larissa, an aspect-oriented language for reactive systems ...altisen/dstauch/slides-these.pdf ·...

Larissa, an Aspect-Oriented Languagefor Reactive Systems

PhD Defense

David Stauch

Verimag/Grenoble INP

November 13th, 2007

JuryRoland GrozShmuel KatzMario SüdholtPascal Fradet

Florence MaraninchiKarine Altisen

Introduction Larissa Formal Analysis Tools Conclusion 2/36

Outline

1 IntroductionAspect-Oriented ProgrammingReactive Systems and Synchronous LanguagesAOP for Reactive Systems

2 Larissa

3 Formal Analysis Tools

4 Conclusion and Further Work


Aspect-Oriented Programming

Line

Point

setX(int)setY(int)

setP2(Point)setP1(Point)

Displayupdate()

Aspectdisplay.update()

Example: figure editor

Program: modules implementconcernsCrosscutting concerns:cannot be put in own moduleExample: update displaySolution: Add update() to methodsBad: scattered codeIdea: put crosscutting code in aspectWeave aspect in program



Line

Point

setX(int)setY(int)


Displayupdate()


Example: figure editorProgram: modules implementconcerns

Crosscutting concerns:cannot be put in own moduleExample: update displaySolution: Add update() to methodsBad: scattered codeIdea: put crosscutting code in aspectWeave aspect in program



Line

Point

setX(int)setY(int)


Displayupdate()


Example: figure editorProgram: modules implementconcernsCrosscutting concerns:cannot be put in own moduleExample: update display

Solution: Add update() to methodsBad: scattered codeIdea: put crosscutting code in aspectWeave aspect in program



Line

Point

setX(int)setY(int)


Displayupdate()


Example: figure editorProgram: modules implementconcernsCrosscutting concerns:cannot be put in own moduleExample: update displaySolution: Add update() to methodsBad: scattered code

Idea: put crosscutting code in aspectWeave aspect in program



Line

Point

setX(int)setY(int)


Displayupdate()


Example: figure editorProgram: modules implementconcernsCrosscutting concerns:cannot be put in own moduleExample: update displaySolution: Add update() to methodsBad: scattered codeIdea: put crosscutting code in aspect

Weave aspect in program



Line

Point

setX(int)setY(int)


Displayupdate()


Example: figure editorProgram: modules implementconcernsCrosscutting concerns:cannot be put in own moduleExample: update displaySolution: Add update() to methodsBad: scattered codeIdea: put crosscutting code in aspectWeave aspect in program


Example in Java and AspectJ

setY(int)setX(int)


Point

Line

setP1(P)

setX(2)

update()

update()

setX(2)

AOP: Key ConceptsJoin points: where aspectsintervenePointcut: select join pointsAdvice: what aspect does

aspect updateDisplay{

pointcut stateChanged() :|| call(void Point.set*(..))|| call(void Line.set*(..));

after() : stateChanged()

{&& !cflowbelow(stateChanged()){

display.update();}

}

Conclusion on AspectJBased on lexical elementsPowerful constructs



setY(int)setX(int)


Point

Line

setP1(P)

setX(2)

update()

update()

setX(2)




after() : stateChanged() {

&& !cflowbelow(stateChanged()){

display.update();}

}




setY(int)setX(int)


Point

Line

setP1(P)

setX(2)

update()

update()

setX(2)




after() : stateChanged()

{

&& !cflowbelow(stateChanged()){display.update();

}}



Reactive Systems and Synchronous Languages

Constant interactionwith environment

Receive inputs,emit outputsOften safety critical, needfor formal semanticsand verificationSynchronous languages:simple semantics,discrete time

Reactive Systems

Environment

outputsinputs



Constant interactionwith environmentReceive inputs,emit outputsOften safety critical, needfor formal semanticsand verification

Synchronous languages:simple semantics,discrete time

Reactive Systems

Environment

outputsinputs



Constant interactionwith environmentReceive inputs,emit outputsOften safety critical, needfor formal semanticsand verificationSynchronous languages:simple semantics,discrete time

Reactive Systems

Environment

outputsinputs


A Wristwatch – A Reactive System

Wristwatch with four buttonsTwo Models

Altimax: watch, altimeter,barometerVector: Altimax + compass

We model interface component

InterfaceDisplay

Memory

Inputs: buttonsOutputs: signals toother components

mode select

minusplus


The Altimax Interface

Logbook Memory

BarometerAltimeterTime

Time

BaroAlti

Alti Bar

o

Tim

e

mode/

mode/ mode/

mod

e/

mod

e/

modemode

mode

selectm

ode/

select

mode

mode

select


Argos, a Synchronous Language

Base element: Mealy automataArrange modules in parallelModules communicate with local signals

Time, Alti, Baro,...

