HAL Id: inria-00292870
https://hal.inria.fr/inria-00292870v7
Submitted on 13 Jan 2009

A Boolean algebra of contracts for logical assume-guarantee reasoning
Yann Glouche, Paul Le Guernic, Jean-Pierre Talpin, Thierry Gautier
INRIA Research Report N° 6570, July 2008, 38 pages. ISRN INRIA/RR--6570--FR+ENG
Themes COM and SYM (Communicating Systems and Symbolic Systems), Project ESPRESSO

To cite this version:
Yann Glouche, Paul Le Guernic, Jean-Pierre Talpin, Thierry Gautier. A Boolean algebra of contracts for logical assume-guarantee reasoning. [Research Report] RR-6570, INRIA. 2008, pp.41. ⟨inria-00292870v7⟩
Abstract: Assume-guarantee reasoning is a popular and expressive paradigm for a modular and compositional specification of programs. It is in turn becoming a fundamental concept in mainstream industrial computer-aided design tools for embedded system design. In this paper, we elaborate new foundations for contract-based embedded system design by proposing a general-purpose algebra of assume/guarantee contracts based on two simple concepts: first, the assumption or guarantee of a component is defined as a filter and, second, filters enjoy the structure of a Boolean algebra. This yields an algebraically rich structure which allows us to reason on contracts.

Key-words: assume/guarantee, contract, embedded system, verification, Boolean algebra

{yann.glouche,paul.leguernic,jean-pierre.talpin,thierry.gautier}@irisa.fr
Contents
1 Introduction
2 An algebra of processes
3 An algebra of filters
4 An algebra of contracts
5 Related work
6 Discussion
7 Conclusion
References
A Proofs of Section 2
B Proofs of Section 3
C Proofs of Section 4
1 Introduction

Common methodological precepts for attacking the design of large embedded architectures advise the validation of specifications as early as possible and an iterative validation of each refinement or modification made to the initial specification, until the implementation of the system is finalized. Additionally, cooperative component-based development requires one to use and to assemble components that have been developed by different suppliers, in a safe and consistent way. These components have to be provided with their conditions of use and some guarantees that they have been validated when these conditions are satisfied.

We adopt the paradigm of contract to define a component-based validation process in the context of a synchronous modeling framework. We define a novel algebraic framework to enable logical reasoning on contracts. It is based on two simple concepts. First, the assumptions and guarantees of a component are defined as filters: assumptions filter the behaviors a component may accept and guarantees filter the behaviors a component provides. Second and foremost, we define a Boolean algebra to manipulate filters. This yields an algebraically rich structure which allows us to reason on contracts (to abstract, refine, combine and normalize them). This algebraic model is based on a minimalist model of execution traces, allowing one to adapt it easily to a particular design framework.

The most important aspect introduced by the framework is the notion of filter, for which the negation is clearly defined. A filter constrains a finite set of variables, which is represented by the set of the processes which satisfy these constraints.

Plan. The paper is organized as follows. Section 2 introduces a suitably general algebra of processes which borrows its notation and concepts from domain theory [10]. A contract $(A, G)$ is viewed as a pair of logical devices filtering processes: the assumption $A$ filters processes to select (accept or conversely reject) those that are asserted (accepted or conversely rejected) by the guarantee $G$. Process-filters are defined in Section 3 and contracts in Section 4. Section 5 presents related work, which is further discussed around an example in Section 6. Section 7 concludes the presentation.
2 An algebra of processes

We start with the definition of a suitable algebra for behaviors and processes. Usually, a behavior describes the trace of a discrete process (a Mazurkiewicz trace or a tuple of signals in Lee's tagged signal model). We deliberately choose a more abstract definition in order to encompass not only discrete behaviors on Boolean, integer, real variables but also behaviors of more complex systems, such as continuous functions.
Definition 1. [Behavior] Let $V$ be an infinite, countable set of variables, and $D$ a set of values; for $Y$, a finite set of variables included in $V$ (written $Y \Subset V$), $Y$ nonempty, a $Y$-behavior $b$ is a function $b : Y \to D$. $\mathcal{B}_Y$ denotes the set of $Y$-behaviors and $\mathcal{B}_\emptyset$ the empty variable domain:
$$\mathcal{B}_Y \triangleq Y \to D \qquad\text{and}\qquad \mathcal{B}_\emptyset \triangleq \emptyset$$
For $Y$, a finite set of variables included in $V$, $Y$ nonempty, $b$ a $Y$-behavior, $X$ a (possibly empty) subset of $Y$, $b|_X$ is the $X$-behavior equal to $b$ on $X$:
$$b|_X \triangleq \{(x, b(x)) \,/\, x \in X\} \qquad\text{and}\qquad b|_\emptyset = \emptyset \qquad\text{and}\qquad b|_Y = b \tag{1}$$
[Figure: two behaviors $b_1$ and $b_2$ on the variables $x, y$.] From left to right: the $x, y$-behaviors $b_1$ and $b_2$ are functions from the variables $x, y$ to functions that denote signals. Left, behavior $b_1$ is a discrete sampling mapping a domain of time represented by natural numbers to values in rationals $\mathbb{Q}$. Right, behavior $b_2$ associates $x, y$ to continuous functions of time. A process is denoted by a set of behaviors on a given set of variables. For instance, the process of behavior $b_1$, below, contains other possible behaviors on the variables $x$ and $y$.
Definition 2. [Process] For $X$, a finite set of variables ($X \Subset V$), an $X$-process $p$ is a nonempty set of $X$-behaviors.

Thus, since $\mathcal{B}_\emptyset \triangleq \emptyset$, there is a unique $\emptyset$-process designated by $\Omega \triangleq \{\emptyset\}$; $\Omega$ has the empty behavior as unique behavior. The empty process is denoted by $0 \triangleq \emptyset$.

Since $\Omega$ does not have any variable, it has no effect when composed (intersected) with other processes. It can be seen as the universal process, for constraint conjunction, in contrast with $0$, the empty set of behaviors, the use of which in constraint conjunction always results in the empty set. $0$ can be seen as the null process.

For $X$, a finite set of variables ($X \Subset V$), we denote by $\mathcal{P}_X$ the set of $X$-processes. A process in $\mathcal{P}_X$ defined on a finite set of variables $X$ is said strict (thus $\Omega$ is a strict process). $\mathcal{P}$ denotes the set of all strict processes.
$$\mathcal{P}_X \triangleq \mathcal{P}(\mathcal{B}_X) \setminus \{0\}, \qquad \mathcal{P} \triangleq \bigcup_{X \Subset V} \mathcal{P}_X \qquad (\mathcal{P}_\emptyset = \{\Omega\})$$
The domain of behaviors in an $X$-process $p$ is denoted by $\mathrm{var}(p) \triangleq X$. $0$ is the only non-strict $V$-process: $\mathrm{var}(0) = V$. A process is either $0$, or a strict process. Hence, the set of all processes $\mathcal{P}^\star$ is defined by $\mathcal{P}^\star \triangleq \mathcal{P} \cup \{0\}$ and $\forall X \Subset V,\ \mathcal{P}^\star_X \triangleq \mathcal{P}_X \cup \{0\}$. For $R \subseteq \mathcal{P}^\star$, $\overline{R}$ denotes the complementary of $R$. We define the complementary of a process and its restriction or extension of the behaviors to a given set of variables.
Definition 3. [Complementary of a process] For $X$, a finite set of variables ($X \Subset V$), the complementary $\tilde{p}$ of a process $p \in \mathcal{P}_X$ is defined by:
$$p \in \mathcal{P}_X \Longrightarrow \tilde{p} \triangleq (\mathcal{B}_X \setminus p) = \{b \in \mathcal{B}_X \,/\, b \notin p\} \qquad (\tilde{\mathcal{B}}_X = 0) \tag{2}$$

Definition 4. [Process restriction and extension] When $X, Y$ are finite sets of variables such that $X \subseteq Y \Subset V$, $Y$ nonempty, we define the restriction $q|_X \in \mathcal{P}_X$ of $q \in \mathcal{P}_Y$ to $X$ and conversely the extension $p|_Y \in \mathcal{P}_Y$ of $p \in \mathcal{P}_X$ to $Y$ by:
$$q|_X \triangleq \{b|_X \,/\, b \in q\} \qquad (\text{then } q|_\emptyset = \Omega,\ q|_{\mathrm{var}(q)} = q) \tag{3}$$
$$p|_Y \triangleq \{b \in \mathcal{B}_Y \,/\, b|_X \in p\} \qquad (\text{then } \Omega|_Y = \mathcal{B}_Y,\ p|_{\mathrm{var}(p)} = p) \tag{4}$$
[Figure: complementary, restriction and extension of a process.] Left, the complementary $\tilde{p}$ of a process $p$ defined on the variables $x$ and $y$ consists of the $x, y$-behaviors that are not in $p$. Center, the restriction $p|_{\{x, y\}}$ of a process $p$ defined on $x, y, z$ consists of its projection on the restricted domain. Right, the extension $p|_{\{x, y, z\}}$ of a process $p$ defined on $x, y$ is the largest process defined on $x, y, z$ whose restriction on $x, y$ is equal to $p$.
The set $\mathcal{P}^\star_X$, equipped with union, intersection and complementary, is a Boolean algebra with supremum $\mathcal{P}^\star_X$ and infimum $0$. Restriction is extended to $0$, the blocking process, by $0|_X = \{b|_X \,/\, b \in \emptyset\} = 0$. The restriction and extension of strict processes satisfy the following properties.

Property 1. When $W, X, Y, Z$ are finite sets of variables, $Y, Z$ nonempty, $p, q$ strict processes:
$$\mathrm{var}(p) \subseteq Z \subseteq Y \Longrightarrow (p|_Z|_Y = p|_Y) \wedge (p|_Y|_Z = p|_Z) \tag{5}$$
$$\mathrm{var}(p) = \mathrm{var}(q) \subseteq Y \Longrightarrow ((p \cap q)|_Y = (p|_Y \cap q|_Y)) \wedge ((p \cup q)|_Y = (p|_Y \cup q|_Y)) \tag{6}$$
$$\mathrm{var}(p) = \mathrm{var}(q) \subseteq Y \Longrightarrow ((p \subseteq q) \Longleftrightarrow (p|_Y \subseteq q|_Y)) \tag{7}$$
$$X \subseteq \mathrm{var}(p) = \mathrm{var}(q) \Longrightarrow ((p \subseteq q) \Longrightarrow (p|_X \subseteq q|_X)) \tag{8}$$
We define the poset of strict processes.

Definition 5. [Strict processes extension] For nonempty finite sets of variables $X \subseteq Y \Subset V$ and for $p \in \mathcal{P}_X$, the relation $p \preceq q$ (written $\preceq$ here) means that $q$ is an extension of $p$ to $Y$:
$$(p \preceq q) \Longleftrightarrow ((\mathrm{var}(p) \subseteq \mathrm{var}(q)) \wedge (p|_{\mathrm{var}(q)} = q))$$

Property 2. $(\mathcal{P}, \preceq)$ is a poset.

The upper set $[\uparrow p]$ of a process $p$ is the set of all its extensions:
$$[\uparrow p] \triangleq \{q \in \mathcal{P} \,/\, p \preceq q\} \qquad ([\uparrow \Omega] = \{\mathcal{B}_X\}_{X \Subset V}) \tag{9}$$

Definition 6. [Variable control] A process $q$ controls a variable $y$, written $q \triangleright y$, iff
$$((y \in \mathrm{var}(q)) \wedge (q \neq (q|_{(\mathrm{var}(q) \setminus \{y\})})|_{\mathrm{var}(q)})) \tag{10}$$
A process $q$ controls a variable set $X$, written $q \triangleright X$, iff
$$(\forall x \in X)(q \triangleright x) \qquad (\Omega \triangleright \emptyset) \tag{11}$$
Moreover, $\triangleright$ is extended to $\mathcal{P}^\star$ with $0 \triangleright V$.
[Figure: upper set and variable control.] Left, the upper set $[\uparrow p]$ is the set of all processes $q \in \mathcal{P}$ such that $p \preceq q$. Center, let $X = \{x, y, z\}$; a process $p \in \mathcal{P}_X$ controls the variables $x$ and $y$ and lets $z$ free. Right, a process $p \in \mathcal{P}_X$ controls the variables $x, y, z$.

Note that, if a process $p$ controls $X$, this does not imply that, for all $x \in X$, $y \in X$, $x \neq y$, $(p|_{(X \setminus \{x\})})$ controls $y$.
Definition 7. [Reduced process] A strict process $p$ is reduced iff it controls all its variables: $p$ is reduced iff $p \triangleright \mathrm{var}(p)$.

For instance, $\Omega$ is reduced. Reduced strict processes are minimal in $(\mathcal{P}, \preceq)$. We denote by $\nabla q$, called reduction of $q$, the (minimal) strict process such that $\nabla q \preceq q$ ($p$ is reduced iff $\nabla p = p$).

[Figure: reduction of a process.] Right, the reduction $\nabla q$ of a process $q$ and a process $p$ in the upper set $[\uparrow q]$. Assuming that $\mathrm{var}(q) = (\{x_1 \dots x_n\} \cup \{y_1 \dots y_m\})$ and that $q$ controls the variables $\{x_1 \dots x_n\}$, we have $\mathrm{var}(\nabla q) = \{x_1 \dots x_n\}$. The process $p$ is such that $p \in [\uparrow \nabla q]$ with $\mathrm{var}(p) \subseteq (\{x_1 \dots x_n\} \cup \{y_1 \dots y_m\} \cup \{z_1 \dots z_l\})$. Process $p$ controls the variables $\{x_1 \dots x_n\}$, and $\{y_1 \dots y_m\} \cup \{z_1 \dots z_l\}$ is a set of free variables, such that $\nabla q = \nabla p$.
Property 3. The complementary $\tilde{p}$ of a strict process $p$ is reduced iff $p$ is reduced; $\tilde{p}$ and $p$ control the same set of variables $\mathrm{var}(p)$.

From the above, we deduce that $[\uparrow \nabla p]$, the upper set of the reduction of $p$, is a (principal) filtered set [10]: it is nonempty and each pair of elements has a lower bound. We also observe that $\mathrm{var}(\nabla q)$ is the greatest subset of variables such that $q \triangleright \mathrm{var}(\nabla q)$; for a strict process $q$, we extend the definition of $\mathrm{var}()$ to the upper set of its reduction by $\mathrm{var}([\uparrow \nabla q]) \triangleq \mathrm{var}(\nabla q)$.

Property 4. The upper set of a strict process $p$ contains a unique process $p|_Y$ defined on a given set of variables $Y \supseteq \mathrm{var}(p)$; the process $p$ and its extension $p|_Y$ control the same set of variables, that is the set of variables controlled by the reduction of $p$.
$$((q \in [\uparrow p]) \wedge (r \in [\uparrow p]) \wedge (\mathrm{var}(q) = \mathrm{var}(r))) \Longrightarrow (q = r) \tag{12}$$
$$(\mathrm{var}(p) \subseteq Y) \Longrightarrow ((p|_Y) \triangleright \mathrm{var}(\nabla p)) \tag{13}$$
$$((\mathrm{var}(p) \cup \mathrm{var}(q)) \subseteq Y) \Longrightarrow ((p|_Y = q|_Y) \Longrightarrow (\nabla p = \nabla q)) \tag{14}$$
For the blocking process, we set $0 \triangleright V$ and $[\uparrow 0] = \{0\}$.

We define the inclusion lower set of a process to capture all the subsets of its behaviors. Let $R \subseteq \mathcal{P}^\star$; $[R\downarrow_\subseteq]$ is the lower set of $R$ for $\subseteq$:
$$[R\downarrow_\subseteq] \triangleq \{p \in \mathcal{P}^\star \,/\, (\exists q \in R)(p \subseteq q)\} \tag{15}$$

Property 5. From the above definitions, we conclude that:
$$[[\uparrow \nabla 0]\downarrow_\subseteq] = \{0\} \tag{16}$$
$$[[\uparrow \nabla \Omega]\downarrow_\subseteq] = \mathcal{P}^\star \tag{17}$$
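The finite-domain case of Definitions 2 to 7 and Property 1, carried out in code as an added example (this is not code from the report): behaviors are frozensets of (variable, value) pairs, processes are frozensets of behaviors, and the value domain $D = \{0, 1\}$, the variable names and the processes built in `example()` are constructed assumptions. Definition 6 is read here as "$q$ controls $y$ iff restricting $q$ to $\mathrm{var}(q) \setminus \{y\}$ and extending back changes $q$"; that reading is an assumption. The example builds a process on $\{x, y, z\}$ that forces $x = y$ and leaves $z$ free, computes which variables it controls, its reduction and its complementary, and checks equations (5) to (7) and Property 3 on it.

```python
"""Finite-domain behaviors, processes, restriction, extension, control and
reduction (added example, not from the report).  D = {0, 1} is an assumed
finite value domain so that B_Y can be enumerated."""
from itertools import product

D = (0, 1)                        # assumed finite value domain (constructed)
OMEGA = frozenset({frozenset()})  # Omega = {emptyset}: the unique empty-variable process
ZERO = frozenset()                # the blocking process 0 = emptyset


def all_behaviors(Y):
    """B_Y: every function from the variable set Y to D, one frozenset of pairs each."""
    Y = sorted(Y)
    return frozenset(frozenset(zip(Y, vals)) for vals in product(D, repeat=len(Y)))


def var(p):
    """var(p) for a strict process: the variable set of any of its behaviors."""
    assert p, "var(0) is V, not a finite set"
    return frozenset(x for x, _ in next(iter(p)))


def restrict(p, X):
    """p|X (eq. 3): project every behavior of p onto X, a subset of var(p)."""
    return frozenset(frozenset((x, v) for x, v in b if x in X) for b in p)


def extend(p, Y):
    """p|Y (eq. 4) for Y a superset of var(p): all Y-behaviors whose projection is in p."""
    X = var(p)
    return frozenset(b for b in all_behaviors(Y) if restrict({b}, X) <= p)


def complement(p):
    """The complementary of p (eq. 2): the var(p)-behaviors not in p."""
    return all_behaviors(var(p)) - p


def is_extension(p, q):
    """p precedes q (Definition 5): q is the extension of p to var(q)."""
    return var(p) <= var(q) and extend(p, var(q)) == q


def controls(q, y):
    """q controls y (assumed reading of Definition 6): dropping y and re-extending changes q."""
    X = var(q)
    return y in X and extend(restrict(q, X - {y}), X) != q


def is_reduced(p):
    """Definition 7: p controls every one of its variables."""
    return all(controls(p, y) for y in var(p))


def reduction(q):
    """The reduction of q: q restricted to the variables it controls; it must extend back to q."""
    ctrl = frozenset(y for y in var(q) if controls(q, y))
    r = restrict(q, ctrl)
    assert is_extension(r, q), "restriction to the controlled variables must extend back to q"
    return r


def example():
    """Constructed processes on {x, y, z}; returns the checked facts as a dict."""
    X = {"x", "y", "z"}
    Y = {"w", "x", "y", "z"}
    # p: x and y must agree, z is unconstrained (so z is a free variable of p)
    p = frozenset(b for b in all_behaviors(X) if dict(b)["x"] == dict(b)["y"])
    # q: same variables, z forced to 1
    q = frozenset(b for b in all_behaviors(X) if dict(b)["z"] == 1)
    red = reduction(p)
    eq5 = (extend(extend(red, X), Y) == extend(red, Y)
           and restrict(extend(red, Y), X) == extend(red, X))
    eq6 = (extend(p & q, Y) == extend(p, Y) & extend(q, Y)
           and extend(p | q, Y) == extend(p, Y) | extend(q, Y))
    eq7 = (p <= q) == (extend(p, Y) <= extend(q, Y))
    return {
        "controls": {v: controls(p, v) for v in X},
        "reduced_vars": set(var(red)),
        "reduced_size": len(red),
        "complement_size": len(complement(p)),
        "eq5": eq5, "eq6": eq6, "eq7": eq7,
        "prop3": is_reduced(red) and is_reduced(complement(red)),
        "omega_extends_to_B_Y": extend(OMEGA, X) == all_behaviors(X),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

The reduction of $p$ is the process $\{x = y\}$ on $\{x, y\}$, which is reduced, as is its complementary $\{x \neq y\}$ (Property 3); extending $\Omega$ to $X$ gives $\mathcal{B}_X$, as noted after equation (4).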
3 An algebra of filters

In this section, we define a process-filter by the set of processes that satisfy a given property. We propose an order relation ($\sqsubseteq$) on the set of process-filters $\Phi$. We establish that $(\Phi, \sqsubseteq)$ is a lattice and a Boolean algebra. A process-filter $R$ is a subset of $\mathcal{P}^\star$ that filters processes. It contains all processes that are equivalent with respect to some constraint or property, so that all processes in $R$ are accepted or all of them but $0$ are rejected. A process-filter is built from a unique process generator by extending it to larger sets of variables, and then by including subprocesses of these maximal allowed behavior sets.

Definition 8. [Process-filter] A set of processes $R$ is a process-filter iff $(\exists r \in \mathcal{P}^\star)((r = \nabla r) \wedge (R = [[\uparrow r]\downarrow_\subseteq]))$. The process $r$ is a generator of $R$ ($R$ is generated by $r$). We denote by $\Phi$ the set of process-filters.

The process-filter generated by the reduction of a process $p$ is denoted by $c[p] \triangleq [[\uparrow \nabla p]\downarrow_\subseteq]$.
[Figure: construction of a process-filter.] Left, a process-filter is generated from the process $p$ (depicted by a bold line) via two successive operations. The first operation consists of building the upper set of the process: it takes all the processes that are compatible with $p$ and that are defined on a bigger set of variables. The second operation proceeds using the inclusion lower set of this set of processes: it takes all the processes that are defined by subsets of behaviors from processes in the upper set (in other words, those processes that remain compatible when adding constraints, because adding constraints removes behaviors).
A process-filter $R = c[r]$ satisfies the following properties:

Property 6. The variable set of a process $p$ that belongs to a process-filter generated by a reduced process $\nabla r$ contains the variable set of this process $\nabla r$. The generator of a process-filter is unique; we refer to it as $\nabla R$. Finally, $\Omega$ generates the set of all processes (including $0$), and $0$ belongs to all filters. Formally ($\forall p, r, s \in \mathcal{P}^\star$):
$$(p \in c[r]) \Longrightarrow (\mathrm{var}(\nabla r) \subseteq \mathrm{var}(p)) \tag{18}$$
$$c[r] = c[s] \Longleftrightarrow \nabla r = \nabla s \tag{19}$$
$$\Omega \in c[r] \Longleftrightarrow c[r] = \mathcal{P}^\star \tag{20}$$
$$0 \in R \tag{21}$$
Let $p \in \mathcal{P}_{\{x\}}$ be a process defined on a variable $x \in V$ whose behaviors are functions from a totally ordered domain of time $T$ to rationals $\mathbb{Q}$. Define the process $p$ to satisfy:
$$\forall b \in p,\ b(x) : T \mapsto \mathbb{Q}$$
$$\forall t, t' \in T,\ t \le t' \Leftrightarrow b(x)(t) \le b(x)(t')$$
Then $c[p]$ is the set of all processes such that, for all behaviors $b \in p$, $b(x)$ is a monotonic increasing function from the domain of time $T$ to $\mathbb{Q}$.
We call strict process-filters the process-filters that are neither $\mathcal{P}^\star$ nor $\{0\}$. The filtered variable set of $R$ is $\mathrm{var}(R)$, defined by:
$$\mathrm{var}(R) \triangleq \mathrm{var}(\nabla R) \tag{22}$$

Theorem 1. A strict process $p$ belongs to a process-filter $R$ iff
$$(\forall X, Y \Subset V)(\mathrm{var}(R) \subseteq X \subseteq Y),\quad (p \in R) \Longleftrightarrow (\mathrm{var}(R) \subseteq \mathrm{var}(p)) \wedge \big((\mathrm{var}(p) \subseteq Y) \Longrightarrow ((p|_Y)|_X \subseteq \nabla R|_X)\big)$$
Corollary 1. The two equivalent properties are satisfied:
$$R \subseteq S \Longleftrightarrow ((\mathrm{var}(S) \subseteq \mathrm{var}(R)) \wedge (\nabla R|_{\mathrm{var}(S)} \subseteq \nabla S)) \tag{23}$$
$$R \subseteq S \Longleftrightarrow \nabla R \in S \tag{24}$$

Corollary 2. The following properties are satisfied:
$$(R \subseteq (S \cap T)) \Longleftrightarrow ((R \subseteq S) \wedge (R \subseteq T)) \quad \text{(Corollary 1, equation 24)} \tag{25}$$
$$(R \subseteq (S \cup T)) \Longleftrightarrow ((R \subseteq S) \vee (R \subseteq T)) \quad \text{(Corollary 1, equation 24)} \tag{26}$$
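A brute-force check of process-filter membership (Definition 8, Property 6) and of Corollary 1, as a second added example that is not the report's code; it uses the same finite encoding as the previous example (behaviors as frozensets of (variable, value) pairs, processes as frozensets of behaviors) and the same assumed domain $D = \{0, 1\}$. Generators are assumed to be given already reduced, as Definition 8 requires; the generators $r$ (forcing $x = y$) and $s$ (forcing $x = y = z$) and the three-variable universe are constructed. The code enumerates every process over subsets of the universe, compares the direct reading of Definition 8 (a member is a sub-process of the unique extension of the generator to its own variables, equation (12)) with a projection test, and checks that equations (23) and (24) decide filter inclusion identically.

```python
"""Process-filter membership and inclusion on a finite domain (added
example, not from the report).  D = {0, 1} is an assumed finite domain."""
from itertools import combinations, product

D = (0, 1)                        # assumed finite value domain (constructed)
ZERO = frozenset()                # the blocking process 0
OMEGA = frozenset({frozenset()})  # the empty-variable process Omega


def all_behaviors(Y):
    """B_Y: every function from Y to D."""
    Y = sorted(Y)
    return frozenset(frozenset(zip(Y, vals)) for vals in product(D, repeat=len(Y)))


def var(p):
    """var(p) of a strict process."""
    return frozenset(x for x, _ in next(iter(p)))


def restrict(p, X):
    """p|X (eq. 3)."""
    return frozenset(frozenset((x, v) for x, v in b if x in X) for b in p)


def extend(p, Y):
    """p|Y (eq. 4)."""
    X = var(p)
    return frozenset(b for b in all_behaviors(Y) if restrict({b}, X) <= p)


def in_filter_by_definition(p, r):
    """p in c[r] = [[up r] down_subseteq] for a reduced generator r: p is 0 (eq. 21)
    or a sub-process of the unique extension of r to var(p) (eq. 12)."""
    return p == ZERO or (var(r) <= var(p) and p <= extend(r, var(p)))


def in_filter(p, r):
    """Same test without building the extension: project p onto var(r) instead."""
    return p == ZERO or (var(r) <= var(p) and restrict(p, var(r)) <= r)


def subset_eq23(r, s):
    """c[r] subset c[s] iff var(s) <= var(r) and r|var(s) <= s  (eq. 23)."""
    return var(s) <= var(r) and restrict(r, var(s)) <= s


def subset_eq24(r, s):
    """c[r] subset c[s] iff the generator r belongs to c[s]  (eq. 24)."""
    return in_filter(r, s)


def all_processes(universe):
    """0 plus every strict process on every subset of `universe` (brute force:
    2^|B_Y| - 1 processes per Y, so keep the universe tiny)."""
    yield ZERO
    for n in range(len(universe) + 1):
        for Y in combinations(sorted(universe), n):
            bs = list(all_behaviors(Y))
            for k in range(1, len(bs) + 1):
                for sub in combinations(bs, k):
                    yield frozenset(sub)


def example():
    """Constructed reduced generators r (x = y) and s (x = y = z) over {x, y, z}."""
    universe = {"x", "y", "z"}
    r = frozenset(b for b in all_behaviors({"x", "y"}) if dict(b)["x"] == dict(b)["y"])
    s = frozenset(b for b in all_behaviors(universe) if len({v for _, v in b}) == 1)
    procs = list(all_processes(universe))
    gens = (r, s, OMEGA)
    return {
        "agree": all(in_filter(p, r) == in_filter_by_definition(p, r) for p in procs),
        "n_members_r": sum(1 for p in procs if in_filter(p, r)),
        "zero_in_r": in_filter(ZERO, r),            # eq. 21: 0 is in every filter
        "omega_in_r": in_filter(OMEGA, r),          # eq. 20: only c[Omega] contains Omega
        "omega_in_omega": in_filter(OMEGA, OMEGA),
        "s_in_r": in_filter(s, r),                  # c[s] is narrower, so s is in c[r]
        "r_in_s": in_filter(r, s),
        "eq23_eq24_agree": all(subset_eq23(a, b) == subset_eq24(a, b)
                               for a in gens for b in gens),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

Over the three constructed variables, $c[r]$ contains $0$, the three nonempty sub-processes of $r$ on $\{x, y\}$ and the fifteen nonempty sub-processes of $r|_{\{x,y,z\}}$, nineteen processes in all; $c[s] \subseteq c[r]$ holds by both (23) and (24), and the converse fails because $\mathrm{var}(s) \not\subseteq \mathrm{var}(r)$.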
We define an order relation on process-filters, which we call relaxation, and write $R \sqsubseteq S$ to mean that $R$ is less wide than $S$.

Definition 9. [Process-filter relaxation] For $R$ and $S$, two process-filters, the relation $R$ is less wide than $S$, written $R \sqsubseteq S$, is defined by:
$$\{0\} \sqsubseteq S \qquad (R \sqsubseteq \{0\}) \Longleftrightarrow \{0\} = R \qquad (R \sqsubseteq S \Longleftrightarrow \nabla R|_Z \subseteq \nabla S|_Z) \tag{27}$$
where $Z = \mathrm{var}(R) \cup \mathrm{var}(S)$.