Towards Compositional Feedback in Non-Deterministic and Non-Input-Receptive Systems
TTowards Compositional Feedback in Non-Deterministic andNon-Input-Receptive Systems ∗ Viorel Preoteasa and Stavros Tripakis , Aalto University and University of California, Berkeley
November 5, 2018
Abstract
Feedback is an essential composition operator in many classes of reactive and other systems. Thispaper studies feedback in the context of compositional theories with refinement. Such theories allowto reason about systems on a component-by-component basis, and to characterize substitutability as arefinement relation. Although compositional theories of feedback do exist, they are limited either todeterministic systems (functions) or input-receptive systems (total relations). In this work we proposea compositional theory of feedback which applies to non-deterministic and non-input-receptive systems(e.g., partial relations). To achieve this, we use the semantic frameworks of predicate and propertytransformers, and relations with fail and unknown values. We show how to define instantaneous feedbackfor stateless systems and feedback with unit delay for stateful systems. Both operations preserve therefinement relation, and both can be applied to non-deterministic and non-input-receptive systems.
Large and complex systems are best designed using component-based rather than monolithic methodologies.In the component-based paradigm a system is an assembly of interacting components. Each component canitself be a subsystem composed from other components. Arbitrary component hierarchies can be built inthis manner, allowing to decompose a complex system into simpler and further simpler subsystems.Systems constantly evolve, and a key concern in a component-based setting is substitutability : when canwe replace some component A with a new component A (cid:48) ? The issue is property preservation : the replacementmust not result in breaking essential properties of the existing system. Moreover, we would like to avoid asmuch as possible having to re-verify the new system from scratch, since verification is an expensive process.Ideally, a simple check should suffice to guarantee that the new system is correct, assuming that the oldsystem was correct.Compositional theories with refinement provide an elegant framework for reasoning about these problems.In such theories the following notions are central: (a) the notion of component; (b) composition operators,which create new components by composing existing ones; (c) the notion of refinement , which is a binaryrelation between components. Typically two main theorems are provided by such a theory:1. Preservation of refinement by composition , which can be roughly stated as: if A (cid:48) refines A and B (cid:48) refines B , then the composition of A (cid:48) and B (cid:48) refines the composition of A and B .2. Preservation of properties by refinement , which can be roughly stated as: if A (cid:48) refines A and A satisfiesproperty φ , then A (cid:48) also satisfies φ . ∗ This work was partially supported by the Academy of Finland, the U.S. National Science Foundation (awards a r X i v : . [ c s . S E ] A p r BA B A
Figure 1: Composition operators: serial composition (left); parallel composition (middle); feedback compo-sition (right).To see how the above two theorems can be used, consider again the scenario above where A is replaced by A (cid:48) . We can avoid re-verifying the new system by trying instead to show that A (cid:48) refines A . If this is true,then by preservation of refinement by composition it follows that the new system (with A (cid:48) ) refines the oldsystem (with A ). (Here we also implicitly use that refinement is reflexive, which is typically true.) Moreover,by preservation of properties by refinement it follows that if property φ holds in the old system then it willalso hold in the new system. In this way, we can avoid checking φ directly on the new system, which can beexpensive when the system is large. Instead, we must show that A (cid:48) refines A , which is an easier verificationproblem, as it deals with only two components.In this paper we look at components as blocks with inputs and outputs. In such a setting, there are threebasic composition operators (see Figure 1): • Serial composition , where the output of one component is connected to the input of another component. • Parallel composition , where two components are “stacked on top of each other” without any connections,but encapsulated into a single component. • Feedback composition , where the output of a component is connected into one of its inputs.Semantically, we want our components to be able to model systems which are both non-deterministic and non-input-receptive . Non-determinism means that the system may produce more than one output for a giveninput. Non-determinism is well established as a powerful modeling mechanism which allows abstracting fromunnecessary details among other things. Non-input-receptiveness means that the system may declare someinput values to be illegal (always, or at certain times). For example, a component computing the square rootof a real number may declare that negative inputs are illegal. Note that this is different from stating that ifthe input is negative then the output can be arbitrary. The latter corresponds logically to an implication: x ≥ ⇒ y = √ x (here x denotes the input and y the output); whereas the former corresponds to aconjunction: x ≥ ∧ y = √ x . Although less common in the domains of formal methods and verification,non-input-receptive systems are common in programming languages and type theory, where they provide thebasis for type checking. Type checking is a key feature of many languages and can be seen as a “lightweight”verification mechanism as the programmer does not have to provide a formal specification of her program(the program only needs to type check). In our setting, non-input-receptiveness is essential in order to beable to model compatibility of components during composition. For an extensive discussion of this point,see [dA04, TLHL11].In this setting, parallel composition is relatively straightforward to define and can be logically seen astaking the conjunction of the specifications of the two components. Serial composition is a bit trickier andlogically involves ∀ - ∃ quantification, which essentially states that any output of the upstream component is alegal input for the downstream component (i.e., there exists for it an output of the downstream component).This game theoretic semantics is necessary when the components are both non-deterministic and non-input-receptive, while it collapses to the standard semantics (composition of functions or relations, or logicalconjunction) when components are either deterministic or input-receptive [dA04, dAH01, TLHL11]. Bothparallel and serial composition as defined above are compositional in the sense that they preserve refinement.Compositional theories of feedback do exist, but they are limited to either deterministic systems, orto input-receptive systems. To our knowledge, compositional feedback for both non-deterministic and non-input-receptive systems has so far remained elusive. The main difficulty has been to come up with a definition2f feedback which preserves refinement. That is, if A (cid:48) refines A , then κ ( A (cid:48) ) refines κ ( A ) , where κ ( · ) is thefeedback composition operator. An extensive account of some of the difficulties and failed attempts is givenin [TS14], for the framework of relational interfaces [TLHL11].To illustrate some of the earlier problems and how they are handled in the new framework, consider thefollowing example, first given in [DHJP08]. Let A be a component with two input variables u, x , one outputvariable v , and input-output relation true , which means that A accepts any input value, and given an inputvalue, it can return any output (because true is satisfied by any ( u, x, v ) triple). Now let A (cid:48) be anothercomponent with inputs u, x , output v , and relation u (cid:54) = v . This means that A (cid:48) accepts any input ( u, x ) ,and given such u , returns some v different from u . In the relational interface framework (as well as in ourframework), A (cid:48) refines A . This is because A (cid:48) has the same legal inputs as A (in fact, every input is legal forboth) and A (cid:48) is “more deterministic” than A .Now, suppose we apply feedback to both A and A (cid:48) , in particular, we connect output v to input u . Denotethe resulting components by B and B (cid:48) , respectively. Both B and B (cid:48) have a single input, x ( u is no longera free input, since it has been connected to v ). What should the relations of B and B (cid:48) be? Note that wewant B (cid:48) to refine B , otherwise refinement is not preserved by feedback. The straightforward way to definefeedback is to add the constraint u = v , since v is connected to u , essentially becoming the same “wire”.Doing so, we obtain true ∧ u = v , i.e., u = v , as the relation of B , and u (cid:54) = v ∧ u = v , i.e., false , as therelation of B (cid:48) . This is problematic, since false does not refine u = v . Indeed, according to the game-theoreticsemantics, refinement is not implication, because inputs and outputs must be treated differently. In ourexample, any input x is legal for B , whereas no input x is legal for B (cid:48) , which means that B (cid:48) cannot replace B , i.e., does not refine it.In this paper, we attack the problem of feedback afresh. We adopt the frameworks of refinement calculus (RC) [BvW98] and refinement calculus of reactive systems (RCRS) [PT14]. RC is a classic compositionalframework for reasoning about sequential programs, while RCRS is an extension of RC to reason aboutreactive systems. In RC, programs are modeled as (monotonic) predicate transformers , i.e., functions fromsets of post-states to sets of pre-states. In RCRS, systems are modeled as (monotonic) property transformers ,which are functions that transform sets of output infinite sequences into sets of input infinite sequences. Bothpredicate and property transformers are powerful mathematical tools, able to capture both non-deterministicand non-input-receptive systems. In fact, they are more powerful than partial relations, which is the semanticbasis of relational interfaces [TLHL11]. Therefore one can hope that some of the difficulties in obtaining acompositional definition of feedback in the relational framework can be overcome in the refinement calculiframeworks.We first consider stateless systems and instantaneous feedback , i.e., feedback in a single step (Section 5).We model stateless systems using predicate transformers, where instead of a post/pre-state interpretation,we use an output/input interpretation. We often employ strictly conjunctive predicate transformers, whichcorrespond to input-output relations over a domain extended with a special value fail (denoted • ), usedto model illegal inputs (those return • as output). We further extend these relations with an additional unknown value (denoted ⊥ ). The unknown value is used to define feedback by means of a fix-point iteration,starting with unknown and potentially converging to known values. The idea to use unknown values andfix-points comes from methods for dealing with instantaneous feedback in deterministic and input-receptivesystems (i.e., total functions) [Mal94, Ber99, EL03]. In our case systems are non-deterministic and also mayreject some inputs. We therefore need to generalize the fix-point method to relations with fail and unknown.The precise definition is involved (Def. 2), but roughly speaking, for a given input we explore all possiblecomputation paths, including those in which the feedback input stabilizes to a known or unknown value, aswell as those in which either the relation returns • or the path does not stabilize. We can then consider aninput to the post-feedback system as legal if no execution path fails, and those which stabilize reach a knownvalue.This instantaneous feedback operator preserves refinement. In the example discussed above, the newdefinition results in both B and B (cid:48) being the component Fail which rejects all inputs, since the aboveprocedure does not stabilize in neither the case of A nor A (cid:48) . This indicates that the two feedback operationsare