interface theories with component reuse laurent doyenepfl thomas henzingerepfl barbara jobstmannepfl...
TRANSCRIPT
Interface Theories With Component Reuse
Laurent Doyen EPFL
Thomas Henzinger EPFL
Barbara Jobstmann EPFL
Tatjana Petrov EPFL
2
Outline
1. Motivation– Interface theories and component-based design – New operator: component reuse
2. Shared refinement: Stateless Interfaces
3. Shared refinement: Stateful Interfaces
4. Conclusions and future work
Interfaces
Odd(x)?
Divide
x int y boolean
x int
y int, y!=0z real
Signature
Assertional
• analogy with type systems• static checking at compile-time• well-formed: usable in some environment
3
Interface Automaton
FIFOenq
deq
E
F
Size2Buffer
EF EF EF
(enq,deq),(!enq,!deq)enq
deq
E
F(enq,deq)
(enq,!deq)
(!enq,deq)
(enq,!deq)
(enq,deq),(!enq,!deq)
(enq,deq),(!enq,!deq)
Assumption: !(deq,!enq)Guarantee: (E,!F)
Transition guards
4
I111I112
I21 I22I13
I12
I11
I2
Component-Based Design
I1
I1
I2
I11
5
Interface Theories
If A and B are compatible and A' A and B' B, then A’ and B' are compatible and A'||B' A||B.
6
BA
A’
B’
I111I112
I21 I22I13
I12
I11
I2
Component-Based Design
I1
I1
I2
I11
I22 Π I112
7
Interface Theories
• Parallel composition and feedback, Contravariant refinement relation
=> independent implementiability
=> stepwise refinement [de Alfaro, Henzinger, 2001]
• Shared refinement => greatest lower bound in the refinement lattice
=> associativity
=> distributivity
8
Stateless Interface
• Predicates over input and output variables
• Wellformedness • Inputs and outputs disjoint• Assumption satisfiable• Guarantee satisfiable
9
Assumptionabout inputs
Guaranteeover outputs
Dividex int
y int, y!=0z real
Parallel Composition
10
Aeven(x) y mod 3 = 0
Bx > 0 z mod 4 = 0
Aeven(x) &(x>0)
y
B z
A||B
xy mod 3 = 0 &z mod 4 = 0
Parallel Composition
11
even(x) y mod 3 = 0
odd(x) z mod 4 = 0
FALSE
y mod 3 = 0 & z mod 4 = 0
A y
B z
A||B
x
A
B
INCOMPATIBLE !
Connection
A zyx
zyx Ac
x=0 => y=0 TRUE
forall x,z. (TRUE & (x=z)) => (x=0 => y=0)
TRUE & (x=z)
y=0
12
Connection
TRUEy = 0
zAc
INCOMPATIBLE !
13
Refinement Relation
B refines A
even(x) even(y)
x int y mod 4 = 0
14
A
B
Refinement Relation
Implementation must obey output guarantee →B does not refine C
even(x) y mod 3 = 0
x int y mod 4 = 0
15
C
B
Refinement Relation
Implementation must accept all permissible inputs →B does not refine D
Deven(x) even(y)
Bodd(x) y mod 4 = 0
16
Shared Refinement
17
(A Π B) can be used in any design as an implementation of A, and as an implementation of B
Aeven(x) y mod 3 = 0
Bx>0 y mod 4 = 0
A Π B even(x)ORx>0
y mod 12 = 0
Shared Refinement
18
Aeven(x) odd(y)
Bx>0 y mod 4 = 0
Shared Refinement
19
Aeven(x) odd(y)
Bx>0 y mod 4 = 0
A Π B even(x)ORx>0
FALSE
NOT
SHARED-REFINABLE !
