Journal ArticleDOI

# Interface synthesis and protocol conversion

27 Feb 2008-Formal Aspects of Computing (Springer-Verlag)-Vol. 20, Iss: 2, pp 205-224

TL;DR: The problem of synthesising an interface R such that P composed with R refines Q is investigated, and it is shown that a solution exists iff P and Q are compatible, and the most general solution is given by(P \parallel Q^\ Bot)^\bot, where P is the interface P with inputs and outputs interchanged.

AbstractGiven deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such that P composed with R refines Q. We show that a solution exists iff P and $$Q^\bot$$ are compatible, and the most general solution is given by $$(P \parallel Q^\bot)^\bot$$, where $$P^\bot$$ is the interface P with inputs and outputs interchanged. Remarkably, the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata formalism of de Alfaro and Henzinger. For the synchronous case, we give a new definition of synchronous interface automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observable nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in the automaton $$(P \otimes Q^\bot)^\bot$$, and the most general solution in terms of the most permissive winning strategy. We apply the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous domains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols. In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-chip designs. The work reported here is based on earlier work on interface synthesis in Bhaduri (Third international symposium on automated technology for verification and analysis, ATVA 2005, pp 338–353, 2005) for the asynchronous case, and Bhaduri and Ramesh (Sixth international conference on application of concurrency to system design, ACSD 2006, pp 208–216) for the synchronous one.

### 1. Introduction

• Interfaces play a central role in component based design and verification of systems.
• Interface automata are a formalism for reasoning about composition and refinement of component interfaces in terms of the protocol aspects of component behaviour.
• The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to Büchi and Landwebers’ solution of Church’s problem [BL69].
• Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an abstract algebraic framework, and makes use of the mirror function in an essential way.

### 2. Asynchronous Interfaces: Interface Automata

• In this section the authors define interface automata and their composition and refinement.
• Throughout this work the authors consider only deterministic interface automata.
• This is in contrast to the original version defined in [dAH01], where an input and an output action with the same name combine to give an internal action.
• The authors call these states backward compatible.
• This implies there is an input strategy πI for P ⊗Q which avoids all locally incompatible states starting from s0P⊗Q, no matter what the output strategy is.

### 3. Synthesis of Interface Automata

• The synthesis problem for interface automata is as follows.
• Here Fig. 1 presents three examples to illustrate the synthesis idea with given interface automata P and Q.
• The solution is essentially identical with Q, except for the polarity of action b. Notation First the authors prove a result about compatibility that is used in Theorem 3.3 below.

### 4. Winning Strategies and Synthesis

• Since the orders are lattices, the most permissive strategy exists, as is given by the lattice join.
• The authors then show that the parallel composition P ‖ Q can be extracted from the most permissive winning strategy for Input.
• Note that the bottom elements are the empty strategies, which are allowed by the definition of strategies.
• From Definition 2.10, this implies that the set T of backward compatible states is empty, and hence by Definition 2.11 the composition P ‖ Q is empty.
• The complexity of the algorithm is linear in the size of the game graph.

### 5. Application: Network Protocol Conversion

• In today’s world, global communication over heterogeneous networks of computers can often lead to protocol mismatches between communicating entities.
• The authors illustrate the use of interface synthesis to the protocol conversion problem through an example adapted from [KNM97].
• When the authors want the two protocols above to work together without causing any inconsistency by using a converter, they need to specify what the converter is allowed and not allowed to do.
• The specification S for the converter relates the two actions sets by specifying temporal ordering of actions.

### 6. Synchronous Interface Automata

• In earlier sections the authors have presented the synthesis problem and its solution for interface automata, a formalism intended for component-based modelling and development of asynchronous systems.
• The authors SIA model essentially defines Mealy automata with explicit input assumptions and output guarantees.
• The game view of interface composition and refinement then applies mutatis mutandis to the synchronous setting.
• Let P and Q be two SIA with I/O signatures as above.

### 7. Synthesis of Synchronous Interfaces

• Here P⊥ has the same interpretation as in the asynchronous case.
• First the authors prove a result about compatibility that is used in Theorem 7.2 below.
• The complexity of computing (P ‖ Q⊥)⊥ is again O(|P ||Q|) using the standard iterative refinement technique as in the asynchronous case.

