In this paper we propose inheritance relations for a CSPbased component model (BRIC), which supports a constructive design based on composition rules that preserves desired properties such as deadlock freedom. We enhance this component model with support for extensibility via inheritance. The proposed relations allow extension of functionality, whilst preserving service conformance, which we define by means of a substitutability test. We also establish an algebraic connection between component extensibility and refinement. We illustrate our results by presenting a case study that consists of a bank system incrementally improved by inheritance.
INTRODUCTION
Component-based model driven development (CB-MDD) [17] is a well recognised approach to develop complex systems and has been successfully applied in industry. Its basic idea is that complex systems can be built from simpler ones, called components, with well-defined interface and behaviour. The BRIC component model [15, 14] formalises the core Component-Based Model Driven Development concepts [17] (components, interfaces, channels and behaviour) and, moreover, supports compositions, where deadlock freedom is ensured by construction. This approach covers not only tree topologies, but also cyclic topologies.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org. An approach for CB-MDD is not complete without a notion of component inheritance, where behavioural [19, 9, 10] and contractual aspects are considered. The main contribution of this work is the definition of inheritance relations for BRIC based on the concept of behavioural convergence. Section 2 presents a summary of the BRIC model [15, 14] . We present our main contribution in Section 3, where we define notions of component convergence. Based on this relation, we establish our inheritance relations for BRIC components, which are suitable for any theory that distinguishes outputs from inputs [3] . We also algebraically relate component inheritance with refinement. Our results are illustrated by a case study of a bank system in Section 4. We conclude summarising our contributions and discussing related and future work in Section 5.
BRIC COMPONENT MODEL
The BRIC component model specifies components, connectors, their behaviour (given in the Communicating Sequential Processes (CSP) language [16] ) and the rules by which they are assembled. The behavioural properties (i. e. deadlock freedom) of compositions using the BRIC rules are guaranteed by construction. This is a direct consequence of the conditions imposed by the rules as demonstrated in [15] . A local analysis is achieved for most of the compositional rules which can be used to build non-cyclic networks. Based on architectural patterns [2] , local analysis can also be achieved for cyclic networks.
CSP
A process algebra like CSP can be used to describe systems composed of interacting components, which are independent self-contained processes with interfaces used to interact with the environment. Such formalisms provide a way to explicitly specify and reason about interaction between different components. Furthermore, phenomena that are exclusive to the concurrent world, that arise from the combination of components and not individual components, like deadlock and livelock, can be more easily understood and controlled using such formalisms. Tool support is another reason for the success of CSP in industrial applications, and consequently, for our choice to use it as the formal notation. For instance, FDR2 [8] provides an automatic analysis of model refinement and of properties like deadlock and divergence.
The two basic CSP processes are STOP (deadlock) and SKIP (successful termination). The prefixing c -> P is initially able to perform only the event c; afterwards it behaves like process P. A Boolean guard may be associated with a process: given a predicate g, if the condition g holds, the process g & c?x ->A inputs a value through channel c and assigns it to the variable x, and then behaves like A, which has the variable x in scope; it deadlocks otherwise. It can also be defined as if g then c?x -> A else STOP. Multiple inputs and outputs are also possible. For instance, c?x?y!z inputs two values that are assigned to x and y and outputs the value z.
The sequence operator P1;P2 combines processes P1 and P2 in sequence. The external choice P1 [] P2 initially offers events of both processes. The performance of the first event resolves the choice in favor of the process that performs it. The environment has no control over the internal choice P1 |~| P2. The sharing parallel composition P1 [| cs |] P2 synchronizes P1 and P2 on the channels in the set cs; events that are not listed occur independently. Processes composed in interleaving P1 ||| P2 run independently. The event hiding operator P \ cs encapsulates the events that are in the channel set cs, which become no longer visible to the environment.
In this work we need two denotational models of CSP: traces (T) and stable failures or just failures (F). A trace of a process P is a sequence of events that it can perform and we define T(P) to be the set of all its finite traces. For example T(e1 -> e2 -> STOP) = { , e1 , e1, e2 }. The F(P) consists, of all stable failures (s, X), where s is a trace of P (s ∈ T(P)) and X is a set of events P can refuse in some stable state after s. A stable state is one that can only be changed by a visible event (registered in the process trace). The unique invisible event CSP has is τ , it can happen, for example, in the internal choice P |~| Q, which will be implemented as a process which can take an invisible τ event to each of P and Q.