illegal, which is similar to discovering an incompatibility during, say, serial composition.3elations with fail and unknown have the same modeling power as strictly conjunctive predicate trans-formers over input/output values with unknowns. We use the two models alternatively, as each is best suitedto obtain certain results. In particular, we define the instantaneus feedback operator using relations withfail and unknowns, but we prove that the operator preserves refinement using their predicate transformerrepresentation.We next turn to the case of stateful systems. Syntactically, we model these as symbolic transition systems ,i.e., relations on input, output, current state, and next state variables. For instance, a simple counter can bemodeled by the relation u (cid:48) = u + 1 , where u denotes the current state and u (cid:48) the next state. Semantically,we use predicate transformers on the same variables [PT14]. We then define feedback with unit-delay for suchpredicate transformers, which corresponds to connecting u (cid:48) to u via a unit-delay component. A unit-delayoutputs at step k its input at the previous step k − . Thus, feedback with unit-delay ensures that the nextstate u (cid:48) becomes the current state in the next step. The feedback with unit-delay operator is defined inSection 7. That definition is aided by iteration operators over property transformers defined in Section 6.Combining the two feedback operators generalizes block-diagram languages like Simulink, which are notable to handle non-deterministic and non-input-receptive components.Our treatment in this paper is mostly semantic. However, following [PT14], we can use syntactic objectssuch as symbolic transition systems to represent predicate and property transformers. For example, theformula u (cid:48) = u + 1 represents a counter, as mentioned above; the formula x ≥ ∧ y = √ x , where x is inputand y is output, represents a relation with fail and also a predicate transformer. We can also use temporal logic (e.g., LTL [Pnu77]) to express properties over infinite sequences of input-output values, including livenessproperties. For example, a system specified by the LTL formula (cid:50) ( x ⇒ (cid:51) y ) ensures that if the input x isinfinitely often true, so will be the output y . Using these representations, most of the constructs presentedin this paper can actually be computed as first-order formulas, or as quantified LTL formulas.All the results presented in this paper have been formalized and proved in the Isabelle theorem prover[NPW02]. The Isabelle code is available from http://rcrs.cs.aalto.fi . Our idea to use relations with an unknown value is inspired from fix-point based methods such as constructivesemantics , which are used to reason about instantaneous feedback in cyclic combinational circuits and syn-chronous languages [Mal94, Ber99, EL03]. These methods deal with monotonic functions over the flat CPOwith unknown as the least element. Because they assume total functions, they are limited to deterministicand input-receptive systems. Refinement is also absent from these frameworks.Fix-point based methods have also been used to reason about non-instantaneous feedback, in systems suchas Kahn Process Networks [Kah74], where processes are modeled as continuous functions on streams. Again,these are total functions, and therefore deterministic and input-receptive. Non-deterministic extensions ofprocess networks exist [Jon94] but they do not include a notion of refinement.Frameworks which allow non-determinism and also include refinement are I/O automata [LT89], reactivemodules [AH99], and Focus [BS01]. All three frameworks assume that components are input-receptive. Notethat in the example given in the introduction, although components A and A (cid:48) are input-receptive, and so is B , B (cid:48) is not. This shows that the straightforward definition of feedback does not preserve input-receptiveness.It is unclear how this example could be handled in the above frameworks.Interface automata [dAH01] allow non-deterministic as well as non-input-receptive specifications. Com-position in this framework is asynchronous parallel composition with input-output label synchronization, andtherefore difficult to directly compare with feedback composition in our framework. Also, interface automataare limited to safety whereas our framework can also express liveness properties.Checking compatibility within the framework of functional programing languages, can be done usingtype-checking as in the Standard ML language [MTH90], or using more advanced techniques as RefinementTypes for ML [FP91], Dependent Types [XP99], and Liquid Types [RKJ08]. These are techniques based onsubtypes and dependent-types that allow checking at compile time of invariants about the computed values ofthe program. These techniques are in general automated, therefore they are applicable only to certain classes4f decidable problems. Our compatibility check for system compositions is more general, and not necessarilydecidable. In our case checking compatibility of system compositions is reduced to checking satisfiability offormulas. If the underlying logic of these formulas is decidable, then we can have an automatic compatibilitytest.In [Mil90] a model for synchronous nondeterministic systems is used for studying preservation of securityproperties by composition of systems, including delayed feedback. However this model does not treat non-input receptive systems. We use higher order logic as implemented by the Isabelle theorem prover. Capital letters
X, Y, . . . denotetypes and small letters denote elements of these types x ∈ X . Bool denotes the type of Boolean values true and false , Nat the natural numbers, and
Real the reals. We use ∧ , ∨ , ⇒ , and ¬ for the Boolean operations.If X and Y are types, then X → Y denotes the type of function from X to Y . For function applicationwe use a dot notation . If f : X → Y is a function, and x ∈ X , then f.x is the function f applied to x .The function type constructor associates to right, and correspondingly the function application associatesto left. That is X → Y → Z is the same as X → ( Y → Z ) and f.x.y is the same as ( f.x ) .y . We alsouse lambda abstraction to construct functions. For example if x + 2 · y ∈ Nat is natural expression, then ( λx, y : x + 2 · y ) : Nat → Nat → Nat is the function that maps x and y into x + 2 · y . We use the notation X × Y for the Cartesian product of X and Y and if x ∈ X and y ∈ Y , then ( x, y ) denotes the pair of x and y from X × Y .Predicates are functions with one or more arguments returning Booleans (e.g., a predicate with twoarguments has signature X → Y → Bool ), and relations are predicates with at least two arguments. Fora relation r : X → Y → Bool we denote by in .r : X → Bool the predicate given by in .r.x = ( ∃ y : r.x.y ) .If r is a relation with more than two arguments, then in .r is defined similarly by quantifying over the lastargument: in .r.x.y.z = ( ∃ u : r.x.y.z.u ) .We extend point-wise all operations on Booleans to operations on predicates and relations. For example if r, r (cid:48) : X → Y → Bool are two relations then r ∧ r (cid:48) and r ∨ r (cid:48) are the relations given by ( r ∧ r (cid:48) ) .x.y = r.x.y ∧ r (cid:48) .x.y and ( r ∨ r (cid:48) ) .x.y = r.x.y ∨ r.x.y , and ( r ≤ r (cid:48) ) = ( ∀ x, y : r.x.y ⇒ r (cid:48) .x.y ) . We use ⊥ and (cid:62) as the smallest andgreatest predicates (relations): ⊥ .x = false and (cid:62) .x = true .For relations r : X → Y → Bool and r (cid:48) : Y → Z → Bool , we denote by r ◦ r (cid:48) the relational composition given by ( r ◦ r (cid:48) ) .x.z = ( ∃ y : r.x.y ∧ r (cid:48) .y.z ) . For a relation r : X → Y → Bool we denote by r − : Y → X → Bool the inverse of r ( r − .y.x ⇔ r.x.y ). A relation r is total (sometimes called left-total ) if for all x there is y such that r.x.y .For reactive systems we need infinite sequences (or traces ) of values. Formally, if X is a type of values,then a trace from X is an element x ∈ X ω = ( Nat → X ) . To make the reading easier, we denote infinitesequences by bold face letters x , y , . . . and values by normal italic small letters x, y, . . . . When, for example,both x and x occur in some formula, we use the convention that the elements of x have the same type as x . For x ∈ X ω , x i = x .i , and x i ∈ X ω is given by x ij = x i .j = x i + j . We consider a pair of traces ( x , y ) asbeing the same as the trace of pairs ( λi : ( x i , y i )) . Linear temporal logic (LTL) [Pnu77] is a logic used for specifying properties of reactive systems. In thispaper we use a semantic (algebraic) version of LTL as in [PT14]. This logic is formalized in Isabelle, andthe details of this formalization are available in [Pre14]. An LTL formula is a predicate on traces and thetemporal operators are functions mapping predicates to predicates. We call predicates over traces (i.e., setsof traces) properties .If p, q ∈ X ω → Bool are properties, then always p , next p , and p until q are also properties and they aredenoted by (cid:50) p , (cid:35) p , and p U q respectively. The property (cid:50) p is true in x if p is true at all time points in5 , (cid:35) p is true in x if p is true at the next time point in x , and p U q is true in x if there is some time in x when q is true, and until then p is true. Formally we have: ( (cid:50) p ) . x = ( ∀ n : p. x n ) , ( (cid:35) p ) . x = p. x ( p U q ) . x = ( ∃ n : ( ∀ i < n : p. x i ) ∧ q. x n ) In addition we define the operator p L q = ¬ ( p U ¬ q ) . Intuitively, p L q holds if, whenever p holds continuouslyup to step n − , then q must hold at step n .If r is a relation on traces we define the temporal operators similarly. For example ( (cid:50) r ) . x . y . z = ( ∀ n : r. x n . y n . z n ) . If r is a relation on values, then we extend it to traces by r. x . y . z = r. x . y . z . In refinement calculus programs are modeled as monotonic predicate transformers [BvW98]. A program S with input type X and output type Y is modeled as a function from ( Y → Bool ) → ( X → Bool ) with aweakest precondition interpretation. If q : Y → Bool is a post-condition (set of final states), then
S.q is the setof all initial states from which the program always terminates and it terminates in a state from q . We modelreactive systems as monotonic property transformers , also with a weakest precondition interpretation [PT14].A reactive system S with input type X and output type Y is formally modeled as a monotonic functionfrom ( Y ω → Bool ) → ( X ω → Bool ) . If q : Y ω → Bool is a post-property (a set of output traces), then
S.q isthe set of input traces for which the execution of S does not fail and it produces an output trace in q . Theremaining of this section applies equally to both monotonic predicate transformers and monotonic propertytransformers, and we will call them simply monotonic transformers.The point-wise extension of the Boolean operations to predicates, and then to monotonic transformersgives us a complete lattice with the operations (cid:118) , (cid:117) , (cid:116) , ⊥ , (cid:62) (observe that (cid:117) and (cid:116) preserve monotonicity).All these lattice operations are also meaningful as operations on programs and reactive systems. The orderof this lattice ( S (cid:118) T ⇔ ( ∀ q : S.q ≤ T.q ) ) is the refinement relation . If S (cid:118) T , then we say that T refines S (or S is refined by T ). If T refines S then T can replace S in any context.The operations (cid:117) and (cid:116) model demonic and angelic non-determinism or choice . The interpretation of (cid:117) is that the system S (cid:117) T is correct (i.e., satisfies its specification) if both S and T are correct. On the otherhand S (cid:116) T is correct if one of S and T are correct. Thus, (cid:117) and (cid:116) represent uncontrollable and controllablenon-determinism, respectively.We denote the bottom and the top of the lattice of monotonic transformers by Fail and
Magic respectively.
Fail is refined by any monotonic transformer and
Magic refines every monotonic transformer.
Fail does notguarantee any property. For any q , Fail .q = ⊥ , i.e., there is no input (sequence) for which Fail will producean output (sequence) from q . On the other hand Magic can establish any property q ( Magic .q = (cid:62) ). Theproblem with Magic is that it cannot be implemented.
