What is an Interface - PowerPoint PPT Presentation

1
What is an Interface?
Thomas A. Henzinger, University of California, Berkeley
joint work with Luca de Alfaro
2
A Component Specification
[Block diagram: inputs $x \in \mathit{Nat}$ and $y \in \mathit{Nat} \setminus \{0\}$, output $z = x/y$.]
Descriptive: What does the component do?
3
An Interface Specification
[Block diagram: inputs $x \in \mathit{Nat}$ and $y \in \mathit{Nat} \setminus \{0\}$, output $z \in \mathit{Real}$.]
Prescriptive: How can the component be put together with other components?
4-8
What's the Difference?
Component specification: inputs $x \in \mathit{Nat}$, $y \in \mathit{Nat} \setminus \{0\}$; output $z = x/y$.
Interface specification: inputs $x \in \mathit{Nat}$, $y \in \mathit{Nat} \setminus \{0\}$; output $z \in \mathit{Real}$ (slide 8 uses the identical text $z = x/y$ for both).
Language (syntax): No.
Level of detail: No.
Interpretation (semantics): Yes.
9-10
The Component Interpretation
$x \in \mathit{Nat} \wedge y \in \mathit{Nat} \setminus \{0\} \rightarrow z = x/y$
- (mis)behaves in every environment
- examples: circuit, executable
The Interface Interpretation
$x \in \mathit{Nat} \wedge y \in \mathit{Nat} \setminus \{0\} \wedge z = x/y$
- constrains the environment
  - other environments are rejected (by compiler)
- example: type declaration of a procedure
11-12
Component Specification is Well-formed iff
$\forall x, y.\ \exists z.\ (x \in \mathit{Nat} \wedge y \in \mathit{Nat} \setminus \{0\} \rightarrow z = x/y)$
- specification is implementable
- input-universal
Interface Specification is Well-formed iff
$\exists x, y.\ \exists z.\ (x \in \mathit{Nat} \wedge y \in \mathit{Nat} \setminus \{0\} \wedge z = x/y)$
- specification is satisfiable
  - (i.e., usable in some environment)
- input-existential
13
  • The logic view ✓
  • The block-diagram view
  • The state-transition view

14-16
Components: Total Functions
Block 1: input $x \in \mathit{Nat}$, output $y = 2x$ (always even).
Block 2: input $y \in \mathit{Nat}$, output $x = 2y + 1$ (always odd).
Composition always defined.
Interfaces Partial Functions
y ? Even
x ? Odd
x ? Odd
y ? Even
Output guarantee
Input assumption
18
Interfaces Partial Functions
y ? Even
x ? Odd
x ? Odd
y ? Even
Composition defined Compatible interfaces.
19
Interfaces Partial Functions
y ? Nat
x ? Nat
X
x ? Odd
y ? Even
Composition undefined Incompatible interfaces.
20
  • The logic view ✓
  • The block-diagram view ✓
  • The state-transition view

21
[Diagram: two interface automata, one with output transitions a! and b!, the other with input transitions a? and b?.]
22
[Diagram: the same automaton with outputs a! and b! next to one that accepts only a?; the output b! has no matching input.]
23
Components, Alternative 1: Be Prepared for Every Input
[Diagram: an automaton with outputs a! and b! next to one that accepts only a?.]
This is an illegal component, because it is not prepared to accept input b.
I/O Automata, TLA, Reactive Modules
24
Components, Alternative 2: Compose, then Check
[Diagram: the two automata composed.]
Composition may lead to deadlocks, and requires verification if this is undesirable.
CSP/CCS, Statecharts, Esterel
25
Interfaces: Check, then Compose
[Diagram: the two automata side by side.]
These interfaces are incompatible, because the receiver expects the environment to provide input b.
Trace Theory, Interface Automata
26
Simple interfaces (traditional types): value constraints.
Rich interfaces (types for component interaction): temporal ordering constraints, real-time constraints, etc.
[Diagram: an interface automaton over the file-access actions open_file?, get_record?, put_record!, close_file? that fixes their temporal ordering.]
27
Interface specifications are a programmer's task,
in burden between type declarations and invariant
annotations.
Interface compatibility checking is a program
analysis opportunity, in difficulty between type
checking and behavioral verification. (Note
unlike software contracts, interfaces are checked
statically, at compile time.)
28-31
Components
  • no environment constraints
  • composition is total
  • refinement is covariant
  • for compositional analysis
Interfaces
  • environment constraints
  • composition is partial
  • refinement is contravariant
  • for compositional design

environment constraints propagate by composition
interface compatibility checking is game solving
I/O alternating simulation relations
32
Interface Composition and Propagation of Environment Constraints: The Block-Diagram View
33
[Diagram: an interface with inputs x, y and output z; input assumption $x = 0 \rightarrow y = 0$, output guarantee true.]
34
[Diagram: the output of a second interface, with output guarantee true, is connected to input x.]
35
Propagated constraint on the remaining input: $y = 0$, because
$\forall x, z.\ (\mathit{true} \wedge x = z \rightarrow (x = 0 \rightarrow y = 0))$.
36
The resulting interface: input y, output z, input assumption $y = 0$, output guarantee true.
37
Illegal connection. [Diagram: the interface of slide 36 with an illegal connection at input y, whose assumption $y = 0$ is not met.]
38
[Diagram: the output of a second interface, with output guarantee true, is connected to input y.]
39
Propagated constraint on the remaining input: $x \neq 0$.
40
The resulting interface: input x, output z, input assumption $x \neq 0$, output guarantee true.
41
Illegal connection. [Diagram: the interface of slide 40 with an illegal connection at input x, whose assumption $x \neq 0$ is not met.]
42
Interface Composition is Not Associative.
[Diagram: the interface with assumption $x = 0 \rightarrow y = 0$ together with two interfaces whose output guarantee is true, one for x and one for y.]
43
Interface Composition and Propagation of Environment Constraints: The State-Transition View
44
[Diagram: the sender interface automaton, with inputs msg?, ack?, nack? and outputs send!, ok!, fail!. After msg? it does send!; ack? leads to ok!, while nack? leads to a second send!; after that, ack? again leads to ok! and a second nack? leads to fail!.]
45
[Diagram: the sender next to a user interface automaton with output msg! and input ok?; fail is in the user's input alphabet but is accepted in no state.]
46
[Diagram: the product of the two automata. In the state reached after two nack? inputs the sender outputs fail!, which the user does not accept.]
Incompatible product state, but the environment can prevent this state.
47
[Diagram: the composite interface, i.e. the product automaton without the incompatible state.]
The Composite Interface.
48-52
Computing the Composite Interface
  • Construct the product automaton.
  • Mark deadlock states as incompatible.
  • Until no more incompatible states can be added,
    mark state q as incompatible if the environment
    cannot prevent an incompatible state from being
    entered from q.
  • If the initial state is incompatible, then the
    two interfaces are incompatible. Otherwise, the
    composite interface is the product automaton
    without the incompatible states.

This computes the states from which the environment has a strategy to avoid deadlock. The propagated environment constraint is that it will apply such a strategy.
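An added Python example, not part of the slides, that implements the four steps above on the msg/ack/nack sender and user of slides 44-47. The dict encoding, the state names and the treatment of an unaccepted shared output as the "deadlock" state are my own assumptions; the algorithm is the one the slide lists.

```python
from collections import defaultdict

def make(init, ins, outs, edges):
    # Interface automaton: initial state, input/output alphabets, (src, action, dst) edges.
    ia = {"init": init, "in": set(ins), "out": set(outs), "trans": defaultdict(set)}
    for s, a, d in edges:
        ia["trans"][(s, a)].add(d)
    return ia

def compose(p, q):
    """Slide 48 algorithm; returns (compatible, composite interface or None)."""
    shared = (p["in"] & q["out"]) | (p["out"] & q["in"])
    init = (p["init"], q["init"])
    seen, todo, trans, bad = {init}, [init], set(), set()
    while todo:                                      # explore reachable product states
        s, t = todo.pop()
        for me, other, mine, theirs in ((p, q, s, t), (q, p, t, s)):
            for (src, a), dsts in me["trans"].items():
                if src != mine or (a in shared and a in me["in"]):
                    continue                         # shared inputs fire with the partner's output
                for d in dsts:
                    if a not in shared:
                        targets = [(d, theirs)]      # local step, partner stays put
                    else:                            # me outputs a: the partner must accept it
                        acc = other["trans"].get((theirs, a), set())
                        if not acc: bad.add((s, t))  # illegal (deadlock) product state
                        targets = [(d, d2) for d2 in acc]
                    for x, y in targets:
                        dst = (x, y) if me is p else (y, x)
                        trans.add(((s, t), a, dst))
                        if dst not in seen:
                            seen.add(dst); todo.append(dst)
    uncontrolled = p["out"] | q["out"] | shared       # outputs and internal steps
    while True:                                      # fixpoint: environment cannot avoid bad
        grow = {u for (u, a, v) in trans if v in bad and a in uncontrolled} - bad
        if not grow: break
        bad |= grow
    if init in bad: return False, None
    edges = [e for e in trans if e[0] not in bad and e[2] not in bad]
    return True, make(init, (p["in"] | q["in"]) - shared, (p["out"] | q["out"]) - shared, edges)

# Constructed from slides 44-45: a user that sends msg!, accepts ok? and has fail? in its
# alphabet but never accepts it; a sender that retries once after nack?, then reports fail!.
USER = make("u0", {"ok", "fail"}, {"msg"}, [("u0", "msg", "u1"), ("u1", "ok", "u0")])
SENDER = make("s0", {"msg", "ack", "nack"}, {"send", "ok", "fail"},
              [("s0", "msg", "s1"), ("s1", "send", "s2"), ("s2", "ack", "s5"), ("s5", "ok", "s0"),
               ("s2", "nack", "s3"), ("s3", "send", "s4"), ("s4", "ack", "s5"), ("s4", "nack", "s6"),
               ("s6", "fail", "s0")])

def accepted_inputs(comp, state):
    # Inputs the composite still accepts in a state; dropped ones are environment constraints.
    return sorted(a for (s, a) in comp["trans"] if s == state and a in comp["in"])
```

For the slide's example the composite still accepts ack? and nack? after the first send!, but only ack? after the retry: the second nack? leads into the incompatible state, so refusing it is the propagated environment constraint.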
53-62
Interface Compatibility Checking as Game Solving
AND-OR game graph: AND player = interface product, OR player = environment.
Deadlock states: does the OR player have a strategy to avoid them?
[Diagram sequence: the game graph is solved backwards from the deadlock states; for the example shown the answer is NO. The animation annotates states with counters 2, 1, 0 as the backward evaluation proceeds.]
COMPLEXITY? LINEAR TIME (P-COMPLETE)
63-67
Asynchronous Interfaces lead to Buechi Games
Environment should not block interface moves.
Does the OR player have a strategy to hit the target states infinitely often?
[Diagram sequence: the Buechi game is solved by a sequence of finite games: first the states from which the OR player can hit the target once; the original target states among them become the new target; then the states from which the original target can be hit twice; and so on, until the target set is stable, which yields the states from which the target can be hit infinitely often.]
Linear number of finite games: QUADRATIC TIME. Can this be improved???
68
Interface Refinement: The Block-Diagram View
69-70
Component Refinement
Component A: input $x \in \mathit{Nat}$, output y with $y = 2x$ (fewer behaviors).
Component B: input $x \in \mathit{Nat}$, output y with $x \in \mathit{Odd} \rightarrow y = 2x$ (more behaviors).
A refines B, since $y = 2x$ implies $x \in \mathit{Odd} \rightarrow y = 2x$.
Refinement is implication (simulation, trace containment).
71
Interface Refinement
[Diagram: an interface with input assumption $x \in \mathit{Nat}$ refines one with input assumption $x \in \mathit{Even}$; an interface with output guarantee $x \in \mathit{Odd}$ refines one with output guarantee $x \in \mathit{Nat}$.]
Like subtyping, refinement is I/O contravariant.
72
Interface Refinement
[Diagram: an implementation with output guarantee $x \in \mathit{Nat}$ does not refine (marked X) a specification with output guarantee $x \in \mathit{Odd}$.]
1. Implementation must obey output guarantee.
73
Interface Refinement
[Diagram: an implementation with input assumption $x \in \mathit{Even}$ does not refine (marked X) a specification with input assumption $x \in \mathit{Nat}$.]
2. Implementation must accept all permissible inputs.
74
Interface Refinement: The State-Transition View
75
[Diagram: the sender interface automaton of slide 44 (inputs msg?, ack?, nack?; outputs send!, ok!, fail!).]
76
[Diagram: the sender of slide 44 next to a refinement of it that additionally accepts a once? input, after which a single send! is tried: ack? leads to ok! and the first nack? already leads to fail!.]
77-78
I/O Alternating Simulation
$Q \preceq q$ iff
  1. for all inputs i, if $q \xrightarrow{i?} q'$, then there exists $Q'$ such that $Q \xrightarrow{i?} Q'$ and $Q' \preceq q'$, and
  2. for all outputs o, if $Q \xrightarrow{o!} Q'$, then there exists $q'$ such that $q \xrightarrow{o!} q'$ and $Q' \preceq q'$.
If there is a helpful environment at q, then there is a helpful environment at Q. This can be checked in quadratic time [Alur/Henzinger/Kupferman/Vardi '98].
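An added Python example, not from the slides, that computes the greatest I/O alternating simulation by starting from all state pairs and pruning the pairs that violate conditions 1 or 2, then checks the refined sender of slide 76 against the sender of slide 44. The encoding and state names are assumptions, as is placing the once? branch before msg?.

```python
def automaton(ins, outs, edges):
    # Interface automaton (constructed here): alphabets plus (state, action) -> successor states.
    ia = {"in": set(ins), "out": set(outs), "trans": {}}
    for s, a, d in edges:
        ia["trans"].setdefault((s, a), set()).add(d)
    return ia

def alternating_simulation(impl, spec):
    """Greatest relation R of (implementation state, specification state) pairs satisfying the
    slide 77 definition: start from all pairs and remove violating pairs until stable."""
    states = lambda ia: {x for (s, a), d in ia["trans"].items() for x in (s, *d)}
    R = {(I, S) for I in states(impl) for S in states(spec)}
    def holds(I, S):
        # 1. every input the specification accepts at S must be accepted at I, with related successors
        for (s, i), dsts in spec["trans"].items():
            if s == S and i in spec["in"]:
                for Sd in dsts:
                    if not any((Id, Sd) in R for Id in impl["trans"].get((I, i), ())):
                        return False
        # 2. every output the implementation may produce at I must be allowed at S
        for (s, o), dsts in impl["trans"].items():
            if s == I and o in impl["out"]:
                for Id in dsts:
                    if not any((Id, Sd) in R for Sd in spec["trans"].get((S, o), ())):
                        return False
        return True
    while True:
        keep = {pair for pair in R if holds(*pair)}
        if keep == R:
            return R
        R = keep

def refines(impl, i0, spec, s0):
    # Implementation state i0 refines specification state s0 (slide 77: Q refines q).
    return (i0, s0) in alternating_simulation(impl, spec)

# Constructed from slides 44 and 76: the sender of slide 44 as the specification, and an
# implementation that additionally accepts once? and then sends a single time (placing once?
# before msg? is an assumption; the slide only shows the action labels).
SPEC_EDGES = [("s0", "msg", "s1"), ("s1", "send", "s2"), ("s2", "ack", "s5"), ("s5", "ok", "s0"),
              ("s2", "nack", "s3"), ("s3", "send", "s4"), ("s4", "ack", "s5"), ("s4", "nack", "s6"),
              ("s6", "fail", "s0")]
SPEC = automaton({"msg", "ack", "nack"}, {"send", "ok", "fail"}, SPEC_EDGES)
IMPL = automaton({"msg", "ack", "nack", "once"}, {"send", "ok", "fail"}, SPEC_EDGES + [
    ("s0", "once", "o0"), ("o0", "msg", "o1"), ("o1", "send", "o2"), ("o2", "ack", "s5"),
    ("o2", "nack", "s6")])
```

Dropping the nack? retry from the implementation violates condition 1 (slide 73), and adding a spontaneous fail! violates condition 2 (slide 72); both variants are rejected by the check.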
79
Compositionality: The Interplay between Composition and Refinement
80-84
Top-down Design
[Diagram sequence only.]
85-86
Compositionality for Top-down Design
If $a \| b$ is defined and $A \preceq a$ and $B \preceq b$, then $A \| B$ is defined and $A \| B \preceq a \| b$.
- enables independent interface implementation
- examples: subtypes, interface automata
Compositionality in Formal Methods
If $A \| B$ is defined and $A \preceq a$ and $B \preceq b$, then $a \| b$ is defined and $A \| B \preceq a \| b$.
- enables independent component verification
- examples: I/O Automata, CSP, Reactive Modules, etc.
87-93
Compositional Verification
[Diagram sequence only.]
94
Compositionality for Bottom-up Verification
If $A \| B$ is defined and $A \preceq a$ and $B \preceq b$, then $a \| b$ is defined and $A \| B \preceq a \| b$.
As an inference rule in the logic view: from the premises $(A \wedge B) \not\Rightarrow \mathit{false}$, $A \Rightarrow a$ and $B \Rightarrow b$, conclude $(a \wedge b) \not\Rightarrow \mathit{false}$ and $(A \wedge B) \Rightarrow (a \wedge b)$.
95
"Definition" of Component Formalism: Bottom-up Compositional
If $A \| B$ is defined and $A \preceq a$ and $B \preceq b$, then $a \| b$ is defined and $A \| B \preceq a \| b$.
"Definition" of Interface Formalism: Top-down Compositional
If $a \| b$ is defined and $A \preceq a$ and $B \preceq b$, then $A \| B$ is defined and $A \| B \preceq a \| b$.
What is yours?
96
Applications of Interfaces, So Far
Software module interfaces
- Java extension with interface compatibility checking in JBuilder
- interfaces for TinyOS, an OS for ad-hoc networks [Culler]
Hardware module interfaces
- bidirectional interfaces for PCI bus and clients
- interfaces with timing constraints for TTA, an architecture for safety-critical embedded systems [Kopetz]
97
References
de Alfaro, Henzinger, "Interface Automata", Foundations of Software Engineering (FSE) 2001.
de Alfaro, Henzinger, "Interface Theories for Component-based Design", Embedded Software (EMSOFT) 2001.
Chakrabarti, de Alfaro, Henzinger, Jurdzinski, Mang, "Interface Compatibility Checking for Software Modules", Computer-Aided Verification (CAV) 2002.
www.eecs.berkeley.edu/tah