configuration where one ATM (atm₁) is disconnected from the bank. When a customer enters his bank card the ATM executes the following code which realises the (re)connection of an ATM to the bank.

```java
try {
    Component bank = componentLookUp(this, "Bank");
    Port ba = bank.getPort("BA");
    ConnectionRequest cr =
        new ConnectionRequest(this, this, AB, bank, ba, new Connector());
    reconfigurationRequest(cr);
} catch (ReconfigurationException e) { ... }
```

The JAVA/A framework provides the operations componentLookUp, getPort, and reconfigurationRequest. The first retrieves a component using its identifier, getPort fetches a port instance from a component, and the last operation sends the reconfiguration request to the containing assembly, which performs the reconfiguration if it approves the request. The class ConnectionRequest is also provided by the JAVA/A framework; its constructor has parameters which indicate the originating component of the request, both affected components and their ports, and the connector to use. If the request is not approved by the containing assembly, a reconfiguration exception is thrown. The other reconfiguration variants are realised in JAVA/A following a similar scheme.
3 A Semantical Model for Architectural Programming

We present a semantical model for the main constituents of our component metamodel of JAV/A (see Fig. 1). The semantical model uses a states-as-algebras approach [4] for representing the internals of components and assemblies, and the interface automata approach [2] to I/O-transition systems for describing the observable behaviour. Algebraic operation interfaces specify which operations are provided and required by a port. Port protocols are given by I/O-transition systems with input and output labels over the operations the port provides and requires. Note that the semantics does not distinguish between simple components and composite components. The semantics of both, a simple component and a composite component, is a component which is defined through its internal, algebraic state space and the declaration of the ports it offers; I/O-transition systems with input and output labels over the port operations describe the possible component behaviours. The semantics of a composite component is given by first taking the semantics of its assembly and then by hiding the internal structure of how that assembly is built. Assemblies are given by an internal, algebraic state space and a declaration of the components and connectors between component ports which may occur; the assembly behaviour is again described by an I/O-transition system whose labels reflect the observations on component ports that are not connected and the synchronisation of connected component ports. The internal state of a component stores which ports it currently offers thus providing means for changing ports dynamically; similarly, the internal state of an assembly records the current components and connectors, which may vary over time.

3.1 Preliminaries

We first summarise some basic definitions on algebras and I/O-transition systems. In particular, we recall the notion of algebraic signatures, algebras, and reducts, see [19]. For I/O-transition systems [2], we define relabellings and products.

Algebras

A signature $\Sigma = (S, F)$ consists of a set $S$ of sorts and a set $F$ of function symbols $f : s_1, \ldots, s_n \to s$. A signature $\Sigma = (S, F)$ is a subsignature of a signature $\Sigma' = (S', F')$, denoted by $\Sigma \subseteq \Sigma'$, if $S \subseteq S'$ and $F \subseteq F'$. A (total) $\Sigma$-algebra $A = ((s^A)_{s \in S}, (f^A)_{f \in F})$ consists of a set $s^A$ for each sort $s$ and interpretation functions $f^A : s_1^A, \ldots, s_n^A \to s^A$ for each $f : s_1, \ldots, s_n \to s \in F$. For signatures $\Sigma = (S, F), \Sigma' = (S', F')$ with $\Sigma \subseteq \Sigma'$, the $\Sigma$-reduct of a $\Sigma'$-algebra $A$ is given by $A|_\Sigma = ((s^A)_{s \in S}, (f^A)_{f \in F})$. If $A$ is a $\Sigma$-algebra and $X = (x_i : s_i)_{i \in I}$ is an $S$-sorted set of variables, a valuation $\rho : X \to A$ assigns to each variable $x$ of sort $s \in S$ a value in $s^A$.

I/O-transition systems

An I/O-labelling $(I, O, T)$ consists of three mutually disjoint sets of input (or provided) labels $I$, output (or required) labels $O$, and internal labels $T$. An I/O-
transition system \( A = (Q, B, \Delta) \) over an I/O-labelling \((I, O, T)\) is given by a set of states \( Q \), a set of initial states \( B \subseteq Q \) and a transition relation \( \Delta \subseteq Q \times (I \cup O \cup T) \times Q \).

An I/O-relabelling \( \lambda : L_1 \rightarrow L_2 \) from an I/O-labelling \( L_1 = (I_1, O_1, T_1) \) to an I/O-labelling \( L_2 = (I_2, O_2, T_2) \) consists of three functions \( \lambda_I : I_1 \rightarrow I_2 \), \( \lambda_O : O_1 \rightarrow O_2 \), and \( \lambda_T : T_1 \rightarrow T_2 \). For a label \( l \in I_1 \cup O_1 \cup T_1 \), we write \( \lambda(l) \) for \( \lambda_I(l) \), if \( l \in I_1 \); \( \lambda_O(l) \), if \( l \in O_1 \); and \( \lambda_T(l) \), if \( l \in T_1 \). Let \( A = (Q, B, \Delta) \) be an I/O-transition system over \( L \) and let \( \lambda : L \rightarrow L' \) be an I/O-relabelling. Then \( A' = (Q', B', \Delta') \) defined by \( Q' = Q \), \( B' = B \), \( \Delta' = \{(q, \lambda(l), q') \mid (q, l, q') \in \Delta \} \) is the relabelled I/O-transition system over \( L' \) with respect to \( \lambda \), written as \( A \lambda \).

