Relational Interfaces Relational Interfaces Stavros Tripakis UC Berkeley Joint work with Ben Lickly, Joint work with Ben Lickly, Tom Henzinger and Edward Lee UC Berkeley, Feb 2010
Component ‐ Based Design Component Based Design • How can we build large, complex systems How can we build large, complex systems from smaller, simpler systems? – We call the latter components • Raises many interesting questions: – What kind of components do we need? • What are the right building blocks? – Which components to use and how to connect them? connect them? – What is a component? How to reason about components? 2
Interface theories [e.g., Alfaro, Henzinger, et al.] Interface theories [e.g., Alfaro, Henzinger, et al.] • Interface = component abstraction Interface = component abstraction • Interface composition: A • B = C • Interface refinement: A’ ≤ A f f ’ • Theorems: (1) If A’ ≤ A and A satisfies P then A’ satisfies P. (2) If A’ ≤ A and B’ ≤ B, then A’ • B’ ≤ A • B. 3
Substitutability Substitutability • Incremental design • Top ‐ down design T d d i B A A’ B’ B’ (1) If A’ ≤ A and A satisfies P then A’ satisfies P. ( ) (2) If A’ ≤ A and B’ ≤ B, then A’ • B’ ≤ A • B. 4
Synthesis of abstractions Synthesis of abstractions • Bottom ‐ up design B A A’ B’ B’ If A and B are interfaces then we can compute an p interface for their composition: A • B. 5
Tons of related work … Tons of related work … Floyd, Hoare, Dijkstra, Wirth, …, 1960s, 1970s, …: pre/post ‐ conditions, stepwise y , , j , , , , , p /p , p • refinement, … Abrial, 1980s, 1990s: the Z notation, the B method • Back, 1980s, …: refinement calculus • Liskov 1980s: Modular program construction using abstractions Liskov, 1980s: Modular program construction using abstractions • Meyer, 1980s: Eiffel, contracts (pre/post ‐ conditions), subcontracting • (inheritance) Lynch, 1980s: I/O automata • Dill 1980s: Trace theory for automatic hierarchical verification of speed Dill, 1980s: Trace theory for automatic hierarchical verification of speed ‐ • • independent circuits Misra/Chandy, Jones, Barringer/Kuiper/Pnueli, Stark, …, many others, 1980s, • 1990s, 2000s, …: compositional verification, assume ‐ guarantee, … Broy, 1990s, …: FOCUS B 1990 FOCUS • Software engineering: software reuse, modularization, Parnas, many others, … • Type theory: covariance/contravariance • … • 6
Non ‐ relational Interfaces e.g., [Doyen et al., EMSOFT’08] • Separate predicates over inputs and outputs S t di t i t d t t x1 ≥ 0 Guarantee Assumption y ≥ 0 Divide about inputs over outputs x2 > 0 • Cannot express input ‐ output relations : y = x1/x2 7
Relational Interfaces [this work] • Predicates over both inputs and outputs P di t b th i t d t t x1 ≥ 0 y ≥ 0 y ≥ 0 Di id Divide x2 > 0 • Can express input ‐ output relations : Can express input output relations : x ≠ ∧ = 1 x 0 y deterministic (function) (f ) 2 2 x 2 x ≠ → = non ‐ deterministic (relation) 1 x 0 y 2 x 2 8
Plan of talk Plan of talk • Relational interfaces Relational interfaces – Stateless, stateful • Environments and pluggability • Environments and pluggability • Refinement – Refinement and pluggability • Composition – Connection, feedback – Preservation of refinement by composition y p 9
Plan of talk Plan of talk • Relational interfaces Relational interfaces – Stateless, stateful • Environments and pluggability • Environments and pluggability • Refinement – Refinement and pluggability • Composition – Connection, feedback – Preservation of refinement by composition y p 10
Stateless Relational Interfaces Stateless Relational Interfaces I = φ φ I ( ( X X , Y Y , ) ) Set of input variables Set of input variables S t f Set of output variables t t i bl X X Y Y M M M M I I φ φ Contract 11
Contracts Contracts • Semantically: relations between input and y p φ ⊆ × = ∪ output assignments: A ( X ) A ( Y ) A ( X Y ) Set of all assignments φ Set of all assignments over variables in X over variables in Y A(X) A(Y) • Syntactically: predicates or something similar x ≠ ≠ ∧ = 1 1 x 0 0 y 2 x 2 12