Memory Displaymode

select

mode

mode

select select

mode

mod

e/

mode/mode/

mod

e/

mode/Time

mod

e/Tim

e

Alti Baro

Alti Bar

o

mode


Crosscutting Concern 1: ShortcutCrosscutting concerns also in reactive systems?

Example from watch: minus button not used in main modesUse it to jump directly to Logbook mode

Logbook Memory


mode

mode

select

mod

e/Ti

me

mode

mode

mode/Alti

mode/Time

mode/Baro

mod

e/A

lti

mode

select

mod

e/B

aro

select

Memory

Display

min

us/L

ogbo

ok

min

us/L

ogbo

ok


Crosscutting Concern 1: ShortcutCrosscutting concerns also in reactive systems?Example from watch: minus button not used in main modesUse it to jump directly to Logbook mode

Logbook Memory


mode

mode

select

mod

e/Ti

me

mode

mode

mode/Alti

mode/Time

mode/Baro

mod

e/A

lti

mode

select

mod

e/B

aro

select

Memory

Display

min

us/L

ogbo

ok

min

us/L

ogbo

ok


Crosscutting Concern 2: Compass Mode

Compassmode/

mode/Time

Vector model has compass modeAdd Compass mode toAltimax base program

Compass

select

mode

mod

e/C

ompa

ss

mode/...mode/...Time

. . .

Altimeter

. . .

Barometer

. . .

Display

Memory

mode/..


Larissa: Aspects for Argos

Goal: aspect language for synchronous languagesArgos adequate base language

simple synchronous languageexpressive, characterizing constructs

Must express cross-cutting concernsSame concepts as other aspect languages:join points, pointcuts, advice


Outline

1 Introduction

2 LarissaContext and RequirementsThe LanguageExample




Argos Operators

Base elements: boolean signals,complete and deterministic Mealy automata

Main operators: parallel product, local signalsSemantics: compilation into flat automata

a

a/mod2

A

mod2

mod2/mod4mod2

Ba/mod4

a

a

a

(

A

‖B) \ {mod2}


Argos Operators

Base elements: boolean signals,complete and deterministic Mealy automataMain operators: parallel product, local signals

Semantics: compilation into flat automata

a

a/mod2

A

mod2

mod2/mod4mod2

B

a/mod4

a

a

a

(A‖B) \ {mod2}


Argos Operators

Base elements: boolean signals,complete and deterministic Mealy automataMain operators: parallel product, local signalsSemantics: compilation into flat automata

a

a/mod2

A

mod2

mod2/mod4mod2

Ba/mod4

a

a

a

(A‖B) \ {mod2}


Encapsulation

Argos programs form expressions, e.g.

((A‖B) \ {a}) ‖ C

A, B and C automata orArgos expressions

Interface: inputs, outputsStrong encapsulation: componentstructure invisible from outsideOperators preserve i/o-traceequivalence (∼): if A′ ∼ A, then

((A′‖B) \ {a})‖C ∼ ((A‖B) \ {a})‖C

I

O

aB

C

a/b

a/bA

a/b

a/b

a

A

B

C

a/bA′


Encapsulation


((A‖B) \ {a}) ‖ C

A, B and C automata orArgos expressionsInterface: inputs, outputs

Strong encapsulation: componentstructure invisible from outsideOperators preserve i/o-traceequivalence (∼): if A′ ∼ A, then

((A′‖B) \ {a})‖C ∼ ((A‖B) \ {a})‖C

I

O

aB

C

a/b

a/bA

a/b

a/b

a

A

B

C

a/bA′


Encapsulation


((A‖B) \ {a}) ‖ C

A, B and C automata orArgos expressionsInterface: inputs, outputsStrong encapsulation: componentstructure invisible from outside