Two I/O-labellings \( L_1 = (I_1, O_1, T_1) \) and \( L_2 = (I_2, O_2, T_2) \) are composable if \( T_1 \cap (I_2 \cup O_2 \cup T_2) = \emptyset \), \( I_1 \cap I_2 = \emptyset \), \( O_1 \cap O_2 = \emptyset \), \( T_2 \cap (I_1 \cup O_1 \cup T_1) = \emptyset \). The shared labels of \( L_1 \) and \( L_2 \), written \( L_1 \cap L_2 \), are given by \((I_1 \cup O_1 \cup T_1) \cap (I_2 \cup O_2 \cup T_2) \). The product I/O-labelling of \( L_1 \) and \( L_2 \), written as \( L_1 \otimes L_2 \) is given by \( ((I_1 \cup I_2) \setminus (L_1 \cap L_2), (O_1 \cup O_2) \setminus (L_1 \cap L_2), T_1 \cup T_2 \cup (L_1 \cap L_2)) \). Let \( A_1 = (Q_1, B_1, \Delta_1) \) and \( A_2 = (Q_2, B_2, \Delta_2) \) be I/O-transition systems over composable I/O-labellings \( L_1 \), \( L_2 \), respectively. The product of \( A_1 \) and \( A_2 \), written as \( A_1 \otimes A_2 \), is given by the I/O-transition system \((Q, B, \Delta)\) over the product I/O-labelling \( L_1 \otimes L_2 \) defined as follows:

(i) \( Q = Q_1 \times Q_2 \);
(ii) \( B = B_1 \times B_2 \);
(iii) \( \Delta = \left\{ ((q_1, q_2), l, (q_1', q_2')) \mid (q_1, l, q_1') \in \Delta_1 \land l \notin L_1 \cap L_2 \land q_2 \in Q_2 \right\} \cup \left\{ ((q_1, q_2), l, (q_1', q_2')) \mid (q_2, l, q_2') \in \Delta_2 \land l \notin L_1 \cap L_2 \land q_1 \in Q_1 \right\} \cup \left\{ ((q_1, q_2), l, (q_1', q_2')) \mid (q_1, l, q_1') \in \Delta_1 \land (q_2, l, q_2') \in \Delta_2 \land l \in L_1 \cap L_2 \right\} \).

3.2 Interfaces and ports

Interfaces describe a set of accepted messages by declaring operations over a data signature. Formally, an interface is given by a pair \((\Sigma, Op)\) of a signature \(\Sigma\) and a set of operations \(Op\) over \(\Sigma\), where an operation \(op \in Op\) takes the form \(nm(x_1 : s_1, \ldots, x_k : s_k)\) with \(nm\) the operation name and \(\text{var}(op) = x_1 : s_1, \ldots, x_k : s_k\) the typed formal parameters with sorts in \(\Sigma\). A message for an operation \(op\) over \(\Sigma\) is a pair \((op, \rho)\) with \(\rho : \text{var}(op) \rightarrow \sigma\) a valuation from the operation’s formal parameters to a \(\Sigma\)-algebra \(\sigma\). The class of messages for a set of operations \(Op\) over a signature \(\Sigma\) is denoted by \(\text{Msg}_\Sigma(\text{Op})\).

For instance, the provided interace of port \(BA\) of component \(\text{Bank}\) in our running example has the signature \((S_{BA}, F_{BA})\) with sorts \(S_{BA} = \{\text{int}, \text{IBAN}, \text{Money}\}\) and \(F_{BA}\) comprising basic functions on integers, amounts of money, &c.; the declared operations are \(\text{verifyPIN(iban : IBAN, pin : int)}\) and \(\text{withdraw(iban : IBAN, amount : Money)}\).

Ports represent the windows of a component, prescribing which messages are accepted at a port by specifying a provided interface and which messages must be understood from a port by specifying a required interface. Thus we define a port signature \(\Sigma_P\) to be a pair \((I, O)\) consisting of a provided interface \(I = (\Sigma_{pro}, Op_{pro}^P)\) and a required interface \(O = (\Sigma_{req}, Op_{req}^P)\).
A port protocol regulates the order and dependencies of messages from and to a port. Such a port protocol for a port signature $\Sigma_P$ is given by a port I/O-transition system $(Q, B, \Delta)$ over the I/O-labelling $(\text{Label}^{\text{pro}}_P, \text{Label}^{\text{req}}_P, \text{Label}^{\text{int}}_P)$ where the labels are either

(i) an input label $i/ \in \text{Label}^{\text{pro}}_P$ with $i = (op, \rho) \in \text{Msg}(Op^{\text{pro}}_P)$; or
(ii) an output label $/o \in \text{Label}^{\text{req}}_P$ with $o = (op, \rho) \in \text{Msg}(Op^{\text{req}}_P)$; or
(iii) the internal label $/ \in \text{Label}^{\text{int}}_P$.

A port declaration $P : \Sigma_P$ consists of a name $P$ and a port signature $\Sigma_P$.

Figure 5 shows an excerpt of a possible I/O-transition system for port $BC$ of component $\text{Bank}$ which reflects the UML state machine specifying the port protocol in Fig. 3.

### 3.3 Components

A component has an internal data state and declares ports. Formally, a component signature $\Sigma_C$ is a pair $(\Sigma, (P : \Sigma_P)_{P \in \mathcal{P}})$ where $\Sigma$ is the state signature of $\Sigma_C$ and $(P : \Sigma_P)_{P \in \mathcal{P}}$ the family of port declarations of $\Sigma_C$ satisfying the following requirements:

(i) all $P \in \mathcal{P}$ are sorts of $\Sigma$;
(ii) $\Sigma^{\text{pro}}_P, \Sigma^{\text{req}}_P \subseteq \Sigma$ for all $P \in \mathcal{P}$.

Note that the port names used in the port declarations are required to be sorts in the state signatures. This allows for dynamic ports, where each port is represented by an element of appropriate sort given by the port declarations. We write $\Sigma^{\text{state}}_C$ for the state signature of the component signature $\Sigma_C$; and $\text{Ports}_C$ for the names of the port declarations $\mathcal{P}$ of $\Sigma_C$. A component declaration $C : \Sigma_C$ consists of a name $C$ and a component signature $\Sigma_C$.

The behaviour of a component is given by an I/O-transition system. The states of the transition system have the function of control states (cf. [6]) as they determine the behaviour of the component. A state operator maps each control state to a data state which is an algebra over the state signature of the component. The labels of the transitions are either the internal label or I/O-labels corresponding to the messages sent and received via ports.

The state space $\text{State}_C$ of a component signature $\Sigma_C$ is given by $\text{Alg}(\Sigma^{\text{state}}_C)$. A label for a component signature $\Sigma_C$ and a state pair $(\sigma, \sigma') \in \text{State}_C \times \text{State}_C$ is either
A model for the component Bank.

