To appear in Formal Aspects of Computing, 2007
Interface Synthesis and Protocol Conversion
Purandar Bhaduri
1
and S. Ramesh
2
1
Department of Computer Science and Engineering
Indian Institute of Technology Guwahati, India
2
India Science Lab, GM R&D Centre, Bangalore, India
Abstract. Given deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such
that P composed with R refines Q. We show that a solution exists iff P and Q
⊥
are compatible, and the most general
solution is given by (P k Q
⊥
)
⊥
, where P
⊥
is the interface P with inputs and outputs interchanged. Remarkably,
the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata
formalism of de Alfaro and Henzinger. For the synchronous case, we give a new definition of synchronous interface
automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observ-
able nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in
the automaton (P ⊗ Q
⊥
)
⊥
, and the most general solution in terms of the most permissive winning strategy. We apply
the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous do-
mains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols.
In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-
chip designs. The work reported here is based on earlier work on interface synthesis in [Bha05] for the asynchronous
case, and [BR06] for the synchronous one.
Keywords: Interface automata; component compatibility; interface synthesis; protocol conversion.
1. Introduction
Interfaces play a central role in component based design and verification of systems. In this paper we study the
problem of synthesising an interface R, which composed with a known interface P is a refinement of an interface Q.
This is a central problem in component based top-down design of a system. The interface Q is an abstract interface, a
high level specification of the component under development. The interface P is a known part of the implementation
and we are required to find the most general (i.e., abstract) solution R satisfying the relation P k R Q, when it
exists. Here P k Q is the composition of P and Q, and P Q denotes ‘P is a refinement of Q’. This problem
has wide ranging applications such as logic synthesis, design of discrete controllers, communication gateway design
and protocol conversion, and has been studied previously in different contexts – see [MvB83, Shi89, Par89, LX90,
HU99, YVB
+
01, YVB
+
02]. We study two versions of the problem, one for the asynchronous and the other for the
Correspondence and offprint requests to: Purandar Bhaduri, Department of Computer Science and Engineering, Indian Institute of Technology
Guwahati, Guwahati 781039, India. Tel: +91 316 2582360. Fax: +91 361 269 2787. e-mail: pbhaduri@iitg.ernet.in
2 P. Bhaduri and S. Ramesh
synchronous case, in the setting of interface automata [dAH01], where composition and refinement of interfaces are
respectively the composition of interface automata and alternating refinement relations[AHKV98].
Interface automata are a formalism for reasoning about composition and refinement of component interfaces in
terms of the protocol aspects of component behaviour. They are like ordinary automata, except for the distinction
between input and output actions. The input actions of an interface automaton P are controlled by its environment.
Therefore an input action labelling a transition is an input assumption (or constraint on P ’s environment). Dually,
an output action of P is under P ’s control, and represents an an output guarantee of P . Unlike I/O automata [LT87],
interface automata are not required to be input enabled. If an input action a is not enabled at a state s, it is an assumption
on the automaton’s environment that it will not provide a as an input in state s.
When two interfaces P and Q are composed, the combined interface may contain incompatible states: states
where one interface can generate an output that is not a legal input for the other. In the combined interface it is the
environment’s responsibility to ensure that such a state is unreachable [dAH01]. This can be formalised as a two person
game [dAH01] which has the same flavour as the controller synthesis problem of Ramadge and Wonham [RW89]; in
our setting the role of the controller is played by the environment. More formally, we follow de Alfaro [dA03] in
modelling an interface as a game between two players, Output and Input. Player Output represents the system and its
moves represent the outputs generated by the system. Player Input represents the environment; its moves represent the
inputs the system receives from its environment. In general, the set of available moves of each player depends on the
current state of the combined system. The interface is well-formed if the Input player has a winning strategy in the
game, where the winning condition is to avoid all incompatible states. Clearly, the game aspect is relevant only when
defining the composition of two interfaces.
