scispace - formally typeset
Search or ask a question
Journal ArticleDOI

Interface synthesis and protocol conversion

27 Feb 2008-Formal Aspects of Computing (Springer-Verlag)-Vol. 20, Iss: 2, pp 205-224
TL;DR: The problem of synthesising an interface R such that P composed with R refines Q is investigated, and it is shown that a solution exists iff P and Q are compatible, and the most general solution is given by(P \parallel Q^\ Bot)^\bot, where P is the interface P with inputs and outputs interchanged.
Abstract: Given deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such that P composed with R refines Q. We show that a solution exists iff P and $$Q^\bot$$ are compatible, and the most general solution is given by $$(P \parallel Q^\bot)^\bot$$, where $$P^\bot$$ is the interface P with inputs and outputs interchanged. Remarkably, the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata formalism of de Alfaro and Henzinger. For the synchronous case, we give a new definition of synchronous interface automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observable nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in the automaton $$(P \otimes Q^\bot)^\bot$$, and the most general solution in terms of the most permissive winning strategy. We apply the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous domains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols. In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-chip designs. The work reported here is based on earlier work on interface synthesis in Bhaduri (Third international symposium on automated technology for verification and analysis, ATVA 2005, pp 338–353, 2005) for the asynchronous case, and Bhaduri and Ramesh (Sixth international conference on application of concurrency to system design, ACSD 2006, pp 208–216) for the synchronous one.

Summary (2 min read)

1. Introduction

  • Interfaces play a central role in component based design and verification of systems.
  • Interface automata are a formalism for reasoning about composition and refinement of component interfaces in terms of the protocol aspects of component behaviour.
  • The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to Büchi and Landwebers’ solution of Church’s problem [BL69].
  • Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an abstract algebraic framework, and makes use of the mirror function in an essential way.

2. Asynchronous Interfaces: Interface Automata

  • In this section the authors define interface automata and their composition and refinement.
  • Throughout this work the authors consider only deterministic interface automata.
  • This is in contrast to the original version defined in [dAH01], where an input and an output action with the same name combine to give an internal action.
  • The authors call these states backward compatible.
  • This implies there is an input strategy πI for P ⊗Q which avoids all locally incompatible states starting from s0P⊗Q, no matter what the output strategy is.

3. Synthesis of Interface Automata

  • The synthesis problem for interface automata is as follows.
  • Here Fig. 1 presents three examples to illustrate the synthesis idea with given interface automata P and Q.
  • The solution is essentially identical with Q, except for the polarity of action b. Notation First the authors prove a result about compatibility that is used in Theorem 3.3 below.

4. Winning Strategies and Synthesis

  • Since the orders are lattices, the most permissive strategy exists, as is given by the lattice join.
  • The authors then show that the parallel composition P ‖ Q can be extracted from the most permissive winning strategy for Input.
  • Note that the bottom elements are the empty strategies, which are allowed by the definition of strategies.
  • From Definition 2.10, this implies that the set T of backward compatible states is empty, and hence by Definition 2.11 the composition P ‖ Q is empty.
  • The complexity of the algorithm is linear in the size of the game graph.

5. Application: Network Protocol Conversion

  • In today’s world, global communication over heterogeneous networks of computers can often lead to protocol mismatches between communicating entities.
  • The authors illustrate the use of interface synthesis to the protocol conversion problem through an example adapted from [KNM97].
  • When the authors want the two protocols above to work together without causing any inconsistency by using a converter, they need to specify what the converter is allowed and not allowed to do.
  • The specification S for the converter relates the two actions sets by specifying temporal ordering of actions.

6. Synchronous Interface Automata

  • In earlier sections the authors have presented the synthesis problem and its solution for interface automata, a formalism intended for component-based modelling and development of asynchronous systems.
  • The authors SIA model essentially defines Mealy automata with explicit input assumptions and output guarantees.
  • The game view of interface composition and refinement then applies mutatis mutandis to the synchronous setting.
  • Let P and Q be two SIA with I/O signatures as above.

7. Synthesis of Synchronous Interfaces

  • Here P⊥ has the same interpretation as in the asynchronous case.
  • First the authors prove a result about compatibility that is used in Theorem 7.2 below.
  • The complexity of computing (P ‖ Q⊥)⊥ is again O(|P ||Q|) using the standard iterative refinement technique as in the asynchronous case.

