MODAL INTERFACE AUTOMATA∗

GERALD LÜTTGEN a AND WALTER VOGLER b

a Software Technologies Research Group, University of Bamberg, 96045 Bamberg, Germany
e-mail address: [email protected]

b Institute for Computer Science, University of Augsburg, 86135 Augsburg, Germany
e-mail address: [email protected]
Abstract. De Alfaro and Henzinger's Interface Automata (IA) and Nyman et al.'s recent combination IOMTS of IA and Larsen's Modal Transition Systems (MTS) are established frameworks for specifying interfaces of system components. However, neither IA nor IOMTS consider conjunction, which is needed in practice when a component shall satisfy multiple interfaces, while Larsen's MTS-conjunction is not closed and Beneš et al.'s conjunction on disjunctive MTS does not treat internal transitions. In addition, IOMTS-parallel composition exhibits a compositionality defect. This article defines conjunction (and also disjunction) on IA and disjunctive MTS and proves the operators to be 'correct', i.e., the greatest lower bounds (least upper bounds) wrt. IA- and resp. MTS-refinement. As its main contribution, a novel interface theory called Modal Interface Automata (MIA) is introduced: MIA is a rich subset of IOMTS featuring explicit output-must-transitions while input-transitions are always allowed implicitly, is equipped with compositional parallel, conjunction and disjunction operators, and allows a simpler embedding of IA than Nyman's. Thus, it fixes the shortcomings of related work, without restricting designers to deterministic interfaces as Raclet et al.'s modal interface theory does.

[Theory of computation]: Models of computation—Concurrency; Logic—Logic and Verification; Semantics and reasoning; [Software and its engineering]: Context specific languages—Interface definition languages; Software system models—State systems.

Key words and phrases: interface theories, interface automata, modal transition systems, disjunctive modal transition systems, modal interface automata, conjunction, disjunction.

∗ An extended abstract of this article appeared in 7th IFIP Intl. Conf. on Theoretical Computer Science (TCS 2012), vol. 7604 of Lecture Notes in Computer Science, pp. 265–279, Springer, 2012.

Logical Methods in Computer Science, DOI:10.2168/LMCS-9(3:4)2013. © G. Lüttgen and W. Vogler, Creative Commons.

1. Introduction

Interfaces play an important role when designing complex software and hardware systems so as to be able to check interoperability of system components already at design stage. Early interface theories deal with types of data and operations only and have been successfully deployed in compilers. Over the past two decades, research has focused on more advanced interface theories for sequential and object-oriented software systems, where interfaces also comprise behavioural types. Such types are often referred to as contracts [Mey92] and can express pre- and post-conditions and invariants of methods and classes. Much progress has been made on the design of contract languages and on automated verification techniques that can decide whether a system component meets its contract (cf. [HLL+12] for a survey).
More recently, behavioural interfaces have also been proposed and are being investigated for use in concurrent systems, with prominent application examples being embedded systems (e.g., [MG05]) and web services (e.g., [BCHS07, MB03]). In this context, behavioural interfaces are intended to capture protocol aspects of component interaction. One prominent example of such an interface theory is de Alfaro and Henzinger's Interface Automata (IA) [dH01, dH05], which is based on labelled transition systems (LTS) but distinguishes a component's input and output actions. The theory comes with an asymmetric parallel composition operator, where a component may wait on inputs but never on outputs. Thus, a component's output must be consumed immediately, or an error occurs. In case no potential system environment may restrict the system components' behaviour so that all errors are avoided, the components are deemed to be incompatible.

Semantically, IA employs a refinement notion based on an alternating simulation, such that a component satisfies an interface if (a) it implements all input behaviour prescribed by the interface and (b) the interface permits all output behaviour executed by the implementing component. Accordingly and surprisingly, an output in a specification can always be ignored in an implementation. In particular, a component that consumes all inputs but never produces any output satisfies any interface. Since a specifier certainly wants to be able to prescribe at least some outputs, Larsen, Nyman and Wasowski have built their interface theory on Modal Transition Systems (MTS) [Lar90] rather than LTS, which enables one to distinguish between may- and must-transitions and thus to express mandatory outputs. The resulting IOMTS interface theory [LNW07], into which IA can be embedded, is equipped with an IA-style parallel composition and an MTS-style modal refinement. Unfortunately, IOMTS-modal refinement is not a precongruence (i.e., not compositional) for parallel composition; a related result in [LNW07] has already been shown incorrect by Raclet et al. in [RBB+

$\wedge$ for IA; we prove that $\wedge$ is indeed conjunction, i.e., the greatest lower bound wrt. alternating simulation (cf. Sec. 2). Essentially the same operator has recently and independently been defined in [CCJK12], where it is shown that it gives the greatest lower bound wrt. a trace-based refinement relation. As an aside, we also develop and investigate the dual disjunction operator $\vee$ for IA. This is a natural operator for describing alternatives in loose specifications, thus leaving implementation decisions to implementors.

Similarly, we define conjunction and disjunction operators for a slight extension of MTS (a subset of Disjunctive MTS [LX90], cf. Sec. 3), which paves the way for our main contribution outlined below. Although Larsen has already studied conjunction and disjunction for MTS, his operators do, in contrast to ours, not preserve the MTS-property of syntactic consistency, i.e., a conjunction or disjunction almost always has some required transitions (must-transitions) that are not allowed (missing may-transitions). An additional difficulty when compared to the IA-setting is that two MTS-interfaces may not have a common implementation; indeed, inconsistencies may arise when composing MTSs conjunctively. We handle inconsistencies in a two-stage definition of conjunction, adapting ideas from our prior work on conjunction in a CSP-style process algebra [LV10] that uses, however, a very different parallel operator and refinement preorder. In [BCK11], a conjunction for Disjunctive MTS (DMTS) is introduced in a two-stage style, too. Our construction and results for conjunction significantly extend the ones of [BCK11] in that we also treat internal transitions that, e.g., result from communication.

Note also that our setting employs event-based communication via handshake and thus differs substantially from the one of shared-memory communication studied by Abadi and Lamport in their paper on conjoining specifications [AL95]. The same comment applies to Doyen et al. [DHJP08], who have studied a conjunction operator for an interface theory involving shared-variable communication.

Our article's main contribution is a novel interface theory, called Modal Interface Automata (MIA), which is essentially a rich subset of IOMTS that still allows one to express output-must-transitions. In contrast to IOMTS, must-transitions can also be disjunctive, and input-transitions are either required (i.e., must-transitions) or allowed implicitly. MIA is equipped with an MTS-style conjunction $\wedge$, disjunction $\vee$ and an IOMTS-style parallel composition operator, as well as with a slight adaptation of IOMTS-refinement. We show that (i) MIA-refinement is a precongruence for all three operators; (ii) $\wedge$ ($\vee$) is indeed conjunction (disjunction) for this preorder; and (iii) IA can be embedded into MIA in a much cleaner, homomorphic fashion than into IOMTS [LNW07] (cf. Sec. 4). Thereby, we remedy the shortcomings of related work while, unlike the language-based modal interface theory of [RBB+

2. Conjunction and Disjunction for Interface Automata
Interface Automata (IA) were introduced by de Alfaro and Henzinger [dH01, dH05] as a reactive type theory that abstractly describes the communication behaviour of software or hardware components in terms of their inputs and outputs. IAs are labelled transition systems where visible actions are partitioned into inputs and outputs. The idea is that interfaces interact with their environment according to the following rules. An interface cannot block an incoming input in any state but, if an input arrives unexpectedly, it is treated as a catastrophic system failure. This means that, if a state does not enable an input, this is a requirement on the environment not to produce this input. Vice versa, an interface guarantees not to produce any unspecified outputs, which are in turn inputs to the environment.

This intuition is reflected in the specific refinement relation of alternating simulation between IA and in the parallel composition on IA, which have been defined in [dH05] and are recalled in this section. Most importantly, however, we introduce and study a conjunction operator on IA, which is needed in practice to reason about components that are expected to satisfy multiple interfaces.
Definition 2.1 (Interface Automata [dH05]). An Interface Automaton (IA) is a tuple $\mathcal{Q} = (Q, I, O, \longrightarrow)$, where
(1) $Q$ is a set of states,
(2) $I$ and $O$ are disjoint input and output alphabets, resp., not containing the special, silent action $\tau$,
(3) $\longrightarrow \subseteq Q \times (I \cup O \cup \{\tau\}) \times Q$ is the transition relation.
The transition relation is required to be input-deterministic, i.e., $a \in I$, $q \xrightarrow{a} q'$ and $q \xrightarrow{a} q''$ implies $q' = q''$. In the remainder, we write $q \xrightarrow{a}$ if $q \xrightarrow{a} q'$ for some $q'$, as well as $q \stackrel{a}{\not\longrightarrow}$ for its negation.

In contrast to [dH05] we do not distinguish internal actions and denote them all by $\tau$, as is often done in process algebras. We let $A$ stand for $I \cup O$, let $a$ ($\alpha$) range over $A$ ($A \cup \{\tau\}$), and introduce the following weak transition relations: $q \stackrel{\varepsilon}{\Longrightarrow} q'$ if $q\,(\xrightarrow{\tau})^*\, q'$, and $q \stackrel{o}{\Longrightarrow} q'$ for $o \in O$ if $\exists q''.\ q \stackrel{\varepsilon}{\Longrightarrow} q'' \xrightarrow{o} q'$; note that there are no $\tau$-transitions after the $o$-transition. Moreover, we define $\hat{\alpha} = \varepsilon$ if $\alpha = \tau$, and $\hat{\alpha} = \alpha$ otherwise.

Definition 2.2 (Alternating Simulation [dH05]). Let $\mathcal{P}$ and $\mathcal{Q}$ be IAs with common input and output alphabets. Relation $\mathcal{R} \subseteq P \times Q$ is an alternating simulation relation if for all $(p, q) \in \mathcal{R}$:
(i) $q \xrightarrow{a} q'$ and $a \in I$ implies $\exists p'.\ p \xrightarrow{a} p'$ and $(p', q') \in \mathcal{R}$,
(ii) $p \xrightarrow{\alpha} p'$ and $\alpha \in O \cup \{\tau\}$ implies $\exists q'.\ q \stackrel{\hat{\alpha}}{\Longrightarrow} q'$ and $(p', q') \in \mathcal{R}$.
We write $p \sqsubseteq_{IA} q$ and say that $p$ IA-refines $q$ if there exists an alternating simulation relation $\mathcal{R}$ such that $(p, q) \in \mathcal{R}$.

According to the basic idea of IA, if specification $\mathcal{Q}$ in state $q$ allows some input $a$ delivered by the environment, then the related implementation state $p$ of $\mathcal{P}$ must allow this input immediately in order to avoid system failure. Conversely, if $\mathcal{P}$ in state $p$ produces output $a$ to be consumed by the environment, this output must be expected by the environment even if only $q \stackrel{a}{\Longrightarrow}$ rather than $q \xrightarrow{a}$; this is because $\mathcal{Q}$ could have moved unobservedly from state $q$ to some $q'$ that enables $a$. Since inputs are not treated in Def. 2.2(ii), they are always allowed for $p$.

It is easy to see that IA-refinement $\sqsubseteq_{IA}$ is a preorder on IA and the largest alternating simulation relation. Given input and output alphabets $I$ and $O$, resp., the IA $\mathit{BlackHole}_{I,O} =_{df} (\{\mathit{blackhole}\}, I, O, \{(\mathit{blackhole}, a, \mathit{blackhole}) \mid a \in I\})$ IA-refines any other IA over $I$ and $O$.

2.1. Conjunction on IA.
Two IAs with common alphabets are always logically consistent in the sense that they have a common implementation, e.g., the respective blackhole IA as noted above. This makes the definition of conjunction on IA relatively straightforward. Here and similarly later, we index a transition by the system's name to make clear from where it originates, in case this is not obvious from the context.

Definition 2.3 (Conjunction on IA). Let $\mathcal{P} = (P, I, O, \longrightarrow_P)$ and $\mathcal{Q} = (Q, I, O, \longrightarrow_Q)$ be IAs with common input and output alphabets and disjoint state sets $P$ and $Q$. The conjunction $\mathcal{P} \wedge \mathcal{Q}$ is defined by $(\{p \wedge q \mid p \in P, q \in Q\} \cup P \cup Q, I, O, \longrightarrow)$, where $\longrightarrow$ is the least set satisfying $\longrightarrow_P \subseteq \longrightarrow$, $\longrightarrow_Q \subseteq \longrightarrow$, and the following operational rules:
(I1) $p \wedge q \xrightarrow{a} p'$ if $p \xrightarrow{a}_P p'$, $q \stackrel{a}{\not\longrightarrow}_Q$ and $a \in I$
(I2) $p \wedge q \xrightarrow{a} q'$ if $p \stackrel{a}{\not\longrightarrow}_P$, $q \xrightarrow{a}_Q q'$ and $a \in I$
(I3) $p \wedge q \xrightarrow{a} p' \wedge q'$ if $p \xrightarrow{a}_P p'$, $q \xrightarrow{a}_Q q'$ and $a \in I$
(O) $p \wedge q \xrightarrow{a} p' \wedge q'$ if $p \xrightarrow{a}_P p'$, $q \xrightarrow{a}_Q q'$ and $a \in O$
(T1) $p \wedge q \xrightarrow{\tau} p' \wedge q$ if $p \xrightarrow{\tau}_P p'$
(T2) $p \wedge q \xrightarrow{\tau} p \wedge q'$ if $q \xrightarrow{\tau}_Q q'$
Figure 1: Example illustrating IA-conjunction.

Intuitively, conjunction is the synchronous product over actions (cf. Rules (I3), (O), (T1) and (T2)). Since inputs are always implicitly present, this also explains Rules (I1) and (I2); for example, in Rule (I1), $q$ does not impose any restrictions on the behaviour after input $a$ and is therefore dropped from the target state. Moreover, the conjunction operator is commutative and associative. As an aside, note that the rules with digit 2 in their names are the symmetric cases of the respective rules with digit 1; this convention will hold true throughout this article. Fig. 1 applies the rules above to an illustrating example; here and in the following figures, we write $a?$ for an input $a$ and $a!$ for an output $a$.

Essentially the same conjunction operator is defined by Chen et al. in [CCJK12], where a non-standard variant of IA is studied that employs explicit error states and uses a trace-based semantics and refinement preorder (going back to Dill [Dil89]). The difference between their conjunction and Def. 2.3 is that error states are explicitly used in the clauses that correspond to Rules (I1) and (I2) above, which renders our definition arguably more elegant. In [CCJK12], an analogue of Thm. 2.4 below is shown, but its statement is different as it refers to a different refinement preorder. Also note that, deviating from the IA-literature, error states are called inconsistent in [CCJK12], but this is not related to logical inconsistency as studied by us.

Our first result states that an implementation satisfies the conjunction of interfaces exactly if it satisfies each of them. This is a desired property in system design where each interface describes one aspect (or view) of the overall specification.

Theorem 2.4 ($\wedge$ is And). Let $\mathcal{P}, \mathcal{Q}, \mathcal{R}$ be IAs with states $p$, $q$, $r$, resp. Then, $r \sqsubseteq_{IA} p$ and $r \sqsubseteq_{IA} q$ if and only if $r \sqsubseteq_{IA} p \wedge q$.

Proof. "$\Longleftarrow$": It is sufficient to show that $\mathcal{R} =_{df} \{(r, p) \mid \exists q.\ r \sqsubseteq_{IA} p \wedge q\} \cup \sqsubseteq_{IA}$ is an alternating simulation relation. Let $(r, p) \in \mathcal{R}$ due to $q$; the case $r \sqsubseteq_{IA} p$ is obvious. We check the conditions of Def. 2.2:
• Let $p \xrightarrow{a}_P p'$ with $a \in I$.
  − $q \stackrel{a}{\not\longrightarrow}_Q$: Hence, $p \wedge q \xrightarrow{a} p'$ by Rule (I1) and, due to $r \sqsubseteq_{IA} p \wedge q$, there exists some $r'$ with $r \xrightarrow{a}_R r'$ and $r' \sqsubseteq_{IA} p'$. Since $(r', p') \in \mathcal{R}$ we are done.
  − $q \xrightarrow{a}_Q q'$: Hence, $p \wedge q \xrightarrow{a} p' \wedge q'$ by Rule (I3) and, due to $r \sqsubseteq_{IA} p \wedge q$, there exists some $r'$ with $r \xrightarrow{a}_R r'$ and $r' \sqsubseteq_{IA} p' \wedge q'$. Now, $(r', p') \in \mathcal{R}$ due to $q'$.
• Let $r \xrightarrow{\alpha}_R r'$ with $\alpha \in O \cup \{\tau\}$.
  − $\alpha \neq \tau$: Thus, by Rule (O) and possibly Rules (T1), (T2), $p \wedge q \stackrel{\alpha}{\Longrightarrow} p' \wedge q'$ with $r' \sqsubseteq_{IA} p' \wedge q'$. We can project the transition sequence underlying $p \wedge q \stackrel{\alpha}{\Longrightarrow} p' \wedge q'$ to the $\mathcal{P}$-component and get $p \stackrel{\alpha}{\Longrightarrow}_P p'$, and we are done since $(r', p') \in \mathcal{R}$.
  − $\alpha = \tau$: Hence, $p \wedge q \stackrel{\varepsilon}{\Longrightarrow} p' \wedge q'$, possibly by Rules (T1) and (T2), with $r' \sqsubseteq_{IA} p' \wedge q'$. Again, we can project to $p \stackrel{\varepsilon}{\Longrightarrow}_P p'$ (where possibly $p' = p$) and also have $(r', p') \in \mathcal{R}$.

"$\Longrightarrow$": We show that $\mathcal{R} =_{df} \{(r, p \wedge q) \mid r \sqsubseteq_{IA} p \text{ and } r \sqsubseteq_{IA} q\} \cup \sqsubseteq_{IA}$ is an alternating simulation relation. Let $(r, p \wedge q) \in \mathcal{R}$; the pairs contributed by $\sqsubseteq_{IA}$ are obvious, so we consider the following cases:
(1) $p \wedge q \xrightarrow{a}$ with $a \in I$:
  (I1): $p \wedge q \xrightarrow{a} p'$ due to $p \xrightarrow{a}_P p'$ and $q \stackrel{a}{\not\longrightarrow}_Q$. Then, $r \xrightarrow{a}_R r'$ for some $r'$ with $r' \sqsubseteq_{IA} p'$ due to $r \sqsubseteq_{IA} p$, and we are done since $(r', p') \in \mathcal{R}$.
  (I2): Analogous to Case (I1).
  (I3): $p \wedge q \xrightarrow{a} p' \wedge q'$ due to $p \xrightarrow{a}_P p'$ and $q \xrightarrow{a}_Q q'$. Then, $r \xrightarrow{a}_R r'$ for some $r'$ with $r' \sqsubseteq_{IA} p'$ due to $r \sqsubseteq_{IA} p$. By input-determinism and $r \sqsubseteq_{IA} q$, we also have $r' \sqsubseteq_{IA} q'$ and are done since $(r', p' \wedge q') \in \mathcal{R}$.
(2) $r \xrightarrow{\alpha}_R r'$ with $\alpha \in O \cup \{\tau\}$:
  • $\alpha \in O$: Due to $r \sqsubseteq_{IA} p$ and $r \sqsubseteq_{IA} q$ we have $p'$, $q'$ such that $p \stackrel{\alpha}{\Longrightarrow}_P p'$, $q \stackrel{\alpha}{\Longrightarrow}_Q q'$, $r' \sqsubseteq_{IA} p'$ and $r' \sqsubseteq_{IA} q'$, i.e., $(r', p' \wedge q') \in \mathcal{R}$. We can interleave the $\tau$-transitions of the two transition sequences by Rules (T1) and (T2) and finally synchronize the two $\alpha$-transitions according to Rule (O), and obtain $p \wedge q \stackrel{\alpha}{\Longrightarrow} p' \wedge q'$.
  • $\alpha = \tau$: Analogous, but without the synchronized transition. □

Technically, this result states that $\wedge$ gives the greatest lower bound wrt. $\sqsubseteq_{IA}$ (up to equivalence), and its proof uses the input-determinism property of IA. The theorem also implies compositional reasoning; from universal algebra one easily gets:

Corollary 2.5. For IAs $\mathcal{P}, \mathcal{Q}, \mathcal{R}$ with states $p$, $q$ and $r$: $p \sqsubseteq_{IA} q \Longrightarrow p \wedge r \sqsubseteq_{IA} q \wedge r$.

Proof. Assume $p \sqsubseteq_{IA} q$. Then, (always) $p \wedge r \sqsubseteq_{IA} p \wedge r$ $\Longleftrightarrow$ (by Thm. 2.4) $p \wedge r \sqsubseteq_{IA} p$ and $p \wedge r \sqsubseteq_{IA} r$ $\Longrightarrow$ (by assumption and transitivity) $p \wedge r \sqsubseteq_{IA} q$ and $p \wedge r \sqsubseteq_{IA} r$ $\Longleftrightarrow$ (by Thm. 2.4) $p \wedge r \sqsubseteq_{IA} q \wedge r$. □

2.2. Disjunction on IA.
In analogy to conjunction we develop a disjunction operator on IA and discuss its properties; in particular, this operator should give the least upper bound.

Definition 2.6 (Disjunction on IA). Let $\mathcal{P} = (P, I, O, \longrightarrow_P)$ and $\mathcal{Q} = (Q, I, O, \longrightarrow_Q)$ be IAs with common input and output alphabets and disjoint state sets $P$ and $Q$. The disjunction $\mathcal{P} \vee \mathcal{Q}$ is defined by $(\{p \vee q \mid p \in P, q \in Q\} \cup P \cup Q, I, O, \longrightarrow)$, where $\longrightarrow$ is the least set satisfying $\longrightarrow_P \subseteq \longrightarrow$, $\longrightarrow_Q \subseteq \longrightarrow$ and the following operational rules:
(I) $p \vee q \xrightarrow{a} p' \vee q'$ if $p \xrightarrow{a}_P p'$, $q \xrightarrow{a}_Q q'$ and $a \in I$
(OT1) $p \vee q \xrightarrow{\alpha} p'$ if $p \xrightarrow{\alpha}_P p'$ and $\alpha \in O \cup \{\tau\}$
(OT2) $p \vee q \xrightarrow{\alpha} q'$ if $q \xrightarrow{\alpha}_Q q'$ and $\alpha \in O \cup \{\tau\}$

Note that this definition preserves the input-determinism required of IA. The definition is roughly dual to the one of IA-conjunction, i.e., we take the 'intersection' of initial input behaviour and the 'union' of initial output behaviour. Strictly speaking, this would require the following additional rule for outputs $o \in O$:
(O3) $p \vee q \xrightarrow{o} p' \vee q'$ if $p \xrightarrow{o}_P p'$ and $q \xrightarrow{o}_Q q'$
However, the addition of this rule would in general result in disjunctions $p \vee q$ that are larger than the least upper bound of $p$ and $q$ wrt. $\sqsubseteq_{IA}$. The following theorem shows that our $\vee$-operator properly characterizes the least upper bound:
Figure 2: Example illustrating IA-disjunction's different treatment of inputs and outputs.

Theorem 2.7 ($\vee$ is Or). Let $\mathcal{P}, \mathcal{Q}, \mathcal{R}$ be IAs with states $p$, $q$ and $r$, resp. Then, $p \vee q \sqsubseteq_{IA} r$ if and only if $p \sqsubseteq_{IA} r$ and $q \sqsubseteq_{IA} r$.

Proof. "$\Longrightarrow$": We prove that $\mathcal{R} =_{df} \{(p, r) \mid \exists q.\ p \vee q \sqsubseteq_{IA} r\} \cup \sqsubseteq_{IA}$ is an alternating simulation relation. We let $(p, r) \in \mathcal{R}$ due to $q$ – the case $p \sqsubseteq_{IA} r$ is obvious – and check the conditions of Def. 2.2:
• Let $r \xrightarrow{a}_R r'$ with $a \in I$. Hence, by $p \vee q \sqsubseteq_{IA} r$ and the only applicable Rule (I), $p \vee q \xrightarrow{a} p' \vee q'$ due to $p \xrightarrow{a}_P p'$ and $q \xrightarrow{a}_Q q'$ with $p' \vee q' \sqsubseteq_{IA} r'$. Since $(p', r') \in \mathcal{R}$ we are done.
• Let $p \xrightarrow{\alpha}_P p'$ with $\alpha \in O \cup \{\tau\}$. Hence, $p \vee q \xrightarrow{\alpha} p'$ by Rule (OT1) and, due to $p \vee q \sqsubseteq_{IA} r$, there exists some $r'$ such that $r \stackrel{\hat{\alpha}}{\Longrightarrow} r'$ and $p' \sqsubseteq_{IA} r'$.

"$\Longleftarrow$": We show that $\mathcal{R} =_{df} \{(p \vee q, r) \mid p \sqsubseteq_{IA} r \text{ and } q \sqsubseteq_{IA} r\} \cup \sqsubseteq_{IA}$ is an alternating simulation relation. We let $(p \vee q, r) \in \mathcal{R}$ and consider the following cases:
(1) Let $r \xrightarrow{a}_R r'$ with $a \in I$. By $p \sqsubseteq_{IA} r$ and $q \sqsubseteq_{IA} r$ we have $p'$ and $q'$ such that $p \xrightarrow{a}_P p'$, $q \xrightarrow{a}_Q q'$, $p' \sqsubseteq_{IA} r'$ and $q' \sqsubseteq_{IA} r'$. Thus, we are done since $p \vee q \xrightarrow{a} p' \vee q'$ using Rule (I) and since $(p' \vee q', r') \in \mathcal{R}$.
(2) $p \vee q \xrightarrow{\alpha} p'$ with $\alpha \in O \cup \{\tau\}$. W.l.o.g., $p \xrightarrow{\alpha}_P p'$ due to Rule (OT1). Then, $r \stackrel{\hat{\alpha}}{\Longrightarrow}_R r'$ for some $r'$ satisfying $p' \sqsubseteq_{IA} r'$, by $p \sqsubseteq_{IA} r$. □

Compositionality of disjunction can now be derived dually to the proof of Corollary 2.5 but using Thm. 2.7 instead of Thm. 2.4:

Corollary 2.8. For IAs $\mathcal{P}, \mathcal{Q}, \mathcal{R}$ with states $p$, $q$ and $r$: $p \sqsubseteq_{IA} q \Longrightarrow p \vee r \sqsubseteq_{IA} q \vee r$.

The two examples of Fig. 2 round off our investigation of IA disjunction by illustrating the operator's different treatment of inputs and outputs. Regarding $p \vee q$ on the figure's left-hand side, the choice of which disjunct to implement is taken with the first action $o \in O$ if both disjuncts are implemented; this meets the intuition of an inclusive-or. In the analogous situation of $r \vee s$ on the figure's right-hand side, a branching on $i \in I$ is not allowed due to input-determinism, and the resulting IA is thus intuitively unsatisfactory. The root cause for this is that the IA-setting does not include sufficiently many automata and, therefore, the least upper bound is 'too large'. The shortcoming can be remedied by introducing disjunctive transitions, as we will do below in the dMTS- and MIA-settings. Then, we will have more automata and, indeed, will get a smaller least upper bound.

2.3. Parallel Composition on IA.
We recall the parallel composition operator $|$ on IA of [dH05], which is defined in two stages: first a standard product $\otimes$ between two IAs is introduced, where common actions are synchronized and hidden. Then, error states are identified, and all states are pruned from which reaching an error state is unavoidable.

Figure 3: Example illustrating IA-parallel composition, where IA TryOnce has inputs $\{\mathit{send}, \mathit{ack}, \mathit{nack}\}$ and outputs $\{\mathit{trnsmt}, \mathit{ok}, \mathit{reset}, \mathit{retry}\}$, while IA Client has inputs $\{\mathit{ok}, \mathit{retry}\}$ and outputs $\{\mathit{send}\}$.

Definition 2.9 (Parallel Product on IA [dH05]). IAs $\mathcal{P}_1$ and $\mathcal{P}_2$ are called composable if $A_1 \cap A_2 = (I_1 \cap O_2) \cup (O_1 \cap I_2)$, i.e., each common action is input of one IA and output of the other IA. For such IAs we define the product $\mathcal{P}_1 \otimes \mathcal{P}_2 = (P_1 \times P_2, I, O, \longrightarrow)$, where $I = (I_1 \cup I_2) \setminus (O_1 \cup O_2)$ and $O = (O_1 \cup O_2) \setminus (I_1 \cup I_2)$ and where $\longrightarrow$ is given by the following operational rules:
(Par1) $(p_1, p_2) \xrightarrow{\alpha} (p_1', p_2)$ if $p_1 \xrightarrow{\alpha} p_1'$ and $\alpha \notin A_2$
(Par2) $(p_1, p_2) \xrightarrow{\alpha} (p_1, p_2')$ if $p_2 \xrightarrow{\alpha} p_2'$ and $\alpha \notin A_1$
(Par3) $(p_1, p_2) \xrightarrow{\tau} (p_1', p_2')$ if $p_1 \xrightarrow{a} p_1'$ and $p_2 \xrightarrow{a} p_2'$ for some $a$.
Note that, in case of synchronization and according to Rule (Par3), one only gets internal $\tau$-transitions.

Definition 2.10 (Parallel Composition on IA [dH05]). A state $(p_1, p_2)$ of a parallel product $\mathcal{P}_1 \otimes \mathcal{P}_2$ is an error state if there is some $a \in A_1 \cap A_2$ such that (a) $a \in O_1$, $p_1 \xrightarrow{a}$ and $p_2 \stackrel{a}{\not\longrightarrow}$, or (b) $a \in O_2$, $p_2 \xrightarrow{a}$ and $p_1 \stackrel{a}{\not\longrightarrow}$.
A state of $\mathcal{P}_1 \otimes \mathcal{P}_2$ is incompatible if it may reach an error state autonomously, i.e., only by output or internal actions that are, intuitively, locally controlled. Formally, the set $E \subseteq P_1 \times P_2$ of incompatible states is the least set such that $(p_1, p_2) \in E$ if (i) $(p_1, p_2)$ is an error state or (ii) $(p_1, p_2) \xrightarrow{\alpha} (p_1', p_2')$ for some $\alpha \in O \cup \{\tau\}$ and $(p_1', p_2') \in E$.
The parallel composition $\mathcal{P}_1 \,|\, \mathcal{P}_2$ of $\mathcal{P}_1, \mathcal{P}_2$ is obtained from $\mathcal{P}_1 \otimes \mathcal{P}_2$ by pruning, i.e., removing all states in $E$ and all transitions involving such states as source or target. If $(p_1, p_2) \in \mathcal{P}_1 \,|\, \mathcal{P}_2$, we write $p_1 \,|\, p_2$ and call $p_1$ and $p_2$ compatible.
Parallel composition is well-defined since input-determinism is preserved.

Theorem 2.11 (Compositionality of IA-Parallel Composition [dH05]). Let $\mathcal{P}_1$, $\mathcal{P}_2$ and $\mathcal{Q}_1$ be IAs with $p_1 \in P_1$, $p_2 \in P_2$, $q_1 \in Q_1$ and $p_1 \sqsubseteq_{IA} q_1$. Assume that $\mathcal{Q}_1$ and $\mathcal{P}_2$ are composable; then, (a) $\mathcal{P}_1$ and $\mathcal{P}_2$ are composable and (b) if $q_1$ and $p_2$ are compatible, then so are $p_1$ and $p_2$ and $p_1 \,|\, p_2 \sqsubseteq_{IA} q_1 \,|\, p_2$.

This result relies on the fact that IAs are input-deterministic. While the theorem is already stated in [dH05], its proof is only sketched therein. Here, it is a simple corollary of Thm. 4.14 in Sec. 4.3 and Thms. 4.16 and 4.17(b) in Sec. 4.4 below.
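The two-stage construction of Defs. 2.9 and 2.10 as an added Python example (not the paper's code). Only the alphabets of TryOnce and Client are given on this page, so the transitions used below are constructed to reproduce the behaviour described for Fig. 3 and are an assumption of this example: Client sends and then waits for ok, never accepting retry; TryOnce transmits after send, and on nack autonomously runs reset! followed by retry!. The incompatible set $E$ is computed as the least set closed backwards under output and τ-transitions only, which is what makes the nack-branch disappear from $\mathit{Client} \,|\, \mathit{TryOnce}$ while the state before nack survives.

```python
"""IA parallel composition (Defs. 2.9 and 2.10): product, error states,
incompatible states E and pruning.  Added example, not the paper's code.
The Client/TryOnce pair is constructed in the spirit of Fig. 3 (the page
gives only the alphabets); its transitions are assumptions of this example.
An IA is a triple (inputs, outputs, transitions); states are read off the transitions."""
TAU = "tau"

def succ(trans, q, a):
    return {t for (s, x, t) in trans if s == q and x == a}

def states_of(trans):
    return {s for (s, _, _) in trans} | {t for (_, _, t) in trans}

def composable(ia1, ia2):
    """Def. 2.9: every common action is an input of one IA and an output of the other."""
    (I1, O1, _), (I2, O2, _) = ia1, ia2
    return (I1 | O1) & (I2 | O2) == (I1 & O2) | (O1 & I2)

def product(ia1, ia2):
    """Def. 2.9: (Par1)/(Par2) interleave private actions (including tau),
    (Par3) turns a synchronised common action into tau."""
    (I1, O1, T1), (I2, O2, T2) = ia1, ia2
    A1, A2 = I1 | O1, I2 | O2
    I, O = (I1 | I2) - (O1 | O2), (O1 | O2) - (I1 | I2)
    trans = set()
    for p1 in states_of(T1):
        for p2 in states_of(T2):
            trans |= {((p1, p2), a, (q1, p2)) for (s, a, q1) in T1 if s == p1 and a not in A2}
            trans |= {((p1, p2), a, (p1, q2)) for (s, a, q2) in T2 if s == p2 and a not in A1}
            trans |= {((p1, p2), TAU, (q1, q2)) for (s, a, q1) in T1 if s == p1 and a in A2
                      for q2 in succ(T2, p2, a)}
    return I, O, trans

def is_error(ia1, ia2, p1, p2):
    """Def. 2.10: one side outputs a common action the other side cannot take right now."""
    (I1, O1, T1), (I2, O2, T2) = ia1, ia2
    for a in (I1 | O1) & (I2 | O2):
        if a in O1 and succ(T1, p1, a) and not succ(T2, p2, a):
            return True
        if a in O2 and succ(T2, p2, a) and not succ(T1, p1, a):
            return True
    return False

def compose(ia1, ia2):
    """P1 | P2: E is the least set containing the error states and closed backwards
    under locally controlled (output/tau) steps; then every state of E is pruned."""
    assert composable(ia1, ia2), "not composable"
    I, O, trans = product(ia1, ia2)
    E = {(p1, p2) for p1 in states_of(ia1[2]) for p2 in states_of(ia2[2])
         if is_error(ia1, ia2, p1, p2)}
    changed = True
    while changed:
        changed = False
        for (s, a, t) in trans:
            if t in E and s not in E and (a in O or a == TAU):
                E.add(s)
                changed = True
    return I, O, {(s, a, t) for (s, a, t) in trans if s not in E and t not in E}, E

def client_tryonce():
    """Constructed automata with the Fig. 3 alphabets.  Client never accepts retry,
    so after nack TryOnce's reset!-retry! run leads into an error state."""
    tryonce = ({"send", "ack", "nack"}, {"trnsmt", "ok", "reset", "retry"},
               {("t0", "send", "t1"), ("t1", "trnsmt", "t2"), ("t2", "ack", "t3"),
                ("t3", "ok", "t0"), ("t2", "nack", "t4"), ("t4", "reset", "t5"),
                ("t5", "retry", "t0")})
    client = ({"ok", "retry"}, {"send"}, {("c0", "send", "c1"), ("c1", "ok", "c0")})
    return compose(client, tryonce)
```

In the result, the composite has inputs {ack, nack} and outputs {trnsmt, reset}; (c1, t5) is an error state, (c1, t4) joins $E$ because its only step is the output reset, but (c1, t2) does not, because nack is an input and hence not locally controlled. Pruning therefore removes the nack transition: this is precisely the requirement "the environment must not produce nack" that the optimistic view places on the environment of $\mathit{Client} \,|\, \mathit{TryOnce}$.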
We conclude by presenting a small example of IA-parallel composition in Fig. 3, which is adapted from [dH05]. Client does not accept its input retry. Thus, if the environment of Client $\otimes$ TryOnce would produce nack, the system would autonomously produce reset and run into a catastrophic error. To avoid this, the environment of Client $|$ TryOnce is required not to produce nack. This view is called optimistic: there exists an environment in which Client and TryOnce can cooperate without errors, and Client $|$ TryOnce describes the necessary requirements for such an environment. In the pessimistic view as advocated in [BHW11], Client and TryOnce are regarded as incompatible due to the potential error.

3. Conjunction and Disjunction for Modal Transition Systems
Modal Transition Systems (MTS) were investigated by Larsen [Lar90] as a specification framework based on labelled transition systems but with two kinds of transitions: must-transitions specify required behaviour, may-transitions specify allowed behaviour, and absent transitions specify forbidden behaviour. Any refinement of an MTS-specification must preserve required and forbidden behaviour and may turn allowed behaviour into required or forbidden behaviour. Technically, this is achieved via an alternating-style simulation relation, called modal refinement, where any must-transition of the specification must be simulated by an implementation, while any may-transition of the implementation must be simulated by the specification.

Our aim in this section is to extend MTS with conjunction and also disjunction. Larsen [Lar90] first defined conjunction and disjunction on MTS (without $\tau$), but the resulting systems often violate syntactic consistency (they are not really MTSs) and are hard to understand. This construction was subsequently generalized by Larsen and Xinxin to Disjunctive MTS (DMTS) [LX90], again ignoring syntactic consistency. This shortcoming was recently fixed by Beneš et al. [BCK11] by exploiting the fact that an $a$-must-transition in a DMTS may have several alternative target states. However, this work still does not consider a weak setting, i.e., systems with $\tau$. Below, we will define conjunction and disjunction on a syntactically consistent subclass of DMTS, called dMTS, but more generally in a weak setting as defined in [dH05, LNW07]; this subclass is sufficient for the purposes of the present article, and we leave the extension of our results to DMTS for future work. Since the treatment of $\tau$-transitions is non-trivial and non-standard, we will motivate and explain it in detail.

Note that this section will not consider parallel composition for (d)MTS. This is because we are working towards the MIA-setting that will be introduced in the next section, which like IA and unlike (d)MTS distinguishes between inputs and outputs. (d)MTS parallel composition can simply be defined in a style similar to Def. 2.9; in particular, it does not have error states and thus fundamentally differs from conjunction as defined below.

3.1. Disjunctive Modal Transition Systems.
We extend standard MTS only as far as needed for defining conjunction and disjunction, by introducing disjunctive must-transitions that are disjunctive wrt. exit states only (see Fig. 5). The following extension also has no $\tau$-must-transitions since these are not considered in the definition of the observational modal refinement of [LNW07].

Definition 3.1 (disjunctive Modal Transition System). A disjunctive Modal Transition System (dMTS) is a tuple $\mathcal{Q} = (Q, A, \longrightarrow, \dashrightarrow)$, where
(1) $Q$ is a set of states,
(2) $A$ is an alphabet not containing the special, silent action $\tau$,
(3) $\longrightarrow \subseteq Q \times A \times (\mathcal{P}(Q) \setminus \{\emptyset\})$ is the must-transition relation,
(4) $\dashrightarrow \subseteq Q \times (A \cup \{\tau\}) \times Q$ is the may-transition relation.
We require syntactic consistency, i.e., $q \xrightarrow{a} Q'$ implies $\forall q' \in Q'.\ q \stackrel{a}{\dashrightarrow} q'$.

More generally, the must-transition relation in a standard DMTS [LX90] may be a subset of $Q \times (\mathcal{P}(A \times Q) \setminus \{\emptyset\})$. For notational convenience, we write $q \xrightarrow{a} q'$ whenever $q \xrightarrow{a} \{q'\}$; all must-transitions in standard MTS have this form.

Our refinement relation on dMTS abstracts from internal computation steps in the same way as [LNW07], i.e., by considering the following weak may-transitions for $\alpha \in A \cup \{\tau\}$: $q \stackrel{\varepsilon}{\Dashrightarrow} q'$ if $q\,(\stackrel{\tau}{\dashrightarrow})^*\, q'$, and $q \stackrel{\alpha}{\Dashrightarrow} q'$ if $\exists q''.\ q \stackrel{\varepsilon}{\Dashrightarrow} q'' \stackrel{\alpha}{\dashrightarrow} q'$.

Definition 3.2 (Observational Modal Refinement, see [LNW07]). Let $\mathcal{P}, \mathcal{Q}$ be dMTSs. Relation $\mathcal{R} \subseteq P \times Q$ is an (observational) modal refinement relation if for all $(p, q) \in \mathcal{R}$:
(i) $q \xrightarrow{a} Q'$ implies $\exists P'.\ p \xrightarrow{a} P'$ and $\forall p' \in P'\ \exists q' \in Q'.\ (p', q') \in \mathcal{R}$,
(ii) $p \stackrel{\alpha}{\dashrightarrow} p'$ implies $\exists q'.\ q \stackrel{\hat{\alpha}}{\Dashrightarrow} q'$ and $(p', q') \in \mathcal{R}$.
We write $p \sqsubseteq_{dMTS} q$ and say that $p$ dMTS-refines $q$ if there exists an observational modal refinement relation $\mathcal{R}$ such that $(p, q) \in \mathcal{R}$.

Again, $\sqsubseteq_{dMTS}$ is a preorder and the largest observational modal refinement relation. Except for disjunctiveness, dMTS-refinement is exactly defined as for MTS in [LNW07]. In the following figures, any (disjunctive) must-transition drawn also represents implicitly the respective may-transition(s), unless explicitly stated otherwise.

3.2. Conjunction on dMTS.
Technically similar to parallel composition for IA, con-junction will be defined in two stages. State pairs can be logically inconsistent due tounsatisfiable must-transitions; in the second stage, we remove such pairs incrementally.
Definition 3.3 (Conjunctive Product on dMTS). Let $P = (P, A, \rightarrow_P, \dashrightarrow_P)$ and $Q = (Q, A, \rightarrow_Q, \dashrightarrow_Q)$ be dMTSs with common alphabet. The conjunctive product $P \mathbin{\&} Q =_{\mathrm{df}} (P \times Q, A, \rightarrow, \dashrightarrow)$ is defined by its operational transition rules as follows:

(Must1) $(p,q) \xrightarrow{a} \{(p',q') \mid p' \in P',\ q \xRightarrow{a}_Q q'\}$ if $p \xrightarrow{a}_P P'$ and $q \xRightarrow{a}_Q$
(Must2) $(p,q) \xrightarrow{a} \{(p',q') \mid p \xRightarrow{a}_P p',\ q' \in Q'\}$ if $p \xRightarrow{a}_P$ and $q \xrightarrow{a}_Q Q'$
(May1) $(p,q) \overset{\tau}{\dashrightarrow} (p',q)$ if $p \xRightarrow{\tau}_P p'$
(May2) $(p,q) \overset{\tau}{\dashrightarrow} (p,q')$ if $q \xRightarrow{\tau}_Q q'$
(May3) $(p,q) \overset{\alpha}{\dashrightarrow} (p',q')$ if $p \xRightarrow{\alpha}_P p'$ and $q \xRightarrow{\alpha}_Q q'$

It might be surprising that a single transition in the product might stem from a transition sequence in one of the components (cf. the first four rules above) and that the components can also synchronize on $\tau$ (cf. Rule (May3)). The necessity of this is discussed below; we only repeat here that conjunction is inherently different from parallel composition where, for instance, there is no synchronization on $\tau$.

Definition 3.4 (Conjunction on dMTS). Given a conjunctive product $P \mathbin{\&} Q$, the set $F \subseteq P \times Q$ of (logically) inconsistent states is defined as the least set satisfying the following rules:

(F1) $p \xrightarrow{a}_P$ and $q \not\xRightarrow{a}_Q$ implies $(p,q) \in F$
(F2) $p \not\xRightarrow{a}_P$ and $q \xrightarrow{a}_Q$ implies $(p,q) \in F$
(F3) $(p,q) \xrightarrow{a} R'$ and $R' \subseteq F$ implies $(p,q) \in F$

The conjunction $P \wedge Q$ of dMTSs $P, Q$ is obtained by deleting all states $(p,q) \in F$ from $P \mathbin{\&} Q$. This also removes any may- or must-transition exiting a deleted state and any may-transition entering a deleted state; in addition, deleted states are removed from the targets of disjunctive must-transitions. We write $p \wedge q$ for the state $(p,q)$ of $P \wedge Q$; these are the consistent states by construction, and $p \wedge q$ is only defined for such a state.

Regarding well-definedness, first observe that $P \mathbin{\&} Q$ is a dMTS, where syntactic consistency follows from Rule (May3). Now, $P \wedge Q$ is a dMTS, too: if $R'$ became empty for some $(p,q) \xrightarrow{a} R'$, then $(p,q)$ itself is deleted when constructing $P \wedge Q$ from $P \mathbin{\&} Q$, according to (F3). Finally, our conjunction operator is also commutative and associative.

Figure 4: Examples motivating the rules of Def. 3.3.

Before we formally state that operator $\wedge$ is indeed conjunction on dMTS, we present several examples depicted in Fig. 4, which motivate the rules of Def. 3.3. In each case, $r$ is a common implementation of $p$ and $q$ (but $r'$ is not in Ex. I), whence these must be logically consistent. Thus, Ex. I explains Rule (Must1). If we only had $\overset{\tau}{\dashrightarrow}$ in the precondition of Rule (May1), $p \wedge q$ of Ex. II would just consist of a $c$-must- and an $a$-may-transition; the only $\tau$-transition would lead to a state in $F$ due to $b$. This would not allow the $\tau$-transition of $r$, explaining Rule (May1). In Ex. III, with only $\overset{\alpha}{\dashrightarrow}$ in the preconditions of Rule (May3), $p \wedge q$ would just have three $\tau$-transitions to inconsistent states (due to $b$, $c$, resp.). This explains the weak transitions for $\alpha \neq \tau$ in Rule (May3).
According to Rules (May1) and (May2), $p \wedge q$ in Ex. IV has four $\tau$-transitions to states in $F$ (due to $d$). With preconditions based on at least one $\overset{\tau}{\dashrightarrow}$ instead of $\xRightarrow{\tau}$ in the $\tau$-case of Rule (May3), there would be three more $\tau$-transitions to states in $F$ (due to $b$ or $c$). Thus, it is essential that Rule (May3) also allows the synchronization of two weak $\tau$-transitions, which in this case gives $p \wedge q \overset{\tau}{\dashrightarrow} p' \wedge q'$.

Fig. 5 shows a small example illustrating the treatment of disjunctive must-transitions in the presence of inconsistency. In $P \mathbin{\&} Q$, the $a$-must-transition of $Q$ combines with the three $a$-transitions of $P$ to a truly disjunctive must-transition with a three-element target set. The inconsistency of state $(4,6)$ due to $b$ propagates back to state $(3, \ldots)$ … $P \wedge Q$.

Figure 5: Example illustrating dMTS-conjunction.

Theorem 3.5 ($\wedge$ is And). Let $P, Q, R$ be dMTSs. Then,
(i) $(\exists r \in R.\ r \sqsubseteq_{\mathrm{dMTS}} p \text{ and } r \sqsubseteq_{\mathrm{dMTS}} q)$ if and only if $p \wedge q$ is defined.
In addition, in case $p \wedge q$ is defined:
(ii) $r \sqsubseteq_{\mathrm{dMTS}} p$ and $r \sqsubseteq_{\mathrm{dMTS}} q$ if and only if $r \sqsubseteq_{\mathrm{dMTS}} p \wedge q$.

This key theorem states in Item (ii) that conjunction behaves as it should, i.e., $\wedge$ on dMTSs is the greatest lower bound wrt. $\sqsubseteq_{\mathrm{dMTS}}$. Item (i) concerns the intuition that two specifications $p$ and $q$ are logically inconsistent if they do not have a common implementation; formally, $p \wedge q$ is undefined in this case. Alternatively, we could have added an explicit inconsistent element $\mathit{ff}$ to our setting, so that $p \wedge q = \mathit{ff}$. This element $\mathit{ff}$ would be defined to be a refinement of every $p'$ and equivalent to any $(p',q') \in F$ of some $P \mathbin{\&} Q$. Additionally, $\mathit{ff} \wedge p'$ and $p' \wedge \mathit{ff}$ would be defined as $\mathit{ff}$, for any $p'$.

The proof of the above theorem requires us to first introduce the following concept for formally reasoning about inconsistent states:

Definition 3.6 (dMTS-Witness). A dMTS-witness $W$ of $P \mathbin{\&} Q$ is a subset of $P \times Q$ such that the following conditions hold for all $(p,q) \in W$:

(W1) $p \xrightarrow{a}_P$ implies $q \xRightarrow{a}_Q$
(W2) $q \xrightarrow{a}_Q$ implies $p \xRightarrow{a}_P$
(W3) $(p,q) \xrightarrow{a} R'$ implies $R' \cap W \neq \emptyset$

Conditions (W1)–(W3) correspond to the negations of the premises of Conditions (F1)–(F3) in Def. 3.4. This implies Part (i) of the following lemma, while Part (ii) is essential for proving Thm. 3.5(i):
Lemma 3.7 (Concrete dMTS-Witness). Let $P \mathbin{\&} Q$ be a conjunctive product of dMTSs and $R$ be a dMTS.
(i) For any dMTS-witness $W$ of $P \mathbin{\&} Q$, we have $F \cap W = \emptyset$.
(ii) The set $\{(p,q) \in P \times Q \mid \exists r \in R.\ r \sqsubseteq_{\mathrm{dMTS}} p \text{ and } r \sqsubseteq_{\mathrm{dMTS}} q\}$ is a dMTS-witness of $P \mathbin{\&} Q$.

Proof. While the first statement of the lemma is quite obvious, we prove here that $W =_{\mathrm{df}} \{(p,q) \in P \times Q \mid \exists r \in R.\ r \sqsubseteq_{\mathrm{dMTS}} p \text{ and } r \sqsubseteq_{\mathrm{dMTS}} q\}$ is a dMTS-witness of $P \mathbin{\&} Q$ according to Def. 3.6:

(W1): $p \xrightarrow{a}_P P'$ implies $r \xrightarrow{a}_R R'$ by $r \sqsubseteq_{\mathrm{dMTS}} p$. Choose some $r' \in R'$. Then, $r \overset{a}{\dashrightarrow}_R r'$ by syntactic consistency and $q \xRightarrow{a}_Q$ by $r \sqsubseteq_{\mathrm{dMTS}} q$.

(W2): Analogous to (W1).

(W3): Consider $(p,q) \in W$ due to $r$, with $(p,q) \xrightarrow{a} S'$ due to $p \xrightarrow{a}_P P'$ and $S' = \{(p',q') \mid p' \in P',\ q \xRightarrow{a}_Q q'\}$ according to Rule (Must1); the case of Rule (Must2) is symmetric. By $r \sqsubseteq_{\mathrm{dMTS}} p$ we get some $R' \subseteq R$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{dMTS}} p'$. Choose $r' \in R'$ and the respective $p' \in P'$; now, $r \overset{a}{\dashrightarrow}_R r'$ due to syntactic consistency, and $q \xRightarrow{a}_Q q'$ with $r' \sqsubseteq_{\mathrm{dMTS}} q'$ for some $q'$ by $r \sqsubseteq_{\mathrm{dMTS}} q$. Thus, we have $p' \in P'$ and $q'$ such that $(p',q') \in W \cap S'$ due to $r'$.

We are now able to prove Thm. 3.5:

Proof. (i) "$\Longrightarrow$": This follows from Lemma 3.7(i) and (ii).

(ii) "$\Longleftarrow$": It suffices to show that $\mathcal{R} =_{\mathrm{df}} \{(r,p) \mid \exists q.\ r \sqsubseteq_{\mathrm{dMTS}} p \wedge q\}$ is an observational modal refinement relation. Then, in particular, (i) "$\Longleftarrow$" follows by choosing $r = p \wedge q$. We check the two conditions of Def. 3.2:

• Let $p \xrightarrow{a}_P P'$; then, $q \xRightarrow{a}_Q$ since, otherwise, $p \wedge q$ would not be defined due to (F1). Hence, by Rule (Must1), $p \wedge q \xrightarrow{a} \{p' \wedge q' \mid p' \in P',\ q \xRightarrow{a}_Q q',\ p' \wedge q' \text{ defined}\}$. By $r \sqsubseteq_{\mathrm{dMTS}} p \wedge q$, we get $r \xrightarrow{a}_R R'$ such that $\forall r' \in R'\ \exists p' \wedge q'.\ p' \in P'$, $q \xRightarrow{a}_Q q'$ and $r' \sqsubseteq_{\mathrm{dMTS}} p' \wedge q'$. Hence, $\forall r' \in R'\ \exists p' \in P'.\ (r',p') \in \mathcal{R}$.

• $r \overset{\alpha}{\dashrightarrow}_R r'$ implies $\exists p' \wedge q'.\ p \wedge q \xRightarrow{\hat\alpha} p' \wedge q'$ and $r' \sqsubseteq_{\mathrm{dMTS}} p' \wedge q'$. The contribution of $p$ to this weak transition sequence gives $p \xRightarrow{\hat\alpha}_P p'$, and we have $(r',p') \in \mathcal{R}$ due to $q'$.

(ii) "$\Longrightarrow$": Here, we show that $\mathcal{R} =_{\mathrm{df}} \{(r, p \wedge q) \mid r \sqsubseteq_{\mathrm{dMTS}} p \text{ and } r \sqsubseteq_{\mathrm{dMTS}} q\}$ is an observational modal refinement relation. By Part (i), $p \wedge q$ is defined and $(r, p \wedge q) \in \mathcal{R}$ whenever $r \sqsubseteq_{\mathrm{dMTS}} p$ and $r \sqsubseteq_{\mathrm{dMTS}} q$. We now verify the conditions of Def. 3.2:

• Let $p \wedge q \xrightarrow{a} S'$, w.l.o.g. due to $p \xrightarrow{a}_P P'$ and $S' = \{p' \wedge q' \mid p' \in P',\ q \xRightarrow{a}_Q q',\ p' \wedge q' \text{ defined}\}$. Because of $r \sqsubseteq_{\mathrm{dMTS}} p$, we have $r \xrightarrow{a}_R R'$ so that $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{dMTS}} p'$. Consider some arbitrary $r' \in R'$ and the respective $p' \in P'$. Then, $r \overset{a}{\dashrightarrow}_R r'$ by syntactic consistency and, due to $r \sqsubseteq_{\mathrm{dMTS}} q$, there exists some $q'$ with $q \xRightarrow{a}_Q q'$ and $r' \sqsubseteq_{\mathrm{dMTS}} q'$. Thus, $p' \wedge q' \in S'$ and $(r', p' \wedge q') \in \mathcal{R}$.

• Let $r \overset{\alpha}{\dashrightarrow}_R r'$ and consider $p \xRightarrow{\hat\alpha}_P p'$ and $q \xRightarrow{\hat\alpha}_Q q'$ satisfying $r' \sqsubseteq_{\mathrm{dMTS}} p'$ and $r' \sqsubseteq_{\mathrm{dMTS}} q'$. Thus, $(r', p' \wedge q') \in \mathcal{R}$. Further, if $\alpha \neq \tau$, we have $p \wedge q \overset{\alpha}{\dashrightarrow} p' \wedge q'$ by Rule (May3). Otherwise, either $p \xRightarrow{\tau}_P p'$ and $q \xRightarrow{\tau}_Q q'$ and we are done by Rule (May3) again, or w.l.o.g. $p \xRightarrow{\tau}_P p'$ and $q = q'$ and we are done by Rule (May1), or $p = p'$ and $q = q'$.

The following corollary of Thm. 3.5 now easily follows:

Corollary 3.8. dMTS-refinement is compositional wrt. conjunction, i.e., if $p \sqsubseteq_{\mathrm{dMTS}} q$ and $p \wedge r$ is defined, then $q \wedge r$ is defined and $p \wedge r \sqsubseteq_{\mathrm{dMTS}} q \wedge r$.

Proof. Assume $p \sqsubseteq_{\mathrm{dMTS}} q$ and that $p \wedge r$ is defined. Then, (always) $p \wedge r \sqsubseteq_{\mathrm{dMTS}} p \wedge r$ $\iff$ (by Thm. 3.5) $p \wedge r \sqsubseteq_{\mathrm{dMTS}} p$ and $p \wedge r \sqsubseteq_{\mathrm{dMTS}} r$ $\Longrightarrow$ (by assumption and transitivity) $p \wedge r \sqsubseteq_{\mathrm{dMTS}} q$ and $p \wedge r \sqsubseteq_{\mathrm{dMTS}} r$ $\Longrightarrow$ (by Thm. 3.5(i)) $q \wedge r$ is defined and (by Thm. 3.5(ii)) $p \wedge r \sqsubseteq_{\mathrm{dMTS}} q \wedge r$.

Figure 6: Example illustrating Larsen's MTS-conjunction; $\overset{a}{\dashrightarrow}$ drawn separately.

Figure 7: Example showing that conjunction cannot be defined on MTS. (A similar example is given in [BCK11] without proof.)

Thus, we have succeeded in our ambition to define a syntactically consistent conjunction for MTS, for a weak MTS-variant with disjunctive must-transitions.

Larsen [Lar90] also defines a conjunction operator on MTS, but almost always the result violates syntactic consistency. A simple example is shown in Fig. 6, where $q$ refines $p$ in Larsen's setting as well as in our dMTS-setting; in this figure, may-transitions are drawn explicitly, i.e., a must-transition is not necessarily also a may-transition. Since Larsen's $p \wedge q$ is not syntactically consistent, this $p \wedge q$ and $q$ are, contrary to the first impression, equivalent.
In our dMTS-setting, $P \wedge Q$ is isomorphic to $Q$, which will also hold in our MIA-setting below (with action $b$ read as output, while $a$ could be either an input or an output).

Indeed, conjunction cannot be defined on MTS in general, e.g., for the $P$ and $Q$ in Fig. 7(a). The states $p$ and $q$ have $r$ as well as $s$ as common implementations; thus, $r$ and $s$ must be implementations of $p \wedge q$. An MTS $P \wedge Q$ would need in state $p \wedge q$ (i) an immediate $a$-must-transition (due to $q$) followed by (ii) a must-$b$ and no $c$, or a must-$c$ and no $b$ (due to $p$). In the first (second) case, $s$ ($r$) is not an implementation of $p \wedge q$, which is a contradiction. Using dMTS, the conjunction $P \wedge Q$ is as shown in Fig. 7(b).

The above shortcoming of MTS has been avoided by Larsen et al. in [LSW95] by limiting conjunction to so-called independent specifications that make inconsistencies obsolete; this restriction also excludes the above example. Recently, Bauer et al. [BJL+12] have defined conjunction for a version of MTS extended by partially ordered labels; when refining an MTS, also the labels can be refined, and this has various applications. However, the conjunction operator is only defined under some restriction, which corresponds to requiring determinism in the standard MTS-setting. Another MTS-inspired theory including a conjunction operator has been introduced by Raclet et al. [RBB+11]; … $p \wedge q$ as in our dMTS-setting, it is language-based and thus deals with deterministic systems only.

3.3. Disjunction on dMTS.
We will see in Sec. 3.4 that input-transitions (output-transitions) in IA correspond to must-transitions (may-transitions) in dMTS. In this light, the following definition of disjunction corresponds closely to the one for IA. In particular, initial must-transitions are also combined, but this time the choice between disjuncts is not delayed.

Definition 3.9 (Disjunction on dMTS). Let $P = (P, A, \rightarrow_P, \dashrightarrow_P)$ and $Q = (Q, A, \rightarrow_Q, \dashrightarrow_Q)$ be dMTSs with common alphabet. The disjunction $P \vee Q$ is defined as the tuple $(\{p \vee q \mid p \in P, q \in Q\} \cup P \cup Q, A, \rightarrow, \dashrightarrow)$, where $\rightarrow$ and $\dashrightarrow$ are the least sets satisfying $\rightarrow_P \subseteq \rightarrow$, $\dashrightarrow_P \subseteq \dashrightarrow$, $\rightarrow_Q \subseteq \rightarrow$, $\dashrightarrow_Q \subseteq \dashrightarrow$ and the following operational rules:

(Must) $p \vee q \xrightarrow{a} P' \cup Q'$ if $p \xrightarrow{a}_P P'$ and $q \xrightarrow{a}_Q Q'$
(May1) $p \vee q \overset{\alpha}{\dashrightarrow} p'$ if $p \overset{\alpha}{\dashrightarrow}_P p'$
(May2) $p \vee q \overset{\alpha}{\dashrightarrow} q'$ if $q \overset{\alpha}{\dashrightarrow}_Q q'$

This definition clearly yields well-defined dMTSs respecting syntactic consistency. It also gives us the desired least-upper-bound property:

Theorem 3.10 ($\vee$ is Or). Let $P$, $Q$ and $R$ be dMTSs with states $p$, $q$ and $r$, resp. Then, $p \vee q \sqsubseteq_{\mathrm{dMTS}} r$ if and only if $p \sqsubseteq_{\mathrm{dMTS}} r$ and $q \sqsubseteq_{\mathrm{dMTS}} r$.

Proof. "$\Longrightarrow$": We establish that $\mathcal{R} =_{\mathrm{df}} \{(p,r) \mid \exists q.\ p \vee q \sqsubseteq_{\mathrm{dMTS}} r\} \cup \sqsubseteq_{\mathrm{dMTS}}$ is a modal refinement relation. To do so, we let $(p,r) \in \mathcal{R}$ due to $q$ and check the conditions of Def. 3.2:

(i): Let $r \xrightarrow{a}_R R'$. By $p \vee q \sqsubseteq_{\mathrm{dMTS}} r$ and the only applicable Rule (Must), $p \vee q \xrightarrow{a} P' \cup Q'$ due to $p \xrightarrow{a}_P P'$ and $q \xrightarrow{a}_Q Q'$ such that $\forall p' \in P' \cup Q'\ \exists r' \in R'.\ p' \sqsubseteq_{\mathrm{dMTS}} r'$. Hence, $\forall p' \in P'\ \exists r' \in R'.\ p' \sqsubseteq_{\mathrm{dMTS}} r'$ and, thus, $(p',r') \in \mathcal{R}$.

(ii): Let $p \overset{\alpha}{\dashrightarrow}_P p'$. Hence, $p \vee q \overset{\alpha}{\dashrightarrow} p'$ by Rule (May1) and, due to $p \vee q \sqsubseteq_{\mathrm{dMTS}} r$, there exists some $r'$ such that $r \xRightarrow{\hat\alpha} r'$ and $p' \sqsubseteq_{\mathrm{dMTS}} r'$.

"$\Longleftarrow$": We prove that $\mathcal{R} =_{\mathrm{df}} \{(p \vee q, r) \mid p \sqsubseteq_{\mathrm{dMTS}} r \text{ and } q \sqsubseteq_{\mathrm{dMTS}} r\} \cup \sqsubseteq_{\mathrm{dMTS}}$ is a modal refinement relation. Let $(p \vee q, r) \in \mathcal{R}$ and consider the following cases:

(i): Let $r \xrightarrow{a}_R R'$. By $p \sqsubseteq_{\mathrm{dMTS}} r$ and $q \sqsubseteq_{\mathrm{dMTS}} r$ we have $P'$, $Q'$ satisfying $p \xrightarrow{a}_P P'$, $q \xrightarrow{a}_Q Q'$ such that $\forall p' \in P'\ \exists r' \in R'.\ p' \sqsubseteq_{\mathrm{dMTS}} r'$ and $\forall q' \in Q'\ \exists r' \in R'.\ q' \sqsubseteq_{\mathrm{dMTS}} r'$. Thus, $p \vee q \xrightarrow{a} P' \cup Q'$ using Rule (Must) and we are done.

(ii): Let $p \vee q \overset{\alpha}{\dashrightarrow} p'$. W.l.o.g., this is due to Rule (May1) and $p \overset{\alpha}{\dashrightarrow}_P p'$. Then, $r \xRightarrow{\hat\alpha}_R r'$ for some $r'$ satisfying $p' \sqsubseteq_{\mathrm{dMTS}} r'$, by $p \sqsubseteq_{\mathrm{dMTS}} r$.

Analogously to the IA-setting we obtain the following corollary to the above theorem:

Corollary 3.11. dMTS-refinement is compositional wrt. disjunction.
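The two-stage construction of Defs. 3.3 and 3.4 (product, then removal of the least inconsistent set $F$), the disjunction of Def. 3.9 and dMTS-refinement itself are all finite fixed-point computations, so they can be checked mechanically on small specifications. The following Python is an added example and not code from the paper: it models finite dMTSs with explicit weak may-transitions, builds $P \mathbin{\&} Q$ rule by rule, computes $F$ as the least set closed under (F1)–(F3), prunes it to obtain $P \wedge Q$, builds a state $p \vee q$, and decides $r \sqsubseteq_{\mathrm{dMTS}} p$ as the largest relation closed under the two conditions of Def. 3.2. The string names of states and actions, the use of `"tau"` for the silent action, and the three specifications `P`, `Q` and `Q_NO_B` are constructed for this example; `Q_NO_B` is chosen so that it has no common implementation with `P`, which makes `p0 ∧ q0` undefined exactly as Thm. 3.5(i) predicts, while with `Q` the $a$-must-transition of `p0 ∧ q0` keeps only the consistent target, as Def. 3.4 requires.

```python
"""Conjunction (Defs. 3.3/3.4), disjunction (Def. 3.9) and refinement (Def. 3.2) on finite dMTSs."""
from itertools import product

TAU = "tau"  # silent action; string-named states/actions are an assumption of this added example

class DMTS:
    def __init__(self, states, must, may):  # must: {state: {(action, frozenset of targets)}}; may: {(s, a, s')}
        self.states, self.may = set(states), set(may)
        self.must = {s: set(must.get(s, ())) for s in self.states}
        for s, ts in self.must.items():  # syntactic consistency: every must-target is also a may-target
            for a, tgt in ts:
                assert tgt and all((s, a, t) in self.may for t in tgt), (s, a, tgt)

    def tau_closure(self, s):
        seen = {s}
        while True:
            new = {z for (y, a, z) in self.may if y in seen and a == TAU} - seen
            if not new:
                return seen
            seen |= new

    def weak(self, s, a):
        """Targets of the weak may-transition s =a=> s' (tau* a tau*; only tau* when a is tau)."""
        pre = self.tau_closure(s)
        after = [z for (y, b, z) in self.may if y in pre and b == a]
        return pre if a == TAU else set().union(*map(self.tau_closure, after))

def conj_product(P, Q):
    """P & Q of Def. 3.3, before inconsistent pairs are removed."""
    states = set(product(P.states, Q.states))
    must, may = {s: set() for s in states}, set()
    for (p, q) in states:
        for (a, P1) in P.must[p]:  # (Must1): q follows weakly; all its weak a-targets are paired up
            if Q.weak(q, a):
                must[(p, q)].add((a, frozenset(product(P1, Q.weak(q, a)))))
        for (a, Q1) in Q.must[q]:  # (Must2)
            if P.weak(p, a):
                must[(p, q)].add((a, frozenset(product(P.weak(p, a), Q1))))
        may |= {((p, q), TAU, (p1, q)) for p1 in P.weak(p, TAU)}  # (May1)
        may |= {((p, q), TAU, (p, q1)) for q1 in Q.weak(q, TAU)}  # (May2)
        for a in {b for (_, b, _) in P.may | Q.may} | {TAU}:  # (May3): both move weakly, also on tau
            may |= {((p, q), a, (p1, q1)) for p1 in P.weak(p, a) for q1 in Q.weak(q, a)}
    return DMTS(states, must, may)

def inconsistent(P, Q, PQ):
    """Least set F of Def. 3.4: (F1)/(F2) seed it, (F3) is iterated to a fixed point."""
    F = {(p, q) for (p, q) in PQ.states if any(not Q.weak(q, a) for (a, _) in P.must[p])  # (F1)
         or any(not P.weak(p, a) for (a, _) in Q.must[q])}  # (F2)
    while True:
        new = {s for s in PQ.states - F if any(tgt <= F for (_, tgt) in PQ.must[s])}  # (F3)
        if not new:
            return F
        F |= new

def conjunction(P, Q):
    """P ∧ Q: delete F from P & Q, the transitions touching F, and F-members of must-target sets."""
    PQ = conj_product(P, Q)
    keep = PQ.states - inconsistent(P, Q, PQ)
    must = {s: {(a, tgt & keep) for (a, tgt) in PQ.must[s]} for s in keep}
    may = {(s, a, t) for (s, a, t) in PQ.may if s in keep and t in keep}
    return DMTS(keep, must, may)

def disjunction(P, Q, p, q):
    """State p ∨ q of Def. 3.9 on top of the union of P and Q (disjoint state names assumed)."""
    s = ("or", p, q)
    must = {**P.must, **Q.must, s: set()}
    for (a, P1) in P.must[p]:  # (Must): an initial a-must survives only if both disjuncts have one
        for (b, Q1) in Q.must[q]:
            if a == b:
                must[s].add((a, P1 | Q1))
    may = P.may | Q.may | {(s, a, x) for (y, a, x) in P.may if y == p}  # (May1)
    may |= {(s, a, x) for (y, a, x) in Q.may if y == q}  # (May2)
    return DMTS(P.states | Q.states | {s}, must, may), s

def refines(R, r, P, p):
    """r ⊑_dMTS p (Def. 3.2): the largest relation closed under (i)/(ii), found by pruning pairs."""
    rel = set(product(R.states, P.states))
    def ok(x, y):
        for (a, Y1) in P.must[y]:  # (i): a must of y needs a must of x all of whose targets are matched
            if not any(all(any((x1, y1) in rel for y1 in Y1) for x1 in X1)
                       for (b, X1) in R.must[x] if b == a):
                return False
        for (x0, a, x1) in R.may:  # (ii): a may of x needs a matching weak may of y (tau* if a is tau)
            if x0 == x and not any((x1, y1) in rel for y1 in P.weak(y, a)):
                return False
        return True
    while True:
        bad = {xy for xy in rel if not ok(*xy)}
        if not bad:
            return (r, p) in rel
        rel -= bad

# Constructed specifications: P prescribes a then b; Q allows a to two states, only one of which allows b.
P = DMTS({"p0", "p1", "p2"}, {"p0": {("a", frozenset({"p1"}))}, "p1": {("b", frozenset({"p2"}))}},
         {("p0", "a", "p1"), ("p1", "b", "p2")})
Q = DMTS({"q0", "q1", "q2", "q3"}, {}, {("q0", "a", "q1"), ("q0", "a", "q2"), ("q2", "b", "q3")})
Q_NO_B = DMTS({"q0", "q1"}, {}, {("q0", "a", "q1")})  # nothing after a: no common implementation with P
if __name__ == "__main__":
    C = conjunction(P, Q)  # p0 ∧ q0 keeps only (p1, q2) in its a-must target; (p1, q1) is in F
    print(C.must[("p0", "q0")], ("p0", "q0") in conjunction(P, Q_NO_B).states, refines(P, "p0", C, ("p0", "q0")))
```

Running the module prints the pruned $a$-must-transition of `p0 ∧ q0`, `False` for the conjunction with `Q_NO_B`, and `True` for `p0 ⊑ p0 ∧ q0`; since `P` refines both `P` and `Q`, the last value is what Thm. 3.5(ii) demands, and `refines(P, "p0", Q_NO_B, "q0")` is `False` for the same reason that the conjunction is undefined. Weak transitions are computed per query rather than precomputed, which is the right trade-off for specifications of this size but not for large ones; the fixed-point loops in `inconsistent` and `refines` are the direct counterparts of "least set satisfying (F1)–(F3)" and "largest refinement relation".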
3.4. Embedding of IA into dMTS.

We can now adopt the embedding of IA into MTS from [LNW07] to our setting:

Definition 3.12 (IA-Embedding). Let $P$ be an IA with $A = I \cup O$. Then, the embedding $[P]_{\mathrm{dMTS}}$ of $P$ into (d)MTS is defined as the (d)MTS $(P \cup \{u_P\}, A, \rightarrow, \dashrightarrow)$, where $u_P \notin P$ and:
$p \overset{\alpha}{\dashrightarrow} p'$ if $p \xrightarrow{\alpha}_P p'$ and $\alpha \in A \cup \{\tau\}$;
$p \xrightarrow{a} p'$ if $p \xrightarrow{a}_P p'$ and $a \in I$;
$p \overset{a}{\dashrightarrow} u_P$ if $p \not\xrightarrow{a}_P$ and $a \in I$;
$u_P \overset{a}{\dashrightarrow} u_P$ if $a \in A$.

For the remainder of this section we simply write $[p]$ for $p \in [P]_{\mathrm{dMTS}}$. Observe that $[P]_{\mathrm{dMTS}}$ does not have truly disjunctive transitions; hence, it is an MTS. In [LNW07], it is shown that this embedding respects refinement, i.e., $p \sqsubseteq_{\mathrm{IA}} q$ if and only if $[p] \sqsubseteq_{\mathrm{dMTS}} [q]$. Since conjunction (disjunction) on IA and dMTS is the greatest lower bound (least upper bound) wrt. $\sqsubseteq_{\mathrm{IA}}$ and $\sqsubseteq_{\mathrm{dMTS}}$ (up to equivalence), resp., we have by general order theory:

Proposition 3.13 (Conjunction/Disjunction and IA-Embedding). For all IAs $P$ and $Q$ with $p \in P$ and $q \in Q$:
(a) $[p \wedge q] \sqsubseteq_{\mathrm{dMTS}} [p] \wedge [q]$;
(b) $[p \vee q] \sqsupseteq_{\mathrm{dMTS}} [p] \vee [q]$.

Figure 8: Example refuting the reverse refinement in Prop. 3.13(a). All non-labelled transitions depict $i$-may-transitions.

Figure 9: Example refuting the reverse refinement in Prop. 3.13(b) ($a \in A = \{i, j, k\}$).

The reverse refinements do not hold due to the additional dMTSs that are not embeddings of IA. To see this for conjunction, consider the example in Fig. 8, where $P$ and $Q$ are IAs. State $r$ in dMTS $R$ is a common implementation of state $[p]$ and state $[q]$, i.e., their conjunction is sufficiently large to cover $r$. However, $r$ does not refine $[p \wedge q]$ since the initial $i$-must-transition of the latter cannot be matched by the former. Hence, $[p \wedge q]$ and $[p] \wedge [q]$ cannot be equivalent. To see this for disjunction, consider $r$ and $s$ in Fig. 2 on the right. Fig. 9 shows all relevant dMTSs, and $[r \vee s]$ does not refine $[r] \vee [s]$ since it does not have a must-transition after $i$.

4. Modal Interface Automata

Figure 10: Example demonstrating the compositionality flaw of IOMTS.
An essential point of Larsen, Nyman and Wasowski's paper [LNW07] is to enrich IA with modalities to get a flexible specification framework where inputs and outputs can be prescribed, allowed or prohibited. To do so, they consider IOMTS, i.e., MTS where visible actions are partitioned into inputs and outputs, and define parallel composition in IA-style.

Our example of Fig. 10 shows that their approach has a serious flaw, namely observational modal refinement is not a precongruence for the parallel composition of [LNW07]. In this example, the IOMTS $P$ has input alphabet $\{a\}$ and empty output alphabet, while $Q$ and $Q'$ have input alphabet $\{i\}$ and output alphabet $\{a\}$. Obviously, $q' \sqsubseteq_{\mathrm{dMTS}} q$. When composing $P$ and $Q$ in parallel, $p \,|\, q$ would reach an error state after an $i$-must-transition in [LNW07], since the potential output $a$ of $Q$ is not expected by $P$. In contrast, $p \,|\, q'$ has an $i$-must- and $i$-may-transition not allowed by $P \,|\, Q$, so that $p \,|\, q' \not\sqsubseteq_{\mathrm{dMTS}} p \,|\, q$. This counterexample also holds for (strong) modal refinement as defined in [LNW07] and is particularly severe since all systems are deterministic and all must-transitions concern inputs only. The problem is that $p \,|\, q$ forbids input $i$.

In [LNW07], precongruence of parallel composition is not mentioned. Instead, a theorem relates the parallel composition of two IOMTSs to a different composition on two refining implementations, where an implementation in [LNW07] is an IOMTS in which may- and must-transitions coincide. This theorem is incorrect, as is pointed out in [RBB+11] and repaired in the deterministic setting of that paper; the repair is again not a precongruence result, but still compares the results of two different composition operators. However, a natural solution to the precongruence problem can be adopted from the IA-framework [dH05], where inputs are always allowed implicitly. Consequently, if an input transition is specified, it will always be a must.

In the remainder, we thus define and study a new specification framework, called Modal Interface Automata (MIA), that takes the dMTS-setting for an alphabet consisting of input and output actions, requires input-determinism, and demands that every input-may-transition is also an input-must-transition. The advantage over IA is that outputs can be prescribed via output-must-transitions, which precludes trivial implementations like BlackHole discussed in Sec. 2.
Definition 4.1 (Modal Interface Automaton). A Modal Interface Automaton (MIA) is a tuple $Q = (Q, I, O, \rightarrow, \dashrightarrow)$, where $(Q, I \cup O, \rightarrow, \dashrightarrow)$ is a dMTS with disjoint alphabets $I$ for inputs and $O$ for outputs and where for all $i \in I$:
(a) $q \xrightarrow{i} Q'$ and $q \xrightarrow{i} Q''$ implies $Q' = Q''$;
(b) $q \overset{i}{\dashrightarrow} q'$ implies $\exists Q'.\ q \xrightarrow{i} Q'$ and $q' \in Q'$.

In the conference version of this article, we have considered truly disjunctive must-transitions only for outputs, so as to satisfy input-determinism; this suffices for developing MIA-conjunction. However, for disjunction we have seen that such transitions are also needed for inputs. The above definition of MIA therefore permits one disjunctive must-transition for each input. This allows some choice on performing an input but, surprisingly, it is input-deterministic enough to support compositionality for parallel composition (cf. Thm. 4.14).
Definition 4.2 (MIA-Refinement). Let $P, Q$ be MIAs with common input and output alphabets. Relation $\mathcal{R} \subseteq P \times Q$ is an (observational) MIA-refinement relation if for all $(p,q) \in \mathcal{R}$:
(i) $q \xrightarrow{a} Q'$ implies $\exists P'.\ p \xrightarrow{a} P'$ and $\forall p' \in P'\ \exists q' \in Q'.\ (p',q') \in \mathcal{R}$;
(ii) $p \overset{\alpha}{\dashrightarrow} p'$ with $\alpha \in O \cup \{\tau\}$ implies $\exists q'.\ q \xRightarrow{\hat\alpha} q'$ and $(p',q') \in \mathcal{R}$.

We write $p \sqsubseteq_{\mathrm{MIA}} q$ and say that $p$ MIA-refines $q$ if there exists an observational MIA-refinement relation $\mathcal{R}$ such that $(p,q) \in \mathcal{R}$. Moreover, we also write $p =_{\mathrm{MIA}} q$ in case $p \sqsubseteq_{\mathrm{MIA}} q$ and $q \sqsubseteq_{\mathrm{MIA}} p$ (which is an equivalence weaker than 'bisimulation').

One can easily check that $\sqsubseteq_{\mathrm{MIA}}$ is a preorder and the largest observational MIA-refinement relation. Its definition coincides with dMTS-refinement except that Cond. (ii) is restricted to outputs and the silent action $\tau$. Thus, inputs are always allowed implicitly and, in effect, treated just like in IA-refinement. Due to the output-must-transitions in the MIA-setting, MIA-refinement can model, e.g., STG-bisimilarity [VW02] for systems without internal actions; this is a kind of alternating simulation refinement used for digital circuits.

4.1. Conjunction on MIA.
Similar to conjunction on dMTS, we define conjunction on MIA by first constructing a conjunctive product and then eliminating all inconsistent states.

Definition 4.3 (Conjunctive Product on MIA). Let $P = (P, I, O, \rightarrow_P, \dashrightarrow_P)$ and $Q = (Q, I, O, \rightarrow_Q, \dashrightarrow_Q)$ be MIAs with common input and output alphabets and disjoint state sets $P$ and $Q$. The conjunctive product $P \mathbin{\&} Q =_{\mathrm{df}} ((P \times Q) \cup P \cup Q, I, O, \rightarrow, \dashrightarrow)$ inherits the transitions of $P$ and $Q$ and has additional transitions as follows, where $i \in I$, $o \in O$ and $\alpha \in O \cup \{\tau\}$:

(OMust1) $(p,q) \xrightarrow{o} \{(p',q') \mid p' \in P',\ q \xRightarrow{o}_Q q'\}$ if $p \xrightarrow{o}_P P'$ and $q \xRightarrow{o}_Q$
(OMust2) $(p,q) \xrightarrow{o} \{(p',q') \mid p \xRightarrow{o}_P p',\ q' \in Q'\}$ if $p \xRightarrow{o}_P$ and $q \xrightarrow{o}_Q Q'$
(IMust1) $(p,q) \xrightarrow{i} P'$ if $p \xrightarrow{i}_P P'$ and $q \not\xrightarrow{i}_Q$
(IMust2) $(p,q) \xrightarrow{i} Q'$ if $p \not\xrightarrow{i}_P$ and $q \xrightarrow{i}_Q Q'$
(IMust3) $(p,q) \xrightarrow{i} P' \times Q'$ if $p \xrightarrow{i}_P P'$ and $q \xrightarrow{i}_Q Q'$
(May1) $(p,q) \overset{\tau}{\dashrightarrow} (p',q)$ if $p \xRightarrow{\tau}_P p'$
(May2) $(p,q) \overset{\tau}{\dashrightarrow} (p,q')$ if $q \xRightarrow{\tau}_Q q'$
(May3) $(p,q) \overset{\alpha}{\dashrightarrow} (p',q')$ if $p \xRightarrow{\alpha}_P p'$ and $q \xRightarrow{\alpha}_Q q'$
(IMay1) $(p,q) \overset{i}{\dashrightarrow} p'$ if $p \overset{i}{\dashrightarrow}_P p'$ and $q \not\overset{i}{\dashrightarrow}_Q$
(IMay2) $(p,q) \overset{i}{\dashrightarrow} q'$ if $p \not\overset{i}{\dashrightarrow}_P$ and $q \overset{i}{\dashrightarrow}_Q q'$
(IMay3) $(p,q) \overset{i}{\dashrightarrow} (p',q')$ if $p \overset{i}{\dashrightarrow}_P p'$ and $q \overset{i}{\dashrightarrow}_Q q'$

This product is defined analogously to IA-conjunction for inputs (plus the corresponding 'may' rules) and to the dMTS-product for outputs and $\tau$. Thus, it combines the effects shown in Fig. 1 (where all outputs are treated as may) and Fig. 5 (where all actions are outputs).
Definition 4.4 (Conjunction on MIA). Given a conjunctive product $P \mathbin{\&} Q$, the set $F \subseteq P \times Q$ of (logically) inconsistent states is defined as the least set satisfying the following rules:

(F1) $p \xrightarrow{o}_P$, $q \not\xRightarrow{o}_Q$ and $o \in O$ implies $(p,q) \in F$
(F2) $p \not\xRightarrow{o}_P$, $q \xrightarrow{o}_Q$ and $o \in O$ implies $(p,q) \in F$
(F3) $(p,q) \xrightarrow{a} R'$ and $R' \subseteq F$ implies $(p,q) \in F$

The conjunction $P \wedge Q$ of MIAs $P, Q$ with common input and output alphabets is obtained by deleting all states $(p,q) \in F$ from $P \mathbin{\&} Q$, as for dMTS in Def. 3.4. We write $p \wedge q$ for state $(p,q)$ of $P \wedge Q$; all such states are defined, and consistent, by construction.

The conjunction $P \wedge Q$ is a MIA and is thus well-defined. This can be seen by a similar argument as we have used above in the context of dMTS-conjunction, while input-determinism can be established by an argument similar to that in the IA-setting. Note that, in contrast to the dMTS-situation, Rules (F1) and (F2) only apply to outputs. Fig. 5 is also an example for conjunction in the MIA-setting if all actions are read as outputs.

To reason about inconsistency we use a notion of witness again. This may be defined analogously to the witness notion for dMTS but replacing $a \in A$ in Def. 3.6(W1) and (W2) by $o \in O$. We then obtain the analogous lemma to Lemma 3.7, which is needed in the proof of the analogous theorem to Thm. 3.5:

Definition 4.5 (MIA-Witness). A MIA-witness $W$ of $P \mathbin{\&} Q$ is a subset of $(P \times Q) \cup P \cup Q$ such that the following conditions hold for all $(p,q) \in W$:

(W1) $p \xrightarrow{o}_P$ with $o \in O$ implies $q \xRightarrow{o}_Q$
(W2) $q \xrightarrow{o}_Q$ with $o \in O$ implies $p \xRightarrow{o}_P$
(W3) $(p,q) \xrightarrow{a} R'$ implies $R' \cap W \neq \emptyset$

Lemma 4.6. Let $P \mathbin{\&} Q$ be a conjunctive product of MIAs. Then, for any MIA-witness $W$ of $P \mathbin{\&} Q$, we have (i) $F \cap W = \emptyset$. Moreover, (ii) the set $W =_{\mathrm{df}} \{(p,q) \in P \times Q \mid \exists \text{ MIA } R \text{ and } r \in R.\ r \sqsubseteq_{\mathrm{MIA}} p \text{ and } r \sqsubseteq_{\mathrm{MIA}} q\} \cup P \cup Q$ is a MIA-witness of $P \mathbin{\&} Q$.

Proof. Since Part (i) is again obvious, we directly proceed to proving Part (ii), for which it suffices to consider the elements of $\{(p,q) \in P \times Q \mid \exists r \in R.\ r \sqsubseteq_{\mathrm{MIA}} p \text{ and } r \sqsubseteq_{\mathrm{MIA}} q\}$; thus, let $(p,q) \in W$ due to MIA $R$ and $r \in R$:

(W1): $p \xrightarrow{o}_P P'$ implies $r \xrightarrow{o}_R R'$ by $r \sqsubseteq_{\mathrm{MIA}} p$. Choose some $r' \in R'$. Then, $r \overset{o}{\dashrightarrow}_R r'$ by syntactic consistency, and $q \xRightarrow{o}_Q$ by $r \sqsubseteq_{\mathrm{MIA}} q$.

(W2): Analogous to (W1).

(W3): Assume $(p,q) \xrightarrow{a}$. According to the operational rules for conjunction, we distinguish the following cases:

(OMust1): Then, $(p,q) \xrightarrow{a} S'$ for $a \in O$, i.e., $p \xrightarrow{a}_P P'$ and $S' = \{(p',q') \mid p' \in P',\ q \xRightarrow{a}_Q q'\}$. By $r \sqsubseteq_{\mathrm{MIA}} p$ we obtain some $R' \subseteq R$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$. Choose $r' \in R'$ and the respective $p' \in P'$; now, $r \overset{a}{\dashrightarrow}_R r'$ due to syntactic consistency, and $q \xRightarrow{a}_Q q'$ with $r' \sqsubseteq_{\mathrm{MIA}} q'$ for some $q'$ by $r \sqsubseteq_{\mathrm{MIA}} q$. Thus, we have $p' \in P'$ and $q'$ such that $(p',q') \in W \cap S'$ due to $r'$. Case (OMust2) is analogous.

(IMust1): Then, $(p,q) \xrightarrow{a} P'$ for $a \in I$, and we are done since $P' \subseteq P \subseteq W$. Case (IMust2) is analogous.

(IMust3): Then, $(p,q) \xrightarrow{a} P' \times Q'$ for $a \in I$ due to $p \xrightarrow{a}_P P'$ and $q \xrightarrow{a}_Q Q'$. By $r \sqsubseteq_{\mathrm{MIA}} p$, $r \sqsubseteq_{\mathrm{MIA}} q$ and input-determinism, we have some $R'$ and $r' \in R'$ such that $r \xrightarrow{a}_R R'$, $\exists p' \in P'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$ and $\exists q' \in Q'.\ r' \sqsubseteq_{\mathrm{MIA}} q'$. Thus, $(p',q') \in W$ due to $r'$.

We can now state and prove the desired greatest-lower-bound theorem, from which compositionality of $\sqsubseteq_{\mathrm{MIA}}$ wrt. $\wedge$ follows in analogy to the IA- and dMTS-settings:

Theorem 4.7 ($\wedge$ is And). Let $P, Q$ be MIAs. We have
(i) $(\exists \text{ MIA } R \text{ and } r \in R.\ r \sqsubseteq_{\mathrm{MIA}} p \text{ and } r \sqsubseteq_{\mathrm{MIA}} q)$ if and only if $p \wedge q$ is defined.
Further, in case $p \wedge q$ is defined and for any MIA $R$ and $r \in R$:
(ii) $r \sqsubseteq_{\mathrm{MIA}} p$ and $r \sqsubseteq_{\mathrm{MIA}} q$ if and only if $r \sqsubseteq_{\mathrm{MIA}} p \wedge q$.

Proof. (i) "$\Longrightarrow$": This follows directly from Lemma 4.6 above.

(ii) "$\Longleftarrow$": For a MIA $R$ we show that $\mathcal{R} =_{\mathrm{df}} \{(r,p) \in R \times P \mid \exists q \in Q.\ r \sqsubseteq_{\mathrm{MIA}} p \wedge q\} \cup \sqsubseteq_{\mathrm{MIA}}$ is a MIA-refinement relation, by checking the two conditions of Def. 4.2 for some $(r,p) \in \mathcal{R}$ due to $q$:

• Let $p \xrightarrow{a}_P P'$ and consider the following cases depending on whether action $a$ is an input or an output:

− $a \in O$: Then, $q \xRightarrow{a}_Q$ since, otherwise, $p \wedge q$ would not be defined due to (F1). Thus, by Rule (OMust1), $p \wedge q \xrightarrow{a} \{p' \wedge q' \mid p' \in P',\ q \xRightarrow{a}_Q q',\ p' \wedge q' \text{ defined}\}$. By $r \sqsubseteq_{\mathrm{MIA}} p \wedge q$, we get some $R' \subseteq R$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \wedge q'.\ p' \in P'$, $q \xRightarrow{a}_Q q'$ and $r' \sqsubseteq_{\mathrm{MIA}} p' \wedge q'$. Hence, $\forall r' \in R'\ \exists p' \in P'.\ (r',p') \in \mathcal{R}$.

− $a \in I$: This can lead to a transition of $p \wedge q$ in two ways:
(IMust1): $q \not\xrightarrow{a}_Q$, whence $p \wedge q \xrightarrow{a} P'$. By $r \sqsubseteq_{\mathrm{MIA}} p \wedge q$, there is some $R'$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$, i.e., $(r',p') \in \mathcal{R}$.
(IMust3): $q \xrightarrow{a}_Q Q'$, whence $p \wedge q \xrightarrow{a} (P' \times Q') \setminus F$. By $r \sqsubseteq_{\mathrm{MIA}} p \wedge q$, there is some $R'$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \wedge q' \in P' \times Q'.\ r' \sqsubseteq_{\mathrm{MIA}} p' \wedge q'$ and, thus, $(r',p') \in \mathcal{R}$ due to $q'$.

• $r \overset{\alpha}{\dashrightarrow}_R r'$ with $\alpha \in O \cup \{\tau\}$ implies $\exists p' \wedge q'.\ p \wedge q \xRightarrow{\hat\alpha} p' \wedge q'$ and $r' \sqsubseteq_{\mathrm{MIA}} p' \wedge q'$. The contribution of $p$ to this weak transition sequence gives $p \xRightarrow{\hat\alpha}_P p'$, and we have $(r',p') \in \mathcal{R}$ due to $q'$.

(i) "$\Longleftarrow$": This follows from (ii) "$\Longleftarrow$" by choosing $R = P \wedge Q$ and $r = p \wedge q$.

(ii) "$\Longrightarrow$": Let $R$ be a MIA. We show that the relation $\mathcal{R} =_{\mathrm{df}} \{(r, p \wedge q) \mid r \in R,\ r \sqsubseteq_{\mathrm{MIA}} p \text{ and } r \sqsubseteq_{\mathrm{MIA}} q\} \cup \sqsubseteq_{\mathrm{MIA}}$ is a MIA-refinement relation. Due to Part (i), $p \wedge q$ is defined whenever $r \sqsubseteq_{\mathrm{MIA}} p$ and $r \sqsubseteq_{\mathrm{MIA}} q$. We now verify the conditions of Def. 4.2 for $(r, p \wedge q) \in \mathcal{R}$:

• Let $p \wedge q \xrightarrow{a}$ and distinguish the following cases by our operational rules:

− $p \wedge q \xrightarrow{a} S'$ with $a \in O$: By Rule (OMust1) this is w.l.o.g. due to $p \xrightarrow{a}_P P'$ and $S' = \{p' \wedge q' \mid p' \in P',\ q \xRightarrow{a}_Q q',\ p' \wedge q' \text{ defined}\}$. By $r \sqsubseteq_{\mathrm{MIA}} p$, we have some $R' \subseteq R$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$. Consider some arbitrary $r' \in R'$ and the respective $p' \in P'$. Then, we have $r \overset{a}{\dashrightarrow}_R r'$ by syntactic consistency and, due to $r \sqsubseteq_{\mathrm{MIA}} q$, some $q'$ with $q \xRightarrow{a}_Q q'$ and $r' \sqsubseteq_{\mathrm{MIA}} q'$. Thus, $p' \wedge q' \in S'$ and $(r', p' \wedge q') \in \mathcal{R}$.

− $p \wedge q \xrightarrow{a} P'$ with $a \in I$: This is w.l.o.g. due to Rule (IMust1): $p \xrightarrow{a}_P P'$ and $q \not\xrightarrow{a}_Q$. By $r \sqsubseteq_{\mathrm{MIA}} p$, we have some $R'$ such that $r \xrightarrow{a}_R R'$ and $\forall r' \in R'\ \exists p' \in P'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$, whence $(r',p') \in \mathcal{R}$.

− $p \wedge q \xrightarrow{a} (P' \times Q') \setminus F$ with $a \in I$: This is due to Rule (IMust3), i.e., $p \xrightarrow{a}_P P'$ and $q \xrightarrow{a}_Q Q'$. By $r \sqsubseteq_{\mathrm{MIA}} p$ and $r \sqsubseteq_{\mathrm{MIA}} q$, we get a unique $r \xrightarrow{a}_R R'$ (by input-determinism) such that $\forall r' \in R'\ \exists p' \in P', q' \in Q'.\ r' \sqsubseteq_{\mathrm{MIA}} p'$ and $r' \sqsubseteq_{\mathrm{MIA}} q'$; thus, $(r', p' \wedge q') \in \mathcal{R}$.

• Let $r \overset{\alpha}{\dashrightarrow}_R r'$ with $\alpha \in O \cup \{\tau\}$ and consider $p \xRightarrow{\hat\alpha}_P p'$ and $q \xRightarrow{\hat\alpha}_Q q'$ satisfying $r' \sqsubseteq_{\mathrm{MIA}} p'$ and $r' \sqsubseteq_{\mathrm{MIA}} q'$. Thus, $(r', p' \wedge q') \in \mathcal{R}$. Further, if $\alpha \neq \tau$, we have $p \wedge q \overset{\alpha}{\dashrightarrow} p' \wedge q'$ by Rule (May3). Otherwise, either $p \xRightarrow{\tau}_P p'$ and $q \xRightarrow{\tau}_Q q'$ and we are done by Rule (May3), or w.l.o.g. $p \xRightarrow{\tau}_P p'$ and $q = q'$ and we are done by Rule (May1), or $p = p'$ and $q = q'$.

Figure 11: MIA-disjunction is more intuitive than IA-disjunction.

In analogy to Corollary 3.8 we obtain:

Corollary 4.8.
MIA-refinement is compositional wrt. conjunction.
Disjunction on MIA.

The disjunction of two MIAs P and Q can be defined in the same way as for dMTS, except for the special treatment of inputs in the may-rules which guarantees that P ∨ Q is a MIA and, especially, that Def. 4.1(b) is satisfied:

Definition 4.9 (Disjunction on MIA). Let P = (P, I, O, −→_P, ⇢_P), Q = (Q, I, O, −→_Q, ⇢_Q) be MIAs with common input and output alphabets and disjoint state sets P and Q. The disjunction P ∨ Q is defined by ({p ∨ q | p ∈ P, q ∈ Q} ∪ P ∪ Q, I, O, −→, ⇢), where −→ and ⇢ are the least sets satisfying −→_P ⊆ −→, ⇢_P ⊆ ⇢, −→_Q ⊆ −→, ⇢_Q ⊆ ⇢ and the following operational rules:
(Must) p ∨ q −a→ P′ ∪ Q′ if p −a→_P P′ and q −a→_Q Q′
(May1) p ∨ q −α⇢ p′ if p −α⇢_P p′ and, in case α ∈ I, also q −α⇢_Q
(May2) p ∨ q −α⇢ q′ if q −α⇢_Q q′ and, in case α ∈ I, also p −α⇢_P

It is easy to see that this definition is well-defined, i.e., the resulting disjunctions are indeed MIAs, and we additionally have:

Theorem 4.10 (∨ is Or). Let P, Q and R be MIAs with states p, q and r, resp. Then, p ∨ q ⊑_MIA r if and only if p ⊑_MIA r and q ⊑_MIA r.

The theorem's proof is as for dMTS (cf. Thm. 3.10) but, in the (ii)-cases, only α ∈ O ∪ {τ} has to be considered. Analogously to dMTS we obtain the following corollary to Thm. 4.10:

Corollary 4.11.
MIA-refinement is compositional wrt. disjunction.
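As an added illustration (not code from the paper), the following Python computes P ∨ Q by the three rules of Def. 4.9 over a small set-based representation of MIAs; the two sample MIAs, their action names and the "p∨q" state naming are constructed here and are not the paper's Fig. 12.

```python
from itertools import product

TAU = "tau"  # label of internal transitions (constructed name)


def disjunction(P, Q):
    """Disjunction P ∨ Q of two MIAs (Def. 4.9).

    A MIA is a tuple (states, I, O, must, may), where must holds triples
    (p, a, P') with a disjunctive target set P' (a frozenset) and may holds
    triples (p, alpha, p').  P and Q must share their alphabets and have
    disjoint state sets; the new states are named "p∨q" (constructed here).
    """
    sP, I, O, mustP, mayP = P
    sQ, IQ, OQ, mustQ, mayQ = Q
    assert I == IQ and O == OQ and not (sP & sQ), "Def. 4.9 preconditions"

    def join(p, q):
        return f"{p}∨{q}"

    def has_may(may, state, alpha):
        return any(s == state and b == alpha for (s, b, _) in may)

    states = {join(p, q) for p, q in product(sP, sQ)} | sP | sQ
    # the transition relations of P and Q are inherited unchanged
    must, may = set(mustP) | set(mustQ), set(mayP) | set(mayQ)
    for p, q in product(sP, sQ):
        pq = join(p, q)
        # (Must): p∨q -a-> P' ∪ Q' for every pair of a-must-transitions
        for (s, a, P1) in mustP:
            if s != p:
                continue
            for (t, b, Q1) in mustQ:
                if t == q and b == a:
                    must.add((pq, a, P1 | Q1))
        # (May1)/(May2): may-transitions of one disjunct are kept, but an
        # input may-transition only if the other disjunct can also take that
        # input (this is what keeps Def. 4.1(b) intact, as the text explains)
        for (s, alpha, p1) in mayP:
            if s == p and (alpha not in I or has_may(mayQ, q, alpha)):
                may.add((pq, alpha, p1))
        for (t, alpha, q1) in mayQ:
            if t == q and (alpha not in I or has_may(mayP, p, alpha)):
                may.add((pq, alpha, q1))
    return states, I, O, must, may


# Constructed sample: I = {i}, O = {o1, o2, ack}.
# P: p must output ack to p1, must/may take input i to p2, may output o1 to p1.
# Q: q must output ack disjunctively to {q1, q2}, may output o2 to q1, has no i.
I_SAMPLE, O_SAMPLE = {"i"}, {"o1", "o2", "ack"}
P_SAMPLE = ({"p", "p1", "p2"}, I_SAMPLE, O_SAMPLE,
            {("p", "ack", frozenset({"p1"})), ("p", "i", frozenset({"p2"}))},
            {("p", "ack", "p1"), ("p", "i", "p2"), ("p", "o1", "p1")})
Q_SAMPLE = ({"q", "q1", "q2"}, I_SAMPLE, O_SAMPLE,
            {("q", "ack", frozenset({"q1", "q2"}))},
            {("q", "ack", "q1"), ("q", "ack", "q2"), ("q", "o2", "q1")})


def sample_disjunction():
    """P ∨ Q for the constructed sample."""
    return disjunction(P_SAMPLE, Q_SAMPLE)


if __name__ == "__main__":
    _, _, _, must, may = sample_disjunction()
    # the shared must-action ack is merged; the input i of P is dropped
    # because Q cannot take i, while both outputs o1 and o2 stay (inclusive-or)
    for tr in sorted(t for t in must if t[0] == "p∨q"):
        print("must", tr[0], tr[1], sorted(tr[2]))
    for tr in sorted(t for t in may if t[0] == "p∨q"):
        print("may ", tr)
```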
[Figure 12: MIA-disjunction is an inclusive-or.]

To conclude this section we argue that MIA-disjunction is more intuitive than IA-disjunction. The example in Fig. 11 shows MIAs P, Q, P ∨ Q as well as a MIA R, where state r corresponds to the IA-disjunction of states p and q when we understand P and Q as IAs. As expected (cf. p. 7), p ∨ q is a refinement of r, but not vice versa. MIA-disjunction can now be considered to be more intuitive since the first transition in the disjunction decides which disjunct has to be satisfied afterward, in contrast to IA-disjunction.

Moreover, Fig. 12 shows that MIA-disjunction is an inclusive-or: an implementation of p ∨ q can have an o_i and another o_j; interestingly, r ⊑_MIA p ∨ q satisfies 'half' of p and 'half' of q. In general, for each action a ∈ A separately, a refinement of some disjunction has to satisfy at least all initial a-must-transitions of one of its disjuncts.

4.3. Parallel Composition on MIA.

In analogy to the IA-setting [dH05] we provide a parallel operator on MIA. Here, error states are identified, and all states are removed from which reaching an error state is unavoidable in some implementation, as is done for IOMTS in [LNW07].
Definition 4.12 (Parallel Product on MIA). MIAs P and P are composable if A ∩ A = (I ∩ O) ∪ (O ∩ I), as in IA. For such MIAs we define the product P ⊗ P = (P × P, I, O, −→, ⇢), where I = (I ∪ I) \ (O ∪ O) and O = (O ∪ O) \ (I ∪ I) and where −→ and ⇢ are defined as follows:
(Must1) (p, p) −a→ P′ × {p} if p −a→ P′ and a ∉ A
(Must2) (p, p) −a→ {p} × P′ if p −a→ P′ and a ∉ A
(May1) (p, p) −α⇢ (p′, p) if p −α⇢ p′ and α ∉ A
(May2) (p, p) −α⇢ (p, p′) if p −α⇢ p′ and α ∉ A
(May3) (p, p) −τ⇢ (p′, p′) if p −a⇢ p′ and p −a⇢ p′ for some a
Recall that there are no τ-must-transitions since they are irrelevant for refinement.

Definition 4.13 (Parallel Composition on MIA). Given a parallel product P ⊗ P, a state (p, p) is an error state if there is some a ∈ A ∩ A such that (a) a ∈ O, p −a⇢ and ¬(p −a→), or (b) a ∈ O, p −a⇢ and ¬(p −a→). Again we define the set E ⊆ P × P of incompatible states as the least set such that (p, p) ∈ E if (i) (p, p) is an error state or (ii) (p, p) −α⇢ (p′, p′) for some α ∈ O ∪ {τ} and (p′, p′) ∈ E.
The parallel composition P | P of P and P is now obtained from P ⊗ P by pruning, namely removing all states in E and every transition that involves such states as its source, its target or one of its targets; all may-transitions underlying a removed must-transition are deleted, too. If (p, p) ∈ P | P, we write p | p and call p and p compatible.

Parallel products and parallel compositions are well-defined MIAs. Syntactic consistency is preserved, as is input-determinism since input-transitions are directly inherited from one of the composable systems. In particular, Cond. (b) in Def. 4.1 holds due to the additional clause regarding the deletion of may-transitions. In addition, targets of disjunctive must-transitions are never empty since all must-transitions that remain after pruning are taken from the product without modification.

As an example why pruning is needed, consider Fig. 3 again and read the τ-transitions as may-transitions and all other transitions as must-transitions. Further observe that pruning is different from removing inconsistent states in conjunction. For truly disjunctive transitions (p, p) −a→ P′ of the product P ⊗ P, the state (p, p) is removed already if P′ ∩ E ≠ ∅, i.e., there exists some (p′, p′) ∈ P′ ∩ E, and not only if P′ ⊆ E. This is clear for a ∈ O since (p, p) −a⇢ (p′, p′) by syntactic consistency and, therefore, (p, p) is deleted itself by Cond. (ii) above. Note that Cond. (ii) corresponds directly to the IA-case since output-transitions there correspond to may-transitions here (see Sec. 3.4). For a ∈ I, reaching the error state can only be prevented if the environment does not provide a; intuitively, this is because P′ has w.l.o.g. the form P′ × {p} in the product of P and P (i.e., p′ = p).
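As an added example, not the paper's code, the following Python builds the product of Def. 4.12, computes the error and incompatible states of Def. 4.13 and prunes as described above; it names the two components P1 and P2 (the paper's component indices were lost in this extraction), and the CLIENT/SERVER MIAs, their action names and the set-based representation are constructed here, not taken from the paper's Fig. 3.

```python
from itertools import product

TAU = "tau"  # label of internal transitions (constructed name)


def parallel_product(P1, P2):
    """P1 ⊗ P2 (Def. 4.12).  A MIA is (states, I, O, must, may): must holds
    (p, a, P') with a frozenset target P', may holds (p, alpha, p')."""
    s1, I1, O1, must1, may1 = P1
    s2, I2, O2, must2, may2 = P2
    A1, A2 = I1 | O1, I2 | O2
    assert A1 & A2 == (I1 & O2) | (O1 & I2), "not composable"
    I, O = (I1 | I2) - (O1 | O2), (O1 | O2) - (I1 | I2)
    states = set(product(s1, s2))
    must, may = set(), set()
    for p1, p2 in states:
        # (Must1)/(Must2), (May1)/(May2): a non-shared action (or tau) is
        # performed by one component while the other one stays put
        for (s, a, T) in must1:
            if s == p1 and a not in A2:
                must.add(((p1, p2), a, frozenset((t, p2) for t in T)))
        for (s, a, T) in must2:
            if s == p2 and a not in A1:
                must.add(((p1, p2), a, frozenset((p1, t) for t in T)))
        for (s, al, t) in may1:
            if s == p1 and al not in A2:
                may.add(((p1, p2), al, (t, p2)))
        for (s, al, t) in may2:
            if s == p2 and al not in A1:
                may.add(((p1, p2), al, (p1, t)))
        # (May3): synchronising on a shared action is an internal tau-step
        for (s, a, t) in may1:
            if s == p1 and a in A2:
                for (r, b, u) in may2:
                    if r == p2 and b == a:
                        may.add(((p1, p2), TAU, (t, u)))
    return states, I, O, must, may


def is_error(P1, P2, p1, p2):
    """Def. 4.13: some shared action that one side may output while the
    other side has no must-transition receiving it."""
    _, I1, O1, must1, may1 = P1
    _, I2, O2, must2, may2 = P2
    has = lambda rel, s, a: any(x == s and b == a for (x, b, _) in rel)
    for a in (I1 | O1) & (I2 | O2):
        if a in O1 and has(may1, p1, a) and not has(must2, p2, a):
            return True
        if a in O2 and has(may2, p2, a) and not has(must1, p1, a):
            return True
    return False


def incompatible(P1, P2, prod):
    """Least set E of Def. 4.13: error states plus every state with an
    output- or tau-may-transition into E (no implementation can avoid it)."""
    states, _, O, _, may = prod
    E = {s for s in states if is_error(P1, P2, *s)}
    changed = True
    while changed:
        changed = False
        for (s, al, t) in may:
            if (al in O or al == TAU) and t in E and s not in E:
                E.add(s)
                changed = True
    return E


def parallel_composition(P1, P2):
    """P1 | P2: the product pruned by E as described after Def. 4.13."""
    prod = parallel_product(P1, P2)
    states, I, O, must, may = prod
    kept = states - incompatible(P1, P2, prod)
    # a disjunctive must-transition goes if its source or ANY target is in E
    must_kept = {(s, a, T) for (s, a, T) in must if s in kept and T <= kept}
    # may-transitions touching E go, as do those underlying a removed must
    dropped = {(s, a, t) for (s, a, T) in must - must_kept for t in T}
    may_kept = {(s, al, t) for (s, al, t) in may
                if s in kept and t in kept and (s, al, t) not in dropped}
    return kept, I, O, must_kept, may_kept


# Constructed sample.  CLIENT takes input start, then outputs msg and never
# accepts resp; SERVER receives msg, then must output resp.  So (a2, b1) is an
# error state, (a1, b0) reaches it by the tau-step synchronising msg, and the
# input start, whose only target is (a1, b0), gets pruned at (a0, b0).
CLIENT = ({"a0", "a1", "a2"}, {"start", "resp"}, {"msg"},
          {("a0", "start", frozenset({"a1"})), ("a1", "msg", frozenset({"a2"}))},
          {("a0", "start", "a1"), ("a1", "msg", "a2")})
SERVER = ({"b0", "b1", "b2"}, {"msg"}, {"resp"},
          {("b0", "msg", frozenset({"b1"})), ("b1", "resp", frozenset({"b2"}))},
          {("b0", "msg", "b1"), ("b1", "resp", "b2")})
```

Running `parallel_composition(CLIENT, SERVER)` keeps (a0, b0) but with no transitions left, which is exactly the "environment must not provide start" requirement the text describes.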
The implementor of P might choose to implement p −a→ p′ such that, when P's implementation is composed with P's, the error state is reached. To express the requirement on the environment not to exhibit a, must-transition (p, p) −a→ P′ and all underlying may-transitions have to be deleted.

Theorem 4.14 (Compositionality of MIA-Parallel Composition). Let P, P and Q be MIAs with p ∈ P, p ∈ P, q ∈ Q and p ⊑_MIA q. Assume that Q and P are composable; then: (a): P and P are composable. (b): If q and p are compatible, then so are p, p and p | p ⊑_MIA q | p.

Proof. Part (a) follows immediately since MIA Q has the same input and output alphabets as MIA P, due to p ⊑_MIA q. Regarding Part (b), the first claim is implied by the following auxiliary result:

Let E_P be the E-set of P ⊗ P and E_Q be the one of Q ⊗ P. Then, (p, p) ∈ E_P and p ⊑_MIA q together imply (q, p) ∈ E_Q.

The proof of this result is by induction on the length of a path from (p, p) to an error state of P ⊗ P:

(Base): Let (p, p) be an error state.
• Let p −a⇢_P with a ∈ O ∩ I and ¬(p −a→_P). Then, for some q′, we have q =ε⇢_Q q′ −a⇢_Q by p ⊑_MIA q; therefore, (q, p) =ε⇢ (q′, p) ∈ E_Q and (q, p) ∈ E_Q, too.
• Let p −a⇢_P with a ∈ O ∩ I and ¬(p −a→_P). If q −a→_Q, we have a contradiction to p ⊑_MIA q; otherwise, (q, p) is an error state.

(Step): For a shortest path from (p, p) to an error state, consider the first transition (p, p) −α⇢ (p′, p′) ∈ E_P with α ∈ O ∪ {τ}. The transition is due to Rule (May1), (May2) or (May3). In all cases we show p′ ⊑_MIA q′, which implies (q′, p′) ∈ E_Q by induction hypothesis.
(May1): p −α⇢_P p′, p = p′, α ∉ A, and α ∈ O ∪ {τ} by α ∈ O ∪ {τ}. Hence, there is some q′ such that q =α⇢_Q q′ and p′ ⊑_MIA q′, due to p ⊑_MIA q, and (q, p) =α̂⇢ (q′, p) by applications of Rule (May1). By induction hypothesis, (q′, p) ∈ E_Q and, thus, (q, p) ∈ E_Q.
(May2): p = p′, p −α⇢_P p′ and α ∉ A. Now, since P and Q have the same alphabets by p ⊑_MIA q, we can apply Rule (May2) again and obtain (q, p) −α⇢ (q, p′), so that (q, p′) ∈ E_Q by induction hypothesis. Hence, (q, p) ∈ E_Q, too.
(May3): α = τ.
  • p −a⇢_P p′ with a ∈ O, and p −a⇢_P p′ with a ∈ I. By p ⊑_MIA q, we have q =ε⇢_Q q″ −a⇢_Q q′ for some q′, q″ with p′ ⊑_MIA q′. Hence, (q, p) =ε⇢ (q″, p) −τ⇢ (q′, p′) via Rules (May1) and (May3). By induction hypothesis, (q′, p′) ∈ E_Q and, thus, (q, p) ∈ E_Q, too.
  • p −a⇢_P p′ with a ∈ I, and p −a⇢_P p′ with a ∈ O. If ¬(q −a⇢_Q), then ¬(q −a→_Q) by syntactic consistency and (q, p) is thus an error state. If q −a⇢_Q, then there exist unique p −a→_P P′ and q −a→_Q Q′. We have p′ ∈ P′ by Def. 4.1(b) and ∃q′ ∈ Q′. p′ ⊑_MIA q′ since p ⊑_MIA q. Hence, q −a⇢_Q q′ by syntactic consistency and (q, p) −τ⇢ (q′, p′) due to Rule (May3). By induction hypothesis, (q′, p′) ∈ E_Q and, therefore, (q, p) ∈ E_Q.

This completes the proof of the auxiliary result. We can now prove that R =_df {(p | p, q | p) | p ⊑_MIA q, p, p as well as q, p compatible} is a MIA-refinement relation, for which we let (p | p, q | p) ∈ R and check the conditions of Def. 4.2:

(i): Let q | p −a→ Q′ with Q′ ∩ E_Q = ∅ due to either Rule (Must1) or (Must2).
(Must1): q −a→_Q Q′ and Q′ = Q′ × {p}. Then, by p ⊑_MIA q, there is some P′ ⊆ P such that p −a→_P P′ and ∀p′ ∈ P′ ∃q′ ∈ Q′. p′ ⊑_MIA q′. Now, (p, p) −a→ P′ × {p} by Rule (Must1) and since a ∉ A. For p′ ∈ P′ we have a suitable q′ ∈ Q′, and (p′, p) ∉ E_P since (q′, p) ∉ E_Q and due to the auxiliary result above. Thus, for the arbitrary p′ | p, we also have (p′ | p, q′ | p) ∈ R.
(Must2): p −a→_P P′ and Q′ = {q} × P′. Then, (p, p) −a→ P′ = {p} × P′ by Rule (Must2) and as P, Q have the same alphabets by p ⊑_MIA q. For (p, p′) ∈ P′, we get (p, p′) ∉ E_P since (q, p′) ∉ E_Q and due to the auxiliary result above. Thus, p | p −a→ P′ and, for p | p′ ∈ P′, we have q | p′ ∈ Q′ with (p | p′, q | p′) ∈ R.

(ii): Let p | p −α⇢ p′ | p′ ∉ E_P with α ∈ O ∪ {τ}. The transition arises from one of the Rules (May1), (May2) or (May3):
(May1): p′ = p and p −α⇢_P p′. By p ⊑_MIA q, we have q =α⇢_Q q′ for some q′ such that p′ ⊑_MIA q′. Hence, (q, p) =α̂⇢ (q′, p) by repeated application of Rule (May1) and since α ∉ A. If any state on this transition sequence were in E_Q, then also (q, p) ∈ E_Q, which contradicts (p | p, q | p) ∈ R. Thus, q | p =α⇢ q′ | p with (p′ | p, q′ | p) ∈ R.
(May2): p′ = p and p −α⇢_P p′. Then, (q, p) −α⇢ (q, p′) by Rule (May2) and since P and Q have the same alphabets due to p ⊑_MIA q. If the latter state (q, p′) were in E_Q, then so would be the former state (q, p). Therefore, we have q | p −α⇢ q | p′ and, moreover, (p | p′, q | p′) ∈ R.
(May3): α = τ, p −a⇢_P p′ and p −a⇢_P p′ for some a.
  • a ∈ O ∩ I: Then, q =ε⇢_Q q″ −a⇢_Q q′ for q′, q″ with p′ ⊑_MIA q′, due to p ⊑_MIA q. Now, (q, p) =ε⇢ (q″, p) −τ⇢ (q′, p′) by Rules (May1), (May3). As in Case (May1) above, q | p =ε⇢ q′ | p′ and (p′ | p′, q′ | p′) ∈ R.
  • a ∈ I ∩ O: If ¬(q −a⇢_Q), then (q, p) would be an error state, which is a contradiction. Therefore, q −a⇢_Q and, by Def. 4.1(b), there exist unique p −a→_P P′ and q −a→_Q Q′ by input-determinism. We have p′ ∈ P′ and ∃q′ ∈ Q′. p′ ⊑_MIA q′ since p ⊑_MIA q. Thus, (q, p) −τ⇢ (q′, p′) by Rule (May3) and syntactic consistency, and (q′, p′) ∉ E_Q by the same reasoning as above. Hence, q | p −τ⇢ q′ | p′ with (p′ | p′, q′ | p′) ∈ R.

[Figure 13: Example illustrating the need of input-determinism for MIA.]

This precongruence property of MIA-refinement would not hold if we did away with input-determinism in MIA. To see this, consider the example of Fig. 13 for which p ⊑_MIA q; however, p | r ⊑_MIA q | r does not hold since q and r are compatible while p and r are not. An analogous reasoning applies to IA, although we do not know of a reference in the IA literature where this has been observed.

4.4. Embedding of IA into MIA.
To conclude, we provide an embedding of IA into MIA in the line of [LNW07]:

Definition 4.15 (IA-Embedding). Let P be an IA. The embedding [P]_MIA of P into MIA is defined as the MIA (P, I, O, −→, ⇢), where (i) p −i→ p′ if p −i→_P p′ and i ∈ I, and (ii) p −α⇢ p′ if p −α→_P p′ and α ∈ I ∪ O ∪ {τ}.

In the remainder of this section we simply write [p] for p ∈ [P]_MIA. This embedding is much simpler than the one of [LNW07] since MIA more closely resembles IA than IOMTS does. In particular, the following theorem is obvious:

Theorem 4.16 (IA-Embedding Respects Refinement). For IAs P, Q with p ∈ P, q ∈ Q: p ⊑_IA q if and only if [p] ⊑_MIA [q].

Our embedding respects operators ∧ and |, unlike the one in [LNW07]:

Theorem 4.17 (IA-Embedding is a Homomorphism). For IAs P, Q with p ∈ P, q ∈ Q: (a): [p] ∧ [q] =_MIA [p ∧ q]; (b): [p] | [q] =_MIA [p | q].

Proof. Part (b) follows directly from the definitions of parallel composition on IA and MIA, whereas Part (a) "⊒_MIA" is an immediate consequence of Thms. 4.7 and 4.16 by general order theory. We are thus left with proving Part (a) "⊑_MIA".

Both sides only differ in additional transitions −α⇢ with α ∈ O ∪ {τ} in [P]_MIA ∧ [Q]_MIA, where on the other side =ε⇢ −α⇢. Formally, we define the relation R =_df {([p] ∧ [q], [p ∧ q]) | p ∈ P, q ∈ Q} ∪ id_P ∪ id_Q and argue that R is a MIA-refinement relation:
• Firstly, [P]_MIA ∧ [Q]_MIA and [P ∧ Q]_MIA are isomorphic on input-transitions since the Rules (IMust1)–(IMust3) (and Rules (IMay1)–(IMay3)) exactly correspond to Rules (I1)–(I3), as well as on P and Q.
• Secondly, consider a transition [p] ∧ [q] −τ⇢ [p′] ∧ [q] according to Rule (May1) and [p] =τ⇢_P [p′]. Then, p ∧ q =τ⇒ p′ ∧ q in IA by repeated application of Rule (T1) and, therefore, [p ∧ q] =τ⇢ [p′ ∧ q] in the IA-embedding. Rule (May2) is analogous, and Rule (May3) for α = τ is similar (with interleaving of τ-steps). In addition, Rule (May3) for α ∈ O is similar, too, except that the τ-steps are followed by an α-transition according to Rule (O).

We observe that the IA-embedding into MIA is 'better' wrt. conjunction than that into dMTS since refinement holds in both directions. The reason is that MIA-refinement is coarser (i.e., larger) than dMTS-refinement applied to MIAs (which are dMTSs after all): input may-transitions do not have to be matched in the former. Thus, there can be more lower bounds wrt. MIA-refinement and the greatest lower bound can be larger.

Proposition 4.18 (Disjunction and IA-Embedding). For IAs P, Q with p ∈ P, q ∈ Q, we have: [p] ∨ [q] ⊑_MIA [p ∨ q].

This result holds by general order theory due to Thm. 4.16. The reverse refinement for disjunction is not valid, as we have already seen in Fig. 11, and this difference repairs a shortcoming of IA-disjunction as discussed on p. 7.

5. Conclusions and Future Work
We introduced Modal Interface Automata (MIA), an interface theory that is more expressive than Interface Automata (IA) [dH05]: it allows one to mandate that a specification's refinement must implement some output, thus excluding trivial implementations, e.g., one that accepts all inputs but never emits any output. This was also the motivation behind IOMTS [LNW07] that extends Modal Transition Systems (MTS) [Lar90] by inputs and outputs; however, the IOMTS-parallel operator in the style of IA is not compositional. Apart from having disjunctive must-transitions, MIA is a subset of IOMTS, but it has a different refinement relation that is a precongruence for parallel composition.

Most importantly and in contrast to IA and IOMTS, the MIA theory is equipped with a conjunction operator for reasoning about components that satisfy multiple interfaces simultaneously. Along the way, we also introduced conjunction on IA and a disjunctive extension of MTS – as well as disjunction on IA, MTS and MIA – and proved these operators to be the desired greatest lower bounds (resp., least upper bounds) and thus compositional. Compared to the language-based modal interface theory of [RBB+ disjunctive transitions) even for inputs. Hence, MIA establishes a theoretically clean and practical interface theory that fixes the shortcomings of related work.

[Figure 14: In Logic LTS [LV10], disjunction is internal choice.]

From a technical perspective, our MIA-theory borrows from our earlier work on Logic LTS [LV10]. There, we started from a very different conjunction operator appropriate for a deadlock-sensitive CSP-like process theory, and then derived a 'best' suitable refinement relation. In [LV10], disjunction is simply internal choice ⊓, as sketched in Fig. 14. For MIA, p ⊓ q is not suited at all since both p and q require that input i is performed immediately.

Future work shall follow both theoretical and practical directions. On the theoretical side, we firstly wish to study MIA's expressiveness in comparison to other theories via thoroughness [FFELS09]. More substantially, however, we intend to enrich MIA with temporal-logic operators, in the spirit of truly mixing operational and temporal-logic styles of specification in the line of our Logic LTS in [LV11]. Important guidance for this will be the work of Feuillade and Pinchinat [FP07], who have introduced a temporal logic for modal interfaces that is equally expressive to MTS. In contrast to [LV11], their setting is not mixed, does not consider nondeterminism, and does not include a refinement relation. Indeed, a unique feature of Logic LTS is that its refinement relation subsumes the standard temporal-logic satisfaction relation.

On the practical side, we plan to study the algorithmic complexity implied by MIA-refinement, on the basis of existing literature for MTS. For example, Antonik et al. [AHL+11] advocate deterministic automata for modal interface theories in order to reduce complexity. In addition, we wish to adapt existing tool support for interface theories to MIA, e.g., the MIO Workbench [BMSH10].
Acknowledgement
We thank the anonymous reviewers for their constructive comments and for pointing out additional related work. Part of this research was supported by the DFG (German Research Foundation) under grant nos. LU 1748/3-1 and VO 615/12-1 ("Foundations of Heterogeneous Specifications Using State Machines and Temporal Logic").
References

[AHL+10] A. Antonik, M. Huth, K.G. Larsen, U. Nyman, and A. Wasowski. Modal and mixed specifications: Key decision problems and their complexities. Mathematical Structures in Computer Science, 20(1):75–103, 2010.
[AL95] M. Abadi and L. Lamport. Conjoining specifications. ACM TOPLAS, 1(3):507–534, 1995.
[BCHS07] D. Beyer, A. Chakrabarti, T.A. Henzinger, and S.A. Seshia. An application of web-service interfaces. In ICWS, pages 831–838. IEEE, 2007.
[BCK11] N. Beneš, I. Černá, and J. Křetínský. Modal transition systems: Composition and LTL model checking. In ATVA, volume 6996 of LNCS, pages 228–242. Springer, 2011.
[BHW11] S. Bauer, R. Hennicker, and M. Wirsing. Interface theories for concurrency and data. Theoret. Comp. Sc., 412(28):3101–3121, 2011.
[BJL+12] S. Bauer, L. Juhl, K.G. Larsen, A. Legay, and J. Srba. Extending modal transition systems with structured labels. Mathematical Structures in Computer Science, 22(4):581–617, 2012.
[BMSH10] S. Bauer, P. Mayer, A. Schroeder, and R. Hennicker. On weak modal compatibility, refinement, and the MIO Workbench. In TACAS, volume 6015 of LNCS, pages 175–189. Springer, 2010.
[CCJK12] T. Chen, C. Chilton, B. Jonsson, and M. Kwiatkowska. A compositional specification theory for component behaviours. In ESOP, volume 7211 of LNCS, pages 148–168. Springer, 2012.
[dH01] L. de Alfaro and T.A. Henzinger. Interface automata. In FSE, pages 109–120. ACM, 2001.
[dH05] L. de Alfaro and T.A. Henzinger. Interface-based design. In Engineering Theories of Software-Intensive Systems, volume 195 of NATO Science Series. Springer, 2005.
[DHJP08] L. Doyen, T.A. Henzinger, B. Jobstmann, and T. Petrov. Interface theories with component reuse. In EMSOFT, pages 79–88. ACM, 2008.
[Dil89] D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1989.
[FFELS09] H. Fecher, D. de Frutos-Escrig, G. Lüttgen, and H. Schmidt. On the expressiveness of refinement settings. In FSEN, volume 5961 of LNCS, pages 276–291. Springer, 2009.
[FP07] G. Feuillade and S. Pinchinat. Modal specifications for the control theory of discrete event systems. J. Discrete Event Dyn. Syst., 17:211–232, 2007.
[FU08] D. Fischbein and S. Uchitel. On correct and complete strong merging of partial behaviour models. In SIGSOFT FSE, pages 297–307. ACM, 2008.
[HLL+12] J. Hatcliff, G.T. Leavens, K.R.M. Leino, P. Müller, and M. Parkinson. Behavioral interface specification languages. ACM Computing Surveys, 44(3):16, 2012.
[Lar90] K.G. Larsen. Modal specifications. In Automatic Verification Methods for Finite State Systems, volume 407 of LNCS, pages 232–246. Springer, 1990.
[LNW07] K.G. Larsen, U. Nyman, and A. Wasowski. Modal I/O automata for interface and product line theories. In ESOP, volume 4421 of LNCS, pages 64–79. Springer, 2007.
[LSW95] K.G. Larsen, B. Steffen, and C. Weise. A constraint oriented proof methodology based on modal transition systems. In TACAS, volume 1019 of LNCS, pages 17–40. Springer, 1995.
[LV10] G. Lüttgen and W. Vogler. Ready simulation for concurrency: It's logical! Inform. and Comput., 208:845–867, 2010.
[LV11] G. Lüttgen and W. Vogler. Safe reasoning with Logic LTS. Theoret. Comp. Sc., 412(28):3337–3357, 2011.
[LX90] K.G. Larsen and L. Xinxin. Equation solving using modal transition systems. In LICS, pages 108–117. IEEE, 1990.
[MB03] L.G. Meredith and S. Bjorg. Contracts and types. C. ACM, 46(10):41–47, 2003.
[Mey92] B. Meyer. Applying design by contract. IEEE Computer, 25(10):40–51, 1992.
[MG05] W. Maydl and L. Grunske. Behavioral types for embedded software – A survey. In Component-Based Software Development, volume 3778 of LNCS, pages 82–106. Springer, 2005.
[RBB+11] J. Raclet, E. Badouel, A. Benveniste, B. Caillaud, A. Legay, and R. Passerone. A modal interface theory for component-based design. Fund. Inform., 107:1–32, 2011.
[VW02] W. Vogler and R. Wollowski. Decomposition in asynchronous circuit design. In Concurrency and Hardware Design, volume 2549 of LNCS, pages 152–190. Springer, 2002.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/