(i) an input label \( p.i / \in \text{Label}_{\text{pro}}(\sigma, \sigma') \) with \( p \in \text{Ports}_C \) and \( i = (op, \rho) \in \text{Msg}(\text{Op}_p^\text{pro}) \) where \( \rho : \text{var}(op) \rightarrow \sigma' | \sigma \); or

(ii) an output label \( /p.o \in \text{Label}_{\text{req}}(\sigma, \sigma') \) with \( p \in \text{Ports}_C \) and \( o = (op, \rho) \in \text{Msg}(\text{Op}_p^\text{req}) \) where \( \rho : \text{var}(op) \rightarrow \sigma' | \sigma \); or

(iii) the internal label \( / \in \text{Label}_{\text{int}}(\sigma, \sigma') \).

We define \( \text{Label}_C(\sigma, \sigma') \) as \( \text{Label}_{\text{pro}}(\sigma, \sigma') \cup \text{Label}_{\text{req}}(\sigma, \sigma') \cup \text{Label}_{\text{int}}(\sigma, \sigma') \); and we abbreviate \( \bigcup \{ \text{Label}_{\text{pro}}(\sigma, \sigma') : (\sigma, \sigma') \in \text{State}_C \times \text{State}_C \} \) by \( \text{Label}_{\text{pro}} \), and similarly for \( \text{Label}_{\text{req}} \) and \( \text{Label}_{\text{int}} \).

An I/O-transition system for a component signature \( \Sigma_C \) is given by an I/O-transition system \( (Q, B, \Delta) \) over the I/O-labelling \( (\text{Label}_{\text{pro}}^C, \text{Label}_{\text{req}}^C, \text{Label}_{\text{int}}^C) \). A state operator for a component signature \( \Sigma_C \) and an I/O-transition system \( (Q, B, \Delta) \) for \( \Sigma_C \) is a function \( \varsigma : Q \rightarrow \text{State}_C \) such that \( l \in \text{Label}_C(\varsigma(q), \varsigma(q')) \), if \( (q, l, q') \in \Delta \). A model of a component signature \( \Sigma_C \) is given by a pair \( (H, \varsigma) \) such that \( H \) is an I/O-transition system for \( \Sigma_C \) and \( \varsigma \) is state operator for \( \Sigma_C \) and \( H \). The class of models of \( \Sigma_C \) is denoted by \( \text{Mod}(\Sigma_C) \).

An example of a model for the component Bank is given in Fig. 6. The control states, \( q_0, q_1, \ldots \), are shown in the upper part of the state boxes and the associated data states in the lower part.

From an I/O-transition system \( H = (Q, B, \Delta) \) of a component it is possible to generate the behaviour of the component observable at a given port \( p \) of sort \( P \in \text{Ports}_C \) as an I/O-transition system over the signature of that port. The states of this reduc of \( H \) to \( p \) are given by all states of the component in which the port lives. The transitions of the reduc are the transitions from the component where the prefix \( p \) in the labels involving port \( p \) is removed and all other labels are converted to internal transitions. The start states include all the start states of the
component \( H \) if port \( p \) exists in these states, as well as the states where \( p \) starts to exist.

(i) \( Q|_\varsigma\ p = \{ q \mid q \in Q \land p \in P^{\varsigma}(q) \}; \)

(ii) \( B|_\varsigma\ p = \{ q \mid q \in B \cap Q|_\varsigma\ p \} \lor (\exists(q', l, q) \in \Delta . p \notin P^{\varsigma}(q') \land p \in P^{\varsigma}(q)) \}; \)

(iii) \( \Delta|_\varsigma\ p = \{ (q, l[p, q']) \mid (q, l, q') \in \Delta \cap (Q|_\varsigma\ p) \times \text{Label}_C \times (Q|_\varsigma\ p) \} \) where \( (p.i)/p = i/, (/p.o)/p = /o, \) and \( l/p = / \) otherwise.

The reduct of \( H \) to \( p \) via \( \varsigma \), denoted by \( H|_\varsigma\ p \), is the I/O-transition system \( (Q|_\varsigma\ p, B|_\varsigma\ p, \Delta|_\varsigma\ p) \) over the I/O-labelling \( (\text{Label}_{P^\text{pro}}^\varsigma, \text{Label}_{P^\text{req}}^\varsigma, \text{Label}^\text{init}) \). For a model \( M = (((Q, B, \Delta), \varsigma) \in \text{Mod}(\Sigma_C), a P \in \text{Ports}_C),\) a \( p \in \bigcup\{P^\varsigma(q) \mid q \in Q\} \) we write \( M|_\varsigma\ p \) for \( (Q, B, \Delta)|_\varsigma\ p \).

### 3.4 Connectors

A connector connects two ports. The signatures of the ports connected by a connector are given by the connector’s signature. These port signatures need to be compatible, i.e., the provided interface of each port needs to subsume the required interface of the other port.

A connector signature \( \Sigma_A \) is a pair \( (P_1 : \Sigma P_1, P_2 : \Sigma P_2) \), where \( \Sigma P_1 = (I_1, O_1) \) and \( \Sigma P_2 = (I_2, O_2) \) are the left and right port signatures of \( \Sigma_A \) such that \( I_2 \) subsumes \( O_1 \) and \( I_1 \) subsumes \( O_2 \) where an interface \( I' = (\Sigma', \text{Op}') \) subsumes an interface \( I = (\Sigma, \text{Op}) \), written as \( I \preceq I' \), if \( \Sigma \subseteq \Sigma' \) and \( \text{Op} \subseteq \text{Op}' \). A connector declaration \( A : \Sigma_A \) consists of a name \( A \) and a connector signature \( \Sigma_A \). We write \( \text{Ports}_A \) for the set \( \{P_1, P_2\} \) with the port names used in the connector declaration.

### 3.5 Assemblies

Additional to comprising component and connector declarations, an assembly has an algebraic state signature such that the names of components used in the component declarations and the names of the connectors used in the connector declarations correspond to sorts in the state signature. Then components and connectors are represented by elements of these sorts. Similarly to ports, this allows for adding and removing components and connectors to the assembly at runtime.