Serial composition of two systems modeled as transformers S and T is simply the functional compositionof S and T ( S ◦ T ). For monotonic transformers we denote this composition by S ; T ( ( S ; T ) .q = S. ( T.q ) ).To be able to compose S and T , the type of the output of S must be the same as the type of the input of T .The system Skip defined by ( ∀ q : Skip .q = q ) is the neutral element for serial composition: Skip ; S = S ; Skip = S. We now define two special types of monotonic transformers which will be used to form more generalproperty transformers by composition. For predicate p : X → Bool and relation r : X → Y → Bool we define the assert transformer { p } : ( X → Bool ) → ( X → Bool ) , and the demonic update transformer [ r ] : ( Y → Bool ) → ( X → Bool ) as follows: { p } .q = ( p ∧ q ) , [ r ] .q.x = ( ∀ y : r.x.y ⇒ q.y ) The assert system { p } when executed from a sequence x , behaves as skip when p.x is true, and it failsotherwise. The demonic update statement [ r ] establishes a post condition q when starting in x if all y with r.x.y are in q . If r = ⊥ , then [ r ] = [ ⊥ ] = Magic . 6f R is an expression in x and y , then [ x (cid:59) y | R ] = [ λx, y : R ] . For example if R is z = x + y , then [ x, y (cid:59) z | z = x + y ] = [ λ ( x, y ) , z : z = x + y ] is the system which produces in the output z the value x + y where x and y are the inputs. If e is an expression in x , then [ x (cid:59) e ] = [ x (cid:59) y | y = e ] , where y is a newvariable different of x and which does not occur free in e . For assert statements we introduce similar notation.If P is an expression in x then { x | P } = { λx : P } . If P is x ≤ y , then { x, y | x ≤ y } = { λ ( x, y ) : x ≤ y } .The variables x and y are bounded in [ x (cid:59) y | R ] and { x | P } .The havoc monotonic transformer is the most non-deterministic statement Havoc = [ x (cid:59) y | true ] and itassigns some arbitrary value to the output y .In RCRS we can model (global) specifications of reactive systems, e.g., using LTL as a specificationlanguage, as well as concrete implementations, e.g., using symbolic transition systems (relations on input,output, state, and next-state variables) [PT14]. A global specification may define what the output of asystem is when the input is an entire sequence x . A global specification may also impose conditions on theentire input sequence x , including liveness conditions. For example, the formula (cid:50) (cid:51) x asserts that the input must be true infinitely often. An implementation describes how the system works step-by-step. For instance,an implementation may start with input x and some initial internal state u , compute the output y anda new internal state u , and then use x and u to compute y and u , and so on. Example 1 (System modeling with property and predicate transformers) . We can model a global reactivesystem
Sum that for every input sequence x ∈ Nat ω computes the sequence sum. x ∈ Nat ω , where sum. x .n = x + x + . . . + x n − . We model Sum as a monotonic property transformer:
Sum = [ x (cid:59) sum. x ] We can also model a step of an implementation of
Sum as a predicate transformer:
StepSum = [ u, x (cid:59) u (cid:48) , y | u (cid:48) = u + x ∧ y = u ] (1)The relation u (cid:48) = u + x ∧ y = u describes a symbolic transition system: u is the current state, u (cid:48) the next state, x is the input, and y the output. StepSum works iteratively starting at initial state u , and the first elementof the input x , and assuming that u = 0 , it computes u = u + x = x and y = u = 0 = sum. x . , thenusing u and second element x of x , it computes u = u + x = x + x and y = u = x = sum. x . ,and so on. We will show later in Example 13 how to obtain the Sum property transformer by connecting in
StepSum the output u (cid:48) to the input u in feedback with a unit delay.The assert and demonic choice predicate transformers satisfy the following properties [BvW98]: Theorem 1.
For p, p (cid:48) and r, r (cid:48) of appropriate types we have { p } ; [ r ] ; { p (cid:48) } ; [ r (cid:48) ] = { x | p.x ∧ ∀ y : r.x.y ⇒ p (cid:48) .y } ; [ r ◦ r (cid:48) ] { p } ; [ r ] (cid:118) { p (cid:48) } ; [ r (cid:48) ] ⇔ ( ∀ x : ( p.x ⇒ p (cid:48) .x ) ∧ ( ∀ y : p.x ∧ r (cid:48) .x.y ⇒ r.x.y )) For a monotonic predicate transformer S , the strong and weak iteration of S , denoted S ω and S ∗ , are theleast and greatest fix-points of ( λX : Skip (cid:117) S ; X ) , respectively. These fix-points exist by the Knaster-Tarskifix-point theorem for monotonic functions on complete lattices [Tar55]. When S ∗ is executed, S is repeateda demonically chosen finite number of times. S ω is similar, but if S can be executed indefinitely then S ω fails. S ω can be used to give semantics to the while statement suitable for total correctness reasoning, while S ∗ can be used to give semantics to the while statement suitable for partial correctness reasoning. In thispaper we will use S ∗ to give an alternative definition for the instantaneous feedback operator. For two predicates p and q their product is denoted p × q and is given by ( p × q ) . ( s, s (cid:48) ) = p.s ∧ q.s (cid:48) product (parallel composition) of two monotonic transformers S and T is denoted by S × T and is givenby ( S × T ) .q. ( s, s (cid:48) ) = ( ∃ p, r : p × r ≤ q ∧ S.p.s ∧ T.r.s (cid:48) ) If S = { S i } i ∈ I , is a collection of monotonic transformers, then the fusion of S , denoted Fusion . S , is amonotonic transformer given by Fusion . S .q.s = (cid:0) ∃ p : ( (cid:94) i ∈ I p i ) ≤ q ∧ ( ∀ i : S i .p i .s ) (cid:1) When S contains just two transformers S and T , we write Fusion ( S, T ) instead of Fusion ( { S, T } ) .Note that product and fusion are similar, but not the same. The result of the product A × B is acomponent with separate inputs and outputs for A and B (see Figure 1, parallel composition), whereas theresult of Fusion ( A, B ) is a component with “shared” input and output. Theorem 2.
Fusion and product satisfy the following [BB95] Fusion . ( {{ p i } ; [ r i ] } i ∈ I ) = { (cid:86) i p i ∈ I } ; [ (cid:86) i ∈ I r i ] S (cid:118) S (cid:48) and T (cid:118) T ’ implies S × T (cid:118) S (cid:48) × T (cid:48) ( ∀ i : S i (cid:118) T i ) implies Fusion . S (cid:118)
Fusion . T ( { p } ; [ r ]) × ( { p (cid:48) } ; [ r (cid:48) ]) = { x, y | p.x ∧ p (cid:48) .y } ; [ x, y (cid:59) x (cid:48) , y (cid:48) | r.x.x (cid:48) ∧ r (cid:48) .y.y (cid:48) ] Dijkstra [Dij75] introduced predicate transformers for reasoning about programs. In addition to monotonic-ity, he also required some other properties, like conjunctivity ( S. ( p ∧ q ) = S.p ∧ S.q ), and the law of excludedmiracle ( S. ⊥ = ⊥ ) for his predicate transformers. In this paper we use strictly conjunctive predicate trans-formers. These are the predicate transformers that satisfy a conjunctivity property stronger than the oneused by Dijkstra. A predicate transformer is strictly conjunctive if it commutes with arbitrary non-emptymeets: S. ( (cid:94) i ∈ I q i ) = (cid:94) i ∈ I S.q i for all nonempty I and q : I → Y → Bool .The set of strictly conjunctive predicate transformers are exactly the predicate transformers of the form { p } ; [ r ] , and the set of strictly conjunctive predicate transformers satisfying the law of excluded miracle areexactly the predicate transformers of the form { in .r } ; [ r ] : Theorem 3. [BvW98] A predicate transformers S is strictly conjunctive if and only if there exist a predicate p and a relation r such that S = { p } ; [ r ] S is strictly conjunctive and S satisfies the law of excluded miracle, if and only if there exists a relation r such that S = { in .r } ; [ r ] . For instance, for the predicate transformer
Skip we have
Skip = {(cid:62)} = [ x (cid:59) x ] = {(cid:62)} ; [ x (cid:59) x ] . For the predicate transformers { p } , [ r ] , Fail and
Magic we have: { p } = { p } ; [ x (cid:59) x ] Fail = {⊥} = {⊥} ; [ x (cid:59) x ][ r ] = {(cid:62)} ; [ r ] Magic = [ ⊥ ] = {(cid:62)} ; [ ⊥ ] Skip , { p } and Fail satisfy the law of excludedmiracle. For example we have { p } . ⊥ = p ∧ ⊥ = ⊥ . On the other hand Magic . ⊥ = (cid:62) , so Magic does notsatisfy the law of excluded miracle.Consider also this set of examples: T = [ x (cid:59) y | y = x ] = [ x (cid:59) x ] T = { x ≥ } ; [ x (cid:59) y | y = x ] T = [ x (cid:59) y | x ≥ ∧ y = x ] T = { x ≥ } ; [ x (cid:59) y | x ≥ ∧ y = x ] T = [ x (cid:59) y | x ≥ ⇒ y = x ] T = { x ≥ } ; [ x (cid:59) y | x ≥ ⇒ y = x ] All these transformers are strictly conjunctive. T , T , T and T are all different. T , T and T are all equalbecause the implication ( ∀ x, y : p.x ⇒ r.x.y = r (cid:48) .x.y ) ⇒ { p } ; [ r ] = { p } ; [ r (cid:48) ] is valid (i.e., if for any legal input x the outputs of r and r (cid:48) are the same, then the transformers { p } ; [ r ] and { p } ; [ r ] (cid:48) are the same). All inputs are legal for T , T , and T , but only inputs x ≥ are legal for T .Transformers T , T and T satisfy the law of excluded miracle because, for example in . ( λx, y : x ≥ ⇒ y = x ) = (cid:62) and T = { in . ( λx, y : x ≥ ⇒ y = x ) } ; [ x (cid:59) y | x ≥ ⇒ y = x ] . T does not satisfy the lawof excluded miracle because T . ⊥ .x = ( x < (cid:54) = false . If we run all T , T , T and T on the same input x ≥ , then they all return output y = x . However if we run them on the input x < , then they all behavediferently. T returns output y = x . T behaves magically because the realation x ≥ ∧ y = x is false. T returns some arbitrary y because the relation x ≥ ⇒ y = x is true. T fails for x because x is an illegalinput for T .For strictly conjunctive predicate transformers the weak iteration is equal to an enumerable demonicchoice: Theorem 4. If S is strictly conjunctive then S ∗ = (cid:108) n ∈ Nat S n This theorem gives a simpler definition for the weak iteration S ∗ when S is strictly conjunctive, ascompared to the case when S is just monotonic. This theorem will be used later in Section 5.2 to connect thedefinition of instantaneous feedback on relations to the corresponding definition on predicate transformers. In this section we formally introduce relations with fail and unknown values. As mentioned in the intro-duction, relations with fail and unknown and strictly conjunctive predicate transformers have the sameexpressive power, but each is better suited in defining, explaining, or proving certain results.
First we introduce relations augmented with a special element • which we call “fail”. These relations areequivalent to strictly conjunctive predicate transformers [BvW98]. If in addition these relations are total, thenthey are equivalent to predicate transformers that are strictly conjunctive and satisfy the law of excludedmiracle [BvW98]. Relations with fail are used in the semantics of imperative programming languages tomodel non-termination in the context of non-determinism [Plo76]. In this paper • is used to model non-input-receptive systems: when the output is • , it means that the input is illegal.We assume that • is a new element that does not belong to ordinary types. We define the type A • = A ∪ {•} . An element of x ∈ A • is either • or x ∈ A . An element x ∈ ( A × B ) • is either • or it is a pair ( a, b ) ,with a ∈ A and b ∈ B . A relation with fail from A to B is an element from A • → B • → Bool . We assume9hat relations with fail map • only to • , i.e., R. • . • is true, and R. • .x is false for all x (cid:54) = • . If R is a relationwith fail, and R.x. • , then x is an illegal input for R .To define a relation with fail R , it is enough to define R.x. • for x (cid:54) = • , and to define R.x.y for x (cid:54) = • and y (cid:54) = • , and we assume also R. • . • . Similarly when we state that a relation R has certain properties, we statethese two cases, and in addition we also require R. • . • .The condition that relations with fail map • to • is needed to ensure consistency of the serial compositionof relations with respect to illegal inputs. For example if R and R (cid:48) are relations with fail of appropriatetypes, and x is an illegal input for R , ( R.x. • is true), then x must also be an illegal input for the serialcomposition R ◦ R (cid:48) . This is true because R.x. • and R (cid:48) • . • implies ( R ◦ R (cid:48) ) .x. • . Example 2 (Division) . Div : (
Real ) • → Real • → Bool is a relation with fail modeling division:
Div . ( x, y ) . • = ( y = 0) and Div . ( x, y ) .z = ( y (cid:54) = 0 ∧ z = x/y ) . Because
Div . ( x, . • is true, we have that ( x, is an illegal input for Div , for any x .If x is an illegal input for R , then it is not important if R also maps x to some proper output y ( R.x.y = true , with y (cid:54) = • ). If R (cid:48) is a relation almost identical to R except that R (cid:48) .x.y = false , then weconsider R and R (cid:48) as modeling the same system. We do not restrict relations with fail to relations that mapillegal inputs only to • because we want to model the demonic choice of relations by union. If R and R (cid:48) areof the same type, then R ∨ R (cid:48) models the demonic choice of R and R (cid:48) . If x is illegal for R , then x is illegalalso for R ∨ R (cid:48) , even if x is legal for R (cid:48) .The relation fail is defined by ( ∀ x, y : fail .x.y = ( y = • )) . All inputs are illegal for fail . Similarly topredicate transformers we use the syntax ( x (cid:59) e ) for the relation R that satisfies R. • . • and ( ∀ x (cid:54) = • : R.x.e ) ,where e is an expression containing x .Relations with fail are closed under relation composition (serial composition), and union (demonic choice). Definition 1.
