
Slide 1 - Submodule construction for specifications with input assumptions and output guarantees
Gregor v. Bochmann, School of Information Technology and Engineering (SITE), University of Ottawa
FORTE conference, Houston, November 2002

Slide 2 - Thanks
I would like to express my thanks to:
- Philip Merlin, with whom I did the first work in this area in 1969
- My PhD students Tao and Drissi, whose work was on equation solving
- Nina Yevtushenko, for some joint work in this area and for identifying the generalization as a goal
- My colleague Cory Butz, who gave a talk on stochastic databases during which I saw that databases provide a very general framework for equation solving

Slide 3 - Equation solving: Integer division
- Multiplication: R1 * R2 = ?
- Equation solving: R1 * X = R3. What is the value of X?
- Solution: the definition of the division operation, written "X = R3 / R1"
- What does it mean? X = biggest Y such that R1 * Y ≤ R3
- Note: in many cases there is no exact solution, that is, there is no X such that R1 * X = R3. For instance: 7 / 3 = 2, and 3 * 2 = 6 ≤ 7

Slide 4 - Context of this talk
- Multiplication ↔ Machine composition
- Division ↔ Submodule construction ("equation solving")
- Example: [Figure: machine R1 composed with X over the interfaces a1, a2, a3 yields R3; the unknown "?" component is R2]

Slide 5 - Overview
- Machine composition and equation solving
- Applications
- Solution formulas
- A generalization: relational databases
- The cases of labelled transition systems (LTS) and synchronous LTS
- The case of specifications based on assumptions and guarantees: e.g. synchronous FSMs, IO-automata and asynchronous FSMs
- Conclusions

Slide 6 - Equation solving for machines
- Given machine R1 and specification R3 for the behavior of the composition of R1 with X, find a behavior of machine X such that hide a3 in (R1 ∞ X) ≤ R3
- Meaning of ≤: set inclusion of possible execution sequences ("traces", i.e. sequences of interactions), also called trace inclusion
[Figure: R1 and X composed, with interfaces a1, a2, a3; the composition is specified by R3]

Slide 7 - Applications of machine equation solving
- Communication protocols: protocol design (Merlin-Bochmann, 1980); design of communication gateways
- Controller design for discrete event systems
- Component reuse, e.g. in software engineering
- Embedded testing

Slide 8 - Communication protocol design
- Protocol entities PE1 and PE2 use the underlying service S and provide the service R3 to the users of the protocol
- PE1 and S are given; PE2 is to be found
- R1 corresponds to (PE1 ∞ S)
[Figure: PE1 and PE2 over S providing R3 at interfaces a1, a2, mapped onto the R1, X, R3 scheme with interfaces a1, a2, a3]

Slide 9 - Communication gateways
- Given: the desired end-to-end communication service E2E, and the (different) protocols in the two networks
- To be found: the gateway behavior (shown by the red box)
[Figure: PE1/PE2 over S providing R3, PE'1/PE'2 over S' providing R'3, joined by an adapter that realizes E2E]

Slide 10 - Controller design
- Applications in process control, robotics, etc.
- Also called "discrete event systems" (a separate research community, e.g. [Ramadge-Wonham, 1989] and many subsequent papers)
- Distinction between non-controllable and controllable interactions (like input/output)
[Figure: the system to be controlled and the controller, connected via interfaces a1, a2, a3; the desired properties are specified for the composition]

Slide 11 - Component reuse
- A given submodule does not completely correspond to the specification of the system to be built
- An additional submodule to be built (and designed through equation solving) makes up the "difference"
[Figure: the submodule to be re-used and the new submodule to be built together form the module to be built; interfaces a1, a2, a3]

Slide 12 - Embedded testing
- If internal interactions (i.e. those at a3) are not visible, only the properties of the composed system can be observed
- The most general behavior of the SUT that leads to conforming behavior of the composed system is the solution of submodule construction
- This behavior is often more general than the specification for the SUT; the difference cannot be observed
[Figure: a component assumed correct composed with the component under test; the properties of the composed system are specified; interfaces a1, a2, a3]

Slide 13 - Equation solving for labelled transition systems
- Rendezvous interactions: a3 between R1 and X; a2 between R1 and the environment; a1 between X and the environment
- Behavior definition: the set of allowed execution sequences, e.g. for X, execution sequences over the interactions at a3 or a1
[Figure: R1, X, R3 with interfaces a1, a2, a3]

Slide 14 - The problem and its solution
- Problem: find the most general X (largest set of execution sequences) such that hide a3 in (R1 ∞ X) ≤ R3
- Solution: X = (a1 ∪ a3)* \ (minus) any sequence that could lead to an observable execution sequence not in R3, i.e.
  X = (a1 ∪ a3)* \ hide a2 in (R1 ∞ ((a1 ∪ a2)* \ R3))
[Figure: R1, X, R3 with interfaces a1, a2, a3]

Slide 15 - A comment
- Since all execution sequences of X must go in interaction with R1 and R3, we may replace the chaos for X with all sequences that are obtained by the composition of R1 and R3, that is [Merlin and Bochmann, 1980]:
  X = hide a2 in (R1 ∞ R3) \ hide a2 in (R1 ∞ ((a1 ∪ a2)* \ R3))
[Figure: R1, X, R3 with interfaces a1, a2, a3]
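The LTS solution formulas of slides 14 and 15, worked out as an added example (this is not code from the talk). Execution sequences are prefix-closed regular languages represented by finite automata: the composition ∞ synchronises shared interactions and interleaves the rest, hide turns the interactions at an interface into silent moves, and the set difference is computed by subset construction plus complement, which is the exponential step the talk mentions later. The toy machines R1 = prefixes of (z y w)* over a2 ∪ a3 and R3 = prefixes of (x y)* over a1 ∪ a2, with a1 = {x}, a2 = {y}, a3 = {z, w}, and all function names are my own assumptions.

```python
from itertools import product


class NFA:
    """Finite automaton; the label None is a silent (epsilon) move.
    A prefix-closed trace set (LTS behaviour) has every reachable state accepting."""

    def __init__(self, alphabet, states, start, delta, accept):
        self.alphabet = frozenset(alphabet)
        self.states = set(states)
        self.start = frozenset(start)
        self.delta = delta  # {(state, label): set of successor states}
        self.accept = frozenset(accept)

    def eclose(self, states):
        todo, seen = list(states), set(states)
        while todo:
            for t in self.delta.get((todo.pop(), None), ()):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return frozenset(seen)

    def step(self, states, label):
        nxt = set()
        for s in states:
            nxt |= self.delta.get((s, label), set())
        return self.eclose(nxt)

    def accepts(self, word):
        cur = self.eclose(self.start)
        for label in word:
            cur = self.step(cur, label)
        return bool(cur & self.accept)


def cycle(word, alphabet):
    """Prefix-closed LTS whose traces are the prefixes of word repeated forever."""
    n = len(word)
    return NFA(alphabet, range(n), {0}, {(i, word[i]): {(i + 1) % n} for i in range(n)}, range(n))


def compose(A, B):
    """A ∞ B (rendezvous): shared labels synchronise, the others interleave."""
    alphabet = A.alphabet | B.alphabet
    states = set(product(A.states, B.states))
    delta = {}
    for p, q in states:
        for label in alphabet:
            ta = A.delta.get((p, label), set()) if label in A.alphabet else {p}
            tb = B.delta.get((q, label), set()) if label in B.alphabet else {q}
            if ta and tb:
                delta[((p, q), label)] = set(product(ta, tb))
        silent = {(p2, q) for p2 in A.delta.get((p, None), ())}
        silent |= {(p, q2) for q2 in B.delta.get((q, None), ())}
        if silent:
            delta[((p, q), None)] = silent
    accept = {(p, q) for p, q in states if p in A.accept and q in B.accept}
    return NFA(alphabet, states, product(A.start, B.start), delta, accept)


def hide(A, hidden):
    """hide H in A: interactions at the hidden interface become silent moves."""
    delta = {}
    for (s, label), targets in A.delta.items():
        delta.setdefault((s, None if label in hidden else label), set()).update(targets)
    return NFA(A.alphabet - frozenset(hidden), A.states, A.start, delta, A.accept)


def complement(A):
    """Sigma* \\ L(A): subset construction (the exponential step), then flip acceptance.
    frozenset() is the sink state, so the result is automatically complete."""
    start = A.eclose(A.start)
    states, delta, todo = {start}, {}, [start]
    while todo:
        cur = todo.pop()
        for label in A.alphabet:
            nxt = A.step(cur, label)
            delta[(cur, label)] = {nxt}
            if nxt not in states:
                states.add(nxt)
                todo.append(nxt)
    return NFA(A.alphabet, states, {start}, delta, {s for s in states if not s & A.accept})


def solve(R1, R3, a2):
    """Slide 14: X = (a1 ∪ a3)* \\ hide a2 in (R1 ∞ ((a1 ∪ a2)* \\ R3))."""
    return complement(hide(compose(R1, complement(R3)), a2))


def solve_merlin_bochmann(R1, R3, a2):
    """Slide 15: X = hide a2 in (R1 ∞ R3) \\ hide a2 in (R1 ∞ ((a1 ∪ a2)* \\ R3))."""
    feasible = hide(compose(R1, R3), a2)
    return compose(feasible, solve(R1, R3, a2))  # equal alphabets, so this is intersection


def demo():
    # Constructed toy system (my assumption): R1 over a2 ∪ a3 takes z from X, emits y
    # to the environment, then acknowledges with w; R3 over a1 ∪ a2 wants x and y to alternate.
    a1, a2, a3 = {"x"}, {"y"}, {"z", "w"}
    R1, R3 = cycle("zyw", a2 | a3), cycle("xy", a1 | a2)
    return solve(R1, R3, a2), solve_merlin_bochmann(R1, R3, a2)
```

Calling demo() returns both solutions; X.accepts("xzwx") holds for either, while "z", "xx" and "xzx" are rejected by both: after "x z", X cannot observe whether R1 has already emitted y, so a second x could produce the observable sequence "x x" outside R3 and is therefore forbidden. The two solutions differ on "xzz": no composition trace can exist for it, so the chaos-based formula of slide 14 leaves it in X, whereas the slide 15 form restricts X to sequences that actually arise from R1 ∞ R3 and excludes it.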

Slide 16 - Equation solving for synchronous automata
- Synchronous communication: simultaneous interactions at all interfaces; at each clock pulse there is a vector of interactions
- Behavior definition: the set of allowed sequences of interaction vectors, e.g. for X the interaction vectors include interactions at a3 and a1
[Figure: R1, X, R3 with interfaces a1, a2, a3]

Slide 17 - Solution of equation solving
- Identical form of the formulas
- The meaning of the operators has changed: ∞ is synchronous composition; the hide operator ignores a component of the vector
- [Yevtushenko et al., 1999]

Slide 18 - Relational database (intro)
- A DB is a set of relations
- A relation is a table: each column is an attribute, each row is an "object"
- An element at position (ai, ok) in the table represents the value that object ok takes for attribute ai
- With each attribute ai is associated a set of possible values Di

Slide 19 - Relational database concepts
Formal definitions:
- Attributes: A = {a1, a2, …, an}
- Attribute values: D = ∪ Di
- Relation over Ar (Ar ⊆ A), written R[Ar]: a (possibly infinite) set of mappings T: Ar → D with T(ai) ∈ Di
- Note: each mapping corresponds to a row

Slide 20 - Example

R1:
Name    | Age | Salary
Fred    | 53  | 50000
Paul    | 50  | 60000
Alice   | 21  | 40000
Suzanne | 35  | 50000
Bob     | 20  | 30000

R2:
Name    | Project
Fred    | BigOne
Alice   | BigOne
Fred    | SmallOne
Suzanne | SmallOne

Slide 21 - Relational operators
- Projection: given R[Ar] and Ax ⊆ Ar, the projection of R[Ar] onto Ax, written proj_Ax(R), is a relation over Ax with T ∈ proj_Ax(R) iff there exists T' ∈ R s.t. ∀ ai ∈ Ax: T(ai) = T'(ai)
- Join: given R1[A1] and R2[A2], the join of R1 and R2, written R1 ∞ R2, is a relation over A1 ∪ A2 with T ∈ (R1 ∞ R2) iff proj_A1(T) ∈ R1 and proj_A2(T) ∈ R2
- Chaos: given Ax ⊆ A, the chaos over Ax, written Ch[Ax], is the relation which includes all mappings T: Ax → D with T(ai) ∈ Di

Slide 22 - Example (R1 and R2 as on slide 20)

proj_{Project}(R2) =
Project
BigOne
SmallOne

R1 ∞ R2 =
Name    | Age | Salary | Project
Fred    | 53  | 50000  | BigOne
Fred    | 53  | 50000  | SmallOne
Alice   | 21  | 40000  | BigOne
Suzanne | 35  | 50000  | SmallOne

Slide 23 - Equation solving for relational databases
- We consider three attributes a1, a2, a3 and two relations R1[{a3, a2}], R3[{a1, a2}]
- Problem: what is the biggest relation X[{a1, a3}] satisfying proj_{a1,a2}(R1 ∞ X) ⊆ R3?
- Solution: X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))
- Proof: see paper
- Generalization to more complex attribute structures is also easy
[Figure: R1, X, R3 with interfaces a1, a2, a3]

Slide 24 - An example
D1 = {ε}, D2 = {aa, ab, ba, bb}, D3 = {c, d}
X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))

R3:
a1 | a2
ε  | ab

R1:
a2 | a3
aa | d

Ch[{a1, a3}]:
a1 | a3
ε  | c
ε  | d

Ch[{a1, a2}] \ R3:
a1 | a2
ε  | aa
ε  | ba
ε  | bb

R1 ∞ (Ch[{a1, a2}] \ R3):
a1 | a2 | a3
ε  | aa | d

X:
a1 | a3
ε  | c

[Figure: R1, X, R3 with interfaces a1, a2, a3]
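The relational operators of slide 21 and the solution formula of slides 23 and 24, implemented in Python as an added example (not code from the talk): relations are sets of rows, projection, join and chaos are written out directly from the definitions, and solve() computes X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3)). It is run on the tables of slides 20 and 22 and on the slide 24 data, and it also checks that the computed X is the largest relation satisfying proj_{a1,a2}(R1 ∞ X) ⊆ R3. The function and variable names are mine, and the empty trace ε is represented by the empty string.

```python
from itertools import product


def row(**values):
    """One row (a mapping T from attributes to values), hashable so relations can be sets."""
    return frozenset(values.items())


def proj(R, attrs):
    """proj_Ax(R): keep only the attributes in attrs; equal rows collapse (set semantics)."""
    attrs = frozenset(attrs)
    return {frozenset((a, v) for a, v in t if a in attrs) for t in R}


def join(R1, R2):
    """R1 ∞ R2: rows that agree on the shared attributes, over the union of the attributes."""
    out = set()
    for t1 in R1:
        for t2 in R2:
            d1, d2 = dict(t1), dict(t2)
            if all(d1[a] == d2[a] for a in d1.keys() & d2.keys()):
                out.add(frozenset({**d1, **d2}.items()))
    return out


def chaos(attrs, domains):
    """Ch[Ax]: every mapping T with T(ai) in Di, for the given attribute domains."""
    attrs = sorted(attrs)
    return {frozenset(zip(attrs, vals)) for vals in product(*(domains[a] for a in attrs))}


def conforms(R1, X, R3, spec_attrs):
    """The requirement of slide 23: proj_{spec_attrs}(R1 ∞ X) ⊆ R3."""
    return proj(join(R1, X), spec_attrs) <= R3


def solve(R1, R3, x_attrs, spec_attrs, domains):
    """X = Ch[x_attrs] \\ proj_{x_attrs}(R1 ∞ (Ch[spec_attrs] \\ R3))."""
    bad = chaos(spec_attrs, domains) - R3
    return chaos(x_attrs, domains) - proj(join(R1, bad), x_attrs)


def is_largest_solution(R1, X, R3, x_attrs, spec_attrs, domains):
    """X conforms and adding any single excluded row breaks conformance.  Because a
    larger X can only add observable rows, this single-row check rules out every superset."""
    return conforms(R1, X, R3, spec_attrs) and all(
        not conforms(R1, X | {t}, R3, spec_attrs) for t in chaos(x_attrs, domains) - X)


# The two tables of the talk's database example (slides 20 and 22).
EMPLOYEES = {
    row(Name="Fred", Age=53, Salary=50000), row(Name="Paul", Age=50, Salary=60000),
    row(Name="Alice", Age=21, Salary=40000), row(Name="Suzanne", Age=35, Salary=50000),
    row(Name="Bob", Age=20, Salary=30000)}
PROJECTS = {
    row(Name="Fred", Project="BigOne"), row(Name="Alice", Project="BigOne"),
    row(Name="Fred", Project="SmallOne"), row(Name="Suzanne", Project="SmallOne")}

# The equation-solving data of slide 24; "" stands for the empty trace ε.
DOMAINS = {"a1": {""}, "a2": {"aa", "ab", "ba", "bb"}, "a3": {"c", "d"}}
R1 = {row(a2="aa", a3="d")}
R3 = {row(a1="", a2="ab")}
X_ATTRS, SPEC_ATTRS = {"a1", "a3"}, {"a1", "a2"}


def slide24_solution():
    return solve(R1, R3, X_ATTRS, SPEC_ATTRS, DOMAINS)


if __name__ == "__main__":
    print(sorted(dict(t)["Project"] for t in proj(PROJECTS, {"Project"})))
    for t in sorted(join(EMPLOYEES, PROJECTS), key=lambda t: sorted(t)):
        print(dict(t))
    X = slide24_solution()
    print([dict(t) for t in X], is_largest_solution(R1, X, R3, X_ATTRS, SPEC_ATTRS, DOMAINS))
```

For the slide 24 data, solve() returns the single row (a1 = ε, a3 = c); the excluded row (ε, d) would join with R1's (aa, d) to the observable row (ε, aa), which is not in R3, so the maximality check confirms that the formula really yields the largest conforming X.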

Slide 25 - A special case: Trace specifications
- Attributes ↔ Interfaces: Di = Ii*, that is, all finite sequences of elements of Ii, the possible interactions at the interface ai (the "alphabet" at interface ai)
- Machine behavior ↔ Relation: each row (DB object) represents a possible execution history ("trace"); the value for each attribute describes the interaction sequence occurring at the corresponding interface during that trace
- Synchrony constraint: the interaction sequences at the different interfaces for a given trace are of equal length

Slide 26 - Two sub-cases: synchronous operation (as above) and interleaving semantics (below)
- Attributes ↔ Interfaces: Di = (Ii ∪ {null})* (as in the synchronous case, except that there is a real interaction at only one interface at a time: "interleaving semantics")
- Machine behavior ↔ Relation: as in the synchronous case, except that the "interleaving constraint" is satisfied for all mappings of a relation, that is, for any j, the j-th element of T(ai) is non-null for at most one attribute ai

Slide 27 - Algorithms for equation solving
- Solution: X = Ch[{a1, a3}] \ proj_{a1,a3}(R1 ∞ (Ch[{a1, a2}] \ R3))
- Algorithms for the operations ∞, \, proj: in general not possible (infinite sets of mappings)
- For finite state models: polynomial complexity for ∞ and proj; proj introduces non-determinism; \ requires conversion to deterministic models, which has exponential complexity

Slide 28 - Example
[Figure: R1, X, R3 with interfaces a1, a2, a3 and interface alphabets {a, b, n}, {c, d, n} and {n}]

Slide 29 - Systems with input and output
- Nature of input/output (non-rendezvous):
  - Output: the time and parameters of an interaction are determined by the system component producing the output
  - Input: the component receiving the interaction cannot influence the time nor the parameter values
- Specification of component behavior:
  - Output: the specification gives guarantees about timing and parameter values
  - Input: the specification may make assumptions about the timing of inputs and the received parameter values

Slide 30 - Specification paradigms with hypotheses and guarantees
- Software: pre- and postconditions of a procedure call; they define hypotheses on input parameters and guarantees on output parameters, respectively
- Finite state machines (state-deterministic): an unspecified input is a hypothesis about the behavior of the environment: this input will not occur when the machine is in this state

Slide 31 - Component specification and interconnection
- Each attribute of a relation is either input or output
- Constraint on component interconnection: no output conflicts: for each interface, there is only one connected component for which the corresponding attribute is output
- For trace specifications: unit delay constraint: output(s) at time t depend only on previous interactions of the same component (not on the input received at time t) [e.g. Broy, Lamport]; in the FSM context this corresponds to a Moore machine

Slide 32 - Conformance to specifications
- Given a specification R and a trace T, either T ∈ R (we say T conforms to R) or …
  - T has wrong input: all prefixes of T up to some time t conform to R, but there is wrong input at time (t+1)
  - T has wrong output: similarly
  - T has wrong input and output at the same time instant
- A component conforms to a specification R iff no trace T in which the component participates has wrong output in respect to R
- Note: if a trace has wrong input, nothing can be assumed about wrong output at a later time instant

Slide 33 - Equation solving for trace specifications with input/output
- Find the most general specification X such that any trace T of the composition of R1 and X has the following properties:
  - proj_{a1,a2}(T) conforms to R3
  - If proj_{a1,a2}(T) has no wrong input in respect to R3, then proj_{a2,a3}(T) has no wrong input in respect to R1
[Figure: R1, X, R3 with interfaces a1, a2, a3]

Slide 34 - Solution formula
Notation:
- R^WO(t) = set of traces that have wrong output in respect to R at time instant t
- R^WI(t): similarly for wrong input
- ∪_t: union over all values of t
Solution:
X = Ch[{a1, a3}] \ proj_{a1,a3}( ∪_t ( (R1 ∞ R3^WO(t)) ∪ (R1^WI(t) ∞ R3) ∪ (R1^WI(t) ∞ R3^WO(t)) ) )

Slide 35 - Solution algorithms for I/O
- Synchronous FSMs: can be easily derived from the above formula; the special case of completely defined, deterministic machines was already solved by Kim et al.
- Interleaving semantics: simplification: never wrong input and output at the same time instant
- IO-automata: Jawad Drissi (PhD thesis)
- Communicating FSMs: Yevtushenko and Petrenko

Slide 36 - Extensions of the specification formalisms
- More powerful specification languages: Petri nets, CSP, LOTOS, etc.
- Different conformance relations:
  - Safeness: trace semantics (as discussed here)
  - Liveness - progress (some good interaction will occur): liveness [Thistle]; absence of blockings [Tao, PhD thesis]; optional and required progress [Drissi, PhD thesis]
- Real-time aspects: timed automata [Grenoble; work on DES; Drissi, PhD thesis]

Slide 37 - Conclusions (i)
New results presented here:
- Solution formula for equation solving in the context of relational databases
- Equation solving for component composition based on trace semantics (synchronous and interleaving case) as special cases
- Solution formula for trace semantics with input and output

Slide 38 - Conclusions (ii)
Application areas:
- Protocol design (Merlin-Bochmann, 1980)
- Design of communication gateways
- Controller design
- Component reuse, e.g. in software engineering
- Embedded testing
Future work:
- More powerful specification paradigms, e.g. interaction parameters
- Tools
- Practical design methodology based on formal methods