An assembly signature \( \Sigma_\Gamma \) is a triple \( (\Sigma, (C : \Sigma C)_{C \in \mathcal{C}}, (A : \Sigma_A)_{A \in \mathcal{A}}) \) where \( \Sigma \) is the state signature of \( \Sigma_\Gamma \), \( (C : \Sigma C)_{C \in \mathcal{C}} \) is the family of component declarations of \( \Sigma_\Gamma \) and \( (A : \Sigma_A)_{A \in \mathcal{A}} \) is the family of connector declarations of \( \Sigma_\Gamma \) satisfying the following requirements:

(i) All \( C \in \mathcal{C} \) are sorts of \( \Sigma \);

(ii) for all \( C \in \mathcal{C} \) all port names \( P \in \text{Ports}_C \) are sorts in \( \Sigma \);

(iii) all \( A \in \mathcal{A} \) are sorts of \( \Sigma \);

(iv) for all \( A \in \mathcal{A} \) with \( \Sigma_A = (P_1 : \Sigma P_1, P_2 : \Sigma P_2) \) there are \( C_1, C_2 \in \mathcal{C} \) such that \( P_1 \in \text{Ports}_{C_1} \) and \( P_2 \in \text{Ports}_{C_2} \).

(v) for all \( A \in \mathcal{A} \) with \( \Sigma_A = (P_1 : \Sigma P_1, P_2 : \Sigma P_2) \) there are function symbols \( \pi_{1,A} : A \rightarrow P_1 \) and \( \pi_{2,A} : A \rightarrow P_2 \) in \( \Sigma \).
We write $\Sigma^\text{state}_\Gamma$ for the state signature of the assembly signature $\Sigma_\Gamma$; $\text{Comp}_\Gamma$ for the names of the component declarations $\mathcal{C}$ of $\Sigma_\Gamma$; and $\text{Conn}_\Gamma$ for the names of the connector declarations $\mathcal{A}$ of $\Sigma_\Gamma$.

As with ports and components, the behaviour of an assembly is again an I/O-transition system $(Q, B, \Delta)$. As with components, there is a state operator mapping each state in $Q$ to an algebra over the state signature of the assembly. In addition, there is a component reduct functor which, given a component $c$, maps an algebra over the state signature of the assembly to an algebra over the state signature of the component $c$. The labels of the transition system have the form $/\sigma_i/_{\text{c.p.i.}}$,$/\text{c.p.o.}$, and $(\text{c1.p1,c2.p2}).m$, corresponding to the internal label, to messages $i$ sent by component $c$ via port $p$, to messages $o$ received by component $c$ via port $p$, and to messages $m$, where the sending of message $m$ by component $c_1$ via port $p_1$ and the reception of that message by component $c_2$ via port $p_2$ are synchronised, respectively. Synchronisation labels can only occur, and are bound to occur, if compatible ports of components are linked by a connector.

Let $\Sigma_\Gamma$ be an assembly signature. The state space $\text{State}_\Gamma$ for $\Sigma_\Gamma$ is given by $\text{Alg}(\Sigma^\text{state}_\Gamma)$. An element of $\text{State}_\Gamma$ is called a configuration. A component reduct operator for $\Sigma_\Gamma$ is a function $g \in \Pi \sigma \in \text{State}_\Gamma \cdot \Pi C \in \text{Comp}_\Gamma \cdot \Pi c \in C^\sigma$. $\text{State}_c$. A label for an assembly signature $\Sigma_\Gamma$, a component reduct operator $g$, and a state pair $(\sigma, \sigma') \in \text{State}_\Gamma \times \text{State}_\Gamma$ is either

(i) an input label $/c.p.i/ \in \text{Label}^\text{pro}_{\Gamma,g}(\sigma, \sigma')$ with $c \in C^\sigma$ for some $C \in \text{Comp}_\Gamma$, $p \in P^\sigma$ for some $P \in \text{Ports}_C$ and $i = (op, \rho) \in \text{Msg}(\text{Op}^\text{pro}_P)$ with $\rho : \text{var}(op) \rightarrow (g(\sigma')(\Gamma)(c))|\Sigma^\text{pro}_P$ if there is no $A \in \text{Conn}_\Gamma$ such that there is an $a \in A^\sigma$ with $p \in \{\pi^\sigma_{1,A}(a), \pi^\sigma_{2,A}(a)\}$; or

(ii) an output label $/c.p.o. \in \text{Label}^\text{req}_{\Gamma,g}(\sigma, \sigma')$ with $c \in C^\sigma$ for some $C \in \text{Comp}_\Gamma$, $p \in P^\sigma$ for some $P \in \text{Ports}_C$ and $o = (op, \rho) \in \text{Msg}(\text{Op}^\text{req}_P)$ with $\rho : \text{var}(op) \rightarrow (g(\sigma)(\Gamma)(c))|\Sigma^\text{req}_P$ if there is no $A \in \text{Conn}_\Gamma$ such that there is an $a \in A^\sigma$ with $p \in \{\pi^\sigma_{1,A}(a), \pi^\sigma_{2,A}(a)\}$; or

(iii) a synchronisation label $(c1.p1,c2.p2).m \in \text{Label}^\text{int}_{\Gamma,g}(\sigma, \sigma')$ with $c_1 \in C^\sigma_1$ for some $C_1 \in \text{Comp}_\Gamma$, $p_1 \in P^\sigma_1$ for some $P_1 \in \text{Ports}_{C_1}$, $c_2 \in C^\sigma_2$ for some $C_2 \in \text{Comp}_\Gamma$, $p_2 \in P^\sigma_2$ for some $P_2 \in \text{Ports}_{C_2}$ such that $m = (op, \rho) \in \text{Msg}(\text{Op}^\text{pro}_P \cap \text{Msg}(\text{Op}^\text{req}_P))$ with $\rho : \text{var}(op) \rightarrow (g(\sigma)(\Gamma)(c_1))|\Sigma^\text{pro}_P \cap \Sigma^\text{req}_P = (g(\sigma')(\Gamma)(c_2))|\Sigma^\text{pro}_P \cap \Sigma^\text{pro}_P$ if there is an $A \in \text{Conn}_\Gamma$ and an $a \in A^\sigma$ with $p_1 = \pi^\sigma_{1,A}(a)$ and $p_2 = \pi^\sigma_{2,A}(a)$; or

(iv) the internal label $/ \in \text{Label}^\text{int}_{\Gamma,g}(\sigma, \sigma')$.

