Softw Syst Model
DOI 10.1007/s10270-011-0212-1
REGULAR PAPER
Confluence of aspects for sequence diagrams
Roy Grønmo · Ragnhild Kobro Runde ·
Birger Møller-Pedersen
Received: 22 July 2009 / Revised: 6 July 2011 / Accepted: 11 August 2011
© Springer-Verlag 2011
Abstract The last decade has seen several aspect language
proposals for UML 2 sequence diagrams. Aspects allow the
modeler to define crosscutting concerns of sequence diagrams and to have these woven with the sequence diagrams of
a so-called base model, in order to create a woven model. In a
real-world scenario, there may be multiple aspects applicable
to the same base model. This raises the need to analyse the set
of aspects to identify possible aspect interactions (dependencies and conflicts) between applications of aspects. We call a
set of aspects terminating if they may not be applied infinitely
many times for any given base model. Furthermore, we call
a set of terminating aspects confluent, if they, for any given
base model, always yield the same final result regardless of
the order in which they are applied. Since confluence must
hold for any base model, this is a much stronger result than
many of the current approaches that have addressed detection of aspect interactions limited to a specific base model.
Our aspects are specified using standard sequence diagrams
with some extensions. In this paper, we present a confluence
theory specialized for our highly expressive aspect language.
For the most expressive aspects, we prove that confluence is
undecidable. For another class of aspects with considerable
expressiveness, we prescribe an algorithm to check confluence. This algorithm is based on what we call an extended
critical pair analysis. These results are useful both for modelers and researchers working with sequence diagram aspects
and for researchers wanting to establish a confluence theory
Communicated by Prof. Robert France.
R. Grønmo (B) · R. K. Runde · B. Møller-Pedersen
Department of Informatics, University of Oslo, Oslo, Norway
e-mail: roy.gronmo@sintef.no
R. Grønmo
SINTEF ICT, Oslo, Norway
for other aspect-oriented modelling or model transformation
approaches.
Keywords Aspect · Weave · Confluence ·
Aspect interaction · Aspect interference ·
Graph transformation · Critical pair · UML ·
Sequence diagram
1 Introduction
Model-driven engineering of large and complex systems
involves a set of models. These models vary in the level of
abstraction, and they use different diagram types. Some of
these models are related to each other, they contain overlapping information and models may be partially or fully derived
from other models. Furthermore, there may be cross-cutting
concerns which are scattered and tangled into the model set.
There are several techniques that aim to ease the specification and maintenance of the model set, e.g. model transformation and aspect-oriented modeling.
Model transformation produces new models based on one
or more input models. Relevant examples include model
refactoring, transformations from an abstract model to a more
detailed model, and transformations between models of the
same reality seen from different viewpoints.
Aspect-oriented modeling can be seen as a special case
of model transformation, where an aspect describes crosscutting concerns by a separate module. In what is called
the weaving process, the aspects are woven with the source
model (called base model) to produce a woven model. An
aspect can be woven with the base model in multiple places.
This enables easier specification and maintenance as it avoids
duplicating the aspect concern into all the relevant places in
the base model.
123
R. Grønmo et al.
In several model transformation and aspect-oriented
modeling approaches, the transformation or aspect model
can be specified by a set of declarative rules or aspects. This
is the case in e.g. ATL (ATLAS Transformation Language)
[19], QVT (Query/View/Transformation) [40], and Epsilon
[31] for model transformation and in [5,23,25,41,48,53] for
aspect-oriented modeling. Unlike in imperative approaches,
where the execution order is fixed, a set of declarative
rules/aspects often allow the transformation tool or aspect
weaver to apply the rules/aspects in any order.
The approaches that allow for non-deterministic application of the rules/aspects normally still provide means to prioritize and to control the execution order. However, in many
cases the rules/aspects are independent of each other, and
then it is an unnecessary burden to require that the modeler
specifies an explicit execution strategy. In other cases, there
are dependencies between the rules/aspects that need to be
managed by the specification.
In such a setting, it is very useful to perform a confluence analysis. A set of aspects is confluent if they for any
given base model always yields the same final result regardless of the order in which they are applied. This assumes
that the set of aspects is terminating, i.e. that the aspects
may not be applied infinitely many times for any given base
model. For aspect-oriented approaches, where each aspect is
applied only once for each base model [22,25,48], termination is not an issue. However, there are also many approaches
(e.g. [2,3,8,11,27,53]) where non-termination is a possibility. Repeated application of aspects may be useful for
instance when an aspect changes the base model so that
another aspect becomes applicable. However, this means that
termination should be checked before performing the confluence analysis itself.
In this paper, we present a confluence theory for sequence
diagram-based aspects. The rest of this introduction is structured as follows: In Sect. 1.1, we present the problem of
aspect interactions and dependencies in more detail, and provide some real-world examples. In Sect. 1.2, we explain the
main features of our aspect language with respect to other
sequence diagram-based aspect languages, and in Sect. 1.3
we give a brief overview of the confluence theory presented
in this paper. Finally, Sect. 1.4 summarizes the main results
and presents the organization of the remainder of the paper.
1.1 Aspect interactions
For aspect-oriented development, the problem of aspect
interaction is well-known [1,9,16,20,24,29,37,47,53,54].
Aspect interaction deals with conflicts and dependencies in
the application of the aspects. For instance, two aspects may
be mutually exclusive which means that only one of them
may be applied on any given base model. There are also situations where the two aspects both may be applied to the base
123
model, but result in two different woven models depending
on the weave order. In other cases, the aspects may both be
applied to the base model, but only in a strict order. These
situations may all be acceptable or undesirable, depending
on the exact set of aspects and the context in which they are
used.
We will now give some simple, but realistic, examples
of aspect interaction. First, consider a phone service where
a user may receive an incoming call when being busy with
an ongoing call. Let us assume that there are two aspects
specified that are relevant in this situation. The first aspect
specifies that the incoming call is forwarded to an answering
machine, while the second aspect puts the incoming call on
hold. These two aspects are obviously in conflict in the sense
that only one of them can be applied to the incoming call.
Another example is an authorization aspect and an authentication aspect that both apply to some existing service.
A strict weave order is required if the authorization aspect
assumes that the user is authenticated first. Otherwise, the
resulting application may incorrectly report that the user is
unauthorized while the problem was a missing authentication.
An example of dependency where the aspects may be
applied in any order is a billing aspect and a storage aspect
that applies to sent SMS messages. The billing aspect keeps
track of the aggregated costs of SMS messages and the storage aspect saves each sent SMS message in a separate folder.
Since the chosen weave order will produce different applications, this is an example of aspect interaction. However, for
these two aspects, the interaction is acceptable since it is not
relevant which one of billing and storage is performed first,
as long as both are carried out by the application.
1.2 Sequence diagram-based aspects
In this paper, we consider sequence diagram-based aspects.
There have been a number of aspect language proposals for
UML two sequence diagrams [5–7,15,25,41,49,53]. Some
of the sequence diagram aspect proposals pursue a model
weaving approach [15,25,49,53], while others intend to postpone the weaving to the program level [5–7,41]. When dealing with multiple aspects, there is in both weave alternatives
a need for analysing if there are aspect interactions.
In order to establish a confluence theory for sequence
diagram-based aspects, we use the sequence diagram aspect
language introduced in [14,15]. The aspect language is supported by the SeDi-Weaver tool [50] in which one can specify
sequence diagrams, aspects and perform weaving.
In this aspect language, weaving is performed on the
basis of match conditions for where in the base model each
aspect may be applied. These match conditions are also given
as sequence diagrams (called pointcut diagrams) and may
Confluence of aspects for sequence diagrams
contain arbitrary many messages, in contrast to in [6,7] where
only single events may be used as match conditions.
Another important feature of the aspect language is that
it is semantics-based, in contrast to most other proposals,
e.g. [5–7,41,49,53], which are syntax-based. With semantics-based weaving as in [15,26], syntactically different but
semantically equivalent model extracts are matched. As an
important result, we prove that our match and weave definitions guarantee valid woven sequence diagrams. To the best
of our knowledge, this property has not been proven in any
other work on sequence diagram aspects.
In this paper, we provide a formal theory for matching,
weaving and confluence for sequence diagram aspects. Even
though the theory is based on semantics-based matching, all
these concepts are defined and explained in direct relation to
the concrete syntax of sequence diagrams. This makes the
results of this paper accessible also for practitioners.
1.3 Confluence theory for sequence diagram-based aspects
With a large number of aspects, it can be both timeconsuming and non-trivial to manually investigate all the
aspects to see if there are undesired interactions. However,
very few works address the detection of aspect interactions for sequence diagram-based aspects. Neither are we
aware of any full confluence analysis directly related to
any other model transformation or aspect-oriented modeling
approaches.
Some approaches [12,37,38,53] detect conflicts and
dependencies by translating their rules/aspects into another
formalism such as graph transformation [10] or logic-based
languages [29]. In these cases, possible conflicts and dependencies are reported not in the original aspect modeling notation, but in relation to the target language, making the results
less accessible for system modelers and aspect designers. In
contrast, our confluence theory can be understood directly
within the familiar syntax of sequence diagrams.
Detecting aspect interactions may be performed in relation to a specific base model, as in [8,16]. Such an analysis
will have to be repeated for each base model the aspects are
applied to, and also whenever there is a change in the base
model. This is not necessary with our full confluence analysis, which can ensure that there will be no aspect interactions
for any base model.
As a starting point for our confluence analysis, we use
results from term rewrite systems (TRS) [4] and graph
transformation systems (GTS) [10], where the property of
confluence has been extensively studied with the goal to algorithmically identify conflicts and dependencies [17,18,30,
33,34,44].
For TRS, a notion of critical pairs was first introduced by
Knuth and Bendix [30] as a systematic way to check confluence of a terminating TRS. Critical pairs are constructed
by making all combinations of terms from the union of two
rules’ match conditions. If the application of the two rules
are not directly commutable, then we have a critical pair. In
a critical pair analysis it is checked if each critical pair is
joinable, i.e. if further application of the rules still yields the
same final result. Confluence holds if and only if all critical
pairs are joinable.
Unlike in TRS, confluence of a terminating GTS is undecidable. However, a GTS-based critical pair analysis is still
sufficient to claim confluence for many typical cases.
Although the confluence theories for TRS and GTS provide a useful starting point, they cannot be directly applied
to sequence diagram aspects. For TRS, the confluence theory assumes a total order of its elements, while in sequence
diagrams the events are only partially ordered. Also, both the
GTS and TRS matching strategies are purely syntax-based
and do not take the semantics of the language into account,
unlike our sequence diagram aspects.
In GTS, there are two conflict types leading to dependence
and possible non-confluence. It is more complicated for our
sequence diagram aspects, where we identify five different
conflict types, of which two are analogous to the conflict
types from GTS. If no conflicts may be found, then the set of
aspects is guaranteed to be confluent. If there are conflicts, a
further analysis is needed to decide whether confluence holds
or not.
We investigate the different levels of expressive power
in our aspect language. For the full language as presented
in [14], we prove that the confluence of terminating aspects
is undecidable.
For a restricted version of the language, we identify an
algorithmic way to determine confluence of terminating
aspects. This result is stronger than for terminating GTS
where confluence is undecidable. In the restricted version of
the language, we disallow using negative match conditions
and a wild card construct to match an unspecified number of
events in certain positions.
The restricted aspect language still has substantial expressiveness so that aspects in this language are interesting to
study. Such aspects can for instance specify the matching of
arbitrarily many (but fixed number of) messages, as well as
the addition or deletion of arbitrarily many messages.
The confluence check is based on an extended version of
traditional critical pairs. Unlike the situation from TRS and
GTS, it is not sufficient to construct the critical pairs by only
using the rule’s elements.
When working with sequence diagram-based aspects, our
confluence theory is useful in that it enables an approach
where the aspects may be specified independently of each
other. After the aspects are specified, a confluence analysis
may be performed to identify pairs of aspects where there
are possible conflicts and dependencies. For each such pair,
the specifier may then decide that this is insignificant, or that
123
R. Grønmo et al.
the two aspects should be identified as mutually exclusive,
or that a specific weave order should be given for the two
aspects. As a special case of the last alternative, the specifier
may also choose to create a new aspect, combining the two
problematic ones.
The confluence analysis is complementary to other kinds
of analysis that may be performed in the setting of aspectoriented modelling. For instance, it may be desirable to analyse to what extent the aspect weaving affects the original
behavior of the base model, or whether analysis results on
the base model alone is applicable also after the weaving [21].
1.4 Overview of the paper
The main results in this paper are captured by five theorems.
Theorem 1 proves that it is sufficient to use a given set of syntactic criteria in order to achieve semantics-based matching
and weaving. Theorems 2 and 3 prove that our match definitions ensure valid woven sequence diagrams. Theorem 4
proves that confluence is undecidable for the most expressive
aspects. For another class of aspects, Theorem 5 proves that
a set of (terminating) aspects is confluent if and only if all
extended critical pairs are joinable.
The remainder of this paper is organized as follows:
Sect. 2 provides the preliminaries regarding sequence diagrams. Section 3 contains mathematical preliminaries. Section 4 presents the sequence diagram aspect language with the
match and weave definitions. Section 5 formally defines confluence. Section 6 defines independence and presents the five
different conflict types for sequence diagram-based aspects.
Section 7 proves that confluence is undecidable for the full
aspect language. Section 8 prescribes an algorithm based on
critical pairs to check confluence for a restricted version of
the aspect language. Section 9 presents related work. Section 10 briefly describe some of the potential future work;
and finally Sect. 11 provides the conclusions.
2 Sequence diagrams
Sequence diagrams are used to describe the communication
between different parts of a system (e.g. between various
components or objects), or between a system and its users.
Sequence diagrams are used within a broad range of application domains, and for different methodological purposes,
including requirements analysis, test case specification and
user documentation.
Figure 1 a shows a sequence diagram with two lifelines
L1 and L2, and two messages with the signals a and b. A
lifeline, visualized with a rectangle and a dashed line below,
represents an interacting entity on which events take place in
an order from top to bottom on the dashed line.
123
(a)
(b)
L2
L1
!a
(c)
?a
!a
(d)
?a
a
b
!b
?b
!b
?b
{<! a, ?a, !b, ?b>,
<!a, !b, ?a, ?b>}
Fig. 1 Example: a sequence diagram, b direct partial orders (dpo), c
partial orders (po), d traces
Each message is represented by two events, a send event
(!) and a receive event (?). A unique identifier (not shown in
the diagram) is assigned to each message, and the identifier is
shared between the send and receive events of the message.
The example diagram in Fig. 1a has four events, !a and !b on
lifeline L1, and ?a and ?b on lifeline L2.
Sequence diagrams impose a partial order of events given
by: (1) the send event must come before the receive event of
the same message (this is referred to as the message invariant), and (2) all events are ordered from top to bottom on each
lifeline. An intuitive idea behind this partial order is that messages are sent asynchronously and that they may happen in
any order on different lifelines, but sequentially on the same
lifeline. Figure 1b shows the four partial order requirements
of the sequence diagram from Fig. 1a.
UML [43] defines the semantics of a sequence diagram
by using traces that represent possible execution runs, where
a trace is a sequence of event occurrences. More precisely,
the semantics of a sequence diagram can be described as
a set of positive traces and a set of negative traces. Positive
traces define valid behavior and negative traces define invalid
behavior, while all other traces are defined as inconclusive. In
this paper, we concentrate only on positive traces and let [[ D ]]
denote the positive traces, i.e. the semantics, of the sequence
diagram D. The set of (positive) traces of a sequence diagram
corresponds to each valid permutation of events that satisfy
the partial order requirements. As shown in Fig. 1d, we get
two traces in our example.
The partial order relation and its transitive closure is
important for some of the proofs in this paper. For a given
diagram, we let dpo(e1 , e2 ) denote the fact that there is a
direct partial order from the event e1 to the event e2 . Note
that dpo is an asymmetric relation. There is a direct partial
order from an event to the immediate next event on the lifeline
(if it exist), and from the send and to the receive event of the
same message. The partial order relation po is the transitive
closure of the dpo relation. For the diagram in Fig. 1a, the
arrows in Fig. 1b shows the dpo relations, while the arrows
in Fig. 1c shows the po relations. If it is not clear from the
context, the dpo and po relations may be prefixed with the
name of the sequence diagram that they relate to.
If the partial order relation contains a cycle, then there
exists no traces in the semantics of the diagram, and according to the UML specification [43] this means that the orig-
Confluence of aspects for sequence diagrams
L1
L1
L2
L2
L1
a
a
b
loop {1,2}
L2
c
a
L1
alt
b
c
(a) Sequence diagram D
L2
L1
L2
a
a
a
a
where N0 is the set of natural numbers (including 0) and
max = ∞ means that the contents of the loop may be performed arbitrary many times.
Definition 2 (Make a Set of Basic Sequence Diagrams)
Given a sequence diagram D. The function toBSD(D) transforms D into a semantically equivalent set of BSDs:
c
b
(b) toBSD(D)
Fig. 2 Making a set of BSDs from a sequence diagram D with combined fragments
inal sequence diagram is an invalid sequence diagram. All
messages in a sequence diagram must be drawn horizontally
or downwards, which prevents drawing a diagram without
any traces. We only consider valid sequence diagrams in this
paper.
2.1 Combined fragments
With UML 2, sequence diagrams were enhanced with combined fragment operators. For describing positive behaviour,
the most common operators are seq for sequential behavior,
par for parallel behavior, alt for alternatives, opt for optional
behavior and loop for loops. An example of a sequence diagram with combined fragments is given in Fig. 2a. We refer to
a sequence diagram without any combined fragments (except
seq) as a basic sequence diagram (BSD). The seq operator,
which can be used in a BSD, is normally not explicitly shown
in the diagrams.
The results in this paper apply to base models that use the
combined fragment operators listed above. We now define
a semantics-preserving translation of a sequence diagram
using these operators into a set of BSDs. This allows us to
focus on the much simpler BSDs in our formal definitions
without compromising the generality of the results.
Definition 1 (Sequence diagram constructors) Let Event
denote the set of all events. Then the set of all sequence
diagrams (for a limited set of combined fragments), denoted
SD, can be defined recursively:
An opt can be seen as a special case of alt, and a par operator can be replaced by a semantically equivalent sequence
diagram by using alt’s and seq’s as shown in [36].
Figure 2b shows how the sequence diagram D in Fig. 2a
is transformed by toBSD(D) into a set of BSDs. The loop
represents two alternatives, either one or two iterations, and
the alt has two alternatives. This results in four alternative
BSDs.
Definition 2 ensures that our confluence theory is valid
also for base diagrams using par, alt, opt and loop, even
though the formal definitions apply to basic sequence diagrams only.
