The Main Theorem

5.3.1 A Precise Statement of the Composition Principle

Having discussed composition and implementation, we come to the prob- lem of proving that the composition of specications

S

1 and

S

2 imple-

ments a specication

S

. As we observed in (5) of Section 5.2, we must prove R 1(

S

1) \R 2(

S

2)

S

. One might attempt to prove this with the

renement-mapping method of Section 5.2.2. Since we cannot expect to construct the realizable part of a specication, we would have to prove the stronger result that

S

1

\

S

2 implements

S

. However,

S

has the form

E

)

M

and each

S

i has the form

E

i )

M

i. The renement-mapping method proves

that a specication of the form

E

)

M

0 implements

E

)

M

, but

S

1

\

S

2

is not in this form. A simple renement mapping won't work; we need the Composition Principle.

We now restate the Composition Principle, for the case

n

= 2, in terms of our formal denitions. The principle's premises are that system is

the composition of systems 1 and

2, the specication of

is

E

)

M

,

and the specication of each i is

E

i )

M

i. As we have already indi-

cated,

E

,

E

1, and

E

2must be safety properties. Also needed are some addi-

tional assumptions that are natural consequences of our method of writing specications|assumptions that we disregard for now, but add as hypothe-

ses of the theorem and discuss afterwards. The hypotheses of the principle consist of three conditions:

1. guarantees

M

if each componenti guarantees

M

i.

Formally, this condition asserts that

M

1 \

M

2

M

. It can be sat-

ised automatically by taking

M

to be

M

1 \

M

2. We can therefore

simplify the Composition Principle by eliminating

M

, and letting the conclusion assert that satises

E

)

M

1 \

M

2. To show that

satises the specication

E

)

M

, one proves that

E

)

M

1

\

M

2

implements

E

)

M

, using the renement-mapping method described

in Section 5.2.2.

2. The environment assumption

E

i of each component i is satised if

the environment of satises

E

and every j satises

M

j.

This condition asserts that

E

\

M

1 \

M

2

E

1 and

E

\

M

1 \

M

2

E

2,

two assertions that can be combined as

E

\

M

1 \

M

2

E

1 \

E

2.

3. Every componentiguarantees

M

iunder environment assumption

E

i.

This condition simply asserts that each component i satises its

specication

E

i )

M

i.

The Composition Principle's conclusion asserts that satises the speci-

cation

E

)

M

1

\

M

2. (Remember that we have replaced

M

by

M

1 \

M

2.)

When the principle is formulated in terms of specications rather than sys- tems, condition 3 disappears and the conclusion states that the composition of the components' specications implements the system's specication. The Composition Principle then becomes the proof rule:

E

\

M

1 \

M

2

E

1 \

E

2 R 1(

E

1 )

M

1) \R 2(

E

2 )

M

2)

E

)

M

1 \

M

2 (6) Unfortunately, this rule is not valid. To obtain a valid rule, we must replace its hypothesis with a stronger one.

Rule (6) appears unreasonably circular because it allows one to assume

M

i in proving the environment assumption

E

i that is necessary for compo-

nenti to guarantee

M

i. This suggests that we strengthen the hypothesis

by disallowing the use of

M

i in proving

E

i, obtaining the rule:

E

\

M

2

E

1

; E

\

M

1

E

2 R 1(

E

1 )

M

1) \R 2(

E

2 )

M

2)

E

)

M

1 \

M

2 (7)

This rule is indeed valid. However, it would be wrong to attribute the invalidity of (6) to simple circularity. Rule (7) is also circular, and it would be incorrect without the additional assumptions that we have been ignoring. For example, suppose we could take

E

1 =

E

2 =

M

1 =

M

2 =

P

for some

safety property

P

. Both hypotheses of (7) then reduce to the tautology

E

\

P

P

; and each

E

i)

M

ibecomes

P

)

P

, an identically true specication

satised by any system. Rule (7) would then yield the ridiculous conclusion that the composition of any two systems satises the specication

E

)

P

.

Not only is (7) valid despite its circularity, but there is an even stronger valid rule that looks just as circular as (6). The way to strengthen (7) is suggested by a closer examination of its hypotheses. The rst hypothesis asserts that

E

and

M

2 imply

E

1. Property

E

1 is assumed to be a safety

property, and any safety property that is implied by

M

2 is implied by

M

2.

We would therefore expect

E

\

M

2to imply

E

1only if

E

\

M

2 does. Similarly,

E

\

M

1 should imply

E

2 only if

E

\

M

1 does. Proposition 12 shows that

the following inference rules are indeed valid|again, under certain natural assumptions.

_E

\

M

2

E

1

E

\

M

2

E

1

E

\

M

1

E

2

E

\

M

1

E

2 (8) We can thus replace

M

1 and

M

2 by their closures in the hypotheses of (7).

But we can do even more. In the hypothesis, we can actually assume both

M

1 and

M

2 when proving

E

1 and

E

2. In other words, rule (6) is valid if,

in the hypothesis, we replace

M

1 and

M

2 by

M

1 and

M

2. Thus, one can

assume

M

i when proving the assumption

E

i that is necessary for i to

guarantee

M

i.

We now state our precise results. The hypotheses of the proposition and the theorem are discussed later. The proposition asserts the rst rule of (8); the second rule is obtained by the obvious substitutions. In the theorem, we have strengthened the proof rule's conclusion by replacing

E

)

M

1 \

M

2

with its realizable part.

Proposition 12

If

1,

2, and

1 [

2 are agent sets and

E

,

E

1, and

M

2

are properties such that: 1.

E

=

I

\

P

where

(a)

I

is a state predicate.

(b)

P

is a safety property that constrains at most :(

1

[

2).

3.

1 \

2 = ;

4.

M

2 is a

2-abstract property.

Then the rule of inference

E

\

M

2

E

1

E

\

M

2

E

1 is sound.

Theorem 2

If

1,

2, and

1 [

2 are agent sets and

E

,

E

1,

E

2,

M

1, and

M

2 are properties such that:

1.

E

=

I

\

P

,

E

In document SRC RR 66 pdf (Page 45-48)