8. Converter Synthesis

  • In this section the authors show how the SIA framework and the interface synthesis procedure described in Section 7 can be used to synthesise a protocol converter for two IP blocks that have incompatible protocols of interaction.
  • Sometimes the authors indicate a don’t care explicitly by a signal T. Fig. 7 illustrates the synchronous interfaces for two mismatched protocols.
  • The authors ignore all data values such as addresses, and consider only boolean control values.
  • The authors require that the system as a whole (the two protocols along with the converter) satisfies the interface described by Fig.

Did you find this useful? Give us your feedback

Content maybe subject to copyright    Report

To appear in Formal Aspects of Computing, 2007
Interface Synthesis and Protocol Conversion
Purandar Bhaduri
1
and S. Ramesh
2
1
Department of Computer Science and Engineering
Indian Institute of Technology Guwahati, India
2
India Science Lab, GM R&D Centre, Bangalore, India
Abstract. Given deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such
that P composed with R refines Q. We show that a solution exists iff P and Q
are compatible, and the most general
solution is given by (P k Q
)
, where P
is the interface P with inputs and outputs interchanged. Remarkably,
the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata
formalism of de Alfaro and Henzinger. For the synchronous case, we give a new definition of synchronous interface
automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observ-
able nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in
the automaton (P Q
)
, and the most general solution in terms of the most permissive winning strategy. We apply
the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous do-
mains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols.
In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-
chip designs. The work reported here is based on earlier work on interface synthesis in [Bha05] for the asynchronous
case, and [BR06] for the synchronous one.
Keywords: Interface automata; component compatibility; interface synthesis; protocol conversion.
1. Introduction
Interfaces play a central role in component based design and verification of systems. In this paper we study the
problem of synthesising an interface R, which composed with a known interface P is a refinement of an interface Q.
This is a central problem in component based top-down design of a system. The interface Q is an abstract interface, a
high level specification of the component under development. The interface P is a known part of the implementation
and we are required to find the most general (i.e., abstract) solution R satisfying the relation P k R Q, when it
exists. Here P k Q is the composition of P and Q, and P Q denotes P is a refinement of Q’. This problem
has wide ranging applications such as logic synthesis, design of discrete controllers, communication gateway design
and protocol conversion, and has been studied previously in different contexts see [MvB83, Shi89, Par89, LX90,
HU99, YVB
+
01, YVB
+
02]. We study two versions of the problem, one for the asynchronous and the other for the
Correspondence and offprint requests to: Purandar Bhaduri, Department of Computer Science and Engineering, Indian Institute of Technology
Guwahati, Guwahati 781039, India. Tel: +91 316 2582360. Fax: +91 361 269 2787. e-mail: pbhaduri@iitg.ernet.in

