Abstract. Given deterministic interfaces P and Q, we investigate the problem of synthesising an interface R such that P composed with R refines Q. We show that a solution exists iff P and Q⊥ are compatible, and that the most general solution is given by (P ‖ Q⊥)⊥, where P⊥ is the interface P with inputs and outputs interchanged. Remarkably, the result holds both for asynchronous and synchronous interfaces. We model interfaces using the interface automata formalism of de Alfaro and Henzinger. For the synchronous case, we give a new definition of synchronous interface automata based on Mealy machines and show that the result holds for a weak form of nondeterminism, called observable nondeterminism. We also characterise solutions to the synthesis problem in terms of winning input strategies in the automaton (P ⊗ Q⊥)⊥, and the most general solution in terms of the most permissive winning strategy. We apply the solution to the synthesis of converters for mismatched protocols in both the asynchronous and synchronous domains. For the asynchronous case, this leads to automatic synthesis of converters for incompatible network protocols. In the synchronous case, we obtain automatic converters for mismatched intellectual property blocks in system-on-chip designs. The work reported here is based on earlier work on interface synthesis in Bhaduri (Third international symposium on automated technology for verification and analysis, ATVA 2005, pp 338-353, 2005) for the asynchronous case, and Bhaduri and Ramesh (Sixth international conference on application of concurrency to system design, ACSD 2006, pp 208-216) for the synchronous one.
Interface automata are a formalism for reasoning about composition and refinement of component interfaces in terms of the protocol aspects of component behaviour. They are like ordinary automata, except for the distinction between input and output actions. The input actions of an interface automaton P are controlled by its environment. Therefore an input action labelling a transition is an input assumption (a constraint on P's environment). Dually, an output action of P is under P's control, and represents an output guarantee of P. Unlike I/O automata [LT87], interface automata are not required to be input enabled. If an input action a is not enabled at a state s, it is an assumption on the automaton's environment that it will not provide a as an input in state s.
When two interfaces P and Q are composed, the combined interface may contain incompatible states: states where one interface can generate an output that is not a legal input for the other. In the combined interface it is the environment's responsibility to ensure that such a state is unreachable [dAH01]. This can be formalised as a two-person game [dAH01] which has the same flavour as the controller synthesis problem of Ramadge and Wonham [RW89]; in our setting the role of the controller is played by the environment. More formally, we follow de Alfaro [dA03] in modelling an interface as a game between two players, Output and Input. Player Output represents the system, and its moves represent the outputs generated by the system. Player Input represents the environment; its moves represent the inputs the system receives from its environment. In general, the set of available moves of each player depends on the current state of the combined system. The interface is well-formed if the Input player has a winning strategy in the game, where the winning condition is to avoid all incompatible states. Clearly, the game aspect is relevant only when defining the composition of two interfaces.
Refinement of interfaces corresponds to weakening assumptions and strengthening guarantees. An interface P refines Q only if P can be used in any environment where Q can be. The usual notion of refinement is simulation or trace containment [LT87]. For interface automata, a more appropriate notion is that of alternating simulation [AHKV98], which is contravariant on inputs and covariant on outputs: if P ≼ Q (P refines Q), P accepts more inputs (weaker input assumptions) and provides fewer outputs (stronger output guarantees). Thus alternating refinement preserves compatibility: if P and Q are compatible (i.e., P ‖ Q is well-formed) and P′ ≼ P, then so are P′ and Q. The basic notions of interface automata are summarised in Sect. 2.
