Relational Interfaces
Stavros Tripakis, UC Berkeley
Joint work with Ben Lickly, Tom Henzinger and Edward Lee
UC Berkeley, Feb 2010
Component-Based Design
• How can we build large, complex systems from smaller, simpler systems?
 – We call the latter components
• Raises many interesting questions:
 – What kind of components do we need?
  • What are the right building blocks?
 – Which components to use and how to connect them?
 – What is a component? How to reason about components?
Interface theories [e.g., Alfaro, Henzinger, et al.]
• Interface = component abstraction
• Interface composition: A • B = C
• Interface refinement: A' ≤ A
• Theorems:
 (1) If A' ≤ A and A satisfies P then A' satisfies P.
 (2) If A' ≤ A and B' ≤ B, then A' • B' ≤ A • B.
Substitutability
• Incremental design
• Top-down design
(figure: composition A • B, with A' substituted for A and B' for B)
 (1) If A' ≤ A and A satisfies P then A' satisfies P.
 (2) If A' ≤ A and B' ≤ B, then A' • B' ≤ A • B.
Synthesis of abstractions
• Bottom-up design
(figure: components A, B and their refinements A', B')
If A and B are interfaces then we can compute an interface for their composition: A • B.
Tons of related work …
• Floyd, Hoare, Dijkstra, Wirth, …, 1960s, 1970s, …: pre/post-conditions, stepwise refinement, …
• Abrial, 1980s, 1990s: the Z notation, the B method
• Back, 1980s, …: refinement calculus
• Liskov, 1980s: Modular program construction using abstractions
• Meyer, 1980s: Eiffel, contracts (pre/post-conditions), subcontracting (inheritance)
• Lynch, 1980s: I/O automata
• Dill, 1980s: Trace theory for automatic hierarchical verification of speed-independent circuits
• Misra/Chandy, Jones, Barringer/Kuiper/Pnueli, Stark, …, many others, 1980s, 1990s, 2000s, …: compositional verification, assume-guarantee, …
• Broy, 1990s, …: FOCUS
• Software engineering: software reuse, modularization, Parnas, many others, …
• Type theory: covariance/contravariance
• …
Non-relational Interfaces, e.g., [Doyen et al., EMSOFT'08]
• Separate predicates over inputs and outputs
 – Divide example: assumption about inputs $x_1 \geq 0$, $x_2 > 0$; guarantee over outputs $y \geq 0$
• Cannot express input-output relations: $y = x_1 / x_2$
Relational Interfaces [this work]
• Predicates over both inputs and outputs
 – Divide example: inputs $x_1 \geq 0$, $x_2 > 0$; output $y \geq 0$
• Can express input-output relations:
 – $x_2 \neq 0 \wedge y = x_1 / x_2$: deterministic (function)
 – $x_2 \neq 0 \to y = x_1 / x_2$: non-deterministic (relation)
Plan of talk
• Relational interfaces
 – Stateless, stateful
• Environments and pluggability
• Refinement
 – Refinement and pluggability
• Composition
 – Connection, feedback
 – Preservation of refinement by composition
Stateless Relational Interfaces
$I = (X, Y, \varphi)$
 – $X$: set of input variables
 – $Y$: set of output variables
 – $\varphi$: contract
Contracts
• Semantically: relations between input and output assignments:
 $\varphi \subseteq A(X) \times A(Y) = A(X \cup Y)$
 where $A(X)$ is the set of all assignments over variables in $X$, and $A(Y)$ the set of all assignments over variables in $Y$
• Syntactically: predicates or something similar, e.g. $x_2 \neq 0 \wedge y = x_1 / x_2$
Assumptions and Guarantees
• Input assumptions: set of legal input assignments
 $\mathit{in}(\varphi) \equiv \exists Y : \varphi \quad \subseteq A(X)$
• Output guarantees: set of possible output assignments
 $\mathit{out}(\varphi) \equiv \exists X : \varphi \quad \subseteq A(Y)$
Assumptions and Guarantees
• Input assumptions: set of legal input assignments
 $\mathit{in}(\varphi) \equiv \exists Y : \varphi$
 – $\mathit{in}(x_2 \neq 0 \wedge y = x_1 / x_2) \equiv x_2 \neq 0$
 – $\mathit{in}(x_2 \neq 0 \to y = x_1 / x_2) \equiv \mathit{true}$
Stateful Relational Interfaces
$I = (X, Y, \xi)$, with $\xi : A(X \cup Y)^* \to C(X \cup Y)$
 – $A(X \cup Y)^*$: set of all possible states over $X \cup Y$; state = history = $a_1 a_2 \ldots a_k$
 – $C(X \cup Y)$: set of all possible contracts over $X \cup Y$
Stateless = special case of stateful = same contract at all states
Example of stateful interface: unit delay
 x: 0 1 2 3 4 5 ...
 y: v0 0 1 2 3 4 ...
unit-delay $= I(\{x\}, \{y\}, \xi_{ud})$
 – $\xi_{ud}(\varepsilon) \equiv (y = v_0)$ (initial state)
 – $\xi_{ud}(s \cdot a) \equiv (y = a(x))$ ($a$ = last step)
Infinite-state interface
Example of finite-state interface: 1-place buffer
(figure: data_in → 1-place buffer → data_out; inputs write, read; outputs empty, full; states s0 --write--> s1, s1 --read--> s0)
Note: this says almost nothing about implementation, and nothing about data.
Global contract (holds at all states): $\neg(\mathit{empty} \wedge \mathit{full}) \wedge \neg(\mathit{write} \wedge \mathit{read})$
State-dependent contracts:
 – s0: $\mathit{empty} \wedge \neg\mathit{read}$ ($\mathit{empty} \to \neg\mathit{read}$)
 – s1: $\mathit{full} \wedge \neg\mathit{write}$ ($\mathit{full} \to \neg\mathit{write}$)
Well-formed and well-formable interfaces
• Well-formed:
 – Every reachable state has a satisfiable contract
• Well-formable:
 – Can be made well-formed by restricting the inputs
 – Amounts to finding a winning strategy in a game [Alfaro-Henzinger '01, Dill '89, Back '90]
• For stateless interfaces, well-formed = well-formable = satisfiable
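To make the well-formed / well-formable distinction concrete, here is an added example (not from the talk) that encodes the 1-place buffer as a finite-state relational interface over Boolean inputs and outputs and checks both properties by enumeration; the state names, the step function and the overflow variant are assumptions of the example.

```python
from itertools import product
BOOL = [False, True]
GLOBAL = lambda a: not (a["empty"] and a["full"]) and not (a["write"] and a["read"])

def assignments(variables):
    """All Boolean assignments of the variables, as dicts."""
    return [dict(zip(variables, v)) for v in product(BOOL, repeat=len(variables))]

class FiniteStateInterface:
    """Assumed encoding: xi(s) is given per state, step(s, x, y) is the next state."""
    def __init__(self, X, Y, contracts, step, initial):
        self.X, self.Y, self.xi, self.step, self.initial = X, Y, contracts, step, initial
        self.ins, self.outs = assignments(X), assignments(Y)

    def outputs(self, s, x):
        """Outputs allowed by xi(s) on input x; an empty list means x is illegal at s."""
        return [y for y in self.outs if self.xi[s]({**x, **y})]

    def well_formed(self):
        """Every state reachable by contract-satisfying steps has a satisfiable contract."""
        seen, todo = set(), [self.initial]
        while todo:
            s = todo.pop()
            if s in seen:
                continue
            seen.add(s)
            todo += [self.step(s, x, y) for x in self.ins for y in self.outputs(s, x)]
        return all(any(self.outputs(s, x) for x in self.ins) for s in seen)

    def well_formable(self):
        """Safety game: a state is losing if no legal input keeps every allowed output
        away from losing states; well-formable iff the initial state is not losing."""
        losing = {s for s in self.xi if not any(self.outputs(s, x) for x in self.ins)}
        while True:
            new = {s for s in self.xi if s not in losing and not any(
                self.outputs(s, x) and all(self.step(s, x, y) not in losing
                                           for y in self.outputs(s, x)) for x in self.ins)}
            if not new:
                return self.initial not in losing
            losing |= new

# 1-place buffer of the slides: s0 = empty, s1 = full (state encoding constructed here).
X, Y = ["write", "read"], ["empty", "full"]
BUFFER = FiniteStateInterface(X, Y, {
    "s0": lambda a: GLOBAL(a) and a["empty"] and not a["read"],
    "s1": lambda a: GLOBAL(a) and a["full"] and not a["write"]},
    lambda s, x, y: "s1" if x["write"] else "s0" if x["read"] else s, "s0")
# Variant: writing when full stays legal in s1 but leads to an overflow state whose
# contract is false: not well-formed, yet well-formable by forbidding that write.
OVERFLOW = FiniteStateInterface(X, Y, {
    "s0": BUFFER.xi["s0"], "s1": lambda a: GLOBAL(a) and a["full"], "s2": lambda a: False},
    lambda s, x, y: "s2" if s == "s1" and x["write"] else BUFFER.step(s, x, y), "s0")
```

The well-formability check is the usual safety-game fixpoint: inputs are the environment's moves, outputs the component's, and a state wins if some legal input forces every allowed output into winning states.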
Environments and Pluggability
(figure: Environment connected to Interface)
Environments
$E = (X, Y, \varphi_X, \varphi_Y)$
 – $\varphi_X$: predicate on $X$ (possible inputs)
 – $\varphi_Y$: predicate on $Y$ (desirable outputs)
Think precondition/postcondition.
(figure: Environment supplies $X$ to Interface, Interface returns $Y$)
Pluggability
$I = (X, Y, \varphi)$, $E = (X, Y, \varphi_X, \varphi_Y)$
• Interface $I$ is pluggable to environment $E$ if:
 $\forall X : \varphi_X \to \mathit{in}(\varphi)$
 $\forall X, Y : \varphi_X \wedge \varphi \to \varphi_Y$
Refinement
$I' = (X, Y, \varphi') \leq I = (X, Y, \varphi)$ iff
 $\forall X : \mathit{in}(\varphi) \to \mathit{in}(\varphi')$
 $\forall X, Y : \mathit{in}(\varphi) \wedge \varphi' \to \varphi$
Refinement examples
 $\forall X : \mathit{in}(\varphi) \to \mathit{in}(\varphi')$
 $\forall X, Y : \mathit{in}(\varphi) \wedge \varphi' \to \varphi$
 – $(x = y) \leq (x = y \vee x + 1 = y)$: more deterministic outputs
 – $(x_2 \neq 0 \to y = x_1 / x_2) \leq (x_2 \neq 0 \wedge y = x_1 / x_2)$: more legal inputs
 – $(x = y) \leq (x > 0 \wedge (x = y \vee x + 1 = y))$: or both
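An added example (not from the talk) that checks the definitions of $\mathit{in}(\varphi)$, pluggability and refinement by enumeration over small finite domains, on the Divide and $x = y$ contracts of the preceding slides; the domains, the Interface class and its method names are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
# Small finite domains (constructed here) so the ∀/∃ in the definitions can be enumerated.
INTS = [-2, -1, 0, 1, 2]
RATIONALS = sorted({Fraction(a, b) for a in INTS for b in INTS if b != 0})

def assignments(variables, domain):
    """A(V): all assignments of the variables over the domain, as dicts."""
    return [dict(zip(variables, v)) for v in product(domain, repeat=len(variables))]

class Interface:
    """Stateless relational interface I = (X, Y, phi); phi is a predicate over X ∪ Y."""
    def __init__(self, X, Y, phi, dom_X=INTS, dom_Y=INTS):
        self.X, self.Y, self.phi = X, Y, phi
        self.inputs, self.outputs = assignments(X, dom_X), assignments(Y, dom_Y)

    def holds(self, x, y):
        return self.phi({**x, **y})
    def in_(self, x):
        """Input assumption in(phi) = ∃Y: phi, evaluated at the input assignment x."""
        return any(self.holds(x, y) for y in self.outputs)

def refines(I2, I1):
    """I2 ≤ I1: every input legal for I1 is legal for I2, and on such inputs
    I2 produces only outputs that I1 allows (the two refinement conditions)."""
    for x in I1.inputs:
        if I1.in_(x) and (not I2.in_(x) or any(
                I2.holds(x, y) and not I1.holds(x, y) for y in I2.outputs)):
            return False
    return True

def pluggable(I, phi_X, phi_Y):
    """I pluggable to E = (X, Y, phi_X, phi_Y): inputs E may produce are legal
    for I, and outputs I may produce on them satisfy phi_Y."""
    for x in I.inputs:
        if phi_X(x) and (not I.in_(x) or any(
                I.holds(x, y) and not phi_Y(y) for y in I.outputs)):
            return False
    return True

# The contracts used on the slides.
EQ = Interface(["x"], ["y"], lambda a: a["x"] == a["y"])
EQ_OR_SUCC = Interface(["x"], ["y"], lambda a: a["x"] == a["y"] or a["x"] + 1 == a["y"])
POS_EQ_OR_SUCC = Interface(["x"], ["y"], lambda a: a["x"] > 0 and EQ_OR_SUCC.phi(a))
DIV_STRICT = Interface(["x1", "x2"], ["y"],           # x2 ≠ 0 ∧ y = x1/x2
    lambda a: a["x2"] != 0 and a["y"] == Fraction(a["x1"], a["x2"]), dom_Y=RATIONALS)
DIV_LOOSE = Interface(["x1", "x2"], ["y"],            # x2 ≠ 0 → y = x1/x2
    lambda a: a["x2"] == 0 or a["y"] == Fraction(a["x1"], a["x2"]), dom_Y=RATIONALS)
# Environment of the Divide example: x1 ≥ 0 ∧ x2 > 0 as phi_X, y ≥ 0 as phi_Y.
DIVIDE_ENV = (lambda x: x["x1"] >= 0 and x["x2"] > 0, lambda y: y["y"] >= 0)
```

Note that DIV_LOOSE accepts x2 = 0 but then constrains y not at all, so it is pluggable only to environments that never supply x2 = 0 while expecting y ≥ 0.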
Refinement properties
• Reflexive, transitive, antisymmetric: partial order
• Top element: $\mathit{false}$
 – $\mathit{in}(\mathit{false}) \equiv \mathit{false}$, so $\mathit{false} \to \mathit{in}(\varphi')$ and $\mathit{false} \wedge \varphi' \to \mathit{false}$ hold for every $\varphi'$
• No bottom element
 – $\mathit{true}$ is not bottom: $\mathit{in}(\varphi) \to \mathit{in}(\mathit{true})$ holds, but $\mathit{in}(\varphi) \wedge \mathit{true} \to \varphi$ does not in general
 – constant outputs are minimal elements
• Least upper bound defined
• Greatest lower bound: sometimes defined
 – Cf. shared refinement