Refinement of interfaces corresponds to weakening assumptions and strengthening guarantees. An interface P re-
fines Q only if P can be used in any environment where Q can be. The usual notion of refinement is simulation or trace
containment [LT87]. For interface automata, a more appropriate notion is that of alternating simulation [AHKV98],
which is contravariant on inputs and covariant on outputs: if P Q (P refines Q), P accepts more inputs (weaker
input assumptions) and provides fewer outputs (stronger output guarantees). Thus alternating refinement preserves
compatibility: if P and Q are compatible (i.e., P k Q is well-formed) and P
0
P , then so are P
0
and Q. The basic
notions of interface automata are summarised in Section 2.
In Section 3 we show that a solution to P k R Q for R exists for deterministic interface automata iff P and
Q
⊥
are compatible, and the most abstract (under alternating refinement) solution is given by (P k Q
⊥
)
⊥
. Further, in
Section 4 we show that such an R can be constructed from the most permissive winning strategy for player Input in the
combined game (P ⊗Q
⊥
)
⊥
. Here P
⊥
is the game P with the moves of the players Input and and Output interchanged,
and P ⊗Q is the combined game obtained from P and Q by synchronising on shared actions and interleaving the rest.
We say a strategy π is more permissive than π
0
when, at every position in the game, the set of moves allowed by π
includes those allowed by π
0
. The most permissive winning strategy is one that is least restrictive. This result ties up
the relation between composition, refinement, synthesis and winning strategies, and should be seen as one more step
towards a “uniform framework for the study of control, verification, component-based design, and implementation of
open systems”, based on games [dA03].
Note that the notation P
⊥
is borrowed from linear logic [Gir87], where games play an important semantic
role [Bla92]. Using the notation of linear logic, the solution R to the synthesis problem can be written as (P ⊗Q
⊥
)
⊥
=
P
⊥
OQ = P ( Q, where ⊗, O and ( are respectively, the linear logic connectives ‘With’, ‘Par’ and linear implica-
tion. In our setting, the ⊗ connective of linear logic is parallel composition k. The striking similarity of this solution
with submodule construction by von Bochmann in [vB02] and the language equation posed by Yevtushenko et al.in
[YVB
+
01, YVB
+
02] is intriguing. In these works, the largest solution of the language equation P • R ⊆ Q for R is
the language
P • Q where P • Q is the synchronous (or parallel) composition of languages P and Q, and P is the
complement of P . Clearly, there is a formal correspondence between P • Q and our P k Q, between P and our P
⊥
,
and between language inclusion and alternating simulation.
We should also mention the formal resemblance of our work with Abramsky’s Semantics of Interaction [Abr97],
based on the game semantics of linear logic. In particular, the strategy called Application (or Modus Ponens) in [Abr97]
is the solution to our synthesis problem in a different setting. The solution R = P ( Q suggests that the problem
of synthesis can be seen as the construction of a suitable morphism in an appropriate category of interface automata,
along the lines of [MT98, Tab04]. However, we do not pursue this thread in this paper.
There is also a similarity between our work and the solution to the rectification problem given in [BDWM93], using
Dill’s trace theory [Dil89]. The results in [BDWM93] are applicable to combinational circuits i.e., interfaces without
any state. In [BDWM93] P , Q, R are combinational circuits modelled as input-output relations and || the circuit
composition operator; mir is the mirror function that swaps inputs and outputs and complements the input-output
Interface Synthesis and Protocol Conversion 3
relation; is the conformance relation which captures the implementation relation between circuits and specifications.
The rectification problem solved in [BDWM93] is the following: when can a small subnetwork of a combinational
circuit be replaced by another less expensive one? The answer to the rectification problem is provided by a general
theorem that states that if Q is a specification of the entire circuit then a replacement subnetwork P combined with the
rest of the circuit R will satisfy the specification Q (i.e., P k R ⊆ Q) iff R ⊆ mir(P k mir(Q)) (modulo a projection
operator used to ignore the internal signals of a composed circuit). Clearly, this has the same form as our solution to
the synthesis problem.
As a practical application, in the asynchronous case, in Section 5 we show how to apply interface synthesis to
the protocol conversion problem for mismatched network protocols. The heterogeneity of existing networks often
results in incompatible protocols trying to communicate with each other. The protocol conversion problem is, given
two network protocols P
1
and P
2
which are mismatched, to come up with a converter C which mediates between the
two protocols, such that the combined system conforms to an overall specification S. We show that a converter C, if it
exists, can be obtained as the solution to P k C S, where P = P
1
k P
2
is the composition of the two protocols.
