Frames for the Specification of Component Behaviours
1. FRAME SPECIFICATIONS FOR PORT-BASED COMPONENTS
input-persistent I/O-transition system, that is $frm(k:K) = pio(buf(k:K))$. Note that $buf(k:K)$ does not show internal labels due to the definition of queue IOTSs. Therefore, the frame of a connector (declaration) is indeed a frame in the sense that it does not show any internal but only input and output labels. The frame of a component declaration $c:C \in CmpDcl$ is given by $frm(c:C) = c.frm(C)$. The following lemma states, for later reference, the equivalence of the given translation and a direct definition using the PIO encoding of FIFO queues (cf. Def. 4.21). The claim follows directly from the definitions.

Lemma 6.3 Let $k:K$ be an asynchronous connector with $ports(K) = \{p:P,\ q:Q\}$. Then $pio(buf(k:K)) = k.(QB_{msg(req(P))} \otimes QB_{msg(req(Q))})$, where $QB$ is the PIO encoding of FIFO queues w.r.t. the required messages of $P$ and $Q$, respectively.
Definition 6.4 (Frame assembly) The frame of an assembly $a$ is given by
$$frm(a) = \Big(\bigotimes_{c:C \in cmps(a)} \big(frm(c:C)\,\sigma\alpha\big) \;\otimes\; \bigotimes_{k:K \in conns(a)} frm(k:K)\Big).$$
Composite components are assumed to be equipped with a frame just like simple components. Correctness as required by Def. 6.2 above then depends on the relation between the assembly behaviour of the component and its frame, which is consistent with the definition of composite components in Chap. 2. The following table provides a brief conceptual overview that summarises and relates our behavioural definitions with the frame definitions for components, connectors and assemblies.
Behaviour                                                        Frame
$beh(C) = $ IOTS                                                 $frm(C) = $ PIO
$buf(K) = que(P) \otimes que(Q)$                                 $frm(K) = pio(buf(K))$
$beh(a) = \bigotimes beh(C)\xi \otimes \bigotimes buf(K)$        $frm(a) = \bigotimes frm(C) \otimes \bigotimes frm(K)$
$beh(CC) = beh(a)\rho$                                           $frm(CC) = $ PIO
The only difference is in the definitions for composite components. The behaviour of assemblies and composite components is derived from the behaviours of the subcomponents. The frame, in contrast, is derived only for assemblies. For composite components we still expect an explicitly given frame specification; cf. Def. 6.2. Note that $frm(a)$ usually shows internal transitions as a result of the synchronisation of component and connector frames. This is in contrast to the internal transitions of the frame of a composite component which, analogously to simple components, is supposed to show anonymous $\tau$ actions only.

1.2. Frame Analysis. Having a frame composition mechanism at hand, the compatibility properties studied on the level of PIOs can directly be transferred to the level of frames. Then, by the notion of correct components defined above, an analysis of compatibility, or communication-safety (comm-safety) respectively, on the level of frame specifications allows one to conclude comm-safety of component behaviours. Remember that comm-safety is the n-ary version of output compatibility and comes in three flavours, strong, weak and ultra-weak comm-safety, corresponding to the respective kind of output compatibility. Since blackbox refinement preserves weak and ultra-weak output compatibility we have the following.
Proposition 6.5 (Frame analysis) Let $a \in Asm$ such that for all $c:C \in cmps(a)$, $beh(c:C) \in [\![frm(c:C)]\!]$. If $frm(a)$ is weakly (ultra-weakly) comm-safe, then $beh(a)$ is weakly (ultra-weakly) comm-safe.
PROOF. By definition $frm(a)$ is a composition of PIOs. Thus, by definition of correctness, $pio(beh(c:C)) \sqsubseteq_{bb} frm(c:C)$ for all $c:C \in cmps(a)$. The connector transition systems for frame and behaviour assemblies are equivalent due to the direct translation from connector behaviour to connector frame (cf. Lem. 6.3). Hence the assumptions of Prop. 4.35 hold and the claim follows by $n$ applications of Prop. 4.35, one for each of the $n$ components of $a$.
Strong compatibility is not preserved by blackbox refinement and hence strong comm-safety does not carry over. In order to get an analogous result, a strong variant of blackbox refinement that does not allow insertion and removal of internal transitions must be used.¹
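The caveat above can be reproduced mechanically on finite I/O transition systems: a behaviour that refines its frame only by inserting an internal step before accepting an input stays weakly output compatible with its partner but loses strong output compatibility. The following Python code is an added example and not part of the thesis. Its product construction, its tau-closure and its strong/weak compatibility predicates are simplified assumptions standing in for the PIO definitions of Chap. 4 (which this page does not reproduce), and the client and server systems are constructed for illustration.

```python
# Added example (not from the thesis): finite I/O transition systems with a
# synchronous product and a strong/weak output-compatibility check. The
# definitions of product, tau-closure and compatibility below are simplified
# assumptions standing in for the thesis's PIO definitions (Chap. 4).
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class IOTS:
    """Finite I/O transition system: labels are partitioned into inputs,
    outputs and internal labels; trans holds (source, label, target)."""
    init: str
    inputs: frozenset
    outputs: frozenset
    internal: frozenset
    trans: frozenset

    def succ(self, state, label):
        return {d for (s, l, d) in self.trans if s == state and l == label}

    def tau_closure(self, state):
        """States reachable from `state` via internal transitions only."""
        seen, todo = {state}, [state]
        while todo:
            s = todo.pop()
            for (src, l, d) in self.trans:
                if src == s and l in self.internal and d not in seen:
                    seen.add(d)
                    todo.append(d)
        return seen


def reachable_product(a, b):
    """Reachable states of the synchronous product: a label that is an output
    of one system and an input of the other fires jointly; every other label
    interleaves."""
    shared = (a.outputs & b.inputs) | (b.outputs & a.inputs)
    start = (a.init, b.init)
    seen, todo = {start}, deque([start])
    while todo:
        s, t = todo.popleft()
        nxt = set()
        for (src, l, d) in a.trans:
            if src == s:
                nxt |= {(d, t2) for t2 in b.succ(t, l)} if l in shared else {(d, t)}
        for (src, l, d) in b.trans:
            if src == t:
                nxt |= {(s2, d) for s2 in a.succ(s, l)} if l in shared else {(s, d)}
        for p in nxt - seen:
            seen.add(p)
            todo.append(p)
    return seen


def output_compatible(a, b, strong):
    """Strong: in every reachable product state, every shared output one side
    can emit is immediately accepted by the other side. Weak: accepted after
    finitely many internal steps of the receiver (assumed definitions)."""
    def accepts(x, state, label):
        states = {state} if strong else x.tau_closure(state)
        return any(x.succ(y, label) for y in states)

    for s, t in reachable_product(a, b):
        for (src, l, _) in a.trans:
            if src == s and l in a.outputs & b.inputs and not accepts(b, t, l):
                return False
        for (src, l, _) in b.trans:
            if src == t and l in b.outputs & a.inputs and not accepts(a, s, l):
                return False
    return True


# Constructed systems (hypothetical, not from the thesis): a client frame and
# a server frame, plus a server behaviour that refines the server frame by
# inserting one internal step ("tau") before accepting the request.
CLIENT = IOTS("c0", frozenset({"ans"}), frozenset({"req"}), frozenset(),
              frozenset({("c0", "req", "c1"), ("c1", "ans", "c0")}))
SERVER_FRAME = IOTS("s0", frozenset({"req"}), frozenset({"ans"}), frozenset(),
                    frozenset({("s0", "req", "s1"), ("s1", "ans", "s0")}))
SERVER_BEH = IOTS("s0", frozenset({"req"}), frozenset({"ans"}), frozenset({"tau"}),
                  frozenset({("s0", "tau", "s0'"), ("s0'", "req", "s1"),
                             ("s1", "ans", "s0")}))


def compare():
    """Compatibility of the frame pair versus the behaviour pair."""
    return {
        "frame_strong": output_compatible(CLIENT, SERVER_FRAME, strong=True),
        "frame_weak": output_compatible(CLIENT, SERVER_FRAME, strong=False),
        "beh_strong": output_compatible(CLIENT, SERVER_BEH, strong=True),
        "beh_weak": output_compatible(CLIENT, SERVER_BEH, strong=False),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {'compatible' if ok else 'NOT compatible'}")
```

Running the block shows the frame pair compatible under both notions, while the behaviour pair is compatible only under the weak notion: the inserted internal step is exactly the kind of transition a strong variant of blackbox refinement would have to forbid.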
Frame analysis using Prop. 6.5 allows one to infer properties of an implementation from an analysis of its specification, i.e. from an analysis on the frame level of the component-based system. In general, results from frame analysis can be expected to carry over for any property which is preserved by blackbox refinement between PIOs. For instance, Chap. 4 examined the preservation of safety properties using a greybox variant of blackbox refinement. Greybox refinement is related to our notion of correct implementations by Thm. 4.47 and Thm. 4.48. We consider assemblies with hidden enqueue actions.
Proposition 6.6 (Safety properties) Let $a \in Asm$ such that for all $c:C \in cmps(a)$, $beh(c:C) \in [\![frm(c:C)]\!]$. Let $H_B = \bigcup\{\, l^B \mid l^B \in T_{frm(a)} \,\}$ and let $P_{sf}$ be a safety property for $frm(a) \setminus H_B$. If $frm(a) \setminus H_B \models P_{sf}$ then $beh(a) \setminus H_B \models P_{sf}$.
In order to simplify the presentation of the proof, we use the behaviours and frames of component types directly, skip a detailed discussion of the relabellings $\sigma$ and $\alpha$ for the proper synchronisation within assemblies (cf. Def. 2.22), and consider completely buffered PIOs. The latter corresponds to components that communicate by asynchronous connectors only. Let $sync(a) \subseteq cmps(a)$ and $async(a) \subseteq cmps(a)$ be the subsets of synchronously and asynchronously communicating components in assembly $a$. First we prove the following lemma.
Lemma 6.7 Let $a \in Asm$ such that for all $c:C \in cmps(a)$, $beh(c:C) \in [\![frm(c:C)]\!]$. Let $H_B = \bigcup\{\, l^B \mid l^B \in T_{frm(a)} \,\}$. Then $beh(a) \setminus H_B \sqsubseteq_{gb} frm(a) \setminus H_B$.
PROOF OF LEMMA. By definition of assembly frames, associativity and commutativity of the product operator, and the definition of buffered PIOs:
$$\begin{aligned}
frm(a) \setminus H_B
&= \Big(\bigotimes_{c:C \in cmps(a)} frm(C) \otimes \bigotimes_{k:K \in conns(a)} frm(K)\Big) \setminus H_B \\
&= \Big(\bigotimes_{c:C \in sync(a)} frm(C) \otimes \bigotimes_{c:C \in async(a)} \Omega(frm(C))\Big) \setminus H_B \\
&= \bigotimes_{c:C \in sync(a)} frm(C) \otimes \bigotimes_{c:C \in async(a)} \big(\Omega(frm(C)) \setminus H_B\big) \\
&= \bigotimes_{c:C \in sync(a)} frm(C) \otimes \bigotimes_{c:C \in async(a)} \big(\Omega(frm(C))\,\xi\big).
\end{aligned}$$
For the second step, the connector frames are absorbed into the buffered PIOs $\Omega(frm(C))$ since we consider completely buffered PIOs. For the third step, note that $H_B$ comprises only enqueue labels and thus the hiding does not affect synchronously communicating components. As frames do not show internal labels, we may replace the hiding of enqueue labels by a hiding of all internal labels using $\xi$ in the fourth step. By the correctness assumption $beh(c:C) \in [\![frm(c:C)]\!]$, the invariance of blackbox refinement w.r.t. $\xi$ (cf. Lem. 4.5), and the transfer property of blackbox refinement (cf. Cor. 4.29) it holds that
$$\bigotimes_{c:C \in sync(a)} beh(C)\,\xi \;\sqsubseteq_{bb}\; \bigotimes_{c:C \in sync(a)} frm(C)
\quad\text{and}\quad
\bigotimes_{c:C \in async(a)} \Omega(beh(C))\,\xi \;\sqsubseteq_{bb}\; \bigotimes_{c:C \in async(a)} \Omega(frm(C))\,\xi .$$
Now, theorems 4.47 and 4.48 are applicable and we obtain
$$\bigotimes_{c:C \in sync(a)} beh(C)\,\xi \;\sqsubseteq_{gb}\; \bigotimes_{c:C \in sync(a)} frm(C)
\quad\text{and}\quad
\bigotimes_{c:C \in async(a)} \Omega(beh(C))\,\xi \;\sqsubseteq_{gb}\; \bigotimes_{c:C \in async(a)} \Omega(frm(C))\,\xi .$$
Thus, by compositionality of greybox refinement (cf. Cor. 4.46), it follows that
$$\bigotimes_{c:C \in sync(a)} beh(C)\,\xi \;\otimes\; \bigotimes_{c:C \in async(a)} \Omega(beh(C))\,\xi \;\sqsubseteq_{gb}\; frm(a) \setminus H_B .$$
As the left-hand side is obtained from $beh(a) \setminus H_B$ analogously to the case of $frm(a) \setminus H_B$ above, the claim follows.
2. COMPRESSING PROXY REVISITED 103