### 8. Converter Synthesis

• In this section the authors show how the SIA framework and the interface synthesis procedure described in Section 7 can be used to synthesise a protocol converter for two IP blocks that have incompatible protocols of interaction.
• Sometimes the authors indicate a don’t care explicitly by a signal T. Fig. 7 illustrates the synchronous interfaces for two mismatched protocols.
• The authors ignore all data values such as addresses, and consider only boolean control values.
• The authors require that the system as a whole (the two protocols along with the converter) satisfies the interface described by Fig.

Did you find this useful? Give us your feedback

Content maybe subject to copyright    Report

To appear in Formal Aspects of Computing, 2007
Interface Synthesis and Protocol Conversion
1
and S. Ramesh
2
1
Department of Computer Science and Engineering
Indian Institute of Technology Guwahati, India
2
India Science Lab, GM R&D Centre, Bangalore, India
Abstract. Given deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such
that P composed with R reﬁnes Q. We show that a solution exists iff P and Q
are compatible, and the most general
solution is given by (P k Q
)
, where P
is the interface P with inputs and outputs interchanged. Remarkably,
the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata
formalism of de Alfaro and Henzinger. For the synchronous case, we give a new deﬁnition of synchronous interface
automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observ-
able nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in
the automaton (P Q
)
, and the most general solution in terms of the most permissive winning strategy. We apply
the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous do-
mains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols.
In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-
chip designs. The work reported here is based on earlier work on interface synthesis in [Bha05] for the asynchronous
case, and [BR06] for the synchronous one.
Keywords: Interface automata; component compatibility; interface synthesis; protocol conversion.
1. Introduction
Interfaces play a central role in component based design and veriﬁcation of systems. In this paper we study the
problem of synthesising an interface R, which composed with a known interface P is a reﬁnement of an interface Q.
This is a central problem in component based top-down design of a system. The interface Q is an abstract interface, a
high level speciﬁcation of the component under development. The interface P is a known part of the implementation
and we are required to ﬁnd the most general (i.e., abstract) solution R satisfying the relation P k R Q, when it
exists. Here P k Q is the composition of P and Q, and P Q denotes P is a reﬁnement of Q’. This problem
has wide ranging applications such as logic synthesis, design of discrete controllers, communication gateway design
and protocol conversion, and has been studied previously in different contexts see [MvB83, Shi89, Par89, LX90,
HU99, YVB
+
01, YVB
+
02]. We study two versions of the problem, one for the asynchronous and the other for the
Correspondence and offprint requests to: Purandar Bhaduri, Department of Computer Science and Engineering, Indian Institute of Technology
Guwahati, Guwahati 781039, India. Tel: +91 316 2582360. Fax: +91 361 269 2787. e-mail: pbhaduri@iitg.ernet.in

