A Theory for Refinement and Compatibility
2. ASYNCHRONOUS COMMUNICATION
FIGURE 4.8. Buffered PIOs for the transition systems in Fig. 4.7: (a) $\Omega(Prod, O^B_{Prod})$, whose global states $(p_0, \varepsilon)$, $(p_0, \langle put\rangle)$, $(p_0, \langle put, put\rangle)$, ... pair $p_0$ with the contents of the output queue; (b) $\Omega(BufCtr, O^B_{BufCtr})$ with states $b_0$, $b_1$, input $put$ and open output $get$.
FIGURE 4.9. Refinement of the original producer: $Toast$ with states $t_0$, $t_1$, an internal transition $toast$ from $t_0$ to $t_1$ and an output transition $put$.
Then, asynchronous (buffered) communication between $Prod$ and $BufCtr$ is introduced by a corresponding definition of buffered PIOs. $\Omega(Prod, O^B_{Prod})$ with $O^B_{Prod} = \{(\emptyset, \{put\})\}$ results in a PIO with an output queue for messages labelled $put$. An excerpt of the corresponding (infinite-state) transition system is depicted in Fig. 4.8. For the buffer control $BufCtr$ we leave the output $get$ open, hence define $O^B_{BufCtr} = \{(\{put\}, \emptyset)\}$. Thus, $\Omega(BufCtr, O^B_{BufCtr})$ is still a PIO without queue which is obtained from $BufCtr$ by a relabelling of $put$ for asynchronous communication (cf. Fig. 4.8). The composition $\Omega(Prod, O^B_{Prod}) \otimes \Omega(BufCtr, O^B_{BufCtr})$ then results in an infinite-state system, which repeatedly (and internally) produces items, stores them in an internal FIFO buffer and then externally provides them for consumption via the open output transition $get$.
2.2. Refinement and Asynchronous Compatibility. Our component model explicitly distinguishes components and connectors. The components' behaviour is specified by automata showing a temporal ordering of receive, send and local actions. Connectors in contrast do not specify any application specific temporal ordering of message exchange but act as a communication medium which determines the timing of the message exchange between components linked with this connector. Therefore, connectors are not user-defined in the sense components are and hence our notion of refinement must not apply to connectors. Instead we focus on the refinement of the components' behaviour aiming at a notion of compositionality which is independent of the connectors used on the abstract system level. For the case of synchronous communication this is backed by Prop. 4.12 already. For the case of asynchronous communication we rely on the following proposition.
Theorem 4.25 (Refinement transfer). Let $(A, O^B)$ be an $\alpha$PIO and let $C$ be a partitioned PIO. If $C \sqsubseteq_{bb} A$, then $\Omega(C, O^B) \sqsubseteq_{bb} \Omega(A, O^B)$.
PROOF. Let $\beta$ be the relabelling for asynchronous communication w.r.t. $O^B$. By $C \sqsubseteq_{bb} A$ we have $C^\beta \sqsubseteq_{bb} A^\beta$ (similar to Lem. 2.16 (2)). Denote the output queues for $O^B$ by $Q^B$; then it follows by Thm. 4.10 that $C^\beta \otimes Q^B \sqsubseteq_{bb} A^\beta \otimes Q^B$.
Example 4.26 (Refinement transfer). Suppose the producer of Ex. 4.24 creates a slice of toasted bread which should be passed to the consumer afterwards. In a corresponding process as depicted in Fig. 4.9, toast production is an internal step preceding the storage of the produced item via the (yet) open output transition $put$. If the internal transition is persistent, i.e. $(t_0, toast, t_1) \in \Pi_{Toast}$, we have $Toast \sqsubseteq_{bb} Prod$, witnessed by the relation $\{(t_0, p_0), (t_1, p_0)\} \subseteq S_{Toast} \times S_{Prod}$. Therefore Thm. 4.25 is applicable and it follows that $\Omega(Toast, O^B_{Prod}) \sqsubseteq_{bb} \Omega(Prod, O^B_{Prod})$.
Note that $\Omega(Prod, O^B_{Prod})$ is an infinite-state system and hence verification of its refinement is in general undecidable. In contrast, $Toast \sqsubseteq_{bb} Prod$ could be verified using finite-state verification techniques.
Based on Thm. 4.25 we can claim compositionality for the case of buffered PIOs similar to the case of PIOs with rendezvous communication. Though note that there is an important difference: here we rely on the refinement of the PIOs underlying the particular buffered PIOs and not on a refinement between the buffered PIOs in turn.
Corollary 4.27 (Precongruence transfer). Let $(A, O^B_A)$ and $(B, O^B_B)$ be composable $\alpha$PIOs and let $C$ be a partitioned PIO. Let $C$ and $B$ be composable. If $C \sqsubseteq_{bb} A$, then
$$\Omega(C, O^B_A) \otimes \Omega(B, O^B_B) \sqsubseteq_{bb} \Omega(A, O^B_A) \otimes \Omega(B, O^B_B).$$
PROOF. The claim follows by Thm. 4.25 and Thm. 4.10.
Example 4.28 (Precongruence transfer). Applying the corollary to Ex. 4.26 allows the buffered producer to be replaced by a buffered toast producer in the composition with the buffer controller. More formally, since $Toast \sqsubseteq_{bb} Prod$ (cf. Ex. 4.26) we have, by Cor. 4.27,
$$\Omega(Toast, O^B_{Prod}) \otimes \Omega(BufCtr, O^B_{BufCtr}) \sqsubseteq_{bb} \Omega(Prod, O^B_{Prod}) \otimes \Omega(BufCtr, O^B_{BufCtr}).$$
Corollary 4.29 (Compositionality transfer). Let $(A, O^B_A)$ and $(B, O^B_B)$ be composable $\alpha$PIOs and let $C, D$ be composable partitioned PIOs. If $C \sqsubseteq_{bb} A$ and $D \sqsubseteq_{bb} B$, then
$$\Omega(C, O^B_A) \otimes \Omega(D, O^B_B) \sqsubseteq_{bb} \Omega(A, O^B_A) \otimes \Omega(B, O^B_B).$$
PROOF. The proof is analogous to the synchronous case (cf. Prop. 4.12).
Another important aim of our study is to understand which basic compatibility requirements may apply to the case of buffered message exchange. This corresponds to the question which kind of architectural incompatibilities should be avoided when using asynchronous connectors (cf. Chap. 2, Sect. 1.3). Considering our notion of output compatibility as defined above, we aim at guarantees for sending messages, since the reception of a message already implies that some sender was successful in emitting the particular message, which is not the case for sending. In the context of buffered message exchange this transfers to some guarantee that, once a message has been put into the output queue of a PIO, the particular communication partner is indeed able to dequeue the corresponding message later on. The transition systems in Fig. 4.10 and Fig. 4.11 illustrate such a requirement more concretely. In Fig. 4.10 both systems are indeed able to dequeue the message sent by their communication partner, either before or after sending messages in turn. For the transition systems in Fig. 4.11, however, this is not the case. Here the fundamental difference between a rendezvous mechanism and buffered message exchange becomes evident. If both systems send messages at the "same" time, the asynchronous system deadlocks due to missing receive capabilities after having sent the messages $n$ and $m$ respectively.
For the formal definition of a corresponding notion of asynchronous compatibility we rely on the notions of weak and ultra-weak compatibility defined above. This is due to the encoding of FIFO buffers along transition systems for the messages sent (output queues), in contrast to an encoding for messages received (input queues).
Definition 4.30 (Asynchronous output compatibility). Let $(A, O^B_A)$ and $(B, O^B_B)$ be composable $\alpha$PIOs. $(A, O^B_A)$ and $(B, O^B_B)$ are ultra-weakly asynchronous output compatible, written $(A, O^B_A) \leftrightarrow_a (B, O^B_B)$, if $\Omega(A, O^B_A) \leftrightarrow_u \Omega(B, O^B_B)$; they are weakly asynchronous output compatible if $\Omega(A, O^B_A) \leftrightarrow_w \Omega(B, O^B_B)$.
If not explicitly mentioned, we consider $(A, O^B_A) \leftrightarrow_a (B, O^B_B)$ and simply talk of asynchronously output compatible $\alpha$PIOs.
FIGURE 4.10. Simultaneous sending of messages: asynchronously compatible. (a) Control PIOs $A$ and $B$; (b) Buffered PIOs $\Omega(A)$ and $\Omega(B)$.
FIGURE 4.11. Simultaneous sending and mixed-choice: not asynchronously compatible. (a) Synchronously compatible PIOs $A$ and $B$ and their product $A \otimes B$; (b) Buffered PIOs $\Omega(A)$ and $\Omega(B)$ deadlock in the global state with queue contents $(\langle n\rangle, \langle m\rangle)$.
Example 4.31 (Asynchronous output compatibility). Consider the transition systems $A$ [...] ultra-weak output compatible, since neither does $A$ provide an input $m$ before sending $n$, nor does $B$ for the case of $n$ the other way around. Note that $S(A, B) = \{n, m\}$ is the crucial prerequisite for this example. However, $(A, O^B_A)$ and $(B, O^B_B)$ are asynchronously output compatible if $O^B_A = \{n\}$ and $O^B_B = \{m\}$, i.e. if the respective outputs are communicated with asynchronous timing. More formally, by definition we have $(A, O^B_A) \leftrightarrow_a (B, O^B_B)$, if $\Omega(A, O^B_A) \leftrightarrow_u \Omega(B, O^B_B)$. Thus, under the assumption $L_A = O^B_A$ and $L_B = O^B_B$, we need to check ultra-weak output compatibility for the buffered PIOs $\Omega(A)$ and $\Omega(B)$ in Fig. 4.10, which is easily verified either by manual inspection or, in this case, even by finite-state verification techniques.
In contrast, the transition systems $A$ and $B$ in Fig. 4.11 are synchronously ultra-weak output compatible but not asynchronously output compatible. The latter is due to the buffering of output messages, which introduces the possibility of deadlock whenever a mixed-choice state (a state with both an input and an output transition leaving) is left by both communication partners using shared output transitions at the same time.
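The deadlock argument of Ex. 4.31 can be checked mechanically. The following Python is an added example, not code from the thesis: it encodes the two PIO pairs read off Fig. 4.10 and Fig. 4.11 as constructed transition tables (the state names a0..a3, b0..b3 and the kinds "in"/"out"/"tau" are this example's own conventions), explores the buffered product with bounded output queues, and checks the ultra-weak receive condition behind Def. 4.30 for every queued message.

```python
from collections import deque

# A PIO is a dict: state -> [(kind, label, next_state)], kind in {"in", "out", "tau"}.
# Constructed models of the page's figures: in Fig. 4.10 each side can receive the partner's
# message before or after sending; in Fig. 4.11 the mixed-choice initial states let neither
# side receive once it has sent.
FIG_4_10_A = {"a0": [("out", "n", "a1"), ("in", "m", "a2")],
              "a1": [("in", "m", "a3")], "a2": [("out", "n", "a3")], "a3": []}
FIG_4_10_B = {"b0": [("out", "m", "b1"), ("in", "n", "b2")],
              "b1": [("in", "n", "b3")], "b2": [("out", "m", "b3")], "b3": []}
FIG_4_11_A = {"a0": [("out", "n", "a1"), ("in", "m", "a2")], "a1": [], "a2": []}
FIG_4_11_B = {"b0": [("out", "m", "b1"), ("in", "n", "b2")], "b1": [], "b2": []}

def buffered_reach(pio_a, s0a, pio_b, s0b, cap=2):
    """Reachable (sa, queue_a, sb, queue_b) of Omega(A) (x) Omega(B). Outputs are internal
    enqueues into the sender's FIFO; a queue head is consumed by the partner's matching
    input. Queues are bounded by `cap` so the search over the infinite system terminates."""
    start = (s0a, (), s0b, ())
    seen, todo = {start}, deque([start])
    while todo:
        sa, qa, sb, qb = todo.popleft()
        succ = []
        for kind, lab, nxt in pio_a[sa]:
            if kind == "out" and len(qa) < cap: succ.append((nxt, qa + (lab,), sb, qb))
            if kind == "tau": succ.append((nxt, qa, sb, qb))
            if kind == "in" and qb[:1] == (lab,): succ.append((nxt, qa, sb, qb[1:]))
        for kind, lab, nxt in pio_b[sb]:
            if kind == "out" and len(qb) < cap: succ.append((sa, qa, nxt, qb + (lab,)))
            if kind == "tau": succ.append((sa, qa, nxt, qb))
            if kind == "in" and qa[:1] == (lab,): succ.append((sa, qa[1:], nxt, qb))
        for g in succ:
            if g not in seen: seen.add(g); todo.append(g)
    return seen

def can_receive_ultra_weakly(pio, s, lab):
    """Ultra-weak lookahead: from `s`, reach an input of `lab` using only internal steps
    and the component's own outputs (which Omega turns into internal enqueues)."""
    seen, todo = {s}, [s]
    while todo:
        for kind, l, nxt in pio[todo.pop()]:
            if kind == "in" and l == lab: return True
            if kind != "in" and nxt not in seen: seen.add(nxt); todo.append(nxt)
    return False

def asynchronously_compatible(pio_a, s0a, pio_b, s0b, cap=2):
    """Def. 4.30 on the reachable buffered product: every queued message must be
    receivable by the partner; a violation is exactly the deadlock of Fig. 4.11."""
    for sa, qa, sb, qb in buffered_reach(pio_a, s0a, pio_b, s0b, cap):
        if qa and not can_receive_ultra_weakly(pio_b, sb, qa[0]): return False
        if qb and not can_receive_ultra_weakly(pio_a, sa, qb[0]): return False
    return True
```

For the Fig. 4.11 pair the check fails in the reachable global state (a1, ⟨n⟩, b1, ⟨m⟩), where both queues hold a message and neither partner can ever input it; since the queues are bounded, the verdict is exhaustive only up to the chosen capacity.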
Asynchronous compatibility is preserved by blackbox refinement of the PIOs underlying the given buffered PIOs. This preservation result is particularly useful from the verification point of view due to the potentially infinite state space of buffered PIOs. Once asynchronous compatibility is verified, modular refinement checks for the PIOs underlying the given buffered PIOs are sufficient to conclude asynchronous compatibility of the more concrete composition.
Theorem 4.32 (Preservation). Let $(A, O^B_A)$ and $(B, O^B_B)$ be composable $\alpha$PIOs and let $C$ be a partitioned PIO. Let $C$ and $B$ be composable. If $C \sqsubseteq_{bb} A$ and $(A, O^B_A) \leftrightarrow_a (B, O^B_B)$, then $(C, O^B_A) \leftrightarrow_a (B, O^B_B)$.
PROOF. By Thm. 4.25 we have $\Omega(C, O^B_A) \sqsubseteq_{bb} \Omega(A, O^B_A)$. By definition of asynchronous output compatibility we have $\Omega(A, O^B_A) \leftrightarrow_u \Omega(B, O^B_B)$, hence Prop. 4.15 is applicable and we obtain $\Omega(C, O^B_A) \leftrightarrow_u \Omega(B, O^B_B)$, which means that $(C, O^B_A) \leftrightarrow_a (B, O^B_B)$, again by definition of asynchronous compatibility.
Example 4.33 (Preservation). The $\alpha$PIOs $(Prod, O^B_{Prod})$ and $(BufCtr, O^B_{BufCtr})$ are asynchronously output compatible due to ultra-weak output compatibility of $\Omega(Prod, O^B_{Prod})$ and $\Omega(BufCtr, O^B_{BufCtr})$. Consider the buffered PIOs in Fig. 4.8. The buffered producer may always eventually reach a state which outputs $put?$ with one step, since all $put!$ transitions are internal transitions. $\Omega(BufCtr, O^B_{BufCtr})$ is then required, by the conditions of ultra-weak output compatibility, to reach a global state with a matching input transition (labelled $put?$) after at most internal and non-shared output transitions. The buffered PIO $\Omega(BufCtr, O^B_{BufCtr})$ in Fig. 4.8 obviously meets these requirements and therefore we have indeed $(Prod, O^B_{Prod}) \leftrightarrow_a (BufCtr, O^B_{BufCtr})$.
If the producer is replaced by a more concrete process such as $Toast$ (cf. Ex. 4.26), then asynchronous output compatibility is preserved if $Toast \sqsubseteq_{bb} Prod$. Put differently, once we know about asynchronous output compatibility, it suffices to check finite-state PIOs in order to ensure its preservation. In the example Thm. 4.32 is applicable due to $Toast \sqsubseteq_{bb} Prod$ and thus it follows from $(Prod, O^B_{Prod}) \leftrightarrow_a (BufCtr, O^B_{BufCtr})$ that $(Toast, O^B_{Prod}) \leftrightarrow_a (BufCtr, O^B_{BufCtr})$.
3. Compatibility and N-ary Composition
In this section we show how to transfer the binary notion of output compatibility to a notion of output compatibility for n-ary compositions called communication-safety and discuss possibilities to derive this global property from pairwise or incremental compatibility analysis respectively. We consider only the case of synchronous communication, since buffered PIOs are PIOs (cf. Prop. 4.23) and thus any definition and result holds analogously in the context of asynchronous communication. Therefore we will use the notion of communication-safety for compositions of PIOs as well as for compositions of buffered PIOs. In the latter case we assume a definition analogous to Def. 4.34 below using $\alpha$PIOs $(A, O^B_A)$ instead of $A$.
3.1. Communication-Safety. The notion of communication-safety is a direct transfer of the binary definition of output compatibility to an n-ary composition of PIOs. If a global state in $R(\bigotimes_i A_i)$ is safe, then there is for any globally reachable local output action a reachable local input such that the output may be synchronised within the global product.
Definition 4.34 (Communication-safety). Let $(A_1, \dots, A_n)$ be pairwise composable PIOs with $A_i = ((I_i, O_i, T_i), S_i, s_{0,i}, \Delta_i, \Pi_i)$. A state $(s_1, \dots, s_n) \in R(\bigotimes_i A_i)$ is communication-safe (comm-safe) for $A_k$ with $k \in \{1, \dots, n\}$, if the following holds:
$$\forall l \in O_k \cap \big(\textstyle\bigcup_i I_i\big).\ \big(\exists s_k' \in S_k.\ (s_k, l, s_k') \in \Delta_k\big) \implies \big(\exists j \in \{1, \dots, n\} \setminus \{k\}.\ \exists s_j' \in S_j.\ (s_j, l, s_j') \in \Pi_j^{\mathcal{O}_j}\big),$$
where $\mathcal{O}_j \subseteq (O_j \setminus I_k) \cup T(A_j)$. The IOTS $A_k$ is comm-safe in $(A_1, \dots, A_n)$, if all $(s_1, \dots, s_n) \in R(\bigotimes_i A_i)$ are comm-safe for $A_k$. $(A_1, \dots, A_n)$ is comm-safe, if $A_k$ is comm-safe in $(A_1, \dots, A_n)$ for all $1 \le k \le n$. Ultra-weak comm-safety is defined using comm-safety with $\mathcal{O}_j = (O_j \setminus I_k) \cup T(A_j)$, weak comm-safety with $\mathcal{O}_j = T(A_j)$ and strong comm-safety with $\mathcal{O}_j = \emptyset$.