We define $\text{Label}^\text{pro}_{\Gamma,g}(\sigma, \sigma')$ as $\text{Label}^\text{pro}_{\Gamma,g}(\sigma, \sigma') \cup \text{Label}^\text{req}_{\Gamma,g}(\sigma, \sigma') \cup \text{Label}^\text{int}_{\Gamma,g}(\sigma, \sigma')$, and we abbreviate $\{\text{Label}^\text{pro}_{\Gamma,g}(\sigma, \sigma') \cup (\sigma, \sigma') \in \text{State}_\Gamma \times \text{State}_\Gamma\}$ by $\text{Label}^\text{pro}_{\Gamma,g}$, and similarly for $\text{Label}^\text{req}_{\Gamma,g}$ and $\text{Label}^\text{int}_{\Gamma,g}$.

An I/O-transition system for an assembly signature $\Sigma_\Gamma$ and a component reduct operator $g$ for $\Sigma_\Gamma$ is given by an I/O-transition system $(Q, B, \Delta)$ over the I/O-labelling $(\text{Label}^\text{pro}_{\Gamma,g}, \text{Label}^\text{req}_{\Gamma,g}, \text{Label}^\text{int}_{\Gamma,g})$. A state operator for a component signature $\Sigma_C$ and an I/O-transition system $(Q, B, \Delta)$ for $\Sigma_\Gamma$ and a component reduct operator
\( \varrho \) for \( \Sigma_\Gamma \) is a function \( \varsigma : Q \to \text{State}_\Gamma \) such that \( l \in \text{Label}_{\Gamma, \varrho}(\varsigma(q), \varsigma(q')) \), if \( (q, l, q') \in \Delta \).

Similarly to the reduct of components to ports in Sect. 3.3, we define the reduct of a I/O-transition system \( H \) of an assembly to a I/O-transition system representing a component \( c \) within the assembly. The states of the reduct are given by all states of \( H \) where the component lives, and the transitions of the reduct are the transitions of \( H \) where the prefix \( c \) in the labels involving component \( c \) are removed. Furthermore, a synchronisation label of the form \((c_1, p_1, c_2, p_2).m \) is reduced to \( /p_1.m \) if \( c_1 = c \) and to \( p_2.m / \) if \( c_2 = c \) and to \( / \) if neither \( c_1 = c \) nor \( c_2 = c \). All other labels are mapped to the internal label \( / \). The start states are all the start states of \( H \) together with all the states in which the component \( c \) starts to exist.

Let \( H = (Q, B, \Delta) \) be an I/O-transition system for an assembly signature \( \Sigma_\Gamma \) and a component reduct operator \( \varrho \) and let \( \varsigma \) be a state operator for \( \Sigma_C \), \( H \), and \( \varrho \). Let \( C \subseteq \text{Comp}_\Gamma \) and \( c \in \bigcup \{ C^{\varsigma(q)} \mid q \in Q \} \). The reduct of \( H \) to \( c \) via \( \varsigma \), denoted by \( H|_{\varsigma} \), is the I/O-transition system \((Q|_{\varsigma} c, B|_{\varsigma} c, \Delta|_{\varsigma} c)\) over the I/O-labelling \((\text{Label}_{\Gamma, C}^{\text{pro}}, \text{Label}_{\Gamma, C}^{\text{req}}, \text{Label}_{\Gamma, C}^{\text{int}})\) with

1. \( Q|_{\varsigma} c = \{ q \mid q \in Q \land c \in C^{\varsigma(q)} \} \);
2. \( B|_{\varsigma} c = \{ q \in Q \mid (q \in B \cap Q|_{\varsigma} c) \lor (\exists (q', l, q) \in \Delta. c \notin C^{\varsigma(q')} \land c \in C^{\varsigma(q)}) \} \);
3. \( \Delta|_{\varsigma} c = \{ (q, l|_{\varsigma} c, q') \mid (q, l, q') \in \Delta \cap (Q|_{\varsigma} c) \times \text{Label}_{\Gamma} \times (Q|_{\varsigma} c) \} \) where \( (c, p, i)|_{\varsigma} c = p.i, (c, p, o)|_{\varsigma} c = /p.o, \ (c_1, p_1, c_2, p_2)|_{\varsigma} c = p_1.m \) if \( c = c_1, \ (c_1, p_1, c_2, p_2)|_{\varsigma} c = /p_2.m \) if \( c = c_2 \), and \( l|_{\varsigma} c = / \) otherwise.

The reduct of \( \varrho \) to \( c \) via \( \varsigma \), denoted by \( \varrho|_{\varsigma} c \), is given by \( \lambda q \cdot \varrho(\varsigma(q))(C)(c) \).

A model of an assembly signature is given by an I/O-transition system \( H \) plus a state operator, mapping a state of the transition system to an algebra over the state signature of the assembly, and a component reduct operator, extracting an algebra over the state signature of a component from an algebra over the state signature of the assembly. Each reduct of the assembly to a component is required to be a model of the corresponding component signature. Furthermore, existing ports in a data state of the assembly have to also exist in the data state of exactly one component of the assembly.

A model for the assembly Bank–ATM is shown in Fig. 7. As with component models, the control states, \( q_0, q_1, \ldots \), are shown in the upper part of the state boxes, the associated data states in the lower part. The data states are parameterised over the component instances, such that \( \text{current}(b) = \text{null} \) represents the valuation of the attribute \( \text{current} \) of Bank instance \( b \).

A model of an assembly signature \( \Sigma_\Gamma \) is given by a triple \((\varrho, H, \varsigma)\) where \( \varrho \) is a component reduct operator \( \Sigma_\Gamma \), \( H = (Q, B, \Delta) \) is an I/O-transition system for \( \Sigma_\Gamma \) and \( \varrho \), and \( \varsigma \) is a state operator for \( \Sigma_\Gamma \), \( H \), and \( \varrho \) such that

1. for all \( C \subseteq \mathcal{C} \) and all \( c \in \bigcup \{ C^{\varsigma(q)} \mid q \in Q_{\Gamma} \land C \in \text{Comp}_\Gamma \} \) the following holds: \((H|_{\varsigma} c, \varrho|_{\varsigma} c) \in \text{Mod}(\Sigma_C)\);
2. if \( q \in Q \) with \( p \in P^{\varsigma(q)} \) for some \( P \in \text{Ports}_C \) for some \( C \in \text{Comp}_\Gamma \), then there is a unique \( c \in C^{\varsigma(q)} \) such that \( p \in P^{\varrho(\varsigma(q))(C)(c)} \).
(iii) if \( q \in Q \) with \( p \in P_{\rho(\varsigma(q))}(C)(c) \) for some \( P \in \text{Ports}_C \) for some \( C \in \text{Comp}_G \) and some \( c \in C^{\varsigma(q)} \), then \( p \in \text{P}_r(q) \).