2 P. Bhaduri and S. Ramesh
synchronous case, in the setting of interface automata [dAH01], where composition and refinement of interfaces are
respectively the composition of interface automata and alternating refinement relations[AHKV98].
Interface automata are a formalism for reasoning about composition and refinement of component interfaces in
terms of the protocol aspects of component behaviour. They are like ordinary automata, except for the distinction
between input and output actions. The input actions of an interface automaton P are controlled by its environment.
Therefore an input action labelling a transition is an input assumption (or constraint on P s environment). Dually,
an output action of P is under P s control, and represents an an output guarantee of P . Unlike I/O automata [LT87],
interface automata are not required to be input enabled. If an input action a is not enabled at a state s, it is an assumption
on the automaton’s environment that it will not provide a as an input in state s.
When two interfaces P and Q are composed, the combined interface may contain incompatible states: states
where one interface can generate an output that is not a legal input for the other. In the combined interface it is the
environment’s responsibility to ensure that such a state is unreachable [dAH01]. This can be formalised as a two person
game [dAH01] which has the same flavour as the controller synthesis problem of Ramadge and Wonham [RW89]; in
our setting the role of the controller is played by the environment. More formally, we follow de Alfaro [dA03] in
modelling an interface as a game between two players, Output and Input. Player Output represents the system and its
moves represent the outputs generated by the system. Player Input represents the environment; its moves represent the
inputs the system receives from its environment. In general, the set of available moves of each player depends on the
current state of the combined system. The interface is well-formed if the Input player has a winning strategy in the
game, where the winning condition is to avoid all incompatible states. Clearly, the game aspect is relevant only when
defining the composition of two interfaces.
Refinement of interfaces corresponds to weakening assumptions and strengthening guarantees. An interface P re-
fines Q only if P can be used in any environment where Q can be. The usual notion of refinement is simulation or trace
containment [LT87]. For interface automata, a more appropriate notion is that of alternating simulation [AHKV98],
which is contravariant on inputs and covariant on outputs: if P Q (P refines Q), P accepts more inputs (weaker
input assumptions) and provides fewer outputs (stronger output guarantees). Thus alternating refinement preserves
compatibility: if P and Q are compatible (i.e., P k Q is well-formed) and P
0
P , then so are P
0
and Q. The basic
notions of interface automata are summarised in Section 2.
In Section 3 we show that a solution to P k R Q for R exists for deterministic interface automata iff P and
Q
are compatible, and the most abstract (under alternating refinement) solution is given by (P k Q
)
. Further, in
Section 4 we show that such an R can be constructed from the most permissive winning strategy for player Input in the
combined game (P Q
)
. Here P
is the game P with the moves of the players Input and and Output interchanged,
and P Q is the combined game obtained from P and Q by synchronising on shared actions and interleaving the rest.
We say a strategy π is more permissive than π
0
when, at every position in the game, the set of moves allowed by π
includes those allowed by π
0
. The most permissive winning strategy is one that is least restrictive. This result ties up
the relation between composition, refinement, synthesis and winning strategies, and should be seen as one more step
towards a “uniform framework for the study of control, verification, component-based design, and implementation of
open systems”, based on games [dA03].
Note that the notation P
is borrowed from linear logic [Gir87], where games play an important semantic
role [Bla92]. Using the notation of linear logic, the solution R to the synthesis problem can be written as (P Q
)
=
P
OQ = P ( Q, where , O and ( are respectively, the linear logic connectives ‘With’, ‘Par’ and linear implica-
tion. In our setting, the connective of linear logic is parallel composition k. The striking similarity of this solution
with submodule construction by von Bochmann in [vB02] and the language equation posed by Yevtushenko et al.in
[YVB
+
01, YVB
+
02] is intriguing. In these works, the largest solution of the language equation P R Q for R is
the language
P Q where P Q is the synchronous (or parallel) composition of languages P and Q, and P is the
complement of P . Clearly, there is a formal correspondence between P Q and our P k Q, between P and our P
,
and between language inclusion and alternating simulation.
We should also mention the formal resemblance of our work with Abramsky’s Semantics of Interaction [Abr97],
based on the game semantics of linear logic. In particular, the strategy called Application (or Modus Ponens) in [Abr97]
is the solution to our synthesis problem in a different setting. The solution R = P ( Q suggests that the problem
of synthesis can be seen as the construction of a suitable morphism in an appropriate category of interface automata,
along the lines of [MT98, Tab04]. However, we do not pursue this thread in this paper.
There is also a similarity between our work and the solution to the rectification problem given in [BDWM93], using
Dill’s trace theory [Dil89]. The results in [BDWM93] are applicable to combinational circuits i.e., interfaces without
any state. In [BDWM93] P , Q, R are combinational circuits modelled as input-output relations and || the circuit
composition operator; mir is the mirror function that swaps inputs and outputs and complements the input-output