For
R, R (cid:48) : A • → B • → Bool two relations with fail of the same type, we define the refinement R (cid:118) R (cid:48) by ( ∀ x : R.x. • ∨ ( R (cid:48) .x ≤ R.x )) . For a relation R : A • → B • → Bool we introduce its corresponding predicate transformer . We define the precondition of R ( prec .R : A → Bool ), the proper relation of R ( rel .R : A → B → Bool ), and the predicatetransformer ( weakest precondition ) of R ( wp .R : ( B → Bool ) → ( A → Bool ) ) by prec .R.x = ¬ R.x. • rel .R.x.y = ( R.x.y ∧ x (cid:54) = • ∧ y (cid:54) = • ) wp .R = { prec .R } ◦ [ rel .R ] The predicate prec .R.x is true if x is a legal input for R , and rel .R.x.y is true if the system modeled by R produces non-deterministically the output y from input x . wp .R is the predicate transformer correspondingto R , and it has the weakest precondition interpretation as explained in Section 3.2.For the Div relation we have prec . Div . ( x, y ) = ( y (cid:54) = 0) , and rel . Div . ( x, y ) .z = ( y (cid:54) = 0 ∧ z = x/y ) .Next lemma shows that wp maps the operations on relations to the corresponding operations on predicatetransformers. Lemma 1.
The following hold: prec . ( R ∨ R (cid:48) ) = prec .R ∧ prec .R (cid:48) prec . ( R ◦ R (cid:48) ) .x = prec .R.x ∧ ( ∀ y. rel .R.x.y ⇒ prec .R (cid:48) .y ) rel . ( R ∨ R (cid:48) ) = rel .R ∨ rel .R (cid:48) and rel . ( R ◦ R (cid:48) ) = rel .R ◦ rel .R (cid:48) wp . ( R ∨ R (cid:48) ) = wp .R (cid:117) wp .R (cid:48) and wp . ( R ◦ R (cid:48) ) = wp .R ; wp .R (cid:48)
10f we replace the binary unions (respectively, intersections) in the above theorem by arbitrary non-emptyunions (resp., intersections), then the results still hold.For a relation R : A → A → Bool the reflexive and transitive closure of R and the transitive closure of R , denoted R ∗ and R + , are relations from A → A → Bool defined by R ∗ = (cid:95) n : Nat R n R + = (cid:95) Let R, R (cid:48) , U, U (cid:48) be relations with fail of appropriate types, then R (cid:118) R (cid:48) ⇔ wp .R (cid:118) wp .R (cid:48) R (cid:118) R (cid:48) ∧ U (cid:118) U (cid:48) ⇒ R ◦ U (cid:118) R (cid:48) ◦ U (cid:48) and R ∨ U (cid:118) R (cid:48) ∨ U (cid:48) R (cid:118) R (cid:48) ⇒ R ∗ (cid:118) R (cid:48)∗ . We denote by ⊥ a special element called unknown which is not part of ordinary types: Nat , Bool , Real , ....For a set A we define a partial order on A ⊥ = A ∪ {⊥} so that, for a, b ∈ A ⊥ : a ≤ b ⇔ a = ⊥ ∨ a = b This order is the flat complete partial order (flat CPO) [DP02].We extend two partial orders on A and B to a partial order on the Cartesian product A × B by ( a, b ) ≤ ( a (cid:48) , b (cid:48) ) ⇔ a ≤ a (cid:48) ∧ b ≤ b (cid:48) ⊥ is the smallest element of A ⊥ , and for the Cartesian product A = A ⊥ × . . . × A n ⊥ we denote also by ⊥ thetuple ( ⊥ , . . . , ⊥ ) ∈ A . The element ⊥ of A is the smallest element of A with the order extended to Cartesianproduct. For simplicity, we call the Cartesian product of a collection of flat CPOs also a flat CPO.For partial order ( A, ≤ ) , an element m ∈ A is maximal if there is no element in A greater than m : maximal .m = ( ∀ x ∈ A : m (cid:54)≤ x ) The context will distinguish the cases when ⊥ is an element of A ⊥ , or the smallest predicate or relation.However, in all cases ⊥ denotes the smallest element of some partially ordered set. Example 3 (AND gate with unknown) . Consider the function ∧ ⊥ : Bool ⊥ → Bool ⊥ → Bool ⊥ defined inTable 1. It models a logical AND gate which returns false if at least one of its inputs is false, even when theother input is unknown. We will return to this example in Example 8.11 ⊥ ⊥ false true ⊥ ⊥ false ⊥ false false false falsetrue ⊥ false true Table 1: AND gate with unknown xy y = 0 ∧ z = ( x / ⊥ y ) z ux v = u ∧ y = v vy Figure 2: Examples of RFUs: Div (left), and ID (right) We use unknown values ( ⊥ ) as the starting value of the feedback variable in an iterative computation of thefeedback, and we use • to represent “failure” (e.g. illegal inputs). To see why we distinguish the two, supposewe used the same value (say ⊥ ) to represent both these concepts. Suppose R. . ⊥ is true for some relation R . This could mean that is an illegal input for R , or that given as input, the output is unknown. Now,suppose we have another relation R (cid:48) that maps unknown inputs to , and we compose R and R (cid:48) in series.What should the composition R ◦ R (cid:48) produce given input ? Is illegal for R ◦ R (cid:48) , or does R ◦ R (cid:48) map to , or both? To avoid such ambiguities, we separate the two concepts and values. Example 4 (Division with fail and unknown) . Continuing Example 2, we extend relation Div with unknown.If the input y is zero, then Div . ( x, y ) fails, otherwise if x is zero, then the result z is zero, even if y is unknown.The complete definition of Div is: Div . ( x, y ) . • = ( y = 0) Div . ( x, y ) .z = ( y (cid:54) = 0) ∧ (cid:0) ( x = 0 ∧ z = 0) ∨ ( x (cid:54) = 0 ∧ y = ⊥ ∧ z = ⊥ ) ∨ ( x = ⊥ ∧ z = ⊥ ) ∨ ( x (cid:54) = ⊥ ∧ y (cid:54) = ⊥ ∧ z = x/y ) (cid:1) . Div is illustrated in Figure 2, where we use / ⊥ for the division operator / extended to unknown values asdefined above. In this section we introduce the definition of instantaneous feedback for an RFU R : ( A × B ) • → ( A × C ) • → Bool , as shown in Figure 3(a), where A = A ⊥ × . . . × A n ⊥ . The intention is to feed output v back into input u , as shown in Figure 3(b). The fact that we require R to have an extra input x and an extra output y iswithout loss of generality, as we can model absence of these wires by having their type ( B or C ) be the unittype , i.e., the type that has the empty tuple () as its only element. ux R (a) vy x R (b) vy x R (c) y Figure 3: (a) RFU R , (b) InstFeedback .R , (c) fb _ hide .R The idea of the instantaneous feedback calculation is outlined next. We start with ⊥ = ( ⊥ , . . . , ⊥ ) ∈ A ,and a given x ∈ B , and we construct the following tree: The nodes of the tree are labeled with elements in ( A × ( C ∪ { ? } )) • . The root of the tree is ( ⊥ , ?) , and for every node of the tree of the form ( u, ?) we createnew children nodes as follows: 12. If R. ( u, x ) . • then we create the child • .2. If there exists v, y such that u < v and R. ( u, x ) . ( v, y ) , then we create the child ( v, ?) .3. If there exists y such that R. ( u, x ) . ( u, y ) , then we create the child node ( u, y ) .We thus obtain a tree with leaves of the form • , ( u, ?) , or ( u, y ) . Note that the depth of this tree is finite,because whenever we create a child ( v, ?) of ( u, ?) we require u < v , and we cannot have a strictly increasinginfinite sequence of A elements (because A is a product of flat CPOs). That is, if all u values become known(non- ⊥ ), then all children of ( u, ?) are leaves.Let us illustrate this tree construction with some examples. Example 5 (The trees of the relations true and u (cid:54) = v discussed in Section 1) . Consider the RFUs TRUE and NEQ , having inputs u, x ∈ { , } ⊥ and outputs v, y ∈ { , } ⊥ , defined by: TRUE . ( u, x ) . ( v, y ) = ( v = y ) NEQ . ( u, x ) . ( v, y ) = ( v = y ) ∧ ( u = ⊥ ⇒ v = ⊥ ) ∧ ( u (cid:54) = ⊥ ⇒ ( v (cid:54) = u ∧ v (cid:54) = ⊥ )) . TRUE is the RFU corresponding to the relation true discussed in the introduction (this system is alsosometimes called havoc ). TRUE accepts any input (i.e., is input-receptive) and non-deterministically returnsany output. Note that its two outputs v and y can be anything, but are always equal due to the constraint v = y . NEQ is the RFU corresponding to the relation u (cid:54) = v discussed in the introduction (component A (cid:48) ). NEQ accepts any input x and returns any output v different from that input (again, y is always equal to v ).Since NEQ is an RFU, we also define how the relation behaves with unknown values. TRUE and NEQ areillustrated in Figure 4a and Figure 4b, respectively. ux y = v vy (a) ux v = u ∧ y = v vy (b) Figure 4: (a) TRUE , (b) NEQ The trees of TRUE and NEQ are shown in Figure 5. Both trees are independent of the value of input x .In the tree of TRUE we start with u = ⊥ and according to the tree construction rule 2 we create the childrenwith v = 0 and v = 1 , since v > ⊥ in both these cases. According to rule 3, we also create the child ( ⊥ , ⊥ ) ,because TRUE . ( ⊥ , x ) . ( ⊥ , ⊥ ) is true for any x . From node (0 , ?) the only possible child is (0 , , according torule 3, because TRUE . (0 , x ) . (0 , is true for any x . Note that, even though TRUE allows v to be arbitrarywhen u = 0 , for all such v , the ordering u < v does not hold due to the flat CPO property. Therefore, (0 , is the only possible child of (0 , ?) . Similarly for (1 , ?) and (1 , . In the tree of NEQ , when starting with u = ⊥ , we can only choose v = ⊥ . ( ⊥ , ?)(1 , ?)(0 , ?) ( ⊥ , ⊥ )(0 , 0) (1 , 1) ( ⊥ , ?)