Re: [Boost-users] [MSM] stack overflow happens when there is a false-guard anonymous transition
Hi Michael, It's always nice to hear from you and have an interesting UML discussion with an expert!
I hope you are well. You know how I like to dig into this stuff... so I'll give my thoughts. They are tainted by the the UML predecessor; however, I think there is good logic and possibly even a specification argument for my point of view.
UML 2.2 Superstructure section 15.3.14 [Transition] provides the associations for:
trigger : Trigger[0..*] -- I am assuming that no trigger is what you are referring to as an anonymous transition. I don't see that term used in current specifications anymore.
guard: Constraint[0..1] -- "A guard is a constraint that provides a fine-grained control over the firing of the transition. The guard is evaluated when an event occurrence is dispatched by the state machine. If the guard is true at that time, the transition may be enabled; otherwise, it is disabled. Guards should be pure expressions without side effects. Guard expressions with side effects are ill formed."
I would argue that the definition of the guard constraint requires that the transition is evaluated when an event is dispatched and is only evaluated once for that event. Because the transition is disabled if the guard evaluates false, then the transition cannot be evaluated again until another event is dispatched.
I think your interpretation makes sense. Agreed.
I would also argue that the system is considered stable once evaluation of an event begins. Guards are not allowed to cause side effects; therefore, the 'state' of the system when evaluation begins should be the same as when evaluation has completed if no transition is taken.
Agreed again.
Personally, the least surprising thing (imnsho) would be that:
1. event is dispatched 2. internal transitions are evaluated for current state 3. external transitions are evaluated for current state 4. hierarchy is followed up and 2/3 repeated 5. if top is reached without satisfying event ... an error has occurred and is acted upon as normal
This is what is implemented for all events except for what the standard calls "Completion Events" (also called anonymous transitions in an UML book from the Booch/Rumbaugh collection).
I do not think whether a trigger is defined or not for a transition will affect this behavior. Transitions without a trigger are simply candidates for any event. The steps outlined above are those used for transitions with triggers, no?
I agree on the first part and disagree on the second. So, I took from the standard: "A completion transition is a transition originating from a state or an exit point but which does not have an explicit trigger, although it may have a guard defined. A completion transition is implicitly triggered by a completion event. In case of a leaf state, a completion event is generated once the entry actions and the internal activities (“do” activities) have been completed. If no actions or activities exist, the completion event is generated upon entering the state. If the state is a composite state or a submachine state, a completion event is generated if either the submachine or the contained region has reached a final state and the state’s internal activities have been completed. This event is the implicit trigger for a completion transition. The completion event is dispatched before any other events in the pool and has no associated parameters. For instance, a completion transition emanating from an orthogonal composite state will be taken automatically as soon as all the orthogonal regions have reached their final state. If multiple completion transitions are defined for a state, then they should have mutually exclusive guard conditions." So you are right and I should handle them like any other event. OTOH, the standard does not see them as a candidate for any event but as an implicit event which I have to trigger after the target state entry behavior. If a transition without an explicit trigger (event) is defined, it fires. And I should generate it only once, thus avoiding the overflow. What you suggest is a kind of an "any" take-all event, which I also find a good idea (I do not remember seeing it in the standard, but a good idea should be implemented if possible). The part of the standard which I find unpracticable is, if the guard rejects the completion event, how do we move out of this case? If I follow the standard, we would need to reenter a state, which means we would need a dummy event (not nice). This is why I suggest a process_completion() which would simply resend a completion event. Ok? Thanks for your (as usual) helpful insights, Christophe PS: reading again, I see that there is another implementation error in the current implementation, completion events have a lower priority than the event queue, I will change this on the way too.
On 9/6/2010 11:54 AM, Christophe Henry wrote:
Personally, the least surprising thing (imnsho) would be that:
1. event is dispatched 2. internal transitions are evaluated for current state 3. external transitions are evaluated for current state 4. hierarchy is followed up and 2/3 repeated 5. if top is reached without satisfying event ... an error has occurred and is acted upon as normal This is what is implemented for all events except for what the standard calls "Completion Events" (also called anonymous transitions in an UML book from the Booch/Rumbaugh collection).
I do not think whether a trigger is defined or not for a transition will affect this behavior. Transitions without a trigger are simply candidates for any event. The steps outlined above are those used for transitions with triggers, no? I agree on the first part and disagree on the second. So, I took from the standard:
So you are right and I should handle them like any other event. OTOH, the standard does not see them as a candidate for any event but as an implicit event which I have to trigger after the target state entry behavior. If a transition without an explicit trigger (event) is defined, it fires. And I should generate it only once, thus avoiding the overflow. What you suggest is a kind of an "any" take-all event, which I also find a good idea (I do not remember seeing it in the standard, but a good idea should be implemented if possible).
The part of the standard which I find unpracticable is, if the guard rejects the completion event, how do we move out of this case? If I follow the standard, we would need to reenter a state, which means we would need a dummy event (not nice). This is why I suggest a process_completion() which would simply resend a completion event. Ok?
Thanks for your (as usual) helpful insights,
Christophe
PS: reading again, I see that there is another implementation error in the current implementation, completion events have a lower priority than the event queue, I will change this on the way too. _______________________________________________
Thanks for getting me on the same page. I think completion events are peculiar only in the sense that their event is implicitly generated. Run-to-completion step semantics must still be obeyed as well as guards must be evaluated only once. If the completion event has been dispatched and it fails to take a transition I believe the state is now quiescent (for reasons articulated earlier). So... how do we exit? The *only* way to exit via the completion transition is for a completion event to be dispatched again. How can this happen? Via a self transition (or compound transition that returns) or via hierarchical search and a return to history. ----------- ----------- ----->| | [g] | | | S1 |--------->| S2 | -->| entry/F1 | | | | | exit/F2 | | | | |__________| |_________| |____| E So, in the example above... we enter S1 via some transition. After entry F1 is executed the completion event is dispatched. If g evaluates as false then we remain in S1. We cannot re-evaluate g unless the completion event is dispatched again and we cannot dispatch the completion event unless we meet the requirements of entering the state and completing entry actions and "do" activities. The only way for that to occur with the above example is taking E. Event E occurs, exit F2 is executed, E transition code is executed, entry F1 is executed and then a new completion event is dispatched. I think executing process_completion is actually a violation of the model (UML). Completion events occur based on a well defined set of rules. Failure to take a completion transition because of a guard is by design or implementation (intentional or a flaw). A new event must be processed that results in a completion event to be dispatched for the evaluation to occur again. It also rubs me wrong because run-to-completion steps are always initiated via an event being dispatched. process_completion would produce a second "interface" for injecting behavior. My recommendation would be to stick with the standard. Typically the side affects of entry F1 or transition E will result in the evaluation of g to true. If simply calling process_completion again results in g becoming true it means significant state changes outside of the state machine (or in a parallel machine). In my opinion, this would be an indicator of a bad design. The one place where I do something similar is when "polling" real hardware; however, I use the above configuration and trigger E to evaluate g in a predictable manner. As for the "wildcard" or any trigger, ROOM had this notion and I have used it extensively over the years. In 13.3.1 you will find AnyReceiveEvent. A transition trigger can be associated with this message event which would specify the transition should be triggered by receipt of any message. I don't think MSM encompasses the Communications Package models and this may be a stretch to get working. Thanks for your hard work on this excellent library! michael -- ---------------------------------- Michael Caisse Object Modeling Designs www.objectmodelingdesigns.com
participants (2)
-
Christophe Henry -
Michael Caisse