Interface Synthesis and Protocol Conversion 3
relation; is the conformance relation which captures the implementation relation between circuits and specifications.
The rectification problem solved in [BDWM93] is the following: when can a small subnetwork of a combinational
circuit be replaced by another less expensive one? The answer to the rectification problem is provided by a general
theorem that states that if Q is a specification of the entire circuit then a replacement subnetwork P combined with the
rest of the circuit R will satisfy the specification Q (i.e., P k R Q) iff R mir(P k mir(Q)) (modulo a projection
operator used to ignore the internal signals of a composed circuit). Clearly, this has the same form as our solution to
the synthesis problem.
As a practical application, in the asynchronous case, in Section 5 we show how to apply interface synthesis to
the protocol conversion problem for mismatched network protocols. The heterogeneity of existing networks often
results in incompatible protocols trying to communicate with each other. The protocol conversion problem is, given
two network protocols P
1
and P
2
which are mismatched, to come up with a converter C which mediates between the
two protocols, such that the combined system conforms to an overall specification S. We show that a converter C, if it
exists, can be obtained as the solution to P k C S, where P = P
1
k P
2
is the composition of the two protocols.
For the synchronous case, in Section 6 we present synchronous interface automata for reasoning about composition
and refinement of synchronous hardware components, such as intellectual property (IP) blocks in system-on-chip
(SoC) designs. In Section 7 we pose and solve the same synthesis problem as in the asynchronous case. What is
remarkable is, the solutions for the asynchronous and synchronous versions have the same form, namely the most
general solution to P k R Q exists iff P and Q
are compatible, and is given by R = (P k Q
)
. This points to
a unified theory of interface synthesis underlying both the asynchronous and synchronous cases. The work on agent
algebras by Passeroneet al. [BPSV03, Pas04] seems to bear this out. In Section 8 we show how to apply the synthesis
method to automatically synthesise protocol converters for mismatched IP blocks.
To summarise the main contributions of this paper, we have an algebraic characterisation of solutions to the prob-
lem of synthesis of interface automata, where the operators are parallel composition P k Q and ‘mirror’ P
. The
synthesis algorithm relies on the computation of winning strategies in games implicit in the definition of parallel
composition for interface automata. The algorithm is the standard iterative fixed point computation using control-
lable predecessors for solving safety games (see [Tho95]). The usefulness of the solution to the synthesis problem
is demonstrated both in the asynchronous and synchronous cases by providing automated methods of constructing
protocol converters. This provides a unified theory and an algorithm for solving protocol conversion problems which
have appeared in the literature in many guises. The work reported here is based on earlier work on interface synthesis
in [Bha05] for the asynchronous case, and [BR06] for the synchronous one.
Related Work Merlin and von Bochmann [MvB83] proposed the submodule construction problem (also called equa-
tion solving or factorisation) for communication protocol specification and synthesis. Given a module specification
S and a submodule specification M
1
in terms of labelled transition systems, they proposed a method to construct a
submodule M
2
such that M
1
and M
2
together realise the specification S by synchronous interaction. Haghverdi and
Ural [HU99] gave a more formal presentation of the problem and an algorithm for its solution using prefix-closed finite
state machines as descriptions of submodules. One limitation of this solution is that the notion of correct realisation is
trace equivalence which is well known not to preserve certain behavioural properties such as the presence of deadlock.
This problem was addressed in the context of equation solving for CCS processes using observational equivalence or
strong bisimulation (see [Mil89]) by various researchers. A representative sample can be found in Shields [Shi89],
Parrow [Par89] and Larsen and Xinxin [LX90]. Yevtushenko et al. [YVB
+
01, YVB
+
02] study the related problem of
language equation solving for both synchronous and parallel (interleaving) composition in the context of synchronous
and asynchronous circuits. The main difference between the works cited above and ours is that we consider models
of open systems with an asymmetry between inputs and outputs. This naturally leads to the game formulation and
alternating simulation as the behavioural preorder captured by the interface automata formalism.
The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to
B¨uchi and Landwebers’ solution of Church’s problem [BL69]. More recent applications of the idea in the synthesis of
open systems occur in [PR89, MPS95, MT98]. The control of discrete event systems was introduced by Ramdage and
Wonham [RW89] using a language theoretic approach, where the ‘controllable’ and ‘uncontrollable’ actions clearly
correspond to the moves of the player and the opponent in a corresponding game. The use of games for the synthesis of
converters for mismatched protocols by Passerone et al. [PdAHSV02] can be seen as applications of the same general
principle. The present paper uses games to solve the interface synthesis problem, but the solution has a closed form
reminiscent of the submodule construction problem referred to above and the rectification problem of Dill [BDWM93].
The combinatorial details of the game structure is hidden behind the algebraic form of the solution.
Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an
abstract algebraic framework, and makes use of the mirror function in an essential way. The work provides sufficient