The class of models of \( \Sigma_G \) is denoted by \( \text{Mod}(\Sigma_G) \). For a model \( M = (\rho, (Q, B, \Delta), \varsigma) \in \text{Mod}(\Sigma_G) \), a \( C \in \text{Comp}_G \) and a \( c \in \bigcup\{C^{\varsigma(q)} \mid q \in Q\} \) we write \( M|c \) for \(( (Q, B, \Delta)|_{\varsigma}, \rho|_{\varsigma} \).

3.6 From assemblies to components

As shown in Fig. 1, the semantics of a composite component is given by its assembly by hiding the internal structure of the assembly, i.e., its subcomponents and connectors. The state signature of the component is given by the state signature of the assembly, and the ports of the component are all the ports of the assembly which are not connected within that assembly. Let \( \Sigma_G = (\Sigma, (C : \Sigma_C)_{C \in \mathcal{C}}, (A : \Sigma_A)_{A \in \mathcal{A}}) \) be an assembly signature, then the corresponding component signature \( \text{BuildComp}(\Sigma_G) \) is \((\Sigma, (P : \Sigma_P)_{P \in \mathcal{P}}) \) where \((P : \Sigma_P)_{P \in \mathcal{P}} \) belongs to \((P : \Sigma_P)_{P \in \mathcal{P}} \) if \((P : \Sigma_P) \) is a port declaration in the component signature \( \Sigma_C \) for some component declaration \((C : \Sigma_C) \) of \( \Sigma_G \) such that \( P \) is not a port name in \( \bigcup\{A \in \mathcal{A} \mid A \in \text{Ports}_A\} \).

The I/O-transition system of the component determined by an assembly is given by the transition system for the assembly with labels properly renamed, i.e., the component prefix \( c \) is removed from I/O labels and all other labels (i.e., synchronisation labels and the internal label) are mapped to the internal label \( / \).

Let \((\rho, H, \varsigma) \) be a model of an assembly signature \( \Sigma_G \) and \( H \) an I/O-transition system for \( \Sigma_G \). Then \( \text{BuildComp}((\rho, H, \varsigma)) = (H\lambda, \varsigma) \) is a model of component signature \( \text{BuildComp}(\Sigma_G) \) where \( \lambda \) is an I/O-relabelling given by \( \lambda(c.p.i/) = p.i/ \).
\( \lambda(\text{c.p.o}) = /\text{p.o} \), \( \lambda((\text{c}_1.\text{p}_1, \text{c}_2.\text{p}_2).m) = / \), and \( \lambda(/) = / \).

Figure 8 shows the component Bank–ATM based on the assembly Bank–ATM from Fig. 7. Again the control states, \( q_0, q_1, \ldots \), are shown in the upper part of the state boxes and the associated data states in the lower part. Since the assembly Bank–ATM does not have any open ports, the model in Fig. 8 has only internal labels and no I/O-labels. The synchronisation labels of the assembly Bank–ATM (shown in Fig. 7) have been converted to the internal label in the component Bank–ATM.

4 Deadlock-free components

Based on the semantical component model, we prove that model checking port protocols, as described in Sect. 2.1, leads to correct results: If the protocols are compatible, i.e., the provided interface of one port subsumes the required interface of the other port and vice versa, and the product of the two port protocol machines is deadlock-free, then a component built from an assembly is deadlock-free provided that the components of the assembly refine the respective port protocol state machines.

4.1 Refinement

We first introduce a special notion of refinement of I/O-transition systems which preserves deadlock-freedom and extends the definition of alternating simulation refinement [2].
Let $A = (Q, B, \Delta)$ be an I/O-transition system over $(I, O, T)$ and $q \in Q$. The internal closure of $q$, written $\text{closure}_A(q)$ is the smallest set $E \subseteq Q$ such that (1) $q \in E$ and (2) if $q' \in E$ and $(q', l, q'') \in \Delta$ with $l \in T$ then $q'' \in E$. The enabled labels of $q$ are given by the set $\text{enabled}_A(q) = \{ l \in I \cup O \mid \exists q' \in \text{closure}_A(q). \exists q'' \in Q. (q', l, q'') \in \Delta \}$. The states reachable by an enabled label $l$ in $q$ are given by the set $\text{reach}_A(q, l) = \{ q'' \mid \exists (q', l, q'') \in \Delta. q' \in \text{closure}_A(q) \}$; the states reachable by enabled transitions from $q$ are given by the set $\text{reach}_A(q) = \bigcup \{ \text{reach}_A(q, l) \mid l \in \text{enabled}_A(q) \}$. The deadlock states reachable by internal labels from $q$ are given by the set $\text{dead}_A(q) = \{ q' \in \text{closure}_A(q) \mid \neg \exists (q', l, q'') \in \Delta \}$.

An I/O-transition system $A_2 = (Q_2, B_2, \Delta_2)$ over I/O-labelling $(I_2, O_2, T_2)$ refines an I/O-transition system $A_1 = (Q_1, B_1, \Delta_1)$ over I/O-labelling $(I_1, O_1, T_1)$, written $A_1 \succeq A_2$, if the following conditions hold:

(i) $I_1 \subseteq I_2$ and $O_2 \subseteq O_1$;

(ii) there is a simulation $R$ from $A_2$ to $A_1$ such that for all $q_{0, 2} \in B_2$ there is a $q_{0, 1} \in B_1$ with $(q_{0, 1}, q_{0, 2}) \in R$.

4.2 Deadlock-free assemblies

We now consider components which are correct in the sense that they refine their respective port protocol state machines. We prove that correct components connected via compatible ports lead to deadlock-free assemblies for the special case that the assembly has exactly two components and each of the components has one port which is connected to the port of the other component.

