Submodule construction in logics 1 Gregor v. Bochmann, University of Ottawa Using First-Order Logic to Reason about Submodule Construction Gregor v. Bochmann School of Information Technology and Engineering (SITE) University of Ottawa Submitted to FORTE conference, 2009

Submodule construction in logics 2 Gregor v. Bochmann, University of Ottawa Thanks I would like to express my thanks to Philip Merlin with whom I did the first work in this area in 1969 My PhD students Tao and Drissi whose work was on equation solving Nina Yevtushenko for some joint work in this area and for identifying the generalization as a goal My colleague Cory Butz who gave a talk on stochastic databases during which I saw that databases provide a very general framework for equation solving

Submodule construction in logics 3 Gregor v. Bochmann, University of Ottawa Equation solving: Integer division Multiplication: R 1 * R 2 = ? Equation solving: R 1 * X = R 3 What is the value of X ? Solution: definition of the division operation Written “ X = R 3 / R 1 ” What does it mean ? X = biggest Y such that R 1 * X ≤ R 3 Note: in many cases, there is no exact solution, that is, there is no X such that R 1 * X = R 3 For instance: 7 / 3 = 2, and 3 * 2 = 6 ≤ 7

Submodule construction in logics 4 Gregor v. Bochmann, University of Ottawa Context of this talk Multiplication  Machine composition Division  Submodule construction (“equation solving”) Example: R1R1 X R3R3 a1a1 a2a2 a3a3 R1R1 ? a1a1 a2a2 a3a3 R2R2

Submodule construction in logics 5 Gregor v. Bochmann, University of Ottawa Overview Introduction Machine composition and equation solving Applications Solution formulas Equation solving in the logic context Mapping logics to synchronous systems Mapping logics to labelled transition systems Conclusions

Submodule construction in logics 6 Gregor v. Bochmann, University of Ottawa Equation solving for machines Given machine M 1 and specification M 3 for the behavior of the composition of M 1 with X, find a behavior of machine X such that hide a3 in (M 1 ∞ X) ≤ M 3 Meaning of ≤ : set inclusion of possible execution sequences (“traces”, i.e. sequences of interactions ), also called trace inclusion M1M1 X M3M3 a1a1 a2a2 a3a3

Submodule construction in logics 7 Gregor v. Bochmann, University of Ottawa Applications of machine equation solving Communication protocols Protocol design (Merlin-Bochmann, 1980) Design of communication gateways Controller design for discrete event systems Component reuse, e.g. in software engineering Embedded testing

Submodule construction in logics 8 Gregor v. Bochmann, University of Ottawa Communication protocol design Protocol entities PE 1 and PE 2 use the underlying service S and provide the service R 3 to the users of the protocol PE 1 and S are given PE 2 is to be found R 1 corresponds to (PE 1 ∞ S) PE 1 R3R3 a1a1 a2a2 S PE 2 R1R1 X R3R3 a1a1 a2a2 a3a3

Submodule construction in logics 9 Gregor v. Bochmann, University of Ottawa Communication gateways Given desired end-to-end communication service E2E Protocols in the two networks (different) To be found: gateway behavior (shown by red box) PE 1 R3R3 a1a1 a2a2 S PE 2 PE’ 1 R’3R’3 a1a1 a2a2 S’ PE’ 2 adapter E2E

Submodule construction in logics 10 Gregor v. Bochmann, University of Ottawa Controller design Applications in process control, robotics, etc. Also called “Discrete event systems” (a separate research community, e.g. [Ramage-Wonham, 1989] and many subsequent papers) Distinction between non-controllable and controllable interactions (like input/output) System to be controlled Controller Desired properties a1a1 a2a2 a3a3

Submodule construction in logics 11 Gregor v. Bochmann, University of Ottawa Component reuse A given submodule does not completely correspond to the specification of the system to be built An additional submodule to be built (and designed throught equation solving) makes up the “difference” Submodule to be re-used New subm. to be built Module to be built a1a1 a2a2 a3a3

Submodule construction in logics 12 Gregor v. Bochmann, University of Ottawa Embedded testing If internal interactions (i.e. a 3 ) are not visible, only the properties of the composed system can be observed The most general behavior of the SUT that leads to conforming behavior for the composed system, is the solution of submodule construction. This behavior is often more general than the specification for the SUT; the difference can not be observed. Component assumed correct Component under test Properties of composed system a1a1 a2a2 a3a3

Submodule construction in logics 13 Gregor v. Bochmann, University of Ottawa Equation solving for labelled transition systems Rendezvous interactions a 3 : between M 1 and X a 2 : between M 1 and environment a 1 : between X and environment Behavior definition for M i set of allowed execution sequences A subset of Alphabet* (all sequences over the alphabet) Can be defined by a constraint C i characterizing this set of sequences M1M1 X M3M3 a1a1 a2a2 a3a3