4 P. Bhaduri and S. Ramesh
conditions for characterising all controllers that satisfy a specification when composed with a plant. One possible
future work is to investigate the relationship between agent algebras and our interface synthesis framework.
2. Asynchronous Interfaces: Interface Automata
In this section we define interface automata and their composition and refinement. We follow the game formulation
presented in [dA03]. Throughout this work we consider only deterministic interface automata.
Definition 2.1. An interface automaton P is a tuple (S
P
, S
0
P
, A
I
P
, A
O
P
, Γ
I
P
, Γ
O
P
, δ
P
) where:
S
P
is a finite set of states.
S
0
P
S
P
is the set of initial states, which has at most one element, denoted s
0
P
.
A
I
P
and A
O
P
are disjoint sets of input and output actions. The set A
P
= A
I
P
A
O
P
is the set of all actions.
Γ
I
P
: S
P
2
A
I
P
is a map assigning to each state s S
P
a set (possibly empty) of input moves. Similarly,
Γ
O
P
: S
P
2
A
O
P
assigns to each state s S
P
a set (again, possibly empty) of output moves. The input and
output moves at a state s correspond to actions that can be accepted and generated at s respectively. Denote by
Γ
P
(s) = Γ
I
P
(s) Γ
O
P
(s) the set of all actions at s.
δ
P
: S
P
× A
P
S
P
is a transition function associating a target state δ
P
(s, a) with each state s S
P
and action
a A
P
. Note that the value δ
P
(s, a) makes sense only when a Γ
P
(s). When a / Γ
P
(s), the value can be
arbitrary.
The interface automaton P is said to be empty when its set of initial states S
0
P
is empty. Empty interface automata
arise when incompatible automata are composed.
Definition 2.2. An input strategy for P is a map π
I
: S
+
P
2
A
I
P
satisfying π
I
(σs) Γ
I
P
(s) for all s S
P
and
σ S
P
. An output strategy π
O
: S
+
P
2
A
O
P
is defined similarly. The set of input and output strategies of P are
denoted by Π
I
P
and Π
O
P
respectively.
Note In keeping with [dA03], we have given the general definition of strategy, where the moves can depend on the
history of the game. It turns out that for the case of safety games we consider in this paper, it is enough to consider
only memoryless strategies, where the current state suffices to define the set of moves. This simplification will be made
in Section 6 while discussing the synchronous interface automata.
An input and output strategy jointly determine a set of traces in S
+
P
as follows. At each step, if the input strategy
proposes a set B
I
of actions, and the output strategy proposes a set B
O
of actions, an action from B
I
B
O
is chosen
nondeterministically.
Definition 2.3. Given a state s S
P
, and input strategy π
I
and an output strategy π
O
, the set Outcomes(s, π
I
, π
O
)
S
+
P
of resulting plays is defined inductively as follows:
s Outcomes
P
(s, π
I
, π
O
);
if σt Outcomes(s, π
I
, π
O
) for σ S
+
P
and t S
P
, then for all a π
I
(σt) π
O
(σt) the sequence σ
P
(s, a)
Outcomes
P
(s, π
I
, π
O
).
A state s S
P
is said to be reachable in P , if there is a sequence of states s
0
, s
1
, . . . , s
n
with s
0
S
0
P
, s
n
= s,
and for all 0 k < n there is a
k
Γ
P
(s
k
) such that δ
P
(s
k
, a
k
) = s
k+1
. Reach(P ) denotes the set of reachable
states of P
The refinement of interface automata is known as alternating simulation, the right notion of simulation between
games [AHKV98]. Intuitively, an alternating simulation ρ S
P
× S
Q
from P to Q is a relation for which (s, t) ρ
implies all input moves from t can be simulated by s and all output moves from s can be simulated by t.
Definition 2.4. An alternating simulation ρ from P to Q is a relation ρ S
P
× S
Q
such that, for all (s, t) ρ and
all a Γ
I
Q
(t) Γ
O
P
(s), the following conditions are satisfied:
1. Γ
I
Q
(t) Γ
I
P
(s);
2. Γ
O
P
(s) Γ
O
Q
(t);

Interface Synthesis and Protocol Conversion 5
3. (δ
P
(s, a), δ
Q
(t, a)) ρ.
Refinement between interface automata is defined as the existence of an alternating simulation between the initial
states.
Definition 2.5. An interface automaton P refines an interface automaton Q, written P Q, if the following condi-
tions are satisfied:
1. A
I
Q
A
I
P
;
2. A
O
P
A
O
Q
;
3. there is an alternating simulation ρ from P to Q, such that (s
0
, t
0
) ρ for some s
0
S
0
P
and t
0
S
0
Q
.
We now define the parallel composition P k Q of interface automata P and Q in a series of steps.
Definition 2.6. P and Q are composable if A
O
P
A
O
Q
= .
We first define the product automaton P Q of two composable interface automata P and Q, by synchronising their
shared actions and interleaving all others. The set of shared actions of P and Q is defined by Shared(P, Q) = A
P
∩A
Q
.
Definition 2.7. The product P Q of two composable interface automata P and Q is defined by
S
P Q
= S
P
× S
Q
;
S
0
P Q
= S
0
P
× S
0
Q
;
A
I
P Q
= (A
I
P
A
I
Q
)\Comm(P, Q) where Comm(P, Q) = (A
O
P
A
I
Q
)(A
I
P
A
O
Q
) is the set of communication
actions, a subset of Shared(P, Q);
A
O
P Q
= A
O
P
A
O
Q
;
Γ
I
P Q
((s, t)) =
I
P
(s)\(A
O
Q
A
I
Q
))
I
Q
(t)\(A
O
P
A
I
P
))
I
P
(s) Γ
I
Q
(t)) for all (s, t) S
P
× S
Q
;
Γ
O
P Q
((s, t)) = Γ
O
P
(s) Γ
O
Q
(t), for all (s, t) S
P
× S
Q
;
for all a A
P Q
,
δ
P Q
((s, t), a) =
(
(δ
P
(s, a), δ
Q
(t, a)) if a A
P
A
Q
(δ
P
(s, a), t) if a A
P
\A
Q
(s, δ
Q
(t, a)) if a A
Q
\A
P
Note There is an asymmetry between input and output actions in the above definition. An input and output action with
the same label combine to form an output action. The intent is to model multi-way broadcast communication, as in the
version of interface automata defined in [dA03] and in I/O automata [LT87]. This is in contrast to the original version
defined in [dAH01], where an input and an output action with the same name combine to give an internal action.
Since interface automata need not be input enabled, there may be reachable states in P Q where a communication
action can be output by one of the automaton but cannot be accepted as input by the other. These states are called locally
incompatible.
Definition 2.8. The set Incomp(P, Q) of locally incompatible states of P and Q consists of all pairs (s, t) S
P
×S
Q
for which one of the following two conditions hold:
1. a Comm(P, Q) such that a Γ
O
P
(s) but a / Γ
I
Q
(t),
2. a Comm(P, Q) such that a Γ
O
Q
(t) but a / Γ
I
P
(s).
A local incompatibility can be avoided if there is a helpful environment, which by providing the right sequence
of inputs can steer the automaton away from such an undesirable state. The states from which Input can prevent the
product P Q from reaching a state in Incomp(P, Q) are called compatible. In other words, the compatible states are
those from which Input has a winning strategy.
Definition 2.9. A state s S
P Q
is compatible if there is an input strategy π
I
Π
I
P Q
such that, for all output
strategies π
O
Π
O
P Q
, all σ Outcomes
P Q
(s, π
I
, π
O
) and all incompatible states w Incomp(P, Q), the state w
does not appear in the sequence σ.

