The Quotient in Preorder Theories
Íñigo X. Íncer Romeo, Leonardo Mangeruca, Tiziano Villa, Alberto Sangiovanni-Vincentelli
J.-F. Raskin and D. Bresolin (Eds.): 11th International Symposium on Games, Automata, Logics, and Formal Verification (GandALF'20). EPTCS 326, 2020, pp. 216–233, doi:10.4204/EPTCS.326.14
Íñigo X. Íncer Romeo (University of California, Berkeley, USA), Leonardo Mangeruca (Raytheon Technologies Research Center, Rome, Italy), Tiziano Villa (Università di Verona, Italy), Alberto Sangiovanni-Vincentelli (University of California, Berkeley, USA)

Abstract. Seeking the largest solution to an expression of the form $Ax \le B$ is a common task in several domains of engineering and computer science. This largest solution is commonly called quotient. Across domains, the meanings of the binary operation and the preorder are quite different, yet the syntax for computing the largest solution is remarkably similar. This paper is about finding a common framework to reason about quotients. We only assume we operate on a preorder endowed with an abstract monotonic multiplication and an involution. We provide a condition, called admissibility, which guarantees the existence of the quotient, and which yields its closed form. We call preordered heaps those structures satisfying the admissibility condition. We show that many existing theories in computer science are preordered heaps, and we are thus able to derive a quotient for them, subsuming existing solutions when available in the literature. We introduce the concept of sieved heaps to deal with structures which are given over multiple domains of definition. We show that sieved heaps also have well-defined quotients.

1 Introduction

The identification of missing objects is a common task in engineering. Suppose an engineer wishes to implement a design with a mathematical description $B$, and will use a component with a description $A$ to implement this design. In order to find out what needs to be added to $A$ in order to implement $B$, the engineer seeks a component $x$ in an expression of the form $A \bullet x = B$, where $\bullet$ is an operator yielding the composite of two design elements. Many compositional theories include the notion of a preorder, usually called refinement. The statement $A \le C$ usually reads "$A$ refines $C$" or "$A$ is more specific than $C$." In this setting, the problem is recast as finding an $x$ such that $A \bullet x \le B$. It is often assumed that the composition operation is monotonic with respect to this preorder.
Therefore, if $x$ is a solution, so is any $y$ satisfying $y \le x$. This focuses our attention on finding the largest $x$ that satisfies the expression. The literature often calls this largest solution quotient.

The logic synthesis community has been a pioneer in defining and solving special cases of the quotient problem for combinational and sequential logic circuit design ([24, 12]) under names like circuit rectification, engineering change or component replacement. In combinational synthesis, much work has been reported to support algebraic and Boolean division: given dividend $f$ and divisor $g$, find the quotient $q$ and remainder $r$ such that $f = q \cdot g + r$ (for $\cdot$, $+$ the standard Boolean operators AND and OR, respectively), a key operation to restructure multi-level Boolean networks [17]. The quotient problem for combinational circuits was formulated as a general replacement problem in [9]: given the combinational circuits $A$ and $C$ whose synchronous composition produces the circuit specification $B$, what are the legal replacements of $C$ that are consistent with the input-output relation of $B$? The valid replacements for $C$ were defined as the combinational circuits $x$ such that $A \circ x \subseteq B$, and the largest solution for $x$ was characterized by the closed formula $x = (A \circ B^{\perp})^{\perp}$, where $(\cdot)^{\perp}$ is a unary operator that complements the input-output relation of the circuit to which it is applied (switching the inputs and outputs), while a hiding operation gets rid of the internal signals.

In sequential optimization, the typical question addressed was, given a finite-state machine (FSM) $A$, find an FSM $x$ such that their synchronous composition produces an FSM behaviorally equivalent to a specification FSM $B$, i.e., solve over FSMs the equation $A \circ x = B$, where $\circ$ is synchronous composition and equality is FSM input-output equivalence.
Various topologies were solved, starting with serial composition where the unknown was either the head or tail machine, to more complex interconnections with feedback. As a matter of fact, sometimes both $A$ and $x$ were known, but the goal was to change them into FSMs yielding better logical implementations, while preserving their composition, with the objective to optimize a sequential circuit by computing and exploiting the flexibility due to its modular structure and its environment (see [17, 38, 21]). An alternative formulation of FSM network synthesis was provided by encoding the problem in the logic WS1S (Weak Second-Order Logic of 1 Successor), which makes it possible to characterize the set of permissible behaviors at a node of a given network of FSMs by WS1S formulas [1], corresponding to regular languages and so to effective operations on finite state automata.

Another stream of contributions has been motivated by component-based design of parallel systems with an interleaving semantics (denoted in our exposition by the composition operator $\diamond$). The problem is stated by Merlin and Bochmann [31] as follows: "Given a complete specification of a given module and the specifications of some submodules, the method described below provides the specification of an additional submodule that, together with the other submodules, will provide a system that satisfies the specification of the given module." The problem was reduced to solving equations or inequalities over process languages, which are usually prefix-closed regular languages represented by labeled transition systems. A closed-form solution of the inequality $A \diamond x \subseteq B$ over prefix-closed regular languages, written as $\mathrm{proj}_x(A \diamond B) - \mathrm{proj}_x(A \diamond \overline{B})$ (where $\mathrm{proj}_x$ is a projection over the alphabet of $x$), was given in [31, 19].
This approach to solve the equation $A \diamond x = B$ has been further extended to obtain restricted solutions that satisfy properties such as safety and liveness, or are restricted to be FSM languages, which need to be input-progressive and avoid divergence (see [19, 7, 40]). The quotient problem has been investigated also for delay-insensitive processes to model asynchronous sequential circuits, see [13, 30, 32]. Equations of the form $A \diamond x \le B$ were defined, and their largest closed-form solutions were written as $x = (A \diamond B^{\sim})^{\sim}$, where $(\cdot)^{\sim}$ is a suitable unary operation.

An important application from discrete control theory is the model matching problem: design a controller whose composition with a plant matches a given specification (see [2, 16]). Another significant application of the quotient computation has been the protocol design problem, and in particular, the protocol conversion problem (see [27, 18, 35, 33, 25, 20, 41, 11]). Protocol converter synthesis has been studied also over a variant of Input/Output Automata (IOA, [29]), called Interface Automata (IA, [15, 14]), yielding a similar quotient equation $A \diamond_{IA} x \subseteq B$ and closed-form solution $(A \diamond_{IA} B^{\perp})^{\perp}$, where $\diamond_{IA}$ is an appropriate interleaving composition defined for interface automata, and $(\cdot)^{\perp}$ is again a unary operation [6]. Some research focused on modal specifications represented by automata whose transitions are typed with may and must modalities, as in [28, 36], with a solution of the quotient problem for nondeterministic automata provided in [3]. It is outside the scope of this paper to address the quotient problem for real-time and hybrid systems (see [10, 8] for verification and control in such settings). A detailed survey of previous work in this area can be found in [23, 40]. For a discussion about the maximality of the closed-form solution of [31, 19] and for more references, we refer to [40], Sec. 5.2.1.

As seen above, the quotient problem was studied by different research communities working on various application domains and formalisms. Often similar formulations and solutions were reached, albeit obfuscated by the different notations and objectives of the synthesis process. This motivated a concentrated effort to distill the core of the problem, modeling it as solving equations over languages of the form $A \parallel x \preceq B$, where $A$ and $B$ are known components and $x$ is unknown, $\parallel$ is a composition operator, and $\preceq$ is a conformance relation (see [39] and the monograph [40] for full accounts). The notion of language was chosen as the most basic formalism to specify the components of the equation, and language containment $\subseteq$ was selected as conformance relation. Two basic composition operators were defined, each encapsulating a family of variants: synchronous composition ($\bullet$) modeling the classical lock-step coordination, and interleaving composition ($\diamond$) modeling asynchrony by which components may progress at different rates (there are subtle issues in comparing the two types, as mentioned in [26, 42]). Therefore two language equations were defined: $A \bullet x \subseteq B$ and $A \diamond x \subseteq B$, where the details of the operations to convert alphabets according to the interconnection topologies are hidden in the formula. It turned out that the largest solutions have the same structure, respectively, $\overline{A \bullet \overline{B}}$ and $\overline{A \diamond \overline{B}}$. This led to investigating the algebraic properties required by the composition operators to deliver the previous largest closed-form solutions, in order to unify the two formulas [39].
This effort assumed that the underlying objects were sets, and that their operations were given in terms of set operations. This work, thus, could not account for quotient computations in more complex theories, like interface automata.

As a parallel development, in recent years we have seen the growth of a rigorous theory of system design based on the algebra of contracts (see the monograph [5]). In this theory, a strategic role is played by assume-guarantee (AG) contracts, in which the missing component problem arises: when the given components are not capable of discharging the obligations of the requirements, define a quotient operation that computes the contract for a component, so that by its addition to the original set the resulting system fulfills the requirements. The quotient of AG contracts was completely characterized very recently by a closed-form solution proved in [37]. Once again, the syntax of the quotient has the form $(A \parallel B^{-})^{-}$ for contracts $A$ and $B$ and standard contract operations.

In summary, even though the concrete models of the components, composition operators, conformance relations and inversion functions vary significantly across chosen models and application domains, the quotient formulas have similar syntax across theories. The motivation of this paper is to propose the underlying mathematical structure common to all these instances of quotient computation, to be able to derive directly the solution formula for any equation satisfying the properties of this common structure.
We show that we can compute the quotient by only assuming the axioms of a preorder, enriched with a binary operation of source multiplication and a unary involution operation. In particular we introduce the new algebraic notion of preordered heaps, characterized by a condition, called admissibility, which guarantees the existence of the solution and yields a closed form for it. Then we show that a number of theories in computer science meet this condition, e.g., Boolean lattices, AG contracts, and interface automata; so for all of them we are able to (re-)derive axiomatically the formulas that compute their related quotients. We also introduce the concept of sieved heaps to deal with structures defined over multiple domains, and we show that the equations $A \bullet x \le B$ admit a solution also over sieved heaps, generalizing the known solutions of equations on languages over multiple alphabets with respect to synchronous and interleaving composition, well studied in the literature.

The paper is structured as follows. Sec. 2 develops the basic mathematical machinery of preordered heaps, whereas Sec. 3 shows that various theories are preordered heaps. Sec. 4 introduces sieved heaps, whereas Sec. 5 applies them to equations over languages with multiple alphabets. Sec. 6 concludes. Some proofs are omitted due to space constraints.
2 Preordered heaps

In this section we introduce an algebraic structure for which the existence of quotients is guaranteed. We show in Section 3 that many theories in computer science are instances of this concept. First we introduce the notation we will use:

• Let $P$ be a set and let $\mu : P \times P \to P$ be a binary operation on $P$. For any element $a \in P$, we let $\mu_a : P \to P$ be the function $\mu_a = \mu \circ (a \times \mathrm{id})$, where $\mathrm{id}$ is the identity operator and $(a \times \mathrm{id}) : P \to P \times P$ is the unary function $(a \times \mathrm{id}) : b \mapsto (a, b)$. Similarly, we let $\mu^a = \mu \circ (\mathrm{id} \times a)$. If we call $\mu$ multiplication, $\mu_a$ is left multiplication by $a$, and $\mu^a$ is right multiplication by $a$.
• For any set $P$, we let the mapping $\mathrm{flip} : P \times P \to P \times P$ be $\mathrm{flip}(a, b) = (b, a)$ ($a, b \in P$).
• Consider a set $P$ and a binary relation $\le$ on $P$. Then $\le$ is a preorder if it is reflexive and transitive; i.e., for all $a$, $b$ and $c$ in $P$, we have $a \le a$ (reflexivity) and if $a \le b$ and $b \le c$ then $a \le c$ (transitivity). If a preorder is antisymmetric ($a \le b$ and $b \le a$ implies $a = b$), then it is a partial order.
• Let $(P, \le)$ be a preorder and let $a, b \in P$. If $a \le b$ and $b \le a$, we write $a \simeq b$.
• Let $F : P \to P$. We say that $F$ is monotonic or order-preserving if $a \le b \Rightarrow Fa \le Fb$ for all $a, b \in P$. Similarly, we say that $F$ is antitone or order-reversing if $a \le b \Rightarrow Fb \le Fa$ for all $a, b \in P$.
• Suppose that $L, R : P \to P$ are two monotonic maps on $P$. We say that $(L, R)$ form an adjoint pair, or that $L$ is the left adjoint of $R$ ($R$ is respectively the right adjoint of $L$), or that the pair $(L, R)$ forms a Galois connection when for all $b, c \in P$, we have $Lb \le c$ if and only if $b \le Rc$.
• Let $F, G : P \to P$ be functions on a preorder $P$. We say that $F \le G$ when $Fa \le Ga$ for all $a \in P$.
As we discussed in the introduction, many times in engineering and computer science one encounters expressions of the form $A \bullet x \le B$, and one wishes to solve for the largest $x$ that satisfies the expression. The symbols have different specific meanings in the various domains, yet in all applications we know, the syntax for computing the quotient always has the form $\overline{A \bullet \overline{B}}$, where $\overline{(\cdot)}$ is an involution (i.e., a unary operator which is its own inverse). To give meaning to the inequality, at a minimum we need a preorder and a binary operation; to give meaning to the quotient expression, we need to assume the existence of an involution. In all compositional theories, the refinement order has the connotation of specificity: if $a \le b$ then $a$ is a refinement of $b$. The binary operation is usually interpreted as composition. The product $a \bullet b$ is understood as the design obtained when operating both $a$ and $b$ in a topology given by the mathematical description of each component. The unary operation is sometimes understood as giving an external view on an object. If a component has mathematical description $a$, then $\overline{a}$ gives the view that the environment has of the design element. In Boolean algebras, this unary operation is negation. In interface theories, it is usually an operation which switches input and output behaviors.

We thus introduce an algebraic structure consisting of a preorder, a binary operation which is monotonic in both arguments, and an involution which is antitone. We have called the binary operation source multiplication for reasons having to do with category theory: we will show that this operation serves as the left functor of an adjunction. Therefore, its application to an object of the preorder yields the source of one of the two arrows in the adjunction. Why not simply call it multiplication? Because source multiplication together with the involution generate another binary operation.
This second operation we call target multiplication because its application to an object yields the target of one of the arrows in the adjunction. The unary operation will simply be called involution. The algebraic structure will be called preordered heap. The inspiration came from engineering design. In some design methodologies, design elements at the same level of abstraction are not comparable in the refinement order. Indeed, a refinement of a design element usually yields a design element in a more concrete layer. But we are placing all components under the same mathematical structure. This suggested the name heap. We add the adjective preordered simply to differentiate the concept from existing algebraic heaps. We are ready for the definition:

Definition 2.1. A preordered heap is a structure $(P, \le, \mu, \gamma)$, where $(P, \le)$ is a preorder; $\mu : P \times P \to P$ is a binary operation on $P$, monotonic in both arguments, called source multiplication; and $\gamma : P \to P$ is an antitone operation on $P$ called involution. These operations satisfy the following axioms:
• A1: $\gamma \circ \gamma = \mathrm{id}$.
• A2a (left admissibility): $\mu_a \circ \gamma \circ \mu^a \circ \gamma \le \mathrm{id}$ ($a \in P$).
• A2b (right admissibility): $\mu^a \circ \gamma \circ \mu_a \circ \gamma \le \mathrm{id}$ ($a \in P$).

Note 2.1.
In Definition 2.1, we did not assume commutativity in $\mu$. If $\mu$ is commutative, we have $\mu = \mu \circ \mathrm{flip}$, so $\mu_a = \mu \circ (a \times \mathrm{id}) = \mu \circ \mathrm{flip} \circ (a \times \mathrm{id}) = \mu \circ (\mathrm{id} \times a) = \mu^a$. It follows that for a commutative preordered heap, axioms A2a and A2b become

$(\mu_a \circ \gamma)^2 \le \mathrm{id}.$ (1)

We have discussed all elements in the definition of a preordered heap, except for the admissibility conditions. What are they? Consider left admissibility: $\mu_a \circ \gamma \circ \mu^a \circ \gamma \le \mathrm{id}$. Let $b \in P$ and set $B = (\gamma \circ \mu^a \circ \gamma)(b)$. Left admissibility means that $B$ satisfies the expression $\mu(a, x) \le b$. Similarly, set $C = (\gamma \circ \mu_a \circ \gamma)(b)$. Right admissibility means that $C$ satisfies $\mu(x, a) \le b$. When $\mu$ is commutative, we of course have $B = C$. We will soon show a surprising fact: the axioms of a preordered heap are sufficient to guarantee that $B$ and $C$ are in fact the largest solutions to both expressions, i.e., $B$ and $C$ are the quotients for left and right source multiplication, respectively. We show this immediately after introducing an important binary operation called target multiplication, but first we consider an example.

Example.
Consider a Boolean lattice $B$. The lattice is clearly a preorder. Take the involution to be the negation operator. This is an antitone operator and satisfies A1: $\neg\neg b = b$ for all $b \in B$. Take source multiplication to be the meet of the lattice (i.e., logical AND). This operation is monotonic in the preorder. Since this source multiplication is commutative, the admissibility conditions reduce to checking (1). For $a, b \in B$, we have $(\mu_a \circ \gamma)^2 b = a \wedge \neg(a \wedge \neg b) = a \wedge (\neg a \vee b) = a \wedge b \le b$. Thus, the Boolean lattice satisfies the admissibility conditions, making it a preordered heap.

For the rest of this section, let $(P, \le, \mu, \gamma)$ be a preordered heap. We define the target multiplication $\tau : P \times P \to P$ as $\tau = \gamma \circ \mu \circ (\gamma \times \gamma)$. Since $\gamma \circ \gamma = \mathrm{id}$ (axiom A1), we can also write $\mu = \gamma \circ \tau \circ (\gamma \times \gamma)$, i.e., the square formed by $\gamma \times \gamma : P \times P \to P \times P$, the two maps $\mu, \tau : P \times P \to P$, and $\gamma : P \to P$ commutes. We could have defined a preordered heap in terms of target multiplication instead of source multiplication. The two operations are closely linked. In fact, we will see in the next section that these operations form an adjoint pair.

Example.
We showed that Boolean lattices are preordered heaps. For $B$ a Boolean lattice and $a, b \in B$, we have $\tau(a, b) = \gamma \circ \mu(\gamma a, \gamma b) = \neg(\neg a \wedge \neg b) = a \vee b$. This suggests that the relation between source and target multiplications is a generalization of De Morgan's identities for Boolean algebras.

We will use the following identities: for $a \in P$,

$\mu_a = \gamma \circ \tau \circ (\gamma \times \gamma) \circ (a \times \mathrm{id}) = \gamma \circ \tau \circ (\gamma a \times \mathrm{id}) \circ \gamma = \gamma \circ \tau_{\gamma a} \circ \gamma$ and
$\mu^a = \gamma \circ \tau \circ (\gamma \times \gamma) \circ (\mathrm{id} \times a) = \gamma \circ \tau \circ (\mathrm{id} \times \gamma a) \circ \gamma = \gamma \circ \tau^{\gamma a} \circ \gamma.$ (2)

For $a, b \in P$, we are interested in the conditions under which we can find the largest $x \in P$ such that $\mu(a, x) \le b$. The following theorem says that source multiplication in a preordered heap is "invertible."

Theorem 2.2.
Let $(P, \le, \mu, \gamma)$ be a preordered heap and let $\tau$ be its target multiplication. Then for $a \in P$, $(\mu_a, \tau^{\gamma a})$ and $(\mu^a, \tau_{\gamma a})$ are adjoint pairs.

Proof. Let $b, c \in P$ with $b \le \tau^{\gamma a}(c)$. We have $\mu_a(b) \le (\mu_a \circ \tau^{\gamma a})(c) = (\mu_a \circ \gamma \circ \mu^a \circ \gamma)(c) \le c$, by left admissibility (by A2a).

Conversely, assume that $\mu_a(b) \le c$. Then
$(\mu_a \circ \gamma)(\gamma b) \le c$ (by A1)
$\gamma \circ (\mu_a \circ \gamma)(\gamma b) \ge \gamma(c)$
$(\mu^a \circ \gamma) \circ (\mu_a \circ \gamma)(\gamma b) \ge (\mu^a \circ \gamma)(c)$
$\gamma b \ge (\mu^a \circ \gamma)(c)$ (by A2b)
$b \le (\gamma \circ \mu^a \circ \gamma)(c) = \tau^{\gamma a}(c).$ (by A1)
The adjointness of $(\mu^a, \tau_{\gamma a})$ follows from a similar reasoning.

The fact that $(\mu_a, \tau^{\gamma a})$ is an adjoint pair means that left source multiplication by $a$ is "inverted" by right target multiplication by $\gamma a$, i.e., $\mu(a, x) \le b$ if and only if $x \le \tau(b, \gamma a)$. In other words, the largest solution of $\mu(a, x) \le b$ is $x = \tau(b, \gamma a)$. Using the familiar multiplicative notation for source multiplication, and $(\cdot)/a = \tau^{\gamma a}$ for "right division by $a$," we have shown that the largest solution of $ax \le b$ is $x = b/a$. Calling $a \backslash (\cdot) = \tau_{\gamma a}$ "left division by $a$," we have shown that the largest solution of $xa \le b$ is $x = a \backslash b$. These two divisions are related as follows:

Corollary 2.3 (Isolating the unknown). Let $P$ be a preordered heap and $a, x, y \in P$. Then $y \le a/x$ if and only if $x \le y \backslash a$.
Proof.
By two applications of Theorem 2.2, we obtain $y \le a/x = \tau^{\gamma x}(a) \Leftrightarrow \mu(x, y) \le a \Leftrightarrow x \le \tau_{\gamma y}(a) = y \backslash a$.

Theorem 2.2 is our main result. It shows that preordered heaps have sufficient structure for the computation of quotients. When we prove that a structure is a preordered heap, this theorem immediately yields the existence of an adjoint for multiplication, and its closed form.

In general, to show that a theory is a preordered heap, we must identify its involution and source multiplication. Then we have to verify the admissibility conditions. How difficult is that? Our original problem was identifying the largest $x$ satisfying $\mu(a, x) \le b$ for some notion of multiplication $\mu$, involution $\gamma$, and preorder $\le$. As we discussed, left admissibility requires that $\tau^{\gamma a} b$ satisfies the inequality $\mu(a, x) \le b$, and right admissibility requires that $\tau_{\gamma a} b$ satisfies $\mu(x, a) \le b$. What the theorem tells us is that they are the largest solutions to $\mu(a, x) \le b$ and $\mu(x, a) \le b$, respectively. In other words, the theorem saves us the effort of making an argument for the optimality of the solutions.

Theorem 2.2 also suggests the following observation. For a given $a \in P$, we have adjoint pairs $(\mu_a, \tau^{\gamma a})$ and $(\mu^a, \tau_{\gamma a})$. As we noticed, this means we can find the largest $x$ such that $\mu(a, x) \le b$ or $\mu(x, a) \le b$. But it also means that we can find the smallest $x$ such that $b \le \tau(a, x)$ or $b \le \tau(x, a)$. This is because $\mu^{\gamma a}$ is the left adjoint of $\tau_a$, and $\mu_{\gamma a}$ is the left adjoint of $\tau^a$. For all examples we will discuss, source multiplication plays the role of the usual composition operation of the theory. But preordered heaps make it clear that $\mu$ and $\tau$ are closely related operations. In fact, preordered heaps generalize De Morgan's identities (see section 2.2).
Thus, while inequalities of the form $\mu(a, x) \le b$ are more common in the literature, preordered heaps indicate that we can also solve inequalities of the form $b \le \tau(a, x)$. As we will see, for some theories there is a clear understanding of how target multiplication can be used, but for others its use is unknown.

Example.
In the case of a Boolean lattice $B$, what is the quotient? We showed in previous examples that $B$ is a preordered heap, and we identified its target multiplication. For $a, b \in B$, we can write an expression of the form $\mu(a, x) \le b$. By Theorem 2.2, we know the largest $x$ that satisfies this expression is $\tau^{\gamma a} b = \tau(b, \neg a) = b \vee \neg a$, i.e., the quotient is the implication $a \to b$.

In the definition of a preordered heap, we did not assume that source multiplication has an identity. Here we consider briefly what happens when it does. Multiplicative identities are common, and in fact, there exists a multiplicative identity in all compositional theories we know.

Suppose $P$ is a preordered heap and $e \in P$ is a left identity for source multiplication, i.e., $\mu_e \simeq \mathrm{id}$. By Theorem 2.2, $(\mathrm{id}, \tau^{\gamma e})$ is an adjoint pair. The right adjoint of $\mathrm{id}$ is $\mathrm{id}$. Since adjoints are unique up to isomorphism, $\tau^{\gamma e} \simeq \mathrm{id}$. This means that $\gamma e$ is a right identity element for $\tau$. Moreover, in view of (2), $\tau_{\gamma e} = \gamma \circ \mu_e \circ \gamma \simeq \mathrm{id}$. By Theorem 2.2, $(\mu^e, \tau_{\gamma e}) = (\mu^e, \mathrm{id})$ is an adjoint pair. By the same reasoning just followed, we must have $\mu^e \simeq \mathrm{id}$. We record this result:

Corollary 2.4.
Let $(P, \le, \mu, \gamma)$ be a preordered heap. If $e \in P$ is a left (or right) identity for source multiplication, it is a double-sided identity for source multiplication, and $\gamma e$ is a double-sided identity for target multiplication. Analogously, if $e \in P$ is a left (or right) identity for target multiplication, it is a double-sided identity for target multiplication, and $\gamma e$ is a double-sided identity for source multiplication.

Example.
Let $B$ be a Boolean lattice. The top element of the lattice, usually denoted 1, is an identity for source multiplication: $1 \wedge a = a$ for all $a \in B$. The previous corollary tells us that $\neg =$

3 Applications: AG contracts and interface automata

As described in Section 2, as soon as we verify that a theory is a preordered heap, we know how to compute quotients for that theory. Here we show that assume-guarantee (AG) contracts and interface automata are preordered heaps. In both cases, we first define the algebraic aspects of the theory, and then we proceed to show that it is a preordered heap, which involves verifying the axioms of Definition 2.1. After we do this, we invoke Theorem 2.2 to express its quotient in closed form. The literature for both theories is large, and we only discuss them algebraically. To learn about their uses and the design methodologies based on them, we suggest [5] and [15].
Assume-guarantee contracts are an algebra and a methodology to support compositional system design and analysis. Fix once and for all a set $\mathcal{B}$ whose elements we call behaviors. Subsets of $\mathcal{B}$ are referred to as behavioral properties or trace properties. An AG contract is a pair of properties $C = (A, G)$ satisfying $A \cup G = \mathcal{B}$. Contracts are used as specifications: a component adheres to contract $C$ if it meets the guarantees $G$ when instantiated in an environment that satisfies the assumptions $A$. The specific form of these properties is not our concern now; we are only interested in the algebraic definitions. The algebra of assume-guarantee contracts was introduced by R. Negulescu [32] (there called process spaces) to deal with assume-guarantee reasoning for concurrent programs. The algebra was reintroduced, together with a methodology for system design, by Benveniste et al. [4] to apply assume-guarantee reasoning to the design and analysis of any engineered system. Now we describe the operations of this algebra.

For $C' = (A', G')$ another contract, the partial order of AG contracts, called refinement, is given by $C \le C'$ when $G \subseteq G'$ and $A \supseteq A'$. The involution of AG contracts, called reciprocal, is given by $\gamma C = (G, A)$. This operation is clearly antitone and meets axiom A1. Source multiplication is contract composition: $\mu(C, C') = (A \cap A' \cup \neg(G \cap G'),\ G \cap G')$. This operation yields the tightest contract obeyed by the composition of two design elements, each obeying contracts $C$ and $C'$, respectively. Composition is monotonic in the refinement order of AG contracts.
We need to verify the admissibility conditions. Since source multiplication for AG contracts is commutative, we verify (1):

$(\mu_C \circ \gamma)^2 C' = (\mu_C \circ \gamma)(\mu_C(G', A')) = \mu_C(G \cap A',\ A \cap G' \cup \neg(G \cap A'))$
$= (A \cap G \cap A' \cup \neg G \cup \neg(A \cap G' \cup \neg A'),\ G \cap (A \cap G' \cup \neg A'))$
$= (A \cap A' \cup \neg G \cup \neg A \cap A' \cup \neg G' \cap A',\ G \cap (A \cap G' \cup \neg A'))$
$= (A' \cup \neg G,\ G \cap (A \cap G' \cup \neg A')) \le (A', G') = C',$

where in the last step we used the fact that $\neg A' \subseteq G'$, which follows from $A' \cup G' = \mathcal{B}$. We conclude that AG contracts satisfy the admissibility conditions, and thus have preordered heap structure.

What is target multiplication for AG contracts? From its definition, we have $\tau(C, C') = \gamma \circ \mu \circ (\gamma C, \gamma C') = \gamma \circ \mu((G, A), (G', A')) = (A \cap A',\ G \cap G' \cup \neg(A \cap A'))$. This is an operation on contracts called merging. One of the main objectives of the theory of assume-guarantee contracts is to deal with multiple viewpoints, i.e., a multiplicity of design concerns, each having a contract representing the specification for that concern (e.g., functionality, timing, etc.). In [34], it is argued that the operation of merging is used to bring multiple viewpoint specifications into a single contract object.

Since AG contracts are preordered heaps, we get their quotient formulas from Theorem 2.2. The adjoint of $\mu_{C'}$ is $\tau^{\gamma C'} = \gamma \circ \mu_{C'} \circ \gamma$. Applying this to $C$ yields $\tau^{\gamma C'}(C) = \gamma \circ \mu_{C'}(G, A) = (A \cap G',\ G \cap A' \cup \neg(A \cap G'))$. This closed-form expression for the quotient of AG contracts was first reported in [37].

Also by Theorem 2.2, the left adjoint of merging by a fixed contract $C'$ is the operation $\mu(C, \gamma C') = \mu((A, G), (G', A')) = (A \cap G' \cup \neg(G \cap A'),\ G \cap A')$. This operation was recently introduced under the name of separation in [34].

We show that Interface Automata as introduced in [15] have preordered heap structure.
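Before the treatment of interface automata, the following added example (our own code, not the paper's) checks on finite instances what Sections 2 and 3 derive: the axioms of Definition 2.1, the closed-form quotient $\tau(b, \gamma a)$ of Theorem 2.2 against a brute-force search for the largest solution, and the specific formulas obtained above for Boolean lattices (implication as quotient, disjunction as $\tau$) and AG contracts (the quotient of [37] and merging as $\tau$). Subsets are encoded as bitmasks over a constructed 3-element ground set, and all class and function names are ours.

```python
"""Added example (not code from the paper): brute-force checks of the
preordered-heap axioms (Definition 2.1) and the quotient tau(b, gamma a) of
Theorem 2.2 on Boolean lattices and AG contracts. Encodings/names are ours."""

N_BITS = 3                  # constructed ground set {0, 1, 2}
FULL = (1 << N_BITS) - 1    # bitmask of the whole set (the behavior set for contracts)


def neg(s):
    """Complement of a subset (bitmask) inside the ground set."""
    return FULL & ~s


class Heap:
    """A finite structure (P, <=, mu, gamma) that may or may not be a preordered heap."""

    def __init__(self, elems, le, mu, gamma):
        self.elems, self.le, self.mu, self.gamma = list(elems), le, mu, gamma

    def tau(self, a, b):
        """Target multiplication tau = gamma o mu o (gamma x gamma)."""
        return self.gamma(self.mu(self.gamma(a), self.gamma(b)))

    def violated_axioms(self):
        """Names of the violated axioms; empty iff the structure is a preordered heap."""
        P, le, mu, g = self.elems, self.le, self.mu, self.gamma
        bad = set()
        for a in P:
            if g(g(a)) != a:
                bad.add("A1")
            for b in P:
                if le(a, b) and not le(g(b), g(a)):
                    bad.add("gamma antitone")
                # A2a: mu_a o gamma o mu^a o gamma <= id, applied to b
                if not le(mu(a, g(mu(g(b), a))), b):
                    bad.add("A2a")
                # A2b: mu^a o gamma o mu_a o gamma <= id, applied to b
                if not le(mu(g(mu(a, g(b))), a), b):
                    bad.add("A2b")
                if le(a, b):
                    for c in P:   # monotonicity of mu in each argument
                        if not (le(mu(a, c), mu(b, c)) and le(mu(c, a), mu(c, b))):
                            bad.add("mu monotonic")
        return sorted(bad)

    def quotient(self, a, b):
        """Closed form of Theorem 2.2: the largest x with mu(a, x) <= b is tau(b, gamma a)."""
        return self.tau(b, self.gamma(a))

    def is_largest_solution(self, a, b, q):
        """Brute force: q solves mu(a, x) <= b and every solution x satisfies x <= q."""
        if not self.le(self.mu(a, q), b):
            return False
        return all(self.le(x, q) for x in self.elems if self.le(self.mu(a, x), b))

    def quotient_correct_everywhere(self):
        """Check the closed form against brute force for all a, b in P."""
        return all(self.is_largest_solution(a, b, self.quotient(a, b))
                   for a in self.elems for b in self.elems)


def boolean_lattice():
    """Subsets ordered by inclusion, meet (AND) as mu, complement as gamma."""
    return Heap(range(FULL + 1), lambda a, b: a & ~b == 0, lambda a, b: a & b, neg)


def ag_contracts():
    """Contracts (A, G) with A u G = B; refinement, reciprocal and composition as in Sec. 3."""
    elems = [(A, G) for A in range(FULL + 1) for G in range(FULL + 1) if A | G == FULL]

    def le(c, d):        # (A, G) <= (A', G')  iff  G subset G' and A superset A'
        (A, G), (A2, G2) = c, d
        return G & ~G2 == 0 and A2 & ~A == 0

    def mu(c, d):        # composition: (A n A' u neg(G n G'), G n G')
        (A, G), (A2, G2) = c, d
        return ((A & A2) | neg(G & G2), G & G2)

    return Heap(elems, le, mu, lambda c: (c[1], c[0]))


def ag_quotient_formula(c, d):
    """Paper's closed form for the largest x with mu(C', x) <= C, for C' = c, C = d."""
    (A2, G2), (A, G) = c, d
    return (A & G2, (G & A2) | neg(A & G2))


def ag_merge(c, d):
    """Merging, the target multiplication of AG contracts: (A n A', G n G' u neg(A n A'))."""
    (A, G), (A2, G2) = c, d
    return (A & A2, (G & G2) | neg(A & A2))


def boolean_quotient_is_implication():
    """Quotient b / a equals b or not a, and tau is disjunction (De Morgan)."""
    h = boolean_lattice()
    return all(h.quotient(a, b) == (b | neg(a)) and h.tau(a, b) == (a | b)
               for a in h.elems for b in h.elems)


def ag_quotient_matches_paper():
    """The generic closed form tau(b, gamma a) reproduces the AG quotient and merging."""
    h = ag_contracts()
    return all(h.quotient(c, d) == ag_quotient_formula(c, d) and h.tau(c, d) == ag_merge(c, d)
               for c in h.elems for d in h.elems)


if __name__ == "__main__":
    for name, h in (("Boolean lattice", boolean_lattice()), ("AG contracts", ag_contracts())):
        print(name, "| violated axioms:", h.violated_axioms(),
              "| closed-form quotient is the largest solution:", h.quotient_correct_everywhere())
```

Swapping in a wrong composition (for example dropping the $\neg(G \cap G')$ term) makes `violated_axioms` report the failing admissibility axiom, which is the check Section 3 asks for before invoking Theorem 2.2.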
To achieve this result, we first provide the relevant definitions for interface automata. All definitions match those of [15], except for our definition of alternating simulation for interface automata.

An interface automaton $P = \langle V_P, V_P^{\mathrm{init}}, A_P^I, A_P^O, A_P^H, T_P \rangle$ consists of the following elements:
• $V_P$ is a set of states.
• $V_P^{\mathrm{init}} \subseteq V_P$ is a set of initial states. Following [15], we require that $V_P^{\mathrm{init}}$ contains at most one state.
• $A_P^I$, $A_P^O$, and $A_P^H$ are mutually disjoint sets of input, output, and internal actions. We denote by $A_P = A_P^I \cup A_P^O \cup A_P^H$ the set of all actions.
• $T_P \subseteq V_P \times A_P \times V_P$ is a set of steps.

Following [15], if $a \in A_P^I$ (resp. $a \in A_P^O$, $a \in A_P^H$), then $(v, a, v')$ is called an input (resp. output, internal) step. We denote by $T_P^I$ (resp. $T_P^O$, $T_P^H$) the set of input (resp. output, internal) steps. An action $a \in A_P$ is enabled at a state $v \in V_P$ if there is a step $(v, a, v') \in T_P$ for some $v' \in V_P$. We indicate by $A_P^I(v)$, $A_P^O(v)$, $A_P^H(v)$ the subsets of input, output, and internal actions that are enabled at the state $v$, and we let $A_P(v) = A_P^I(v) \cup A_P^O(v) \cup A_P^H(v)$.

Definition 3.1.
If $P$ and $Q$ are interface automata, let $\mathrm{shared}(P, Q) = (A_P^I \cap A_Q^O) \cup (A_P^O \cap A_Q^I)$. The product $P \otimes Q$ is the interface automaton with the following constituents: $V_{P \otimes Q} = V_P \times V_Q$, $V_{P \otimes Q}^{\mathrm{init}} = V_P^{\mathrm{init}} \times V_Q^{\mathrm{init}}$, $A_{P \otimes Q}^I = (A_P^I \cup A_Q^I) - \mathrm{shared}(P, Q)$, $A_{P \otimes Q}^O = (A_P^O \cup A_Q^O) - \mathrm{shared}(P, Q)$, $A_{P \otimes Q}^H = A_P^H \cup A_Q^H \cup \mathrm{shared}(P, Q) - (A_{P \otimes Q}^I \cup A_{P \otimes Q}^O)$, and

$T_{P \otimes Q} = \{ ((v, u), a, (v', u)) \mid (v, a, v') \in T_P \wedge a \in A_P - A_Q \wedge u \in V_Q \}$
$\cup \{ ((v, u), a, (v, u')) \mid (u, a, u') \in T_Q \wedge a \in A_Q - A_P \wedge v \in V_P \}$
$\cup \{ ((v, u), a, (v', u')) \mid (v, a, v') \in T_P \wedge (u, a, u') \in T_Q \wedge a \in A_P \cap A_Q \}.$

We call illegal those states of the product in which one of the interface automata can take a step through a shared action, but the other can't. These states are removed from the product in the definition of composition of interface automata. Given two composable interface automata $P$ and $Q$, the set $\mathrm{Illegal}(P, Q) \subseteq V_P \times V_Q$ of illegal states of $P \otimes Q$ is given by

$\mathrm{Illegal}(P, Q) = \{ (v, u) \in V_P \times V_Q \mid \exists a \in \mathrm{shared}(P, Q).\ (a \in A_P^O(v) \wedge a \notin A_Q^I(u)) \vee (a \in A_Q^O(u) \wedge a \notin A_P^I(v)) \}.$

An environment for an interface automaton $R$ is an interface automaton $E$ such that $E$ is composable with $R$, $E$ is nonempty, $A_E^I = A_R^O$, and $\mathrm{Illegal}(R, E) = \emptyset$. A legal environment for the pair $(P, Q)$ is an environment for $P \otimes Q$ such that no state in $\mathrm{Illegal}(P, Q) \times V_E$ is reachable in $(P \otimes Q) \otimes E$. We say that a pair $(v, u) \in V_P \times V_Q$ of states is compatible if there is an environment $E$ for $P \otimes Q$ such that no state in $\mathrm{Illegal}(P, Q) \times V_E$ is reachable in $(P \otimes Q) \otimes E$ from the state $\{(v, u)\} \times V_E^{\mathrm{init}}$. Two interface automata $P$ and $Q$ are compatible if the initial state $(v, u) \in V_P^{\mathrm{init}} \times V_Q^{\mathrm{init}}$ is compatible.
We write Cmp ( P , Q ) for theset of compatible states of P ⊗ Q . With these notions, we can define parallel composition for interfaceautomata.I. ´Incer Romeo, L.Mangeruca, T.Villa,and A.Sangiovanni-Vincentelli 225Given two compatible interface automata P and Q , the composition P k Q is an interface automatonwith the same action sets as P ⊗ Q . The states are V P k Q = Cmp ( P , Q ) ; the initial states are V init P k Q = V init P ⊗ Q ∩ Cmp ( P , Q ) ; and the steps are T P k Q = T P ⊗ Q ∩ ( Cmp ( P , Q ) × A P k Q × Cmp ( P , Q )) .Let v ∈ V P , the set IntReach P ( v ) is the smallest set U ⊆ V P such that v ∈ U and if u ∈ U and ( u , a , u ′ ) ∈ T HP , then u ′ ∈ U . Moreover, we let ExtEn OP ( v ) = [ u ∈ IntReach ( v ) A OP ( u ) and ExtEn IP ( v ) = [ u ∈ IntReach ( v ) A IP ( u ) be the sets of externally enabled output and input actions, respectively, at v . And for all externally enabledinput and output actions a ∈ ExtEn IP ( v ) ∪ ExtEn OP ( v ) , we let ExtDest P ( v , a ) = (cid:8) u ′ (cid:12)(cid:12) ∃ ( u , a , u ′ ) ∈ T P . u ∈ IntReach P ( v ) (cid:9) . With these notions, we can define an alternating simulation between interface automata.
Definition 3.2.
Consider two interface automata $P$ and $Q$. A binary relation $\preceq\ \subseteq V_Q \times V_P$ is an alternating simulation from $Q$ to $P$ if for all states $u \in V_Q$ and $v \in V_P$ such that $u \preceq v$, the following conditions hold:
(a) $ExtEn_P^I(v) \subseteq ExtEn_Q^I(u)$, $ExtEn_Q^O(u) \subseteq ExtEn_P^O(v)$.
(b) For all actions $a \in ExtEn_Q^O(u)$ and all states $u' \in ExtDest_Q(u, a)$, there is a state $v' \in ExtDest_P(v, a)$ such that $u' \preceq v'$; and for all actions $a \in ExtEn_P^I(v)$ and all states $v' \in ExtDest_P(v, a)$, there is a state $u' \in ExtDest_Q(u, a)$ such that $u' \preceq v'$.

Now we use the notion of alternating simulation to establish a preorder for interface automata: the interface automaton $Q$ refines the interface automaton $P$, written $Q \preceq P$, if $A_P^I \subseteq A_Q^I$, $A_P^O \supseteq A_Q^O$, and there is an alternating simulation $\preceq$ from $Q$ to $P$, a state $v \in V_P^{init}$, and a state $u \in V_Q^{init}$ such that $u \preceq v$.

Let $P = \langle V_P, V_P^{init}, A_P^I, A_P^O, A_P^H, T_P \rangle$ be an interface automaton. The mirror of $P$, denoted $P^\top$, is given by $P^\top = \langle V_P, V_P^{init}, A_P^O, A_P^I, A_P^H, T_P \rangle$. The mirror operation is clearly an involution, i.e., $(P^\top)^\top = P$. Let the source multiplication $\mu$ be the parallel composition of interface automata, $\gamma$ be the mirror operation, and let the preorder be refinement. We state the main claim of this section:

Proposition 3.3.
A theory of interface automata is a preordered heap.
Since interface automata have preordered heap structure, for given interface automata $P$ and $Q$, Theorem 2.2 enables us to find largest solutions $R$ for equations of the form $\mu(Q, R) \le P$. The quotient for interface automata was first reported in [6]. Now that we know interface automata have preordered heap structure, we can ask: what is target multiplication for interface automata? The operation is given by $\tau(P, Q) = (P^\top \,\|\, Q^\top)^\top$. We propose to call this operation merging, in analogy to the case of AG contracts. Similarly, by Theorem 2.2, merging by fixed $Q$, $\tau_Q$, has a left adjoint given by $\mu_{\gamma Q}(P) = P \,\|\, Q^\top$. For the same reason, we propose to call this binary operation separation. In AG contracts, merging and separation are used to handle multiple viewpoints in a design. To the best of our understanding, the notion of handling multiple design viewpoints has not been discussed for interface automata. Maintaining the analogy to AG contracts, we suspect that merging and separation as defined here provide interface automata with the ability to handle these multiple viewpoints. Exploring this idea is material for future work.

Some theories in computer science require manipulating objects which are not defined over the same domain. For example, consider a language $L$ defined over an alphabet $\Sigma$. Let $\Sigma'$ be another alphabet for which $L'$ is a language. The powerset of a set is a Boolean lattice, so we have two preordered heaps $P_\Sigma = 2^{\Sigma^*}$ and $P_{\Sigma'} = 2^{\Sigma'^*}$ whose source multiplications and involutions are intersection and negation ($*$ is the Kleene star—we will define operations carefully in the section on languages). With the theory of preordered heaps, we know how to solve inequalities for $P_\Sigma$ and for $P_{\Sigma'}$. Suppose we define an operation that allows us to compose $L \in P_\Sigma$ with $L' \in P_{\Sigma'}$. How do we solve inequalities involving $L$ and $L'$ then? These languages belong to different preordered heaps.
It is natural to define such an operation by mapping $L$ and $L'$ to a common preordered heap, which by definition has its own notion of source multiplication. We need a notion of mapping between preordered heaps:

Definition 4.1.
Let $(P, \le, \mu, \gamma)$ and $(P', \le', \mu', \gamma')$ be two preordered heaps. A preordered heap homomorphism $f : P \to P'$ is an order-preserving map which commutes with the source multiplications and involutions, i.e., the diagrams
$$\begin{array}{ccc} P \times P & \xrightarrow{\ f \times f\ } & P' \times P' \\ {\scriptstyle \mu}\downarrow & & \downarrow{\scriptstyle \mu'} \\ P & \xrightarrow{\quad f \quad} & P' \end{array} \qquad\text{and}\qquad \begin{array}{ccc} P & \xrightarrow{\quad f \quad} & P' \\ {\scriptstyle \gamma}\downarrow & & \downarrow{\scriptstyle \gamma'} \\ P & \xrightarrow{\quad f \quad} & P' \end{array}$$
commute (that is, $f \circ \mu = \mu' \circ (f \times f)$ and $f \circ \gamma = \gamma' \circ f$).

Preordered heaps $P_\Sigma$ and $P_{\Sigma'}$ are indexed by alphabets. The common preordered heap where $L$ and $L'$ can be mapped is determined by $\Sigma$ and $\Sigma'$. As we will see in the next section, one option is to say that they generate the alphabet $\Sigma_c = \Sigma \cup \Sigma'$, and we can define maps $\iota : P_\Sigma \to P_{\Sigma_c}$ and $\iota' : P_{\Sigma'} \to P_{\Sigma_c}$ that embed languages over $\Sigma$ and $\Sigma'$ into those defined over $\Sigma_c$. This observation tells us that we can use a structure $S$ in order to index preordered heaps; this structure must have a binary operation defined in it. This operation will fulfill the role of identifying the alphabets where two languages can meet. Call this structure $S$, and let $\cdot$ be its binary operation. If we have two languages defined over the same alphabet, we should not need to move to another alphabet to compute the source multiplication of the two languages; thus, the binary operation of $S$ should be idempotent. We will also require the operation to be commutative, since it makes no difference whether we go to the language generated by $\Sigma$ and $\Sigma'$ or to that generated by $\Sigma'$ and $\Sigma$. A similar reasoning leads us to require associativity. Thus, $S$ is endowed with an associative, commutative, idempotent binary operation, which means it is a semilattice.

We make the choice to interpret it as an upper semilattice because we have the intuition that the language generated by two smaller languages should be larger than either of the two, but this interpretation does not impose any algebraic limitations: an upper semilattice can be turned into a lower semilattice simply by flipping it upside down.

We introduce the notion of a sieved, preordered heap (sieved heap, for short) that allows us to move objects between different domains of definition or different levels of abstraction. A sieved heap is a collection of preordered heaps indexed by an upper semilattice $S$ together with mappings between the preordered heaps. We call these mappings concretizations. An upper semilattice can be interpreted as a partial order: for $a, b \in S$, we say that $a \le ab$. Thus, the shortest definition for a sieved heap is that it is a functor from the preorder category $S$ to $\mathbf{PreHeap}$, the preordered heap category, whose objects are preordered heaps and whose arrows are preordered heap homomorphisms. We will give a longer definition. But first, why the adjective sieved? A sieved heap consists of a collection of preordered heaps and maps between them. We interpret these preordered heaps as structures containing varying amounts of detail about an object. This varying granularity motivated the name. This is the definition of this composite structure:
Definition 4.2.
Let $S$ be a semilattice. Let $\{(P_x, \le_x, \mu_x, \gamma_x)\}_{x \in S}$ be a collection of preordered heaps such that for every $x, y, z \in S$ we have a unique preordered heap homomorphism $\iota : P_x \to P_{xy}$, referred to as a concretization, making the diagram
$$\begin{array}{ccc} P_x & \xrightarrow{\ \iota\ } & P_{xy} \\ & {\scriptstyle \iota''}\searrow & \downarrow{\scriptstyle \iota'} \\ & & P_{xyz} \end{array}$$
commute. We require the concretization $\iota : P_x \to P_x$ to be the identity. Let $P = \bigoplus_{x \in S} P_x$, where $\bigoplus$ stands for disjoint union. We call $(P, \le, \mu, \gamma)$ an $S$-sieved heap, where $\mu : P \times P \to P$ is an operation called source multiplication, and $\gamma : P \to P$ is called involution. Let $a \in P_x$ and $b \in P_y$, and let $\iota_x : P_x \to P_{xy}$ and $\iota_y : P_y \to P_{xy}$ be concretizations. These operations are given by
$$\mu(a, b) = \mu_{xy}(\iota_x(a), \iota_y(b)) \qquad\text{and}\qquad \gamma(a) = \gamma_x(a).$$
Moreover, we say that $a \le b$ if and only if there exist $z \in S$ and concretizations $\iota : P_x \to P_z$ and $\iota' : P_y \to P_z$ such that $\iota(a) \le_z \iota'(b)$, where $\le_z$ is the preorder of $P_z$. Target multiplication $\tau$ for $P$ is defined in a similar way: $\tau(a, b) = \tau_{xy}(\iota_x(a), \iota_y(b))$, where $\tau_{xy}$ is the target multiplication of the preordered heap $P_{xy}$.

Now we show that a sieved heap is itself a preordered heap. To do this, we must show that the relation $\le$ over sieved heaps is a preorder, that source multiplication defined for a sieved heap is monotonic, that its involution is antitone, and that it meets the admissibility conditions. The following statements show that sieved heaps have these properties.

Lemma 4.3.
The relation $\le$ on an $S$-sieved heap $P$ is a preorder.

Proof. Reflexivity. Let $a \in P_x$. Let $\iota$ be the concretization $\iota : P_x \to P_x$. Then $\iota a \le_x \iota a$ because $\le_x$ is a preorder in $P_x$; this means that $a \le a$ in $P$.

Transitivity. Let $b \in P_y$ and $c \in P_z$ and suppose that $a \le b$ and $b \le c$. Then there exist $v, w \in S$ such that $\iota_x a \le_v \iota_y b$ and $\iota'_y b \le_w \iota_z c$, where $\iota_x : P_x \to P_v$, $\iota_y : P_y \to P_v$, $\iota'_y : P_y \to P_w$, $\iota_z : P_z \to P_w$, $\iota_v : P_v \to P_{vw}$, and $\iota_w : P_w \to P_{vw}$ are the relevant concretization maps (the diagrams they form commute per Definition 4.2). We obtain immediately $\iota_v \circ \iota_x a \le_{vw} \iota_v \circ \iota_y b$ and $\iota_w \circ \iota'_y b \le_{vw} \iota_w \circ \iota_z c$. From the diagram, $\iota_v \circ \iota_y = \iota_w \circ \iota'_y$, which means that $\iota_v \circ \iota_x a \le_{vw} \iota_w \circ \iota_z c$, which means that $a \le c$.

Lemma 4.4.
Source multiplication on $P$ is monotonic in both arguments.

Proof.
Let $a, b, c \in P$ with $a \le c$. Suppose that $a \in P_x$, $b \in P_y$, and $c \in P_z$. Since $a \le c$, there exists $u \in S$ such that $\iota_x a \le_u \iota_z c$ for concretizations $\iota_x : P_x \to P_u$ and $\iota_z : P_z \to P_u$. Note that this means there exist $u', u'' \in S$ such that $u = xu'$ and $u = zu''$. But this implies that $uy = xyu'$ and $uy = yzu''$. Thus, there exist concretizations $\iota_{xy} : P_{xy} \to P_{uy}$ and $\iota_{yz} : P_{yz} \to P_{uy}$, and the diagram formed by the concretizations
$$\iota'_y : P_y \to P_{xy},\quad \iota_y : P_y \to P_{uy},\quad \iota''_y : P_y \to P_{yz},\quad \iota'_x : P_x \to P_{xy},\quad \iota_x : P_x \to P_u,\quad \iota_u : P_u \to P_{uy},\quad \iota'_z : P_z \to P_{yz},\quad \iota_z : P_z \to P_u \qquad (3)$$
commutes. Since $a \le c$, we have
$$\mu_{uy}(\iota_u \circ \iota_x a, \iota_y b) \le_{uy} \mu_{uy}(\iota_u \circ \iota_z c, \iota_y b). \qquad (4)$$
By the commutativity of the diagram, $\iota_y = \iota_{xy} \circ \iota'_y = \iota_{yz} \circ \iota''_y$, $\iota_u \circ \iota_x = \iota_{xy} \circ \iota'_x$, and $\iota_u \circ \iota_z = \iota_{yz} \circ \iota'_z$. Using these identities, we can rewrite (4) as
$$\mu_{uy}\left(\iota_{xy} \circ \iota'_x a, \iota_{xy} \circ \iota'_y b\right) \le_{uy} \mu_{uy}\left(\iota_{yz} \circ \iota'_z c, \iota_{yz} \circ \iota''_y b\right),$$
which implies that
$$\iota_{xy} \circ \mu_{xy}\left(\iota'_x a, \iota'_y b\right) \le_{uy} \iota_{yz} \circ \mu_{yz}\left(\iota'_z c, \iota''_y b\right)$$
and thus $\iota_{xy} \circ \mu(a, b) \le_{uy} \iota_{yz} \circ \mu(c, b)$. This shows that $\mu(a, b) \le \mu(c, b)$. Monotonicity in the second argument is proved in the same way.

Theorem 4.5.
An $S$-sieved heap $P$ is a preordered heap.

Proof.
By Lemma 4.3, we know that $(P, \le)$ is a preorder. By Lemma 4.4, we know that source multiplication for $P$ is monotonic. From the definition of involution $\gamma$ for $P$, it is immediate that this operation is antitone and that $\gamma^2 = \mathrm{id}$. We must show the admissibility conditions. Let $a \in P_x$ and $b \in P_y$. Using the notation of (3), we have
$$\mu(a, \gamma \circ \mu(\gamma b, a)) = \mu(a, \gamma \circ \mu_{xy}(\iota'_y \circ \gamma b, \iota'_x a)) = \mu_{xy}(\iota'_x a, \gamma \circ \mu_{xy}(\gamma \circ \iota'_y b, \iota'_x a)) \le \iota'_y b,$$
where we used the left admissibility of the preordered heap $P_{xy}$. But this means that $\mu(a, \gamma \circ \mu(\gamma b, a)) \le b$. We conclude that $P$ meets the left admissibility condition. Applying the same procedure tells us that $P$ also has right admissibility. Thus, $P$ is a preordered heap.

Now that we know that sieved heaps are preordered heaps, we can compute quotients in these structures. We will now consider the solution of inequalities over languages as an application of sieved heaps.

Language inequalities arise as the formalization of the problem of synthesizing an unknown component in hardware and software systems. In this section, we provide preliminaries on languages and discuss their properties and operations. A fuller treatment of language properties can be found in [42, 40]. Our objective is to show that commonly studied language structures are sieved heaps, which allows us to axiomatically find their quotients per the results of Section 4.
An alphabet is a finite set of symbols. The set of all finite strings over a fixed alphabet $X$ is denoted by $X^\star$; $X^\star$ includes the empty string $\varepsilon$. A subset $L \subseteq X^\star$ is called a language over alphabet $X$. [22] is a standard reference on this subject.

A substitution $f$ is a mapping of an alphabet $\Sigma$ to subsets of $\Delta^\star$ for some alphabet $\Delta$. The substitution $f$ is extended to strings by setting $f(\varepsilon) = \{\varepsilon\}$ and $f(xa) = f(x) f(a)$. The following are well-studied language operations.
• Given a language $L$ over alphabet $X$ and an alphabet $V$, consider the substitution $l : X \to (X \times V)^\star$ defined as $l(x) = \{(x, v) \mid v \in V\}$. Then the language $L \uparrow V = \bigcup_{\alpha \in L} l(\alpha)$ over alphabet $X \times V$ is the lifting of language $L$ to alphabet $V$.
• Given a language $L$ over alphabet $X$ and an alphabet $V$, consider the mapping $e : X \to (X \cup V)^\star$ defined as $e(x) = \{\alpha x \beta \mid \alpha, \beta \in (V - X)^\star\}$. Then the language $L \Uparrow V = \bigcup_{\alpha \in L} e(\alpha)$ over alphabet $X \cup V$ is the expansion of language $L$ to alphabet $V$, i.e., words in $L \Uparrow V$ are obtained from those in $L$ by inserting anywhere in them words from $(V - X)^\star$. Notice that $e$ is not a substitution and that $e(\varepsilon) = \{\alpha \mid \alpha \in V^\star\}$.

The following proposition states that language liftings and expansions meet the properties of concretization maps of a sieved heap. These results will be used in the next section dealing with inequalities over languages.

Proposition 5.1.
Liftings and expansions are order-preserving and commute with intersection and complementation.
Consider two systems $A$ and $B$ with associated languages $L(A)$ and $L(B)$. The systems communicate with each other by a channel $U$ and with the environment by channels $I$ and $O$. The following two well-studied operators describe the external behavior of the composition of $L(A)$ and $L(B)$.

Definition 5.2.
Given the disjoint alphabets $I, U, O$, a language $L$ over $I \times U$, and a language $L'$ over $U \times O$, the synchronous composition of languages $L$ and $L'$ is the language $(L) \uparrow O \cap (L') \uparrow I$, denoted by $L \bullet L'$, defined over $I \times U \times O$.

Definition 5.3.
Given the disjoint alphabets $I, U, O$, a language $L$ over $I \cup U$, and a language $L'$ over $U \cup O$, the parallel composition of languages $L$ and $L'$ is the language $(L) \Uparrow O \cap (L') \Uparrow I$, denoted by $L \diamond L'$, defined over $I \cup U \cup O$.

Example.
Let $L = \{a, aa\}$ be a language over the alphabet $\Sigma = \{a, b\}$, and let $\Sigma' = \{c, d\}$ be another alphabet for which $L' = \{c\}$ is a language. Then $L \bullet L' = \{(a, c)\}$ and $L \diamond L' = \{ac, ca, caa, aca, aac\}$.

Synchronous composition abstracts the parallel execution of modules in lock step, assuming a global clock and instant communication by a broadcasting mechanism, modeling the product semantics common in the hardware community. In asynchronous composition, modules execute independently at different speeds, assuming clocks which progress at arbitrary rates relative to one another, modeling the interleaving semantics common in the software community. A comparison can be found in [26].

Now we show that we can interpret the above products as the source multiplication of a sieved heap. For each product, we first need to identify a suitable indexing semilattice. Then we need to build the appropriate preordered heaps and their maps.

Suppose we have a disjoint family $F = \{\Sigma_i\}_{1 \le i \le n}$ of alphabets for some positive integer $n$, and let $S = 2^F$. Then $S$ is a semilattice under the operation of set union, i.e., if $x, y \in S$, we have $xy = x \cup y$.

Preordered heaps.
For any $x \in S$, let $|x|$ be the cardinality of $x$. There exist natural numbers $k_1, \ldots, k_{|x|}$ such that $x = \{\Sigma_{k_j}\}_{1 \le j \le |x|} \subseteq F$ and $1 \le k_i < k_j \le n$ for $i < j$. We map each $x$ to a preordered heap as follows. We define the alphabet over $x$ as $\alpha(x) = \Sigma_{k_1} \times \cdots \times \Sigma_{k_{|x|}}$, and we set $P_x = 2^{\alpha(x)^*}$. Source multiplication $\mu_x$ for $P_x$ is intersection, and involution $\gamma_x$ is complementation. $(P_x, \le_x, \mu_x, \gamma_x)$ is a Boolean lattice, thus a preordered heap, as shown in Section 2.

Concretizations.
For $x, y \in S$, $P_{xy}$ is clearly a preordered heap because $xy \in S$. We also define the preordered heap $P_{x,y} = 2^{\Sigma_{x,y}^*}$ for $\Sigma_{x,y} = \alpha(x) \times \alpha(y - x)$, with source multiplication equal to set intersection and involution equal to complementation. Note that the only difference between $P_{xy}$ and $P_{x,y}$ is the order in which the alphabets $\Sigma_i$ appear in each: $P_{xy}$ contains all sets of finite strings over the alphabet $\alpha(xy)$, and $P_{x,y}$ contains all sets of finite strings over the alphabet $\alpha(x) \times \alpha(y - x)$. Thus, $P_{xy}$ and $P_{x,y}$ are isomorphic as sets. Let $\beta : P_{x,y} \to P_{xy}$ be this isomorphism, which is easily seen to be a preordered heap isomorphism. This allows us to define the concretization $\iota_x$ as the composite
$$\iota_x = \beta \circ (\cdot) \uparrow \alpha(y - x) : P_x \to P_{x,y} \to P_{xy}.$$
From Proposition 5.1, we know that $(\cdot) \uparrow \alpha(y - x)$ is a preordered heap map. Thus, we have an $S$-sieved heap $\{(P_x, \le_x, \mu_x, \gamma_x)\}_{x \in S}$. Since sieved heaps are preordered heaps (Theorem 4.5), for $A \in P_x$ and $B \in P_y$, an equation of the form $A \bullet z \le B$ has the largest solution $Z \in P_{xy}$ with
$$Z = \neg\left( \neg \beta'\left(B \uparrow \alpha(x - y)\right) \cap \beta''\left(A \uparrow \alpha(y - x)\right) \right),$$
where $\beta' : P_{y,x} \to P_{xy}$ and $\beta'' : P_{x,y} \to P_{xy}$ are extensions of the alphabet permutations to languages, as described above.

Example.
Let $I$, $U$, and $O$ be disjoint alphabets. Then $S$ consists of all subsets of $\{I, O, U\}$. Let $i = \{I\}$, $u = \{U\}$, and $o = \{O\}$. The preordered heap $P_{iu}$ consists of all languages over the alphabet $I \times U$. $P_{uo}$ consists of all languages over $U \times O$. If $L \in P_{iu}$, the concretization $\iota : P_{iu} \to P_{iuo}$ maps $L$ to a language over $I \times U \times O$. Observe that the order in which each alphabet appears is important and set from the beginning; this eliminates any potential ambiguities with the ordering of the alphabets (e.g., is it the alphabet $I \times U$ or $U \times I$?). By definition, this concretization map is $(\cdot) \uparrow O$. In the same way, the concretization $\iota' : P_{uo} \to P_{iuo}$ is $\beta \circ (\cdot) \uparrow I$, where $\beta : P_{uo,i} \to P_{iuo}$ permutes the symbols of the language so that they appear in the order $(a, b, c)$ with $a \in I$, $b \in U$, and $c \in O$. Thus, source multiplication is $\mu(L, L') = L \uparrow O \cap \beta(L' \uparrow I)$, which is the synchronous product.

Now we form a semilattice $S$ whose elements are abstract sets and whose operation is set union. Let $x \in S$, and define $P_x = 2^{x^*}$. For $y \in S$, the concretization $\iota : P_x \to P_{xy}$ is $\iota = (\cdot) \Uparrow (y - x)$. Proposition 5.1 shows that $\iota$ is a preordered heap map. Thus, we have a sieved heap $\{(P_x, \le_x, \mu_x, \gamma_x)\}_{x \in S}$.

Since sieved heaps are preordered heaps (Theorem 4.5), we are in a position to solve language equations under asynchronous composition. Let $x, y \in S$, $A \in P_x$ and $B \in P_y$. The largest solution to the equation $A \diamond z \le B$ is $Z \in P_{xy}$ with
$$Z = \neg\left( \neg B \Uparrow (x - y) \cap A \Uparrow (y - x) \right).$$

Example.
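As an added illustration (not code from the paper), the following Python computes the synchronous and asynchronous compositions of Definitions 5.2 and 5.3 on the paper's example ($L = \{a, aa\}$ over $\{a, b\}$, $L' = \{c\}$ over $\{c, d\}$) and the closed-form asynchronous quotient $Z = \neg(\neg B \Uparrow (x - y) \cap A \Uparrow (y - x))$, then checks that $Z$ is a solution and that nothing outside it is. Languages are represented as finite sets of strings up to a length bound (an assumption of this example, not of the paper), which is exact for words up to that length because membership of a word in an expansion, intersection or complement depends only on words no longer than it.

```python
from itertools import product

# Constructed data, following the paper's example: L = {a, aa} over Sigma = {a, b}
# and L' = {c} over Sigma' = {c, d}.
SIGMA = frozenset("ab")
SIGMA_P = frozenset("cd")
L = {"a", "aa"}
L_P = {"c"}


def universe(alphabet, maxlen):
    """All strings of length <= maxlen over `alphabet` (epsilon included)."""
    return {"".join(t) for n in range(maxlen + 1)
            for t in product(sorted(alphabet), repeat=n)}


def project(word, alphabet):
    """Erase every symbol outside `alphabet`; undoes the insertions of an expansion."""
    return "".join(ch for ch in word if ch in alphabet)


def expand(lang, x, v, maxlen):
    """L⇑V for L over X: words of L with words over V - X inserted anywhere.

    Only strings of length <= maxlen are produced.  A string over X ∪ V lies in
    L⇑V exactly when erasing its (V - X)-symbols leaves a word of L.
    """
    return {w for w in universe(x | v, maxlen) if project(w, x) in lang}


def par_compose(lang, x, lang_p, x_p, maxlen):
    """Asynchronous composition L ⋄ L' = L⇑X' ∩ L'⇑X (Definition 5.3), bounded."""
    return expand(lang, x, x_p, maxlen) & expand(lang_p, x_p, x, maxlen)


def lift(lang, v):
    """L↑V: each symbol s of a word becomes a pair (s, v), for every choice of v in V.

    Words are returned as tuples of pairs; lifting preserves length, so no bound
    is needed when L is finite.
    """
    vs = sorted(v)
    return {tuple(zip(w, choice)) for w in lang
            for choice in product(vs, repeat=len(w))}


def sync_compose(lang, lang_p, x, x_p):
    """Synchronous composition L • L' = L↑X' ∩ β(L'↑X) (Definition 5.2).

    β swaps each pair so that both operands are languages over X × X'.
    """
    swapped = {tuple((b, a) for a, b in w) for w in lift(lang_p, x)}
    return lift(lang, x_p) & swapped


def async_quotient(a, x, b, y, maxlen):
    """Largest Z over x ∪ y with A ⋄ Z ≤ B:  Z = ¬(¬B⇑(x−y) ∩ A⇑(y−x)).

    The complement is taken inside the bounded universe.  Whether a word of
    length n belongs to an expansion, an intersection or a complement depends
    only on words of length <= n, so the result is exactly the set of words of
    the true quotient with length <= maxlen.
    """
    u = universe(x | y, maxlen)
    a_exp = expand(a, x, y, maxlen)
    b_exp = expand(b, y, x, maxlen)
    return u - ((u - b_exp) & a_exp)


def is_solution(a, x, z, b, y, maxlen):
    """Does A ⋄ Z ≤ B hold, i.e. A⇑(y−x) ∩ Z ⊆ B⇑(x−y), on the bounded universe?"""
    return (expand(a, x, y, maxlen) & z) <= expand(b, y, x, maxlen)


if __name__ == "__main__":
    print("L ⋄ L' =", sorted(par_compose(L, SIGMA, L_P, SIGMA_P, 4)))
    print("L • L' =", sorted(sync_compose(L, L_P, SIGMA, SIGMA_P)))
    # Use B = L ⋄ L' as the specification and ask for the largest Z with L ⋄ Z ≤ B.
    b = par_compose(L, SIGMA, L_P, SIGMA_P, 4)
    z = async_quotient(L, SIGMA, b, SIGMA | SIGMA_P, 4)
    print("quotient contains the concretization of L':",
          expand(L_P, SIGMA_P, SIGMA, 4) <= z)
    print("quotient is a solution:", is_solution(L, SIGMA, z, b, SIGMA | SIGMA_P, 4))
```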
As before, let $I$, $U$, and $O$ be disjoint alphabets, and let $I, U, O \in S$, where $S$ is a semilattice with the operation of set union. The preordered heap $P_{IU}$ consists of all languages over $I \cup U$. Similarly, the preordered heap $P_{UO}$ consists of all languages over $U \cup O$. The embedding $\iota : P_{IU} \to P_{IUO}$ is simply $(\cdot) \Uparrow O$, and the embedding $\iota' : P_{UO} \to P_{IUO}$ is $(\cdot) \Uparrow I$. Thus, for $L \in P_{IU}$ and $L' \in P_{UO}$, source multiplication is $\mu(L, L') = L \Uparrow O \cap L' \Uparrow I$, which is the asynchronous product.

The comparison of the closed-form computation of quotients ranging from language equations to AG contracts suggested a new algebraic structure, called preordered heap, endowed with the axioms of preorders, together with a monotonic multiplication and an involution. We showed that an admissibility condition allows one to solve equations over preordered heaps, and we gave the closed form of the solution. We showed that various theories qualify as preordered heaps and therefore admit such explicit solutions. In particular, we showed that the conditions for being preordered heaps hold for Boolean lattices, assume-guarantee contracts, and interface automata: in all cases we were able to derive axiomatically the quotients, which had previously been obtained by specific analysis of each theory. Finally, we defined equations over sieved heaps to handle components defined over multiple alphabets, and rederived as special cases the solution of language equations known in the literature.
Acknowledgements
We are grateful for the comments of our anonymous reviewers. This work was supported in part by NSF Contract CPS Medium 1739816; MIUR, Project “Italian Outstanding Departments, 2018-2022”; INDAM, GNCS 2020, “Strategic Reasoning and Automated Synthesis of Multi-Agent Systems”; University of Verona, Cooperint 2019, Program for Visiting Researchers.
References
[1] A. Aziz, F. Balarin, R.K. Brayton & A. L. Sangiovanni-Vincentelli (2000): Sequential synthesis using S1S. IEEE Transactions on Computer-Aided Design 19(10), pp. 1149–1162, doi:10.1109/43.875301.
[2] G. Barrett & S. Lafortune (1998): Bisimulation, the Supervisory Control Problem and Strong Model Matching for Finite State Machines. Discrete Event Dynamic Systems: Theory & Applications 8(4), pp. 377–429, doi:10.1023/A:1008301317459.
[3] Nikola Beneš, Benoît Delahaye, Uli Fahrenberg, Jan Křetínský & Axel Legay (2013): Hennessy-Milner Logic with Greatest Fixed Points as a Complete Behavioural Specification Theory. In Pedro R. D'Argenio & Hernán Melgratti, editors: CONCUR 2013 – Concurrency Theory, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 76–90, doi:10.1007/978-3-642-40184-8_7.
[4] A. Benveniste, B. Caillaud, A. Ferrari, L. Mangeruca, R. Passerone & C. Sofronis (2007): Multiple Viewpoint Contract-Based Specification and Design. In Frank S. de Boer, Marcello M. Bonsangue, Susanne Graf & Willem-Paul de Roever, editors: Formal Methods for Components and Objects, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 200–225, doi:10.1007/978-3-540-92188-2_9.
[5] A. Benveniste, B. Caillaud, D. Nickovic, R. Passerone, J.-B. Raclet, P. Reinkemeier, A. L. Sangiovanni-Vincentelli, W. Damm, T. A. Henzinger & K. G. Larsen (2018): Contracts for System Design. Foundations and Trends® in Electronic Design Automation 12(2-3), pp. 124–400, doi:10.1561/1000000053.
[6] P. Bhaduri & S. Ramesh (2008): Interface synthesis and protocol conversion. Formal Asp. Comput. 20(2), pp. 205–224, doi:10.1007/s00165-007-0045-4.
[7] G. Bochmann (2013): Using logic to solve the submodule construction problem. Discrete Event Dynamic Systems 23(1), pp. 27–59, doi:10.1007/s10626-011-0127-6.
[8] Patricia Bouyer, Franck Cassez & François Laroussinie (2011): Timed Modal Logics for Real-Time Systems - Specification, Verification and Control. Journal of Logic, Language and Information 20(2), pp. 169–203, doi:10.1007/s10849-010-9127-4.
[9] J.R. Burch, D. Dill, E. Wolf & G. DeMicheli (1993): Modelling hierarchical combinational circuits. In: The Proceedings of the International Conference on Computer-Aided Design, pp. 612–617, doi:10.1109/ICCAD.1993.580149.
[10] Franck Cassez & François Laroussinie (2000): Model-Checking for Hybrid Systems by Quotienting and Constraints Solving. In E. Allen Emerson & Aravinda Prasad Sistla, editors: Computer Aided Verification, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 373–388, doi:10.1007/10722167_29.
[11] G. Castagnetti, M. Piccolo, T. Villa, N. Yevtushenko, R. K. Brayton & A. Mishchenko (2015): Automated Synthesis of Protocol Converters with BALM-II. In D. Bianculli, R. Calinescu & B. Rumpe, editors: Software Engineering and Formal Methods. SEFM 2015 Collocated Workshops: ATSE, HOFM, MoKMaSD, and VERY*SCART. York, UK, September 7-8, 2015, pp. 281–296, doi:10.1007/978-3-662-49224-6_23.
[12] E. Cerny & M. Marin (1977): An approach to unified methodology of combinational switching circuits. IEEE Transactions on Computers vol. C-26(8), pp. 745–756, doi:10.1109/TC.1977.1674912.
[13] W. Chen, J. Udding & T. Verhoeff (1989): Networks of communicating processes and their (de-)composition. In J.L.A. van de Snepscheut, editor: Mathematics of Program Construction, Lecture Notes in Computer Science 375, Springer Berlin Heidelberg, pp. 174–196, doi:10.1007/3-540-51305-1_10.
[14] L. De Alfaro (2003): Game Models for Open Systems. In N. Dershowitz, editor: Verification: Theory and Practice, Lecture Notes in Computer Science 2772, Springer Verlag, pp. 269–289, doi:10.1007/978-3-540-39910-0_12.
[15] L. De Alfaro & T. A. Henzinger (2001): Interface Automata. SIGSOFT Softw. Eng. Notes 26(5), pp. 109–120, doi:10.1145/503209.503226.
[16] M. D. Di Benedetto, A. Sangiovanni-Vincentelli & T. Villa (2001): Model Matching for Finite State Machines. IEEE Transactions on Automatic Control 46(11), pp. 1726–1743, doi:10.1109/9.964683.
[17] M. Fujita, Y. Matsunaga & M. Ciesielski (2001): Multi-Level Logic Optimization. In R. Brayton, S. Hassoun & T. Sasao, editors: Logic Synthesis and Verification, Kluwer, pp. 29–63, doi:10.1007/978-1-4615-0817-5_2.
[18] P. Green (1986): Protocol Conversion. IEEE Transactions on Communications 34(3), pp. 257–268, doi:10.1109/32.4655.
[19] E. Haghverdi & H. Ural (1999): Submodule construction from concurrent system specifications. Information and Software Technology 41(8), pp. 499–506, doi:10.1016/S0950-5849(99)00014-2.
[20] H. Hallal, R. Negulescu & A. Petrenko (2000): Design of divergence-free protocol converters using supervisory control techniques. In: 7th IEEE International Conference on Electronics, Circuits and Systems, ICECS 2000, 2, pp. 705–708, doi:10.1109/ICECS.2000.912975.
[21] S. Hassoun & T. Villa (2001): Optimization of Synchronous Circuits. In R. Brayton, S. Hassoun & T. Sasao, editors: Logic Synthesis and Verification, Kluwer, pp. 225–253, doi:10.1007/978-1-4615-0817-5_2.
[22] J.E. Hopcroft, R. Motwani & J.D. Ullman (2001): Introduction to Automata Theory, Languages, and Computation. Addison-Wesley Publishing Company, doi:10.1145/568438.568455.
[23] T. Kam, T. Villa, R. K. Brayton & A. L. Sangiovanni-Vincentelli (1997): Synthesis of FSMs: Functional Optimization. Kluwer Academic Publishers, Boston, doi:10.1007/978-1-4757-2622-0.
[24] J. Kim & M.M. Newborn (1972): The simplification of sequential machines with input restrictions. IRE Transactions on Electronic Computers, pp. 1440–1443, doi:10.1109/T-C.1972.223521.
[25] R. Kumar, S. Nelvagal & S.I. Marcus (1997): A discrete event systems approach for protocol conversion. Discrete Event Dynamic Systems: Theory & Applications 7(3), pp. 295–315, doi:10.1023/A:1008258331497.
[26] R.P. Kurshan, M. Merritt, A. Orda & S.R. Sachs (1999): Modelling asynchrony with a synchronous model. Formal Methods in System Design vol. 15(no. 3), pp. 175–199, doi:10.1007/3-540-60045-0_61.
[27] S. S. Lam (1988): Protocol Conversion. IEEE Trans. Softw. Eng. 14(3), pp. 353–362, doi:10.1109/32.4655.
[28] K.G. Larsen & L. Xinxin (1990): Equation solving using modal transition systems. In: Logic in Computer Science, 1990. LICS '90, Proceedings., Fifth Annual IEEE Symposium on, pp. 108–117, doi:10.1109/LICS.1990.113738.
[29] N. Lynch & M. Tuttle (1989): An introduction to Input/Output automata. CWI-Quarterly 2(3), pp. 219–246, doi:10.1.1.83.7751.
[30] W.C. Mallon, J.T. Tijmen & T. Verhoeff (1999): Analysis and Applications of the XDI Model. In: International Symposium on Advanced Research in Asynchronous Circuits and Systems, pp. 231–242, doi:10.1109/ASYNC.1999.761537.
[31] P. Merlin & G. v. Bochmann (1983): On the Construction of Submodule Specifications and Communication Protocols. ACM Transactions on Programming Languages and Systems 5(1), pp. 1–25, doi:10.1145/357195.357196.
[32] R. Negulescu (2000): Process spaces. In C. Palamidessi, editor: Proceedings of CONCUR 2000, 11th International Conference on Concurrency Theory, LNCS 1877, Springer-Verlag, pp. 199–213, doi:10.1007/3-540-44618-4_16.
[33] R. Passerone, L. De Alfaro, T. A. Henzinger & A. L. Sangiovanni-Vincentelli (2002): Convertibility verification and converter synthesis: two faces of the same coin. In Lawrence T. Pileggi & Andreas Kuehlmann, editors: ICCAD, ACM, pp. 132–139. Available at http://doi.acm.org/10.1145/774572.774592.
[34] R. Passerone, Í. Íncer Romeo & A. L. Sangiovanni-Vincentelli (2019): Coherent Extension, Composition, and Merging Operators in Contract Models for System Design. ACM Trans. Embed. Comput. Syst. 18(5s), doi:10.1145/3358216.
[35] R. Passerone, J. A. Rowson & A. L. Sangiovanni-Vincentelli (1998): Automatic Synthesis of Interfaces Between Incompatible Protocols. In: DAC, pp. 8–13. Available at http://doi.acm.org/10.1145/277044.277047.
[36] J.-B. Raclet, E. Badouel, A. Benveniste, B. Caillaud, A. Legay & R. Passerone (2011): A modal interface theory for component-based design. Fundamenta Informaticae 108(1-2), pp. 119–149, doi:10.3233/FI-2011-416.
[37] Í. Íncer Romeo, A. L. Sangiovanni-Vincentelli, C.-W. Lin & E. Kang (2018): Quotient for Assume-Guarantee Contracts. In: 16th ACM-IEEE International Conference on Formal Methods and Models for System Design, MEMOCODE '18, p. 6777, doi:10.1109/MEMCOD.2018.8556872.
[38] E. Sentovich & D. Brand (2001): Flexibility in Logic. In R. Brayton, S. Hassoun & T. Sasao, editors: Logic Synthesis and Verification, Kluwer, pp. 65–88, doi:10.1007/978-1-4615-0817-5_2.
[39] T. Villa, A. Petrenko, N. Yevtushenko, A. Mishchenko & R. K. Brayton (2015): Component-Based Design by Solving Language Equations. Proceedings of the IEEE 103(11), pp. 2152–2167, doi:10.1109/JPROC.2015.2450937.
[40] T. Villa, N. Yevtushenko, R. K. Brayton, A. Mishchenko, A. Petrenko & A. L. Sangiovanni-Vincentelli (2012): The Unknown Component Problem: Theory and Applications. Springer, doi:10.1007/978-0-387-68759-9.
[41] S. Watanabe, K. Seto, Y. Ishikawa, S. Komatsu & M. Fujita (2007): Protocol Transducer Synthesis using Divide and Conquer approach. In: Design Automation Conference, 2007. ASP-DAC '07. Asia and South Pacific, pp. 280–285, doi:10.1109/ASPDAC.2007.357999.
[42] N. Yevtushenko, T. Villa, R. K. Brayton, A. Mishchenko & A. L. Sangiovanni-Vincentelli (2004):