
• Consecution: for every $i = 0, 1, \ldots$, the valuation $\sigma_{i+1}$ is a $\rightarrow$ successor of $\sigma_i$, i.e., $\sigma_i \rightarrow \sigma_{i+1}$.

A run is a path satisfying

• Time divergence: The sequence $\sigma_0(MC)\,\sigma_1(MC)\ldots$ grows beyond any bound, i.e., the value of $MC$ increases beyond any bound. Thus a run cannot have Zeno behaviour.

5.2 Step semantics

Computing a step. A node can become active or inactive during execution. If it is entered, it becomes active: the system is in the corresponding state. If the node is left, it becomes inactive: the system is not in the corresponding state. Since activity diagrams allow for the specification of parallelism (fork and join), more than one node can be active at the same time. All the active nodes together represent the global state, called the configuration. Since we use activity diagrams to model workflows, a configuration is a global state of the case (cf. page 12).

Formally, the configuration is a bag of nodes. The configuration is not a set, because a node can be active more than once at the same time. Figure 5.1 shows an example to illustrate this. If a customer wants some goods and not enough goods are in stock, the company can already send the goods in stock to the customer and produce the remaining goods in parallel. So Produce partial order and Take partial order from stock are active at the same time. If Take partial order from stock terminates, node Send partial shipment is entered. If next Produce partial order terminates, node Send partial shipment is entered again. Then two instances of node Send partial shipment are active at the same time, because the two shipments are processed in parallel. Thus, the configuration is a bag of nodes, rather than a set.

Let C denote the current configuration, C : bag Nodes and let E be the bag of input events, E : bag Events, to which the system responds by taking a step.

[Figure 5.1: fragment of an activity hypergraph with the nodes Produce partial order, Take partial order from stock and Send partial shipment, and the hyperedge e1 leaving Send partial shipment]

58 Chapter 5 · Two formal semantics of activity diagrams

A hyperedge is relevant in $C$ if its sources are contained in the current configuration. A hyperedge can be relevant more than once, since its source nodes can be more than once in the configuration. For example, if in Figure 5.1 the current configuration $C$ is [Send partial shipment, Send partial shipment], then two instances of e1 are relevant. A hyperedge cannot be relevant more often than the number of times any of its source nodes is in the configuration. The bag of relevant hyperedges, $relevant(C)$, is defined as follows:

\[
relevant(C) =_{df} \{\, h \mapsto n \in HyperEdges \times \mathbb{N}_1 \mid settobag(source(h)) \sqsubseteq C \;\wedge\; n = \min(\{\, C \,\sharp\, s \mid s \in source(h) \,\}) \,\}
\]

where $\sqsubseteq$ denotes bag containment, function $settobag$ maps a set into an equivalent bag:
\[
settobag(S) =_{df} \{\, s \mapsto 1 \mid s \in S \,\}
\]
and, given a set $X$ of natural numbers, $\min(X)$ returns the minimum of the numbers in $X$, and $B \,\sharp\, el$ counts the number of times element $el$ occurs in bag $B$.

A hyperedge is enabled iff it is relevant, it is triggered by an event in the input $E$, and its guard evaluates to true. A guard expression can contain variables. To evaluate a guard expression, each variable must have a value. A guard is evaluated in a valuation $\sigma$ by substituting for every variable $v$ its value $\sigma(v)$. If $g$ is true in valuation $\sigma$, this is written as $\sigma \models g$. For example, if $\sigma(x) = 10$ then $\sigma \models x \geq 5$ but $\sigma \not\models x = 8$. The bag $enabled_\sigma(C, E)$ of enabled hyperedges is defined formally as follows.
\[
enabled_\sigma(C, E) =_{df} \{\, h \mapsto n \in HyperEdges \times \mathbb{N}_1 \mid h \mapsto n \in relevant(C) \;\wedge\; (event(h) \in E \vee event(h) = \bot) \;\wedge\; \sigma \models guard(h) \,\}
\]

where $\in$ applied to a bag denotes bag membership and, as before, $\bot$ denotes the absence of a trigger event (see page 34).

A special guard expression is the in predicate. Given a node $n$, $in(n)$ abbreviates $n \in C$.

Given a configuration $C$ and a bag $E$ of input events, a bag of hyperedges $H$ is defined to be consistent, written $consistent(C, E, H)$, iff all hyperedges can be taken at the same time. Some hyperedges cannot be taken at the same time, because either (i) they leave some source node more often than possible in the configuration, or (ii) some point-to-point event in $E$ triggers more than one hyperedge in $H$.

\[
consistent(C, E, H) \Leftrightarrow_{df} \Big(\biguplus_{h \in H} settobag(source(h))\Big) \sqsubseteq C \;\wedge\; \forall e \in E \bullet sendtype(e) = p2p \Rightarrow length(\{\, h \mapsto n \in H \mid event(h) = e \,\}) \leq E \,\sharp\, e
\]
where $\uplus$ denotes bag union, $p2p$ stands for point-to-point (see page 33) and where $length(B)$ counts the number of elements in bag $B$:
\[
length(\{ x \mapsto n \}) =_{df} n
\]
\[
length(\{ x \mapsto n \} \uplus B) =_{df} n + length(B)
\]

Configuration $C$ is interfering iff some of the activities enabled by the activity nodes in $C$ update the same variable $v$, so they conflict.
\[
interfering(C) \Leftrightarrow_{df} \forall a, b \in C \bullet (a \neq b \Rightarrow \neg(a \text{ conflicts with } b)) \;\wedge\; (a = b \Rightarrow C \,\sharp\, a = 1)
\]

A bag of hyperedges $H$ is defined to be maximal iff for every enabled hyperedge $h$, the bag $H \uplus [h]$ is inconsistent or the configuration reached next is interfering. Notation $[h]$ denotes a bag that only contains $h$. We will define function $nextconfig$ below.
\[
maximal_\sigma(C, E, H) \Leftrightarrow_{df} \forall h \in enabled_\sigma(C, E) \bullet h \notin H \Rightarrow \big( \neg\, consistent(C, E, H \uplus [h]) \;\vee\; interfering(nextconfig(C, H \uplus [h])) \big)
\]
Finally, predicate $isStep$ defines a bag of hyperedges $S$ to be a step iff every hyperedge in $S$ is enabled, $S$ is maximal and consistent, and the next configuration is noninterfering. The two semantics that we will define in the next sections both use the predicate $isStep$.

\[
isStep_\sigma(C, E, S) \Leftrightarrow_{df} S \sqsubseteq enabled_\sigma(C, E) \;\wedge\; consistent(C, E, S) \;\wedge\; \neg\, interfering(nextconfig(C, S)) \;\wedge\; maximal_\sigma(C, E, S)
\]

This definition of a step is declarative. Steps can be computed, given some bag H of enabled hyperedges, by splitting H into maximal, consistent bags of hyperedges that do not lead to interfering next configurations.

Effect of step on configuration. By taking a step, some nodes are left and others are entered. Given a step $H$, the function $left$ returns the bag of nodes that are left if all the hyperedges in $H$ are taken and the function $entered$ returns the bag of nodes that are entered if all the hyperedges in $H$ are taken:

\[
left(H) =_{df} \biguplus_{h \in H} settobag(source(h)) \qquad entered(H) =_{df} \biguplus_{h \in H} settobag(target(h))
\]

By taking a step the configuration changes. The function nextconfig returns the next configuration, given a configuration C and a consistent bag of hyperedges H :

\[
nextconfig(C, H) =_{df} (C - left(H)) \uplus entered(H)
\]
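As an added illustration (not code from the thesis), the bag-based definitions of relevant, enabled, consistent, left, entered and nextconfig above, computed over a constructed fragment of the Figure 5.1 hypergraph: the node names come from the figure, while the hyperedge names e_prod and e_stock, the point-to-point event shipped, the guard on a variable qty and the Counter-as-bag encoding are assumptions of this example. Interfering and maximal are left out, so the block checks a candidate bag of hyperedges rather than searching for a full step.

```python
from collections import Counter

# Constructed fragment of the Figure 5.1 hypergraph (added example, not the thesis's code):
# hyperedge -> (sources, targets, trigger event or None, guard evaluated in valuation sigma)
HYPEREDGES = {
    "e_prod":  (("Produce partial order",), ("Send partial shipment",), None, lambda s: True),
    "e_stock": (("Take partial order from stock",), ("Send partial shipment",), None, lambda s: True),
    "e1":      (("Send partial shipment",), ("final",), "shipped", lambda s: s["qty"] > 0),
}
P2P_EVENTS = {"shipped"}  # sendtype(e) = p2p: e may trigger at most E#e hyperedges in one step

def bag(*items):                      # a bag is a multiset; Counter maps element -> multiplicity
    return Counter(items)
def settobag(s):                      # settobag(S) = {s -> 1 | s in S}
    return Counter({x: 1 for x in s})
def contained(a, b):                  # bag containment a ⊑ b
    return all(a[x] <= b[x] for x in a)

def relevant(c):                      # h -> n: h is relevant n times (every source at least n times in c)
    out = Counter()
    for h, (src, _, _, _) in HYPEREDGES.items():
        if contained(settobag(src), c):
            out[h] = min(c[s] for s in src)
    return out

def enabled(sigma, c, e):             # relevant, triggered by an event in e (or untriggered), guard holds
    out = Counter()
    for h, n in relevant(c).items():
        _, _, ev, guard = HYPEREDGES[h]
        if (ev is None or e[ev] > 0) and guard(sigma):
            out[h] = n
    return out

def _union_over(hb, idx):             # ⊎ of settobag(source/target(h)) over every instance of h in hb
    out = Counter()
    for h, n in hb.items():
        for _ in range(n):
            out.update(settobag(HYPEREDGES[h][idx]))
    return out
def left(hb): return _union_over(hb, 0)
def entered(hb): return _union_over(hb, 1)

def consistent(c, e, hb):             # (i) no source left more often than it is in c; (ii) p2p bound
    if not contained(left(hb), c):
        return False
    return all(sum(n for h, n in hb.items() if HYPEREDGES[h][2] == ev) <= e[ev]
               for ev in e if ev in P2P_EVENTS)

def nextconfig(c, hb):                # (C - left(H)) ⊎ entered(H); Counter '-' keeps positive counts only
    return (c - left(hb)) + entered(hb)
```

With [Send partial shipment, Send partial shipment] as configuration and a single shipped event in E, e1 is relevant and enabled twice, but taking both instances in one step is inconsistent because a point-to-point event triggers at most E#e hyperedges.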

Example. Consider the example activity diagram in Figure 1.1 and its underlying activity hypergraph in Figure 3.6. As explained on page 40, we let activity Check stock update the boolean variable insufficient stock, activity Check customer the boolean variable customer ok, and Handle payment the boolean variable payment ok. Suppose the current configuration is [Check stock, Check customer]. In order to give an impression of all the different execution possibilities in this configuration, we have listed in Table 5.1 for each of the relevant inputs that may occur, the configuration that is entered subsequently by taking a step. The computed step is implied by the reached configuration.

Columns are labelled by the values of (insufficient stock, customer ok); rows give the terminating activity node.

Terminating activity node    | (true, true)                              | (true, false)                          | (false, true)                    | (false, false)
Check stock                  | [Check customer, Make production plan]    | [Check customer, Make production plan] | [Check customer, WAIT-1]         | [Check customer, WAIT-1]
Check customer               | [Check stock, WAIT-2, Send bill]          | [Check stock, WAIT-2, final]           | [Check stock, WAIT-2, Send bill] | [Check stock, WAIT-2, final]
Check stock & Check customer | [Make production plan, WAIT-2, Send bill] | [Make production plan, WAIT-2, final]  | [WAIT-1, WAIT-2, Send bill]      | [WAIT-1, WAIT-2, final]

Table 5.1 Possible next configurations for the activity hypergraph in Figure 3.6.

5.3 Requirements-level semantics