I/O & Interface Automata By Josh Lessard, Josh Taylor, Real Xu

Presenters’ Intro

Presenters’ Problem

Agenda Components & Automata Interface Automata Single-Threaded Interface Automata Conclusion

Components & Automata By Real Xu, User Interface Group, School of Computer Science, University of Waterloo

Objective Understand Components & Framework Discover relationship between Component-Based Design and Embedded Systems Introduction to Component-Based Model of Computation Review evolvement Understand why we use automata

Components & Framework What is component? subroutines processes/threads distributed objects review of lecture 1 any kind of building block

Components & Framework What is framework? Subroutines libraries?  No structure Operating systems?  Yes, but weak CORBA, DCOM?  Yes, but confined to software Interaction mechanisms?  Yes, incorporate hardware and software We want: constraints + benefits

Components & Framework Framework A class library and policies Programming Languages Operating System DS & Middleware Body System Social/political System Components Already existed methods Language primitives (a,c) Single processes/programs Distributed components Organs Companies and organizations

Components & Framework Framework 1.JavaBeans, COM, CORBA 2.Publish and Subscribe, Linda, JavaSpaces 3.Asynchronous message passing 4.Synchronous message passing 5.Discrete events 6.Continuous time Interaction Mechanism 1.Unstructured events, no built-in synchronization 2.Event notification, 3.Processes send message through channels that buffer msgs 4.Processes communicate in atomic instantaneous actions 5.Components communicate via signals that carry events placed in time, which is globally known by all components 6.Processes communicate via continuous-time signals, which are functions on the real numbers.

Component-Based Model of Computation Which framework is best? Your component States of knowledge Interaction mechanisms Specialized, domain dependent!

Component-Based Model of Computation Framework problem for embedded system? We want: as unspecified as possible Union all?  too complex Choose one?  not using all advantages Use an ADL  may get a poor design match Need a design language, not a descriptive language!

Component-Based Model of Computation The Type System Ensure software correctness: good! OOP works, but not for larger structure. Constrains interface: good! Ensure compatibility when composing: good! Static syntax: bad!

Component-Based Model of Computation Automata Use automata to get interface assumptions Capture dynamic interface properties Automata give protocols for component communication Characterize services that each domain provides Use composition and hierarchy of automata

Conclusions Components Frameworks Framework for embedded system Type System Automata

Interface Automata By Josh Taylor,

What is an Interface Automaton? It is an automaton that can be used to determine if two interfaces are compatible For simplicity, I will refer to an Interface Automaton as P or Q

An Interface Automaton P =  : V P is a set of states V P Init  V P is a set of initial states. A I P, A O P, and A H P are mutually disjoint sets of input, output, and internal actions. Let A P = A I P  A O P  A H P  P  V P  A P  V P is a set of steps.

Example Interface Automaton V comp = {0, 1, 2, 3, 4, 5, 6} V comp Init = {0} A I comp = {msg, nack, ack} (?) A O comp = {send, ok, fail} (!) A H comp =  (;)  comp = { (0,msg,1), (1,send,2), (2,ack,5), … }

Properties An action a  A P is enabled at a state v  V P if there is a step (v,a,v)  P for some v  V P A I P (v), A H P (v), A O P (v) are the subsets of actions that are enabled at state v Interface automata are not required to be input-enabled, that is we do not require A I P (v) = A I P for all states v  V P Shared(P,Q) = A P  A Q

Composition Two interface automata P and Q are composable if A I P  A I Q = , A O P  A O Q =  A H P  A Q = , A H Q  A P =  The composition P||Q of the two interface automata is obtained by restricting the product P  Q to its compatible (non- illegal) states

User and Comp Consider the product of User and Comp…

Black Box Gives: User  Comp 6 is an illegal state. Why? …

Illegal States Illegal(User, Comp) = { (v,u)  V user  V comp |  a  Shared(User,Comp) such that : ( a  A O user (v) and a !  A I comp (u)) or (a  A O comp (u) and a !  A I user (v)) } In User  Comp, the output step (6,fail,0) of Comp has no corresponding input in User

User || Comp User  Comp with illegal states removed, we need an environment so that no input will be generated, that will lead to an illegal state

Legal Environment Given two composable interface automata P and Q, a legal environment for the pair (P,Q) is an environment for P  Q such that no state in Illegal(P,Q)  V E is reachable in (P  Q)  E The existence of a legal environment for the composition of two interfaces indicates that the interfaces are compatible

Environment for User  Comp Channel is a legal environment for User  Comp because the state (6,u), u  V Channel is not reachable

In Closing There are algorithms to generate the composition of two interface automata Two automata are compatible if there exists a legal environment for the composition Interface automata provide a concise and formal notation that parallels the natural way of evolving a component-based design

Single-Threaded Interface Automata By Josh Lessard, Programming Languages Group, School of Computer Science, University of Waterloo

Introduction For uniprocessor systems, interface automata are unnecessarily complex Take advantage of single active thread of control Single-threaded version of interface automata Greatly reduces state space and gives rise to smaller automata

Definition A single-threaded interface automaton (STIA) P is an interface automaton that satisfies two conditions:

STIA Condition #1 The set V P of states is partitioned into two disjoint sets V P = V O P  V I P. The states in V O P are called running, because only internal and output actions are enabled: for all v  V O P, we have A I P (v) = . The states in V I P are called waiting, because only input actions are enabled: for all v  V I P, we have A O P (v) = A H P (v) = .

