Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technische Universität München Institut für Informatik D-80290 München, Germany Realizability of System Interface Specifications Manfred Broy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Technische Universität München Institut für Informatik D-80290 München, Germany Realizability of System Interface Specifications Manfred Broy."— Presentation transcript:

1 Technische Universität München Institut für Informatik D-80290 München, Germany Realizability of System Interface Specifications Manfred Broy

2 2 Amir Pnueli Memorial Symposium, May 2010 Motivation State machines with input and output (generalized Mealy machines) provide a concept of implementation of discrete systems Behavioral abstraction by the concept of interface behavior ◊Interface abstraction for state machines with input and output Interface assertions ◊Specification of interface behavior Realizability as a condition that interface assertions have implementations by state machines Nonrealizable specifications ◊Safety and realizability ◊Liveness and realizability

3 Manfred Broy 3 Amir Pnueli Memorial Symposium, May 2010 Types and channels A type is (for our purpose) a set of messages (signals, events); Let M be the universe of all messages of all types A channel is a name for a communication link in a system Typed channel set C: a set of names in C a function type C : C  Type where Type is the set of types; A snapshot valuation for a channel set C is a mapping v: C  M where v(c) is of type type(c) for all c  C; by Val[C] we denote the set of all channel snapshot valuations

4 Manfred Broy 4 Amir Pnueli Memorial Symposium, May 2010 The system model: static interface The static (syntactic) interface of a system is given by a set I of typed input channels a set O of typed output channels The static interface then is denoted by I » O

5 Manfred Broy 5 Amir Pnueli Memorial Symposium, May 2010 Streams and Channel Histories a stream s of type T is an infinite sequence of elements of type T represented by the mapping s: IN +  T where IN + = IN \ {0} STREAM denotes the set of all streams A channel history z for the typed channel set C is a mapping that associates a stream with every channel in C z: C  STREAM By IH[C] we denote the set of all histories Notation: x  t prefix of length t of the history or stream x

6 Manfred Broy 6 Amir Pnueli Memorial Symposium, May 2010 State Machines with Input and Output A state machine ( ,  ) with input and output for static interface I » O is given by a state space , which represents a set of states, a set    of initial states a state transition function  : (   Val[I])   (   Val[O]) For each state    and each valuation   Val[I] of the input channels in I by messages we get by (  ',  )   ( ,  ) a successor state  '   and a valuation  Val[O] of the output channels consisting of the messages produced by the state transition. Such state machines are also called Mealy machines.

7 Manfred Broy 7 Amir Pnueli Memorial Symposium, May 2010 Classes of state machines A state machine ( ,  ) is called total, if for all states    and all inputs   IH[I]  the sets  ( ,  ) and  are not empty; otherwise the machine ( ,  ) is called partial. deterministic, if  and  ( ,  ) are sets with at most one element for all states    and input   Val[I]. bounded choice, if  and  ( ,  ) are finite sets for all states    and input   Val[I]

8 Manfred Broy 8 Amir Pnueli Memorial Symposium, May 2010 Computations of State Machines a stream x of input : x 1, x 2, … a stream y of output : y 1, y 2, … a stream s of states :  0,  1, … A computation generated state machine ( ,  ) on input history x  IH[I] and the initial state  0 is defined choosing step by step (  i+1, y i+1 )   (  i, x i+1 ) it computes the output history y  IH[O] that way. Comp( ,  ) denotes the set of pairs (x, y) where y  IH[O] is an output history computed by state machine ( ,  ) on input history x  IH[I] and initial state  0  

9 Manfred Broy 9 Amir Pnueli Memorial Symposium, May 2010 Interface function and interface abstraction For syntactic interface I » O an interface function is given by F : IH[I]   ( IH[O]) A state machine ( ,  ) defines an interface abstraction F ( ,  ) : IH[I]   ( IH[O]) F ( ,  ) (x) = {y: (x, y)  Comp( ,  )}

10 Manfred Broy 10 Amir Pnueli Memorial Symposium, May 2010 Interface assertions For static interface I » O a logical formula R which contains the input and output channels in I and O as free variables for streams is called interface assertion Interface assertion R defines a predicate R(x, y) on histories x and y and an associated interface function F: y  F(y)  R(x, y) A state machine ( ,  ) is correct for interface assertion R if (x, y)  Comp( ,  )  R(x, y)

11 Manfred Broy 11 Amir Pnueli Memorial Symposium, May 2010 A Specification Example System Fresh delivers always the newest value of x Types Write = {d  Data} Get = {get, “-”} Val = {d  Data} The logical specification:  t: z(t) = get  y(t+1) = last(x, t) z(t) = “-”  y(t+1) = “-” where: last(x, 0) = d 0 last(x, t+1) = if x(t)  “-” then x(t) else last(x, t) fi Note that this system is very difficult to describe with shared variables and access to shared variables by assignments.

12 Manfred Broy 12 Amir Pnueli Memorial Symposium, May 2010 Causality A function F : IH[I]   ( IH[O]) that fulfils the proposition (for all t, x, y) x  t = x’  t  {y  t+k: y  F(x)} = y  t+k: y  F(x’)} is called k-delayed. 0-delayed functions are called causal 1-delayed functions are called strongly causal A causal function is also called an interface behaviour.