Shared Refinement: Properties
Greatest lower bound in the refinement lattice
Associativity:
Distributivity:
20
(A Π B) Π C = A Π (B Π C)
a1 g1 a2 g2
A1 x A2a1 OR a2 g1 & g2
A1
A1 Π A2
A2
A || (B Π C) = (A || B) Π (A || C)
A Π (B || C) = (A Π B) || (A Π C)
A Π B
Greatest lower bound in the refinement lattice
Shared Refinement: Properties
21
A B
for all C, if C ≤ A and C ≤ B then C ≤ A Π B
A Π B
Greatest lower bound in the refinement lattice
Shared Refinement: Properties
22
A B
C
A1
A3
B1 B2
A1 Π B1 Π B2 Π A3
Associativity
Shared Refinement: Properties
23
Stateful Interface
FIFOenq
deq
E
F
Size2Buffer
EF EF EF
(enq,deq),(!enq,!deq)enq
deq
E
F(enq,deq)
(enq,!deq)
(!enq,deq)
(enq,!deq)
(enq,deq),(!enq,!deq)
(enq,deq),(!enq,!deq)
Assumption: !(deq,!enq)Guarantee: (E,!F)
Transition guards
24
Interface Theories• Define
– Refinement relation
– Composition of interfaces
so that…
• Ensure
If A and B is are compatible and A' A and B' B, then A’ and B' are compatible and A'||B' A||B.
[de Alfaro, Henzinger, 2001]
25
Stateful Interface
• Wellformedness• Satisfiable assumption in each state = non-stopping• Satisfiable guarantee in each state• Deterministic
26
Size2Buffer
EF EF EF
(enq,deq),(!enq, !deq)enq
deq
E
F(enq ,deq)
(enq ,!deq)
(!enq, deq)
(enq, !deq)
(enq,deq),(!enq, !deq)
(enq,deq),(!enq, !deq)
Stateful Interfaces: Refinement
• Alternating simulation relation[Alur, Henzinger, Kupferman, Vardi,
1998]
• N refines M if there exists a relation R between the states such that if (p,q) is in R, then
• a(p) => a(q)• g(q) => g(p)• a(p) & g(q) & (p → p’) & (q → q’) => (p’,q’) in R
27
Stateful Interfaces: Refinement
Ax: inty : int
p1
x intq1
y odd
q1 ≤ p1
x eveny int
p2
x evenq2
y odd
q2 ≤ p2
x inty int
p3
x intq3
y int
x eveny odd
q3 ≤ p3
28
Stateful Interfaces: Refinement
29
Size2Buffer
EF EF EF
(enq,deq),(!enq,!deq)enq
deq
E
F(enq,deq)
(enq,!deq)
(!enq,deq)
(enq,!deq)
(enq,deq),(!enq,!deq)
(enq,deq),(!enq,!deq)
SlowBuffer
T T
enq
deq
E
F(!enq ,!deq)
enq or deq(!enq ,!deq)
I111Size2Buffer
I21 SlowBufferI13
I12
I11
I2
Shared Refinement
I1
I1
I2
I11
Size2Buffer Π SlowBuffer
30
Stateful Interface
31
EF EF EF
!e!d
EF EF EF
EF EF EF!ed !ed
T T
e!d,!ed,ed
!e!d
!e!d
!e!d
!e!d!ed
ed e!d
!ed e!d !ed
ed!e!d
e!d
!e!d
ed !e!d
ed
ed
ed
!ed !ed
e!d e!d
!ed!ed
Size2Buffer Π SlowBuffer
Shared Refinement: Properties
Greatest lower bound in the refinement lattice
Associativity:
Distributivity:
32
(A Π B) Π C = A Π (B Π C)
A || (B Π C) ≤ (A || B) Π (A || C)
(A Π B) || (A Π C) ≤ A Π (B || C)
(A||B) Π (A||C)
Distributivity
Shared Refinement: Properties
A || (B Π C) ≤ (A || B) Π (A || C)
A CA B
33
(A||B) Π (A||C)
Distributivity
Shared Refinement: Properties
A || (B Π C) ≤ (A || B) Π (A || C)
A CA B
A B Π C
A || (B Π C)
34
View-Points
35
F Π T Π P
TimingT
PowerP
Functional F
Conclusions
We extended the existing theory
Possible Applications
• Implementation of view-points
• Refactoring of systems
• Use of standard components
36
Future Work
Implementation of an automatic checker for shared refinability
Asynchronous case Relationship to modal interfaces
[Benveniste et al.: Residual for Component Specifications, 2007]
37