Citations
More filters
Journal Article
TL;DR: In this paper, the authors present algorithms for the automatic synthesis of real-time controllers by finding a winning strategy for certain games defined by the timed-automata of Alur and Dill.
Abstract: This paper presents algorithms for the automatic synthesis of real-time controllers by finding a winning strategy for certain games defined by the timed-automata of Alur and Dill. In such games, the outcome depends on the players' actions as well as on their timing. We believe that these results will pave the way for the application of program synthesis techniques to the construction of real-time embedded systems from their specifications.

524 citations

Book
28 Mar 2018
TL;DR: This paper intends to provide treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity, and provides an important link between interfaces and contracts to show similarities and correspondences.
Abstract: Recently, contract-based design has been proposed as an “orthogonal” approach that complements system design methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis, abstraction/refinement, and even synthesis. A number of results have been obtained in this domain but a unified treatment of the topic that can help put contract-based design in perspective was missing. This monograph intends to provide such a treatment where contracts are precisely defined and characterized so that they can be used in design methodologies with no ambiguity. In particular, this monograph identifies the essence of complex system design using contracts through a mathematical “meta-theory”, where all the properties of the methodology are derived from a very abstract and generic notion of contract. We show that the meta-theory provides deep and illuminating links with existing contract and interface theories, as well as guidelines for designing new theories. Our study encompasses contracts for both software and systems, with emphasis on the latter. We illustrate the use of contracts with two examples: requirement engineering for a parking garage management, and the development of contracts for timing and scheduling in the context of the AUTOSAR methodology in use in the automotive sector.

238 citations

Book
01 Jan 2004
TL;DR: This poster presents a probabilistic procedure to characterize the response of the immune system to the presence of foreign substances such as cadmium, which is a natural component of infectious disease.
Abstract: ion Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Pei-Hsin Ho

106 citations

Journal Article
TL;DR: In this article, the authors present interface models that describe both the input assumptions of a component and its output behavior, and provide a compatibility check for component-based design, enabling us to check that the output behavior of the component satisfies the design specification only when the inputs assumptions of the specification are satisfied.
Abstract: We present interface models that describe both the input assumptions of a component, and its output behavior. By enabling us to check that the input assumptions of a component are met in a design, interface models provide a compatibility check for component-based design. When refining a design into an implementation, interface models require that the output behavior of a component satisfies the design specification only when the input assumptions of the specification are satisfied, yielding greater flexibility in the choice of implementations. Technically, our interface models are games between two players, Input and Output; the duality of the players accounts for the dual roles of inputs and outputs in composition and refinement. We present two interface models in detail, one for a simple synchronous form of interaction between components typical in hardware, and the other for more complex synchronous interactions on bidirectional connections. As an example, we specify the interface of a bidirectional bus, with the input assumption that at any time at most one component has write access to the bus. For these interface models, we present algorithms for compatibility and refinement checking, and we describe efficient symbolic implementations.