( ⊥ , ⊥ ) Figure 5: Tree for TRUE (left); Tree for NEQ (right)Given the above tree construction, the instantaneous feedback of an RFU R , denoted InstFeedback .R , willbe a relation from B • to ( A × C ) • such that: InstFeedback .R.x. ( u, y ) is true if ( u, y ) is a leaf in the tree; and InstFeedback .R.x. • is true if • is a leaf in the tree. The type of InstFeedback .R is shown in Figure 3(b).13ext we define InstFeedback .R formally. In addition we define another version of the feedback ( fb _ hide .R : B • → C • ) in which we remove the output component u if u is maximal (i.e., if it contains no unknowns), orwe make the feedback fail otherwise. The type of fb _ hide .R is shown in Figure 3(c). Definition 2. For an RFU R : ( A × B ) • → ( A × C ) • → Bool we define InstFeedback .R : B • → ( A × C ) • → Bool , fb _ end : ( A × C ) • → C • → Bool , and fb _ hide .R : B • → C • : InstFeedback .R.x. ( u, y )= ∃ n, u , . . . , u n : u = ⊥ ∧ u n = u ∧ R. ( u, x ) . ( u, y ) ∧ (cid:0) ∀ i < n : u i < u i +1 ∧ ( ∃ z : R. ( u i , x ) . ( u i +1 , z )) (cid:1) InstFeedback .R.x. • = ∃ n, u , . . . , u n : u = ⊥ ∧ R. ( u n , x ) . •∧ (cid:0) ∀ i < n : u i < u i +1 ∧ ( ∃ z : R. ( u i , x ) . ( u i +1 , z )) (cid:1) fb _ end . ( u, y ) .z = maximal .u ∧ z = y fb _ end . ( u, y ) . • = ¬ maximal .u fb _ hide .R = InstFeedback .R ◦ fb _ end Example 6 (Instantaneous feedback of TRUE and NEQ ) . Continuing Example 5, let us compute the in-stantaneous feedback operators defined above on the RFUs TRUE and NEQ . We get: InstFeedback . TRUE .x. ( v, y ) = ( v = y ) InstFeedback . NEQ .x. ( v, y ) = ( v = y = ⊥ ) fb _ hide . TRUE = failfb _ hide . NEQ = fail As we should expect, the result of our instantaneous feedback definition is fail , for both relations. This isvery different from the straightforward definition discussed in the introduction, and eliminates the problemspresented there. Specifically, the refinement TRUE (cid:118) NEQ is preserved by feedback, solving the problemidentified in the introduction. The result of applying fb _ hide to TRUE and NEQ is fail because as can beseen from the trees of Figure 5, the feedback variable u can be assigned any value, including the unknownvalue ⊥ .We next provide more examples that illustrate our instantaneous feedback operator. We also provean important result which shows that the operator reduces to standard operators for the special case ofdeterministic and input-receptive systems. axy Bus u + u Scope u Figure 6: Bus followed by function block in feedback Example 7 (A seemingly algebraic loop in a Simulink diagram) . The diagram shown in Figure 6 is inspiredfrom real-world Simulink models. This particular pattern is found in an automotive fuel control systembenchmark by Toyota [JDK + + a , x , and y are inputs to a Bus block whichoutputs them as a tuple. This tuple is then fed into a function block which performs addition on the 2ndand 3rd elements of the tuple ( u and u ). The output of the function is fed back into the bus. But there isno algebraic loop because the function does not depend on the 1st element of the tuple, i.e., a . The outputof the bus is fed also into a Scope block which is supposed to print all three elements of the tuple on the14 x v = ( u ∧ ⊥ x ) ∧ y = v vy Figure 7: AND gatescreen. We can model the bus and the scope as the identity function, and we have: Bus . ( a, x, y ) . ( u , u , u ) = ( a = u ∧ x = u ∧ y = u ) Scope . ( u , u , u ) . ( a, x, y ) = ( a = u ∧ x = u ∧ y = u ) Fun . ( u , u , u ) .v = ( v = u + u ) Sys = Bus ◦ ( u (cid:59) u, u ) ◦ ( Fun × Scope ) where Sys is the system without the feedback connection. If we apply the feedback we obtain, as could beexpected: InstFeedback . Sys = ( x, y (cid:59) x + y, x, y ) Example 8 (Instantaneous feedback of AND gate) . Suppose we connect in feedback the AND gate functionfrom Table 1. To apply feedback, we again add an extra output y = v (see Figure 7), and we get: AND . ( u, x ) . ( v, y ) = ( v = y = u ∧ ⊥ x ) InstFeedback . AND .x. ( v, y ) = ( v = y ) ∧ ( x = false ⇒ y = false ) ∧ ( x (cid:54) = false ⇒ y = ⊥ ) fb _ hide . AND .x.y = ( x = false ⇒ y = false ) ∧ ( x = true ⇒ y = • ) . The result of the feedback is a component which outputs false when its free input x is false. On the otherhand, if x is true or unknown, then the component fails.The result above is consistent with the result obtained using classic theories of instantaneous feedbackfor total functions (or constructive semantics ) [Mal94, Ber99, EL03]. This will generally be the case fordeterministic systems, as the tree described in the instantaneous feedback calculation above, becomes asingle path in those cases. Therefore, for the special case of total functions, our semantics specializes to theconstructive semantics.Let us state this formally. Let A be a flat CPO, and let R : ( A × B ) • → ( A × C ) • → Bool be a relationsuch that there exist total functions f : B → A → A and g : B → A → C such that for all x , f.x ismonotonic on A and ∀ u, x, z : R. ( u, x ) .z ⇔ z = ( f.x.u, g.x.u ) . Then: Theorem 5. If A is a flat CPO and R is as above then InstFeedback .R.x. ( u, y ) ⇐⇒ u = µ ( f.x ) ∧ y = g.x.u where µ ( f.x ) is the least fixpoint of f.x , which exists because of the assumption that f.x is monotonic on A . Example 9 (AND gate with an additional wire) . AND (cid:48) . (( w, u ) , x ) . (( v, w (cid:48) ) , y ) = ( w = w (cid:48) ∧ v = y = u ∧ ⊥ x ) InstFeedback . AND (cid:48) .x. (( v, w (cid:48) ) , y ) = ( v = w (cid:48) = y ∧ x = false ⇒ y = false ∧ x (cid:54) = false ⇒ y = ⊥ ) fb _ hide . AND (cid:48) .x.y = ( x = false ⇒ y = false ) ∧ ( x = true ⇒ y = • ) . The feedback of this component is the same as the feedback for the AND component. Example 10 (Instantaneous feedback of ID ) . One might wonder what might happen if we connect theidentity function in feedback. Since our feedback operator takes relations with two input and two outputwires, we define the identity operator ID . ( u, x ) . ( v, y ) = ( u = v = y ) ux v = ( u ∧ ⊥ x ) ∧ y = v ∧ w = w vw y ∧ ⊥ uxw vyw Figure 8: AND gate with an additional wirewhich ignores input x , and assigns both outputs v and y to its other input u (see Figure 2). Output y allowsto record the result of the feedback when we hide the feedback variables ( u and v ). As might be expected,the result of applying feedback is fail : InstFeedback . ID .x. ( v, y ) = ( v = y = ⊥ ) fb _ hide . ID = fail The result is fail because the feedback variable is assigned the value unknown. Again, this is consistent withthe result obtained using constructive semantics.The power of our framework is that it applies not just to deterministic and input-receptive systems, asin Examples 7, 8, and 10, or to non-deterministic but still input-receptive systems, as in Examples 5 and 6,but also to non-deterministic and non-input-receptive systems, as in the example below. Example 11 (Instantaneous feedback of a non-deterministic and non-input-receptive system) . Consider theRFU NonDet , having inputs u ∈ Nat ⊥ and x ∈ Nat and outputs v ∈ Nat ⊥ and y ∈ Nat . NonDet is definedas: NonDet . ( u, x ) . • = ( u = 2) NonDet . ( u, x ) . ( v, y ) = ( u (cid:54) = 2) ∧ ( y = v ∨ y = v + 1) ∧ (cid:0) v = x + 1 ∨ v = x + 2 ∨ ( u = ⊥ ∧ v = 6) ∨ ( u (cid:54) = ⊥ ∧ v = 7) (cid:1) . That is, all inputs where u = 2 are illegal, and if u (cid:54) = 2 then the output v is non-deterministically x + 1 , or x + 2 , or if u = ⊥ , or if u (cid:54) = ⊥ . Note that if u = ⊥ then u (cid:54) = 2 . Output y is either v or v + 1 . For x = 0 and x = 2 , we get the trees of Figure 9. ( ⊥ , ?)(2 , ?)(1 , ?) (6 , ?)(1 , 1) (1 , • (a) ( ⊥ , ?)(4 , ?)(3 , ?) (6 , ?)(3 , 3) (3 , 4) (4 , 4) (4 , Figure 9: Trees for NonDet (a) x = 0 , (b) x = 2 Then, we have: InstFeedback . NonDet .x. • = ( x = 0 ∨ x = 1) InstFeedback . NonDet .x. ( v, y ) = ( x (cid:54) = 1 ∧ v = x + 1 ∧ ( y = x + 1 ∨ y = x + 2)) ∨ ( x (cid:54) = 0 ∧ v = x + 2 ∧ ( y = x + 2 ∨ y = x + 3)) and because v has always a known value after feedback, fb _ hide is the same, but without the outputcomponent v . We can also observe that in the feedback of NonDet the cases v = 6 and v = 7 do not occur.This is because the feedback does not stabilize in these cases.16ne of the main results of this paper is that the feedback operation preserves refinement: Theorem 6. If R, R (cid:48) : ( A ⊥ × B ) • → ( A ⊥ × C ) • → Bool , then R (cid:118) R (cid:48) ⇒ InstFeedback .R (cid:118) InstFeedback .R (cid:48) . To prove this theorem we introduce some additional functions on R and we use them to give an alternativepoint free definition of fb _ hide .R . ux R. ( u, x ) . ( v, ) ∧ u < v ∧ x = x ( a ) vx ux R. ( u, x ) . ( v, y ) ∧ u = v ( b ) vy Figure 10: ( a ) fb _ a .R , ( b ) fb _ b .R Definition 3. For a relation R from ( A ⊥ × B ) • → ( A ⊥ × C ) • → Bool we define fb _ begin : B • → ( A ⊥ × B ) • → Bool , fb _ a : ( A ⊥ × B ) • → ( A ⊥ × B ) • → Bool , and fb _ b : ( A ⊥ × B ) • → ( A ⊥ × C ) • → Bool by fb _ begin .x. ( u, x (cid:48) ) = ( u = ⊥ ) ∧ ( x = x (cid:48) ) fb _ a .R. ( u, x ) . ( v, x (cid:48) ) = ( u < v ) ∧ ( x = x (cid:48) ) ∧ ( ∃ y : R. ( u, x ) . ( v, y )) fb _ a .R. ( u, x ) . • = R. ( u, x ) . • fb _ b .R. ( u, x ) . ( v, y ) = ( u = v ) ∧ R. ( u, x ) . ( u, y ) fb _ b .R. ( u, x ) . • = R. ( u, x ) . • Next lemma shows that fb _ a and fb _ b preserve refinement, and InstFeedback .R can be defined as a pointfree combination of fb _ begin , fb _ a .R , and fb _ b .R : Lemma 4. If R, R (cid:48) : ( A ⊥ × B ) • → ( A ⊥ × C ) • → Bool , then fb _ begin , fb _ a .R , fb _ b .R , and fb _ end are relations with fail.2. R (cid:118) R (cid:48) ⇒ fb _ a .R (cid:118) fb _ a .R (cid:48) R (cid:118) R (cid:48) ⇒ fb _ b .R (cid:118) fb _ b .R (cid:48) InstFeedback .R = fb _ begin ◦ ( fb _ a .R ) ∗ ◦ fb _ b .R Using this lemma and Lemma 3 we can prove now Theorem 6: Assume R (cid:118) R (cid:48) , then we have InstFeedback .R = {Lemma 4} fb _ begin ◦ ( fb _ a .R ) ∗ ◦ fb _ b .R (cid:118) {Lemma 4 and Lemma 3} fb _ begin ◦ ( fb _ a .R (cid:48) ) ∗ ◦ fb _ b .R (cid:48) = {Lemma 4} InstFeedback .R (cid:48) Another main result of this paper is that serial composition can be expressed as parallel compositionfollowed by feedback. To state this, we first define the cross product of two relations, which is essentiallytheir parallel composition, but with their outputs swapped, as shown in Figure 11a. The swapping is doneso that we can apply feedback to the right “wires”, as shown in Figure 11b.17 Rux (a) vy R Rx (b) vy Figure 11: (a) cross product, (b) feedback of cross product Definition 4. The cross product