realizability of system interface specifications
DESCRIPTION
Realizability of System Interface Specifications. Manfred Broy. Motivation. State machines with input and output (generalized Mealy machines) provide a concept of implementation of discrete systems Behavioral abstraction by the concept of interface behavior - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/1.jpg)
Technische Universität MünchenInstitut für Informatik
D-80290 München, Germany
Realizability of System Interface Specifications
Manfred Broy
![Page 2: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/2.jpg)
Manfred Broy 2Amir Pnueli Memorial Symposium, May 2010
Motivation
• State machines with input and output (generalized Mealy machines) provide a concept of implementation of discrete systems
• Behavioral abstraction by the concept of interface behavior◊ Interface abstraction for state machines with input and output
• Interface assertions◊ Specification of interface behavior
• Realizability as a condition that interface assertions have implementations by state machines
• Nonrealizable specifications◊ Safety and realizability ◊ Liveness and realizability
![Page 3: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/3.jpg)
Manfred Broy 3Amir Pnueli Memorial Symposium, May 2010
Types and channels
• A type is (for our purpose) a set of messages (signals, events);Let M be the universe of all messages of all types
• A channel is a name for a communication link in a system
Typed channel set C:• a set of names in C• a function
typeC : C Typewhere Type is the set of types;
• A snapshot valuation for a channel set C is a mappingv: C M
where v(c) is of type type(c) for all c C; by Val[C] we denote the set of all channel snapshot valuations
![Page 4: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/4.jpg)
Manfred Broy 4Amir Pnueli Memorial Symposium, May 2010
The system model: static interface
The static (syntactic) interface of a system is given by • a set I of typed input channels• a set O of typed output channels
The static interface then is denoted by
I » O
Fresh x: Write y: Val
z: Get
![Page 5: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/5.jpg)
Manfred Broy 5Amir Pnueli Memorial Symposium, May 2010
Streams and Channel Histories
• a stream s of type T is an infinite sequence of elements of type T represented by the mapping
s: IN+ T where
IN+ = IN \ {0}STREAM denotes the set of all streams
• A channel history z for the typed channel set C is a mapping that associates a stream with every channel in C
z: C STREAMBy IH[C] we denote the set of all histories
Notation:xt prefix of length t of the history or stream x
![Page 6: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/6.jpg)
Manfred Broy 6Amir Pnueli Memorial Symposium, May 2010
State Machines with Input and Output
A state machine (, ) with input and output for static interface I » O is given by • a state space , which represents a set of states,
• a set of initial states
• a state transition function: ( Val[I]) ( Val[O])
For each • state and each • valuation Val[I] of the input channels in I by messages we get by
(', ) (, ) a successor state ' and a valuation Val[O] of the output channels consisting of the messages produced by the state transition.
Such state machines are also called Mealy machines.
![Page 7: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/7.jpg)
Manfred Broy 7Amir Pnueli Memorial Symposium, May 2010
Classes of state machines
A state machine (, ) is called
• total, if for all states and all inputs IH[I] the sets (, ) and are not empty; otherwise the machine (, ) is called partial.
• deterministic, if and (, ) are sets with at most one element for all states and input Val[I].
• bounded choice, if and (, ) are finite sets for all states and input Val[I]
![Page 8: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/8.jpg)
Manfred Broy 8Amir Pnueli Memorial Symposium, May 2010
Computations of State Machines
• a stream x of input : x1 , x2, …
• a stream y of output : y1 , y2, …
• a stream s of states : 0 , 1, …
• A computation generated state machine (, ) on input history x IH[I] and the initial state 0 is defined choosing step by step
(i+1, yi+1) (i, xi+1)
it computes the output history y IH[O] that way.
• Comp(, ) denotes the set of pairs (x, y) where y IH[O] is an output history computed by state machine (, ) on input history x IH[I] and initial state 0
0 1 2 …
x1/y1 x2 /y2
![Page 9: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/9.jpg)
Manfred Broy 9Amir Pnueli Memorial Symposium, May 2010
Interface function and interface abstraction
For syntactic interface I » O an interface function is given by
F : IH[I] (IH[O])
A state machine (, ) defines an interface abstraction
F(, ) : IH[I] (IH[O])
F(, )(x) = {y: (x, y) Comp(, )}
![Page 10: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/10.jpg)
Manfred Broy 10Amir Pnueli Memorial Symposium, May 2010
Interface assertions
For static interface I»O a logical formula R • which contains the input and output channels in I and O as free
variables for streams is called interface assertion
Interface assertion R defines • a predicate R(x, y) on histories x and y • and an associated interface function F:
y F(y) R(x, y)
A state machine (, ) is correct for interface assertion R if
(x, y) Comp(, ) R(x, y)
![Page 11: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/11.jpg)
Manfred Broy 11Amir Pnueli Memorial Symposium, May 2010
A Specification Example
System Fresh delivers always the newest value of xTypes• Write = {d Data}• Get = {get, “-”}• Val = {d Data}
The logical specification: t:z(t) = get y(t+1) = last(x, t)
z(t) = “-” y(t+1) = “-”where:last(x, 0) = d0
last(x, t+1) = if x(t) “-” then x(t) else last(x, t) fiNote that this system is very difficult to describe with shared variables and access to shared variables by assignments.
