Precise specification matching for adaptive reuse in embedded systems  by Guo, Hai-Feng et al.
Journal of Applied Logic 5 (2007) 333–355
www.elsevier.com/locate/jal
Precise specification matching for adaptive reuse in
embedded systems
Hai-Feng Guo a,∗, Miao Liu a, Partha S. Roop b, C.R. Ramakrishnan c, I.V. Ramakrishnan c
a Department of Computer Science, University of Nebraska at Omaha, Omaha, Nebraska 68182, USA
b Department of Electrical and Electronic Engineering, University of Auckland, Private Bag 92019, Auckland, New Zealand
c Department of Computer Science, Stony Brook University, Stony Brook, NY 11794, USA
Received 21 July 2004; accepted 12 December 2005
Available online 4 May 2006
Abstract
Specification matching is a key to reuse of components in embedded systems. Existing specification matching techniques for
embedded systems are designed to match reactive behaviors using adaptive techniques to dynamically alter behaviors. However,
correct specification matching demands both behavioral matching (that checks component adaptability) and functional matching
(that ensures that proper functionality is reused). While approaches for behavioral matching exist, combined functional and behavioral
matching during component reuse in embedded systems is lacking. This paper presents a precise specification matching,
including both behavioral and functional matching. We introduce attributed labeled transition systems (ALTS) to formally specify
component behavior and functionalities. Given ALTS of a new specification (a function F) and an existing component (a device D),
a new refinement relation from F to D, called an S-matching relation, is proposed for precise specification matching. The existence
of an S-matching relation is also shown to be a necessary and sufficient condition for the existence of a correct adapter to adapt D
to match F both behaviorally and functionally. Automated component adaptation is facilitated by a matching tool implemented
in a tabled logic programming environment, which provides distinct advantages for rapid implementation. Practical examples are
given to illustrate how the concrete adapter is derived automatically from specification matching.
© 2006 Elsevier B.V. All rights reserved.
Keywords: Component reuse; Specification matching; Formal methods; Tabled resolution; Logic programming; Justification
1. Introduction
Embedded Systems are ubiquitous digital systems that continuously interact with their immediate environment (also
known as reactive systems). With the widespread demand for embedded systems in applications ranging from home
appliances to complex controllers for aircraft and power plants, there is an increasing need for rapid implementation
and validation to tackle the short time to market for these products. Component reuse [13] (also known as IP (intellectual
property) reuse) is being proposed as an alternative design paradigm for these systems. Moreover, as embedded
systems are often safety critical, formal techniques [8,10,22,34] are increasingly applied to the design and validation
of these systems.
* Corresponding author.
E-mail addresses: haifengguo@mail.unomaha.edu (H.-F. Guo), miaoliu@mail.unomaha.edu (M. Liu), p.roop@auckland.ac.nz (P.S. Roop),
cram@cs.sunysb.edu (C.R. Ramakrishnan), ram@cs.sunysb.edu (I.V. Ramakrishnan).
1570-8683/$ – see front matter © 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.jal.2005.12.016
There are usually two main problems involved in component reuse: component retrieval and component adaptation.
The former is used to perform reusable component identification over a library of prefabricated components; and the
latter can adapt the retrieved component to a new function. To facilitate plug-and-play [20] component reuse both
retrieval and adaptation need to be automated. This paper addresses the component adaptation by developing a formal
approach for the problem.
Many studies have been carried out to seek different formal methods to handle component retrieval and adaptation.
Specification matching [2,9,12,24,27,36] for transformational software components has been developed as a foundation
for recognizing and retrieving a reusable component that fits the objectives of a new design. In this setting,
matching criteria are defined based on the relationship between the pre- and post-conditions of a query and the corresponding
component being matched. Such an approach to matching, while useful for conventional software, is inappropriate for
reactive systems such as embedded systems as the matching requires transformation of reactive behaviors using some
dynamic techniques.
Component adaptation techniques, such as superimposition [5], dynamic component adaptation [19] and behavioral
specification [31], specify behavioral matching similarly, but without a validation proof. Recently, Roop [28] proposed
a formal method, called forced simulation, which checks whether a given programmable device can be adapted to
match a given behavioral specification. When conventional refinement [1,17] fails, forced simulation may be used for
checking adaptive refinement. If such an adaptation is possible, a device driver (referred to as an adapter) is generated
to perform the adaptation. However, the proposed matching cannot guarantee that the matched components, after
adaptation, have the same functionality as desired in the requirements.
In this paper, we focus on the problem of adapting hardware or software components for embedded applications
(hereafter referred to simply as devices) for precise specification matching that includes behavioral and functional
matching. To automatically reuse devices during component synthesis, programmable devices are normally indexed
from a library. Subsequent to indexing, matching is essential to identify the exact device D that is both behaviorally
and functionally adaptable to the design function F (hereafter referred to as function). Behavioral matching is used to
check adaptability, while functional matching is to ensure the proper functionality.
Specification matching can be a tedious and time consuming activity. It is even more severe with programmable
and parameterizable devices which may not match the design function F exactly, but may be programmed via a device
adapter (referred to as an adapter I). This paper proposes a precise specification matching technique suitable for fast
logic programming based implementation. Our approach may be used for automatically deciding whether a given D
matches F . The matching tool, when successful, automatically generates an adapter I that can adapt D to F . On
the other hand, when the specification matching fails, the tool can justify the failure by showing partially matched
specification and highlighting critical mismatching states. This information may be useful for suitably modifying D
if it is available in the form of a soft core1 [28].
We introduce an attributed labeled transition system (ALTS) to formally specify both the behaviors and functionalities
of a device as a whole. The proposed approach is suitable for modeling both hardware and software components
used in embedded systems. Behaviors are represented by a finite set of states and transitions defined over states, and
functionalities are defined by the relations between input and output behaviors. Therefore, specification matching is
to check whether a given ALTS M1, representing a programmable device, can be adapted to match another given
ALTS M2, representing a new device to design. This specification matching is different from forced simulation [28]
in the sense that our new approach includes a formal specification for high level functional matching, which leads to
a more precise component adaptation as a result.
This paper also demonstrates the advantages of a tabled logic programming system such as XSB [35] for implementing
a formal specification matching tool. XSB has already been used for building efficient model checkers [26] and
bisimulation checkers [4]. More importantly, the XSB system provides a justifier [23], which essentially constructs
concise evidence or debugging information to support the results of query evaluation. This justifier, with tabled logic
programming, can be easily extended to provide an attractive platform for encoding computational problems, such as
component matching and adaptation, in the specification and verification of systems.
1 A soft core is typically a block of digital logic defined at higher level (e.g., in terms of states and transitions) than a hard core, which is at the
gate level.
Fig. 1. (a) A coffee brewer device D. (b) Specification of a simple coffee brewer F . (c) A device driver (an adapter I).
The main contributions of this paper are: (1) A new finite state model for the precise specification of programmable
components is developed (for embedded systems). The model is capable of representing both the behavioral
and functional aspects of a component. (2) A formal specification matching scheme to check the adaptability of a
component (D) to match a new specification (F ) is proposed. We have developed an adaptive refinement from F
to D, called S-matching relation, for the automatic detection of component adaptability. (3) The existence of an
S-matching relation between F and D is shown to be a necessary and sufficient condition for precise specification
matching through an adapter. (4) A fully automated procedure to generate device adapters has been implemented and
the approach is validated by reusing several real embedded system components.
The rest of the paper is organized as follows: Section 2 introduces the behavioral matching method and its drawbacks;
Section 3 presents a formal specification matching method which performs both behavioral and functional checking.
Section 4 addresses the logic programming based implementation of our specification matching (S-matching) tool. Coffee
brewer adaptation problems will be used to illustrate the details of precise specification and automated adapter
generation. The same example will also highlight the problems with existing behavioral matching techniques. More
examples including both hardware and software components are developed in Section 5 to test our S-matching tool.
Section 6 presents related research in formal verification and discrete event control. Section 7 presents the conclusions
of this work.
2. Behavioral matching
This section presents a behavioral matching framework called forced simulation [28]. We use a coffee brewer
example, developed by Roop [28], to illustrate how to perform the simulation.
2.1. A coffee brewer adaptation problem
A general coffee brewer is presented in Fig. 1(a) as a programmable device D, allowing the user to brew 5 or 10
cups of coffee with a brew strength switch. The user may select brew strength and number of cups in any combination,
where default means 5 cups of coffee with medium strength. A simple coffee brewer is also shown in Fig. 1(b) as
a design function F , demanding a brewer that provides only five cups of coffee. Now the question is how to reuse the
general coffee brewer D to realize the functionality of F .
In order for D to simulate F, a device driver (an adapter² I shown in Fig. 1(c)) is needed which can dynamically
adapt D in the following way, starting from the state 0:
(1) When D is in state 0, the adapter I can enable the transition 0 → 1 with action on since there is a matched
transition in F. Such an action is called a matched action, which is shown in I as a normal action.
(2) When D is in state 1, I must disable the two actions 10_cups and 10_strong_cups since they are not present
in F. Such actions are called disabled actions, which simply are not shown in the adapter I.
(3) When D is in state 2 (or 3), I has to forcefully perform the action brew to reach its next state 6 (or 7), so that
further simulation can be continued. Such an action is called a forced action. In the adapter, forcing signals are
enclosed in [ ] to clearly distinguish them from other signals.
(4) The adapter I must perform such forced and matched actions until the desired behavior is realized.
2 The term adapter here is the same as the term interface used in [28].
Fig. 2. (a) I//D. (b) A valid but bad adapter I.
This example raises the following additional questions: (1) Given an arbitrary pair of F and D, how do we decide
whether an adapter exists or not? (2) If such an adapter exists, how can we automatically derive it? (3) Given an
adapter for a known pair of F and D, how can we ensure that D implements all behaviors in F? In other words, how
do we know that the adapter is correct?
2.2. Forced simulation
Forced simulation was proposed as a formal method to handle the questions in the previous section. Given a pair
of F and D, the main idea is to build an adapter I such that the composition of I and D exhibits the same behavior
as F . The processes F , D, and I are modeled as labeled transition systems3 [21].
The composition of I and D is defined by introducing a new parallel operator // [29] which combines a forced
move in I with a corresponding transition in D to generate an unobservable τ move in I//D. Similarly, the //
operator combines a matched move in I with an identical move in D resulting in an observable external move in
I//D. For the coffee brewer example, the I//D is shown in Fig. 2(a).
For D to match F, I//D must be behaviorally equivalent to F. This is checked by using Milner’s weak bisimulation
[21] (also known as observational equivalence). Intuitively, two processes are weakly bisimilar if their behaviors
cannot be distinguished by an external observer. Note that, for the coffee brewer example, the behavior of F in
Fig. 1(b) is observationally equivalent to I//D in Fig. 2(a) (the only difference between I//D and F are some
internal τ steps of I//D which are unobservable).
The matching algorithm based on forced simulation overlooks an important fact: forced actions are different
from unobservable τ steps in the sense that forced actions contain behaviors which may affect the final result. For
instance, Fig. 2(b) is another valid adapter to the coffee brewer adaptation problem, since if we replace all the forced
actions by τ transitions, the resulting LTS is observationally equivalent to F. However, the adapted coffee brewer
with adapter I in Fig. 2(b) will produce ten cups of coffee every cycle from action on to off, which is obviously not
the expected behavior.
3 A process is described by a labeled transition system (LTS) which is a tuple of the form 〈S, s0, Σ, →〉, where: S is a finite set of states, s0 ∈ S
is a unique start state, Σ is a finite set of events or signals and → ⊆ S × Σ × S is the transition relation.
Fig. 3. (a) A coffee/cappuccino brewer device D. (b) Specification of a coffee-only brewer F. (c) A bad device adapter I.
Even worse, Fig. 3 shows another adaptation example, where the adapter I, generated using forced simulation,
behaves completely differently from the expected simple coffee brewer with 15 seconds per cup. In fact, it is not
possible to adapt the given device to the function.
It may be argued that we can simply put a constraint to avoid loops during simulation. However, the self-loop is
sometimes required in simulation: for example, in order to simulate a new simple coffee brewer producing
two cups of coffee every cycle using the coffee/cappuccino brewer device (shown in Fig. 3(a)), the adapter has to
involve two cycles of the original brewer device (Fig. 3(a)).
2.3. Problems in behavioral matching
Forced simulation is actually used to produce a standard adapter for component reuse at the behavioral level. We
call the formal description at the behavioral level a behavioral specification, and the formalized matching defined
on behavioral specifications behavioral matching. Generally, behavioral matching has the following problems:
• Behavioral specification usually describes components in a syntactic way, encapsulating the functional behaviors
as a black box. However, component reuse is essentially a matter of reusing the correct functionality, while
preserving behavior.
• Behavioral matching using weak bisimulation loses accuracy by replacing forced actions with unobservable τ
transitions. Such a replacement ignores the semantics of any functional operations that are performed on a transition
being forced, by just hiding it in the composite system. This may lead to incorrect reuse of functionality as
illustrated by the adapter in Fig. 3(c). In this case, the adapter actually forced a 30-second transition as well as a
cappuccino transition while also forcing the off, on switches in between. As a result, the user waits 45 minutes
to get coffee while he also gets a cappuccino before getting the coffee he requested. This was not the intended
behavior of the coffee machine in Fig. 3(b).
• The adapter produced by behavioral matching can only be used to adapt the device to be reused at a physical
or mechanical level instead of a functional level. Consequently, properties of the adapter have to be verified
separately in a different way to ensure that its functionality is correct.
3. Precise specification matching
In this section, we firstly introduce an attributed labeled transition system (ALTS) to formally specify both the
behaviors and functionalities of an embedded device. Then, we present a mathematical relation, called specification
matching (S-matching), between two given ALTSs. We show that the existence of an S-matching relation between the
ALTS specifications of a programmable device D and a new design function F is a necessary and sufficient condition
for adaptability from D to F. Finally, we explain how device adaptation can be achieved in our specification matching
framework.
3.1. Attributed labeled transition systems
We present a new automaton notation called attributed labeled transition system (ALTS) for precisely specifying
components used in embedded systems to capture both behavioral and functional aspects. Models like labeled transition
systems (LTS) used in [28] cannot distinguish between inputs and outputs. Later IP matching algorithms [30]
used codesign finite state machine (CFSM) [3] like FSM models to alleviate this problem. Each transition in a CFSM
is triggered based on some inputs and may produce some outputs. ALTSs are similar in that they distinguish between
inputs and outputs; the outputs are specifically modeled as attribute pairs to enable functional matching of quantitative
attributes of the system.
Attributes, in the form of a pair 〈A,V 〉, are used to describe functional behaviors of processes, including timings,
number of products, or any other quantitative measures of a system, where A is an attribute name and V is the attribute
value. Attribute values are atomic, such as integers, or reals. For simplicity, we only consider the numeral types and
arithmetic operations in this paper. However, the attributes can be easily extended to support other types of values,
such as strings or other compound data.
Definition 1 (ALTS). A process is described by an attributed labeled transition system (ALTS) which is a tuple of the
form 〈Q,Σ,δ, q0,Γ,λ〉, where:
(1) Q is a finite set of states, q0 ∈ Q is a unique start state;
(2) Σ is a finite set of events or input signals;
(3) $\delta : Q \times \Sigma \to Q_\bot$ is a transition partial function that takes as arguments a state and an input signal and returns a
state or a special symbol ⊥ denoting no such transition, where $Q_\bot = Q \cup \{\bot\}$;
(4) Γ is a finite set of attribute pairs;
(5) $\lambda : Q \times \Sigma \to \Gamma^*_\bot$, called the output partial function, takes as arguments a state and an input signal and returns
a list of attribute pairs or the special symbol ⊥, where δ(q, a) = ⊥ if and only if λ(q, a) = ⊥ for any state q and
input signal a.
In our informal transition diagram representation of an ALTS, δ and λ are represented by arcs between states and
the labels on the arcs. If q is a state and a is an input signal, then δ(q, a) is the state p such that there is an arc labeled
a/λ(q, a) from q to p, usually written as $q \xrightarrow{a/\lambda(q,a)} p$, where λ(q, a) is a list of attribute pairs enclosed in {}. Because of
this, a is usually called the input label, and λ(q, a) the output label. We use functions instead of relations
in the above definition because all processes are assumed to be deterministic.
Fig. 4. (a) An ALTS diagram of coffee/cappuccino brewer device D. (b) An ALTS specification of a coffee-only brewer F .
The motivations for using attributes in ALTSs to model embedded systems are as follows: (1) by using the attribute
pairs as output labels, the transitions are simpler to specify in the sense that they trigger based on abstract actions;
(2) the attribute pairs are particularly used during the matching process to check correct functionality.
An attributed labeled transition system is a generalization of a labeled transition system with an output function
(similar to Mealy machines [33]). It uses a combination of the transition function and the output function to precisely
describe the behaviors of hardware/software components. Two example ALTS diagrams are illustrated in Fig. 4(a)
and (b), which correspond to the coffee/cappuccino brewer device D and a design specification of a coffee-only
brewer F respectively. Behaviors, such as turning on, choosing coffee or cappuccino, producing the selected product,
or turning off, are represented by the input labels. On the other hand, functional properties, such as the quantity of
produced goods and temporal information, are indicated by the output labels.
3.2. Specification matching
To precisely describe the behavior of an ALTS, we must extend the transition function δ and the output function λ
to apply to a signal sequence rather than a single input signal. The function δ can be extended to a function $\hat\delta$ mapping
$Q \times \Sigma^*$ to $Q_\bot$:
1. $\hat\delta(q, \varepsilon) = q$, where $\varepsilon$ is the empty sequence, and
2. for any input signal sequence ω and an input label a,
$$\hat\delta(q, \omega a) = \begin{cases} \bot & \text{if } \hat\delta(q, \omega) = \bot; \\ \delta(\hat\delta(q, \omega), a) & \text{otherwise.} \end{cases}$$
The intention is that $\hat\delta(q, \omega)$ is the state in which the ALTS will be after reading the input signal sequence ω starting
in state q. Similarly, the function λ can be extended to a function $\hat\lambda$ mapping $Q \times \Sigma^*$ to $\Gamma^*_\bot$, which can be formally
defined as:
1. $\hat\lambda(q, \varepsilon) = \emptyset$ (or {}), where $\varepsilon$ is the empty sequence, and
2. for any input signal sequence ω and an input label a,
$$\hat\lambda(q, \omega a) = \begin{cases} \bot & \text{if } \hat\delta(q, \omega a) = \bot; \\ \hat\lambda(q, \omega) \uplus \lambda(\hat\delta(q, \omega), a) & \text{otherwise,} \end{cases}$$
where the binary operator $\uplus$ unions two sets of attribute pairs, adding together the values of any attribute present in both:
$$S_1 \uplus S_2 = \{\langle a, v_1 + v_2\rangle \mid \langle a, v_1\rangle \in S_1 \wedge \langle a, v_2\rangle \in S_2\} \cup \{\langle a, v\rangle \mid \langle a, v\rangle \in S_1 \wedge \langle a, \_\rangle \notin S_2\} \cup \{\langle a, v\rangle \mid \langle a, \_\rangle \notin S_1 \wedge \langle a, v\rangle \in S_2\},$$
where $S_1$ and $S_2$ are sets of attribute pairs, and the notation ‘_’ represents any numeral value.
An attribute-based constraint is a simple inequality on an output function λ or its extended one $\hat\lambda$. For example,
$\hat\lambda(p, \omega_1) = \hat\lambda(q, \omega_2)$ means that the signal sequence $\omega_1$ starting from state p has the same functional behaviors as the
signal sequence $\omega_2$ starting from state q.
Definition 2 (Specification matching (S-matching)). Given two ALTSs $F = \langle Q_f, \Sigma_f, \delta_f, q_{f0}, \Gamma_f, \lambda_f\rangle$ and
$D = \langle Q_d, \Sigma_d, \delta_d, q_{d0}, \Gamma_d, \lambda_d\rangle$, a relation $R \subseteq Q_d \times Q_f$ is a specification matching relation (in short, an S-matching
relation, where $q_d R q_f$ is a shorthand for $(q_d, q_f) \in R$) provided that:
(1) $\forall q_f \in Q_f,\ \exists q_d \in Q_d$ s.t. $q_d R q_f$; and
(2) $\forall (q_d, q_f) \in Q_d \times Q_f$, whenever $q_d R q_f$, it holds that $\forall a \in \Sigma_f$ s.t. $q'_f = \delta_f(q_f, a) \neq \bot$, $\exists \omega \in \Sigma_d^*$ s.t.
$$q'_d = \hat\delta_d(q_d, a\omega),\qquad q'_d R q'_f \ \wedge\ \lambda_f(q_f, a) = \hat\lambda_d(q_d, a\omega),$$
where the signal a is called a matched signal, the signals in the sequence ω are called automated signals, and the rest of the
signals in $\Sigma_d$ other than matched and automated ones are called disabled signals.
In the definition of specification matching, behavioral matching is defined through $q'_d R q'_f$, where $q'_d = \hat\delta_d(q_d, a\omega)$,
$q'_f = \delta_f(q_f, a) \neq \bot$, and $q_d R q_f$; and functional matching is defined through $\lambda_f(q_f, a) = \hat\lambda_d(q_d, a\omega)$. Based on the
S-matching relation, the input signals of a given device can be differentiated into three sets: matched signals,
automated signals, and disabled signals.
Fig. 5. An adaptive simulation relation.
Fig. 5 illustrates an example of an S-matching relation:
$$R = \{(0, a), (1, b), (3, c), (6, d)\}.$$
Consider the transition
$$c \xrightarrow{brew/\{\langle tea, 1\rangle, \langle second, 10\rangle\}} d$$
in F and the corresponding transitions
$$3 \xrightarrow{brew/\{\langle second, 10\rangle\}} 5 \xrightarrow{product/\{\langle tea, 1\rangle\}} 6$$
in D. Both of them have the same starting input label brew and the same functional behaviors (output labels)
$\{\langle tea, 1\rangle, \langle second, 10\rangle\}$, which is consistent with condition (2) of the S-matching definition.
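The extended functions $\hat\delta$ and $\hat\lambda$, the operator $\uplus$ and Definition 2 can be exercised on a small example. The Python code below is added here and is not the paper's XSB tool: it models an ALTS, computes the S-matching relation as a greatest fixpoint over $Q_d \times Q_f$ and records the automated sequence ω found for each matched signal. The coffee/tea brewer device and tea-only function it uses are constructed for illustration (they keep the Fig. 5 transitions quoted above and invent the rest), and bounding ω to |Qd| signals is an assumption of the example.

```python
"""S-matching check for attributed labeled transition systems (ALTS).
Added example (Python, not the paper's tabled logic programming tool): Definition 1,
delta-hat / lambda-hat with the attribute union of Section 3.2, and the S-matching
relation of Definition 2 as a greatest fixpoint over Qd x Qf. The brewer ALTSs are
constructed: they keep the Fig. 5 transitions quoted in the text and invent the rest."""
from collections import deque

def attr_union(s1, s2):
    """S1 (+) S2: values of an attribute present in both sets are added together."""
    out = dict(s1)
    for name, value in s2.items():
        out[name] = out.get(name, 0) + value
    return out

class ALTS:
    """<Q, Sigma, delta, q0, Gamma, lambda>, with delta and lambda stored jointly as
    trans[(q, a)] = (q', {attribute: value}); a missing key means bottom."""

    def __init__(self, q0, trans):
        self.q0, self.trans = q0, trans
        self.states = {q for q, _ in trans} | {p for p, _ in trans.values()}
        self.sigma = {a for _, a in trans}

    def delta(self, q, a):
        return self.trans.get((q, a), (None, None))[0]

    def lam(self, q, a):
        return self.trans.get((q, a), (None, None))[1]

    def run(self, q, word):
        """(delta_hat(q, word), lambda_hat(q, word)), or None when the run is
        undefined: lambda_hat is bottom exactly when delta_hat is."""
        acc = {}
        for a in word:
            if self.delta(q, a) is None:
                return None
            acc = attr_union(acc, self.lam(q, a))
            q = self.delta(q, a)
        return q, acc

def adapted_runs(dev, qd, a, max_omega):
    """Yield (omega, q', lambda_hat(qd, a.omega)) for every omega in Sigma_d* with
    len(omega) <= max_omega, shortest omega first; a is the matched signal."""
    if dev.delta(qd, a) is None:
        return
    frontier = deque([((), dev.delta(qd, a), dict(dev.lam(qd, a)))])
    while frontier:
        omega, q, attrs = frontier.popleft()
        yield omega, q, attrs
        if len(omega) < max_omega:
            for (p, b), (p2, out) in dev.trans.items():
                if p == q:
                    frontier.append((omega + (b,), p2, attr_union(attrs, out)))

def s_matching(dev, fun, max_omega=None):
    """Greatest fixpoint of Definition 2(2) over Qd x Qf, then condition (1).
    Returns (R, witnesses) with witnesses[(qd, qf, a)] = (omega, q'd), or (None, {})
    if no S-matching relation exists. Assumption made here: automated sequences
    longer than max_omega (default |Qd|) are not searched."""
    if max_omega is None:
        max_omega = len(dev.states)
    rel = {(qd, qf) for qd in dev.states for qf in fun.states}
    witness, changed = {}, True
    while changed:
        changed = False
        for qd, qf in list(rel):
            for (p, a), (qf2, out) in fun.trans.items():
                if p != qf:
                    continue
                found = next(((omega, qd2) for omega, qd2, attrs in
                              adapted_runs(dev, qd, a, max_omega)
                              if (qd2, qf2) in rel and attrs == out), None)
                if found is None:  # qd cannot follow qf's move on a: drop the pair
                    rel.discard((qd, qf))
                    changed = True
                    break
                witness[(qd, qf, a)] = found
    if any(not any((qd, qf) in rel for qd in dev.states) for qf in fun.states):
        return None, {}
    return rel, {k: v for k, v in witness.items() if (k[0], k[1]) in rel}

def classify_signals(dev, witnesses):
    """Split Sigma_d into matched, automated and disabled signals (Section 3.2)."""
    matched = {a for (_, _, a) in witnesses}
    automated = {b for omega, _ in witnesses.values() for b in omega}
    return matched, automated, dev.sigma - matched - automated

# Constructed device D (coffee/tea brewer) and design function F (tea-only brewer).
D = ALTS(0, {
    (0, "on"): (1, {}), (1, "tea"): (3, {}), (1, "coffee"): (2, {}),
    (3, "brew"): (5, {"second": 10}), (5, "product"): (6, {"tea": 1}),
    (2, "brew"): (4, {"second": 15}), (4, "product"): (6, {"coffee": 1}),
    (6, "off"): (0, {}),
})
F = ALTS("a", {
    ("a", "on"): ("b", {}), ("b", "tea"): ("c", {}),
    ("c", "brew"): ("d", {"tea": 1, "second": 10}), ("d", "off"): ("a", {}),
})
```

On this input the fixpoint yields exactly the relation R of Fig. 5, with product as the only automated signal and coffee as the only disabled one.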
3.3. Adaptability
The main problem of adaptability is to decide whether there exists an adapter, as informally addressed in Section
2.1, which is able to adapt a given device to match all the specifications of a given design function. We formalize
the definitions of an adapter, a valid adapter, and adaptability as follows.
Definition 3 (Adapter). An adapter is described by a five-tuple labeled transition system 〈Q,Σe,Σi, q0, δ〉, where
(1) Q is a finite set of states, q0 ∈ Q is a unique start state;
(2) Σe is a finite set of external actions—those actions which can be observed by the users;
(3) Σi is a finite set of internal actions—those actions which cannot be observed by the users;
(4) δ :Q× (Σe ∪Σi) → Q⊥ is a transition partial function that takes as arguments a state and an input signal (either
external or internal), returning a state or ⊥ meaning that there is no such transition.
The external actions in Σe correspond to matched signals in device adaptation, while the internal actions in Σi
represent automated signals. In the diagram representation of an adapter, we usually display internal actions paired
with [] to distinguish them from external actions. Additionally, the function δ can also be extended to a function δˆ
mapping Q × (Σe ∪ Σi)∗ to Q⊥ defined similar to the function δ in ALTS.
Definition 4 (Valid adapter). Given an ALTS of device D = 〈Qd,Σd, δd, qd0,Γd,λd〉, a valid adapter I =
〈Q,Σe,Σi, q0, δ〉 of D is an adapter with the following constraints:
(1) $\Sigma_e \cup \Sigma_i \subseteq \Sigma_d$;
(2) there is a mapping function $M_d : Q \to Q_d$ such that for any state $p \in Q$, if $\delta(p, a) \neq \bot$ for some $a \in \Sigma_e \cup \Sigma_i$,
then $\delta_d(M_d(p), a) = M_d(\delta(p, a))$;
(3) for any state $q \in Q$, if there exists a signal $a \in \Sigma_i$ such that $\delta(q, a) \neq \bot$, then for any other signal $a_1 \in \Sigma_i \cup \Sigma_e$
satisfying $a_1 \neq a$, we have $\delta(q, a_1) = \bot$.
Definition 4 specifies the constraints for an adapter which can be used for adapting a given device. Constraint (2)
shows that for any two states p ∈ Q and q ∈ Qd such that q = Md(p), if p has a transition labeled a to a next
state δ(p, a), then q must have the same labeled transition to a next state δd(q, a), and their next states are also
mapped through the function Md , that is, Md(δ(p, a)) = δd(q, a). Constraint (3) guarantees that with a valid adapter,
it is impossible to have both internal (automated) actions and external (matched) actions out of any adapter states.
Otherwise, the adapted device will have uncertainty at those states. For the same reason, at most one internal action is
allowed from any adapter state.
Definition 5 (Adaptability). Given ALTSs F = 〈Qf ,Σf , δf , qf0 ,Γf ,λf 〉 and D = 〈Qd,Σd, δd, qd0 ,Γd,λd〉. We say
that D is adaptable to implement F if there exists a valid adapter I = 〈Q,Σe,Σi, q0, δ〉 with a mapping function
Md :Q → Qd for the device D such that:
(1) Σe = Σf ;
(2) there is a one-to-one mapping function Mf : Qf → Q, such that given any two states qf, q′f ∈ Qf, if δf(qf, a) =
q′f for some a ∈ Σf, then there exists a sequence of signals ω ∈ Σ*i such that:
(a) δˆ(Mf (qf ), aω) = Mf (q ′f ), and
(b) λf (qf , a) = λˆd (Md(Mf (qf )), aω).
Definition 5 gives a formal reason why a device D can be adapted to a design function F through a valid adapter I
of D. The reason is based on the existence of two mapping functions Md and Mf. The mapping function Md ensures
that the adapter I is a valid one for the device D, and the mapping function Mf ensures both behavioral and
functional matching between D and F. That is, for each transition with an input signal a and attributes o in F, the
corresponding transitions in I and D start with a transition with a matched signal a (see (2)(a) in Definition 5), and
the accumulated attributes of the corresponding transitions in D are the same as o (see (2)(b) in Definition 5).
Fig. 6 illustrates an example where a device D is adaptable to implement a design function F through an adapter I.
Each transition in F can be implemented by its corresponding transitions in D with a two-step mapping procedure Mf
and Md. For instance, the transition
$$c \xrightarrow{brew/\{\langle tea, 1\rangle, \langle second, 10\rangle\}} d$$
in F is implemented using
$$3 \xrightarrow{brew/\{\langle second, 10\rangle\}} 5 \xrightarrow{product/\{\langle tea, 1\rangle\}} 6$$
in D with the same functionalities (output labels); and the same behaviors (input labels) are achieved through the
adapter by starting with the same input and then automating the internal action product. State (5, c)0 in I represents
an internal state, i.e., a state that is not observable by an external observer.
Fig. 6. An example of adaptability.
3.4. Component adaptation
This subsection explains how to achieve adaptation once the adapter is constructed. In our specification matching
framework, component adaptation is achieved through the interaction between the adapter I and the device D. This
interaction is formally defined by a new parallel composition operator //, which combines a forced action in I with
a corresponding transition in D that is forced to give an unobservable τ action in I//D. In addition, the // operator
combines an external action in I with an identical external action in D resulting in an observable external move in
I//D. The // operator is defined as follows:
Definition 6 (Adaptation). Given a valid adapter $I = \langle Q, \Sigma_e, \Sigma_i, q_{i0}, \delta\rangle$ and a device $D = \langle Q_d, \Sigma_d, \delta_d, q_{d0}, \Gamma_d, \lambda_d\rangle$,
I//D is defined to be a process described by the ALTS $\langle Q_{I//D}, \Sigma_{I//D}, \delta_{I//D}, q_0, \Gamma_{I//D}, \lambda_{I//D}\rangle$, where
• $Q_{I//D} = Q_d \times Q$;
• $\Sigma_{I//D} = \Sigma_e \cup \{\tau\}$;
• $q_0 = (q_{d0}, q_{i0})$;
• $\Gamma_{I//D} = \Gamma_d$;
• $\delta_{I//D}$ and $\lambda_{I//D}$ are defined by the following rules:
Automated move: I//D makes an unobservable τ move, when I forces a transition in D:
$$\frac{q_d \xrightarrow{a/\lambda(q_d, a)} q_{d1}, \qquad q_i \xrightarrow{[a]} q_{i1}}{(q_d, q_i) \xrightarrow{\tau/\lambda(q_d, a)} (q_{d1}, q_{i1})}$$
Matched move: I//D makes an observable move, with both D and I simultaneously responding to the same
external signal:
$$\frac{q_d \xrightarrow{a/\lambda(q_d, a)} q_{d1}, \qquad q_i \xrightarrow{a} q_{i1}}{(q_d, q_i) \xrightarrow{a/\lambda(q_d, a)} (q_{d1}, q_{i1})}$$
Otherwise: For any other combination of $q \in Q_{I//D}$ and $a \in \Sigma_{I//D}$, we have $\delta(q, a) = \bot$ and $\lambda(q, a) = \bot$ as
well.
This composition operator // is different from the one defined in [29] in that the new operator differentiates the
functionalities from the behaviors on each transition. Only the behaviors are shadowed on the forced moves, while
the functionalities are properly inherited by the composition. Additionally, the // operator is quite different from the
synchronous parallel || operator of CCS [21]. First, unlike the synchronous parallel operator, the new operator disallows
autonomous moves. Secondly, a forced move is different from synchronous parallel composition with global hiding, as forcing
essentially leads to state-based hiding.
For D to match F , D and F have to satisfy the adaptability (Definition 5); on the other hand, D//I must be
equivalent to F in both behavioral and functional aspects. Behavior equivalence is checked by using Milner’s weak
bisimulation [21] (denoted as ≈ and also known as observational equivalence); functional equivalence is checked by
the following φ-rule: given q ≈ qf (behaviorally equivalent) for any q ∈ QD//I and qf ∈ Qf, if δf(qf, a) = q′f for
some a ∈ Σf, then there exists a sequence of signals ω ∈ Σ*D//I satisfying:
(1) $\hat\delta(q, a\omega) = q'$ such that $q' \approx q'_f$; and
(2) $\lambda_f(q_f, a) = \hat\lambda_{D//I}(q, a\omega)$.
Thus, an alternative definition for Adaptability (Definition 5) is given as follows based on the composition opera-
tor //:
Definition 7. A device D can implement a function F (D matches F ) if there exists an adapter I such that (I//D)
and F are equivalent in both behavioral and functional aspects, where behavioral equivalence is checked by using
Milner’s weak bisimulation, and functional equivalence is checked by using φ-rule defined as above.
Intuitively, D is adaptable to implement F if the behaviors of D//I and F cannot be distinguished by an external
observer.
3.5. Adaptability checking via specification matching
For convenience, we assume that I = 〈Q,Σe,Σi, q0, δ〉 is a valid adapter for the device D = 〈Qd,Σd, δd, qd0,Γd,
λd〉 to implement the design function F = 〈Qf,Σf, δf, qf0,Γf,λf〉, and Md : Q → Qd and Mf : Qf → Q are its
two associated mapping functions. Thus, we have the following properties.
Lemma 1. For any state p ∈ Q in I, if $\hat\delta(p, \omega) \neq \bot$ for some ω ∈ (Σe ∪ Σi)*, then $\hat\delta_d(M_d(p), \omega) = M_d(\hat\delta(p, \omega))$.
Proof. This lemma can be easily proved based on Definition 4(2) by induction on the length of ω. □
Lemma 2. Given two states qf, q′f ∈ Qf such that δf(qf, a) = q′f for some a ∈ Σf, there exists a sequence of signals
ω ∈ Σ*d such that
$$\hat\delta_d\big(M_d(M_f(q_f)),\, a\omega\big) = M_d(M_f(q'_f)).$$
Proof. According to Definition 5, there exists a sequence of signals ω ∈ Σ*i ⊆ Σ*d satisfying
$$\begin{aligned}
& \hat\delta\big(M_f(q_f),\, a\omega\big) = M_f(q'_f) \\
\Rightarrow\; & M_d\big(\hat\delta(M_f(q_f),\, a\omega)\big) = M_d(M_f(q'_f)) && \text{applying } M_d \text{ on both sides} \\
\Rightarrow\; & \hat\delta_d\big(M_d(M_f(q_f)),\, a\omega\big) = M_d(M_f(q'_f)) && \text{Lemma 1.} \qquad \square
\end{aligned}$$
Lemma 2 extends the behavioral matching property from between F and I to between F and D through the
composition of Md and Mf .
Theorem 1. If D is adaptable to implement F with a valid adapter I and its two associated mapping functions Md
and Mf , then R = {(Md(Mf (qf )), qf ) | qf ∈ Qf } is an S-matching relation.
Proof. We show how R satisfies Definition 2.
(i) ∀qf ∈ Qf, there exists Md(Mf(qf)) ∈ Qd such that (Md(Mf(qf)), qf) ∈ R;
(ii) for any (qd, qf) ∈ Qd × Qf, qdRqf implies qd = Md(Mf(qf)) according to the definition of R. Then, for
∀a ∈ Σf s.t. q′f = δf(qf, a) ≠ ⊥, according to Definition 5 (Adaptability), there exists a sequence of signals
ω ∈ Σ*i ⊆ Σ*d such that:
(1) $\lambda_f(q_f, a) = \hat\lambda_d\big(M_d(M_f(q_f)),\, a\omega\big) = \hat\lambda_d(q_d,\, a\omega)$ (functional matching);
(2)
$$\begin{aligned}
M_d(M_f(q'_f)) &= \hat\delta_d\big(M_d(M_f(q_f)),\, a\omega\big) && \text{Lemma 2} \\
&= \hat\delta_d(q_d,\, a\omega) && \text{since } q_d = M_d(M_f(q_f)) \\
&= q'_d && \text{let } q'_d = \hat\delta_d(q_d,\, a\omega) \text{ (behavioral matching).}
\end{aligned}$$
Thus, we have q′dRq′f based on the definition of R.
Therefore, R satisfies Definition 2, which completes the proof. □
Theorem 1 shows that the existence of an S-matching relation is a necessary condition for the existence of adapt-
ability from D to F via a valid adapter I . Both functional matching and behavioral matching between D and F can
be derived by applying the mapping functions Md and Mf .
Theorem 2. If there exists an S-matching relation R from D to F , then there exists a valid adapter I such that D is
adaptable to implement F .
Proof. The adapter I = 〈Q,Σe,Σi, q0, δ〉 with its two associated mapping functions Md and Mf can be constructed
as follows:
(1) Q = Qe ∪ Qi, where Qe = {(qd, qf) | qdRqf} and Qi is given in the next item;
(2) Σi, Qi and δ are constructed as follows: ∀qf, q′f ∈ Qf s.t. δf(qf, a) = q′f for some matched signal
a ∈ Σf, let qdRqf and q′dRq′f (that is, (qd, qf) ∈ Qe and (q′d, q′f) ∈ Qe); according to Definition 2, there exists
an automated signal sequence ω ∈ Σ*d such that q′d = δ̂d(qd, aω).
• If ω = ε, δ((qd, qf), a) = (q′d, q′f);
• If ω ≠ ε, let ω = a1a2···an, where n > 0 and aj ∈ Σi for any 1 ≤ j ≤ n. We have (δ̂d(qd, aωk), q′f)k ∈ Qi,
where ωk = a1···ak and 0 ≤ k < n (ω0 = ε), and δ is defined for 0 ≤ m < n by:
$$\begin{aligned}
\delta\big((q_d, q_f),\, a\big) &= \big(\delta_d(q_d, a),\, q'_f\big)_0 = \big(\hat\delta_d(q_d, a\omega_0),\, q'_f\big)_0, \\
\delta\Big(\big(\hat\delta_d(q_d, a\omega_m),\, q'_f\big)_m,\, a_{m+1}\Big) &= \big(\hat\delta_d(q_d, a\omega_{m+1}),\, q'_f\big)_{m+1}, \\
\delta\Big(\big(\hat\delta_d(q_d, a\omega_{n-1}),\, q'_f\big)_{n-1},\, a_n\Big) &= (q'_d,\, q'_f).
\end{aligned}$$
For any other combination of q ∈ Q and a ∈ Σi ∪ Σe, we have δ(q, a) = ⊥. Each state in Qi carries a subscript
so that it is a distinct state name.
(3) q0 = (qd0, qf0), where qd0Rqf0. (For simplicity, we assume that qd0Rqf0. Otherwise, a sequence of automated
signals might be used to find a new initial state having the relation R with qf0.)
(4) Md is defined as follows:
• Md((qd0, qf0)) = qd0;
• ∀p, q ∈ Q s.t. δ(p, a) = q and Md(p) = pd for some signal a ∈ Σe ∪ Σi, we have Md(q) = δd(pd, a).
(5) Mf(qf) = (qd, qf) for any qf ∈ Qf, where qdRqf;
(6) Σe = Σf.
We then prove that I is a valid adapter by showing how the three constraints in Definition 4 are satisfied:
• Σi ⊆ Σd since, in item (2), every single aj ∈ Σi is originally from the automated signal sequence ω ∈ Σ*d.
Σe ⊆ Σd since Σe = Σf, and Σf ⊆ Σd due to the behavioral matching given in the S-matching relation from D
to F.
• The construction of Md in item (4) ensures the satisfaction of the second constraint in Definition 4. The proof
is trivial.
• As δ is defined in item (2), there is only one defined transition from each internal state in Qi, and every internal
state in Qi is generated with a subscript to make itself a distinct state name. Therefore, the third constraint is also
satisfied.
Finally, we conclude that D is adaptable to implement F, according to Definition 5 (Adaptability), because there
exists a valid adapter I with two mapping functions Md and Mf such that:
• Σe = Σf, as given in item (6); and
• Consider two states qf, q′f ∈ Qf with δf(qf, a) = q′f for some a ∈ Σf. Let qdRqf and q′dRq′f, where qd, q′d ∈ Qd.
Then, there exists a sequence of signals ω ∈ Σ*i satisfying:
$$\begin{aligned}
\hat\delta\big(M_f(q_f),\, a\omega\big) &= (q'_d,\, q'_f) && \text{according to item (2)} \\
&= M_f(q'_f) && \text{according to item (5)}
\end{aligned}$$
and
$$\begin{aligned}
\lambda_f(q_f, a) &= \hat\lambda_d(q_d,\, a\omega) && \text{according to the S-matching relation } R \\
&= \hat\lambda_d\big(M_d((q_d, q_f)),\, a\omega\big) && \text{according to item (4)} \\
&= \hat\lambda_d\big(M_d(M_f(q_f)),\, a\omega\big). && \text{according to item (5)} \qquad \square
\end{aligned}$$
Theorem 2 shows that the existence of an S-matching relation is also a sufficient condition for the existence of
adaptability from D to F . As shown in the proof, a valid adapter I and two associated mapping functions Md and Mf
can be constructed based on the given S-matching relation R. And the adapter I is constructed in such a way that
matched signals in the S-matching relation have to be defined as external actions to simulate a given design function,
automated signals are masked as internal actions, and disabled signals are simply ignored since they will not be used
after adaptation.
Theorem 3 (Adaptability using specification matching). Given a device D and a function F , D is adaptable to
implement F if and only if there exists an S-matching relation between D and F .
Proof. Based on Theorems 1 and 2. □
Theorem 3 gives the theoretical foundation for applying specification matching on adaptive reuse in the domains
of embedded systems. To see whether there exists an adaptive reuse from a device D to a design function F , we can
simply check the S-matching relation between D and F instead of constructing the adapter directly. If the S-matching
relation does exist, we can then construct the adapter automatically based on the S-matching relation.
4. Logic-based S-matching tool
Theorem 3 gives a theoretical foundation for our logic-based specification matching tool (S-matching tool in short).
Component adaptability can be identified by checking a pure mathematical S-matching relation between components,
and further an adapter can be constructed based on the S-matching relation. Given two ALTSs: a device D and a
design function F , the S-matching tool will generate an automated adapter I if D can be adapted to implement F ,
otherwise, a partial adapter with error feedback will be shown.
Fig. 7. An architecture for S-matching tool.
4.1. Architecture
The S-matching tool has the architecture shown in Fig. 7, which gives an overview of the interaction
between specification matching and a tabled logic programming (TLP) system. The S-matching tool, from the given
specification of a device and a design function to the adapter generation, reduces to an S-matching checker
running on a tabled logic programming system. The S-matching checker, running on a TLP system, establishes the truth value of
the goal by query evaluation, and then justifies the truth value to provide evidence, in terms of a proof. The reduction
includes a forward step, which encodes the specifications of both device and function as logic programs, and a backward
step, which decodes the query result and its justification, providing the adapter, or a partial adapter if S-matching fails.
We adopt the XSB [35] system to implement the S-matching tool. XSB is a logic programming system that extends
Prolog-style resolution with tabled resolution [6,32]. Traditional logic programming systems (e.g., Prolog) use SLD
resolution [15] with the following computation strategy: subgoals of a resolvent are solved from left to right and
clauses that match a subgoal are applied in the textual order they appear in the program. It is well known that SLD
resolution may lead to non-termination for certain programs, even though an answer may exist via the declarative
semantics. That is, given any static computation strategy, one can always produce a program in which no answers can
be found due to non-termination even though some answers may logically follow from the program. In case of Prolog,
programs containing certain types of left-recursive clauses are examples of such programs.
The XSB system eliminates such infinite loops by extending logic programming with tabled resolution. The main
idea of tabled resolution is to memoize the answers to some calls and use the memoized answers to resolve subsequent
variant calls.⁴ Tabled resolution adopts a dynamic computation strategy while resolving subgoals in the current
resolvent against matched program clauses or tabled answers. It keeps track of the nature and type of the subgoals; if
the subgoal in the current resolvent is a variant of a former tabled call, tabled answers are used to resolve the subgoal;
otherwise, program clauses are used following SLD resolution.
The main advantages of tabled resolution are that a TLP system terminates more often by computing fixed-points,
avoids redundant computation by memoing the computed answers, and keeps the declarative and procedural semantics
consistent for pure logic programs with bounded-size terms. A tabled logic programming system can be thought of
as an engine for efficiently computing fixed-points, which is critical for many practical applications. XSB has already
been used for building efficient model checkers [26] and bisimulation checkers [4]. More importantly, the XSB system
provides a justifier [23], which essentially constructs concise evidence or debugging information to support the results
of query evaluation. This justifier can be easily extended to provide a solution to generate automated adapter for
reusing hardware/software components.
In a tabled logic programming system, only tabled predicates are resolved using tabled resolution. Tabled predicates
are explicitly declared as follows:
:- table p/n.
where p is a predicate name and n is its arity. A global data structure table [6,32] is introduced to memoize the answers
of any subgoals to tabled predicates, and to avoid their recomputation.
⁴ We say two Prolog calls C1 and C2 are variant if there exist substitutions φ and σ such that C1 = C2φ and C2 = C1σ.
Consider a simple tabled Prolog program checking reachability as follows.
:- table reach/2.
reach(X, X).
reach(X, Y) :- arc(X, Z), reach(Z, Y).
reach(X, Y) :- arc(X, Y).
arc(a, b). arc(b, a). arc(b, c).
:- reach(a, X).
Without the tabling declaration :- table reach/2, this program cannot terminate in a traditional Prolog system due to the
left-recursive definition of reach/2 and the cyclic arcs between a and b. To solve such a non-terminating program
in a traditional Prolog system, the programmer has to code the traversal of the graph (arcs) explicitly and somehow
maintain the set of visited nodes. However, using a tabled Prolog system, the programmer does not need to worry about such a
termination problem. At the code level, the program is devoid of all graph traversal. All the programmer needs to do is to define
the reachability relation correctly; how the graph traversal is carried out is hidden at the system level. For the above
example, the tabled Prolog system gives the correct answers X = a, X = b and X = c, and then terminates.
4.2. Encoding ALTS
An ALTS A = 〈Q,Σ,δ, q0,Γ,λ〉 is encoded as a set of facts in a logic program such that whenever δ(p, a) = q and
λ(p,a) = {〈n1, v1〉, . . . , 〈nk, vk〉}, where k ≥ 0, trans(p, a, [(n1, v1), . . . , (nk, vk)], q) is a fact. Predicate trans/4
encodes a given transition where the first and the last parameters indicate the source and destination states, the second
parameter a indicates the input signal that triggers this transition, and the third one is the attributes associated with the
transition. An example coding of the coffee/cappuccino brewer ALTS (see Fig. 4(a)) is shown below as a sequence of
facts:
trans(0, on, [], 1).
trans(1, coffee, [(coffee, 1)], 2).
trans(1, cappuccino, [(cappuccino, 1)], 3).
trans(2, produce, [(second, 30)], 4).
trans(3, produce, [(second, 15)], 4).
trans(4, off, [], 0).
Notice that in the S-matching tool we use the predicates transD/4 and transF/4 to represent the ALTSs of the device D
and the function F respectively. The predicates transD/4 and transF/4 are defined in the same way as the predicate
trans/4. We also assume that all states in an ALTS are connected.
The number of facts in the coding of an ALTS is proportional to the number of transitions in the ALTS. However,
the number of transitions is generally quadratic in the number of states, since in most practical ALTSs or LTSs for
embedded systems there is at most one transition from one state to another; that is, a control state with a differently
labeled transition usually reaches a different control state. Otherwise, there is no deterministic relation between the
number of transitions and the number of states.
4.3. S-matching checker
Rather than encoding the S-matching relation directly, it is more convenient to encode the dual of S-matching
relation as a tabled logic program within XSB. The reason is that XSB is a least fixed point engine whereas S-matching
computation is based on a greatest fixed point (the greatest S-matching relation between F and D is computed when
it exists). The rules for a pair of states to be non-S-matching are directly encoded as XSB clauses.
In the following, we provide the formal definition and the corresponding encoding in XSB. Let R be an S-matching
relation; then $\overline{R}$, the dual relation of R, is defined as follows.
:- table nsmatch/2.
:- table attr/4.
:- table findD/3.

nsmatch(D, F) :-
    transF(F, I, A, F1),
    findall(D1, attr(D, I, D1, A), L),
    all_nsmatch(L, F1).

all_nsmatch([], _).
all_nsmatch([D|L], F) :-
    nsmatch(D, F),
    all_nsmatch(L, F).

attr(D, I, D1, A) :-
    transD(D, I, A1, D2),
    sub(A, A1, AR),
    findD(D2, D1, AR).

findD(D, D, []).
findD(D, D2, A) :-
    transD(D, _, A1, D1),
    sub(A, A1, AR),
    findD(D1, D2, AR).

sub(A, [], A).
sub(A, [Pair|L], A1) :-
    sub1(A, Pair, A2),
    sub(A2, L, A1).

sub1([(N,V)|L], (N,V), L).
sub1([(N,V1)|L], (N,V2), [(N,V3)|L]) :-
    V3 is V1-V2,
    V3 > 0, !.
sub1([A|L], (N,V), [A|L1]) :-
    sub1(L, (N,V), L1).

Fig. 8. Coding for S-matching checker.
Definition 8 (Dual of S-matching). Given two ALTSs F = 〈Qf,Σf, δf, qf0,Γf,λf〉 and D = 〈Qd,Σd, δd, qd0,Γd,λd〉,
∀(qd, qf) ∈ Qd × Qf, $q_d \,\overline{R}\, q_f$ if
• ∃a ∈ Σf s.t. q′f = δf(qf, a) ≠ ⊥, and
∀ω ∈ Σ*d s.t. q′d = δ̂d(qd, aω) ∧ λf(qf, a) = λ̂d(qd, aω), $q'_d \,\overline{R}\, q'_f$.
This definition is equivalent to Definition 2 but emphasizes the fact that a pair (qd, qf) is not S-matching if, for some
transition a from qf in F, all states q′d reachable from qd in D with some transition sequence aω fail to simultaneously
satisfy the following conditions: (i) aω has the same output attributes as a in F, and (ii) q′dRq′f.
To implement the S-matching checker, we use the predicate name nsmatch/2 for the dual relation $\overline{R}$. The least
model computation of $\overline{R}$ can be encoded as shown in Fig. 8, where nsmatch/2, attr/4, and findD/3 are
tabled predicates. Predicate attr(D,I,D1,A) finds a reachable state D1 from the state D through a sequence
of transitions whose first input label is I and whose total attributes equal A. Predicate findall(X, Goal,
List) collects into List all instances of X for which Goal is provable. If Goal is not provable, List will be the
empty list []. Predicate all_nsmatch(L, Q) verifies the relation $\overline{R}$ between each state in the given list
L and the state Q in F. sub/3 and sub1/3 are auxiliary predicates that verify attribute equivalence, and ! is
the cut operator, used for efficiency.
The resulting code is very compact and extremely readable since it is devoid of all graph traversal and computation-
intensive routines, as these are performed automatically by the tabled logic programming engine.
Our S-matching tool takes longer to succeed than to fail in general. Since we implement the dual of S-matching,
the failure case represents a successful match. The main reason why failure takes less time is as follows: consider the
code of nsmatch/2 shown in Fig. 8. To make nsmatch succeed, all_nsmatch(L, F1) has to be true, which
means that F1 has to not match with all the nodes in the list L; however, for the failure case, it is enough as long as
one node in L matches with F1.
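The checker of Fig. 8 and the adapter construction of Theorem 2 in one piece, as an added example in Python rather than the paper's XSB code: the device is the coffee/cappuccino brewer encoded in Section 4.2, while the design function F and its mismatching variant are constructed for this example. Attributes are compared per name, as sub/3 and sub1/3 do, and the dual relation is computed as a least fixed point exactly as nsmatch/2 is.

```python
from collections import Counter, deque

# An ALTS is a dict {(state, label): (attrs, next_state)}, mirroring the trans/4
# facts of Section 4.2; attrs is a list of (name, value) pairs.
# Device D: the coffee/cappuccino brewer of Fig. 4(a), as encoded on the page.
DEVICE = {
    (0, "on"): ([], 1),
    (1, "coffee"): ([("coffee", 1)], 2),
    (1, "cappuccino"): ([("cappuccino", 1)], 3),
    (2, "produce"): ([("second", 30)], 4),
    (3, "produce"): ([("second", 15)], 4),
    (4, "off"): ([], 0),
}
# Design function F (constructed): a coffee-only brewer whose single "coffee"
# signal carries the total attributes of brewing.
FUNCTION = {
    ("f0", "on"): ([], "f1"),
    ("f1", "coffee"): ([("coffee", 1), ("second", 30)], "f2"),
    ("f2", "off"): ([], "f0"),
}
# Mismatching variant (constructed): a 15-second coffee, which D cannot deliver.
FUNCTION_BAD = dict(FUNCTION)
FUNCTION_BAD[("f1", "coffee")] = ([("coffee", 1), ("second", 15)], "f2")


def states(alts):
    return sorted({s for s, _ in alts} | {n for _, n in alts.values()}, key=str)


def reach(alts, d, a, attrs):
    """findall(D1, attr(D, I, D1, A), L) of Fig. 8: states reachable from d by
    a*omega with attribute totals equal to attrs, mapped to the shortest omega."""
    if (d, a) not in alts:
        return {}
    first_attrs, d1 = alts[(d, a)]
    remaining = Counter(dict(attrs))
    remaining.subtract(Counter(dict(first_attrs)))
    if any(v < 0 for v in remaining.values()):   # sub/3 fails: overshoot
        return {}
    found, seen, queue = {}, set(), deque([(d1, remaining, ())])
    while queue:
        s, rem, omega = queue.popleft()
        key = (s, tuple(sorted(rem.items())))
        if key in seen:                           # same role as tabling findD/3
            continue
        seen.add(key)
        if all(v == 0 for v in rem.values()):     # findD(D, D, [])
            found.setdefault(s, omega)
        for (src, lab), (a1, nxt) in alts.items():
            if src == s:
                rem2 = Counter(rem)
                rem2.subtract(Counter(dict(a1)))
                if all(v >= 0 for v in rem2.values()):
                    queue.append((nxt, rem2, omega + (lab,)))
    return found


def smatch(dev, fun):
    """Greatest S-matching relation: complement of the least fixed point of the
    dual nsmatch/2 (Definition 8), where a pair joins the dual when, for some
    F-transition, every reachable D-state is already in the dual."""
    pairs = [(d, f) for d in states(dev) for f in states(fun)]
    ns, changed = set(), True
    while changed:
        changed = False
        for d, f in pairs:
            if (d, f) in ns:
                continue
            for (src, a), (attrs, f1) in fun.items():
                if src == f and all((d1, f1) in ns for d1 in reach(dev, d, a, attrs)):
                    ns.add((d, f))
                    changed = True
                    break
    return set(pairs) - ns


def build_adapter(dev, fun, d0, f0):
    """Adapter I per Theorem 2: external states (d, f) with d R f, an external
    ("ext") move on each matched signal, then one internal ("int") move per
    automated signal of omega through intermediate states (d_k, f', k).
    Returns {(state, signal): (kind, next)}, or None if d0, f0 do not match."""
    rel = smatch(dev, fun)
    if (d0, f0) not in rel:
        return None
    trans = {}
    for (f, a), (attrs, f1) in fun.items():
        for d in states(dev):
            if (d, f) not in rel:
                continue
            paths = reach(dev, d, a, attrs)
            d1 = next(x for x in sorted(paths, key=str) if (x, f1) in rel)
            labels = [a] + list(paths[d1])
            chain, dd = [(d, f)], d
            for k in range(len(paths[d1])):        # state after a*omega_k
                dd = dev[(dd, labels[k])][1]
                chain.append((dd, f1, k))
            chain.append((d1, f1))
            for k, lab in enumerate(labels):
                trans[(chain[k], lab)] = ("ext" if k == 0 else "int", chain[k + 1])
    return trans
```

Calling build_adapter(DEVICE, FUNCTION, 0, "f0") yields a four-transition adapter in which produce becomes an internal action and cappuccino is disabled; with FUNCTION_BAD it returns None, the case in which the tool reports a partial adapter instead.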
4.4. Evaluation and justification
Query evaluation of a goal with respect to a logic program establishes the truth or falsehood of the goal. Given two
ALTSs F and D and the code shown above, nsmatch(d0,f0) can be queried in the XSB system to evaluate whether
the complement of the S-matching relation, $d_0 \,\overline{R}\, f_0$, holds, where d0 and f0 are the initial states of the device D and the
design function F respectively.
Fig. 9. Justification segment for a true literal.
However, the underlying evaluation typically provides little or no information as to why the conclusion was
reached. In [23] we proposed an efficient justifier to provide evidence, in terms of proof, for the truth value of the
result generated by query evaluation of a tabled logic program. The justification is based on program transformation.
Specifically, every predicate in the original program corresponds to two predicates in the transformed program: an
evidence predicate and a dual predicate. Whenever a query in the original program is true, the corresponding query to
its evidence predicate generates the answer and its evidence simultaneously. Whenever a query in the original program
fails, the corresponding query to its dual predicate generates an evidence for the failure.
Justification succinctly conveys to the user only those parts of the proof search which are relevant to the
proof/disproof of the goal. The naturalness of using a tabled LP system for justification is that the answer memo
tables created represent the lemmas that were tried and proved during query evaluation. By using these lemmas stored
in the tables, the justifier presents only relevant parts of the derivation to the user.
The result of justification is in the form of evidence trees [23], which reflect the derivation relation between the sub-
goals represented by the literals. For the S-matching problem, the justification results contain sufficient information,
which can be converted later to the adapter.
Fig. 9 illustrates a justification segment⁵ of nsmatch(d, f), where d and f represent two state instances of D
and F , respectively. Each node in the segment contains a literal and its truth value, and the parent/children relation
represents that the truth value of the parent literal depends on those values of its children. For example, nsmatch(d ,
f ) is true because transF(f , i, a, f 1), findall(d ′, attr(d , i, d ′, a), l) and all_nsmatch(l, f 1) are true.
The literals trans/3 and findall/3 are shown as leaf nodes because they are defined by facts and by a built-in predicate
respectively, and the literal all_nsmatch(l, f1) is justified recursively by its child literals until all literals are
justified by true facts or built-in literals.
Similarly, Fig. 10 displays a justification segment showing the evidence why nsmatch(d, f) is false—d and f have
an S-matching relation. The clause definition of nsmatch/2 implies that there are two possibilities for an nsmatch
literal to fail. One is that there are no transitions from state f, whose justification is shown in Fig. 10(a). That is, if a state
f in the design function has no outgoing transitions, then any state in the device has an S-matching relation R with
f; therefore, $\overline{R}$ fails. The other possibility, shown in Fig. 10(b), is that for any instance transF(f,j,a,f1) we can always
find a di such that di is S-matched to f1. Notice that the node nsmatch(d, f) may contain more than three children
depending on how many instances of transF(f,I,A,F1) there are in the given design function F.
4.5. Decoding
The last step of the S-matching tool is to extract the adapter from the justification results. This extraction procedure
is called decoding in the sense that contrary to encoding step, it maps the justification results in logic programming
level to the proof/disproof evidence in S-matching system. If there is an S-matching relation between D and F , the
⁵ In the real justification trees, all the variables, such as D, F, etc., are bound to concrete state or label instances, which are usually represented
by lower-case letters such as d, f, etc. Figs. 9 and 10 just show a skeleton of justification segments.
Fig. 10. Justification substructure for a false literal.
decoding step essentially generates an adapter validating the adaptation of D to the design function F . Otherwise, if
there is no S-matching relation, it shows a partial adapter highlighting from which states no further adaptation can be
made.
The decoding step contains a few rewriting rules mapping the possible justification segments to the primitive
evidence, which, in the S-matching tool, consists of matched and automated transitions. Since the implementation of the S-
matching checker follows the formal logic definition of $\overline{R}$ exactly, both matched and automated transitions, as defined
in Definition 2(2), must be embedded in the justification results.
Let us first consider how to generate an adapter if there is an S-matching relation between the given D and F. Consider
the two skeletons of justification segments in Fig. 10. Fig. 10(a) shows that a state d in the device can be S-matched to a state f
without any outgoing transitions. Therefore, a state (d, f) without any outgoing transitions can be generated in the
adapter. From Fig. 10(b), a sequence of transitions, determined by the path from d to di, is generated for the adapter
from state (d, f) to state (di, f1), where the label i must be the one for the first transition and the remaining transitions can
easily be found following the construction method in Theorem 2.
On the other hand, if there is no S-matching relation between given D and F , a partial adapter is required. The
partial adapter is based on an assumption that d0 is S-matched to f0, where d0 and f0 are the start states in D and F
respectively. Consider the justification of a true literal nsmatch(d,f) as shown in Fig. 9. This segment implies a
sequence of valid transitions from state (d, f ) to (di, f 1) for the partial adapter, similar to the generation of transitions
for a complete adapter. Some critical failure nodes are highlighted in a partial adapter. The highlighted failure states
come from the same justification segment when L is an empty list, that is, there exists a transition in F which has no
matching transitions from D.
Figs. 11 and 12 show a failure example of specification matching. The device D (Fig. 11) is a car controller having
both a cruise control facility as well as acceleration through manual mode. The design function F (Fig. 12(a)) specifies
a car controller that drives in the manual mode alone. The specification matching fails because when the controller
finds the belts unfastened, the device gives a two-beep alarm, while the design function needs a three-beep alarm. Notice
that the attribute pairs <cruise, 1> and <accl-dec, 1> mean that the cruise control and manual control are
selected once.
5. Experiments
The running time complexity of the S-matching checker is mainly determined by the computation of nsmatch
(see Fig. 8), which is O(|Qf| × |Qd| × mf × td × vf), where |Qf| and |Qd| denote the number of states of F and D,
respectively, mf denotes the maximum number of transitions from a single node in F, td denotes the total number
of transitions in D, and vf denotes the maximum number of attribute values in F. The first two terms |Qf| × |Qd|
arise from the recursive definition of the tabled predicate nsmatch/2. Since nsmatch/2 is a tabled predicate,
nsmatch(D, F) will be computed at most |Qf| × |Qd| times in the worst case for every D in Qd and every F in Qf;
the term mf arises from transF(F, I, A, F1), which represents every transition from F to F1 with an input
label I and attributes A; the td × vf term arises from the subgoal findall(D1, attr(D, I, D1, A), L) to
find all reachable states D1 such that the sequence from D to D1 starts with the input label I and has total attributes A,
where in the worst case the findall computation may go through all the transitions vf times. In practical running
instances, finding reachable states based on attr/4 is much faster because the constraints of the starting input label I
and the bound attribute value for vf make the list L short.

Fig. 11. Controller for a car which drives in manual and cruise modes (D).
Fig. 12. (a) Simple controller for a car having manual mode alone (F). (b) A partial adapter (I).

Table 1
Benchmarks

Benchmark  Function                    States  Transitions  Device                              States  Transitions
Test1      Simple coffee brewer             7            8  Complex coffee brewer                   15           18
Test2      Coffee vending machine           3            4  Beverage vending machine                 9           13
Test3      Stamp vending machine            5            9  Post-accessory vending machine           7           15
Test4      Car having manual mode           4            4  Car having manual and cruise modes       9           11
Test5      Port of a lathe controller      13           13  Intel 8255                              45           48
Test6      A down counter                   6            8  Intel 8254                              53           63
Test7      Simple Image Encoder             3            3  General Purpose Encoder                 13           16

Table 2
Experiments on successful specification matching

Benchmark  Adapter states  Adapter transitions  Time (secs)
Test1                   9                   10         0.03
Test2                  21                   22         0.03
Test3                  33                   37         0.03
Test4                  11                   12         0.03
Test5                  20                   20         0.06
Test6                  12                   13         0.05
Test7                   6                    6         0.03
Several examples, as shown in Table 1, were developed to test the S-matching tool and to see how easy it was to reuse
existing IPs (intellectual properties), which include both hardware and software components. Each design function or
device is given with its number of states and number of transitions.
Certain general purpose programmable devices such as Intel 8254 and Intel 8255 were selected to demonstrate
component matching. These devices are normally reused by human designers by writing device drivers which supply
appropriate mode and command words to select the desired mode. Automatic reuse of such programmable chips
entails automation of tasks previously performed by expert human designers.
In addition to these hardware components, we tested our work on software components. A number of reactive con-
trollers including vending machines, coffee brewers and automobile cruise controllers were also selected to illustrate
the reusability of such controllers. In addition, we took a general purpose encoder developed recently [14]. Using the
S-matching tool, we could automatically reuse this IP as a JPEG encoder.
All the devices and design functions were encoded using attributed labeled transition system (ALTS) specifications
as F and D pairs. The control states and labeled transitions in the ALTSs were derived by hand, which is actually very
time consuming. Four undergraduate students, with a good background in signal processing, worked on this
project for two semesters and produced those benchmarks by reusing existing open-source IPs. Note that the number
of control states is not huge. However, we are demonstrating that data transformations are standard and we are
reusing the data part “as is”—the data paths in F and D are identical. Our approach only changes the control part to
suit the new specification.
The performance of the S-matching tool in XSB is summarized in Table 2, which represents the experiments on
successful specification matching. The tool was tested on a laptop with a Pentium 4 2.4 GHz CPU and 512M RAM;
the running time was measured in seconds, including both specification matching and its justification. Each generated
adapter is given with its number of states and number of transitions. The experimental results are mainly used to
validate the correctness of our S-matching for reusing real embedded system components.

Table 3
Experiments on unsuccessful specification matching

Benchmark  Partial adapter states  Partial adapter transitions  Time (secs)
Test1                           7                            7         0.03
Test2                           9                            9         0.04
Test3                          17                           20         0.04
Test4                           7                            7         0.04
Test5                          20                           19         0.04
Test6                          12                           12         0.03
Test7                           6                            5         0.04
In general, our S-matching tool takes longer to find an unsuccessful specification matching than a successful
one. The experimental results on unsuccessful specification matching are shown in Table 3, where the benchmarks
in each test have been changed slightly to produce a mismatch (compared to the tests in Table 2 for successful matching). Since
we implement the dual of S-matching, the failure case for a predicate query (e.g., nsmatch(d0, f0)) represents a
successful specification match. Consider the code of nsmatch/2 shown in Fig. 8. To make nsmatch succeed,
all_nsmatch(L, F1) has to be true, which means F1 must fail to match all the nodes in the list L; however,
for the failure case, it is enough that one node in L matches F1. In the practical experiments, however, the
unsuccessful specification matching is not slowed down much, because the list L is short, as explained earlier in this section.
6. Related work
In this paper, we introduced ALTS to model components both behaviorally and functionally. System behavior is
captured by the ALTS transition structure that reacts to environment inputs. Functionality is captured as outputs on
the transitions, which are attribute-value pairs. Syntactically, an ALTS looks similar to input-output boolean automata
(IOBA) [18], which are used to model synchronous programs. In an IOBA, a transition triggers based on a Boolean
guard over inputs and produces a set of outputs. Our transitions are simpler in the sense that they trigger based on some
abstract action (similar to labelled transition systems [11]) and produce a list of output actions that are attribute pairs.
The attribute pairs are syntactically like the outputs generated by an IOBA. However, they have special semantics that are
used during the matching process to generate correct functionality. Lynch and Tuttle [16] have proposed input output
automata (IOA) for the modelling of distributed systems. An IOA can capture a system or a communication channel.
An IOA transition also triggers based on some environment condition and produces some outputs as a result. Unlike
ALTS, which are specifically designed for embedded systems, IOA is designed for distributed systems and hence is
much more general—it may be nondeterministic, can have communication using send and receive primitives and have
more complex synchronization. An ALTS may be thought of as a specialization of IOAs to suit embedded systems.
Refinement is a formal approach for relating two levels of abstraction of the same design. Abadi and Lamport [1]
introduced refinement mappings to check if a low-level implementation correctly refines a high-level specification
using the notion of trace containment. Milner [21] proposed simulation and bisimulation over processes defined using
the process algebra CCS. Simulation is a preorder that is stronger than trace containment but weaker than bisimulation
equivalence (bisimulation has been shown to be the strongest notion for comparing two systems behaviorally [7]). This
paper proposes the S-matching relation, which is also a refinement from a specification (function F ) to an implementation
(a device D). However, the proposed refinement comes into play when normal refinement fails, because the device to be
reused is general and needs to be specialized dynamically. Hence, S-matching leads to dynamic refinement using an
adapter.
One of the main ideas of dynamic reuse using the S-matching approach is that some behavior in D is hidden so that
extra control paths not required in F are removed. This hiding, however, is state-based, unlike the global hiding
operator in process algebras [11,21]. Consider, for example, F and D as shown in Fig. 13. In this example, F is a
coffee vending machine that delivers coffee after a dollar coin is inserted, and D is an existing machine that delivers
coffee only after two one-dollar coins are inserted. If we want to reuse D to create F, then we need an adapter that waits
for a coin to be inserted and subsequently forces the second coin (we might have another adapter that first forces a
coin before waiting for the second coin to be inserted). Thus, in the composite system, coin is visible in the first state
while it is hidden in the next state. If we used the hiding operator of process algebras, coin would be hidden globally, unlike
the state-based hiding performed by our adapters.

Fig. 13. State-based hiding.
The specification matching problem using S-matching looks superficially similar to the controllability problem [25]
of discrete event systems (DES). In DES, a supervisor is synthesized to make a plant behave as the desired specifica-
tion. The task of the supervisor is to disable certain actions of the plant at specific points. However, in DES control, the
supervisor is not capable of state-based hiding which is induced in the composite system because of forcing actions
of the adapter (which are not performed by the supervisor). Hence, for the reuse example in Fig. 13, no supervisor
can be synthesized.
7. Conclusion
The paper presents a new formal method for adaptive reuse in the domain of embedded systems. Specifically, we
have presented: (1) a new automaton notation, ALTS, for the precise specification of programmable devices; (2) a for-
mal specification matching scheme to check the adaptability between two devices; (3) a specification matching tool
implemented in a tabled logic programming environment, which provides distinct advantages for rapid implementation;
(4) a fully automated procedure to generate a device adapter whenever a specification matching relation exists; (5) a partial
adapter as feedback on a mismatch; and (6) an application of the S-matching tool to intellectual property matching
problems.
This work should be of interest to many communities involved in the research areas of computer science. First,
for the formal methods and software engineering communities, specification matching provides a formal yet practical
method for rapidly developing reliable software for component adaptation. Second, for the logic programming
community, this paper shows an attractive platform for encoding computational problems in both specification and
verification of systems. And third, for the database community, specification matching can be used as a search key for
component retrieval from a library of prefabricated components; attribute constraints in ALTS specification can make
it possible to design a powerful and flexible search query scheme.
References
[1] M. Abadi, L. Lamport, The existence of refinement mappings, Theoretical Computer Science 82 (2) (1991) 253–284.
[2] S. Atkinson, A formal model for integrated retrieval from software libraries, in: Proceedings of Technology of Object-Oriented Languages and
Systems, 1996.
[3] F. Balarin, M. Chiodo, P. Giusto, H. Hsieh, A. Jurecska, L. Lavagno, C. Passerone, A. Sangiovanni-Vincentelli, E. Sentovich, K. Suzuki,
B. Tabbara, Hardware Software Codesign of Embedded Systems—The POLIS Approach, Kluwer, 1997.
[4] S. Basu, M. Mukund, C.R. Ramakrishnan, I.V. Ramakrishnan, R.M. Verma, Local and symbolic bisimulation using tabled constraint logic
programming, in: International Conference on Logic Programming, 2001, pp. 166–180.
[5] J. Bosch, Superimposition: A component adaptation technique, Information and Software Technology 41 (5) (1999).
[6] W. Chen, D.S. Warren, Tabled evaluation with delaying for general logic programs, Journal of the ACM 43 (1) (1996) 20–74.
[7] R.J. van Glabbeek, The linear time—branching time spectrum, in: International Conference on Concurrency Theory, 1990, pp. 278–297.
[8] E.M. Clarke, O. Grumberg, D. Peled, Model Checking, MIT Press, 2000.
[9] B. Fischer, Specification-based browsing of software component libraries, in: Proc. 13th Automated Software Engineering, 1998, pp. 74–83.
[10] T.A. Henzinger, Z. Manna, A. Pnueli, Temporal proof methodologies for real-time systems, in: Principles of Programming Languages, 1991,
pp. 353–366.
[11] C.A.R. Hoare, Communicating Sequential Processes, Prentice-Hall International, 1985.
[12] J. Jeng, B.H.C. Cheng, Specification matching for software reuse: A foundation, in: Proc. the ACM SIGSOFT Symposium on Software
Reusability, 1995, pp. 97–105.
[13] J. Jussel, System-on-a-chip reuse platforms can dramatically shorten design cycles, Electronic Design 48 (21) (2000).
[14] V. Krishnan, S. Sethuraman, Reuse oriented slicing of specifications for embedded systems, Department of Electrical Engineering, Final Year
Project Report, University of Auckland, 2002.
[15] J. Lloyd, Foundations of Logic Programming, Springer-Verlag, 1987.
[16] N.A. Lynch, M.R. Tuttle, An introduction to input/output automata, CWI Quarterly 2 (3) (1989) 219–246.
[17] N. Lynch, F. Vaandrager, Forward and backward simulations, part I: Untimed systems, Information and Computation 121 (2) (1995) 214–233.
[18] F. Maraninchi, N. Halbwachs, Compositional semantics of nondeterministic synchronous languages, in: Proceedings of the European Sympo-
sium on Programming (ESOP), 1996, pp. 235–249.
[19] K. Matzel, P. Schnorf, Dynamic component adaptation, Technical Report 97-6-1, Union Bank of Switzerland, 1997.
[20] M. Mezini, K. Lieberherr, Adaptive plug-and-play components for evolutionary software development, ACM Sigplan Notices 33 (10) (1998)
97–116.
[21] R. Milner, Communication and Concurrency, Prentice-Hall International, 1989.
[22] D.A. Peled, Software Reliability Methods, Springer-Verlag, 2001.
[23] G. Pemmasani, H.-F. Guo, Y. Dong, C.R. Ramakrishnan, I.V. Ramakrishnan, Online justification for tabled logic programs, in: International
Symposium on Functional and Logic Programming, 2004, pp. 24–38.
[24] J. Penix, Automated component retrieval and adaptation using formal specifications, PhD Thesis, Univ. of Cincinnati, 1998.
[25] P.J.G. Ramadge, W.M. Wonham, The control of discrete event systems, Proceedings of the IEEE 77 (1989) 81–98.
[26] C.R. Ramakrishnan, I.V. Ramakrishnan, S.A. Smolka, D.S. Warren, LMC: A system for the specification and evaluation of logic-based model
checking, ACM Software Engineering Notes 25 (1) (2000).
[27] E.J. Rollins, J.M. Wing, Specifications as search keys for software libraries, in: The International Conference on Logic Programming, MIT
Press, 1991, pp. 173–187.
[28] P. Roop, Forced simulation: A formal approach to component based development of embedded systems, PhD Thesis, The Univ. of New South
Wales, Sydney, 2000.
[29] P.S. Roop, A. Sowmya, S. Ramesh, Forced simulation: A technique for automating component reuse in embedded systems, ACM Transactions
on Design Automation of Electronic Systems 6 (4) (2001).
[30] P.S. Roop, A. Sowmya, S. Ramesh, k-time forced simulation: A formal verification technique for IP reuse, in: IEEE International Conference
on Computer Design, 2002, pp. 50–55.
[31] P. Schaumont, R. Cmar, S. Vernalde, M. Engels, I. Bolsens, Hardware reuse at the behavioral level, in: Proceedings of the 36th Design
Automation Conference, 1999, pp. 784–789.
[32] H. Tamaki, T. Sato, OLD resolution with tabulation, in: International Conference on Logic Programming (ICLP), 1986, pp. 84–98.
[33] J.E. Hopcroft, J.D. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, 1990.
[34] M.Y. Vardi, Verification of concurrent programs: The automata-theoretic framework, in: IEEE Symposium on Logic in Computer Science,
1987, pp. 167–176.
[35] The XSB logic programming system v2.5, http://xsb.sourceforge.net/, 2003.
[36] A.M. Zaremski, J.M. Wing, Specification matching of software components, in: 3rd ACM SIGSOFT Symposium on the Foundations of
Software Engineering, 1995, pp. 6–17.