66 citations

01 Jul 2015
TL;DR: This paper intends to provide treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity, and provides an important link between interface and contract theories to show similarities and correspondences.
Abstract: Aircrafts, trains, cars, plants, distributed telecommunication military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go severely over budget so as to threaten the health of entire industrial sectors. Heuristic methods and standard practices do not seem to scale with complexity so that novel design methods and tools based on a strong theoretical foundation are sorely needed. Model-based design as well as other methodologies such as layered and compositional design have been used recently but a unified intellectual framework with a complete design flow supported by formal tools is still lacking. Recently an “orthogonal” approach has been proposed that can be applied to all methodologies introduced thus far to provide a rigorous scaffolding for verification, analysis and abstraction/refinement: contractbased design. Several results have been obtained in this domain but a unified treatment of the topic that can help in putting contract-based design in perspective is missing. This paper intends to provide such treatment where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity. In addition, the paper provides an important link between interface and contract theories to show similarities and correspondences. This paper is complemented by a companion paper where contract based design is illustrated through use cases.

52 citations


Cites methods from "Interface synthesis and protocol co..."

  • ...In [42], incremental design of deterministic Interface Automata is studied....

    [...]

References
More filters
Book ChapterDOI
27 Jul 2002
TL;DR: This work presents interface models that describe both the input assumptions of a component, and its output behavior, and presents algorithms for compatibility and refinement checking, and describes efficient symbolic implementations.
Abstract: We present interface models that describe both the input assumptions of a component, and its output behavior. By enabling us to check that the input assumptions of a component are met in a design, interface models provide a compatibility check for component-based design. When refining a design into an implementation, interface models require that the output behavior of a component satisfies the design specification only when the input assumptions of the specification are satisfied, yielding greater flexibility in the choice of implementations. Technically, our interface models are games between two players, Input and Output; the duality of the players accounts for the dual roles of inputs and outputs in composition and refinement. We present two interface models in detail, one for a simple synchronous form of interaction between components typical in hardware, and the other for more complex synchronous interactions on bidirectional connections. As an example, we specify the interface of a bidirectional bus, with the input assumption that at any time at most one component has write access to the bus. For these interface models, we present algorithms for compatibility and refinement checking, and we describe efficient symbolic implementations.

68 citations

Journal Article
TL;DR: In this article, the authors present interface models that describe both the input assumptions of a component and its output behavior, and provide a compatibility check for component-based design, enabling us to check that the output behavior of the component satisfies the design specification only when the inputs assumptions of the specification are satisfied.
Abstract: We present interface models that describe both the input assumptions of a component, and its output behavior. By enabling us to check that the input assumptions of a component are met in a design, interface models provide a compatibility check for component-based design. When refining a design into an implementation, interface models require that the output behavior of a component satisfies the design specification only when the input assumptions of the specification are satisfied, yielding greater flexibility in the choice of implementations. Technically, our interface models are games between two players, Input and Output; the duality of the players accounts for the dual roles of inputs and outputs in composition and refinement. We present two interface models in detail, one for a simple synchronous form of interaction between components typical in hardware, and the other for more complex synchronous interactions on bidirectional connections. As an example, we specify the interface of a bidirectional bus, with the input assumption that at any time at most one component has write access to the bus. For these interface models, we present algorithms for compatibility and refinement checking, and we describe efficient symbolic implementations.

66 citations

Journal ArticleDOI
TL;DR: This paper presents a systematic approach to protocol conversion using the theory of supervisory control of discrete event systems and introduces the notion of converter languages to obtain a necessary and sufficient condition for the existence of protocol converter and presents an effective algorithm for computing it whenever it exists.
Abstract: A protocol mismatch occurs when heterogeneous networks try to communicate with each other. Such mismatches are inevitable due to the proliferation of a multitude of networking architectures, hardware, and software on one hand, and the need for global connectivity on the other hand. In order to circumvent this problem the solution of protocol conversion has been proposed. In this paper we present a systematic approach to protocol conversion using the theory of supervisory control of discrete event systems, which was partially first addressed by Inan. We study the problem of designing a converter for a given mismatched pair of protocols, using their specifications, and the specifications for the channel and the user services. We introduce the notion of converter languages and use it to obtain a necessary and sufficient condition for the existence of protocol converter and present an effective algorithm for computing it whenever it exists.