Operators preserve i/o-traceequivalence (∼): if A′ ∼ A, then

((A′‖B) \ {a})‖C ∼ ((A‖B) \ {a})‖C

I

O

aB

C

a/b

a/bA

a/b

a/b

a

A

B

C

a/bA′


Encapsulation


((A‖B) \ {a}) ‖ C

A, B and C automata orArgos expressionsInterface: inputs, outputsStrong encapsulation: componentstructure invisible from outsideOperators preserve i/o-traceequivalence (∼): if A′ ∼ A, then

((A′‖B) \ {a})‖C ∼ ((A‖B) \ {a})‖C

I

O

aB

C

a/b

a/bA

a/b

a/b

a

A

B

C

a/bA′


Requirements: Aspects for Argos

Express cross-cutting concernscrosscut structure of Argos expressionsparallel composition can express some aspectsfor sequential languages

Integrate well into Argosdefine as translation into automatonsimple, formal semanticsrespect encapsulation, as other Argos operators

usually not respected by aspect languages


Related Work

Aspects and ParallelismConcurrent aspects [Douence et al, GPCE06]:

asynchronous base program, asynchronous executionof advice

Formal PropertiesMany formalisations of aspect languagesAspects preserving the encapsulation:

Composition Filters [Bergmans, Aksit]:intercept and modify messages between componentsOpen Modules [Aldrich, ECOOP06]:add additional information to interface


Larissa

Join points: one step in the executionI.e., transitions in an automaton

Pointcut: select transitions in automatonAdvice: modify transitions

change target state and outputsChallenge: respect encapsulation

aspect must only refer to interface Aspect

I

O


Larissa

Join points: one step in the executionI.e., transitions in an automatonPointcut: select transitions in automaton

Advice: modify transitionschange target state and outputs

Challenge: respect encapsulationaspect must only refer to interface

Aspect

I

O


Larissa

Join points: one step in the executionI.e., transitions in an automatonPointcut: select transitions in automatonAdvice: modify transitions

change target state and outputs

Challenge: respect encapsulationaspect must only refer to interface

Aspect

I

O


Larissa



aspect must only refer to interface

Aspect

I

O


Larissa



aspect must only refer to interface Aspect

I

O


Pointcuts

Must select transitions

Solution: observer automatoninputs: inputs and outputsof observed programone output JP

Pointcut emits JP⇒ transition in program selectedTransitions identified staticallyby parallel product

I

O

a

b

Pointcut

a

b

JP

b

b/JPb/JP


Pointcuts

Must select transitionsSolution: observer automaton

inputs: inputs and outputsof observed programone output JP


I

O

a

b

Pointcut

a

b

JP

b

b/JP

b/JP


Pointcuts



Pointcut emits JP⇒ transition in program selected

Transitions identified staticallyby parallel product

I

O

a

b

Pointcut

a

b

JP

b

b/JP

b/JP


Pointcuts




I

O

a

b

Pointcut

a

b

JP

b

b/JP

b/JP


Advice

Difficulty: specify one new target state

Solution: execute finite input traceautomaton deterministic, thusalways identifies one state

Two kinds:toInit advice: execute tracefrom initial statetoCurrent advice: execute tracefrom source state of transition

Aspect

I

O


Advice

Difficulty: specify one new target stateSolution: execute finite input trace

automaton deterministic, thusalways identifies one state

Two kinds:toInit advice: execute tracefrom initial statetoCurrent advice: execute tracefrom source state of transition

b

O

Itrace

Aspect

a

a.

a

a.

b

b

b

b


Example: Logbook Shortcut Aspect LB

Pointcut: transitions in main modes where minus is trueAdvice: trace mode.select.mode.mode, output Logbook