2 P. Bhaduri and S. Ramesh
synchronous case, in the setting of interface automata [dAH01], where composition and reﬁnement of interfaces are
respectively the composition of interface automata and alternating reﬁnement relations[AHKV98].
Interface automata are a formalism for reasoning about composition and reﬁnement of component interfaces in
terms of the protocol aspects of component behaviour. They are like ordinary automata, except for the distinction
between input and output actions. The input actions of an interface automaton P are controlled by its environment.
Therefore an input action labelling a transition is an input assumption (or constraint on P s environment). Dually,
an output action of P is under P s control, and represents an an output guarantee of P . Unlike I/O automata [LT87],
interface automata are not required to be input enabled. If an input action a is not enabled at a state s, it is an assumption
on the automaton’s environment that it will not provide a as an input in state s.
When two interfaces P and Q are composed, the combined interface may contain incompatible states: states
where one interface can generate an output that is not a legal input for the other. In the combined interface it is the
environment’s responsibility to ensure that such a state is unreachable [dAH01]. This can be formalised as a two person
game [dAH01] which has the same ﬂavour as the controller synthesis problem of Ramadge and Wonham [RW89]; in
our setting the role of the controller is played by the environment. More formally, we follow de Alfaro [dA03] in
modelling an interface as a game between two players, Output and Input. Player Output represents the system and its
moves represent the outputs generated by the system. Player Input represents the environment; its moves represent the
inputs the system receives from its environment. In general, the set of available moves of each player depends on the
current state of the combined system. The interface is well-formed if the Input player has a winning strategy in the
game, where the winning condition is to avoid all incompatible states. Clearly, the game aspect is relevant only when
deﬁning the composition of two interfaces.
Reﬁnement of interfaces corresponds to weakening assumptions and strengthening guarantees. An interface P re-
ﬁnes Q only if P can be used in any environment where Q can be. The usual notion of reﬁnement is simulation or trace
containment [LT87]. For interface automata, a more appropriate notion is that of alternating simulation [AHKV98],
which is contravariant on inputs and covariant on outputs: if P Q (P reﬁnes Q), P accepts more inputs (weaker
input assumptions) and provides fewer outputs (stronger output guarantees). Thus alternating reﬁnement preserves
compatibility: if P and Q are compatible (i.e., P k Q is well-formed) and P
0
P , then so are P
0
and Q. The basic
notions of interface automata are summarised in Section 2.
In Section 3 we show that a solution to P k R Q for R exists for deterministic interface automata iff P and
Q
are compatible, and the most abstract (under alternating reﬁnement) solution is given by (P k Q
)
. Further, in
Section 4 we show that such an R can be constructed from the most permissive winning strategy for player Input in the
combined game (P Q
)
. Here P
is the game P with the moves of the players Input and and Output interchanged,
and P Q is the combined game obtained from P and Q by synchronising on shared actions and interleaving the rest.
We say a strategy π is more permissive than π
0
when, at every position in the game, the set of moves allowed by π
includes those allowed by π
0
. The most permissive winning strategy is one that is least restrictive. This result ties up
the relation between composition, reﬁnement, synthesis and winning strategies, and should be seen as one more step
towards a “uniform framework for the study of control, veriﬁcation, component-based design, and implementation of
open systems”, based on games [dA03].
Note that the notation P
is borrowed from linear logic [Gir87], where games play an important semantic
role [Bla92]. Using the notation of linear logic, the solution R to the synthesis problem can be written as (P Q
)
=
P
OQ = P ( Q, where , O and ( are respectively, the linear logic connectives ‘With’, ‘Par’ and linear implica-
tion. In our setting, the connective of linear logic is parallel composition k. The striking similarity of this solution
with submodule construction by von Bochmann in [vB02] and the language equation posed by Yevtushenko et al.in
[YVB
+
01, YVB
+
02] is intriguing. In these works, the largest solution of the language equation P R Q for R is
the language
P Q where P Q is the synchronous (or parallel) composition of languages P and Q, and P is the
complement of P . Clearly, there is a formal correspondence between P Q and our P k Q, between P and our P
,
and between language inclusion and alternating simulation.
We should also mention the formal resemblance of our work with Abramsky’s Semantics of Interaction [Abr97],
based on the game semantics of linear logic. In particular, the strategy called Application (or Modus Ponens) in [Abr97]
is the solution to our synthesis problem in a different setting. The solution R = P ( Q suggests that the problem
of synthesis can be seen as the construction of a suitable morphism in an appropriate category of interface automata,
along the lines of [MT98, Tab04]. However, we do not pursue this thread in this paper.
There is also a similarity between our work and the solution to the rectiﬁcation problem given in [BDWM93], using
Dill’s trace theory [Dil89]. The results in [BDWM93] are applicable to combinational circuits i.e., interfaces without
any state. In [BDWM93] P , Q, R are combinational circuits modelled as input-output relations and || the circuit
composition operator; mir is the mirror function that swaps inputs and outputs and complements the input-output