In Sect. 3, we show that a solution R to P ‖ R ≼ Q exists for deterministic interface automata iff P and Q⊥ are compatible, and that the most abstract (under alternating refinement) solution is given by (P ‖ Q⊥)⊥. Further, in Sect. 4 we show that such an R can be constructed from the most permissive winning strategy for player Input in the combined game (P ⊗ Q⊥)⊥. Here P⊥ is the game P with the moves of the players Input and Output interchanged, and P ⊗ Q is the combined game obtained from P and Q by synchronising on shared actions and interleaving the rest. We say a strategy π′ is more permissive than π when, at every position in the game, the set of moves allowed by π′ includes those allowed by π. The most permissive winning strategy is the one that is least restrictive. This result ties together composition, refinement, synthesis and winning strategies, and should be seen as one more step towards a "uniform framework for the study of control, verification, component-based design, and implementation of open systems", based on games [dA03].
Note that the notation P⊥ is borrowed from linear logic [Gir87], where games play an important semantic role [Bla92]. Using the notation of linear logic, the solution R to the synthesis problem can be written as (P ⊗ Q⊥)⊥ = P⊥ ⅋ Q = P ⊸ Q, where ⊗, ⅋ and ⊸ are respectively the linear logic connectives 'Times' (tensor), 'Par' and linear implication. In our setting, the ⊗ connective of linear logic is parallel composition ‖. The striking similarity of this solution with submodule construction by von Bochmann in [vB02] and the language equation posed by Yevtushenko et al. in [YVB + 01, YVB + 02] is intriguing. In these works, the largest solution of the language equation P • R ⊆ Q for R is the language ¬(P • ¬Q), where P • Q is the synchronous (or parallel) composition of the languages P and Q, and ¬P is the complement of P. Clearly, there is a formal correspondence between P • Q and our P ‖ Q, between ¬P and our P⊥, and between language inclusion and alternating simulation. We should also mention the formal resemblance of our work with Abramsky's Semantics of Interaction [Abr97], based on the game semantics of linear logic. In particular, the strategy called Application (or Modus Ponens) in [Abr97] is the solution to our synthesis problem in a different setting. The solution R = P ⊸ Q suggests that the problem of synthesis can be seen as the construction of a suitable morphism in an appropriate category of interface automata, along the lines of [MT98, Tab04]. However, we do not pursue this thread in this paper.
There is also a similarity between our work and the solution to the rectification problem given in [BDWM93], using Dill's trace theory [Dil89]. The results in [BDWM93] are applicable to combinational circuits, i.e., interfaces without any state. In [BDWM93], P, Q, R are combinational circuits modelled as input-output relations and || is the circuit composition operator; mir is the mirror function that swaps inputs and outputs and complements the input-output relation; ⊆ is the conformance relation, which captures the implementation relation between circuits and specifications. The rectification problem solved in [BDWM93] is the following: when can a small subnetwork of a combinational circuit be replaced by another, less expensive one? The answer is provided by a general theorem which states that if Q is a specification of the entire circuit, then a replacement subnetwork P combined with the rest of the circuit R will satisfy the specification Q (i.e., P || R ⊆ Q) iff R ⊆ mir(P || mir(Q)) (modulo a projection operator used to ignore the internal signals of a composed circuit). Clearly, this has the same form as our solution to the synthesis problem.
As a practical application, in the asynchronous case, in Sect. 5 we show how to apply interface synthesis to the protocol conversion problem for mismatched network protocols. The heterogeneity of existing networks often results in incompatible protocols trying to communicate with each other. The protocol conversion problem is, given two mismatched network protocols P1 and P2, to come up with a converter C which mediates between the two protocols, such that the combined system conforms to an overall specification S. We show that a converter C, if it exists, can be obtained as the solution to P ‖ C ≼ S, where P = P1 ‖ P2 is the composition of the two protocols.
For the synchronous case, in Sect. 6 we present synchronous interface automata for reasoning about composition and refinement of synchronous hardware components, such as intellectual property (IP) blocks in system-on-chip (SoC) designs. In Sect. 7 we pose and solve the same synthesis problem as in the asynchronous case. What is remarkable is that the solutions for the asynchronous and synchronous versions have the same form, namely the most general solution to P ‖ R ≼ Q exists iff P and Q⊥ are compatible, and is given by R = (P ‖ Q⊥)⊥. This points to a unified theory of interface synthesis underlying both the asynchronous and synchronous cases. The work on agent algebras by Passerone et al. [BPSV03, Pas04] seems to bear this out. In Sect. 8, we show how to apply the synthesis method to automatically synthesise protocol converters for mismatched IP blocks.