Let $\Sigma_R$ and $\Sigma_P$ be port signatures, let $\Sigma_C_1 = (\Sigma_1, \{ R_1 : \Sigma_R \})$ and $\Sigma_C_r = (\Sigma_r, \{ P_r : \Sigma_P \})$ be component signatures, let $\Sigma_A = (\Sigma_R, \Sigma_P)$ be a connector signature, and let $\Sigma_T = (\Sigma, \{ C_1 : \Sigma_C_1, C_r : \Sigma_C_r \}, \{ A : \Sigma_A \})$ be an assembly signature. Let $M_T = (P_T, H_T, \sigma_T) \in \text{Mod}(\Sigma_T)$ with $H_T = (Q_T, B_T, \Delta_T)$ such that

(i) there are always exactly two components, i.e., there are $c_1, c_r$ with $\{ c_1 \} = C_1^{\text{SR}(q)}$
and \( \{c_r\} = C^{\Sigma(q)}_r \) for all \( q \in Q_\Gamma \);

(ii) each existing component has always exactly one port, i.e., there are \( p_l, p_r \) with 
\[
\{p_l\} = P^{\Sigma(q)}_{1,r}(C_1)(c_l) \quad \text{and} \quad \{p_r\} = P^{\Sigma(q)}_{r,1}(C_r)(c_r)
\]
for all \( q \in Q_\Gamma \);

(iii) the ports are always connected, i.e., there is an \( a \) with \( \{a\} = A^{\Sigma(q)}_r \) and
\[
\pi^{\Sigma(q)}_{1,a}(a) = p_l \quad \text{and} \quad \pi^{\Sigma(q)}_{2,a}(a) = p_r \quad \text{for all} \quad q \in Q_\Gamma.
\]

Let \( M_l = (Q_l, B_l, \Delta_l) \) and \( M_r = (Q_r, B_r, \Delta_r) \) be I/O-transition systems for \( \Sigma_{P_l} \) and \( \Sigma_{P_r} \), respectively. Let \( M'_l = M_l \lambda_l \) where \( \lambda_l(\cdot) = p_l, \lambda_l(i) = i, \) and \( \lambda_l(\cdot) = o \); and \( M'_r = M_r \lambda_r \) where \( \lambda_r(\cdot) = p_r, \lambda_r(i) = i, \) and \( \lambda_r(\cdot) = o \).

**Proposition 4.2** If \( M'_l \otimes M'_r \not\models \delta \) and \( M_l \models (M_{\Gamma}[c_1]|p_l) \) and \( M_r \models (M_{\Gamma}[c_1]|p_r) \), then \( M_\Gamma \not\models \delta \).

**Proof** Let \( (M_{\Gamma}[c_1]|p_l) \) and \( (M_{\Gamma}[c_1]|p_r) \) be given by \( M'_{l1} = (Q_{l1}, B_{l1}, \Delta_{l1}) \) and \( M'_{r1} = (Q_{r1}, B_{r1}, \Delta_{r1}) \), respectively. First of all, note that \( q \in Q_{l1} \) iff \( q \in Q_\Gamma \), \( q \in B_{l1} \) iff \( q \in B_\Gamma \), and \( (q, (l|c_1)|p_l, q') \in \Delta_{l1} \) iff \( (q, l, q') \in \Delta_\Gamma \); and analogously for \( M_{r1} \) and \( M_{r1} \). Let \( R_l \) and \( R_r \) be simulations satisfying condition (ii) on refinements from \( (M_{\Gamma}[c_1]|p_l) \) to \( M_l \) and \( (M_{\Gamma}[c_1]|p_r) \) to \( M_r \), respectively. Define a relation \( R \subseteq (Q_l \times Q_r) \times Q_\Gamma \) as follows: \( ((q_l, q_r), q_\Gamma) \in R \iff (q_l, q_r) \in R_l \land (q_r, q_\Gamma) \in R_r \). If we can show that \( R \) is a simulation from \( M_l \) to \( M'_l \otimes M'_r \) satisfying condition (ii) on refinements, the claim follows from Lemma 4.1.

For a proof that \( R \) is a simulation from \( M_l \) to \( M'_l \otimes M'_r \), let \( ((q_l, q_r), q_\Gamma) \in R \). Conditions (i–ii) for simulations hold for \( R \), as \( A \) is a connector between \( \Sigma_{P_l} \) and \( \Sigma_{P_r} \) and thus all labels in \( M'_l \otimes M'_r \) are internal; and all labels in \( H_\Gamma \) are internal labels, as \( p_l \) and \( p_r \) always exist and are connected. For condition (iii), let dead\(_{H_\Gamma}(q_r) \neq \emptyset \). Let \( q_{r,0}, \ldots, q_{r,n} \) be a sequence of states in \( Q_\Gamma \) such that \( q_{r,0} = q_r \), and for each \( 0 \leq i < n \) there is a path from \( q_{r,i} \) to \( q_{r,i+1} \) in \( H_\Gamma \) using first only internal labels \( / \) and then exactly one synchronisation label \( s_i \), and from \( q_{r,n} \) there is a path to a state \( d_\Gamma \) with no successors in \( H_\Gamma \) such that this path uses only internal labels \( / \). We inductively construct \( q_{l,i} \in Q_l \) and \( q_{r,i} \in Q_r \) such that \( ((q_{l,i}, q_{r,i}), q_{\Gamma,i}) \in R \) for all \( 0 \leq i \leq n \) and such that there is a path from \( q_{l,i}, q_{r,i} \) to \( q_{l,i+1}, q_{r,i+1} \) in \( M'_l \otimes M'_r \) for all \( 0 \leq i < n \). If \( n = 0 \), we can choose \( q_{l,0} = q_l \) and \( q_{r,0} = q_r \). Let \( n > 0 \) and let \( q_{l,i} \in Q_l \) and \( q_{r,i} \in Q_r \) be constructed for \( 0 \leq i < n \). Then enabled\(_{M'_l}(q_{r,n-1}) \neq \emptyset \) and enabled\(_{M'_r}(q_{\Gamma,n-1}) \neq \emptyset \), as \( s_{n-1} \) is a synchronisation label; say, \( m/ \in \) enabled\(_{M'_l}(q_{r,n-1}) \) and \( /m \in \) enabled\(_{M'_r}(q_{\Gamma,n-1}) \). By conditions (i–ii) on simulations, there are \( q_{l,n} \in \) reach\(_{M_l}(q_{l,n-1}, /m) \) with \( (q_{l,n}, q_{r,n}) \in R_l \) and \( q_{r,n} \in \) reach\(_{M_r}(q_{r,n-1}, /m) \) with \( (q_{r,n}, q_{\Gamma,n}) \in R_r \); hence \( ((q_{l,n}, q_{r,n}), q_{\Gamma,n}) \in R \) and by the construction of \( M'_l \otimes M'_r \) there is a path from \( (q_{l,n-1}, q_{r,n-1}) \) to \( (q_{l,n}, q_{r,n}) \) in \( M'_l \otimes M'_r \). Using such a sequence of states \( (q_{l,i}, q_{r,i}) \) for \( 0 \leq i \leq n \) in \( M'_l \otimes M'_r \) we have that dead\(_{M_{\Gamma}}(q_{\Gamma,n}) \neq \emptyset \) and dead\(_{M_r}(q_{\Gamma,n}) \neq \emptyset \) and thus dead\(_{M'_l \otimes M'_r}(q_{l,n}, q_{r,n}) \neq \emptyset \) and hence also dead\(_{M'_l \otimes M'_r}(q_{l,0}, q_{r,0}) \neq \emptyset \), as there is a path from \( (q_{l,0}, q_{r,0}) \) to \( (q_{l,n}, q_{r,n}) \) in \( M'_l \otimes M'_r \) using only internal labels.