3 Mathematical preliminaries
This section defines some helper functions and useful notations that are used throughout the paper:
– L denotes the set of all lifelines
– Event is the set of all events
– Event ∗ denotes the set of all finite event sequences,
i.e. traces
– Message is the set of all messages
– ll(e) is the lifeline on which the event e is placed
– ev(D) is the set of events in the diagram D
– msg(D) is the set of messages in the diagram D
– substr(t1 , t2 ) denotes the fact that t1 is a substring, i.e. a
continuous subsequence of events, of t2
– t1 t2 is the concatenation of the two traces t1 and t2
– t l is the trace t projected onto the lifeline l, i.e. we
remove all trace events that do not occur on the lifeline l
– D{l} is the top-down sequence of events on the lifeline l
in the sequence diagram D
123
R. Grønmo et al.
– first(D{l}) is the first event on the lifeline l in diagram D
(undefined if l does not have any events in D)
– last(D{l}) is the last event on the lifeline l in diagram D
(undefined if l does not have any events in D)
– before(e, D) returns the sequence of events before the
event e (on its lifeline) in the diagram D (undefined if e
is not present in D)
– after(e, D) returns the sequence of events after the event
e (on its lifeline) in the diagram D (undefined if e is not
present in D).
4 The sequence diagram aspect language
In this section, we present our aspect diagram language. First,
in Sect. 4.1, we give a general introduction to the language.
Then, in Sects. 4.2–4.4, we present the details of the language,
together with formal match and weave definitions. We start
with a restrictive version of the language in Sect. 4.2, and
then successively add features so that the full language is
presented in Sect. 4.4.
4.1 Aspect diagrams
In our approach, a base model is a set of sequence diagrams
on which the aspects should be applied. An aspect consists
of exactly one pointcut diagram, exactly one advice diagram, and a (possibly empty) set of negative pointcut diagrams. These diagrams are all valid BSDs (basic sequence
diagrams), which in the case of pointcut and advice diagrams
may be extended with symbolic messages and an arbitrary
events symbol. An aspect is applied to one diagram within
the base model at a time. We refer to this as the base diagram.
For an aspect A, we refer to its pointcut by A. pc, its advice
by A.a, and its set of negative pointcuts by A.Npc.
An aspect is similar to a GTS rule, where the pointcut
diagram (corresponds to LHS in GTS) defines a pattern for
which we are looking for matches in the base diagram. If
a match is found, the weaving of the aspect with the base
diagram is defined by the advice diagram (corresponds to
RHS in GTS), specifying a set of messages to replace the
ones matched by the pointcut diagram. This implies that messages present only in the pointcut and not in the advice will
be deleted, while messages present only in the advice and not
in the pointcut will be added. If any of the negative pointcuts
(correspond to negative application conditions in GTS) have
a match, then a potential match of the pointcut is prevented.
Figure 3 shows an aspect which matches the message a
directly followed by message b. The message a is preserved,
message b is deleted and message c is added. The right part
of the figure shows the woven diagram when the aspect is
applied to the base diagram in the middle part of the figure.
123
L1
L2
a
b
L1
L2
L1
a
c
L2
L1
L2
m1
a
b
m2
m1
a
c
m2
Fig. 3 Aspect (pointcut and advice), base and woven diagrams
alternative advice diagrams
L2
L1
L1
a
c
a 1 L2
b1
b
b
c
a
L2
L1
Fig. 4 Two aspects that preserve all pointcut messages
We need special care to ensure termination for some
aspects that preserve all the pointcut messages. Figure 4
shows two aspects that preserve all the pointcut messages.
The first aspect (labeled 1) guarantees termination if this is
the only aspect to be applied.
The second aspect (labeled 2) includes a match of the
pointcut in the advice. To obtain termination, we need to
define that this aspect is applied only once to the same match.
Woven matches are marked (here displayed by a superscript
number) to exclude each of the involved messages from
future matches of the same aspect as the number indicates.
The match marking will not be part of the woven diagram.
In general, our pointcut and advice diagrams can use symbolic message symbols, such as a mix of hardcoded letters
and wildcards (e.g. ∗ to denote an arbitrary sequence of letters). For simplicity, our formalism only covers fixed message
symbols in this paper. The negative pointcuts of the undecidability proof, is the only place in this paper where we use
symbolic message symbols.
In Sect. 4.2, we consider aspects consisting of one pointcut and one advice diagram only. Negative pointcut diagrams
are introduced in Sect. 4.3, while the arbitrary events symbol
is explained in Sect. 4.4. Each of these sections are structured
into two subsections, presenting first the matching and then
the weaving of the aspects into the base model.
4.2 Aspect diagrams without negative pointcuts and
arbitrary events symbols
In this section, we consider first matching (in Sect. 4.2.1),
and then weaving (in Sect. 4.2.2), for the sequence diagram
aspect language without negative pointcuts and arbitrary
events symbols.
Confluence of aspects for sequence diagrams
L2
L3
4: a
L1
L2
L3
1: a
D pc and a base diagram Db if and only if there exists a tracebased match between one of the pointcut traces and one of
the base traces. Formally:
2: a
def
3: a
φ = {4 → 2}
φ = {4 → 1}
φ = {4 → 3}
Fig. 5 One correct and two incorrect φ mappings
4.2.1 Matching
We now define precisely how the matching works for aspects
consisting of one pointcut and no negative pointcut diagrams.
The main definitions of this section are Definition 4 defining
the criteria for a semantics-based match between a pointcut and a base diagram and Definition 7 defining lifelinebased matching. As an important result, Theorem 1 states that
semantics-based and lifeline-based matching always give the
same result and may be used interchangeably.
The definitions use an injective mapping function,
φ : Message → Message, which maps each pointcut message to a base message with the same signal and the same
lifelines as sender and receiver. Implicitly, φ also defines a
mapping from pointcut events to base events where the signal
kind (send or receive) is preserved, and from pointcut traces
to base traces. We will therefore overload φ to take both messages and events as parameter. Similarly, φ is overloaded to
take a set or a sequence of messages or events as parameter.
Figure 5 shows one correct and two incorrect φ mappings for the given pointcut and base diagrams. Ids are shown
explicitly, by the id number followed by a colon, as a prefix
to the message signal. The second and third φ mappings are
incorrect since there is a mismatch between the sender and
receiver lifelines.
In semantics-based matching, we are looking for matches
in the semantics of the two diagrams. With trace semantics,
this amounts to finding a trace from the base diagram (called
a base trace) which contains a trace from the pointcut diagram (called a pointcut trace) as a continuous subsequence, in
which case we say that there is a trace-based match between
the two traces.
Definition 3 (Trace-based match) The mapping φ defines a
trace-based match between a pointcut trace t pc and a base
trace tb if and only if the pointcut trace is a continuous
subtrace of the base trace (where the message of each event
in the pointcut trace is mapped by φ). Formally:
def
tmatchφ (t pc , tb ) = substr(φ(t pc ), tb )
Definition 4 (Semantics-based match) The mapping φ defines a semantics-based match between a pointcut diagram
smatchφ (D pc , Db ) =
∃t pc ∈ [[ D pc ]], tb ∈ [[ Db ]] : tmatchφ (t pc , tb )
The choice of match definition is further backed by the
following lemma.
Lemma 1 (All pointcut traces are matched) If the mapping φ
defines a semantics-based match between a pointcut diagram
D pc and a base diagram Db , then all traces in the pointcut
diagram have a matching trace in the base diagram. Formally:
smatchφ (D pc , Db ) ⇒
∀t pc ∈ [[ D pc ]] : ∃tb ∈ [[ Db ]] : tmatchφ (t pc , tb )
Proof See Appendix A.2.
In theory we may calculate all the pointcut and base traces
to find matches. In practice this is an intractable problem
since the number of traces may have an exponential growth
relative to the number of events in the diagram. Instead we
use a lifeline-based matching which is equivalent to the
semantics-based matching.
A necessary, but not sufficient, criterion for lifeline-based
matching is that for all lifelines, the pointcut events must
occur as a continuous subsequence in the base diagram. If
this is the case, there is a candidate match between the two
diagrams.
Definition 5 (Candidate match) The mapping φ defines a
candidate match between a pointcut diagram D pc and a base
diagram Db if and only if for all lifelines, the events in the
pointcut diagram is a (possibly empty) continuous subsequence of the events in the base diagram (where the message
of each event in the pointcut diagram is mapped by φ). Formally:
def
cmatchφ (D pc , Db ) = ∀l ∈ L : substr(φ(D pc {l}), Db {l})
Informally, we will refer to the range of φ in the base diagram, as the mapped events. For a candidate match to be a
proper lifeline-based match, there must be no match-blocking
partial orders that require some unmapped events to occur
between two of the mapped events in the base diagram. If
there is a match-blocking partial order, the candidate match
cannot produce a contained pointcut trace within a base trace,
since there will always be intermediate events in the base
trace.
Figure 6 illustrates that the match definition needs to
exclude base diagram matches with match-blocking partial
orders. All lifelines of the base diagram contain the pointcut
123
R. Grønmo et al.
L1
a
L1
L3
L2
a
{ <!a,?a,!b,?b> }
b
L3
L2
{<!a,?a,!c,?c,!b,?b>,
<!a,?a,!b,!c,?c,?b>,
<!a,!c,?a,!b,?c,?b>,
<!a,!c,?c,?a,!b,?b>,
<!a,?a,!c,!b,?c,?b>,
<!a,!c,?a,?c,!b,?b>}
c
b
in itself. However, the partial order relation now contains
(!c1, ?c2), which is a match-blocking partial order. Thus,
there is no semantics-based match for the base diagram, and
there should be no lifeline-based match either.
Definition 6 (Match-blocking partial order) A match-blocking partial order with respect to φ and a pointcut diagram
D pc is a partial order between two of the unmapped base
events, and such that the partial order of the base diagram
Db requires these two events to happen between two of the
mapped events. Formally:
def
blocking(D pc ,φ) (a, b, Db ) =
Fig. 6 c is a match-blocking message
a, b ∈ (ev(Db ) \ φ(ev(D pc ))) ∧ (a, b) ∈ Db .po ∧
∃e1 , e2 ∈ φ(ev(D pc )) : ((e1 , a) ∈ Db .po ∧ (b, e2 ) ∈ Db .po)
L1
L0
c1
a
L2
L3
c2
b
Fig. 7 (!c1, ?c2) ∈ base. po is a match-blocking partial order
Definition 7 (Lifeline-based match) The mapping φ defines
a lifeline-based match between a pointcut diagram D pc and
a base diagram Db if and only if φ defines a candidate match
between the two diagrams and there are no match-blocking
partial orders. Formally:
def
lmatchφ (D pc , Db ) =
events as a continuous subsequence (taking φ to be the identity mapping), which means that there is a candidate match
between the pointcut and the base diagram. However, the
c message is a match-blocking message, with (!c, ?c) as the
match-blocking partial order, meaning that this is not a proper
lifeline-based match. This is because the !c event is after
the candidate match (!a) on lifeline L1, while the ?c event
is before the candidate match (?b) on lifeline L3. I.e., both
(!a, !c) and (?c, ?b) are partial orders for the base diagram,
requiring the unmapped events !c and ?c to occur between
the two mapped events !a and ?b.
When investigating the traces, we see that there is no
semantics-based match either. The pointcut has a single trace:
!a, ?a, !b, ?b . None of the six shown base traces have the
pointcut trace as a continuous subsequence, and thus there
are no semantics-based matches. This is because the matchblocking c message will always get its two events between
the first and last events of the matched pointcut trace.
If we modify the base diagram of Fig. 6 such that the c
message switches direction (with !c on L3 and ?c on L1), then
we get a match since the c message is no longer match-blocking. From all the direct partial orders involving the redirected
c message, i.e. (!c, ?c), (!a, ?c) and (!c, ?b), it is clear that
!c may happen before and ?c after all of the mapped events.
Similarly, we get a semantics-based match since the set of
base traces now includes the trace !c, !a, ?a, !b, ?b, ?c .
Lifeline-based matching should consider not only matchblocking messages, but match-blocking partial orders in
general. To illustrate why this is necessary, we keep the pointcut from Fig. 6 and apply it to the base diagram in Fig. 7.
In Fig. 7, neither c1 nor c2 is a match-blocking message
123
cmatchφ (D pc , Db ) ∧ ∀a, b ∈ ev.Db : ¬blocking(D pc ,φ) (a, b, Db )
With lifeline-based matching, the problem of finding
matches is now reduced from calculating all possible traces
to searching for candidate matches and checking for matchblocking partial orders. The following theorem ensures that
lifeline-based matching may be performed instead of semantics-based matching as they both give the same result.
Theorem 1 (Lifeline-based equals semantics-based match)
The mapping φ defines a lifeline-based match between a
pointcut diagram D pc and a base diagram Db if and only
if φ defines a semantics-based match. Formally:
lmatchφ (D pc , Db ) ⇔ smatchφ (D pc , Db )
Proof See Appendix A.3.
Hereafter we use the short term match to mean a semantics-based/lifeline-based match, and we allow to use match in
formulas when it is irrelevant to differentiate between the two
(equivalent) match formulas. With the match definition formalized, we are in a position to define isomorphic diagrams.
Two diagrams are isomorphic if their underlying structure
(and thereby also their semantics) is the same even though
they are drawn slightly different.
Definition 8 (Isomorphic diagrams) If there exists a φ which
is one-to-one (both injective and surjective) between two diagrams D1 and D2 and where φ defines a match of D1 in D2
(φ −1 defines a match of D2 in D1 ), then D1 and D2 are
isomorphic diagrams. Formally:
def
isomorph(D1 , D2 ) =
∃φ ∈ : matchφ (D1 , D2 ) ∧ matchφ −1 (D2 , D1 )
Confluence of aspects for sequence diagrams
where is the set of all φ’s
Throughout this paper we will implicitly consider two diagrams to be the same if they are isomorphic.
A1
vide additional information: D1 −→ D2 means a direct derA1 ,φ1
ivation which has applied the aspect A1 , and D1 −−−→ D2
means a direct derivation which has applied the aspect A1
with the mapping φ1 .
∗
The notation → means a derivation (consisting of zero
or more direct derivations) with unspecified aspects. A normal form is a diagram on which there are no possible direct
derivations. The notation D means that the diagram D is a
normal form.
Figure 8 shows how the lifeline-based weaving works in
a special notation where we do not show the messages, only
events as filled circles on each lifeline. The matched sequence
of events on each lifeline is marked by a rectangle. For each
lifeline the matched subsequence of events in the base is
replaced by the entire advice event sequence (empty in the
case of lifeline L2) on the same lifeline.
Definition 9 (Direct derivation) Dw is a direct derivation of
Db with respect to the aspect A and the mapping φ, written
A,φ
Db −−→ Dw , if and only if there is a match between the
pointcut of A (A.pc) and Db , and for each lifeline in Db , the
events matched by φ are replaced by the entire subsequence
L2
e5
e6
e7
e8
L1
L2
e1
e10
e11
e12
e4
4.2.2 Weaving
This section presents the weaving process, formally defined
by Definition 9. For aspects consisting of one pointcut and
one advice diagram only, Theorem 2 ensures that the weaving process always results in a valid sequence diagram, i.e. a
sequence diagram without any cycles in its partial order.
In this paper, we consider weaving to be the nondeterministic application of a set of aspects on a base diagram. A direct derivation is an atomic step in the weaving,
where a single aspect is applied to a single match in the base
diagram, while a derivation consists of zero or more direct
derivations.
Throughout this paper, we will adapt important terms and
notations from term rewriting systems (TRS) [4] and graph
transformation systems (GTS) [44] to the context of aspect
diagrams.
The notation D1 → D2 or D2 ← D1 means a direct derivation from diagram D1 to diagram D2 by applying some
(not specified) aspect. The notation can be extended to pro-
L1
e1
e2
e3
e4
L3
L2
L1
e9
e10
e11
e12
L3
e12
e13
e14
L3
e5
e6
e8
e12
e13
e14
event on lifeline
match on lifeline
Fig. 8 Weaving
of events (possibly empty) of the advice (A.a) for that lifeline
(where the advice events are also mapped by φ). Formally:
A,φ
def
Db −−→ Dw =
matchφ (A.pc, Db ) ∧
∀l ∈ L : ∃h 1 , h 2 ∈ Event ∗ : Db {l} = h 1 φ((A.pc){l}) h 2
∧ Dw {l} = h 1 φ((A.a){l}) h 2
We have extended the φ mapping so that it also maps from
advice messages/events to base messages/events. Shared ids
between the pointcut and the advice denote messages that are
preserved. As a general convention, we assume that messages
with the same signal, sender and receiver in the pointcut and
the advice have the same id, unless the ids are explicitly visible in the diagram. When the convention is ambiguous, any
assignment of ids can be chosen as long as the ids are unique
within each advice diagram. The advice ids are insignificant
to the effects of the weaving, since the advice diagrams with
different ids are still isomorphic. The trace set is independent
of the ids. The φ mapping of advice messages not shared with
the pointcut must be given fresh ids with respect to the base
diagram.
In general our aspect language supports advice events on
lifelines with no pointcut events, and this can be meaningful
with respect to a particular base diagram [14]. However, it is
undefined where to place the new advice events in relation
to existing events on such lifelines. This normally leads to
non-confluence, and we disregard such aspects in this paper.
We are not allowed to delete lifelines, since deleting a
lifeline with events may produce invalid sequence diagrams
where a message contains only one of its two events.
The criterion of excluding candidate matches with matchblocking partial orders complicates our confluence theory.
However, this criterion cannot be ignored if we want to ensure
a sound weaving. As an example, Fig. 9 introduces an advice
for the pointcut and base given in Fig. 6. The advice inserts a
d message after the matched a and b messages. If we ignore
the match-blocking partial order (!c, ?c), and allow a match
123
R. Grønmo et al.
L1
L3
L2
L1
L2
b
d
L1
c
b
b
d
L1
L2
L1
L2
a
b
a
L1
a
a
L1
a
a
a
a
L2
L2
L1
b
a
b
a
L2
L1
b
b
L2
a
Fig. 9 Ignoring match-blocking partial orders may lead to invalid
sequence diagrams
L2
Fig. 10 Incorrect match leads to undesired weaving/alternative woven
results
L2
L1
L3
a
a
L1 a L2
b
d
a
b
a
b
d
Fig. 11 Negative pointcut—implicit ids with one match
two events on the L2 lifeline, we get a final woven result
with a crossing b message (notice that the b message is a
match-blocking message for the two remaining a messages).
Crossing messages are allowed in general, but it is unexpected and undesired in this case.
The example in Fig. 10 is non-confluent, since a nondeterministic matching strategy gives one of the following
three alternative derivations resulting in two different normal forms:
1. a, a, a, a → a, b, a
2. a, a, a, a → a, a, b → b, b
3. a, a, a, a → b, a, a → b, b
4.3 Aspect diagrams with negative pointcuts
in the base diagram, then the woven result will be an invalid
sequence diagram because we get a cyclic partial order relation.
The following theorem establishes that our match and
weave definitions are sound in the sense that as long as the
base and advice diagrams are valid sequence diagrams (i.e.
with a non-empty semantics), then the woven result will also
be a valid sequence diagram.
Theorem 2 (The woven result is a valid sequence diagram)
Given an aspect A, a base diagram Db , and a direct derA,φ
ivation Db −−→ Dw , then the woven result Dw is a valid
sequence diagram. Formally:
matchφ (A.pc, Db ) ∧ [[ Db ]] = ∅ ∧ [[ A.a ]] = ∅ ⇒ [[ Dw ]] = ∅
Proof See Appendix A.4.