Interface Synthesis and Protocol Conversion 3
relation; is the conformance relation which captures the implementation relation between circuits and speciﬁcations.
The rectiﬁcation problem solved in [BDWM93] is the following: when can a small subnetwork of a combinational
circuit be replaced by another less expensive one? The answer to the rectiﬁcation problem is provided by a general
theorem that states that if Q is a speciﬁcation of the entire circuit then a replacement subnetwork P combined with the
rest of the circuit R will satisfy the speciﬁcation Q (i.e., P k R Q) iff R mir(P k mir(Q)) (modulo a projection
operator used to ignore the internal signals of a composed circuit). Clearly, this has the same form as our solution to
the synthesis problem.
As a practical application, in the asynchronous case, in Section 5 we show how to apply interface synthesis to
the protocol conversion problem for mismatched network protocols. The heterogeneity of existing networks often
results in incompatible protocols trying to communicate with each other. The protocol conversion problem is, given
two network protocols P
1
and P
2
which are mismatched, to come up with a converter C which mediates between the
two protocols, such that the combined system conforms to an overall speciﬁcation S. We show that a converter C, if it
exists, can be obtained as the solution to P k C S, where P = P
1
k P
2
is the composition of the two protocols.
For the synchronous case, in Section 6 we present synchronous interface automata for reasoning about composition
and reﬁnement of synchronous hardware components, such as intellectual property (IP) blocks in system-on-chip
(SoC) designs. In Section 7 we pose and solve the same synthesis problem as in the asynchronous case. What is
remarkable is, the solutions for the asynchronous and synchronous versions have the same form, namely the most
general solution to P k R Q exists iff P and Q
are compatible, and is given by R = (P k Q
)
. This points to
a uniﬁed theory of interface synthesis underlying both the asynchronous and synchronous cases. The work on agent
algebras by Passeroneet al. [BPSV03, Pas04] seems to bear this out. In Section 8 we show how to apply the synthesis
method to automatically synthesise protocol converters for mismatched IP blocks.
To summarise the main contributions of this paper, we have an algebraic characterisation of solutions to the prob-
lem of synthesis of interface automata, where the operators are parallel composition P k Q and ‘mirror’ P
. The
synthesis algorithm relies on the computation of winning strategies in games implicit in the deﬁnition of parallel
composition for interface automata. The algorithm is the standard iterative ﬁxed point computation using control-
lable predecessors for solving safety games (see [Tho95]). The usefulness of the solution to the synthesis problem
is demonstrated both in the asynchronous and synchronous cases by providing automated methods of constructing
protocol converters. This provides a uniﬁed theory and an algorithm for solving protocol conversion problems which
have appeared in the literature in many guises. The work reported here is based on earlier work on interface synthesis
in [Bha05] for the asynchronous case, and [BR06] for the synchronous one.
Related Work Merlin and von Bochmann [MvB83] proposed the submodule construction problem (also called equa-
tion solving or factorisation) for communication protocol speciﬁcation and synthesis. Given a module speciﬁcation
S and a submodule speciﬁcation M
1
in terms of labelled transition systems, they proposed a method to construct a
submodule M
2
such that M
1
and M
2
together realise the speciﬁcation S by synchronous interaction. Haghverdi and
Ural [HU99] gave a more formal presentation of the problem and an algorithm for its solution using preﬁx-closed ﬁnite
state machines as descriptions of submodules. One limitation of this solution is that the notion of correct realisation is
trace equivalence which is well known not to preserve certain behavioural properties such as the presence of deadlock.
This problem was addressed in the context of equation solving for CCS processes using observational equivalence or
strong bisimulation (see [Mil89]) by various researchers. A representative sample can be found in Shields [Shi89],
Parrow [Par89] and Larsen and Xinxin [LX90]. Yevtushenko et al. [YVB
+
01, YVB
+
02] study the related problem of
language equation solving for both synchronous and parallel (interleaving) composition in the context of synchronous
and asynchronous circuits. The main difference between the works cited above and ours is that we consider models
of open systems with an asymmetry between inputs and outputs. This naturally leads to the game formulation and
alternating simulation as the behavioural preorder captured by the interface automata formalism.
The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to
B¨uchi and Landwebers’ solution of Church’s problem [BL69]. More recent applications of the idea in the synthesis of
open systems occur in [PR89, MPS95, MT98]. The control of discrete event systems was introduced by Ramdage and
Wonham [RW89] using a language theoretic approach, where the ‘controllable’ and ‘uncontrollable’ actions clearly
correspond to the moves of the player and the opponent in a corresponding game. The use of games for the synthesis of
converters for mismatched protocols by Passerone et al. [PdAHSV02] can be seen as applications of the same general
principle. The present paper uses games to solve the interface synthesis problem, but the solution has a closed form
reminiscent of the submodule construction problem referred to above and the rectiﬁcation problem of Dill [BDWM93].
The combinatorial details of the game structure is hidden behind the algebraic form of the solution.
Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an
abstract algebraic framework, and makes use of the mirror function in an essential way. The work provides sufﬁcient