BRIC
A component is defined as a contract (Definition 1) that specifies its behaviour, communication points (or channels) and their types.
Definition 1 (Component contract).
A component contract Ctr : B, R, I, C comprises an observational behaviour B specified as a CSP process, a set of communication channels C, a set of interfaces I, and a total function R : C → I between channels and interfaces of the contract, such that B is an I/O process.
We require the CSP process B to be an I/O process, which is a non-divergent processes with infinite traces. Moreover, it offers to the environment the choice over its inputs (external choice) but reserves the right to choose between its outputs (internal choice). It represents a widely range of specifications, including the server-client protocol, where the client sends requests (inputs) to the server, which decides the outputs to be returned to the client. Definition 2 (I/O process). We say that a CSP process P is an I/O process if it satisfies the following five conditions, which are formally presented in [15, 14] : (1) I/O channels: Every channel in P has its events partitioned between inputs and outputs. (2) infinite traces: P has an infinite set of traces (but finite state-space). (3) divergence-freedom: P is divergence-free.
(4) input determinism: If a set of input events in P are offered to the environment, none of them are refused. (5) strong output decisive: All choices (if any) among output events on a given channel in P are internal; the process, however, must offer at least one output on that channel.
Contracts can be composed using any of the four rules available in the model: interleaving, communication, feedback, or reflexive. Each of these rules impose different side conditions, which must be satisfied by the contracts and channels involved in the composition in order to guarantee deadlock freedom by construction.
The rules provide asynchronous pairwise compositions, mediated by infinite buffers, and focus on the preservation of deadlock freedom in the resulting component. Using the rules, developers may synchronise two channels of two components, or even of the same component.
The four rules are illustrated in Figure 1 . The result of an application of a composition rule is a new component. The interleave composition rule is the simplest form of composition. It aggregates two independent entities such that, after composition, these entities still do not communicate between themselves. They directly communicate with the environment as before, with no interference from each other. The communication composition states the most common way for linking complementary channels of two different entities. The next two compositions allow the link of two complementary channels of a same entity. First, the feedback composition provides the possibility of creating safe cycles for systems with a tree topology. In practice, however, there are more complex systems that indeed present cycles of dependencies in the topology of the system structure. The last composition rule, reflexive composition, is more general than the feedback one and allows cyclic topologies. However, it is also more costly regarding verification, since it is able to assemble dependent channels (feedback assembles only independent channels), and so in general requires a global analysis to ensure deadlock freedom.
BRIC INHERITANCE
In this section we present the main contributions of this work: the development of inheritance relations for behavioural specifications that distinguish inputs from outputs, in the context of rigorous trustworthy component development, where structural aspects are also considered. Our relations rely on top of a behavioural relation called convergence. It captures the idea that components can evolve by accepting new inputs or establishing a communication session after them but they are able to converge to the predicted behaviour exhibited by its abstractions. This is a concept that cannot be captured only by the hiding operator as we have in other inheritance relations [19] .
The concept of inheritance in the object-oriented paradigm is a well know field with a comprehensive literature [11] . Recently, efforts have been made to extend this concept to process algebras as CSP. Notably, in [19] the author proposes four types of behavioural inheritance relations to Labelled Transition Systems (LTS). Although very promising, these relations do not consider specifications that distinguish inputs from outputs, such as BRIC, in which behaviour is modelled as CSP I/O processes. Since I/O processes must satisfy behaviour restrictions such as input determinism and strong output decisiveness, we need relations that can capture these restrictions. We base our approach on a concept of convergence: a convergent process is allowed to do the same as or more inputs than its parent process, but is restricted to do the same or less outputs in convergent points. A convergent point represents a state reachable by both the original and the convergent process when doing two convergent sequences of events; these sequences differ only because the convergent process is allowed to do extra inputs (inputs not allowed by the original process) in converging points. First, we formalise the concept of convergent traces as follows.
In Definition 3 and others that follow: Σ stands for alphabet of all possible events, Σ * is the set of possible sequences of events from Σ, the input events are contained in Σ (inputs ⊆ Σ) and in(T, t) is a function that yields the set of input events that can be communicated by the I/O process T after some t ∈ T(T ), therefore in : I/OP rocess × Σ * → inputs. Additionally if t1 ≤ t2, it means that t1 is a subtrace of t2. A trace t is I/O convergent to t if they are equal or if its possible to make them so by concealing each event ne ∈ inputs soon as it makes their common subtrace differ (ne / ∈ in(T, t1)).