Now that we have introduced the match and derivation
definitions, we may elaborate why we need the φ function as
an injective mapping from the pointcut events to base events.
Consider the aspect and base diagram example in Fig. 10.
The aspect defines that two consecutive a messages should
be replaced by a b message, and the base diagram contains
four consecutive a messages. Without using ids and the mapping function φ in the match, we could mistakenly choose a
match which does not pair the correct send and receive events
(rectangles in the figure surround the matched events). By
matching the last two events on the L1 lifeline and the first
123
We now extend the sequence diagram aspect language to
include also negative pointcuts. I.e., an aspect A now consists
of a pointcut diagram A.pc, a (possibly empty) set A.Npc
of negative pointcut diagrams, and an advice diagram A.a.
However, none of the diagrams may contain any arbitrary
events symbols (which will be introduced in Sect. 4.4). The
structure of this section follows that of Sect. 4.2, discussing
first matching in Sect. 4.3.1 and then weaving in Sect. 4.3.2.
4.3.1 Matching
Negative pointcuts are used to exclude matches between a
pointcut and a base diagram (analogous to negative application condition in GTS [34]). An example is given in Fig. 11.
As a general convention, we assume that messages with the
same signal, sender and receiver in the pointcut and any of
the negative pointcuts have the same id, unless the ids are
explicitly visible in the diagram. If the convention is ambiguous, then explicit ids are required since different assignment
of ids may give different results.
In Fig. 11, the leftmost pointcut diagram defines that we
are looking for matches of two consecutive messages a and b
within a base diagram, while the negative pointcut diagram
defines that these messages should not be followed by a d
message. The base diagram in the figure has only one match
(marked by the rectangle) where φ matches the pointcut to
the first occurrence of the two consecutive messages a and b.
Confluence of aspects for sequence diagrams
L1
L1
L2
1: a
2: b
L1
L2
3: a
4: b
5: d
L2
L1
a
b
a
b
d
L2
a
//
b
//
L1 a L2
c //
//
b
L2
L1
a
a
b
L1
L2
a
a1
c
b1
Fig. 13 The arbitrary events symbol
Fig. 12 Negative pointcut—explicit ids with no matches
Definition 10 (Semantics-based/lifeline-based match with
negative pointcuts) The mapping φ defines a match between
an aspect A with pointcut diagram A.pc and negative pointcut diagrams A.Npc, and a base diagram Db if and only if
both of the following conditions hold:
– there is a match between the pointcut and the base diagram
– for any negative pointcut diagram, it is not possible to find
a match between the negative pointcut diagram and the
base diagram based on any φ having the same mapping
as φ for all messages shared with the pointcut diagram.
Formally:
def
matchφ (A, Db ) =
matchφ (A.pc, Db ) ∧
∀Dnpc ∈ A.Npc : ∀φ : φ φ ⇒ ¬match φ (Dnpc , Db )
where φ φ is a short-hand for
∀m ∈ msg(A.pc) ∩ msg(Dnpc ) : φ(m) = φ (m)
4.3.2 Weaving
The negative pointcuts do not affect the weaving process
described in Sect. 4.2.2, they only restrict the set of valid
matches on which the corresponding aspect is applied. Definition 9, that defines a direct derivation, remains the same,
except for substituting matchφ (A.pc, Db ) with the more general matchφ (A, Db ) to include possible negative pointcuts.
Theorem 2, stating that the woven result is always a valid
sequence diagram, also holds for negative pointcuts since
negative pointcuts only restrict when we get matches to be
used in the weaving.
4.4 Aspect diagrams with negative pointcuts and the
arbitrary events symbol
We now consider matching (Sect. 4.4.1) and weaving
(Sect. 4.4.2) using the full sequence diagram aspect language,
where the aspects may have additional expressiveness by
using the arbitrary events symbols. The arbitrary events symbol indicates the presence of an arbitrary number of events
(including zero events), and is shown in Fig. 13, displayed as
. Theorem 3 ensures that the weaving is sound (i.e. always
results in valid sequence diagrams) also when considering
the full language.
No φ can make the second occurrence of the two consecutive
messages a and b to be a match, since the next message is a
d message, which the negative pointcut forbids.
In Fig. 12, we modify the diagrams from Fig. 11 by only
changing the ids. The ids are now shown explicitly since they
are different from the default convention. The a and b messages in the pointcut now have different ids than the a and
b messages in the negative pointcut. This means that the a
and b messages in the negative pointcut can be mapped to
the same a and b messages, or to different ones when trying
to match the negative pointcut. For the first occurrence of a
and b in the base diagram, we can map the a and b in the
negative pointcut to the second a and b messages, and the
negative pointcut prevents a match. For the second occurrence of a and b in the base diagram, the a and b messages
in the negative pointcut can be mapped to the same as for
the pointcut, and the negative pointcut once again prevents a
match. Hence, there are no matches in the base diagram.
We now generalize the match definition to consider also
aspects with negative pointcut diagrams. There is a match
between a base diagram and an aspect if and only if the base
diagram matched the pointcut, but none of the negative pointcut diagrams of the aspect.
4.4.1 Matching
In an aspect, each lifeline in the pointcut and negative pointcut diagrams may contain zero or more arbitrary events symbols. A unique identifier is associated with each arbitrary
events symbol, and the set of all arbitrary events symbols
is referred to as ArbEvt. In the advice diagram, each arbitrary events symbol from the pointcut must be preserved, on
the same lifeline and in the same order relative to the other
arbitrary events symbols.
Our example aspect in Fig. 13 defines that we are looking
for matches of the a message followed by an arbitrary number of events on both its lifelines, and then finally a b message. The advice inserts a c message of which the position
is uniquely defined in relation to the arbitrary events symbols. The send event of the c message, !c, shall be inserted
directly before all the arbitrary events (and after the !a event)
123
R. Grønmo et al.
on lifeline L1, and the receive event, ?c, shall be inserted
directly after all the arbitrary events (and before the ?b event)
on lifeline L2.
We allow only for irreducible matches of arbitrary events
symbols, which means that the set E of events in the base diagram for which a match with the pointcut diagram is found,
cannot be reduced to another set E ⊂ E and still be a match
for the same aspect. This requirement means that a, a, b is
not a match for the base diagram a, a, b in Fig. 13. This is
because that set of messages can be reduced to the match
a, b (where the a is the latter a). In this match, the arbitrary
events symbols are bound to empty event sequences.
Notice that since the aspect in Fig. 13 has an advice that
contains a pointcut match, it will never terminate. We will
use match marking to exclude the previously matched a and b
messages from further matches of the same aspect. We have
displayed the match marking by a superscript number (1 ) to
denote that aspect number one (the one defined in the example) cannot match the elements another time. The aspect will
thus be applied only once and the final woven result will be
a, a, c, b.
If arbitrary events symbols are used also in the negative
pointcuts, their ids will determine if they must be bound to
the same events as the symbols in the pointcut. For a single
pointcut or negative pointcut diagram, the same base event
cannot be matched by two different arbitrary events symbols
in the same match. However, two different arbitrary events
symbols in different diagrams (e.g. one pointcut and one negative pointcut diagram, or two negative pointcut diagrams)
may be bound to overlapping sets of events.
We now formally define the matching for aspect diagrams
with arbitrary events symbols. The definitions use a mapping
ψ : ArbEvt → Event ∗ , which maps each arbitrary events
symbol in the aspect to a (possibly empty) sequence of base
events on the same lifeline. For a diagram D, the notation
D ψ is used to denote the diagram D with every occurrence
of the arbitrary events symbol replaced with the corresponding event sequence according to the mapping ψ. Similarly,
for an aspect A, Aψ denotes that the mapping ψ has been
used on every diagram in A.
Definition 11 (Semantics-based/lifeline-based match with
negative pointcuts and arbitrary events symbols) The mappings φ and ψ define a match between an aspect A and a base
diagram Db if and only if both of the following conditions
hold:
– there is a match between the pointcut of A and Db according to Definition 10
– the match is irreducible, i.e. for all φ and ψ that maps a
proper subset of the events mapped by φ and ψ, there is
no match.
123
⇒
L1
L2
a
L1 a L2
//
//
//
c
x
c
//
L1
L2
L1
L2
a
a
b
x
c
c
b
Fig. 14 New messages cannot be freely placed in relation to an arbitrary events symbol
Formally:
def
matchφ,ψ (A, Db ) =
matchφ (Aψ , Db ) ∧
∀φ , ψ : range(φ , ψ ) ⊂ range(φ, ψ)
⇒ ¬matchφ (Aψ , Db )
where range(φ, ψ) is the union of all base events mapped to
by φ and ψ.
The last clause in the definition ensures that the bound
arbitrary events symbols in the pointcut cannot be reduced
to a proper subset and still achieve a match.
4.4.2 Weaving
Once the binding of the arbitrary events symbols in the
aspect is resolved (by ψ), the weaving process is the same
as for diagrams without arbitrary events symbols (described
in Sect. 4.2.2). When it is useful, the notation for direct
derivation can include the exact ψ that has been used.
A1 ,φ1 ,ψ1
D1 −−−−−→ D2 means a direct derivation from diagram
D1 to diagram D2 by using the aspect A1 with the mapping
φ1 and the arbitrary events binding ψ1 .
Theorem 2 proved that our aspects without the arbitrary
events symbol guaranteed a valid woven sequence diagram.
This is not the case if we allow to freely place new messages
in relation to the arbitrary events symbols. Fig. 14 shows an
aspect where we add a new message x. The event !x is placed
after an arbitrary events symbol on one lifeline, and the event
?x before another arbitrary events symbol on another lifeline.
When applying this aspect on the base model in Fig. 14, the
arbitrary events symbols are bound to a message b. In the
woven diagram, the partial order relation for the messages
x and b constitute a cycle. The reason for this cycle is that
the advice diagram becomes invalid with the binding of the
arbitrary events symbols.
To ensure that an advice diagram is valid, we need restrictions on how messages are placed in relation to the arbitrary events symbols. We assume that any advice diagram
Da is valid before introducing the arbitrary events symbol.
The advice diagram we get by removing all arbitrary events
symbols, denoted by Da= , shall still be a valid diagram. The
Confluence of aspects for sequence diagrams
following theorem ensures valid woven diagrams also for
aspects with arbitrary events symbols:
Theorem 3 (Valid woven diagrams for negative pointcuts
and arbitrary events symbols) Given an aspect A with pointcut diagram A.pc, advice diagram A.a that does not introduce a partial order (a, b) with a after an arbitrary event
and b before an arbitrary event, a base diagram Db , and a
Definition 14 (Locally confluent) A set A of aspects is
(locally) confluent if and only if for all base diagrams D, all
direct derivations from the base diagram are joinable. Formally:
def
locallyConfluent(A) =
A1
⇒ D1 ↓ D2
A,φ,ψ
direct derivation Db −−−→ Dw , then the woven result Dw
is a valid sequence diagram. Formally:
matchφ (A.pc, Db ) ∧
[[ Db ]] = ∅ ∧ [[ (A.a)= ]] = ∅ ∧
(a, b) ∈ ((A.a).po \ D pc .po), p1 , p2 ∈ ArbEvt :
A2
∀D, D1 , D2 ∈ SD, A1 , A2 ∈ A : D1 ← D → D2
Newman’s Lemma [39] proves that local confluence and
confluence are equivalent for terminating systems. For most
practical purposes a system is terminating, so we assume that
we have terminating sets of aspects in this paper. Termination
theory is however outside the scope of this paper.
a ∈ after( p1 , A.a) ∧ b ∈ before( p2 , A.a)
⇒ [[ Dw ]] = ∅
6 Independence
Proof See Appendix A.5.
5 Basic confluence terminology
The remainder of this paper is concerned with our confluence
theory for sequence diagram aspects. This section presents
some basic terminology related to confluence, including confluence itself which is defined by Definition 13. The next
section (Sect. 6) discusses independent derivations, which
is an important step for deciding confluence. In Sect. 7 we
prove that confluence is undecidable for the full aspect language presented in Sect. 4.4, while Sect. 8 establishes how
confluence may be decided for the restricted aspect language
presented in Sect. 4.2.
In confluence theory, joinability is an important property.
Two diagrams are joinable if they may be transformed into
the same diagram by applying the set of aspects zero or more
times on each of the two diagrams individually.
Definition 12 (Joinable) Two diagrams D1 and D2 are joinable, written D1 ↓ D2 , if there exists derivations leading to
a common (up to isomorphism) diagram D join . Formally:
∗
def
∗
D1 ↓ D2 = D1 → D join ← D2
As a shorthand, D1 ↓D
2 means that D1 and D2 are not
joinable.
A set of aspects is terminating if and only if there exists
no infinite derivation sequence for any base diagram.
Definition 13 ((Globally) confluent) A set A of aspects is
(globally) confluent if and only if for all base diagrams D,
all derivations from the base diagram are joinable. Formally:
def
confluent(A) =
∗
∗
∀D, D1 , D2 ∈ SD : D1 ← D → D2 ⇒ D1 ↓ D2
In confluence theory, it is useful to establish an independence
definition. We define two direct derivations from the same
base diagram to be independent if they are commutable, i.e.
the two derivations can be applied in any order with the result
being the same (up to isomorphism). If all direct derivations
from an arbitrary base diagram are independent, then the set
of aspects is guaranteed to be confluent.
In this section, we formally define independence in Definition 15, while Lemmas 2 and 3 give independence criteria
for the sequence diagram aspect languages from Sect. 4.2
(the basic language without negative pointcuts and arbitrary
events symbols) and 4.4 (the full language), respectively.
Definition 15 (Independence)
A1 ,φ1 ,ψ1
A2 ,φ2 ,ψ2
Two
direct
derivations
D1 ←−−−−− D −−−−−→ D2 from the same diagram D are
independent if and only if there exists a diagram D join such
A2 ,φ2 ,ψ2
A1 ,φ1 ,ψ1
that D1 −−−−−→ D join ←−−−−− D2 .
For GTS there are two cases of dependence [34]: usedelete conflict and produce-forbid conflict. A use-delete conflict occurs when one rule deletes something in the left hand
side of the other rule. A produce-forbid conflict occurs when
one rule produces something that is matched by a negative
application condition in the left hand side of the other rule.
For our aspects, the situation is more complicated than for
GTS which have only two conflict types. We identify three
conflict types for aspects without negative pointcuts, and two
additional conflict types for aspects with negative pointcuts.
First, we concentrate on aspects without negative pointcuts.
We show four examples with dependent derivations before
giving the general lemma.
Figure 15 shows an example of a use-delete conflict. Both
aspects A1 and A2 can match the same a message in the given
base diagram. Since aspect A1 deletes the a message, aspect
A2 cannot be applied after the A1 derivation. This means that
123
R. Grønmo et al.
L1
L1
L2
a
L1
L2
A1
A2
←
L1
L2
L1
→
L2
b
L2
a
c
A1
→
L2
L1
a
b
L1
a
L2
L1
a
c
L2
b
c
Fig. 15 use-delete conflict where one derivation deletes a message which otherwise could be matched by the other aspect
L1
L1
L3
L2
L2
a
a
c
b
b
A1
A2
L2
a
L3
L2
a
c
d
b
→
L1
L3
L3
d
b
A2
←
L1
L2
b
←
L1
L3
L2
L3
L2
L3
L1
c
b
L3
L2
a
a
d
b2
b
Fig. 16 use-delete conflict with respect to lifeline event orders
L1
L1
L2
a
L2
mb
L2
b
←
L2
L1
b
←
bm
L1 L2
mb
L2
bm
MakeMB
A1
MakeMB
L1
L1
b
L1 L2
a
bm
→
L1
mb
L2
a
Fig. 17 produceMB-blocked conflict where one derivation produces a match-blocking partial order for the other aspect
two derivations from the same base diagram are dependent
since they lead to two different normal forms.
Another less obvious situation of a use-delete conflict
can occur even with two aspects that do not delete any messages. Consider the example in Fig. 16. We have two aspects
A1 and A2 where the matches of two direct derivations share
the same b message. By applying the two aspects on the
base diagram example, we get two result diagrams which
cannot be joined. Thus, the two derivations must be dependent.
The reason why these two derivations are dependent can
be found by investigating the lifeline event orders of the two
aspects. Aspect A1 uses the event order ?a, !b on lifeline
L2, which is implicitly deleted by the aspect A2 since it adds
123
the new !d event in between the two events. So, with respect
to the lifeline event orders of the aspect diagrams, there is a
use-delete conflict.
The previously introduced notion of match-blocking
partial orders lead to another conflict type, called produceMB-blocked conflict. The prohibited match-blocking partial orders may be considered as a kind of fixed negative
pointcut for all aspects. An example is given in Fig. 17. Here,
the MakeMB aspect produces a match-blocking partial order
(the message mb) for the other derivation, and thus the two
derivations are dependent.
The third example of dependent derivations, which we call
produce-produce conflict, occurs when two aspects both
add events before or after the same common matched event.
Confluence of aspects for sequence diagrams
L1
L3
L2
L2
L1
L2
a
L3
L1
L2
L3
d
A1
L2
L3
→
L1
L2
L3
L2
a
b
L3
d
d
a
c
L1
a
b
a
c
L1
a
→
b
d
L3
A2
←
L1
L3
L2
a
A1
A2
←
L2
L1
c
b
L1
L3
b
a
a
c
b
Fig. 18 produce-produce conflict where the two derivations produce unequal event sequences after a common matched event
L1
L2
L3
L1
A2
L1
L2
L2
adv
c
L3
b
L2
L3
c
b
L3
A1
→
L2
L1
L3
a
a
L2
adv
→
L1
L1
b
A2
←
L1
L3
b
c
A1
←
L2 L3
b
adv adv
L3
adv
b
L1
L2
b
a
b
adv
L1
L3
L2
adv
adv
b
Fig. 19 produce-produce conflict where only one of an added message’s two events is placed in relation to common matched events
In Fig. 18 both aspect derivations add a different event after
the common matched event !a. The ?c event is added by the
A1 aspect and the ?d event is added by the aspect A2. The
order matters and the two derivations are dependent.
To avoid produce-produce conflicts we introduce the condition that event sequences added before or after a common
matched event are equal. The event sequences should be
equal also with respect to the ids, as demonstrated in [13].
Figure 19 shows another example of a produce-produce
conflict, where all the added events before or after common
matched events are equal (including mapped ids). The conflict occurs because only one of the two events of a message,
?adv, is added in relation to a common matched event (?b).
The other event of the added message, !adv is placed in different positions in the base model. The order of the aspect
matters, since the A1–A2 derivation produces two new adv
messages that are crossing, while the A2–A1 derivation produces two new adv that are not crossing.
The three conflict types explained above lead to the following independence lemma, giving the criteria for when two
direct derivations are dependent.
Lemma 2 (Independent derivations) For aspects without
negative pointcuts and the arbitrary events symbol, two direct
A1 ,φ1
A2 ,φ2
derivations D1 ←−−− D −−−→ D2 are independent if and
only if the following criteria are met:
1. ¬ use-delete.