main

sub

minus/JP

Time∨Alti∨Baro

select

pointcut of LB

Logbook Memory


mode

select select

mode

mod

e/

mode/

mod

e/

mode/Time

mod

e/Ti

me

Baro

Alti Bar

o

mode

Altimode/

select

mode

mode

.../JP

.../JP

.../JP

.../JP

.../JP

.../JP

minus∧mode/JP,Time

mode

mode

select

mode

min

us/L

ogbo

ok

min

us/L

ogbo

ok

altimax

/LB




main

sub

minus/JP

Time∨Alti∨Baro

select

pointcut of LBLogbook Memory


mode

select select

mode

mod

e/

mode/

mod

e/

mode/Time

mod

e/Ti

me

Baro

Alti Bar

o

mode

Altimode/

select

mode

mode

.../JP

.../JP

.../JP

.../JP

.../JP

.../JP


mode

mode

select

mode

min

us/L

ogbo

ok

min

us/L

ogbo

ok

altimax

/LB




main

sub

minus/JP

Time∨Alti∨Baro

select

pointcut of LBLogbook Memory


mode

select select

mode

mod

e/

mode/

mod

e/

mode/Time

mod

e/Ti

me

Baro

Alti Bar

o

mode

Altimode/

select

mode

mode

.../JP

.../JP

.../JP

.../JP

.../JP

.../JP


mode

mode

select

mode

min

us/L

ogbo

ok

min

us/L

ogbo

okaltimax/LB


Advice Program

Advice insufficient for Compass ConcernReplace transition by advice programAdvice program has terminating state:represents return to base program

mainMode

modeCompass

selectmode/

mode

advice program


. . .

Altimeter

. . .

Barometer

. . .

mode/..

mode/...Compass

. . .

mode/..

altimax

/compass


Advice Program

Advice insufficient for Compass ConcernReplace transition by advice programAdvice program has terminating state:represents return to base program

mainMode

modeCompass

selectmode/

mode

advice program


. . .

Altimeter

. . .

Barometer

. . .

mode/..

mode/...Compass

. . .

mode/..

altimax /compass


Recovery Advice and Compiler

Recovery advice“Jumping backward”Identify set of recovery statesJump to last recovery state that was passed

Compiler for Argos and LarissaAll language variants implementedExperimentation with many examplesWritten in Java, AspectJ, BDD libraryAvailable at

http://www-verimag.imag.fr/∼stauch/ArgosCompiler/


Outline

1 Introduction

2 Larissa

3 Formal Analysis ToolsAspect InterferenceAspects and Contracts



Formal Analysis Tools

Larissa: small language, formally defined,with simple semanticsWell adapted to study formal propertiesof aspect languagesWe studied two such properties:

interaction of several aspectscombination of Larissa with contracts


Aspect Interaction

Aspect InteractionDo several aspects influence each other?When is P/A1/A2 ∼ P/A2/A1?

Example: Second Shortcut Aspect MAlso use plus button as shortcutin the main modesPressing plus goes to the Memory mode

select

sub

mainTime∨Alti∨Baro

plus/JPm

Pointcut of M


Weaving the Second Shortcut Aspect

Weave M into altimax/LB

When pressing minus in main mode:altimax/LB goes to submodepointcut stays in main mode

Error: Advice transitions added to Logbook mode

select

sub


plus/JPm

Pointcut of M

Logbook

Time...

...

Altimode/

min

us/..

.

plus/Memory

altimax/LB

/M



Weave M into altimax/LBWhen pressing minus in main mode:

altimax/LB goes to submodepointcut stays in main mode


select

sub


plus/JPm

Pointcut of M

Logbook

Time...

...

Altimode/

min

us/..

.

plus/Memory

altimax/LB

/M



Weave M into altimax/LBWhen pressing minus in main mode:

altimax/LB goes to submodepointcut stays in main mode


select

sub


plus/JPm

Pointcut of M

Logbook

Time...

...

Altimode/

min

us/..

. plus/Memory

altimax/LB/M


Joint Weaving

Problem: aspect M written for altimax, not for altimax/LBIdea: weave aspects jointly into the program

Select join points for all aspects first, then apply advice

Joint Weaving: altimax/(LB,M)1 apply pointcuts and determine join point transitions2 sequentially apply advice


Joint Weaving

Problem: aspect M written for altimax, not for altimax/LBIdea: weave aspects jointly into the programSelect join points for all aspects first, then apply advice

Joint Weaving: altimax/(LB,M)1 apply pointcuts and determine join point transitions2 sequentially apply advice


Application to the Example: altimax/(LB,M)

Logbook Memory


mode

mode

select

mod

e/Ti

me

mode

mode

mode/Alti

mode/Time

mode/Baro

mod

e/A

ltimode

select

mod

e/B

aro

select

.../JP

.../JP

.../JP

.../JP

.../JP

.../JP


.../JPm

.../JPm

.../JPm

plus/Memory

plus

/Mem

ory

min

us/L

ogbo

ok

min

us/L

ogbo

ok


Proving Non-Interference

Is altimax/(LB,M)∼ altimax/(M,LB)?