of two relations with fail R : A • → B • → Bool and R : C • → D • → Bool is a relation with fail R ⊗ R (cid:48) : ( C × A ) • → ( B × D ) • → Bool , given by R ⊗ R (cid:48) . ( u, x ) . • = R.x. • ∨ R (cid:48) .u. • R ⊗ R (cid:48) . ( u, x ) . ( v, y ) = R.x.v ∧ R (cid:48) .u.y We can now prove that the feedback of the cross product of two relations is the same as their serialcomposition: Theorem 7. If R : A •⊥ → B •⊥ → Bool , R (cid:48) : B •⊥ → C •⊥ → Bool , R (cid:48) is total and ¬ R (cid:48) . ⊥ . • then InstFeedback . ( R ⊗ R (cid:48) ) .x. • = ( R ◦ R (cid:48) ) .x. • InstFeedback . ( R ⊗ R (cid:48) ) .x. ( u, y ) = R.x.u ∧ R (cid:48) .u.y fb _ hide . ( R ⊗ R (cid:48) ) .x. • = ( R ◦ R (cid:48) ) .x. • ∨ R.x. ⊥ fb _ hide . ( R ⊗ R (cid:48) ) .x.y = ( ∃ u : u (cid:54) = ⊥ ∧ R.x.u ∧ R (cid:48) .u.y ) The condition ¬ R (cid:48) . ⊥ . • is needed because if R (cid:48) maps unknown ( ⊥ ) to fail ( • ), then the feedback iterationstops and the whole left term maps some external input x to fail. On the other hand, if R maps x only to a (cid:54)∈ {⊥ , •} , and R (cid:48) maps a only to b (cid:54) = • , then, the serial composition does not fail for the same x . Thisassumption is reasonable, since all it states is that the unknown value must be legal, at least in contextswhen we want to use a component in feedback. In this section we show how to compute the feedback of a relation R : (( A ⊥ × B ⊥ ) × C ) • → (( A ⊥ × B ⊥ ) × D ) • → Bool as in Figure 12(a) in two different ways. First we compute the feedback on ( u, s ) - ( v, t ) , as in Figure12(b). Second, we compute the feedback on u - v , and then on s - t , as in Figure 12(c). We would like thatthese two composition patterns result in the same relation. Indeed, we shall show that the relations of Figure12(b) and (c) are equivalent, under certain assumptions. usx R vty ( a ) x R vty ( b ) x R vty ( c ) Figure 12: Composing instantaneous feedbackThe feedback from Figure 12(b) corresponds to InstFeedback .R . Note that one application of InstFeedback is enough, because R takes as input ( u, s ) as a pair, and outputs ( v, t ) also as a pair.To define the feedback from Figure 12(c) we need to introduce three adaptation functions: adapt . ( u, ( s, x )) . (( u (cid:48) , s (cid:48) ) , x (cid:48) ) = ( u = u (cid:48) ) ∧ ( s = s (cid:48) ) ∧ ( x = x (cid:48) ) adapt . ( v, ( t, y )) . ( t (cid:48) , ( v (cid:48) , y (cid:48) )) = ( v = v (cid:48) ) ∧ ( t = t (cid:48) ) ∧ ( y = y (cid:48) ) adapt . ( t, ( v, y )) . (( v (cid:48) , t (cid:48) ) , y (cid:48) ) = ( v = v (cid:48) ) ∧ ( t = t (cid:48) ) ∧ ( y = y (cid:48) ) A = adapt ◦ R ◦ adapt − is represented in the inner dashed rectangle from Figure 12(c), andit has the appropriate type to construct the feedback on the variables u - v . The system B = InstFeedback .A has input ( s, x ) and output ( v, ( t, y )) , and we want now to connect in feedback s and t . For this we need thesecond adapt function that switches v and t : C = ( B ◦ adapt ) . System C corresponds to the outer dashedrectangle from Figure 12(c). The system InstFeedback .C has input x and output ( t, ( v, y )) , and to this weapply adapt to obtain (( v, t ) , y ) . We define SeqFeedback .R = ( InstFeedback .C ) ◦ adapt , and we have: SeqFeedback .R = ( InstFeedback . (( InstFeedback . ( adapt ◦ R ◦ adapt − )) ◦ adapt )) ◦ adapt In order to prove the equality InstFeedback .R = SeqFeedback .R we introduce some additional assumptions.For a relation R of appropriate type we define: mono .R = ( ∀ u, u (cid:48) , x, v, y : u ≤ u (cid:48) ∧ R. ( u (cid:48) , x ) . ( v, y ) ⇒ R. ( u, x ) . ( v, y )) mono _ fail .R = ( ∀ u, u (cid:48) , x : u ≤ u (cid:48) ∧ R. ( u, x ) . • ⇒ R. ( u (cid:48) , x ) . • ) indep1 .R = ( ∀ x, y, z, z (cid:48) : R. (( ⊥ , ⊥ ) , z ) . (( x, y ) , z (cid:48) ) ⇒ ( ∃ a : R. (( x, ⊥ ) , z ) . (( x, y ) , a )) ∧ ( ∃ b : R. (( ⊥ , y ) , z ) . (( x, y ) , b ))) indep2 .R = ( ∀ x, y, y (cid:48) , a, b, a (cid:48) , b (cid:48) : R. (( ⊥ , ⊥ ) .x ) . (( a, b ) , y ) ∧ R. (( ⊥ , ⊥ ) .x ) . (( a (cid:48) , b (cid:48) ) , y (cid:48) ) ⇒ ( ∃ z : R. (( ⊥ , ⊥ ) .x ) . (( a, b (cid:48) ) , z ))) In these definitions we assume that all variables range over proper values only, and not • .The property mono .R is true if the relation R is such that when the input u contains more unknownvalues than input u (cid:48) then all choices available from u (cid:48) are also available from u . If mono .R is true, then ( fb _ a .R ) + = fb _ a .R , and the feedback computation becomes easier. The property mono _ fail .R is dual, andstates that if R fails for some input u and some u (cid:48) has less unknown values than u , then R fails also for u (cid:48) .The properties indep1 , and indep2 introduces some independences in the way the first input component of R is used in the computation.Next theorem gives sufficient conditions under which the equality InstFeedback .R = SeqFeedback .R holds. Theorem 8. Let R a relation as in Figure 12(a). We have: 1. If mono .R is true then for all proper values (possibly unknowns, but not fail) x, v, t, y InstFeedback .R.x. (( v, t ) , y ) = SeqFeedback .R.x. (( v, t ) , y ) 2. If mono .R , mono _ fail .R , indep1 .R , and indep2 .R , then for all x InstFeedback .R.x. • = SeqFeedback .R.x. • In this section we show how to construct the instantaneous feedback directly on predicate transformers.We show how to define fb _ a , fb _ b , fb _ begin , fb _ end , InstFeedback , and fb _ hide on predicate transformersover values with ⊥ . Definition 5. If S is a monotonic predicate transformer, then we define Fb _ begin = [ x (cid:59) ⊥ , x ] Fb _ end = { v, y | maximal .v } ; [ v, y (cid:59) y ] Fb _ a .S = [ u, x (cid:59) ( u, x ) , x ]; (( S (cid:107) [ u, x (cid:59) v, y | u < v ]) × Skip ); [( v, y ) , x (cid:59) ( v, x )] Fb _ b .S = Fusion . ( S, [ u, x (cid:59) u, y ]) InstFeedbackPT .S = Fb _ begin ; ( Fb _ a .S ) ∗ ; Fb _ b .S Fb _ hide .S = InstFeedbackPT .S ; Fb _ end ⊥ ) occurs explicitly in the definition of Fb _ begin , and it occurs implicitly in the definitionsof Fb _ end and Fb _ a because the order ≤ relation on values is defined using ⊥ . Theorem 9. If R is a relation with fail and unknown, then wp . ( fb _ begin ) = Fb _ begin wp . ( fb _ end ) = Fb _ end wp . ( fb _ a .R ) = Fb _ a . ( wp .R ) wp . ( fb _ b .R ) = Fb _ b . ( wp .R ) wp . ( InstFeedback .R ) = InstFeedbackPT . ( wp .R ) wp . ( fb _ hide .R ) = Fb _ hide . ( wp .R ) Parts 1 to 4 from this theorem can be proved expanding the definitions, and using properties of fusion andproduct (Theorem 2). Part 5 follows from 1, 3, and 4 using wp . ( R ∗ ) = ( wp .R ) ∗ (Lemma 2). Part 6 followsdirectly from 2 and 5.Theorem 9, in particular, parts 5 and 6, show that the definition of the feedback operation on predicatetransformers is equivalent to the definition of feedback on relations with fail and unknown. In Section 7 we will define feedback with unit delay for arbitrary predicate transformers. In this section weintroduce some auxiliary operators to aid that definition.For a property transformer S with input and output of the same type we want to construct anotherproperty transformer IterateNextOmega .S which works in the following way. It starts by executing S on theinput sequence x to obtain the output y , then it executes S on the suffix y ( y starting from position instead of ) to obtain z , then it executes S on z , and so on. The output of IterateOmega .S is the sequence y , z , · · · . The operator IterateNextOmega is illustrated in Figure 13. In the figure, we use multipleincoming arrows to represent sequences of values, and not separate input “wires”. x x ... x n ... S ... y S ... z S ... u y z u Figure 13: IterateNextOmega .S The first step in defining IterateNextOmega .S is to define a property transformer SkipNext .S which forsome input x , executes S on x and leaves the first component x of x unchanged. Definition 6. If S is a property transformer and n ∈ Nat , then SkipNext .S and SkipTop .n are propertytransformers given by SkipNext .S = [ x (cid:59) x , x ] ; ( Skip × S ) ; [ z, w (cid:59) z · w ] SkipTop .n = [ x (cid:59) y | eqtop .n. x . y ] where eqtop .n. x . y = ( ∀ i < n : x i = y i ) and z · w denotes the new sequence obtained by prepending element z at the head of sequence w . 