Examples: Figs. 15 and 16.
Requirement: None of the two derivations deletes a direct
partial order which is part of the other derivation’s
match. Formally:
: 1 , e2 ∈ ev(Ax.pc)
∀e
(e1 , e2 ) ∈ (Ax.pc).dpo ⇒ (φx (e1 ), φx (e2 )) ∈ D y .dpo
where (x, y) ∈ {(1, 2), (2, 1)}.
2. ¬ produceMB-blocked.
Example: Fig. 17.
Requirement: None of the two derivations produces a
match-blocking partial order for the other derivation’s
match. Formally:
∀e1 , e2 ∈ ev(Dx ) : ¬blocking(Ay.pc,φ y ) (e1 , e2 , Dx )
where (x, y) ∈ {(1, 2), (2, 1)}.
3. ¬ produce-produce.
Examples: Figs. 18 and 19.
Requirement: If there is a lifeline where the matches of
the two derivations start (end) with the same event e,
the two derivations cannot add unequal event sequences
before (after) that event. For all events e added before
(after) e, also the corresponding event e¯ (i.e. if e is a
123
R. Grønmo et al.
send event, then e¯ is the receive event of the same message, and vice versa) is added with respect to a common
matched event. Formally:
[Before-part:]
L1
L2
a
L3
L3
L1
L2
a
b
A1
∀l ∈ L, e1 ∈ Event, e2 ∈ Event :
e1 = first((A1.pc){l}) ∧ e2 = first((A2.pc){l})
∧ φ1 (e1 ) = φ2 (e2 )
⇒
L2
a1
L3 L3
b
b1
adv
L3
b
adv
A1
←
L1
L3
→
L1
L2
a
L3
L3
b
b
L1
L2
a1
L3 L3
b1
adv
b
Fig. 20 use-delete conflict due to match marking
(before(e1 , A1.a) = ∅ ∨ before(e2 , A2.a) = ∅
∨ (φ1 (before(e1 , A1.a)) = φ2 (before(e2 , A2.a))
∧ ∀e ∈ φ1 (before(e1 , A1.a)) :
∃e ∈ Event, l ∈ L : l = ll(e ) = ll(e¯ )
∧ ((e = φ1 (first(A1.pc){l })
∧ e = φ2 (first(A2.pc){l }))
∨ (e = φ1 (last(A1.pc){l })
∧ e = φ2 (last(A2.pc){l })))))
[After-part (symmetrical to Before-part):]
∀l ∈ L, e1 ∈ Event, e2 ∈ Event :
e1 = last((A1.pc){l}) ∧ e2 = last((A2.pc){l})
∧ φ1 (e1 ) = φ2 (e2 )
⇒
( after(e1 , A1.a) = ∅ ∨ after(e2 , A2.a) = ∅
∨ (φ1 (after(e1 , A1.a)) = φ2 (after(e2 , A2.a))
∧ ∀e ∈ φ1 (after(e1 , A1.a)) :
∃e ∈ Event, l ∈ L : l = ll(e ) = ll(e¯ )
∧ ((e = φ1 (first(A1.pc){l })
∧ e = φ2 (first(A2.pc){l }))
∨ (e = φ1 (last(A1.pc){l })
∧ e = φ2 (last(A2.pc){l })))))
The φ’s are extended to also map advice messages (and
not only pointcut messages) to base messages. This criterion is satisfied if there exists φ mappings of the advice
messages such that the before and after relations can be
satisfied.
Proof See Appendix A.6.
A special case of the first criterion is when a common
matched message m is deleted, since (!m, ?m) is always a
direct partial order. Another special case of the first criterion
can occur for two derivations that both use the same aspect,
and where the aspect applies match marking to avoid termination. When both derivations use the same match marking
aspect (with only partially overlapping matches), then the
123
match marking of the overlapping message(s) appears as if it
was a ‘deletion’ of a common matched message. A use-delete
conflict due to match marking is illustrated in Fig. 20.
Two derivations with no common matched events can only
be dependent if there is a violation of criterion 2. The third
criterion is not violated when only one of the derivations adds
an event sequence after a common matched event, or when
only one of the derivations adds an event sequence before a
common matched event. Thus, the two derivations may be
independent if one derivation adds an event sequence before
a common matched event, while the other derivation adds an
event sequence after the same common matched event.
Independence Lemma 2 gives necessary and sufficient
independence criteria when there are no negative pointcuts or
arbitrary events symbols in the aspects. These criteria ensure
that the advice diagram of one of the two aspects does not
prevent a match for the pointcut of the other aspects. In the
case where the aspect also contains one or more negative
pointcut diagrams, the three criteria of Lemma 2 are still
necessary, but they are no longer sufficient to ensure independence. With negative pointcuts, there are two additional
conflict types that make two derivations dependent.
The first case, which we call a deleteMB-forbid conflict,
is illustrated in Fig. 21. In this example, aspect A1 may be
applied to the base diagram as the c message is a matchblocking partial order for the candidate match between the
base diagram and the negative pointcut of A1. However,
aspect A2 changes the direction of the c message, so that
it is no longer blocking the negative pointcut of A1. Note
that independence would have been restored had A2 not only
removed the match-blocking partial order, but also destroyed
the candidate match for the negative pointcut, for instance by
also removing the b message.
The second case is illustrated in Fig. 22. In this case, aspect
A2 introduces a match for the negative pointcut of A1 by
changing the c message to a b message, meaning that aspect
A1 may no longer be applied. This corresponds to a produce-forbid conflict. In general, one of the sequence diagram aspects may very well introduce a candidate match for
a negative pointcut in the other aspect, as long as the resulting diagram also has a match-blocking partial order for that
candidate match. However, this is not the case in Fig. 22.
Confluence of aspects for sequence diagrams
Fig. 21 deleteMB-forbid
conflict where one derivation
removes a match-blocking
partial order for a negative
pointcut of the other aspect
L1
L1
L2
L2
L1
L3
a
a
L1
L2
x
A2
L2
←
L3
L1
L1
a
a
b
L2
The usage of arbitrary events symbols in aspect diagrams
does not affect the independence theory, and no additional
independence criteria are needed. This is because the binding
of the arbitrary events symbols is resolved in the match, and
the weaving must preserve the events bound by the arbitrary
events symbols. Hence, with a specific ψ, the aspect can be
seen as being free from arbitrary events symbols.
The examples in Figs. 21 and 22 lead to the following independence lemma for aspects which may also contain one or
more negative pointcuts. In the lemma, the two conflict types
deleteMB-forbid and produce-forbid are combined into one
formal independence criteria.
Lemma 3 (Independent derivations with negative pointcuts and arbitrary events symbols) Two direct derivations
A1,φ1 ,ψ1
L3
c
b
L1
L2
L2
L1
c
L2
L2
b
A2
←
L1
L2
a
A1
A2
x
b
L1
L3
x
←
L1
L2
b
L1
L2
c
a
c
b
L2
L1
L3
→
L1
L3
x
c
c
b
Fig. 22 produce-forbid
conflict where one derivation
produces a match for a negative
pointcut of the other aspect
L2
L2
A2
A1
←
x
L1
c
b
L1
L3
L2
→
L1
x
c
L2
L1
a
c
L2
a
b
derivation (the converse of criterion 1). Formally:
∀Dnpc ∈ Ax.Npc : ∀φx ∈ :
φx φx ⇒
((∃e1 , e2 ∈ ev(D y ) : blocking(Dnpc ,φx ) (e1 , e2 , D y ))
∨
(∃e1 , e2 ∈ ev(Dnpc ) : (e1 , e2 ) ∈ Dnpc .dpo
∧(φx (e1 ), φx (e2 )) ∈ D y .dpo) )
where (x, y) ∈ {(1, 2), (2, 1)}.
Proof See Appendix A.7.
A2,φ2 ,ψ2
D1 ←−−−−− D −−−−−→ D2
are independent if and only if the following criterion is met
in addition to the criteria from Lemma 2:
4. ¬ deleteMB-forbid and ¬ produce-forbid.
Example: Figs. 21 and 22
Requirement: None of the two derivations produces a
match for one of the other derivation’s negative pointcuts. This may be ensured either by keeping / producing a
match-blocking message (the converse of criterion 2), or
by making sure that for each negative pointcut, at least
one of the partial orders is deleted / not produced by the
7 Confluence is undecidable
Plump [44] has shown that confluence is undecidable for
terminating GTS by reduction of the well-known undecidable Post’s Correspondence Problem (PCP) [45]. This section
shows that confluence is undecidable for the full sequence
diagram aspect language.
Plump specifies a systematic way to encode a PCP instance
into a set of GTS rules, which he proves are terminating.
Then he uses two lemmas to prove that the PCP instance
has a solution if and only if the constructed GTS rules are
not confluent. Our proof reuses Plumps proof except that we
123
R. Grønmo et al.
1
2
3
4
α
aba
bbb
aab
bb
β
a
aaa
abab
babba
1
4
3
1
aba
bb
aab
aba
ababbaababa
a
babba
abab
a
ababbaababa
Fig. 23 Post Correspondence Problem (PCP) example
have a systematic way to encode a PCP instance into a set of
terminating sequence diagram aspects instead of GTS rules.
Our set of aspects correspond very closely to the GTS rules
that Plump constructs, although the notations and formalisms
are different.
The rest of this section is used to prove the following theorem:
Theorem 4 (Undecidability) It is undecidable to determine
if an arbitrary finite set of terminating aspect diagrams with
negative pointcuts and the arbitrary events symbol is confluent.
The structure of the remainder of this section is as follows:
First, we explain the PCP problem, then we present a method
to construct a set of aspect diagrams based on an arbitrary
PCP instance. Lemma 4 gives that these aspect diagrams are
terminating. Lemmas 5 and 6 state that the constructed aspect
diagrams are confluent if and only if the PCP instance has no
solution. Together, this gives that the set of aspects is confluent if and only if the PCP instance has no solution. Since PCP
is undecidable, this must mean that confluence is undecidable as well (Theorem 4), as we otherwise could have used
confluence to decide the PCP problem.
An example instance of PCP has four numbered pairs of
words over an alphabet with the letters a and b (top part of
Fig. 23). A solution to the PCP instance will be a sequence
of these pairs such that the concatenation of the top letters
equals the concatenation of the bottom letters (bottom part
of Fig. 23). The sequence 1, 4, 3, 1 is a solution. Notice that
a word pair may be repeated such as with pair number 1 in
the solution. Otherwise it would be sufficient to produce all
possible combinations in order to decide PCP.
The decision problem is to decide if there exists a solution to a given PCP instance. A PCP instance consists of n
word pairs where we denote pair number i as (αi , βi ). Furthermore, αi and βi are words consisting of characters from
some alphabet .
We now proceed by giving the full details of the undecidability proof, starting with explaining the transformation of
a PCP instance into a set of aspects. The main idea is that a
solution proposal, i.e. a sequence of indices, may be encoded
as a base diagram as shown in the leftmost diagram in the
top part of Fig. 24. We use message signals to represent indi-
123
ces between 1 and n, characters in the alphabet , and the
special signals start and end. A solution proposal involves
three lifelines. The Propose lifeline contains a sequence of k
indices representing a proposal. Aspects (explained in more
detail later) are defined so that lifeline A/B is first used to
produce a full sequence of characters for the α/β part of the
proposed word pairs, and finally to test if those two character
sequences are equal.
For simplicity in the proof, we use extensively messages
where the sender and receiver lifelines are equal (which is
allowed for sequence diagrams), e.g. the end message on the
Propose lifeline. It is possible to do the proof without such
messages by introducing a few additional lifelines.
We define the PCP aspects such that a base diagram representing a PCP solution proposal will have two normal forms
(where no further aspects may be applied), the success normal form and the fail normal form as shown in the top part
of Fig. 24.
Based on a PCP instance I we automatically produce a
set of aspects, aspects(I), as shown in the bottom part of
Fig. 24. We now explain the rationale behind these aspects.
We present aspect templates representing a set of aspects
ranging over the possible indices {1, . . . , n} or over the alphabet . The symbols ai for all i ∈ {1, . . . , p} and b j for all
i ∈ {1, . . . , q} denote characters over the alphabet . p and q
are natural numbers, where their value depend on the index i.
The aspects are carefully designed so that they will enforce a
specific weave order: first init aspects, then test aspects, and
finally clean aspects.
An init aspect (init1 or init2) replaces an index i on the
Propose lifeline by the character messages, corresponding
to the word pair (αi , βi ), onto the A and B lifelines. For
instance, if i = 1 with the PCP instance in Fig. 23, messages
a, b and a will be inserted on the A lifeline, and message
a on the B lifeline. When all indices are removed from the
Propose lifeline, the test aspects will take over.
The test aspects are mutually exclusive. The test1 aspects
remove messages with equal character names (represented
by x in the aspect template) from both the A and B lifelines, and these aspects are the only test aspects that keep
the success message. The other test aspects (test2, test3
and test4) replace the success message with a fail message.
The test2 aspects detect unequal character messages on the
A and B lifelines, while the test3 and test4 aspects detect
an unequal number of messages on the A and B lifelines.
The test aspects will be applied repeatedly until they either
remove all characters from both the A and B lifelines, or
until the fail message is introduced. The three sets of clean
aspects (cleanP, cleanA, and cleanB) will continue to weave
on failure marked diagrams until the fail normal form is
reached.
The fail aspects ensure that we can always produce the
fail normal form from base diagrams that encode a PCP pro-
Confluence of aspects for sequence diagrams
Propose
Propose
A
B
sta
end
i1 rt
start
i
B
...
end
Propose
st
ar
t
A
B
end
a1
bq
//
start
fail
end
start
success
//
end
i
end
i ∈ {1,...,n} ∧ α i = a1...ap ∧ β i = b1...bq
start
Propose
st
ar
t
Propose
A
B
sta
end
rt //
//
start
success
B
end
A
B
end
//
//
a1
ap
start
Propose
A
B
Propose
A
B
st
st
end
end
ar /
ar /
//
t /
t /
//
success
fail
a
b
start
start
end
end
a,b ∈ Γ ∧ a ≠ b
Propose
A
B
end
st
ar /
t /
fail
start
end
Propose
A
B
end
st
ar
//
t
success
b
start
end
x∈Γ
a∈Γ
Propose
A
B
sta
end
rt /
/
/
fail
start /
i
//
end
Propose
A
B
end
st
ar /
t /
//
a
fail
start
end
//
end
end
Propose
A
B
Propose
A
B
sta
sta
end
end
rt
rt
start
start
fail
i
//
//
end
end
i ∈ {1,...,n}
Propose
A
B
st
end
ar
t /
/
//
fail
start
end
b∈Γ
*
1..n}
B
Propose
A
end
st
ar /
t /
//
fail
start
a∈Γ
i ∈ {1,...,n}
Propose
i
//
#m: * {m
//
end
Propose
A
B
end
st
ar
t
//
fail
start
end
b∈Γ
Propose
A
B
sta
end
rt /
/
/
fail
start /
Propose
A
B
st
end
ar
t /
//
/
fail
b
start
end
bq
i ∈ {1,...,n} ∧ α i = a1...ap ∧ β i = b1...bq
Propose
A
B
end
st
ar /
//
t /
success
start
end
Propose
A
B
end
st
ar /
//
t /
success
x
x
start
end
b1
...
ap
A
...
...
b1
...
success
//
end
Propose
A
B
end
st
ar /
t /
success
a
start
end
Propose
end
start
start
success
end
k
B
Propose
A
sta
end
rt
start
i
//
end
A
*
Propose
i
//
//
Propose
*
i
//
*
//
end
end
i ∈ {1,...,n} for all
the negative pointcuts
Fig. 24 Top: solution proposal has two possible normal forms, Bottom: aspects(I )
posal. The rationale is that a base diagram has two normal
forms (success and fail) only in cases where the base diagram
encodes a PCP solution.
We have defined three negative pointcuts to avoid weaving
on ill-defined diagrams. These negative pointcuts all apply to
each of the aspects having an index in the pointcut, i.e. init1,
init2, cleanP and fail. The negative pointcuts ensure that there
are only other indices (or nothing) between a matched index
and its end message on the Propose lifeline. Identifiers (not
shown) are used to bind the i and end messages in the pointcuts to the same i and end messages in the negative pointcuts.
The first negative pointcut template contains the expression
#m : ∗ {m ∈
/ 1 . . . n}, which means that the negative pointcut
matches any message signal except valid indices.
123
R. Grønmo et al.
Lemma 4 aspects(I) is terminating
Proof No aspects add index-messages on the Propose lifeline. Thus, the aspects fail, init1, init2 and cleanP removing index-messages from the Propose lifeline cannot be
repeated infinitely. It suffices to prove that the remaining set
of aspects (excluding the fail, init1, init2 and cleanP aspects)
are terminating. These aspects all decrease the number of
messages, and thus cannot be repeated infinitely either. We
conclude that the complete set of aspects are terminating.
Lemma 5 If I has a solution, then aspects(I) is not
confluent.
Proof A base diagram with the encoded solution, i 1 , . . . , i k ,
in proposal state has both the success and fail normal forms.
We get the success normal form by first applying the aspect
init1 once, then the aspect init2 k − 1 times. Since we assume
that i 1 , . . . , i k is a solution, of the PCP instance I, we know
that there will be equivalent sequences of character messages
on the A and B lifelines. Thus, the aspect test1 can be applied
to remove all these character messages until we reach the success normal form.
We get the fail normal form by first applying the fail aspect
once, followed by applying the aspect cleanP k − 1 times.
Thus, aspects(I) is not confluent.
Lemma 6 If I does not have a solution, then aspects(I) is
confluent.
Proof From Newman’s Lemma and that aspects(I) is terminating (Lemma 4), it is sufficient to show that aspects(I) is
locally confluent. The proof proceeds by trying to find a pair
of direct derivations which is not joinable, i.e. to show that
the aspects are not locally confluent. From Definition 15, we
know that such a pair of derivations must be dependent.
From Lemma 3, there are four criteria that can make two
direct derivations dependent. We now consider these four
criteria in the reverse order.
Criterion 4 is violated if we have a produce-forbid or a
deleteMB-forbid conflict. There are no aspects introducing a
message spanning two lifelines, so there cannot be a produceforbid conflict for the two latter negative pointcuts. Only success and fail messages are introduced as non-index messages
on the Propose lifeline, and the success and fail messages will
always get the !start event directly above on the Propose lifeline. This means that we cannot get a produce-forbid conflict
for the first negative pointcut either. deleteMB-forbid conflicts cannot occur. This is because all aspects only add and
delete messages where the sender and receiver lifelines are
the same.
Even though criterion 4 has not been formally defined for
negative pointcuts with symbolic messages (e.g. ∗ as message signal), it is easy to see that we cannot get produce-forbid
conflicts here.
123
For criterion 3 that defines produce-produce conflicts,
observe that for all aspects events are only added in between
the matched start and end messages for all the three lifelines.
Hence, criterion 3 can obviously not be violated.
For criterion 2 that defines produceMB-blocked conflicts,
it is not possible to produce match-blocking partial orders for
the other derivation since for all added messages the sender
and receiver lifelines are the same.