To summarise the main contributions of this paper, we have an algebraic characterisation of solutions to the problem of synthesis of interface automata, where the operators are parallel composition P ‖ Q and 'mirror' P⊥. The synthesis algorithm relies on the computation of winning strategies in the games implicit in the definition of parallel composition for interface automata. The algorithm is the standard iterative fixed point computation using controllable predecessors for solving safety games (see [Tho95]). The usefulness of the solution to the synthesis problem is demonstrated both in the asynchronous and synchronous cases by providing automated methods of constructing protocol converters. This provides a unified theory and an algorithm for solving protocol conversion problems, which have appeared in the literature in many guises. The work reported here is based on earlier work on interface synthesis in [Bha05] for the asynchronous case, and [BR06] for the synchronous one.
Related work
Merlin and von Bochmann [MvB83] proposed the submodule construction problem (also called equation solving or factorisation) for communication protocol specification and synthesis. Given a module specification S and a submodule specification M1 in terms of labelled transition systems, they proposed a method to construct a submodule M2 such that M1 and M2 together realise the specification S by synchronous interaction. Haghverdi and Ural [HU99] gave a more formal presentation of the problem and an algorithm for its solution using prefix-closed finite state machines as descriptions of submodules. One limitation of this solution is that the notion of correct realisation is trace equivalence, which is well known not to preserve certain behavioural properties such as the presence of deadlock. This problem was addressed in the context of equation solving for CCS processes using observational equivalence or strong bisimulation (see [Mil89]). The related problem of language equation solving for both synchronous and parallel (interleaving) composition has also been studied in the context of synchronous and asynchronous circuits. The main difference between the works cited above and ours is that we consider models of open systems with an asymmetry between inputs and outputs. This naturally leads to the game formulation and to alternating simulation as the behavioural preorder captured by the interface automata formalism.
The controller synthesis problem and its solution as a winning strategy in a game has a long history, going back to Büchi and Landweber's solution of Church's problem [BL69]. More recent applications of the idea to the synthesis of open systems occur in [PR89, MPS95, MT98]. The control of discrete event systems was introduced by Ramadge and Wonham [RW89] using a language theoretic approach, where the 'controllable' and 'uncontrollable' actions clearly correspond to the moves of the player and the opponent in a corresponding game. The use of games for the synthesis of converters for mismatched protocols by Passerone et al. [PdAHSV02] can be seen as an application of the same general principle. The present paper uses games to solve the interface synthesis problem, but the solution has a closed form reminiscent of the submodule construction problem referred to above and the rectification problem of Dill [BDWM93]. The combinatorial details of the game structure are hidden behind the algebraic form of the solution. Recent work on agent algebras [BPSV03, Pas04] formalises the notions of composition and conformance in an abstract algebraic framework, and makes use of the mirror function in an essential way. That work provides sufficient conditions for characterising all controllers that satisfy a specification when composed with a plant. One possible direction for future work is to investigate the relationship between agent algebras and our interface synthesis framework.
Asynchronous interfaces: interface automata
In this section, we define interface automata and their composition and refinement. We follow the game formulation presented in [dA03]. Throughout this work we consider only deterministic interface automata.
• δ_P : S_P × A_P → S_P is a transition function associating a target state δ_P(s, a) with each state s ∈ S_P and action a ∈ A_P. Note that the value δ_P(s, a) is meaningful only when a is enabled at s; when a is not enabled at s, the value can be arbitrary.
The interface automaton P is said to be empty when its set of initial states S⁰_P is empty. Empty interface automata arise when incompatible automata are composed.