66 citations

Proceedings Article
22 Apr 1996
TL;DR: This analysis suggests a desideratum of Intensional Semantics, interpolating between denotational and operational semantics as traditionally conceived, which should combine the good mathematical structural properties of Denotational semantics with the ability to capture dynamical aspects and to embody computational intuitions of operational semantics.
Abstract: The “classical” paradigm for denotational semantics models data types as domains, i.e. structured sets of some kind, and programs as (suitable) functions between domains. The semantic universe in which the denotational modelling is carried out is thus a category with domains as objects, functions as morphisms, and composition of morphisms given by function composition. A sharp distinction is then drawn between denotational and operational semantics. Denotational semantics is often referred to as “mathematical semantics” because it exhibits a high degree of mathematical structure; this is in part achieved by the fact that denotational semantics abstracts away from the dynamics of computation—from time. By contrast, operational semantics is formulated in terms of the syntax of the language being modelled; it is highly intensional in character; and it is capable of expressing the dynamical aspects of computation. The classical denotational paradigm has been very successful, but has some definite limitations. Firstly, fine-structural features of computation, such as sequentiality, computational complexity, and optimality of reduction strategies, have either not been captured at all denotationally, or not in a fully satisfactory fashion. Moreover, once languages with features beyond the purely functional are considered, the appropriateness of modelling programs by functions is increasingly open to question. Neither concurrency nor “advanced” imperative features such as local references have been captured denotationally in a fully convincing fashion. This analysis suggests a desideratum of Intensional Semantics, interpolating between denotational and operational semantics as traditionally conceived. This should combine the good mathematical structural properties of denotational semantics with the ability to capture dynamical aspects and to embody computational intuitions of operational semantics. Thus we may think of Intensional semantics as “Denotational semantics + time (dynamics)”, or as “Syntax-free operational semantics”. A number of recent developments (and, with hindsight, some older ones) can be seen as contributing to this goal of Intensional Semantics. We will focus on the recent work on Game semantics, which has led to some striking advances in the Full Abstraction problem for PCF and other programming languages (Abramsky et al. 1995) (Abramsky and McCusker 1995) (Hyland and Ong 1995) (McCusker 1996a) (Ong 1996). Our aim is to give a genuinely elementary first introduction; we therefore present a simplified version of game semantics, which nonetheless

50 citations

Proceedings ArticleDOI
04 Nov 2001
TL;DR: In this paper, the parallel language equation A/spl square/X/spl sube/C has been studied in the context of modeling delay-insensitive processes and their environments.
Abstract: The problem of designing a component that, combined with a known part of a system, conforms to a given overall specification arises in several applications ranging from logic synthesis to the design of discrete controllers. We cast the problem as solving abstract equations over languages. Language equations can be defined with respect to several language composition operators such as synchronous composition, /spl middot/, and parallel composition, /spl square/; conformity can be checked by language containment. In this paper, we address parallel language equations. Parallel composition arises in the context of modeling delay-insensitive processes and their environments. The parallel composition operator models an exchange protocol by which an input is followed by an output after a finite exchange of internal signals. It abstracts a system with two components with a single message in transit, such that at each instance either the components exchange messages or one of them communicates with its environment, which submits the next external input to the system only after the system has produced an external output in response to the previous input. We study the most general solutions of the language equation A/spl square/X/spl sube/C, and define the language operators needed to express them. Then we specialize such equations to languages associated with important classes of automata used for modeling systems, e.g., regular languages and FSM languages. In particular, for A/spl square/X/spl sube/C, we give algorithms for computing: the largest FSM language solution, the largest complete solution, and the largest solution whose composition with A yields a complete FSM language. We solve also FSM equations under bounded parallel composition. In this paper, we give concrete algorithms for computing such solutions, and state and prove their correctness.

46 citations

Frequently Asked Questions (2)
Q1. What are the contributions mentioned in the paper "Interface synthesis and protocol conversion" ?

Given deterministic interfaces P and Q, the authors investigate the problem of synthesising an interface R such that P composed with R refines Q. The authors show that a solution exists iff P and Q are compatible, and the most general solution is given by ( P ‖ Q ), where P is the interface P with inputs and outputs interchanged. For the synchronous case, the authors give a new definition of synchronous interface automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observable nondeterminism. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols. The work reported here is based on earlier work on interface synthesis in [ Bha05 ] for the asynchronous case, and [ BR06 ] for the synchronous one. 

As future work, the authors would like to relax some restrictions they have put on the synchronous interface model, such as the requirement of observable nondeterminism. Other possibilities would be to include the effect of hiding internal signals and including fairness specifications to both asynchronous and synchronous interfaces. The work on agent algebras related to semantic foundations for heterogeneous systems ( see [ Pas04 ] ) has a similar goal, and it will be interesting to investigate the connections between the two. The authors are grateful to the anonymous referees for suggesting many improvements in the presentation.