We can concentrate on criterion 1 that defines use-delete
conflicts. There are only two pairs of aspects that can take
part in dependent derivations with use-delete conflicts: (1)
cleanA and cleanB, and (2) fail and init1. The negative pointcuts exclude other combinations. It is trivial to see that cleanA
and cleanB can be commuted.
We now check the last possibility of non-confluence which
init1
f ail
is a derivation D1 ←−−− D −−→ D2 . These two derivations
may have events external to the matches, i.e. before and after
the match on the three involved lifelines, or anywhere on
any other lifeline. Those external events will however not be
affected when we join the two derivations, and we ignore
such events to simplify the argumentation. We explain how
both D1 and D2 leads to the fail normal form.
We apply the init2 aspect on D1 until all index messages are removed from the Propose lifeline. We then apply
the test1 aspect as long as possible (maybe zero times).
Eventually, because I does not have a solution, we will be
able to apply one of the aspects test2, test3 or test4 which
changes the success message to a fail message. The aspects
cleanA and cleanB are applied until we reach the fail normal
form.
On D2 we apply the cleanP aspects until we reach the fail
normal form. Since D1 and D2 are joinable, we have shown
that aspects(I) is confluent.
We are now ready to prove the undecidability theorem
given at the beginning of this section.
Proof of Theorem 4 For every PCP instance I, the set of
aspects constructed by aspects(I) is terminating (Lemma 4).
Furthermore, I has a solution if and only if aspects(I) is
not confluent (Lemmas 5 and 6). Since PCP is undecidable,
the confluence of terminating aspects (w/ deletion, negative
pointcuts and the arbitrary events symbol) must also be undecidable.
Figure 25 illustrates that Lemma 6 depends on our defined
negative pointcuts. Otherwise we get non-confluence for illformed base diagram examples, even if the PCP instance does
not have a solution.
Consider the PCP instance I (Fig. 25a) with a single word
pair (α1 , β1 ) = (a,b). This instance I obviously has no solution. Without the first negative pointcut, we may have a nonindex message, such as trash, in the indices list, and still be
able to apply aspects. In Fig. 25b we have constructed such a
Confluence of aspects for sequence diagrams
α
β
(a)
a
b
Propose
A
B
end
sta
rt
a
b
success
start
trash
end
has no solution
Propose
A
B
end
sta
rt
1
start
trash
end
(b) aspects(
Propose
A
B
end
sta
rt
fail
start
trash
end
) is not confluent
Fig. 25 Undecidability proof (lemma 6) breaks without our defined negative pointcuts
base model which shows that aspects(I) is not confluent. The
aspects fail and init1 can be applied to obtain two different
normal forms.
8 Confluence analysis using critical pairs
In this section, we restrict the expressiveness of aspects to
exclude negative pointcuts and the arbitrary events symbol.
For this class of sequence diagram aspects, we establish a
critical pair analysis to determine confluence.
Confluence of a set of aspects is a property that by Definition 13 must hold for any given base model. With infinitely
many possible base models, we cannot simply check all base
models.
For TRS, it turns out that it is sufficient to investigate a
limited set of input terms, i.e. those that take part in critical
pairs. All critical pairs are joinable if and only if there is confluence [30]. The set of critical pairs is constructed from all
pairs of rules that can produce dependent derivations.
For GTS, confluence holds if all critical pairs are strongly
joinable [44], where strong joinability is joinability and the
additional requirement that all nodes preserved in the two
derivations of the critical pair, must be maintained and be
isomorphic in the joined result. This additional requirement
is relevant only when there are unnamed nodes in the graph.
For sequence diagrams, all messages and lifelines are named,
and there is no difference between joinability and strong joinability.
In the following, we first (by Definition 17 in Sect. 8.1)
define critical pairs in the context of sequence diagrams,
and present a systematic way to construct them. Section 8.2
explains why joinability of critical pairs does not necessarily
imply confluence for sequence diagrams, in contrast to for
TRS and GTS. As a consequence, a notion of extended critical pairs is defined by Definition 19 in Sect. 8.3, for which
it is proved by Theorem 5 that joinability is equivalent with
confluence.
critical pair is used to distinguish these critical pairs from
extended critical pairs which will be defined in Sect. 8.3. The
following definition defines the notion of a minimal context
base diagram, which will be used in the definition of minimal context critical pair. Intuitively, a minimal context base
diagram with respect to two aspects, is a base diagram containing (possibly overlapping) matches for the two pointcut
diagrams, and nothing more.
Definition 16 (Minimal context base diagram) A diagram
D is a minimal context base diagram, mcbd (A1 ,φ1 ,A2 ,φ2 ) (D),
with respect to two aspects A1 and A2 and the mappings φ1
and φ2 if
1. there is a match between D and each of the two pointcut
diagrams, and
2. all messages in D are matched by at least one of the two
pointcuts
Formally:
def
mcbd (A1 ,φ1 ,A2 ,φ2 ) (D) =
matchφ1 (A1 .pc, D) ∧ matchφ2 (A2 .pc, D) ∧
msg(D) = φ1 (msg(A1 .pc)) ∪ φ2 (msg(A2 .pc))
A minimal context critical pair is now defined as two
dependent direct derivations from the same minimal context
base diagram:
Definition 17 (Minimal context critical pair) Two (differA1 ,φ1
A2 ,φ2
ent) direct derivations D1 ←−−− D −−−→ D2 constitute a
minimal context critical pair if the two derivations are dependent and D is a minimal context base diagram for A1 and A2 .
8.1 Minimal context critical pairs
Here, A1 and A2 may represent the same aspect. When
A1 = A2 , the mappings φ1 and φ2 must differ to make the
two derivations different.
We now describe a systematic way to construct the minimal context critical pairs. The strategy is to investigate all
two pairs of aspects (including pairs of the same aspect) to
see if it is possible to construct two dependent derivations:
Analogously to TRS and GTS, we define a notion of critical
pair for sequence diagram aspects. The term minimal context
1. Start with the pointcut of A1 and create an initial base
diagram Dinit = A1 .pc and a mapping φ1 such that for
123
R. Grønmo et al.
:
:
L1 L2 L3 L4
a
d
b
L1 L2 L3 L4
a
d
adv
b
:
L1 L2 L3
L1 L2 L3 L4
adv
b
c
e
L4
b
c
e
L1 L2 L3 L4
L1 L2 L3 L4
L1 L2 L3 L4
a
a
a
d
d
d
A1
A3
adv
adv
A2 adv
b
b
adv
b
e
c
c
e
c
e
←
←
←
L1 L2
adv
A3
←
adv
L1 L2
adv
←
L1 L2 L3 L4
a
x
d
b
e
c
L1 L2
adv
adv
A2
→
L1 L2 L3 L4
a
d
adv
b
c
A3
→
e
L1 L2
adv
adv
adv
adv
L1 L2 L3 L4
L1 L2 L3 L4
a
a
A1
adv
A2 adv x
x
d
d
b
adv
b
c
e
e
c
←
L1 L2 L3 L4
a
d
b
c
e
L1 L2
adv
A2
→
L1 L2 L3 L4
a
x
d
adv
b
c
e
Fig. 26 Joinable critical pairs does not imply local confluence due to additional events between the matches
any message m in the pointcut of A1 , φ1 (m) = m. Put a
red cross in all positions between two consecutive events
on the same lifeline in Dinit . No events can be added to
Dinit at these positions since that would break the match
between the base diagram and the pointcut of A1 .
2. Extend Dinit into D by adding messages from the pointcut of A2 and creating a mapping φ2 such that
(a) φ2 defines a match between A2 and D, and
(b) for each message m 2 in the pointcut of A2
(i) either, φ2 (m 2 ) = m 2 and m 2 is not a message
in Dinit ,
(ii) or, φ2 (m 2 ) = m b where m b is a message
in Dinit . In this case, m b will be a common
matched message for A1 and A2 .
3. D is now a minimal context base diagram for A1 and A2 .
A1 ,φ1
A2 ,φ2
The two direct derivations D1 ←−−− D −−−→ D2 is a
minimal context critical pair if the two derivations are
dependent according to Lemma 2.
The second step needs to be repeated for all possible additions of the messages in the pointcut of A2 to Dinit . It is necessary to also consider crossing messages when constructing
the minimal context base diagram, such as with the base diagram in Fig. 17.
123
8.2 Minimal context critical pairs are not good enough
In contrast to TRS and GTS, an investigation only of minimal context critical pairs is not good enough to claim local
confluence of our aspect diagrams. We illustrate the problem
by two examples.
In the first example (Fig. 26) there are three aspects. The
aspects A1 and A2 add an adv message, while the aspect A3
replaces two consecutive adv messages with a single adv
message. Notice that aspect A2 contains the pointcut in its
advice, and we need to use match marking to ensure that
this aspect will terminate. This set of aspects has two critical
pairs. The first critical pair (shown in the middle part of the
figure) is a base diagram with the five messages a, b, c, d and
e, and its two derivations using the aspect A1 and the aspect
A2. There is a use-delete conflict since the match of aspect
A1 uses the direct partial order (?a,!b), which is implicitly
deleted by aspect A2 since it introduces a new event ?adv in
between the events ?a and !b.
The A2 derivation leads directly to a normal form, because
the !adv event on the L2 lifeline prevents the application
of aspect A1, and aspect A3 is not applicable as there
are no two consecutive adv messages in the diagram. The
A1 derivation in the critical pair results in a diagram on
which it is possible to apply aspect A2, and then aspect
A3. Finally, we get the same normal form as with the A2
Confluence of aspects for sequence diagrams
:
:
L1 L2 L3
a
d
b
L1 L2 L3
a d
adv
b
:
L2 L3 L4
c
d
b
L1 L2 L3 L4
L1 L2 L3 L4
c
c
a
a
A3
A1
adv
d
d
adv
adv
b
b
←
←
L1 L2 L3 L4
a
A1
x
c
d
adv
b
←
L2 L3 L4
c
d adv
L1 L2 L3 L4
c
a
d
b
L1 L2 L3 L4
c
a
d
b
L1 L2 L3 L4
a
x
c
d
b
L1 L2 L3 L4
c
a
adv
d
L1 L2 L3 L4
L1 L2 L3 L4
c
c
a
a
A1
A2
adv
adv
d
d
b
adv
b
→
→
A2
→
L1 L2 L3 L4
L1 L2 L3 L4
a
a
x
A1
x
c
c
adv
adv
d
d
adv
b
b
→
Fig. 27 Joinable critical pairs does not imply local confluence due to added match-blocking partial order
derivation of the critical pair, i.e. the critical pair is joinable.
The second critical pair is a base diagram with three consecutive adv messages, and with two overlapping matches
for two different A3 derivations. This critical pair has already
been joined since the two derivations produces the same
result, which is two consecutive adv messages.
In spite that all critical pairs are joinable, the bottom part
of Fig. 26 shows that the set of aspects is not confluent. As our
base diagram we have added a new message, x, in between
the two matches in the base diagram of the A1 − A2 minimal
context critical pair. The x message is between the matches
on the L1 lifeline since the ?x event is after all the matched
events in the A1 derivation (!a), while it is before all the events
in the A2 derivation (!c).
Notice that when applying the A1 and A2 aspects on this
base diagram it is unambiguous where to place the new ?adv
events on the L1 lifeline. In the A1 derivation it is placed
directly after !a (and thus before ?x), and for the A2 derivation it is placed directly before !c (and thus after ?x). This is
because the new events in the advice relates to the old events
matched by the pointcut.
The result is that the ?x event prevents application of the
aspect A3, which was used in joining the critical pair, since
the ?x event splits A3’s required event order on lifeline L1.
Instead we reach two normal forms which are different, and
we have shown that the set of aspects is not confluent even
though all critical pairs are joinable.
In the second example (Fig. 27) there are also three
aspects. The three aspects all preserve their pointcut mes-
sages and they all add an adv message. The base diagram
and the A1 and A2 derivations in the middle part of Fig. 27
shows the only minimal context critical pair. The two derivations are dependent since there is a use-delete conflict.
Aspect A1 adds an adv message which implies a deletion of
two direct partial orders, (!d,!b) and (?d,?b), that are matched
by aspect A2. The critical pair is joinable by applying the A3
and A1 aspects on the two woven diagrams in the critical pair.
In the bottom part, we have introduced a new message
x, which does not prevent the first A1 and A2 derivations.
However, the A3 aspect is no longer applicable since (!x,?x)
becomes a match-blocking partial order. We reach two normal forms which are different, and we have shown that the
set of aspects is not confluent.
8.3 Extended critical pairs
In this section, we define a way to extend each minimal context critical pair such that all the extended critical pairs are
joinable if and only if the set of aspects is confluent. The minimal context critical pair is extended in a systematic way such
that it is maximally difficult to join the extended critical pair.
This is accomplished by reducing the applicable aspects in
two ways: (1) the introduction of new events (Fig. 26), and (2)
the introduction of match-blocking partial orders (Fig. 27).
Both these extensions may prevent matches and hence the
application of aspects.
We investigate the counterexamples in Figs. 26 and 27 to
see why joinability of minimal context critical pairs is not
good enough. All lifeline positions of the minimal context
123
R. Grønmo et al.
L1
L2
L3
L3
α
α
α
α
a
d
b
β
ω
ω
e
ω
ω
Before (α)
β
β
c
α
Between (β)
ω
Fig. 28 Analysing lifeline positions in the minimal context base diagram of Fig. 26 for relevant extensions
After (ω)
Fig. 29 Relevant message directions in an extended critical pair
base diagram in the critical pair are analysed to see how
additional events in the base diagram may affect the joinability.
Figure 28 shows how additional events may be categorized
as one of three types, depending on their lifeline position relative to the events in the minimal context base diagram: α, β
and ω. An event that occurs in an α-position, is placed before
both matches of the critical pair with respect to a lifeline. The
?x event in the bottom of Fig. 27 is in an α-position. An event
that occurs in a β-position, lies between the two pointcut
matches relative to one lifeline, i.e. after all matched events
from the first pointcut and before all matched events from the
second pointcut. The ?x event in the bottom of Fig. 26 is in
a β-position. An event that occurs in an ω-position is placed
after both matches of the critical pair relative to a lifeline.
The !x event in the bottom of Fig. 27 is in an ω-position.
Figure 28 also shows that some of the lifeline positions in
the minimal context base diagram are prohibited event positions. In these positions we cannot place any events since
they would prevent at least one of the two matches. E.g. an
event between the ?a event and the !b event prevents the A1
derivation of the critical pair. Prohibited positions are shown
as crossed out squares in Fig. 28.
In an extended critical pair, we introduce messages that
either introduce additional events between the matches (as in
Fig. 26) or lead to potentially match-blocking partial orders
for the aspects used to join the two derivations in the critical
pair (as in Fig. 27). At the same time, the introduced messages
cannot introduce match-blocking partial orders that prevents
the two derivations of the critical pair. The messages are only
sent or received at χ -positions = α ∪β ∪ω. We use the special
symbol, χ , as the message signal, and assume this message
signal is not part of any of the aspect pointcuts.
Figure 29 shows all the relevant message directions that
can lead to the extended critical pair not being joinable. The
three ellipses represent the set of α-, β-, and ω-positions
respectively. The directed arrows indicate between which two
kinds of positions, an introduced message is relevant to insert.
For additional events between the matches, as in Fig. 26, this
corresponds to the extended pair having a message to or from
123
a β-position—in the simplest case from a β-position to itself.
For analysis purposes, a match-blocking partial order (which
was the problem in Fig. 27), can always be reduced to a single match-blocking message having the send event after the
match on one lifeline, and before the match on another lifeline. Thus, a message which is sent from an α-position cannot
introduce a match-blocking partial order, while a message
from a β-position to an α-position, or from an ω-position to
a β- or α-position, is potentially match-blocking.
Definition 18 (χ -message) Given a minimal context base
diagram D, a χ -message is a message with signal χ between
two χ -positions where the relevant directions are given by
Fig. 29.
Definition 19 (Extended critical pair) Given a minimal conA1 ,φ1
A2 ,φ2
text critical pair D1 ←−−− D −−−→ D2 , we denote its
χ
A1 ,φ1
A2 ,φ2
χ
extended critical pair by D1 ←−−− D χ −−−→ D2 , where
D χ is constructed from D as follows:
– insert one χ -message in each relevant direction (as
defined in Definition 18) if:
– the χ -message does not introduce a match-blocking
partial order for any of the two matches defined by φ1
and φ2 .
– the χ -message can be inserted such that it does not
introduce cyclic partial orders (in which case the
extended base diagram would be an invalid sequence
diagram)
– D χ contains a χ -message from and to the same β-position
if and only if there are no other χ -messages with its send
or receive event in the same β-position.
We refer to D χ as the extended base diagram. An extended
base diagram that does not contain any χ -messages, corresponds to the minimal context base diagram.
For the A1− A2 minimal context critical pair in Fig. 26 we
now investigate the 10 possible χ -positions shown in the top
Confluence of aspects for sequence diagrams
χ−
L1
1
a
L2
L3
2
3
4
6
c
e
8
L1 L2 L3 L4
a
d
χ b χ
c
d
b
5
7
L3
e
9
L1 L2 L3 L4
a
d
b
c
e
10
L1 L2 L3 L4
a
d
b χ
χ
c
e
L1 L2 L3 L4
a
d
χ b
χ
c
e
L1 L2 L3 L4
a
d
χ b
χ
c
e
Fig. 30 From minimal context base diagram to extended base diagram
for the example in Fig. 26
left part of Fig. 30. For each of these 10 positions we consider
the possible χ -messages being sent from its position. No
χ -messages can be sent from any of the α-positions 1, 2, 3,
and 4.
Position 5: Messages from position 5 to the positions 2,
3 or 4 are impossible, since they introduce match-blocking
partial orders for A1’s match. A χ -message from position 5 to
position 6 shall be part of the extended base diagram according to Definition 19. As there is a message from position 5
to position 6, there should not be a χ -message from position
5 to itself.
Position 6: Messages from position 6 to positions 1 or 2
are match-blocking for A1’s match. A message from position
6 to position 3 introduces cyclic partial orders. A χ -message
from position 6 to position 5 shall be part of the extended base
diagram according to Definition 19. As there is a message
from position 6 to position 5, there should not be a χ -message
from position 6 to itself.
Position 7: Messages from position 7 to positions 2,3 or
4 are impossible, since they introduce match-blocking partial orders for both A1 and A2’s matches. A message from
position 7 to position 6 is match-blocking for A2’s match.
Hence, no χ -messages are added from position 7.
Position 8: Messages from position 8 to positions 1 or
5 are impossible, since they introduce cyclic partial orders
in the extended base diagram. Messages from position 8 to
positions 3 or 4 are match-blocking for both A1 and A2’s
matches, while a message from position 8 to position 6 is
match-blocking for A2’s match. No χ -messages are added
from position 8.
Position 9: Messages from position 9 to positions 5 or 6
are match-blocking for A2’s match. Messages from position
9 to positions 1 or 2 introduce cyclic partial orders, while a
message from position 9 to position 4 is match-blocking for
both A1 and A2’s matches. Hence, no χ -messages are added
from position 9.