Note In keeping with [dA03], we have given the general definition of strategy, where the moves can depend on the history of the game. It turns out that for the safety games we consider in this paper it is enough to consider only memoryless strategies, where the current state suffices to define the set of moves. This simplification will be made in Sect. 6 while discussing synchronous interface automata.
An input and output strategy jointly determine a set of traces in S 
A state s ∈ S_P is said to be reachable in P if there is a sequence of states s_0, s_1, ..., s_n with s_0 ∈ S⁰_P, s_n = s, and for all 0 ≤ k < n there is an action a_k enabled at s_k such that δ_P(s_k, a_k) = s_{k+1}. Reach(P) denotes the set of reachable states of P.
The refinement of interface automata is known as alternating simulation, the right notion of simulation between games [AHKV98] . Intuitively, an alternating simulation ρ ⊆ S P × S Q from P to Q is a relation for which (s, t) ∈ ρ implies all input moves from t can be simulated by s and all output moves from s can be simulated by t.
Definition 2.4
An alternating simulation ρ from P to Q is a relation ρ ⊆ S P × S Q such that, for all (s, t) ∈ ρ and all a ∈ 
Refinement between interface automata is defined as the existence of an alternating simulation between the initial states.
Definition 2.5 An interface automaton P refines an interface automaton Q, written P ≼ Q, if the following conditions are satisfied:
there is an alternating simulation ρ from P to Q such that (s_0, t_0) ∈ ρ for some s_0 ∈ S⁰_P and t_0 ∈ S⁰_Q.
We now define the parallel composition P ‖ Q of interface automata P and Q in a series of steps.
Definition 2.6 P and Q
We first define the product automaton P ⊗ Q of two composable interface automata P and Q, by synchronising their shared actions and interleaving all others. The set of shared actions of P and Q is defined by Shared(P, Q)
Definition 2.7 The product P ⊗ Q of two composable interface automata P and Q is defined by
There is an asymmetry between input and output actions in the above definition. An input and an output action with the same label combine to form an output action. The intent is to model multi-way broadcast communication, as in the version of interface automata defined in [dA03] and in I/O automata [LT87]. This is in contrast to the original version defined in [dAH01], where an input and an output action with the same name combine to give an internal action. Since interface automata need not be input enabled, there may be reachable states in P ⊗ Q where a communication action can be output by one of the automata but cannot be accepted as input by the other. These states are called locally incompatible.
Definition 2.8
The set Incomp(P, Q) of locally incompatible states of P and Q consists of all pairs (s, t) ∈ S P × S Q for which one of the following two conditions hold:
A local incompatibility can be avoided if there is a helpful environment, which by providing the right sequence of inputs can steer the automaton away from such an undesirable state. The states from which Input can prevent the product P ⊗ Q from reaching a state in Incomp(P, Q) are called compatible. In other words, the compatible states are those from which Input has a winning strategy. 
Definition 2.11
The composition P ‖ Q of two interface automata P and Q, with T the set of backward compatible states of the product P ⊗ Q, is an interface automaton defined by
Definition 2.12 P and Q are said to be compatible if their composition is non-empty, i.e., S⁰_{P‖Q} ≠ ∅. This is equivalent to s⁰_{P⊗Q} ∈ T, where T is the set of backward compatible states of P ⊗ Q.
Notation We write Reach_O(P) to denote the set of states of P that are reachable from the initial state s⁰_P by following only output actions.
We use the following lemma in our proofs of Theorems 3.3 and 3.4 in Sect. 3. Since the best input strategy for avoiding locally incompatible states is simply to generate no inputs to P ⊗ Q at any state, the set of compatible states of P ⊗ Q is simply the set of states from which P ⊗ Q cannot reach a state in Incomp(P, Q) by a sequence of output actions.
Lemma 2.13 P and Q are compatible iff all the states in Reach_O(P ⊗ Q) are locally compatible, i.e., none of them lies in Incomp(P, Q).