20igure 14 gives a graphical illustration of these transformers. In the figure we use double arrows torepresent sequences.Intuitively, SkipNext .S takes the sequence x , removes its “head” x , applies S , and then propends to theoutput the head x . SkipTop .n takes some sequence x and outputs a sequence y which has the same first n elements as x , and is arbitrary after that. x x S y y (a) x ... x n − x n y ... y n − y n (b) Figure 14: (a) SkipNext .S , (b) SkipTop .n SkipNext and SkipTop satisfy the following properties: Theorem 10. If S , T are property transformers, p is a property, and r is a relation, then we have SkipNext . ( S ; T ) = ( SkipNext .S ) ; ( SkipNext .T ) SkipNext . Fusion ( S, T ) = Fusion (cid:0) ( SkipNext .S ) , ( SkipNext .T ) (cid:1) SkipNext . ( { p } ; [ r ]) = { (cid:35) p } ; [ idnext .r ] SkipTop . Havoc S (cid:118) S (cid:48) ⇒ SkipNext .S (cid:118) SkipNext .S (cid:48) where idnext .r = ( (cid:35) r ) ∧ eqtop . .Then, IterateNextOmega .S would intuitively be the infinite serial composition IterateNextOmega .S = S ; SkipNext .S ; . . . ; SkipNext n .S ; . . . Formally, however, we cannot define an infinite serial composition. In order to solve this problem, weconstruct the finite compositions S ; SkipNext .S ; . . . ; SkipNext n .S ; SkipTop .n for all n , and then we take the infinite fusion of all these property transformers. Formally we have: Definition 7. If S is a property transformer, n ∈ Nat , and F is a mapping on monotonic property trans-formers, then Iterate .F.S.n , IterateOmega .F.S , and IterateNextOmega .S are defined by Iterate .F.S.n = S ; F.S ; . . . ; F n − .S IterateOmega .F.S = Fusion . ( λn : Iterate .F.S.n ; SkipTop .n ) IterateNextOmega .S = IterateOmega . SkipNext .S (2)The property transformer Iterate . SkipNext .S.n applied to a sequence x calculates a sequence y where thefirst n components are correct values for a possible output of IterateNextOmega .S as can be seen in Figure13. Always the first n components of y are possible values computed by IterateNextOmega .S , however thecomponents y n of y are not correct components for the final result of IterateNextOmega .S . For this reasonwe set these components to arbitrary values using SkipTop .n . Using Iterate . SkipNext .S.n ; SkipTop .n forarbitrarily large n s we get arbitrary large prefixes of outputs of IterateNextOmega .S . Taking the fusion of allthese sequences together results in all possible outputs of IterateNextOmega .S .21 xample 12 (Iterate of unit delay) . Let us apply Iterate . SkipNext to a unit delay initialized by the value a .If Delay .a = [ x (cid:59) y | y = a ∧ ( ∀ i.y i +1 = x i )] , then we have Iterate . SkipNext . ( Delay . .n ; SkipTop .n = [ x (cid:59) y | ∀ i < n : y i = 0] (3)that is, from arbitrary input x we get all possible y s that have a prefix of size n of s. The proof of (3) isgiven by: IterateOmega . SkipNext . ( Delay . {Definition of IterateOmega and (3)} Fusion . ( λn : [ x (cid:59) y | ∀ i < n : y i = 0])= {Theorem 2} [ x (cid:59) y | ( ∀ n : ∀ i < n : y i = 0]= {Logic calculation} [ x (cid:59) y | ∀ i : y i = 0] We now state some properties for the iteration operators introduced in Definition 7. The iterationspreserve refinement. Theorem 11. If F is a monotonic mapping of property transformers, then S (cid:118) S (cid:48) ⇒ Iterate .F.S.n (cid:118) Iterate .F.S (cid:48) .n S (cid:118) S (cid:48) ⇒ IterateOmega .F.S (cid:118) IterateOmega .F.S (cid:48) S (cid:118) S (cid:48) ⇒ IterateNextOmega .S (cid:118) IterateNextOmega .S (cid:48) The next two theorems show how to calculate the iteration operators for property transformers of theform { p } ; [ r ] . Before stating these theorems we introduce an iteration operator on relations, similar to theone on monotonic transformers. For a relation r : X → X → Bool and a mapping R : ( X → X → Bool ) → ( X → X → Bool ) on relation we define IterateRel .R.r.n = r ◦ R.r ◦ · · · ◦ R n − .r. Theorem 12. If p is a predicate, r a relation, F a mapping on monotonic transformers, P a mapping onpredicates, and R a mapping on relations, then 1. If ( ∀ p, r : F. ( { p } ; [ r ]) = { P.p } ; [ R.r ]) then Iterate .F. ( { p } ; [ r ]) .n = { x | ∀ i < n : ∀ y : IterateRel .R.r.i. x . y ⇒ P i .p. y } ; [ IterateRel .R.r.n ] Iterate . SkipNext . ( { p } ; [ r ]) .n = { x | ∀ i < n : ∀ y : IterateRel . idnext .r.i. x . y ⇒ (cid:35) i .p.y } ; [ IterateRel . idnext .r.n ] Using this theorem, Theorem 2, and Theorem 10 we can calculate IterateNextOmega . ( { p } ; [ r ]) . Theorem 13. For a property p. x and a relation r. x . y we have IterateNextOmega . ( { p } ; [ r ]) = { x | ( ∀ n, y : IterateRel . idnext .r.n. x . y ⇒ (cid:35) n p. y ) } ; [ (cid:86) n ( IterateRel . idnext .r.n ◦ eqtop .n ) ] Feedback with Unit Delay In Section 5 we defined an instantaneous feedback operator, for stateless systems. In this section we turnour attention to feedback for systems with state. We model a stateful system as a predicate transformer S with inputs u and x and outputs v and y , such that u models the current state, and v the next state (thus, u and v must have the same type). We will connect v to u in feedback via a unit delay. By doing so, thenext state becomes the current state in the next step.The result of the feedback-with-unit-delay operator applied to a predicate transformer as above is aproperty transformer that takes as input an infinite sequence x and produces an infinite output sequence y ,for a given initial state u . The system starts by executing S on the first component x of x , and on u .This results in the values u and y . In the next step, the second value x of x and u are used as input for S resulting in u and y , and so on. This computation is depicted in Figure 15a.We achieve this computation by lifting S to a special property transformer and then applying the IterateNextOmega operator. Definition 8. For a predicate transformer S as described earlier, we define the property transformer AddDelay .S with input a tuple of infinite sequences u , x , y and output of the same type: AddDelay .S = [ u , x , y (cid:59) ( u , x ) , ( u , x )] ; ( S × Skip ) ;[( a, b ) , ( u, x ) (cid:59) u (cid:48) , x (cid:48) , y (cid:48) | u (cid:48) = u ∧ u (cid:48) = a ∧ y (cid:48) = b ∧ x (cid:48) = x ] The property transformer AddDelay .S takes as input the sequences u , x , y , executes S on input u and x producing the values a , and b , and then sets the output u (cid:48) , x (cid:48) , y (cid:48) where u (cid:48) = u , u (cid:48) = a , y (cid:48) = b , and x (cid:48) = x . The components u (cid:48) , u (cid:48) , . . . and y (cid:48) , y (cid:48) , . . . are assigned arbitrary values. The transformer AddDelay .S returns the value of the second output component y at time zero, but adds a unit delay to the first outputcomponent v . AddDelay .S also adapts the input and the output of S to be of the same type such that wecan apply IterateNextOmega to AddDelay .S . Figure 15b gives a graphical representation of AddDelay .S . Inthis figure the input x is split in two components x and x = ( x , x , . . . ) , input u is split similarly in u and u , output u (cid:48) is split in u (cid:48) , u (cid:48) , and u (cid:48) , output x (cid:48) is equal to input x , and output y (cid:48) is split in y and y . From this figure we can also see that the input components u and y are not used (they are notconnected inside AddDelay .S ), and the output components u (cid:48) and y (cid:48) are assigned arbitrary values (theyare not connected). u x x x ... S S S ... y y y ... (a) u x x u y S u u y x u y (b) Figure 15: (a) Unit delay feedback of S , (b) AddDelay .S Finally we can introduce the transformer DelayFeedback .init.S : Definition 9. If init is a predicate on the initial value of the feedback variable u and S is a predicatetransformer as described above, then unit delay feedback is given by DelayFeedback .init.S = [ x (cid:59) u , x , y | init. u ] ; IterateNextOmega ( AddDelay .S ) ; [ u , x , y (cid:59) y ] The intuition behind the above definition is that if we plug AddDelay .S (Figure 15b) into Figure 13, usingthe tuple ( u , x , y ) instead of x , then we obtain the desired system of Figure 15a.A major result of this section is that the operators AddDelay and DelayFeedback preserve refinement:23 heorem 14. If S is a predicate transformer as above then S (cid:118) S (cid:48) ⇒ AddDelay .S (cid:118) AddDelay .S (cid:48) S (cid:118) S (cid:48) ⇒ DelayFeedback .S (cid:118) DelayFeedback .S (cid:48) The results presented so far in this section apply to any predicate transformer S with the structuredescribed above (inputs u, x and outputs v, y ). In practice, we often describe transformers as symbolictransition systems, that is, using a predicate init specifying the set of initial states, a predicate p specifyingthe set of legal inputs, and a relation r specifying the transition and output relations. If S is obtained froma symbolic transition system, that is, if S has the form { u, x | p.u.x } ; [ u, x (cid:59) u (cid:48) , y | r.u.u (cid:48) .x.y ] , then we canprove the following: Theorem 15. We have DelayFeedback .init. ( { u, x | p.u.x } ; [ u, x (cid:59) u (cid:48) , y | r.u.u (cid:48) .x.y ]) = { x | ∀ u : init. u ⇒ ( in .r L p ) . u . u . x } ; [ x (cid:59) y | ∃ u : init. u ∧ (cid:50) r. u . u . x . y ] This theorem shows that the unit delay feedback of such a predicate transformer is identical to theproperty transformer semantics of the corresponding symbolic transition system [PT14], which provides asanity check of our construction. The condition ( ∀ u : init. u ⇒ ( in .r L p ) . u . u . x ) is false on input x , if thereexists u , . . . , u n and y , . . . , y n − such that ( ∀ i < n : r. u i . u i +1 , x i , y i ) is true and p. u n . x n is false. That is,if with x it is possible to reach a false assertion, then the system will fail from x , even if non-failing choicesare possible.The intuitive behavior of a system as in Theorem 15 was explained in the beginning of this section.Here we elaborate on this intuition further, explaining in particular how it works for non-deterministic andnon-input-receptive systems. The system starts with some initial state u and input x (the first elementof x ) and it checks the input condition p. u . x . If the condition is false, then x is an illegal input at state u , and execution fails. Otherwise, the system computes non-deterministically the output y and the nextstate u , such that r. u . u . x . y is true. This ends the first execution step. The system then proceeds withthe next step, where it uses u and x to test again the input condition p , and so on. At any point duringexecution, if p. u i . x i becomes false then the system fails. Otherwise the system outputs non-deterministicallythe infinite sequence y , y , · · · . We note that if r is deterministic, i.e., if there exists function f such that r.u.u (cid:48) .x.y ⇔ ( u (cid:48) , y ) = f. ( u, x ) , then this process yields the standard execution runs. Example 13. [Stateful systems in feedback] Consider the following relations modeling systems with state( u