Position 10: Messages from position 10 to positions 1, 2 or
3 all introduce cyclic partial orders. A message from position
10 to position 5 is match-blocking for A2’s match. Hence,
no χ -messages are added from position 10.
Finally, our extended base diagram is constructed as
shown in Fig. 30. Notice that there are two added events
in both the positions 5 and 6. By ordering these differently,
we get four different extended base diagrams. One of these
four diagrams contains cyclic partial orders, and cannot be
used. The other three alternatives are equally good for our
purpose, and we non-deterministically choose one.
For the example in Fig. 27, the extended base diagram
becomes identical (except for having a message symbol χ
instead of x) to the base model in the bottom of Fig. 27 that
is used to show non-confluence.
Theorem 5 (Confluence) A set of terminating aspects (without the arbitrary events symbol and without negative pointcuts) is confluent if and only if all the extended critical pairs
are joinable.
Proof See Appendix A.8.
The production of all extended critical pairs, and the joinability check, can be fully automated. All the minimal context
critical pairs are constructed by taking all pairs of aspects
to see if the pointcuts can be combined to constitute minimal context base diagrams in dependent derivations. From
Definition 19 we produce the set of all extended critical pairs
from the minimal context critical pairs. Since we assume that
the set of aspects is terminating, it follows from Newman’s
lemma that the joinability corresponds to the equivalence of
normal forms. Hence, confluence can be determined by a
fully automated algorithm.
The confluence theory has assumed that the base diagrams
are basic sequence diagrams. However, we may conclude that
the theory works for sequence diagrams using any combination of opt, alt, loop and par operators. This is because we in
Sect. 2.1 defined how such sequence diagrams can be mapped
to a set of basic sequence diagrams. For unbounded loops this
means that we get infinitely many basic sequence diagrams.
A confluence result will even hold for such unbounded loops
since confluence by definition must hold for arbitrary base
models.
123
R. Grønmo et al.
9 Related work
Related work is organized in two subsections. In the first
subsection, we address related work related to detection of
aspect interactions for general aspect-oriented approaches.
In the second subsection, we address related work related to
sequence diagram-based aspects, and discuss to what extent
our results can apply to those approaches.
9.1 Detection of aspect interactions
We are not aware of any related work addressing a full confluence theory based on the concrete syntax of sequence diagram-based aspects. In fact, we have not seen any full confluence analysis directly related to any other model transformation or aspect-oriented modeling approach.
There are, however, some approaches [12,37,38,53] that
translate their rules/aspects to another formalism that supports automated detection of conflicts and dependencies. Two
such target formalisms are graph transformation and logicbased languages [29].
The benefit of the translation-based approaches is that
well-established theories and associated tools can be reused.
However, there are several drawbacks compared to a more
specialized approach. While our confluence theory can
be understood directly within the familiar concrete syntax of sequence diagrams, the translation-based approaches
requires detailed knowledge of another formalism. Considerable effort is needed to perform translations of the base
models themselves and the corresponding aspects. In addition, the reported conflicts and dependencies will be given
in relation to the representations in the respective formalism,
and not directly in relation to the aspect modeling notation,
which is sequence diagram-based aspects in our approach.
This can be less comprehensive for the system modelers and
aspect designers.
Graph transformation has a well-established theory for
confluence which is partially supported by the AGG tool [52].
AGG can be used to automatically detect dependencies and
conflicts. A dependency between two rules means that the
first rule will enable additional matches of the second rule.
A conflict means that application of one rule can prevent the
other rule from being applied.
The AGG tool only partially supports the confluence theory of graph transformation. If there are no conflicts reported
by AGG, then the set of rules are confluent. The set of rules
may, however, be confluent even if there are conflicts. Conflicts lead to critical pairs, and a so-called strong joinability
of all critical pairs is sufficient to claim confluence. Due to
undecidability of confluence, confluence may hold even if
not all critical pairs are strongly joinable. Some examples of
aspects that are translated to rules in AGG may be found in
[12,29,37,53].
123
Kniesel [29] uses so-called conditional transformations,
which are logic-based transformation specifications. The
approach can be used to detect aspect interactions in AspectJ
[22] with a translation-based approach to the Condor tool
[28]. The detection of aspect interactions in the Condor tool
is more efficient than the NP-complete analysis supported
by AGG. Except for this, the two tools are very similar as
reported by Mens et al. [38]. The Condor tool will report
triggerings and inhibitions, where a triggering corresponds
to a dependency in AGG and an inhibition corresponds to a
conflict in AGG.
Many approaches study aspect interactions in relation to
one given base model [8,16]. This is more restricted than
studying the confluence property, which is a property that
means that there will be no aspect interactions for any base
model. Performing a full confluence analysis, as we do, is
more complicated and may sometimes reveal problems that
tend to not occur in practice. On the other hand, the detection of aspect interactions in relation to a specific base model
needs to be performed each time the base model changes.
In this case, the system developer may have to resolve conflicts each time the weaving process is activated, which is
particularly undesirable for runtime weaving.
Havinga et al. [16], is an example of an approach to detect
conflicts related to a specific base model. They focus on socalled aspect introduction in AspectJ, i.e. aspects that change
the static structure of Java such as the class definitions. Java
programs are translated into graphs and AspectJ aspects are
translated into graph transformation rules. The Groove tool
[46] is used to analyze possible conflicts by exploring the
entire state space of possible graph transformations. A conflict is reported if the final woven result is ambiguous. Staijen and Rensink [1] have a similar approach to Havinga
et al., where the main difference is that the original aspects
are defined in the composition filters language instead of
AspectJ.
There are some approaches that explore if aspects can
cause undesired effects on a model or program state [16,21,
32]. This is different from the focus of our paper to detect
if the weave order of multiple aspects can be ambiguous.
Havinga et al. specify separate rules to match broken invariants, and detects if the weaving of an aspect leads to a match
of this invariant rule. Unlike Havinga et al., Krishnamurthi
et al. [32] specify sufficient criteria to ensure that aspects
cannot violate the invariants for any given base model.
Katz and Katz [21] describe a modular verification of
aspects with respect to model checking. Like in our approach,
they allow for invasive aspects which means that the woven
system can represent new states that were unreachable in the
base. Even with invasive aspects, they can perform a model
checking analysis of the effects of a set of woven aspects.
The analysis in our approach is also modular since the confluence analysis is performed only with the set of aspects and
Confluence of aspects for sequence diagrams
independently of a base model. However, our analysis detects
any aspect interactions, while their analysis is about model
checking the effects of a set of aspects. The two approaches
are complementary. There can be aspect interactions among
two aspects even if the two aspects are correct with respect
to model checking.
In another work by Katz and Katz [20], they check every
two pairs of aspects to detect aspect interactions independently of a base system. These aspects are specified in Linear Temporal Logic as assume-guarantee pairs. They provide
sufficient conditions to conclude that the weave order for two
aspects are commutable. Their result is weaker than ours in
that they don’t examine if the non-commutable aspects can
be joinable by a continuous weaving that may involve other
aspects. Hence, there are cases where two aspects may not be
commutable and we still have confluence meaning that there
are no aspect interactions.
In Douence et al. [8,9] aspects are defined by a formal
grammar. Aspect interactions can be statically detected since
they in this formalism only occur at shared joinpoints. With
our aspects, aspect interactions are only guaranteed to occur
at shared joinpoints for two of the five conflict types (usedelete and produce-produce). Douence et al. allow for two
types of automated detection of conflicts: (1) for any base
model, and (2) relative to a specific base model.
Mehner et al. [37] define aspects for UML activity diagrams. The aspects follow the traditional AspectJ, where only
single activities can be joinpoints and where advices are of
types before, after and around. The effects of an advice are
captured by precondition and postcondition, which are specified as AGG rules. This allows for AGG dependency and
conflict reports.
Oldevik et al. [42] describe how to specify a set of model
transformations to support software product line modeling.
Unlike our non-deterministic matching process, each model
transformation has a hardcoded reference to where in the
base model the transformation shall be applied. They identify criteria to ensure that these hardcoded references are
non-overlapping. No further analysis is made to check if
overlapping model transformations can be applied in any
order to yield the same final result.
9.2 Sequence diagram-based aspects
Whittle et al. [53] use syntax-based sequence diagram
aspects, in a tool called MATA, to support variability modeling. The models are translated into abstract syntax as graphs
and GTS rules in the AGG tool [52], where conflicting rules
are detected. Such conflicting rules can be used as the basis
for manually applying a critical pair analysis (to our best
knowledge not supported by any tools) as prescribed in the
graph transformation confluence theories [17,44]. However,
such an analysis will miss to detect some positive cases of
confluence due to the undecidability of confluence for graph
transformation. This is in contrast to our extended critical pair
analysis which gives a yes/no answer in all cases. In addition,
a translation to graph transformation has the disadvantages
of translation-based approaches that we mentioned above.
Whittle et al.’s aspect language is quite expressive, and
their any construct is quite similar to our arbitrary events
symbol. However, they have not described support for negative pointcuts. Whittle et al. do not provide a formal nor a
precise definition of a match, which makes a complete comparison difficult.
Since their aspect language is syntax-based, the language
has two main drawbacks. Firstly, the weaving misses to match
semantically equivalent but syntactically different structures
which typically can occur when the base diagrams involve
combined fragments. Secondly, weaving soundness, as we
have called it, is not guaranteed. Whittle et al. will perform
the undesired weaving of the example in Figs. 6 and 9, which
leads to the invalid woven sequence diagram shown in Fig. 9.
An advantage of the syntax-based approach is that it preserves the original structure of combined fragments, while
this is broken down in our semantics-based weaving process. In the end, we have one alt operator where the operands
represent each woven basic sequence diagram.
It is likely that a simplified version of our confluence
theory can be applied to Whittle et al.’s sequence diagram
aspects. The syntax-based approach ignores match-blocking
partial orders, which means that two of our five conflict types
(produceMB-blocked and deleteMB-forbid) can be ignored
when constructing the critical pairs.
In [41], Oldevik et al. use syntax-based sequence diagram
aspects that are based on Whittle et al.’s aspects. While our
and Whittle et al.’s aspects are woven at the model level, the
aspects in [41] are woven with Java programs at runtime.
Since the weaving happens at runtime, the possible aspects
are limited to add behavior after some observed behavior has
occurred. Oldevik et al.’s aspects are thus a restricted version of Whittle et al.’s aspects and a simplified version of our
confluence theory may be applicable.
Solberg et al. [49] define aspects for sequence diagrams
by tagging the base diagram elements to be affected, which
means that there is no non-deterministic aspect application
and a confluence analysis is superfluous.
Clarke and Walker [6] and Deubler et al. [7] both define
sequence diagram-based aspects limited to single event
matching only and with synchronous messages. Although
our decidability result of Theorem 5 seems valid for these
two approaches, the advice normally introduces events on
lifelines not part of the match, which in the general case leads
to non-confluence. With single event matching, the extended
critical pairs reduce to traditional critical pairs.
Klein et al. [25] define semantics-based sequence diagram
aspects, but their aspects are not identical to ours and have
123
R. Grønmo et al.
some variation points both on the matching and weaving parts
which we will detail in the following. They define four match
strategies. The two strictest match strategies can be seen as
sequence diagram aspects without arbitrary events, which
means that there cannot be any non-pointcut matched events
between the matched pointcut events on a lifeline. The strictest match strategy, called strict part, is stricter than our match
strategy since it does not allow any crossing messages, even
though they do not imply what we call ‘match blocking partial
orders’.
The second strictest match strategy, called enclosed part,
is less strict than our match strategy since it allows for any
crossing messages of the matched pointcut messages, including those that imply match blocking partial orders. Weaving
soundness is only guaranteed for Klein et al.’s strictest match
strategy, and not for the three others since they allow matches
with match blocking partial orders.
Our Theorem 5 can be applied to their enclosed part and
strict part matchings to decide confluence. The other two
match strategies of Klein et al. [25] assume implicitly that
there are arbitrary events allowed in any position. However,
they do not have an unambiguous definition on how to merge
new events with the arbitrary events, which means that there
will always be non-confluence in the general case. Unless
special care is taken, weaving soundness is not guaranteed.
The merging of new events with arbitrary events may lead
to invalid woven sequence diagrams. Klein et al. have not
described support for negative pointcuts.
Klein et al. have a weaving process that is a bit more
restricted than our fully non-deterministic weaving. In their
approach, the aspects are non-deterministically ordered in
a sequence. The first aspect is then woven on all disjoint
matches in the base model at once. Weaving continues with
the next aspect. The process will always terminate, since the
weaving finishes when the last aspect is applied on all its disjoint matches. We believe that our confluence theory can be
applied to their aspects. The requirement of disjoint matches
will simply remove some potential critical pairs. Furthermore, our analysis needs to apply their weaving process when
trying to join an extended critical pair. Since termination is
guaranteed, then confluence can be algorithmically checked
without proving the termination property.
Kienzle et al. [23,24] do not provide means to automatically detect aspect interactions, in contrast to our critical pair
analysis. Instead, they provide means to model the aspect
dependencies both at the programming and at the modeling
level. In [23], they present sequence diagram aspects which
are based on the aspects by Klein et al.
The work by Sánchez et al. [48] combine the highly
expressive join point designation diagrams (JPDD) [51] with
activity diagram model weaving. JPDDs are used for expressing the pointcut which can use several UML diagram notations including UML sequence diagrams with synchronous
123
messages. However, the base model and the advice must be
specified by UML activity diagrams. The framework does
not provide means to detect aspect interactions. While our
weaving happens at the modeling level, their weaving happens at runtime where the aspects can depend on the actual
runtime data. There are two reasons why our confluence theory is not directly applicable to their approach. Firstly, in
our confluence theory both pointcut and advice are specified
as sequence diagrams, and the pointcuts alone are not sufficient to determine conflicting aspects. Secondly, our theory is based on asynchronous messages. However, our initial
investigations indicate that a subset of our confluence theory
can be reused for synchronous messages. Synchronous messages appears to be simpler than asynchronous messages in
this context.
Liang et al. [35] map sequence diagrams to graphs and
specify composition directives based on category theory to
compose sequence diagrams. Their composition approach
is symmetric as opposed to all the other approaches in this
subsection that are asymmetric approaches. An asymmetric approach distinguish between a base diagram and an
aspect diagram. Since their composition directives seem to
uniquely define the composed result without non-determinism involved, a confluence analysis is not relevant.
10 Future work
As future work it remains to investigate if it is decidable to
determine confluence for other classes of aspect diagrams,
e.g. allowing either the arbitrary events symbol or negative
pointcuts, but not both, or aspect diagrams that preserve all
the pointcut messages with both the arbitrary events symbol
and negative pointcuts.
For the classes of aspect diagrams where confluence is
undecidable, future work should still identify a set of sufficient criteria to conclude that confluence holds.
For simplicity, we have not included symbolic message
signals (e.g. ∗ to represent arbitrary message signals) in our
formalism. It should be quite straightforward to extend the
match definitions to support matching message signals based
on regular expressions for strings. However, for the construction of critical pairs, symbolic message signals may be more
difficult. Two aspects may for instance have related messages, where one message signal is a specialization of the
other. We need further investigation to see how this influences the confluence analysis.
Since our confluence results depend upon terminating
sets of aspects, future work to establish a termination theory would be a strong complement to the confluence theory
presented in this paper. We consider to implement a confluence test algorithm in our aspect weaver tool, to support the
extended critical pair analysis.
Confluence of aspects for sequence diagrams
With proper tool support, it will also be possible to perform
a realistic case study evaluating the practical usefulness of
both the aspect language used in this paper and our approach
to confluence analysis.
As the aspect language in this paper is quite expressive,
an interesting extension of this work would be to investigate
to what extent the language and confluence analysis may be
applied to other areas of model transformation.
11 Conclusions
This paper presents a sequence diagram-based aspect language with formal match and weave definitions. The aspect
language includes support for arbitrarily large pointcut
descriptions, negative pointcuts, and allowing an arbitrary
number of events in predefined positions. A formal trace
model for sequence diagrams is used as the basis for our
match definition, which we call semantics-based matching.
This allows us to match and weave in a number of desired
cases where syntax-based weaving fails.
The main results in this paper are captured by five theorems, which we now summarize.
It is intractable to perform matching at the trace level.
However, Theorem 1 proves that a semantics-based matching equals a matching which we call lifeline-based matching. The aspect language is supported by the SeDi-Weaver
tool [50], where lifeline-based matching has been tested to
give efficient performance even on large sequence diagrams.
Semantics-based matching on the other hand, failed to terminate even for relatively small sequence diagrams.
Theorems 2 and 3 prove that our match and weave definitions ensure valid woven sequence diagrams, for two different levels of expressiveness. Other sequence diagram-based
aspects with similar expressiveness [25,53] cannot guarantee
this property.
Our aspects are specified in a commonly used declarative
manner that involve non-determinism with respect to which
aspect shall be applied next and upon which match. This
non-determinism give rise to a well-known problem of aspect
interactions [1,9,16,20,24,29,37,47,53,54], of which some
interactions are undesirable.
A confluence analysis can be used to detect aspect interactions automatically. Furthermore, if confluence holds then
we know that there will not be aspect interactions of any
type for any given base model. If the set of aspects is nonconfluent, then a confluence analysis can document which
pairs of aspects can have interactions within an example base
sequence diagram.
Our theory gives considerable knowledge about where the
boundary between high expressiveness and undecidability of
confluence lies. Theorem 4 proves that confluence is unde-
cidable when our aspects can use both negative pointcuts and
the arbitrary events symbol.
In the class of sequence diagram aspects without negative
pointcuts and the arbitrary events symbol, Theorem 5 proves
that a set of (terminating) aspects is confluent if and only if all
extended critical pairs are joinable. This class of aspects still
has considerable expressiveness, since the aspects can have
arbitrary many messages and lifelines and the base models
can use combined fragment operators of types alt, opt, par
and even unbounded loop. Since all the extended critical
pairs can be systematically constructed and the joinability
can be checked, we have prescribed an algorithmic way to
check confluence. Critical pairs are built by comparing each
pair of two aspects to see if they can lead to one of our five
identified conflict types.
The results in this paper is useful for modelers and
researchers working with sequence diagram aspects, as well
as for researchers wanting to establish a confluence theory
for other aspect-oriented modelling or model transformation
approaches.
Acknowledgments The work reported in this report has been partly
funded by The Research Council of Norway, grant no. 167172/V30
(the SWAT project), and by the DiVA project grant no. 215412 (EU
FP7 STREP). We thank Stein Krogdahl for his valuable feedback.
Appendix: A Proofs
A.1 Additional lemmas
The lemmas in this section will be used in the following
proofs.
The first lemma states that when there is a match between
a pointcut and a base diagram, the two diagrams have the
same direct partial orders with respect to the events involved
in the match.
Lemma 7 (Corresponding direct partial orders) If the mapping φ defines a semantics-based match between a pointcut
diagram D pc and a base diagram Db , then there is a direct
partial order between events in the pointcut diagram if and
only if there is a direct partial order between the corresponding mapped events in the base diagram.