Definition 3 (I/O convergent traces).
Consider two I/O processes T and T . Let t and t be two respective traces. We say that t is an I/O convergent trace of t (t cvg t) if, and only if:
Based on the definition of convergent traces, we are now able to define behavioural convergence.
Definition 4 (I/O convergent behaviour). Consider two I/O processes T and T . T is an I/O convergent behaviour of T (T io cvg T ) if, and only if:
An I/O process is convergent to another if in each converging point of their execution (t cvg t) it can offer more or equal inputs (Y ∩ inputs ⊇ X ∩ inputs) but is restricted to offer less or equal outputs (Y ∩ outputs ⊆ X ∩ outputs).
In what follows, we illustrate this definition. Let us consider the I/O processes T and T (Figures 2(a) and 2(b) , respectively).
Based on Definition 4, we have that T io cvg T . To explain why this is the case, let (t , X) and (t, Y ) be failures of T and T , respectively. Then by a non-exhaustive analysis, where {|c|} stands for all events that can be communicated through the channel c: A convergent I/O process can engage in more inputs to take more deterministic decisions on what to output. Nevertheless, it can be useful to offer other events after a new input and before converging to its counterpart according to the relation. This extension to convergence allows convergent processes to add more implementation details decreasing the abstraction level of specifications.
Definition 5 (I/O extended convergent traces).
Consider two I/O processes T and T . Let t and t be two of its traces, respectively. We say that t is an I/O extended convergent trace of t (t ecvg t) if and only if:
Informally, a trace t is I/O extended convergent to t if they are the same or if its possible to make them so by concealing each event ne, that is possible to T but not to T after a common subtrace, say t1, of t and t (ne / ∈ in(T, t1), but ne ∈ in(T , t1)), and, since we allow more events after a new input ne we also conceal them (set(t2) ∩ (in(T, t1) ∪ out(T, t1)) = ∅).
Definition 6 (I/O extended convergent behaviour).
Consider two I/O process T and T . We say that T is an I/O extended convergent behaviour of T (T io ecvg T ), if and only if:
Definition 6 is very similar to Definition 4, but allows the extended convergent process T to accept any event not expected by T (Σ Y ⊆ X) in an extended convergent point of their execution (t ecvg t), provided a new input ne (see Definition 5) has happened marking the start of the extended convergent behaviour of T . We illustrate this definition with by an example. Let us consider the processes T and T (Figures 2(a) and 2(c), respectively) , where T io ecvg T .
To gather some evidence that this is the case, we will analyse a couple of failures of these processes. Assume that (t , X) ∈ F(T ) and (t, Y ) ∈ F(T ), then if: As we expect, extended convergence is a generalisation of convergence. Lemmas 1 and 2 prove this fact. All profs of our results can be found in detail in the extended version of this paper [7] .
Lemma 1 (cvg ⊆ ecvg). Consider two I/O processes T and T , and t and t two of its traces, respectively. If t cvg t then t ecvg t.
Proof sketch. If t ecvg t, t can have a finite sequence of events after every input that makes their common trace (or convergent subtrace) differ. If such sequences are empty we have that t cvg t.
Lemma 2 (io cvg ⊆ io ecvg). Consider two I/O processes T and T . If T io cvg T then T io ecvg T .
Proof sketch. It is a direct consequence of Definitions 4 and 6 and Lemma 1.
Our definition of inheritance deals with component structural and behavioural aspects (Definition 7). Structurally, it guarantees that the inherited component preserves at least its parent's channels ant their types (RT ⊆ R T ). Regarding behaviour, they are related by convergence. Additionally, it guarantees, with substitutability purposes, that the inherited component only refines the protocols exhibited by common channels (default channel congruence) if this is not the case then additional inputs over common channels are not exercised by any possible client of its parent (input channel congruence).
Definition 7 (BRIC inheritance).
Consider T and T two BRIC components, such that RT ⊆ R T . We say that T inherits from T :
• by convergence, T cvg T ⇔ B T io cvg BT
• by extended convergence,
Default channel congruence: A process B T has a default congruent channel to BT , say c (B T def -cong {c} BT ), when there is a failures refinement relation between their projections over c, formally:
Input channel congruence: A process B T has an input congruent channel to BT , say c (B T inp-cong {c} BT ), if after a common trace t: either BT offers only outputs and B T does not offer inputs over c or BT does not offer outputs on c and B T offers on c only events outside the alphabet of BT .
