
Realizability of System Interface Specifications



  1. Realizability of System Interface Specifications Manfred Broy

  2. Motivation
  • State machines with input and output (generalized Mealy machines) provide a concept of implementation of discrete systems
  • Behavioral abstraction by the concept of interface behavior
  • Interface abstraction for state machines with input and output
  • Interface assertions
  • Specification of interface behavior
  • Realizability as a condition that interface assertions have implementations by state machines
  • Nonrealizable specifications
  • Safety and realizability
  • Liveness and realizability

  3. Types and channels
  • A type is (for our purpose) a set of messages (signals, events); let M be the universe of all messages of all types
  • A channel is a name for a communication link in a system. A typed channel set C consists of
    • a set of names in C
    • a function typeC : C → Type, where Type is the set of types
  • A snapshot valuation for a channel set C is a mapping v: C → M where v(c) is of type type(c) for all c ∈ C; by Val[C] we denote the set of all channel snapshot valuations

  4. The system model: static interface
  The static (syntactic) interface of a system is given by
  • a set I of typed input channels
  • a set O of typed output channels
  The static interface is then denoted by I » O

  5. Streams and Channel Histories
  • A stream of type T is an infinite sequence of elements of type T, represented by the mapping s: IN+ → T where IN+ = IN \ {0}; STREAM denotes the set of all streams
  • A channel history z for the typed channel set C is a mapping that associates a stream with every channel in C: z: C → STREAM. By IH[C] we denote the set of all histories
  Notation: xt denotes the prefix of length t of the history or stream x

  6. State Machines with Input and Output
  A state machine (, ) with input and output for static interface I » O is given by
  • a state space, which represents a set of states,
  • a set of initial states,
  • a state transition function from pairs (state, input valuation in Val[I]) to sets of pairs (successor state, output valuation in Val[O]).
  For each state and each valuation of the input channels in I by messages, every pair in the transition set gives a successor state and a valuation in Val[O] of the output channels, consisting of the messages produced by the state transition. Such state machines are also called Mealy machines.

  7. Classes of state machines
  A state machine (, ) is called
  • total, if for all states and all inputs in IH[I] the transition set and the set of initial states are not empty; otherwise the machine (, ) is called partial.
  • deterministic, if the set of initial states and each transition set are sets with at most one element, for all states and all inputs in Val[I].
  • bounded choice, if the set of initial states and each transition set are finite sets, for all states and all inputs in Val[I].

  8. Computations of State Machines
  • a stream x of input: x1, x2, …
  • a stream y of output: y1, y2, …
  • a stream s of states: s0, s1, …
  • A computation generated by state machine (, ) on input history x ∈ IH[I] and the initial state s0 is defined by choosing, step by step, (si+1, yi+1) from the transition set for (si, xi+1); it computes the output history y ∈ IH[O] that way.
  • Comp(, ) denotes the set of pairs (x, y) where y ∈ IH[O] is an output history computed by state machine (, ) on input history x ∈ IH[I] from an initial state s0

  9. Interface function and interface abstraction
  For syntactic interface I » O an interface function is given by F: IH[I] → ℘(IH[O])
  A state machine (, ) defines an interface abstraction F(, ): IH[I] → ℘(IH[O]) by
  F(, )(x) = {y: (x, y) ∈ Comp(, )}

  10. Interface assertions
  For static interface I » O a logical formula R which contains the input and output channels in I and O as free variables for streams is called an interface assertion.
  Interface assertion R defines a predicate R(x, y) on histories x and y and an associated interface function F: y ∈ F(x) ⇔ R(x, y)
  A state machine (, ) is correct for interface assertion R if (x, y) ∈ Comp(, ) ⇒ R(x, y)

  11. A Specification Example
  System Fresh always delivers the newest value of x
  Types
  • Write = {d ∈ Data}
  • Get = {get, “-”}
  • Val = {d ∈ Data}
  The logical specification:
  ∀ t: z(t) = get ⇒ y(t+1) = last(x, t)
       z(t) = “-” ⇒ y(t+1) = “-”
  where: last(x, 0) = d0
         last(x, t+1) = if x(t) ≠ “-” then x(t) else last(x, t) fi
  Note that this system is very difficult to describe with shared variables and access to shared variables by assignments.

  12. Causality
  A function F: IH[I] → ℘(IH[O]) that fulfils the proposition (for all t, x, x’)
  xt = x’t ⇒ {yt+k: y ∈ F(x)} = {yt+k: y ∈ F(x’)}
  is called k-delayed.
  • 0-delayed functions are called causal
  • 1-delayed functions are called strongly causal
  A causal function is also called an interface behaviour.

  13. Definition: Realizability
  Interface assertion R and its associated behavior F are called realizable if there exists a (strongly) causal total function f: IH[I] → IH[O] such that R(x, f(x)) holds for all x, i.e. ∀ x ∈ IH[I]: f(x) ∈ F(x)
  Then
  • f is called a (strong) realization of F (and R)
  • y ∈ F(x) is called realizable if there exists a realization f with y = f(x)
  • F (and R) are called fully realizable if every y ∈ F(x) is realizable
  • By [[F]] we denote the set of all realizations of F

  14. Example: Nonrealizable causal interface assertion
  Consider the interface specification R(x, y) = [x ≠ y]
  Facts:
  • the behavior associated with R is strongly causal
  • R is a liveness property
  • R is not realizable
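  The Fresh system of slide 11 and the nonrealizable assertion of slide 14, worked through in Python as an added example that is not part of the talk. The encoding is this example's own: a deterministic total machine is run Moore-style so that it is strongly causal, d0 is taken as 0, and the names run, fresh_step, fresh_out, fresh_spec_holds and diagonal_input are assumptions of the example, not notation from the slides.

```python
def run(init, step, out, xs):
    """Strongly causal (Moore-style) run: y_{i+1} = out(state_i) is fixed
    before x_{i+1} is read, then state_{i+1} = step(state_i, x_{i+1})."""
    state, ys = init, []
    for x in xs:
        ys.append(out(state))
        state = step(state, x)
    return ys

# Fresh (slide 11): input at time t is the pair (x(t), z(t)); d0 = D0 assumed.
# last(x, 0) = d0, last(x, t+1) = x(t) if x(t) != "-" else last(x, t)
D0 = 0
FRESH_INIT = (D0, D0, "-")  # after input t: (last(x, t), last(x, t+1), z(t))

def fresh_step(state, inp):
    _, cur, _ = state
    x, z = inp
    return (cur, x if x != "-" else cur, z)

def fresh_out(state):  # y(t+1) = last(x, t) if z(t) = get, else "-"
    answer, _, z = state
    return answer if z == "get" else "-"

def last(xs, t):
    v = D0
    for x in xs[:t]:
        v = x if x != "-" else v
    return v

def fresh_spec_holds(xs, zs, ys):
    """Check the slide-11 assertion on a finite prefix (a safety property)."""
    for t in range(len(ys) - 1):
        want = last(xs, t) if zs[t] == "get" else "-"
        if ys[t + 1] != want:
            return False
    return True

def diagonal_input(init, step, out, n):
    """Slide 14: y_{i+1} is fixed before x_{i+1} is read, so an input can
    copy it, x_{i+1} := y_{i+1}; then f(x) = x and [x != y] fails."""
    state, xs = init, []
    for _ in range(n):
        x = out(state)
        xs.append(x)
        state = step(state, x)
    return xs

# A Boolean machine that tries to differ from its input (constructed here).
NEG_INIT, neg_step, neg_out = False, lambda s, x: x, lambda s: not s
```

  Running the Fresh machine on a constructed input and checking the prefix with fresh_spec_holds shows one realization of slide 11; feeding any strongly causal machine its own diagonal_input shows why no such realization exists for [x ≠ y].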

  15. Realizability and state machines
  Theorem: Interface assertion R and its associated behavior F are realizable iff there exists a total deterministic state machine that is correct for R.

  16. Theorem: Realizability
  For each interface specification R: there exists a state machine that is correct for R iff R is realizable.

  17. Theorems on interface abstraction
  An interface abstraction F(, ) of a total Mealy machine (, ) is always
  • causal
  • strongly causal, if (, ) is a Moore machine
  • fully realizable.

  18. Realizability of interface specification R
  Questions:
  • Is causality a sufficient condition for realizability?
  • Under which conditions is R realizable?
  • Realizability of contracts (assumption/commitment specifications)
  • The role of safety and liveness of R for realizability

  19. Causality and realizability
  Theorem: An interface assertion R is realizable iff there exists a realizable causal interface assertion R’ with R’ ⇒ R

  20. Conditions for realizability
  Theorem: If the formula ∀ x: ∃ y: R(x, y) does not hold, then the causal interface specification R is not realizable

  21. Notation
  Let P be a predicate about histories. We write P(xt) for the formula ∃ x’: xt = x’t ∧ P(x’)

  22. Characterizing Safety and Liveness
  An interface assertion R is a safety property if for all x and y: R(x, y) ⇔ ∀ t: R(xt, yt)
  Interface assertion R is a liveness property if for all x and y: ∀ t: R(xt, yt)

  23. Safety Realizability
  Theorem: A causal safety interface specification R is fully realizable iff the formula ∀ x: ∃ y: R(x, y) holds.

  24. Bounded choice and safety
  Theorem: If a total state machine (, ) is bounded choice, then its associated interface assertion (x, y) ∈ Comp(, ) is a safety property.

  25. Liveness requires unbounded choice
  Theorem: Every fully realizable liveness property can be implemented by an unbounded choice state machine.

  26. Example: Nonrealizable Specification
  Consider a system
  • with only one input channel x and
  • one output channel y,
  both carrying Boolean messages, with specification
  R(x, y) = [(true#x < ∞ ⇒ true#y = ∞) ∧ (true#x = ∞ ⇒ true#y < ∞)]
  Here true#x denotes the number of messages true in stream x. Both assertions are liveness properties and so is predicate R. Obviously, ∀ x: ∃ y: R(x, y) holds.
  Note that the assertion true#x < ∞ as well as its negation true#x = ∞ are both liveness conditions.

  27. Conclusion
  • Causality and realizability are mandatory properties for interface specifications
  • There is a difference between logical inconsistency and nonrealizability
  • Safety is simple for realizability
  • Liveness is tricky for realizability
  • Realizability and causality provide healthy conditions for contracts