Formally:
smatchφ (D pc , Db ) ⇒
∀e1 , e2 ∈ ev.D pc :
((e1 , e2 ) ∈ D pc .dpo ⇔ (φ(e1 ), φ(e2 )) ∈ Db .dpo)
Proof Assume that φ defines a semantics-based match
between D pc and Db (i.e. smatchφ (D pc , Db )). It follows
from Definition 4 of semantics-based match, that we may
choose one pointcut trace t pc ∈ [[ D pc ]] and one base trace
tb ∈ [[ Db ]] such that φ defines a trace-based match between
t pc and tb (i.e. tmatchφ (t pc , tb )).
123
R. Grønmo et al.
Choose two arbitrary pointcut events e1 and e2 . As D pc is
a basic sequence diagram without any combined fragments,
all events in the diagram must occur in every trace in its
semantics, and it follows that e1 ∈ t pc and e2 ∈ t pc . By
Definition 3 of trace-based match, we get that φ(e1 ) ∈ tb
and φ(e2 ) ∈ tb , and since tb is a trace in the semantics of
Db , φ(e1 ) and φ(e2 ) must be two events in the base diagram
Db .
It remains to prove that there is a direct partial order
between e1 and e2 in the pointcut diagram D pc if and only if
there is a direct partial order between φ(e1 ) and φ(e2 ) in the
base diagram Db . There are two cases to consider, as a direct
partial order is either a consequence of the message invariant
or the result of two events occurring directly after each other
on the same lifeline.
If e1 is the send and e2 the receive event of the same message m, then by definition of φ, φ(e1 ) must be the send and
φ(e2 ) the receive event of the same message φ(m), and the
direct partial from φ(e1 ) to φ(e2 ) follows from the message
invariant.
If e2 occurs directly after e1 on the same lifeline l, then
e1 , e2 will be a continuous subtrace of t pc restricted to the
lifeline l (i.e. substr( e1 , e2 , t pc l). By Definition 3 of tracebased match, φ(t pc ) is a continuous subtrace of tb , and hence
φ(e1 ), φ(e2 ) must be a continuous subtrace of tb as well
(i.e. substr( φ(e1 ), φ(e2 ) , tb l)). With φ(e1 ) and φ(e2 ) on
the same lifeline (by Definition of φ and e1 and e2 being on
the same lifeline), this can only be the case if there is a direct
partial order from φ(e1 ) to φ(e2 ).
on l is the same for both aspects (otherwise, the lemma does
not apply).
For the base diagram D, its event sequence on l must consist of three parts: A (possibly empty) sequence before(e, D)
before the match with the pointcut of A1, the sequence of
matched events (φ1 ((A1.pc){l})) with e as the first event in
the sequence, and finally a (possibly empty) sequence h 1
after the match.
By Definition 9 of direct derivation, we get that for the
woven diagram D1 , the event sequence on l must be as for
D, except that the sequence of matched events is replaced by
the corresponding mapped sequence of advice events, i.e.
(φ1 ((A1.a){l})).
For there to be a match between the pointcut of A2 and D1 ,
the sequence of mapped advice events must include e, and
this sequence may therefore be split in two sub-sequences
φ1 (before(e1 , A1.a)) and h 2 , with e = φ1 (e1 ) being the first
event in h 2 .
Together, this gives that the event sequence on l in the diagram D1 must be before(e, D) φ1 (before(e1 , A1.a)) h 2
h1.
Similarly, when applying the aspect A2 on the base diagram D2 , the advice of A2 inserts the (possibly empty) event
sequence φ2 (before(e2 , A2.a)) directly before e = φ2 (e2 )
on the lifeline l.
As a result, the event sequence before e in the final
woven diagram D2 is the (possibly empty) sequence
before(e, D), followed by the (possibly empty) sequence
φ1 (before(e1 , A1.a)), followed by the (possibly empty)
sequence φ2 (before(e2 , A2.a)).
Lemma 8 (Event sequence before common matched event)
For any derivation applying first aspect A1 and then aspect
A2, if there is a lifeline where the first event of both pointcuts
maps to the same base event e, then the event sequence before
e in the woven diagram will consist of the event sequence
before e in the original base diagram, followed by the mapped
event sequence inserted before e by the advice of A1, followed
by the mapped event sequence inserted before e by the advice
of A2.
Formally:
Lemma 9 Candidate match and corresponding direct partial
orders The mapping φ defines a candidate match between a
pointcut diagram D pc and a base diagram Db if and only if
there is a direct partial order between two pointcut events in
the pointcut diagram exactly when there is a direct partial
order between the corresponding mapped events in the base
diagram.
Formally:
∀D, D1 , D2 ∈ SD, l ∈ L, e ∈ Event, e1 ∈ Event, e2 ∈ Event :
∀e1 , e2 ∈ ev.D pc :
A1,φ1
A2,φ2
((e1 , e2 ) ∈ D pc .dpo ⇔ (φ(e1 ), φ(e2 )) ∈ Db .dpo)
D −→ D1 −→ D2
∧ e1 = first((A1.pc){l})
∧ e2 = first((A2.pc){l})
∧ e = φ1 (e1 ) = φ2 (e2 )
⇒ before(e, D2 )
= before(e, D) φ1 (before(e1 , A1.a)) φ2 (before(e2 , A2.a))
A1,φ1
A2,φ2
Proof Assume that D −→ D1 and D1 −→ D2 are two
valid direct derivations, and choose an arbitrary lifeline l in
the base diagram D. Assume that the first matched event e
123
cmatchφ (D pc , Db ) ⇔
Proof ⇒: The proof is similar to the proof of Lemma 7.
⇐: Assume that there is a direct partial order between
two pointcut events e1 and e2 in the pointcut diagram if and
only if there is a direct partial order between the corresponding mapped events φ(e1 ) and φ(e2 ) in the base diagram. For
any consecutive events e and e on the same lifeline l in the
pointcut diagram, it follows that the sequence φ(e ), φ(e )
is a substring of the event sequence on l in the base diagram.
From this, we may conclude that the event sequence on l in
Confluence of aspects for sequence diagrams
the pointcut diagram will, when mapped by φ, be a substring
of the event sequence on l in the base diagram, meaning that
there is a candidate match between the pointcut and the base
diagram.
A.2 Proof of Lemma 1
Assume that φ defines a semantics-based match between D pc
and Db (i.e. smatchφ (D pc , Db )). According to Definitions 3
and 4 of trace-based and semantics-based match, this means
that there exists a base trace tb with a mapped pointcut trace
φ(t pc ) as a continuous subtrace, i.e. tb = h 1 φ(t pc ) h 2
for some event sequences h 1 and h 2 .
The pointcut diagram D pc does not contain any combined
fragments, and any pointcut trace t pc will be a permutation
of the events in t pc .
We now prove that for any pointcut trace t pc , the trace
tb = h 1 φ(t pc ) h 2 will be a valid base trace having the
pointcut trace as a continuous subtrace.
The only difference between tb and tb is the relative ordering of the pointcut events, meaning that tb obeys all base
partial orders between two events where one or both is not
in the set of pointcut events.
It remains to prove that for any two pointcut events, there
is a partial order between the mapped events in the base diagram only if the corresponding partial order exists also in the
pointcut diagram. For direct partial orders, this follows from
Lemma 7 above. Lemma 7 is sufficient, as all other partial
orders in the transitive closure will be implied by the direct
partial orders.
A.3 Proof of Theorem 1
⇒: Assume that φ defines a lifeline-based match between
D pc and Db (i.e. lmatchφ (D pc , Db )). By Definitions 4 and 3
of semantics-based match (i.e. smatchφ (D pc , Db )), we need
to prove that there exists a pointcut trace t pc and a base trace
tb , with φ(t pc ) as a continuous subsequence of tb , i.e. there
exists sequences h 1 and h 2 such that tb = h 1 φ(t pc ) h 2 .
By Definitions 7 of lifeline-based match and 5 of candidate match, we know that for all lifelines, the base diagram
contains the mapped pointcut events as a continuous subsequence. Together with the message invariant, this means that
the pointcut events in D pc and the mapped base events in Db
have the same direct partial orders.
From Definition 7 of lifeline-based match, we also have
that there are no match-blocking partial orders. Thus, for
any arbitrary unmapped event a, and mapped events φ(e1 )
and φ(e2 ) such that (φ(e1 ), φ(e2 )) ∈ Db .po, at most one
of (φ(e1 ), a) ∈ Db .po and (a, φ(e2 )) ∈ Db .po may hold.
Hence, we may construct a base trace tb where any unmapped
event a occurs either before (in h 1 ) or after (in h 2 ) the mapped
events (in φ(t pc )) as required.
⇐: Assume that φ defines a semantics-based match
between D pc and Db (i.e. smatchφ (D pc , Db )). We first prove
that this implies that φ defines a candidate match between
D pc and Db (i.e. cmatchφ (D pc , Db )).
By Definitions 4 and 3 of semantics-based match, we
know that there exists a pointcut trace t pc and a base trace tb
such that φ(t pc ) is a continuous subtrace of tb . It follows that
for each lifeline, the event sequence in φ(t pc ) is a continuous
subtrace of the event sequence for the same lifeline in tb . For
any basic sequence diagram, the event sequence for a single lifeline is the same for all traces of the diagram, and the
same as the top-down sequence of syntactic events on that
lifeline. Hence, for all lifelines, the events in the pointcut diagram constitutes a continuous subsequence of the events in
the base diagram and there is a candidate match as required.
In order to have a lifeline-based match, it remains to prove
that there are no match-blocking partial orders in the base
diagram Db .
Assume for contradiction that there exists a match-blocking partial order, i.e. two unmapped events a and b, and two
mapped events φ(e1 ) and φ(e2 ) in the base diagram Db such
that (a, b) ∈ Db .po, (φ(e1 ), a) ∈ Db .po and (b, φ(e2 )) ∈
Db .po hold. This means that any base trace must include
the sequence φ(e1 ), a, b, φ(e2 ) as a (possibly non-continuous) subsequence. Any mapped pointcut trace is on the form
h 1 φ(e1 ) h 2 φ(e2 ) h 3 , where h 2 cannot include a or
b, since a and b are not mapped by pointcut events. However, this means that no pointcut trace can be a continuous
subsequence of a base trace with a and b in between φ(e1 )
and φ(e2 ), which contradicts the assumption that there exists
a semantics-based match. Hence, no match-blocking partial
order can exists, and φ defines a lifeline-based match between
D pc and Db .
A.4 Proof of Theorem 2
Assume that φ defines a match between the pointcut of A
and the base diagram (i.e. matchφ (A.pc, Db )). Remember
that we only consider valid base, pointcut and advice diagrams, meaning that [[ Db ]] = ∅ and [[ A.a ]] = ∅. Assume
for contradiction that the woven result is an invalid sequence
diagram, i.e. [[ Dw ]] = ∅.
For any basic sequence diagram, its trace-set is empty if
and only if the partial order relation contains a cycle. By
[[ Dw ]] = ∅, we may then choose two events e1 and e2 from
Dw such that (e1 , e2 ) ∈ Dw .po and (e2 , e1 ) ∈ Dw .po both
holds.
As neither the base nor the advice diagram contains a
cycle, the cycle in Dw cannot be the result of a “backwards”
message on a single lifeline (i.e. a message with the receive
event occurring before the send event in the top-down order
123
R. Grønmo et al.
b
a
event on lifeline
match replaced
by advice events
Fig. 31 Match-blocking messages prevent matches leading to invalid
woven sequence diagrams
on the lifeline). Instead, the cycle must contain events on at
least two different lifelines, meaning that in the partial order
path from e1 , via e2 , and back to e1 , there must exist at least
two direct partial orders between events on different lifelines.
Such direct partial orders can only be a consequence of the
message invariant, i.e. a partial order between the send and
the receive event of the same message.
As neither the base nor the advice diagram contains a cycle
in itself, one of the two messages in the cycle must be a message (mapped by φ) from the advice diagram A.a, and the
other a message from the base diagram Db which was not
included in the match with A.pc.
Consequently, there must exist a message a in φ(msg(A.a))
and a message b in msg(Db ) \ φ(msg(A.pc)), such that
(?a, !b) ∈ Dw .po and (?b, !a) ∈ Dw .po both holds, i.e. the
advice message must be received before the base message
may be sent, and vice versa. This is illustrated in Fig. 31.
However, the advice events are only inserted as replacements for the pointcut events on each lifeline (since we do
not allow introducing events on lifelines without events in the
pointcut), meaning that there must have existed some mapped
events ex and e y such that (ex , !b) ∈ Db .po and (?b, e y ) ∈
Db .po both held in the original diagram. However, this makes
b a match-blocking message (with (!b, ?b) ∈ Db .po a matchblocking partial order) as its two events is required to happen
between the mapped events ex and e y .
By the assumption matchφ (A.pc, Db ) and Definition 7 of
lifeline-based match, no such match-blocking message may
exist, and we have a contradiction. Hence, [[ Dw ]] = ∅ and
the woven result Dw is indeed a valid sequence diagram.
A.5 Proof of Theorem 3
Assume that φ defines a match between the pointcut of A
and the base diagram (i.e. matchφ (A.pc, Db )), and that the
base diagram and the advice diagram without arbitrary events
(i.e. (A.a)= ) are valid sequence diagrams (i.e. [[ Db ]] = ∅
and [[ (A.a)= ]] = ∅). If any ψ resolution of the arbitrary
events symbols in A.a gives a valid sequence diagram, we
know from Theorem 2 that the woven result Dw will be a
valid sequence diagram as well.
123
This implies that it suffices to prove that the additional
assumption of this theorem (A.a does not introduce a partial
order with the first event after and the second event before
an arbitrary events symbol) implies that any ψ resolution of
the arbitrary events symbols give valid advice diagrams.
Since the pointcut has a match in the valid base diagram,
then the ψ resolution must give a valid pointcut diagram. As
we also have that the advice diagram without arbitrary events
symbols is valid, this means that any cyclic partial order in
the advice diagram must be caused by a combination of ψ
events and a partial order (e1 , e2 ) introduced by the advice.
To constitute a cycle, the e2 event must occur before an arbitrary events symbol on one lifeline, and the e1 event must
occur after an arbitrary events symbol on another lifeline.
However, such a partial order cannot exist by the additional
assumption of this theorem, and the advice diagram with all
arbitrary events symbols resolved must be a valid diagram.
Hence, we conclude by Theorem 2 that the woven diagram
Dw is valid, i.e. [[ Dw ]] = ∅.
A.6 Proof of Lemma 2
if-direction:
A1,φ1
A2,φ2
Assume that D −→ D1 and D −→ D2 are two valid
direct derivations, and that independence criteria 1–3 hold
for these derivations.
A2,φ2
From D −→ D2 and Definition 9 of a direct derivation, φ2 must define a match between D and the pointcut of
A2 (i.e. matchφ (A2.pc, D)). By Lemma 7, all direct partial orders in the pointcut of A2 also exists between the
corresponding mapped events in D. By independence criterion 1, these direct partial orders also exists in D1 , meaning that for all lifelines, the mapped event sequence in A2
will be a substring of the event sequence in D1 . I.e., φ2
defines a candidate match between D1 and the pointcut of
A2 (i.e. cmatchφ2 (A2.pc, D1 )). By independence criterion
2, there are no match-blocking partial order and there is a
(lifeline-based) match between D1 and the pointcut of A2 ,
meaning that A2 may be applied on D1 in order to reach a
woven model D1,2 .
Similarly, A1 may be applied on D2 with the woven result
D2,1 .
It remains to prove that D1,2 and D2,1 must be identical
(up to isomorphism). It is sufficient to prove that the event
sequence on an arbitrary lifeline l is identical in D1,2 and
D2,1 , There are two cases to consider.
The first case is when the events on l in the pointcuts of
A1 and A2 maps to disjoint sets of events in D. With disjoint
matches, the replacements made by the two advices do not
interfere with each other, and the event sequences in D1,2
and D2,1 are trivially equal.
Confluence of aspects for sequence diagrams
In the second case, the pointcuts of A1 and A2 maps to at
least one common event on l in D. Let ct be the non-empty
sequence of events on l mapped to by both pointcuts, and let
e be the first event in ct.
By independence criterion 1, ct cannot be changed by any
of the aspects and must therefore be a substring of the event
sequence on l in both D1,2 and D2,1 .
If none of the pointcuts match any events before e on l,
Lemma 8 and independence criterion 3 ensures that the event
sequence before e must be the same in both D1,2 and D2,1 .
If only one of the pointcuts matches a non-empty event
sequence before the common match sequence ct in D, independence criterion 1 gives that the other aspect cannot add
any events before ct. The aspect matching events before ct
will make the same changes here in both D1,2 and D2,1 ,
meaning that the event sequence before ct will be the same
in both diagrams.
Similarly, the event sequence after ct must be the same in
both D1,2 and D2,1 .
Together, this gives that the complete event sequence on l
must be identical in D1,2 and D2,1 as required.
only-if-direction:
For simplicity, we use x = 1 and y = 2 in this proof, but
the proof is equally valid for x = 2 and y = 1.
A1,φ1
A2,φ2
Assume that D1 ←− D −→ D2 are independent.
Criterion 1: Assume that there is a direct partial order in D
between two events φ1 (a) and φ1 (b) matched by the pointcut of A1. By Lemma 7, there must be a direct partial order
between the corresponding events in the pointcut of A1. By
Definition 15, φ1 must define a match between D2 and the
pointcut of A1. Lemma 7 then gives that there must be a
direct partial order between φ1 (a) and φ1 (b) also in D2 , as
required by independence criterion 1.
Criterion 2: By Definition 15, φ2 must define a match
between D1 and the pointcut of A2. By Definition 7 of lifeline-based match, no match-blocking partial orders may exist
in D1 as required by independence criterion 2.
Criterion 3: The following proof proves criterion 3 for the
first/before-case. The end/after-case is proved in a symmetrical manner.
Assume that there is a lifeline l where the event sequences
matched by the pointcuts of A1 and A2 both start with the
same event e (with e1 and e2 being the corresponding pointcut events in A1 and A2, respectively). By Definition 15
A2,φ2
of independence there exists a D join such that D1 −→
A1,φ1
D join ←− D2 . By Lemma 8, we get before(e, D join ) =
before(e, D) φ1 (before(e1 , A1.a)) φ2 (before(e2 , A2.a))
A1,φ1
A2,φ2
A2,φ2
A1,φ1
from D −→ D1 −→ D join and before(e, D join ) =
before(e, D) φ2 (before(e2 , A2.a)) φ1 (before(e1 , A1.a))
from D −→ D2 −→ D join . As these two right hand sides
must be equal, it follows that either
before(e1 , A1.a) = ∅, before(e2 , A2.a) = ∅ or
before(e1 , A1.a) = before(e2 , A2.a) as before(ex , Ax.a) =
∅ if and only if φx (before(ex , Ax.a)) = ∅.
In the last case, independence means that the two added
event-sequences are considered to be identical meaning that
they may be added to the diagram in any order. For independence to hold, also the corresponding events on the other
message ends must be placed on exactly the same place so
that the order is insignificant. This is possible only if there
exists a common first or last common matched event which
they are placed in relation to, meaning that the final conjunct
of criterion 3 also holds.