4 P. Bhaduri and S. Ramesh
conditions for characterising all controllers that satisfy a speciﬁcation when composed with a plant. One possible
future work is to investigate the relationship between agent algebras and our interface synthesis framework.
2. Asynchronous Interfaces: Interface Automata
In this section we deﬁne interface automata and their composition and reﬁnement. We follow the game formulation
presented in [dA03]. Throughout this work we consider only deterministic interface automata.
Deﬁnition 2.1. An interface automaton P is a tuple (S
P
, S
0
P
, A
I
P
, A
O
P
, Γ
I
P
, Γ
O
P
, δ
P
) where:
S
P
is a ﬁnite set of states.
S
0
P
S
P
is the set of initial states, which has at most one element, denoted s
0
P
.
A
I
P
and A
O
P
are disjoint sets of input and output actions. The set A
P
= A
I
P
A
O
P
is the set of all actions.
Γ
I
P
: S
P
2
A
I
P
is a map assigning to each state s S
P
a set (possibly empty) of input moves. Similarly,
Γ
O
P
: S
P
2
A
O
P
assigns to each state s S
P
a set (again, possibly empty) of output moves. The input and
output moves at a state s correspond to actions that can be accepted and generated at s respectively. Denote by
Γ
P
(s) = Γ
I
P
(s) Γ
O
P
(s) the set of all actions at s.
δ
P
: S
P
× A
P
S
P
is a transition function associating a target state δ
P
(s, a) with each state s S
P
and action
a A
P
. Note that the value δ
P
(s, a) makes sense only when a Γ
P
(s). When a / Γ
P
(s), the value can be
arbitrary.
The interface automaton P is said to be empty when its set of initial states S
0
P
is empty. Empty interface automata
arise when incompatible automata are composed.
Deﬁnition 2.2. An input strategy for P is a map π
I
: S
+
P
2
A
I
P
satisfying π
I
(σs) Γ
I
P
(s) for all s S
P
and
σ S
P
. An output strategy π
O
: S
+
P
2
A
O
P
is deﬁned similarly. The set of input and output strategies of P are
denoted by Π
I
P
and Π
O
P
respectively.
Note In keeping with [dA03], we have given the general deﬁnition of strategy, where the moves can depend on the
history of the game. It turns out that for the case of safety games we consider in this paper, it is enough to consider
only memoryless strategies, where the current state sufﬁces to deﬁne the set of moves. This simpliﬁcation will be made
in Section 6 while discussing the synchronous interface automata.
An input and output strategy jointly determine a set of traces in S
+
P
as follows. At each step, if the input strategy
proposes a set B
I
of actions, and the output strategy proposes a set B
O
of actions, an action from B
I
B
O
is chosen
nondeterministically.
Deﬁnition 2.3. Given a state s S
P
, and input strategy π
I
and an output strategy π
O
, the set Outcomes(s, π
I
, π
O
)
S
+
P
of resulting plays is deﬁned inductively as follows:
s Outcomes
P
(s, π
I
, π
O
);
if σt Outcomes(s, π
I
, π
O
) for σ S
+
P
and t S
P
, then for all a π
I
(σt) π
O
(σt) the sequence σ
P
(s, a)
Outcomes
P
(s, π
I
, π
O
).
A state s S
P
is said to be reachable in P , if there is a sequence of states s
0
, s
1
, . . . , s
n
with s
0
S
0
P
, s
n
= s,
and for all 0 k < n there is a
k
Γ
P
(s
k
) such that δ
P
(s
k
, a
k
) = s
k+1
. Reach(P ) denotes the set of reachable
states of P
The reﬁnement of interface automata is known as alternating simulation, the right notion of simulation between
games [AHKV98]. Intuitively, an alternating simulation ρ S
P
× S
Q
from P to Q is a relation for which (s, t) ρ
implies all input moves from t can be simulated by s and all output moves from s can be simulated by t.
Deﬁnition 2.4. An alternating simulation ρ from P to Q is a relation ρ S
P
× S
Q
such that, for all (s, t) ρ and
all a Γ
I
Q
(t) Γ
O
P
(s), the following conditions are satisﬁed:
1. Γ
I
Q
(t) Γ
I
P
(s);
2. Γ
O
P
(s) Γ
O
Q
(t);