13 Manfred Broy 13 Amir Pnueli Memorial Symposium, May 2010 Definition: Realizability Interface assertion R and associated behavior F and is called realizable, if there exists a (strongly) causal total function f : IH[I]  IH[O] such that R(x, f(x))  x  IH[I] : f(x)  F(x) Then f is called a (strong) realization of F (and R) y  F(x) is called realizable if there exists a realization f with y = f(x) F (and R) are called fully realizable if every y  F(x) is realizable By [[F]] we denote the set of all realizations of F

14 Manfred Broy 14 Amir Pnueli Memorial Symposium, May 2010 Example: Nonrealizable causal interface assertion Consider the interface specification R(x, y) = [x ≠ y] Facts: the behavior associated with R is strongly causal R is a liveness property R is not realizable

15 Manfred Broy 15 Amir Pnueli Memorial Symposium, May 2010 Realizability and state machines Theorem Interface assertion R and associated behavior F and are realizable, iff there exists a total deterministic state machine that is correct for R.

16 Manfred Broy 16 Amir Pnueli Memorial Symposium, May 2010 Theorem: Realizability For each interface specification R: there exist a state machine that is correct for R iff R realizable.

17 Manfred Broy 17 Amir Pnueli Memorial Symposium, May 2010 Theorems on interface abstraction An interface abstraction F ( ,  ) of a total Mealy machine ( ,  ) is always causal strongly causal, if ( ,  ) is a Moore machine fully realizable.

18 Manfred Broy 18 Amir Pnueli Memorial Symposium, May 2010 Realizability of interface specification R Questions: Is causality a sufficient condition for realizability Under which conditions is R realizable Realizability of contracts (assumption/commitment specifications) The role of safety and liveness of R for realizability

19 Manfred Broy 19 Amir Pnueli Memorial Symposium, May 2010 Causality and realizability Theorem: An interface assertion R is realizable iff there exist a realizable causal interface assertion R’ with R’  R

20 Manfred Broy 20 Amir Pnueli Memorial Symposium, May 2010 Conditions for realizability Theorem: If the formula  x:  y: R(x, y) does not holds, then the causal interface specification R is not realizable

21 Manfred Broy 21 Amir Pnueli Memorial Symposium, May 2010 Notation Let P be a predicate about histories. We write P(x  t) for the formula  x’: x  t = x’  t  P(x’)

22 Manfred Broy 22 Amir Pnueli Memorial Symposium, May 2010 Characterizing Safety and Liveness An interface assertion R is a safety property if for all x and y: R(x, y)   t: R(x  t, y  t) Interface assertion R is a liveness property if for all x and y  t: R(x  t, y  t)

23 Manfred Broy 23 Amir Pnueli Memorial Symposium, May 2010 Safety Realizability Theorem: A causal safety interface specification R is fully realizable iff the formula  x:  y: R(x, y) holds.

24 Manfred Broy 24 Amir Pnueli Memorial Symposium, May 2010 Bounded choice and safety Theorem If a total state machine ( ,  ) is bounded choice then its associated interface assertion (x, y)  Comp( ,  ) is a safety property.

25 Manfred Broy 25 Amir Pnueli Memorial Symposium, May 2010 Liveness requires unbounded choice Theorem Every fully realizable liveness property can be implemented by an unbounded choice state machine.

26 Manfred Broy 26 Amir Pnueli Memorial Symposium, May 2010 Example. Nonrealizable Specification Consider a system with only one input channel x and one output channel y both carrying Boolean messages with specification R(x, y) = [ (true#x <   true#y =  )  (true#x =   true#y <  ) ] Here true#x denotes the number of messages in stream x. Both assertions are liveness properties and so is predicate R. Obviously,  x:  y: R(x, y) Note the assertion true#x < ∞ as well as its negation true#x = ∞ are both liveness conditions.

27 Manfred Broy 27 Amir Pnueli Memorial Symposium, May 2010 Conclusion Causality and realizability are mandatory properties for interface specification There is a difference between logical inconsistency and nonrealizability Safety is simple for realizability Liveness is tricky for realizability Realizability and causality provide healthy conditions for contracts

Download ppt "Technische Universität München Institut für Informatik D-80290 München, Germany Realizability of System Interface Specifications Manfred Broy."

Similar presentations

Completeness and Expressiveness

Completeness and Expressiveness
Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.

Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.
Distributed Snapshots: Determining Global States of Distributed Systems Joshua Eberhardt Research Paper: Kanianthra Mani Chandy and Leslie Lamport.

Distributed Snapshots: Determining Global States of Distributed Systems Joshua Eberhardt Research Paper: Kanianthra Mani Chandy and Leslie Lamport.
Finite State Machines (FSMs)

Finite State Machines (FSMs)
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
Primitive Recursive Functions (Chapter 3)

Primitive Recursive Functions (Chapter 3)
TOPIC : Finite State Machine(FSM) and Flow Tables UNIT 1 : Modeling Module 1.4 : Modeling Sequential circuits.

TOPIC : Finite State Machine(FSM) and Flow Tables UNIT 1 : Modeling Module 1.4 : Modeling Sequential circuits.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Event structures Mauro Piccolo. Interleaving Models Trace Languages:  computation described through a non-deterministic choice between all sequential.

Event structures Mauro Piccolo. Interleaving Models Trace Languages:  computation described through a non-deterministic choice between all sequential.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Logical Clocks and Global State.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Logical Clocks and Global State.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
EECS 20 Lecture 38 (April 27, 2001) Tom Henzinger Review.

EECS 20 Lecture 38 (April 27, 2001) Tom Henzinger Review.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
Introduction to Computability Theory

Introduction to Computability Theory
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

Similar presentations

Ads by Google