Fresh x: Write y: Val
z: Get
![Page 12: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/12.jpg)
Manfred Broy 12Amir Pnueli Memorial Symposium, May 2010
Causality
A functionF : IH[I] (IH[O])
that fulfils the proposition (for all t, x, y)xt = x’t {yt+k: y F(x)} = yt+k: y F(x’)}
is called k-delayed.
• 0-delayed functions are called causal• 1-delayed functions are called strongly causal
A causal function is also called an interface behaviour.
![Page 13: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/13.jpg)
Manfred Broy 13Amir Pnueli Memorial Symposium, May 2010
Definition: Realizability
Interface assertion R and associated behavior F and is called realizable,
if there exists a (strongly) causal total function f : IH[I] IH[O]
such thatR(x, f(x))
x IH[I] : f(x) F(x)Then• f is called a (strong) realization of F (and R)• y F(x) is called realizable if there exists a realization f with
y = f(x) • F (and R) are called fully realizable if every y F(x) is
realizable • By [[F]] we denote the set of all realizations of F
![Page 14: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/14.jpg)
Manfred Broy 14Amir Pnueli Memorial Symposium, May 2010
Example: Nonrealizable causal interface assertion
Consider the interface specificationR(x, y) = [x ≠ y]
Facts:• the behavior associated with R is strongly causal• R is a liveness property• R is not realizable
![Page 15: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/15.jpg)
Manfred Broy 15Amir Pnueli Memorial Symposium, May 2010
Realizability and state machines
TheoremInterface assertion R and associated behavior F and are
realizable, iff there exists a total deterministic state machine that is correct for R.
![Page 16: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/16.jpg)
Manfred Broy 16Amir Pnueli Memorial Symposium, May 2010
Theorem: Realizability
For each interface specification R:
there exist a state machine that is correct for Riff
R realizable.
![Page 17: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/17.jpg)
Manfred Broy 17Amir Pnueli Memorial Symposium, May 2010
Theorems on interface abstraction
An interface abstraction F(, ) of a total Mealy machine (, )
is always
• causal • strongly causal, if (, ) is a Moore machine• fully realizable.
![Page 18: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/18.jpg)
Manfred Broy 18Amir Pnueli Memorial Symposium, May 2010
Realizability of interface specification R
Questions:
• Is causality a sufficient condition for realizability• Under which conditions is R realizable• Realizability of contracts (assumption/commitment
specifications) • The role of safety and liveness of R for realizability
![Page 19: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/19.jpg)
Manfred Broy 19Amir Pnueli Memorial Symposium, May 2010
Causality and realizability
Theorem:An interface assertion R is realizable iff there exist a realizable causal interface assertion R’ with
R’ R
![Page 20: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/20.jpg)
Manfred Broy 20Amir Pnueli Memorial Symposium, May 2010
Conditions for realizability
Theorem: If the formula
x: y: R(x, y)does not holds, then the causal interface specification R is not realizable
![Page 21: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/21.jpg)
Manfred Broy 21Amir Pnueli Memorial Symposium, May 2010
Notation
Let P be a predicate about histories.
We writeP(xt)
for the formula x’: xt = x’t P(x’)
![Page 22: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/22.jpg)
Manfred Broy 22Amir Pnueli Memorial Symposium, May 2010
Characterizing Safety and Liveness
An interface assertion R is a safety property if for all x and y:
R(x, y) t: R(xt, yt)
Interface assertion R is a liveness property if for all x and y
t: R(xt, yt)
![Page 23: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/23.jpg)
Manfred Broy 23Amir Pnueli Memorial Symposium, May 2010
Safety Realizability
Theorem: A causal safety interface specification Ris fully realizable iff the formula
x: y: R(x, y)
holds.
![Page 24: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/24.jpg)
Manfred Broy 24Amir Pnueli Memorial Symposium, May 2010
Bounded choice and safety
TheoremIf a total state machine (, ) is bounded choice then its associated interface assertion
(x, y) Comp(, )is a safety property.
![Page 25: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/25.jpg)
Manfred Broy 25Amir Pnueli Memorial Symposium, May 2010
Liveness requires unbounded choice
TheoremEvery fully realizable liveness property can be implemented by an unbounded choice state machine.
![Page 26: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/26.jpg)
Manfred Broy 26Amir Pnueli Memorial Symposium, May 2010
Example. Nonrealizable Specification
Consider a system • with only one input channel x and • one output channel y both carrying Boolean messages with specification
R(x, y) = [ (true#x < true#y = ) (true#x = true#y < ) ]
Here true#x denotes the number of messages in stream x.Both assertions are liveness properties and so is predicate R. Obviously,
x: y: R(x, y)Note the assertion
true#x < ∞as well as its negation
true#x = ∞are both liveness conditions.
![Page 27: Realizability of System Interface Specifications](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815a95550346895dc8139a/html5/thumbnails/27.jpg)
Manfred Broy 27Amir Pnueli Memorial Symposium, May 2010
Conclusion
• Causality and realizability are mandatory properties for interface specification
• There is a difference between logical inconsistency and nonrealizability
• Safety is simple for realizability• Liveness is tricky for realizability• Realizability and causality provide healthy conditions for
contracts