Proof. Suppose P and Q are compatible. Then s⁰_{P⊗Q} is a backward compatible state of P ⊗ Q. This implies there is an input strategy π_I for P ⊗ Q which avoids all locally incompatible states starting from s⁰_{P⊗Q}, no matter what the output strategy is. Now Output can always force P ⊗ Q to enter any state in Reach_O(P ⊗ Q). In other words, an output strategy π_O exists for which every state s in Reach
Conversely, suppose the states in Reach_O(P ⊗ Q) are locally compatible. This implies that any state in Incomp(P, Q) can be reached, if at all, only by following a sequence of actions which includes at least one input action. Then the input strategy which disables all such input actions avoids all locally incompatible states, and so s⁰_{P⊗Q} is backward compatible. □
Synthesis of interface automata
The synthesis problem for interface automata is as follows. Given interface automata P and Q, we want to find the most general solution R to P ‖ R ≼ Q when it exists, and characterise the conditions under which it exists. By a most general solution we mean a solution U such that for any solution V it is the case that V ≼ U. In this section, we prove our main result for asynchronous interfaces, viz., the most general solution to P ‖ R ≼ Q exists iff P and Q⊥ are compatible, and is given by R = (P ‖ Q⊥)⊥. Here P⊥ is the same as P, except that all the input actions of P become output actions in P⊥ and, similarly, the output actions of P become the input actions of P⊥.
Example 3.1 Figure 1 presents three examples to illustrate the synthesis idea with given interface automata P and Q. The construction of Q⊥, P ‖ Q⊥ and R = (P ‖ Q⊥)⊥ is shown in each case. {b, d}. Note that in P ‖ Q⊥ the transition labelled c? does not appear, as c is a shared action and has to be enabled in both P and Q⊥ to appear in their product. Note also how b appears as an input action in the result (P ‖ Q⊥)⊥.
2. In some sense, R can be thought of as a controller for P, and hence should be allowed to use all the output actions of P as inputs, in addition to driving the input actions of P. Note that if we changed the input action set of P to be A^I_P = A^I_Q = {a, c}, then there would be no solution R, because P and Q⊥ would not be compatible: in the initial state, Q⊥ is ready to output c, but P is not ready to accept it as input, even though c is a communication action between the two. 3. In Fig. 1(c) {a}. In this example, an input of P appears as an output of Q. The result (P ‖ Q⊥)⊥ adds the input b and also converts a from an input to an output. In this case, R is identical to Q.
Note Throughout this section we make the weak assumption that A . This is to ensure that an environment E for which Q ‖ E is a closed system (i.e., has no inputs) will also make (P ‖ R) ‖ E a closed system. So any input to P will be provided by an output from the environment of Q or from R. In the latter case, such an input of P will be an output of Q.
Since the interface automata we consider are deterministic, it must be the case that p p . This implies that there exists an a ∈ Comm(P, (
Theorem 3.3 A solution R to P ‖ R ≼ Q exists iff P and Q⊥ are compatible.
Proof. (⇐) Suppose P and Q⊥ are compatible. By Lemma 3.2, so are P and (P ‖ Q⊥)⊥. Take R = (P ‖ Q⊥)⊥. We show that there exists an alternating simulation ρ from P ‖ R to Q.
and so an input transition in (P
Since we consider only deterministic automata, p p . Also, it must be the case that a ∈ Comm (P, (P Q ⊥ ) ⊥ ), because an output action of P is an output action of P Q ⊥ , and therefore an input action of (P Q ⊥ ) ⊥ . Suppose p a −→ p is an output transition in P, and because P and Q ⊥ are compatible, and (p , q ) ), q ) ∈ ρ, hence ρ is an alternating simulation as required.