Submodule construction in logics 14 Gregor v. Bochmann, University of Ottawa The problem and its solution Problem: Find maximal X (largest set of execution sequences) such that hide a 3 in (C 1 ∞ X) ≤ C 3 Solution: X = (a 1 U a 3 )* \ (minus) any sequence that could lead to an observable execution sequence not in R 3, i.e. hide a 2 in (C 1 ∞ ( (a 1 U a 2 )* \ C 3 ) ) M1M1 X M3M3 a1a1 a2a2 a3a3 M1M1 X M3M3 a1a1 a2a2 a3a3

Submodule construction in logics 15 Gregor v. Bochmann, University of Ottawa The reduced maximal solution Since all execution sequences of X must go in interaction with M 1 and M 3, we may replace the chaos for X with all sequences that are obtained by the composition of M 1 and M 3, that is [Merlin and Bochmann, 1980] Solution: X = hide a 2 in (C 1 ∞ C 3 ) \ (minus) hide a 2 in (C 1 ∞ ( (a 1 U a 2 )* \ C 3 ) ) R1R1 X R3R3 a1a1 a2a2 a3a3 R1R1 X R3R3 a1a1 a2a2 a3a3

Submodule construction in logics 16 Gregor v. Bochmann, University of Ottawa Solutions for different specification paradigms LTS Synchronous machines Input/output automata (IOA) Finite state machines (with message queuing) Extended FSM or IOA Considering progress, liveness Considering real-time properties

Submodule construction in logics 17 Gregor v. Bochmann, University of Ottawa Algorithmic solutions In case of finite state models, and considering trace semantics, there exist algorithms to evaluate the solution formulas. Their complexity: Exponential (if the interface a2 is hidden for X) Polynomial (if all interactions are visible to X)

Submodule construction in logics 18 Gregor v. Bochmann, University of Ottawa Similar formulas for different specification paradigms Nina Yevtushenko noted in 1999 that the formulas for LTS and synchronous machines can be written in identical form But the meaning of operators change For synchronous machines, an synchronous interaction pattern is a vector of interactions at the different interfaces ∞ - composition: building longer vectors hide operator: ignores a component of the vector This led to the generalization of the problem to databases (my paper at FORTE 2002) This paper: General formulation in logic from which all other formulations can be derived

Submodule construction in logics 19 Gregor v. Bochmann, University of Ottawa Equation solving in logic Three variables X A, X B, and X B with values from domains D A, D B, and D B, respectively U = D A  D B  D B Relations, such as R  D A  D B characterized by a constraint C(x A, x B ) where x i is the value of the variable X i Equation:   U : C A (x B, x C )  C B (x A, x C )  C C (x A, x B ) Problem: Given C A, C C, find maximal (least constraining) C B

Submodule construction in logics 20 Gregor v. Bochmann, University of Ottawa Solution C B max (x A, x C ) =  x B  D B : C A (x B, x C )  C C (x A, x B ) =  x B  D B :  C A (x B, x C )  C C (x A, x B ) =  x B  D B :  ( C A (x B, x C )   C C (x A, x B ) ) =  x B  D B : C A (x B, x C )   C C (x A, x B )

Submodule construction in logics 21 Gregor v. Bochmann, University of Ottawa Realizability Realizable subset of R C Incompatible part of R B Reduced maximal solution C B red (x A, x C ) = (  x B  D B : C A (x B, x C )  C C (x A, x B ) )  (  x B  D B : C A (x B, x C )   C C (x A, x B ) )

Submodule construction in logics 22 Gregor v. Bochmann, University of Ottawa Synchronous systems Interfaces I A, I B, I C : set of possible interactions D i = I i * (sequences of interactions) Execution history (synchrony of ith interaction at all interfaces) Hide operation:

Submodule construction in logics 23 Gregor v. Bochmann, University of Ottawa Synchronous solution

Submodule construction in logics 24 Gregor v. Bochmann, University of Ottawa Modeling LTS Interleaving constraint Equivalence of execution histories: if same sequence of non-null interactions Hiding operator:

Submodule construction in logics 25 Gregor v. Bochmann, University of Ottawa Submodule construction for LTS Modified equation Solution or

Submodule construction in logics 26 Gregor v. Bochmann, University of Ottawa Example

Submodule construction in logics 27 Gregor v. Bochmann, University of Ottawa Figure 4 a and b c1c1 c4c4 c1, c3c1, c3 b2b2 c2, c3, c4c2, c3, c4 b1b1 MAMA F a1a1 b2b2 a2a2 b1b1 a2, b1, b2a2, b1, b2 a1, b1, b2a1, b1, b2 MCMC (a)(b)

Submodule construction in logics 28 Gregor v. Bochmann, University of Ottawa Figure 4 c and d

Submodule construction in logics 29 Gregor v. Bochmann, University of Ottawa Figure 4 e and f M A x M B 1 x s 1 c1c1 a1a1 c4c4 1 x s 2 2 x s 1 b1b1 c1c1 1 x s 3 3 x s 1 c2c2 b2b2 a1a1 4 x s 4 c4c4 1 x s 4 c4c4 c2c2 c1c1 a1a1 a2a2 s2s2 s1s1 s3s3 (e) (f)