Interface Synthesis and Protocol Conversion 5
3. (δ
P
(s, a), δ
Q
(t, a)) ρ.
Reﬁnement between interface automata is deﬁned as the existence of an alternating simulation between the initial
states.
Deﬁnition 2.5. An interface automaton P reﬁnes an interface automaton Q, written P Q, if the following condi-
tions are satisﬁed:
1. A
I
Q
A
I
P
;
2. A
O
P
A
O
Q
;
3. there is an alternating simulation ρ from P to Q, such that (s
0
, t
0
) ρ for some s
0
S
0
P
and t
0
S
0
Q
.
We now deﬁne the parallel composition P k Q of interface automata P and Q in a series of steps.
Deﬁnition 2.6. P and Q are composable if A
O
P
A
O
Q
= .
We ﬁrst deﬁne the product automaton P Q of two composable interface automata P and Q, by synchronising their
shared actions and interleaving all others. The set of shared actions of P and Q is deﬁned by Shared(P, Q) = A
P
∩A
Q
.
Deﬁnition 2.7. The product P Q of two composable interface automata P and Q is deﬁned by
S
P Q
= S
P
× S
Q
;
S
0
P Q
= S
0
P
× S
0
Q
;
A
I
P Q
= (A
I
P
A
I
Q
)\Comm(P, Q) where Comm(P, Q) = (A
O
P
A
I
Q
)(A
I
P
A
O
Q
) is the set of communication
actions, a subset of Shared(P, Q);
A
O
P Q
= A
O
P
A
O
Q
;
Γ
I
P Q
((s, t)) =
I
P
(s)\(A
O
Q
A
I
Q
))
I
Q
(t)\(A
O
P
A
I
P
))
I
P
(s) Γ
I
Q
(t)) for all (s, t) S
P
× S
Q
;
Γ
O
P Q
((s, t)) = Γ
O
P
(s) Γ
O
Q
(t), for all (s, t) S
P
× S
Q
;
for all a A
P Q
,
δ
P Q
((s, t), a) =
(
(δ
P
(s, a), δ
Q
(t, a)) if a A
P
A
Q
(δ
P
(s, a), t) if a A
P
\A
Q
(s, δ
Q
(t, a)) if a A
Q
\A
P
Note There is an asymmetry between input and output actions in the above deﬁnition. An input and output action with
the same label combine to form an output action. The intent is to model multi-way broadcast communication, as in the
version of interface automata deﬁned in [dA03] and in I/O automata [LT87]. This is in contrast to the original version
deﬁned in [dAH01], where an input and an output action with the same name combine to give an internal action.
Since interface automata need not be input enabled, there may be reachable states in P Q where a communication
action can be output by one of the automaton but cannot be accepted as input by the other. These states are called locally
incompatible.
Deﬁnition 2.8. The set Incomp(P, Q) of locally incompatible states of P and Q consists of all pairs (s, t) S
P
×S
Q
for which one of the following two conditions hold:
1. a Comm(P, Q) such that a Γ
O
P
(s) but a / Γ
I
Q
(t),
2. a Comm(P, Q) such that a Γ
O
Q
(t) but a / Γ
I
P
(s).
A local incompatibility can be avoided if there is a helpful environment, which by providing the right sequence
of inputs can steer the automaton away from such an undesirable state. The states from which Input can prevent the
product P Q from reaching a state in Incomp(P, Q) are called compatible. In other words, the compatible states are
those from which Input has a winning strategy.
Deﬁnition 2.9. A state s S
P Q
is compatible if there is an input strategy π
I
Π
I
P Q
such that, for all output
strategies π
O
Π
O
P Q
, all σ Outcomes
P Q
(s, π
I
, π
O
) and all incompatible states w Incomp(P, Q), the state w
does not appear in the sequence σ.