Extensibility, refinement and substitutability
Any formal treatment of CB-MDD will not be complete without a notion of refinement, particularly if we aim to analyse how it relates to inheritance. We contribute with a refinement relation for BRIC, which is based on failures refinement of CSP.
Definition 8 (BRIC refinement).
Consider T and T two BRIC components. We say that T refines T (T bric F T ) if and only if:
The next theorem allows us to relate refinement and inheritance presenting inheritance as an evolutionary relation, by which we can always extract an abstraction component for another. Lemma 3 shows that the proposed relations form a hierarchy.
Theorem 1 (Inheritance and Refinement).
Let T , Tcon and T abs be component contracts, such that T abs cvg Tcon or T abs ecvg Tcon, then T bric F
Tcon.
Proof. It can be proved from Definitions 7 and 8.
Lemma 3 (Hierarchy). The relations bric F , cvg and ecvg form a hierarchy:
Proof. It can be proved from Lemma 2, failures semantics and Definitions 7 and 8.
Theorem 2 (Substitutability).
Let T , T to be two components such that T ecvg T . Consider S[T ] a deadlock free component contract, where T is a basic component contract that was composed within S using one of the BRIC composition rules, then S[T ] is deadlock free.
Note that this result also holds for the other two relations, as a consequence of the hierarchy established in the previous theorem.
CASE STUDY
In this case study we model a bank system, improved by the use of inheritance. The ATM process interacts with customers (CUS process) to provide services like withdraw, deposit, transfer and check balance, available after successful login. The ATM process responds to the CUS requests nondeterministically, since it has no ability to communicate with a server. Therefore we developed the ATM2 process, that has the ability to handle user requests to a bank server, in our case study the BankServer process. All the definitions bellow use CSPM , a CSP machine readable dialect.
We start by defining some data types: each account has a number (ACC_NUM), a pin (ACC_PIN), a balance (MONEY) and an associated card (CARD), which can be blocked. Success (SUCC_TYPES) and error (ERR_TYPES) values are also modelled. Input events for ATM are outputs for CUS and vice versa (ATM_IN and ATM_OUT stand for inputs and outputs of ATM). The ATM process communicates through channel atm_cus, whose type is I_DTATM_CUS. This tags ATM_IN and ATM_OUT with in and out labels, respectively, so we can distinguish inputs from outputs. The CUS process communicates though channel cus, whose type is I_DTCUS. Note that it labels values inversely to I_DTATM_CUS. When a card is inserted in the ATM machine, the machine can ask for the account's password or throws an error if the card is blocked atm_cus.out.error!cardBloked. In case of success, it decides internally if either the user has entered a wrong pin (atm_cus.out.error.wrongPin) or the card is unblocked but not recognised (atm_cus.out.error!wrongCard) or the user has entered a correct pin (atm_cus.out.success login) and can proceed by selecting between deposit, withdraw, transfer and balance check operations. In the ATM specification, note the non-determinism exhibited by the ATM when informing the balance (|~| vb:MONEY). It happens because ATM has no means to decide, i.e., it is not connected to any bank server. Initially, the customer CUS process communicates with ATM inserting his card. If unblocked, the user provides a password cus.out.password!p. If correct (cus.in.successlogin) it can proceed by choosing between deposit (cus.out.deposit. vd), withdraw (cus.out.withdraw.vw), transfer (cus.out. transfer!des!vt) or balance check (cus.out.askBalance). In BRIC, the processes ATM and CUS are encapsulated as the behaviour of the component contracts CtrAT M and CtrCUS.