For the synchronous case, in Section 6 we present synchronous interface automata for reasoning about composition
and refinement of synchronous hardware components, such as intellectual property (IP) blocks in system-on-chip
(SoC) designs. In Section 7 we pose and solve the same synthesis problem as in the asynchronous case. What is
remarkable is, the solutions for the asynchronous and synchronous versions have the same form, namely the most
general solution to P k R Q exists iff P and Q
⊥
are compatible, and is given by R = (P k Q
⊥
)
⊥
. This points to
a unified theory of interface synthesis underlying both the asynchronous and synchronous cases. The work on agent
algebras by Passeroneet al. [BPSV03, Pas04] seems to bear this out. In Section 8 we show how to apply the synthesis
method to automatically synthesise protocol converters for mismatched IP blocks.
To summarise the main contributions of this paper, we have an algebraic characterisation of solutions to the prob-
lem of synthesis of interface automata, where the operators are parallel composition P k Q and ‘mirror’ P
⊥
. The
synthesis algorithm relies on the computation of winning strategies in games implicit in the definition of parallel
composition for interface automata. The algorithm is the standard iterative fixed point computation using control-
lable predecessors for solving safety games (see [Tho95]). The usefulness of the solution to the synthesis problem
is demonstrated both in the asynchronous and synchronous cases by providing automated methods of constructing
protocol converters. This provides a unified theory and an algorithm for solving protocol conversion problems which
have appeared in the literature in many guises. The work reported here is based on earlier work on interface synthesis
in [Bha05] for the asynchronous case, and [BR06] for the synchronous one.
Related Work Merlin and von Bochmann [MvB83] proposed the submodule construction problem (also called equa-
tion solving or factorisation) for communication protocol specification and synthesis. Given a module specification
S and a submodule specification M
1
in terms of labelled transition systems, they proposed a method to construct a
submodule M
2
such that M
1
and M
2
together realise the specification S by synchronous interaction. Haghverdi and
Ural [HU99] gave a more formal presentation of the problem and an algorithm for its solution using prefix-closed finite
state machines as descriptions of submodules. One limitation of this solution is that the notion of correct realisation is
trace equivalence which is well known not to preserve certain behavioural properties such as the presence of deadlock.
This problem was addressed in the context of equation solving for CCS processes using observational equivalence or
strong bisimulation (see [Mil89]) by various researchers. A representative sample can be found in Shields [Shi89],
Parrow [Par89] and Larsen and Xinxin [LX90]. Yevtushenko et al. [YVB
+
01, YVB
+
02] study the related problem of
language equation solving for both synchronous and parallel (interleaving) composition in the context of synchronous
and asynchronous circuits. The main difference between the works cited above and ours is that we consider models
of open systems with an asymmetry between inputs and outputs. This naturally leads to the game formulation and
alternating simulation as the behavioural preorder captured by the interface automata formalism.
The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to
B¨uchi and Landwebers’ solution of Church’s problem [BL69]. More recent applications of the idea in the synthesis of
open systems occur in [PR89, MPS95, MT98]. The control of discrete event systems was introduced by Ramdage and
Wonham [RW89] using a language theoretic approach, where the ‘controllable’ and ‘uncontrollable’ actions clearly
correspond to the moves of the player and the opponent in a corresponding game. The use of games for the synthesis of
converters for mismatched protocols by Passerone et al. [PdAHSV02] can be seen as applications of the same general
principle. The present paper uses games to solve the interface synthesis problem, but the solution has a closed form
reminiscent of the submodule construction problem referred to above and the rectification problem of Dill [BDWM93].
The combinatorial details of the game structure is hidden behind the algebraic form of the solution.
Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an
abstract algebraic framework, and makes use of the mirror function in an essential way. The work provides sufficient
4 P. Bhaduri and S. Ramesh
conditions for characterising all controllers that satisfy a specification when composed with a plant. One possible
future work is to investigate the relationship between agent algebras and our interface synthesis framework.
2. Asynchronous Interfaces: Interface Automata
In this section we define interface automata and their composition and refinement. We follow the game formulation
presented in [dA03]. Throughout this work we consider only deterministic interface automata.