Not always, because advice is still applied sequentiallyJointly woven Larissa aspects still interfere,if they select the same join point transitions

Theorem for Jointly-Woven AspectsNoninterference of two aspects, for any base program:

if no transition selected by both aspectsin product of pointcuts

Noninterference of two aspects, for given base program P:if no transition selected by both aspectsin product of pointcuts and P


Proving Non-Interference

Is altimax/(LB,M)∼ altimax/(M,LB)?Not always, because advice is still applied sequentiallyJointly woven Larissa aspects still interfere,if they select the same join point transitions

Theorem for Jointly-Woven AspectsNoninterference of two aspects, for any base program:

if no transition selected by both aspectsin product of pointcuts

Noninterference of two aspects, for given base program P:if no transition selected by both aspectsin product of pointcuts and P


Design-by-Contract

Originally introduced by Bertrand Meyerfor object-oriented programmingContract: assumption A ⇒ guarantee G

Example (in Java):

class C{/∗ @ assume i < 10 ∗ //∗ @ guarantee \result < 10 ∗ /int m( int i ) { . . . }

}


Design-by-Contract

Originally introduced by Bertrand Meyerfor object-oriented programmingContract: assumption A ⇒ guarantee GExample (in Java):

class C{/∗ @ assume i < 10 ∗ //∗ @ guarantee \result < 10 ∗ /int m( int i ) { . . . }

}


Aspects Modify Contracts

Example call to m: i=9, returns 9

Adding aspect to m:int around(int i): m(i){

return 1 + proceed(i + 1);}

Now: A violated, G violatedIn this case, a new contract formethod with aspect can be derived:

/∗ @ assume i < ∗ //∗ @ guarantee \result < ∗ /

Idea: derive new contractsautomatically

9

m(9)

result<10

i<10



Example call to m: i=9, returns 9Adding aspect to m:

int around(int i): m(i){return 1 + proceed(i + 1);

}

Now: A violated, G violatedIn this case, a new contract formethod with aspect can be derived:



9

m(9)

result<10

i<10





}Now: A violated

, G violatedIn this case, a new contract formethod with aspect can be derived:



9

m(10)m(9)

result<10

i<10





}Now: A violated, G violated

In this case, a new contract formethod with aspect can be derived:



9

m(10)

10

m(9)

result<10

i<10





}Now: A violated, G violatedIn this case, a new contract formethod with aspect can be derived:

/∗ @ assume i < 10 ∗ //∗ @ guarantee \result < 10 ∗ /


9

m(10)

10

m(9)

result<10

i<10








9

m(9)

10

m(8)

result<10

i<10i<9








9

m(9)

10

m(8)

result<10result<11

i<10i<9


Contracts for Reactive Systems

Assumption constrains inputsGuarantee constrains outputsExample with input a and output b:

Assumption: a always occurs in pairsGuarantee: a is immediately followed by b

Observers can express such propertiesInputs are accepted until output err is emitted

E

a

aAssumption

true/erra/err

EbGuarantee

ab/err

true/err


Generating New Contracts

Goal: apply asp to (A, G), and obtain (A′, G′), such that

P |= (A, G) ⇒ P/asp |= (A′, G′)

Idea: Simulate the effect of the aspect on the programas far as possible on A and GDone for Argos and Larissa aspectsAdvantages of the approach:

determine effect of the aspect on programbefore it is writtenallows modular verification


Outline

1 Introduction

2 Larissa


4 Conclusion and Further WorkContributionsFurther Work


Contributions

Contributions:Identification of cross-cutting concerns in reactive systemsLarissa, an aspect language for Argos

formal definition and properties, preservation of equivalencedeveloped many examples and case studies

Formal analysis tools for LarissaNon-InterferenceCombination with Design-by-Contract

Compiler for Larissaimplements all language variantshandles large programs


Further Work

Extension with variablespossible to respect encapsulation

Extension to other synchronous languagesNon-functional concerns in reactive contexts

Modeling of systems-on-a-chipModeling of sensor networks

b

a/i:=1

int i := 0

a.i>0

Trace a.a

Appendix 37/36

Outline

5 AppendixMore on Further WorkMore on Contract WeavingMore on InterferenceMore on Recovery Advice

Appendix 38/36

Extension with Variables

Difficulty: respect encapsulationInternal integer variables:part of implementation

aspect must not change them directlypointcut, advice program cannot usethem, but can have their owntrace execution must set them