STIA Condition #2 All output steps must lead to waiting states: for all (u, a, v)   O P, we have v  V I P. Conversely, only output steps can lead to waiting states: for all v  V I P and all (u, a, v)   P, we have a  A O P.

STIA Conditions Condition 1 eliminates choice between output/internal actions (ie this automaton advancing thread) and input actions (ie some other automaton advancing thread) Running states indicate ownership of the single thread of control; waiting states indicate non- ownership Condition 2 ensures that an STIA waits for an input precisely after issuing an output action because if there is only a single thread of control, then each output step relinquishes that thread

Single-Threaded Composition Special version of composition for STIAs Prunes input actions that occur at states where internal or output actions are also enabled Can do this because when in a running state, input for this automaton cannot be produced by other automata

Single-Threaded Composition Consider two composable STIAs P and Q. The single-threaded composition P|||Q is obtained from P||Q by first removing all steps (v, a, u)   I P||Q for which A O P||Q (v)  A H P||Q (v)  , and then removing all states that become unreachable from V init P||Q.

Example

Invalid input steps removed:

Example Unreachable states removed:

Conclusion Four of the nine states were eliminated (nearly 50%)!!! Complexity was greatly reduced When modelling for uniprocessor systems, STIAs are a good way to remove clutter from diagrams by doing away with states that are unreachable due to the nature of single threaded systems

Summary of our talk By Real Xu, User Interface Group, School of Computer Science, University of Waterloo

Summary of our talk Why Interface Automata? What is Interface Automata? How to Use Interface Automata Efficiently? Why?- What?- How? Future work

Why?- What?- How?

I/O Automata [N. Lynch, M.Tuttle 1989] A labelled transition system model Asynchronous concurrent systems Actions classified: input (labelled), output, internal

Why?- What?- How?

I/O Automata What does it do? Component Input universal Pessimistic: compatible if no error can arise Based on transition systems Interface Automata How it can be used? Interface Input existential Optimistic: compatible if errors can be avoided Based on game theory

Why?- What?- How? I/O Automata Composition is easy: simply compute the product Verification is complex: need to verify that the interface are compatible Interface Automata Composition is complex: requires compatibility check Verification is easy: none needed generally

Future Work How to adapt to object – orientated code? How to model dynamic object creation? How to connect to the real software?

Acknowledgement R.E.Johnson, “Frameworks = (Components + Patterns),” Comm. ACM, Oct. 1997, pp T.A.Henzinger, “The Theory of Hybrid Automata,” Proc. 11 th Symp. Logic in Computer Science, IEEE CS Press, Los Alamitos, Calif., 1996, pp L. de Alfaro, T.A. Henzinger. Interface Automata. In Proceedings of the Joint 8th European Software Engineering Conference and 9th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (ESEC/FSE 01) Luca de Alfaro and Thomas A. Henzinger. Interface Theories for Component-Based Design. Proceedings of the First International Workshop on Embedded Software (EMSOFT '01), Lecture Notes in Computer Science 2211, Springer-Verlag, 2001, pp L. de Alfaro, T.A. Henzinger, R. Jhala. Compositional Methods for Probabilistic Systems. In Proceedings of CONCUR 01: Concurrency Theory, 12th International Conference, Lectures Notes in Computer Science, Springer-Verlag, L. de Alfaro, T.A. Henzinger, R. Majumdar. Symbolic Algorithms for Infinite-State Games. Proceedings of CONCUR 01: Concurrency Theory, 12th International Conference, Lectures Notes in Computer Science, Springer-Verlag, 2001 L. de Alfaro, T.A. Henzinger, F.Y.C. Mang. The Control of Synchronous Systems. Concurrency Theory, Lectures Notes in Computer Science, Springer-Verlag, 2001 L. de Alfaro, T.A. Henzinger, F.Y.C. Mang. Detecting Errors Before Reaching Them. Computer-aided Verification, Lectures Notes in Computer Science 1855, pages , Springer-Verlag, 2000 Nancy Lynch and Mark Tuttle. An introduction to Input/Output automata. CWI-Quarterly, 2(3): , September Centrum voor Wiskunde en Informatica, Amsterdam, The Netherlands Edward A. Lee, "Overview of the Ptolemy Project," Technical Memorandum UCB/ERL M01/11, University of California, Berkeley, March 6, 2001 Xiaojun Liu, Jie Liu, Johan Eker, and Edward A. Lee, "Heterogeneous Modeling and Design of Control Systems," to appear in Software-Enabled Control: Information Technology for Dynamical Systems, T. Samad and G. Balas (eds.), New York City: IEEE Press, Edward A. Lee, “What’s Ahead for Embedded Software?” IEEE 33:18-26, 2000 Edward A. Lee, Y. Xiong. System-level Types for Component-based Design. Technical Memorandum UCB/ERL M00/8, Electronics Research Lab, University of California, Berkeley, 2000

Thanks for involvements and questions and answers!