Definition 2.1. An interface automaton P is a tuple (S
P
, S
0
P
, A
I
P
, A
O
P
, Γ
I
P
, Γ
O
P
, δ
P
) where:
• S
P
is a finite set of states.
• S
0
P
⊆ S
P
is the set of initial states, which has at most one element, denoted s
0
P
.
• A
I
P
and A
O
P
are disjoint sets of input and output actions. The set A
P
= A
I
P
∪ A
O
P
is the set of all actions.
• Γ
I
P
: S
P
→ 2
A
I
P
is a map assigning to each state s ∈ S
P
a set (possibly empty) of input moves. Similarly,
Γ
O
P
: S
P
→ 2
A
O
P
assigns to each state s ∈ S
P
a set (again, possibly empty) of output moves. The input and
output moves at a state s correspond to actions that can be accepted and generated at s respectively. Denote by
Γ
P
(s) = Γ
I
P
(s) ∪ Γ
O
P
(s) the set of all actions at s.
• δ
P
: S
P
× A
P
→ S
P
is a transition function associating a target state δ
P
(s, a) with each state s ∈ S
P
and action
a ∈ A
P
. Note that the value δ
P
(s, a) makes sense only when a ∈ Γ
P
(s). When a /∈ Γ
P
(s), the value can be
arbitrary.
The interface automaton P is said to be empty when its set of initial states S
0
P
is empty. Empty interface automata
arise when incompatible automata are composed.
Definition 2.2. An input strategy for P is a map π
I
: S
+
P
→ 2
A
I
P
satisfying π
I
(σs) ⊆ Γ
I
P
(s) for all s ∈ S
P
and
σ ∈ S
∗
P
. An output strategy π
O
: S
+
P
→ 2
A
O
P
is defined similarly. The set of input and output strategies of P are
denoted by Π
I
P
and Π
O
P
respectively.
Note In keeping with [dA03], we have given the general definition of strategy, where the moves can depend on the
history of the game. It turns out that for the case of safety games we consider in this paper, it is enough to consider
only memoryless strategies, where the current state suffices to define the set of moves. This simplification will be made
in Section 6 while discussing the synchronous interface automata.
An input and output strategy jointly determine a set of traces in S
+
P
as follows. At each step, if the input strategy
proposes a set B
I
of actions, and the output strategy proposes a set B
O
of actions, an action from B
I
∪ B
O
is chosen
nondeterministically.
Definition 2.3. Given a state s ∈ S
P
, and input strategy π
I
and an output strategy π
O
, the set Outcomes(s, π
I
, π
O
) ⊆
S
+
P
of resulting plays is defined inductively as follows:
• s ∈ Outcomes
P
(s, π
I
, π
O
);
• if σt ∈ Outcomes(s, π
I
, π
O
) for σ ∈ S
+
P
and t ∈ S
P
, then for all a ∈ π
I
(σt)∪ π
O
(σt) the sequence σtδ
P
(s, a) ∈
Outcomes
P
(s, π
I
, π
O
).
A state s ∈ S
P
is said to be reachable in P , if there is a sequence of states s
0
, s
1
, . . . , s
n
with s
0
∈ S
0
P
, s
n
= s,
and for all 0 ≤ k < n there is a
k
∈ Γ
P
(s
k
) such that δ
P
(s
k
, a
k
) = s
k+1
. Reach(P ) denotes the set of reachable
states of P
The refinement of interface automata is known as alternating simulation, the right notion of simulation between
games [AHKV98]. Intuitively, an alternating simulation ρ ⊆ S
P
× S
Q
from P to Q is a relation for which (s, t) ∈ ρ
implies all input moves from t can be simulated by s and all output moves from s can be simulated by t.
Definition 2.4. An alternating simulation ρ from P to Q is a relation ρ ⊆ S
P
× S
Q
such that, for all (s, t) ∈ ρ and
all a ∈ Γ
I
Q
(t) ∪ Γ
O
P
(s), the following conditions are satisfied:
1. Γ
I
Q
(t) ⊆ Γ
I
P
(s);
2. Γ
O
P
(s) ⊆ Γ
O
Q
(t);
Interface Synthesis and Protocol Conversion 5
3. (δ
P
(s, a), δ
Q
(t, a)) ∈ ρ.