##### Citations
More filters

Journal Article
Oded Maler
Abstract: This paper presents algorithms for the automatic synthesis of real-time controllers by finding a winning strategy for certain games defined by the timed-automata of Alur and Dill. In such games, the outcome depends on the players' actions as well as on their timing. We believe that these results will pave the way for the application of program synthesis techniques to the construction of real-time embedded systems from their specifications.

515 citations

Book
28 Mar 2018
TL;DR: This paper intends to provide treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity, and provides an important link between interfaces and contracts to show similarities and correspondences.
Abstract: Recently, contract-based design has been proposed as an “orthogonal” approach that complements system design methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis, abstraction/refinement, and even synthesis. A number of results have been obtained in this domain but a unified treatment of the topic that can help put contract-based design in perspective was missing. This monograph intends to provide such a treatment where contracts are precisely defined and characterized so that they can be used in design methodologies with no ambiguity. In particular, this monograph identifies the essence of complex system design using contracts through a mathematical “meta-theory”, where all the properties of the methodology are derived from a very abstract and generic notion of contract. We show that the meta-theory provides deep and illuminating links with existing contract and interface theories, as well as guidelines for designing new theories. Our study encompasses contracts for both software and systems, with emphasis on the latter. We illustrate the use of contracts with two examples: requirement engineering for a parking garage management, and the development of contracts for timing and scheduling in the context of the AUTOSAR methodology in use in the automotive sector.

199 citations

Book
01 Jan 2004
TL;DR: This poster presents a probabilistic procedure to characterize the response of the immune system to the presence of foreign substances such as cadmium, which is a natural component of infectious disease.
Abstract: ion Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Pei-Hsin Ho

106 citations

Journal Article
Abstract: We present interface models that describe both the input assumptions of a component, and its output behavior. By enabling us to check that the input assumptions of a component are met in a design, interface models provide a compatibility check for component-based design. When refining a design into an implementation, interface models require that the output behavior of a component satisfies the design specification only when the input assumptions of the specification are satisfied, yielding greater flexibility in the choice of implementations. Technically, our interface models are games between two players, Input and Output; the duality of the players accounts for the dual roles of inputs and outputs in composition and refinement. We present two interface models in detail, one for a simple synchronous form of interaction between components typical in hardware, and the other for more complex synchronous interactions on bidirectional connections. As an example, we specify the interface of a bidirectional bus, with the input assumption that at any time at most one component has write access to the bus. For these interface models, we present algorithms for compatibility and refinement checking, and we describe efficient symbolic implementations.

66 citations

01 Jul 2015
TL;DR: This paper intends to provide treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity, and provides an important link between interface and contract theories to show similarities and correspondences.
Abstract: Aircrafts, trains, cars, plants, distributed telecommunication military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go severely over budget so as to threaten the health of entire industrial sectors. Heuristic methods and standard practices do not seem to scale with complexity so that novel design methods and tools based on a strong theoretical foundation are sorely needed. Model-based design as well as other methodologies such as layered and compositional design have been used recently but a unified intellectual framework with a complete design flow supported by formal tools is still lacking. Recently an “orthogonal” approach has been proposed that can be applied to all methodologies introduced thus far to provide a rigorous scaffolding for verification, analysis and abstraction/refinement: contractbased design. Several results have been obtained in this domain but a unified treatment of the topic that can help in putting contract-based design in perspective is missing. This paper intends to provide such treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity. In addition, the paper provides an important link between interface and contract theories to show similarities and correspondences. This paper is complemented by a companion paper where contract based design is illustrated through use cases.