Integer In/Outputs:Aspect can modify outputs onlyif program cannot read themi.e., o:=o+1 impossible

b

a/i:=1

int i := 0

a.i>0

Trace a.a

a.i≤1

Appendix 38/36

Extension with Variables

Difficulty: respect encapsulationInternal integer variables:part of implementation

aspect must not change them directlypointcut, advice program cannot usethem, but can have their owntrace execution must set them

Integer In/Outputs:Aspect can modify outputs onlyif program cannot read themi.e., o:=o+1 impossible

b

a/i:=1

int i := 1

a.i>0

Trace a.a

a.i≤1

Appendix 39/36

Aspect Languages for Other Synchronous Languages

Synchronous languages have different styles:Argos, Esterel: Imperative base + parallel compositionLustre: purely parallel

Adapt Larissa to other languages?Pointcut: powerful, semantic, built-in everywhereAdvice: similar for Esterel (but trace automata specific)Lustre: something different needed

Appendix 40/36

Non-Functional Properties in Reactive Contexts

Modeling and simulation of reactive systemsStart by abstract functional model, add non-functionalpropertiesNon-functional properties often cross-cuttingIdentified two areas

Systems-on-a-chip: add timing informationInvestigated in Quentin Meuniers Master’s ThesisWireless sensor networks: energy consumption

Appendix 41/36

Contract Weaving — Technical Overview

Problem: aspects cannot be applied directly to observerautomata

Solution:Transform observers into generator automata ndApply aspect to generatorsTransform woven generators back to observers obsDifferent for assumption and guarantee:

A′ = obsA(ndA(A)/asp)G′ = obsG(ndG(G)/asp)

Then,P |= (A, G) ⇒ P/asp |= (A′, G′)

Appendix 41/36

Contract Weaving — Technical Overview

Problem: aspects cannot be applied directly to observerautomataSolution:

Transform observers into generator automata ndApply aspect to generatorsTransform woven generators back to observers obsDifferent for assumption and guarantee:

A′ = obsA(ndA(A)/asp)G′ = obsG(ndG(G)/asp)

Then,P |= (A, G) ⇒ P/asp |= (A′, G′)

Appendix 42/36

Example – Guarantee Weaving

Example aspect: adviceoutput b, trace a

a.b/JP

Pointcut

EbGuarantee

ab/err

true/err

true/bndG(Guarantee)

a, a/ba/b, a

a/b

a/ba,

ndG(Guarantee)/asp

a/ba/b, aa

a a.b

Eb/err

a.bobsG(ndG(Guarantee)/asp)

true/err

Appendix 42/36



a.b/JP

Pointcut

EbGuarantee

ab/err

true/err


a, a/ba/b, a

a/b

a/ba,

ndG(Guarantee)/asp

a/ba/b, a

aa a.b

Eb/err


true/err

Appendix 42/36



a.b/JP

Pointcut

EbGuarantee

ab/err

true/err


a, a/ba/b, a

a/b

a/ba,

ndG(Guarantee)/asp

a/ba/b, aa

a a.b

Eb/err


true/err

Appendix 43/36

Interference: Shortcut Aspects

Use first method: calculate product of two pointcuts

minus∧plus/JPl

select

sub


minus∧plus/JPm

minus∧plus/JPl ,JPm

Aspects interfere when both buttons are pressed at thesame time in a main modeProduct tells us exactly where aspects may interfere

Appendix 44/36

Recovery Advice

toInit advice: jumping to a fixed locationtoCurrent advice: jumping forwardMissing: jumping backwardsSpecification with trace impossible: automaton notdeterministicDifferent solution:

specify recovery states in base programtarget state of advice transition: the last recovery statepassed

Appendix 45/36

Example

Example: R1, R2 recovery states (selected by an observer)Return to recovery state that was passed last

R1

R2

a

aa

aa/JP

a.R2

a.R1

Signals R1 and R2 decide which transition is takenMust be emitted by an Memory Automaton, run in parallel,which remembers which recovery state was passed last

Appendix 45/36

Example

Example: R1, R2 recovery states (selected by an observer)Return to recovery state that was passed last

R1

R2

a

aa

a

a/JP

a.R2

a.R1

Signals R1 and R2 decide which transition is takenMust be emitted by an Memory Automaton, run in parallel,which remembers which recovery state was passed last

larissa, an aspect-oriented language for reactive systems ...altisen/dstauch/slides-these.pdf ·...

Documents