and u (cid:48) represent current and next state variables, respectively): R = [ u, x (cid:59) u (cid:48) , y | u (cid:48) = u ∧ y = u ] (4) R = [ u, x (cid:59) u (cid:48) , y | u (cid:48) = u + 1 ∧ y = u ] (5)In R , the next state is equal to the current state. In R , the next state increments the current state by .We will also use the relation StepSum defined in (1). In all three cases the output y is equal to the state.Let Zero be the predicate given by Zero .u = ( u = 0) . We compose the above systems by connecting u (cid:48) to u in feedback with unit delay. In all three cases we use the predicate Zero as init , and in all three cases weuse input-receptive components, i.e., where p = (cid:62) . We get:1. DelayFeedback . Zero .R = [ x (cid:59) y | ∀ i : y i = 0] . Since the initial state is , the output is always .2. DelayFeedback . Zero .R = [ x (cid:59) y | ∀ i : y i = i ] . The output at the i -th step equals i .3. DelayFeedback . Zero . StepSum = [ x (cid:59) sum. x ] . The output is the summation of the sequence of inputsseen so far.The three examples above are all input-receptive and deterministic. Our framework can also handlenon-input-receptive and non-deterministic systems, as illustrated next:24 xample 14 (A deterministic but non-input-receptive system) . Let R = { u, x | u ≤ a } ; [ u, x (cid:59) u (cid:48) , y | u (cid:48) = u + x ∧ y = u ] . R is similar to StepSum , but imposes the condition that at each step the state u is boundedby some constant a . Applying feedback we get: DelayFeedback . Zero .R = { x |∀ i : sum. x .i ≤ a } ; [ x (cid:59) sum. x ] Note that the local (i.e., at each step) condition u ≤ a becomes (after feedback) the global condition thatthe sum of all elements x i of every prefix of the input x must be less or equal to a . Example 15 (A non-deterministic and non-input-receptive system) . We can also weaken the relation u (cid:48) = u + x ∧ y = u and make the previous system non-deterministic. For example at each step we can choose tocompute u (cid:48) = u + x or u (cid:48) = x . Let R = { u, x | u ≤ a } ; [ u, x (cid:59) u (cid:48) , y | ( u (cid:48) = u + x ∨ u (cid:48) = x ) ∧ y = u ] . Thenwe get: DelayFeedback . Zero .R = { x | ∀ i : sum. x .i ≤ a } ; [ x (cid:59) y | y = 0 ∧ ( ∀ i : y i +1 = y i + x i ∨ y i +1 = x i )] Observe that the global condition on x remains the same. This is because in the worst case the non-deterministic choice could always pick the alternative u (cid:48) = u + x , which leads to higher numbers stored in u compared to the alternative u (cid:48) = x . For a relation R : (( A ⊥ × . . . × A k ⊥ ) × X ) • → (( A ⊥ × . . . × A k ⊥ ) × Y ) • , in the ∃ n quantifier from thedefinition of InstFeedback .R , n is bound by k . This is so because a strictly increasing sequence u < u < . . . on A ⊥ × . . . × A k ⊥ can have at most k + 1 elements. Because of this property we have: ( fb _ a .R ) ∗ = (cid:95) i ≤ k ( fb _ a .R ) i so we can calculate the feedback symbolically using InstFeedback .R = fb _ begin ◦ ( (cid:95) i ≤ k ( fb _ a .R ) i ) ◦ fb _ b .R If relation R is defined using a first order formula, then InstFeedback .R is also a first order formula.Checking refinement of two relations with R (cid:118) R (cid:48) defined by first order formulas is also reduced tochecking validity of a first order formula ( ∀ x : R.x. • ∨ ( ∀ y : R (cid:48) .x.y ⇒ R.x.y ) .Refinement of predicate transformers of the form { p } ; [ r ] are also reduced to checking validity of a firstorder formula (Theorem 1). The predicate transformers of the form { p } ; [ r ] are closed to serial and demoniccompositions, fusion, and product, so if p and r are defined using first order formulas, then so are the resultsof these operations (Theorem 1 and 2).The delay feedback of a predicate transformer of the form { p } ; [ r ] is equivalent by Theorem 15 toa property transformer of the form { P } ; [ R ] where P and R are quantified LTL formulas. Checking therefinement DelayFeedback .S (cid:118) DelayFeedback .S (cid:48) , is reduced by Theorem 14 to checking the refinement S (cid:118) S (cid:48) of predicate transformers.However, IterateOmega .F.S and IterateNextOmega .S cannot be reduced always to first order logic orquantified LTL formulas. We have stated and proven all results presented in this paper, in the Isabelle/HOL theorem prover. Ourtheory is built on top of theories for refinement calculus and a semantic formalization of LTL. Proofs omittedfrom this paper can be found in the Isabelle code, available from http://rcrs.cs.aalto.fi . At the timeof this writing our Isabelle theories comprise a total of about 5k lines of code.Our formalization benefited from the rich collection of Isabelle formalization of mathematical structuresused in this paper: partial orders, Boolean algebras, complete lattices, and others.25 Feedback composition is challenging to define for non-deterministic and non-input-receptive systems, so thatrefinement is preserved. In this paper we make progress toward this goal. First, we propose an instantaneousfeedback composition operator for partial relations with fail and unknown (Section 5). This operator gener-alizes constructive semantics which are limited to total functions [Mal94, Ber99, EL03]. Second, we proposea feedback-with-unit-delay operator for systems with state (Section 7). Both operators preserve refinement(Theorems 6 and 14).Our framework can be applied to arbitrary Simulink diagrams by first translating them into predicatetransformers that handle current and next state variables as inputs and outputs, respectively, and then apply-ing feedback with unit delay on these variables. Contrary to Simulink, our construction allows instantaneousfeedback as well as non-deterministic and non-input-receptive components.Open problems remain. Seeking a generalization of the feedback operators directly to property trans-formers, at the semantic level, is a worthwhile albeit difficult goal. With this generalization, we will be ableto treat Simulink basic blocks as property transformers, and apply serial and feedback compositions directly. References [AH99] R. Alur and T. Henzinger. Reactive modules. Formal Methods in System Design , 15:7–48, 1999.[BB95] R.-J. Back and M. Butler. Exploring summation and product operators in the refinement cal-culus. In Mathematics of Program Construction , volume 947 of LNCS . Springer, 1995.[Ber99] G. Berry. The Constructive Semantics of Pure Esterel, 1999.[BS01] M. Broy and K. Stølen. Specification and development of interactive systems: focus on streams,interfaces, and refinement . Springer, 2001.[BvW98] R.-J. Back and J. von Wright. Refinement Calculus. A systematic Introduction . Springer, 1998.[dA04] L. de Alfaro. Game models for open systems. In Nachum Dershowitz, editor, Verification: Theoryand Practice , volume 2772 of Lecture Notes in Computer Science , pages 192–213. Springer, 2004.[dAH01] L. de Alfaro and T. Henzinger. Interface automata. In Foundations of Software Engineering(FSE) . ACM Press, 2001.[DHJP08] L. Doyen, T. Henzinger, B. Jobstmann, and T. Petrov. Interface theories with component reuse.In EMSOFT , pages 79–88, 2008.[Dij75] E.W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Comm.ACM , 18(8):453–457, 1975.[DP02] B.A. Davey and H.A. Priestley. Introduction to lattices and order . Cambridge University Press,New York, second edition, 2002.[EL03] S. Edwards and E.A. Lee. The semantics and execution of a synchronous block-diagram language. Sci. Comp. Progr. , 48:21–42(22), July 2003.[FP91] T. Freeman and F. Pfenning. Refinement Types for ML. SIGPLAN Not. , 26(6):268–277, May1991.[JDK + , 2014. Benchmark Simulink models available from http://cps-vo.org/group/ARCH/benchmarks . 26JDK + , HSCC ’14, pages253–262. ACM, 2014.[Jon94] B. Jonsson. A fully abstract trace model for dataflow and asynchronous networks. Distrib.Comput. , 7(4):197–212, 1994.[Kah74] G. Kahn. The semantics of a simple language for parallel programming. In Information Pro-cessing 74, Proceedings of IFIP Congress 74 . North-Holland, 1974.[LT89] N.A. Lynch and M.R. Tuttle. An introduction to input/output automata. CWI Quarterly ,2:219–246, 1989.[Mal94] S. Malik. Analysis of cyclic combinational circuits. IEEE Trans. Computer-Aided Design ,13(7):950–956, 1994.[Mil90] J. K. Millen. Hookup security for synchronous machines. In Computer Security FoundationsWorkshop III , pages 84–90, 1990.[MTH90] R. Milner, M. Tofte, and R. Harper. The Definition of Standard ML . MIT Press, Cambridge,MA, USA, 1990.[NPW02] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL — A Proof Assistant for Higher-OrderLogic . LNCS 2283. Springer, 2002.[Plo76] G. D. Plotkin. A powerdomain construction. SIAM Journal on Computing , 5(3):452–487, 1976.[Pnu77] A. Pnueli. The temporal logic of programs. In FOCS , 1977.[Pre14] V. Preoteasa. Formalization of refinement calculus for reactive systems. Archive of FormalProofs , October 2014. http://afp.sf.net/entries/RefinementReactive.shtml .[PT14] V. Preoteasa and S. Tripakis. Refinement calculus of reactive systems. In Embedded Software(EMSOFT) . ACM, 2014.[RKJ08] P. M. Rondon, M. Kawaguci, and R. Jhala. Liquid types. SIGPLAN Not. , 43(6):159–169, 2008.[Tar55] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. , 5:285–309, 1955.[TLHL11] S. Tripakis, B. Lickly, T. A. Henzinger, and E. A. Lee. A Theory of Synchronous RelationalInterfaces. ACM Transactions on Programming Languages and Systems (TOPLAS) , 33(4), July2011.[TS14] S. Tripakis and C. Shaver. Feedback in Synchronous Relational Interfaces. In From Programsto Systems , volume 8415 of LNCS , pages 249–266. Springer, 2014.[XP99] H. Xi and F. Pfenning. Dependent types in practical programming. In