Finally, for \( q_r \in B_r \) there are \( q_l \in B_l \) and \( q_r \in B_r \) with \( (q_l, q_r) \in R_l \) and \( (q_r, q_\Gamma) \in R_r \) by condition (ii) on refinements. Hence, \( ((q_l, q_r), q_\Gamma) \in R \) and \( (q_l, q_r) \in B_{M'_l \otimes M'_r} \). Thus, \( M'_l \otimes M'_r \models M_\Gamma \). As, by Lemma 4.1, refinements preserve deadlock-free,
\( M_\Gamma \) is deadlock-free.

This result also means that if the parallel composition of the port protocol state machines does not produce a deadlock then the only situation where the assembly can deadlock is by violating the refinement relations. That is, one of the component fails to react to an incoming message or fails to produce an output required by the other component. This could, for example, be the case if the component waited on a message of a different port.

The I/O-transition system of the component \( \text{BuildComp}(M_\Gamma) \) has the same states and transitions as the I/O-transition system for the assembly \( M_\Gamma \). Thus Prop. 4.2 leads immediately to:

**Corollary 4.3** Given the assumptions for Prop. 4.2. Then \( \text{BuildComp}(M_\Gamma) \not\models \delta \) for the component \( \text{BuildComp}(M_\Gamma) \) built from the assembly \( M_\Gamma \).

### 4.3 Model Checking

Deadlock-freedom of the parallel composition of two finite port protocols can be checked using the UML state machine model checker \( \text{Hugo} \) [10]. Which additional verification and abstraction techniques to apply to check infinite port protocols is beyond the scope of this paper. For example, the semantics of the UML state machine in Fig. 3 is the I/O-transition system in Fig. 5, which has infinitely many transitions from \text{Idle} to \text{Verifying} given by all possible arguments to the operation \( \text{verifyPin} \). To apply \( \text{Hugo} \) to such a system, we may use as an appropriate abstraction the finite state machine in Fig. 9 where all operations are parameter-free. It is easy to see that since the transitions in the original I/O-transition system do not depend on arguments, deadlock-freedom of the abstracted, finite system implies deadlock-freedom of the original system.

![Figure 9. An abstraction of the protocol state machine of the port BC from Fig. 3 used for model checking.](image)

### 5 Related Work

Architectural programming languages, and thus JAVA/A, transfer long standing ideas from architecture description languages into programming. ADLs [11] support the modelling and, partially, the analysis of component-based systems; furthermore, some ADLs also provide code generation facilities (see, e.g. [15]). Architectural programming languages, however, aim directly at the implementation level and the representation of a system architecture in the code preventing architectural erosion in the implementation and maintenance phases. Therefore, APLs can be seen as a complement to ADLs.
More recently, ArchJava [1] has been proposed as a programming language integrating architectural concepts into Java, similar to JAVA/A. However, ArchJava lacks port protocols or other abstract means to specify component behaviour. Thus, reasoning about communication integrity is limited to analysis on the interface level. Furthermore, ArchJava does not provide a formal semantics.

A different approach to the implementation of software architectures is followed by the component models SOFA [16] and Fractal [3] and the work by Pavel et al. [13]: The structural definition of components, their ports, and assemblies is separated from the behaviour of these components and assemblies. The implementation of component-based software systems is based on frameworks and development guidelines; SOFA also offers a code template generation tool. However, neither approach integrates architectural concepts into a programming language.

There is a variety of technologies to support the implementation of components. Unlike APLs, ADLs, or component models, these technologies—among them Enterprise JavaBeans, COM+, CORBA [17]—leave the structural aspects of software architectures mostly implicit. Moreover, they do not properly support the concepts of (required) interfaces, connectors, and assemblies.

6 Conclusions

We have presented the principles of the architectural programming language JAVA/A which supports component-based implementations of large-scale software systems. The formal foundation of the semantics of JAVA/A given by an abstract component model which uses algebras to denote states and I/O-transition systems to model the behaviour of components. In addition to the JAVA/A implementation a prototype serving as a test bed for our semantic model has been implemented in VisualWorks Smalltalk [18].

Our study provides the basis for challenging, future tasks concerning the consolidation of our component model, the development of a comprehensive specification framework for components and the investigation of correctness notions for component realisations and refinements. For the consolidation of the component model we are particularly interested to integrate complex (n-ary) connectors and to model global reconfigurations and shared objects. Concerning component specifications our approach actually supports the definition of port protocols which focus on the external (black box) views of components. While black-box views are important for the user of a component, glass-box views are important for the implementor of a component. An important issue is to extend our approach to the specification of glass-box views describing the internal behaviour of a component. On this basis we can then define a correctness notion for JAVA/A programs such that a JAVA/A program is a correct realisation of a component specification if it satisfies the required internal behaviour.
Acknowledgements

We would like to thank Jeff Kramer and Jeff Magee for valuable hints and discussions.

References