49 citations

### Cites methods from "Interface synthesis and protocol co..."

• ...In [42], incremental design of deterministic Interface Automata is studied....

[...]

##### References
More filters

Book
01 Jan 1989
TL;DR: This chapter discusses Bisimulation and Observation Equivalence as a Modelling Communication, a Programming Language, and its application to Equational laws.
Abstract: Foreword. 1. Modelling Communication. 2. Basic Definitions. 3. Equational laws and Their Application. 4. Strong Bisimulation and Strong Equivalence. 5. Bisimulation and Observation Equivalence. 6. Further Examples. 7. The Theory of Observation Congruence. 8. Defining a Programming Language. 9. Operators and Calculi. 10. Specifications and Logic. 11. Determinancy and Confluence. 12. Sources and Related Work. Bibliography. Index.

8,544 citations

Journal ArticleDOI
30 Jan 1987

3,829 citations

Journal ArticleDOI
01 Jan 1989
TL;DR: The focus is on the qualitative aspects of control, but computation and the related issue of computational complexity are also considered.
Abstract: A discrete event system (DES) is a dynamic system that evolves in accordance with the abrupt occurrence, at possibly unknown irregular intervals, of physical events. Such systems arise in a variety of contexts ranging from computer operating systems to the control of complex multimode processes. A control theory for the logical aspects of such DESs is surveyed. The focus is on the qualitative aspects of control, but computation and the related issue of computational complexity are also considered. Automata and formal language models for DESs are surveyed. >

2,759 citations

Journal ArticleDOI
TL;DR: This column presents an intuitive overview of linear logic, some recent theoretical results, and summarizes several applications oflinear logic to computer science.
Abstract: Linear logic was introduced by Girard in 1987 [11] . Since then many results have supported Girard' s statement, \"Linear logic is a resource conscious logic,\" and related slogans . Increasingly, computer scientists have come to recognize linear logic as an expressive and powerful logic with connection s to a variety of topics in computer science . This column presents a.n intuitive overview of linear logic, some recent theoretical results, an d summarizes several applications of linear logic to computer science . Other introductions to linear logic may be found in [12, 361 .

2,199 citations

Proceedings ArticleDOI
03 Jan 1989
TL;DR: An algorithm is presented based on a new procedure for checking the emptiness of Rabin automata on infinite trees in time exponential in the number of pairs, but only polynomial in theNumber of states, which leads to a synthesis algorithm whose complexity is doubleonential in the length of the given specification.
Abstract: @(x, y) is valid over all tree models. For the restricted case that all variables range over finite domains, the validity problem is decidable, and we present an algorithm for constructing the program whenever it exists. The algorithm is based on a new procedure for checking the emptiness of Rabin automata on infinite trees in time exponential in the number of pairs, but only polynomial in the number of states. This leads to a synthesis algorithm whose complexity is double exponential in the length of the given specification.

1,485 citations

##### Related Papers (5)
01 Sep 2001
04 Dec 2008
Albert Benveniste
01 Jan 2004
###### Q1. What are the contributions mentioned in the paper "Interface synthesis and protocol conversion" ?

Given deterministic interfaces P and Q, the authors investigate the problem of synthesising an interface R such that P composed with R refines Q. The authors show that a solution exists iff P and Q are compatible, and the most general solution is given by ( P ‖ Q ), where P is the interface P with inputs and outputs interchanged. For the synchronous case, the authors give a new definition of synchronous interface automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observable nondeterminism. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols. The work reported here is based on earlier work on interface synthesis in [ Bha05 ] for the asynchronous case, and [ BR06 ] for the synchronous one.

As future work, the authors would like to relax some restrictions they have put on the synchronous interface model, such as the requirement of observable nondeterminism. Other possibilities would be to include the effect of hiding internal signals and including fairness specifications to both asynchronous and synchronous interfaces. The work on agent algebras related to semantic foundations for heterogeneous systems ( see [ Pas04 ] ) has a similar goal, and it will be interesting to investigate the connections between the two. The authors are grateful to the anonymous referees for suggesting many improvements in the presentation.