A.7 Proof of Lemma 3
if-direction:
Equal to the proof of Lemma 2, except that in order to
prove that there is a match between A2 and D1 , we must
also prove that there is no match between D1 and any of the
negative pointcut diagrams in A2. By independence criterion
4, there are two cases to consider for each diagram Dnpc in
the set of negative pointcuts for A2.
In the first case, there is a match-blocking partial order in
D1 with respect to Dnpc , and consequently no match between
Dnpc and D1 .
In the second case, there is a direct partial order in Dnpc ,
but not a direct partial order in between the corresponding
mapped events in D1 . In this case, Lemma 9 gives that there
is no candidate match between Dnpc and D1 , and hence no
(lifeline-based) match either.
only-if-direction:
For simplicity, we use x = 1 and y = 2 in this proof, but
the proof is equally valid for x = 2 and y = 1.
A1,φ1 ,ψ1
A2,φ2 ,ψ2
Assume that D1 ←− D −→ D2 are independent.
For criteria 1–3, the proof is equal to the proof of Lemma 2.
Criterion 4: Choose an arbitrary diagram Dnpc in the set of
negative pointcuts for A1. By Definition 15 of independence
A2,φ2 ,ψ2
A1,φ1 ,ψ1
there exists a D join such that D1 −→ D join ←− D2 .
By definition of direct derivation, this means that there is a
match between A1 and D2 , which by Definition 11 means
that there is not a match between Dnpc and D2 . Definition 7
of a lifeline-based match gives two cases to consider.
In the first case, there is a match-blocking partial order in
D2 , which is the same as the first disjunct of independence
criterion 4.
In the second case, there is no candidate match between
Dnpc and D2 , meaning that either there exists two events in
Dnpc such that there is a direct partial order between them,
but not between the corresponding mapped events in D2 , in
which case the second disjunct of independence criterion 4
is satisfied. Or, there exists two events e1 and e2 in Dnpc such
123
R. Grønmo et al.
that there is no direct partial order between them even though
there is between the corresponding mapped events in D2 . As
the direct partial order does not exist in Dnpc , it cannot be
due to the message invariant and the two events involved in
the direct partial order must occur directly after each other
on the same lifeline. If there is a direct partial order from e2
to e1 in Dnpc , then this is sufficient for the second disjunct
of independence criterion 4 to be satisfied. Otherwise, there
must be a (non-direct) partial order either from e1 to e2 or
from e2 to e1 (as they occur on the same lifeline). In both
cases, there must exists an intermediate event which forms a
direct partial order with either e1 or e2 , and as the corresponding direct partial order cannot exist in D2 (where no event
may occur between the mapped events φ1 (e1 ) and φ1 (e2 ),
because there is a direct partial order between them), this
is again sufficient for the second disjunct of independence
criterion 4.
A.8 Proof of Theorem 5
if-direction.
This is trivial, since only one non-joinable extended critical
pair serves as a counter-example against confluence.
only-if-direction.
It is sufficient to prove that non-confluence implies that there
exists at least one non-joinable extended critical pair. For contradiction we assume non-confluence and that all extended
critical pairs are joinable.
With non-confluence there exists two direct derivations
A2 ,φ2
A1 ,φ1
D1 ←−−− D −−−→ D2 , where D1 ↓D
2 . From Definition
15, we know that these two derivations must be dependent. Let D − = φ1 (msg(A1 .pc)) ∪ φ2 (msg(A2 .pc)) and
let D1− and D2− be the corresponding derivation results in
A1 ,φ1
A2 ,φ2
D1− ←−−− D − −−−→ D2− . These two derivations constitute
a minimal context critical pair.
The corresponding extended critical pair is
A1 ,φ1
A2 ,φ2
(D1− )χ ←−−− (D − )χ −−−→ (D2− )χ and from our joinability assumption (that shall give a contradiction) we conclude
that (D1− )χ ↓ (D2− )χ . Thus there exist derivation sequences:
∗
∗
(D1− )χ −
→ D join ←
− (D2− )χ , for some diagram D join .
∗
All the derivations in (D1− )χ −
→ D join can be repeated
(each derivation step uses the same aspect and match) in a der∗
ivation from D1 to D 1join , i.e. D1 −
→ D 1join . This claim holds
for the following reasons: (1) no χ -messages are matched or
affected by any derivation, (2) the messages that are taken
back does not introduce new match-blocking partial orders
for any of the used matches, since the extended critical pair is
constructed to have the maximum amount of potential matchblocking partial orders in the relevant area, (3) the messages
that are taken back in α-positions and ω-positions can be
seen as wrappers around the derivations, and (4) the mes-
123
sages that are taken back in β-positions are placed where
there previously was at least one χ -message event.
Correspondingly, we can conclude that all the derivations
∗
→ D join can be repeated (each derivation step
in (D2− )χ −
∗
uses the same aspect and match) in D2 −
→ D 2join . We deduce
1
2
that D join = D join , since all derivations are similar. We
have only replaced the χ -messages that remain unchanged
in the derivations, by some other messages that also remain
unchanged in the derivations.
We have shown that D1 ↓ D2 , which is a contradiction
that concludes our proof.
References
1. Aksit, M., Rensink, A., Staijen, T.: A graph-transformation-based
simulation approach for analysing aspect interference on shared
join points. In: Proceedings of the 8th International Conference on
Aspect-Oriented Software Development (AOSD 2009), pp. 39–50.
ACM, New York (2009)
2. Andrews J.H.: Process-algebraic foundations of aspect-oriented
programming. In: Metalevel Architectures and Separation of
Crosscutting Concerns, Third International Conference, REFLECTION. Lecture Notes in Computer Science, vol. 2192, pp. 187–209.
Springer, Berlin (2001)
3. Aßmann, U., Ludwig, A.: Aspect weaving with graph rewriting.
In: Generative and Component-Based Software Engineering, First
International Symposium, GCSE. Lecture Notes in Computer Science, vol. 1799, pp. 24–36. Springer, Berlin (1999)
4. Bezem, M., Klop, J.W., de Vrijer, R.: Term Rewriting Systems. Cambridge University Press, Cambridge (2003)
5. Carton, A., Driver, C., Jackson, A., Clarke, S.: Model-driven
Theme/UML. In: Transactions on Aspect-Oriented Software
Development VI, Special Issue on Aspects and Model-Driven Engineering. LNCS, vol. 5560, pp. 238–266. Springer, Berlin (2009)
6. Clarke, S., Walker, R.J.: Composition patterns: an approach to
designing reusable aspects. In: Proceedings of the 23rd International Conference on Software Engineering (ICSE 2001), pp. 5–14.
IEEE Computer Society, Washington (2001)
7. Deubler, M., Meisinger, M., Rittmann, S., Krüger, I.: Modeling
Crosscutting Services with UML Sequence Diagrams. In: Proceedings of the 8th International Conference on Model Driven Engineering Languages and Systems (MoDELS 2005). LNCS, vol. 3713,
pp. 522–536. Springer, Berlin (2005)
8. Douence, R., Fradet, P., Südholt, M.: A framework for the detection
and resolution of aspect interactions. In: Generative Programming
and Component Engineering, ACM SIGPLAN/SIGSOFT Conference, GPCE. Lecture Notes in Computer Science, vol. 2487,
pp. 173–188. Springer, Berlin (2002)
9. Douence, R., Fradet, P., Südholt, M.: Composition, reuse and interaction analysis of stateful aspects. In: Proceedings of the 3rd International Conference on Aspect-Oriented Software Development
(AOSD 2004), pp. 141–150. ACM, New York (2004)
10. Ehrig, H., Ehrig, K., Prange, U., Taentzer, G.: Fundamentals of
Algebraic Graph Transformation. Springer, Berlin (2006)
11. Fradet, P., Südholt, M.: An aspect language for robust programming. In: Object-Oriented Technology, ECOOP’99 Workshop
Reader, ECOOP’99. Lecture Notes in Computer Science, vol.
1743, pp. 291–292. Springer, Berlin (1999)
12. Grønmo, R., Møller-Pedersen, B.: Aspect diagrams for UML activity models. In: Applications of Graph Transformations with Indus-
Confluence of aspects for sequence diagrams
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
trial Relevance, Third International Symposium, AGTIVE. Lecture
Notes in Computer Science, vol. 5088. Springer, Berlin (2008)
Grønmo, R., Runde, R.K., Møller-Pedersen, B.: Confluence of
Aspects for Sequence Diagrams—Research Report No 390. ISBN
82-7368-351-6, ISSN no 0806-3036 October (2009)
Grønmo, R., Sørensen, F., Møller-Pedersen, B., Krogdahl, S.: A
semantics-based aspect language for interactions with the arbitrary
events symbol. In: Proceedings of the 4th European Conference on
Model Driven Architecture—Foundations and Applications (ECMDA-FA 2008). LNCS, vol. 5095, pp. 262–277. Springer, Berlin
(2008)
Grønmo, R., Sørensen, F., Møller-Pedersen, B., Krogdahl, S.:
Semantics-based weaving of UML sequence diagrams. In: Proceedings of the 1st International Conference on Theory and Practice of Model Transformations (ICMT 2008). LNCS, vol. 5063, pp.
122–136. Springer, Berlin (2008)
Havinga, W., Nagy, I., Bergmans, L., Aksit, M.: A graph-based
approach to modeling and detecting composition conflicts related
to introductions. In: Proceedings of the 6th International Conference on Aspect-Oriented Software Development (AOSD 2007).
ACM International Conference Proceeding Series, vol. 208, pp.
85–95. ACM, New York (2007)
Heckel, R., Küster, J.M., Taentzer, G.: Confluence of typed attributed graph transformation systems. In: Proceedings of the 1st
International Conference on Graph Transformation (ICGT 2002).
LNCS, vol. 2505, pp. 161–176. Springer, Berlin (2002)
Huet, G.P.: Confluent reductions: abstract properties and applications to term rewriting systems. J. ACM 27(4), 797–821 (1980)
Jouault, F., Kurtev, I.: Transforming models with ATL. In: Satellite
Events at the MoDELS 2005 Conference, Revised Selected Papers.
LNCS, vol. 3844, pp. 128–138. Springer, Berlin (2006)
Katz, E., Katz, S.: Incremental analysis of interference among
aspects. In: Proceedings of the 7th Workshop on Foundations
of Aspect-Oriented Languages, FOAL 2008, pp. 29–38. ACM,
New York (2008)
Katz, E., Katz, S.: Modular verification of strongly invasive aspects.
In: Proceedings of the 8th Workshop on Foundations of Aspect-Oriented Languages, FOAL, pp. 7–12. ACM, New York (2009)
Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J., Griswold, W.G.: An overview of AspectJ. In: ECOOP ’01: Proceedings
of the 15th European Conference on Object-Oriented Programming
(2001)
Kienzle, J., Abed, W.A., Klein, J.: Aspect-oriented multi-view
modeling. In: Proceedings of the 8th International Conference on
Aspect-Oriented Software Development (AOSD 2009), pp. 87–98.
ACM, New York (2009)
Kienzle, J., Duala-Ekoko, E., Gélineau, S.: AspectOptima: a case
study on aspect dependencies and interactions. In: Transactions
on Aspect-Oriented Software Development V. LNCS, vol. 5490,
pp. 187–234. Springer, Berlin (2009)
Klein, J. Fleurey, F., Jézéquel J.-M.: Weaving multiple aspects in
sequence diagrams. In: Transactions on Aspect Oriented Software
Development III. LNCS, vol. 4620, pp. 167–199. Springer, Berlin
(2007)
Klein, J., Hélouët, L., JézéquelM, J.-M.: Semantic-based weaving
of scenarios. In: Proceedings of the 5th International Conference on
Aspect-Oriented Software Development (AOSD 2006), pp. 27–38.
ACM, New York (2006)
Klint, P., van der Storm, T., Vinju, J.J.: Term rewriting meets aspectoriented programming. In: Processes, Terms and Cycles: Steps on
the Road to Infinity, Essays Dedicated to Jan Willem Klop, on the
Occasion of His 60th Birthday. Lecture Notes in Computer Science,
vol. 3838, pp. 88–105. Springer, Berlin (2005)
Kniesel, G.: The Condor tool. http://roots.iai.uni-bonn.de/
research/condor/
29. Kniesel, G.: Detection and resolution of weaving interactions. In:
Transactions on Aspect-Oriented Software Development V. LNCS,
vol. 5490, pp. 135–186. Springer, Berlin (2009)
30. Knuth, D.E., Bendix, P.B.: Simple Word Problems in Universal
Algebras. Pergamon Press, Oxford (1970)
31. Kolovos, D.S., Paige, R.F., Polack, F.: The Epsilon transformation language. In: Proceedings of the 1st International Conference
on Theory and Practice of Model Transformations (ICMT 2008).
LNCS, vol. 5063, pp. 46–60. Springer, Berlin (2008)
32. Krishnamurthi, S., Fisler, K., Greenberg, M.: Verifying aspect
advice modularly. In: Proceedings of the 12th ACM SIGSOFT
International Symposium on Foundations of Software Engineering, pp. 137–146. ACM, New York (2004)
33. Küster, J.M., Heckel, R., Engels, G.: Defining and validating transformations of UML models. In: Proceedings of the 2003 IEEE
Symposium on Human Centric Computing Languages and Environments (HCC 2003), pp. 145–152. IEEE Computer Society,
Washington (2003)
34. Lambers, L., Ehrig, H., Orejas, F.: Conflict detection for graph
transformation with negative application conditions. In: Proceedings of the 3rd International Conference on Graph Transformations (ICGT 2006). LNCS, vol. 4178, pp. 61–76. Springer, Berlin
(2006)
35. Liang, H., Diskin, Z., Dingel, J., Posse, E.: A general approach for
scenario integration. In: Model Driven Engineering Languages and
Systems, 11th International Conference, MoDELS. Lecture Notes
in Computer Science, vol. 5301, pp. 204–218. Springer, Berlin
(2008)
36. Man, J.D.: Towards a formal semantics of Message Sequence
Charts. In: SDL’93 Using Objects, Proceedings of the 6th SDL
Forum, pp. 157–165. Elsevier Science, Amsterdam (1993)
37. Mehner, K., Monga, M., Taentzer, G.: Analysis of aspect-oriented
model weaving. In: Transactions on Aspect-Oriented Software
Development V. LNCS, vol. 5490, pp. 235–263. Springer, Berlin
(2009)
38. Mens, T., Kniesel, G., Runge, O.: Transformation dependency analysis—a comparison of two approaches. In: LMO, pp. 167–184.
Hermès Lavoisier (2006)
39. Newman, M.H.A.: On theories with a combinatorial definition of
“equivalence”. Ann. Math. 43(2), 223–243 (1942)
40. Object Management Group (OMG): Meta Object Facility (MOF)
2.0 Query/View/Transformation Specification version 1.0, OMG
document formal/2008-04-03 (2008)
41. Oldevik, J., Haugen, Ø.: From sequence diagrams to Java-stairs
aspects. In: Proceedings of the 8th International Conference on
Aspect-Oriented Software Development (AOSD 2009), pp. 99–
110. ACM, New York (2009)
42. Oldevik, J., Haugen, Ø., Møller-Pedersen, B.: Confluence in
domain-independent product line transformations. In: Fundamental Approaches to Software Engineering, 12th International Conference, FASE. Lecture Notes in Computer Science, vol. 5503.
Springer, Berlin (2009)
43. (OMG) O.M.G.: UML 2.2 Superstructure Specification, OMG document formal/2009/02-02 (2009)
44. Plump, D.: Confluence of graph transformation revisited. In: Processes, Terms and Cycles: Steps on the Road to Infinity, Essays
Dedicated to Jan Willem Klop, on the Occasion of His 60th Birthday. LNCS, vol. 3838, pp. 280–308. Springer, Berlin (2005)
45. Post, E.L.: A variant of a recursively unsolvable problem. Bull.
Am. Math. Soc. 52 (1946)
46. Rensink, A.: The GROOVE Simulator: a tool for state space generation. In: Applications of Graph Transformations with Industrial Relevance, Second International Workshop, AGTIVE. Lecture
Notes in Computer Science, vol. 3062, pp. 479–485. Springer, Berlin (2004)
123
R. Grønmo et al.
47. Rinard, M.C., Salcianu, A., Bugrara, S.: A classification system and analysis for aspect-oriented programs. In: Proceedings
of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 147–158. ACM, New York
(2004)
48. Sánchez, P., Fuentes, L., Stein, D., Hanenberg, S., Unland, R.:
Aspect-oriented model weaving beyond model composition and
model transformation. In: Proceedings of the 11th Internation Conference on Model Driven Engineering Languages and Systems
(MoDELS 2008), LNCS, vol. 5301, pp. 766–781. Springer, Berlin
(2008)
49. Solberg, A., Simmonds, D., Reddy, R., Ghosh, S., France, R.B.:
Using aspect oriented techniques to support separation of concerns in model driven development. In: Proceedings of the 29th
Annual International Computer Software and Applications Conference (COMPSAC 2005), pp. 121–126. IEEE Computer Society,
Washington (2005)
50. Sørensen, F., Grønmo, R.: The SeDi-Weaver tool. http://folk.uio.
no/roygr/
51. Stein, D., Hanenberg, S., Unland, R.: Join point designation diagrams: a graphical representation of join point selections. Int. J.
Softw. Eng. Knowl. Eng. 16(3), 317–346 (2006)
52. Taentzer, G.: AGG: A graph transformation environment for modeling and validation of software. In: Proceedings of the 2nd International Workshop on Applications of Graph Transformations with
Industrial Relevance (AGTIVE 2003). LNCS, vol. 3062, pp. 446–
453. Springer, Berlin (2003)
53. Whittle, J., Jayaraman, P., Elkhodary, A., Moreira, A., Araújo,
J.: MATA: a unified approach for composing UML aspect models based on graph transformation. In: Transactions on AspectOriented Software Development VI. Special Issue on Aspects
and Model-Driven Engineering. LNCS, vol. 5560, pp. 191–237.
Springer, Berlin (2009)
54. Zhang, G., Hölzl, M.: HiLA: High-level aspects for UML state
machines. In: Proceedings of the 14th Workshop on Aspect-Oriented Modeling (AOM@MoDELS 2009) (2009)
Author Biographies
Roy Grønmo is research scientist at SINTEF. He holds a doctor degree in Computer science
at the University of Oslo. The
main research topics are modeldriven development, model and
graph transformation, serviceoriented modeling and aspectoriented modeling.
123
Ragnhild Kobro Runde is associate professor at University of
Oslo, where she received her
Dr. Scient. degree on UML2.0
sequence diagrams in 2007. Her
main research interests include
object-oriented programming and
modelling languages, as well as
practical formal methods.
Birger Møller-Pedersen is professor at University of Oslo. He
has worked with object orientation, from various implementations of SIMULA to the design
of BETA. He was a key person
in adding object-orientation to
ITU SDL (standardized 1992).
With Ericsson he contributed to
UML2.0 within OMG.