Refinement between interface automata is defined as the existence of an alternating simulation between the initial
states.
Definition 2.5. An interface automaton P refines an interface automaton Q, written P Q, if the following condi-
tions are satisfied:
1. A
I
Q
⊆ A
I
P
;
2. A
O
P
⊆ A
O
Q
;
3. there is an alternating simulation ρ from P to Q, such that (s
0
, t
0
) ∈ ρ for some s
0
∈ S
0
P
and t
0
∈ S
0
Q
.
We now define the parallel composition P k Q of interface automata P and Q in a series of steps.
Definition 2.6. P and Q are composable if A
O
P
∩ A
O
Q
= ∅.
We first define the product automaton P ⊗Q of two composable interface automata P and Q, by synchronising their
shared actions and interleaving all others. The set of shared actions of P and Q is defined by Shared(P, Q) = A
P
∩A
Q
.
Definition 2.7. The product P ⊗ Q of two composable interface automata P and Q is defined by
• S
P ⊗Q
= S
P
× S
Q
;
• S
0
P ⊗Q
= S
0
P
× S
0
Q
;
• A
I
P ⊗Q
= (A
I
P
∪A
I
Q
)\Comm(P, Q) where Comm(P, Q) = (A
O
P
∩A
I
Q
)∪(A
I
P
∩A
O
Q
) is the set of communication
actions, a subset of Shared(P, Q);
• A
O
P ⊗Q
= A
O
P
∪ A
O
Q
;
• Γ
I
P ⊗Q
((s, t)) = (Γ
I
P
(s)\(A
O
Q
∪ A
I
Q
)) ∪ (Γ
I
Q
(t)\(A
O
P
∪ A
I
P
)) ∪ (Γ
I
P
(s) ∩ Γ
I
Q
(t)) for all (s, t) ∈ S
P
× S
Q
;
• Γ
O
P ⊗Q
((s, t)) = Γ
O
P
(s) ∪ Γ
O
Q
(t), for all (s, t) ∈ S
P
× S
Q
;
• for all a ∈ A
P ⊗Q
,
δ
P ⊗Q
((s, t), a) =
(
(δ
P
(s, a), δ
Q
(t, a)) if a ∈ A
P
∩ A
Q
(δ
P
(s, a), t) if a ∈ A
P
\A
Q
(s, δ
Q
(t, a)) if a ∈ A
Q
\A
P
Note There is an asymmetry between input and output actions in the above definition. An input and output action with
the same label combine to form an output action. The intent is to model multi-way broadcast communication, as in the
version of interface automata defined in [dA03] and in I/O automata [LT87]. This is in contrast to the original version
defined in [dAH01], where an input and an output action with the same name combine to give an internal action.
Since interface automata need not be input enabled, there may be reachable states in P ⊗Q where a communication
action can be output by one of the automaton but cannot be accepted as input by the other. These states are called locally
incompatible.
Definition 2.8. The set Incomp(P, Q) of locally incompatible states of P and Q consists of all pairs (s, t) ∈ S
P
×S
Q
for which one of the following two conditions hold:
1. ∃a ∈ Comm(P, Q) such that a ∈ Γ
O
P
(s) but a /∈ Γ
I
Q
(t),
2. ∃a ∈ Comm(P, Q) such that a ∈ Γ
O
Q
(t) but a /∈ Γ
I
P
(s).
A local incompatibility can be avoided if there is a helpful environment, which by providing the right sequence
of inputs can steer the automaton away from such an undesirable state. The states from which Input can prevent the
product P ⊗ Q from reaching a state in Incomp(P, Q) are called compatible. In other words, the compatible states are
those from which Input has a winning strategy.
Definition 2.9. A state s ∈ S
P ⊗Q
is compatible if there is an input strategy π
I
∈ Π
I
P ⊗Q
such that, for all output
strategies π
O
∈ Π
O
P ⊗Q
, all σ ∈ Outcomes
P ⊗Q
(s, π
I
, π
O
) and all incompatible states w ∈ Incomp(P, Q), the state w
does not appear in the sequence σ.