Ctr AT M = ATM, atm cus → I DTATM CUS , {I DTATM CUS}, {atm cus}
These can be connected by the channels atm_cus and cus generating CtrSY S , which, since it has been built from basic deadlock-free components and the BRIC communication composition rule (COMM), is also deadlock free as we can check using FDR2 [8] . In this system we can guarantee that the communications between ATMs and customers do not deadlock, but actually ATM does not provide reliable services to CUS, since, for example, it is possible to be charged an amount that is different to that dispensed in a withdraw. It happens because ATM does not have the ability to connect to any kind of server. We address such concerns by creating the process BankServer and by improving the ATM behaviour, as ATM2 process, which is able to communicate with the process BankServer. As we did before, we create two subsets of data types: SER_IN and SER_OUT. They stand, respectively, for the BankServer's inputs and outputs. The interface I_DTSER just tags these sets with in and out labels. Inputs for the BankServer will be outputs for ATM2, and vice-versa, so the interface I_DTATM tags values inversely to I_DTSER. The channels bk and atm_bk will be used, respectively, by BankServer and ATM2 to establish a communication medium between them. The BankServer is parameterised by a set of accounts. When it is ready to interact (bk.out.alive), the server receives the user's credentials, (bk.in.login? num?pin) and, if either the account number is unknown (bk.out.error!wrong Number) or a wrong pin (bk.out.error!wrongPin) is provided, the process goes back to its initial state, without any change. Otherwise, it acknowledges a successful login (bk.out.success.succLog) and offers (bk.out.offerOperations) the aforementioned bank's operations (We omit the BankServer specification due to size limitations).
The process ATM2, from the CUS's perspective, continues to offer the same services offered by ATM, but now it has the ability to communicate with the BankServer process and to deliver more deterministic and sound services. As well as ATM, ATM2 receives the user's card atm_cus.in.card, then ask for his password . Nevertheless, instead of taking a non-deterministic decision about the correctness of login credentials, the process ATM2 waits for a server's alive acknowledge (atm_bk.in.alive), sends the user's credentials (atm_bk.out .login!number!p) to the server, and waits a server response informing either that the pin is wrong (atm_bk.in.error. wrongPin) or there is no account with this number( atm_bk. in.error.wrongNumber) or the user credentials are correct (atm_bk.in. success.succLog). Whatever ATM2 receives form the BankServer it retransmits to CUS. This pattern is repeated for operations that follow a successful login. In the BRIC model, the processes ATM2 and BankServer (accs) are represented, respectively, by:
ATM2, atm cus → I DTATM CUS, atm bk → I DTATM , {I DTATM CUS, I DTATM}, {atm cus, atm bk}
The most important result is that, by Definition 7, we have that CtrAT M ecvg CtrAT M 2 and by Theorem 2 CtrSY S2 (see bellow) is deadlock free. This exemplifies that it is always possible replacing a component by one that inherits from it, without compromising the property of deadlockfreedom.
Ctr SY S2 = Ctr AT M 2 [atm cus ↔ cus]Ctr CU S We complete our design by connecting Ctr BankServer(accs) and CtrSY S2 by their channels and bk and atm_bk respectively. The resulting component is deadlock free by construction.
Ctr SY S2 [atm bk ↔ bk]Ctr BankServer(accs)
RELATED WORK AND CONCLUSION
Some works have proposed inheritance relations for behavioural specifications [11, 19, 1, 4, 13, 6] . In [1, 11] inheritance relations are defined in terms of invariants over state components and by pre/post conditions over defined methods. The remaining works define subtype relations based on models like failures and failures-divergences (denotational models of CSP), relating refinement with inheritance [19] .
We also state our relation in terms of failures but we distinguish inputs from outputs, as in [3] , which presents a relation named I/O abstraction that has a connection with our convergence relation since it allows an abstraction to output more and to input less than their implementations, but it does not deal with what happens after a new input of the implementation, what compromises substitutability. Another relation, ioco [18] was originally designed for testing; it can also be connected to our concept in the sense that new inputs are also allowed, but differs from our work by not considering what the implementation can do after them. The treatment of inputs as an environment decision and outputs as a process internal decision is also adopted by [5] .
The rCOS [12] is an approach for CB-MDD that, as BRIC, aims to formalise its concepts. As in rCOS, we propose a refinement relation that considers structural (interface preservation) and behavioural (CSP failures refinement) aspects. The adoption of BRIC was motivated by the existence of a set of composition rules, which supports constructive designs.
We have developed in this work a novel concept called behavioural convergence for specifications that distinguish inputs from outputs. Based on that we developed refinement and inheritance relations for an approach to CB-MDD, where we consider structural and behavioural aspects. We incorporated these relations in a set of composition rules that guarantee deadlock freedom by construction. We concluded with a case study that exemplifies the use of inheritance to improve a bank system, by decreasing the level of abstraction and increasing the determinism. We plan to automatise our work and to enable mechanical suggestion and system evolutions by identifying refinement and inheritance opportunities.