Assumptions and Guarantees Assumptions and Guarantees • Input assumptions : set of legal input Input assumptions : set of legal input assignments φ φ ≡ ≡ ∃ ∃ φ φ ⊆ ⊆ in in ( ( ) ) Y Y : : A A ( ( X X ) ) • Output guarantees : set of possible output • Output guarantees : set of possible output assignments φ φ ≡ ∃ ∃ φ φ ⊆ out ( ( ) ) X X : A A ( ( Y Y ) ) 13
Assumptions and Guarantees Assumptions and Guarantees • Input assumptions : set of legal input Input assumptions : set of legal input assignments φ φ ) ≡ ∃ φ φ in ( ( ) Y : x x ≠ ∧ = ≡ ≠ 1 1 in ( x 0 y ) x 0 2 2 x 2 x ≠ → = ≡ 1 in ( x 0 y ) true 2 x 2 14
Stateful Relational Interfaces Stateful Relational Interfaces I = ξ ξ I ( ( X X , Y Y , ) ) ξ ∪ → ∪ * * : A ( X Y ) C ( X Y ) Set of all possible Set of all possible contracts over X U Y states over X U Y state = history = a1 a2 … ak Stateless = special case of stateful p = same contract at all states 15
Example of stateful interface: unit delay d l x x y y x: 0 1 2 3 4 5 ... 0 1 2 3 4 5 y: v0 0 1 2 3 4 ... unit ‐ delay = ξ I ({ x }, { y }, ) ud ud ξ ε ≡ = ( ) ( y v ) ud 0 ξ ξ ⋅ ≡ = ( ( s s a a ) ) ( ( y y a a ( ( x x )) )) ud d Infinite ‐ state interface last step last step i iti l t t initial state 16
Example of finite ‐ state interface: 1 ‐ place buffer l b ff data in data_in data out data_out 1 1 ‐ place l write full buffer read empty Note: this says almost nothing about implementation Note: this says almost nothing about implementation Global contract: Note: this says nothing about data (holds at all states) State ‐ dependent contracts: ¬ ∧ ¬ ¬ ( ( empty p y full ) ) write read d ∧ ¬ ∧ ( write read ) write ∧ s0 s1 → ¬ empty read read empty empty full full ∧ → ¬ full write 17
Well ‐ formed and well ‐ formable interfaces f • Well ‐ formed: Well formed: – Every reachable state has a satisfiable contract • Well formable • Well ‐ formable: – Can be made well ‐ formed by restricting the inputs – Amounts to finding a winning strategy in a game [Alfaro ‐ Henzinger ‘01, Dill ‘89, Back ‘90] • For stateless interfaces, l f well ‐ formed = well ‐ formable = satisfiable 18
Plan of talk Plan of talk • Relational interfaces Relational interfaces – Stateless, stateful • Environments and pluggability • Environments and pluggability • Refinement – Refinement and pluggability • Composition – Connection, feedback – Preservation of refinement by composition y p 19
Environments and Pluggability Environments and Pluggability E Environment i t Interface 20
Environments Environments = φ φ φ φ E E ( ( X X , Y Y , , ) ) X Y predicate on X (possible inputs) predicate on Y (desirable outputs) Environment Think precondition/postcondition Interface X X Y Y 21
Pluggability Pluggability I = I = φ φ ( ( X X , Y Y , ) ) = φ φ φ φ E ( ( X , , Y , , , , ) ) X X Y Y • Interface I is pluggable to environment E if: p gg ∀ φ → φ X : in ( ) X ∀ φ ∧ φ → φ X , Y : X Y 22
Plan of talk Plan of talk • Relational interfaces Relational interfaces – Stateless, stateful • Environments and pluggability • Environments and pluggability • Refinement – Refinement and pluggability • Composition – Connection, feedback – Preservation of refinement by composition y p 23
Refinement Refinement = φ φ ≤ ≤ = φ φ I I ' ' ( ( X X , Y Y , ' ' ) ) I I ( ( X X , Y Y , ) ) iff iff ∀ ∀ φ φ → → φ φ X X : in i ( ( ) ) i in ( ( ' ' ) ) ∀ ∀ φ φ ∧ ∧ φ φ → → φ φ X X , , Y Y : : in in ( ( ) ) ' 24
Refinement examples Refinement examples ∀ φ → φ X : in ( ) in ( ' ) ∀ ∀ φ φ ∧ φ φ → → φ φ X X , Y Y : : in i ( ( ) ) ' ' = ≤ = ∨ + = more deterministic x y x y x 1 y outputs x x ≠ → = ≤ ≠ ∧ = more legal 1 1 x 0 y x 0 y 2 2 inputs x x 2 2 = ≤ > ∧ = ∨ + = x y x 0 ( x y x 1 y ) or both 25
Refinement properties Refinement properties • Reflexive, transitive, antisymmetric: partial order • Top element: false → φ false in ( ' ) ∧ φ → false ' false φ → in ( ) true • No bottom element φ φ ∧ true → φ φ in i ( ( ) ) t – true is not bottom: – constant outputs are minimal elements • Least upper bound defined b d d f d • Greatest lower bound: sometimes defined – C.f. shared refinement 26
Recommend
More recommend