(⇒) We show the contrapositive. Suppose P and Q⊥ are not compatible. Then, by Lemma 2.13, there exists a state (p, q) ∈ Reach_O(P ⊗ Q⊥) which is locally incompatible, i.e., there is an a such that either (a) a ∈ O_P(p) and a ∉ O_Q(q), or (b) a ∉ I_P(p) and a ∈ I_Q(q). Case (a) violates covariance on outputs and case (b) violates contravariance on inputs, so both possibilities rule out the existence of an alternating simulation from P ‖ R to Q for any R.
□
Theorem 3.4 When the condition stated in Theorem 3.3 is satisfied, the most general solution to P ‖ R ≼ Q exists and is given by R = (P ‖ Q⊥)⊥.
Proof. In the proof of Theorem 3.3 (if part) we have already shown that R = (P ‖ Q⊥)⊥ is a solution. Suppose U is any solution to P ‖ R ≼ Q. We construct an alternating simulation ν from U to (P ‖ Q⊥)⊥ as follows. By assumption, there exists an alternating simulation ρ from P ‖ U to Q. , (p′, q′) Further (u′, (p′, q′)) ∈ ν, since ((p′, u′), q′) ∈ ρ, and the conclusion follows. □
Winning strategies and synthesis
We now characterise the most general solution to P ‖ R ≼ Q in terms of winning strategies. Specifically, we show that the most general solution corresponds to the most permissive winning strategy for Input in P ⊗ (P ‖ Q⊥)⊥. First, we define winning strategies for Input and Output in the games corresponding to the product P ⊗ Q of two interface automata P and Q. We also define a natural partial order on input strategies, under which τ^I_P lies above σ^I_P if τ^I_P generates more inputs than σ^I_P at every state of P. A similar order is defined on output strategies. Since the orders are lattices, the most permissive strategy exists and is given by the lattice join. We then show that the parallel composition P ‖ Q can be extracted from the most permissive winning strategy for Input.
Definition 4.1 Let
, and all incompatible states w ∈ Incomp(P, Q), the state w does not appear in the sequence σ . The definition of a winning output strategy is symmetric, where the winning condition is that a state in Incomp(P,Q) must be reached in every run σ ∈ Outcomes P⊗Q (s 0 , π
We now define the order on strategies. The idea is that an input strategy is higher in the order if it accepts more inputs. Dually an output strategy is higher in the order if it generates more outputs.
Definition 4.2 The binary relation on input strategies for P is defined by π
Proof. Simply take the join of the set of all winning strategies for the player.
Next we show how to extract an interface automaton π_I(P ⊗ Q) from an input strategy π_I for the game P ⊗ Q, by cutting down some of its states and transitions. The following proposition states that the parallel composition P ‖ Q of interface automata P and Q is the interface automaton π
Next we characterise solutions to P ‖ R ≼ Q in terms of winning strategies for Input in (P ⊗ Q⊥)⊥, and show that the most general solution arises from the most permissive strategy.
Theorem 4.6 A solution to P ‖ R ≼ Q exists iff a winning input strategy π exists for (P ⊗ Q⊥)⊥, and the most general solution is then obtained from π^I_w, the most permissive winning input strategy.
Proof. From Theorems 3.3 and 3.4 it follows that a solution exists iff P and Q⊥ are compatible, and in such a case R = (P ‖ Q⊥)⊥ is the most general solution. By Proposition 4.5, P ‖ Q⊥ is the automaton extracted from the most permissive winning strategy π^I_w for (P ⊗ Q⊥)⊥. □
Computing winning strategies The calculation of a winning strategy in such safety games, if one exists, is by the standard iterative refinement using the controllable predecessor operator [Tho95]. The complexity of the algorithm is linear in the size of the game graph. Since the game graph for computing the composition P ‖ Q of two interface automata P and Q is the product P ⊗ Q, computing P ‖ Q can be performed in time O(|P||Q|). Here |P| is the size of P, given by the sum of the numbers of states and transitions of P. It follows that (P ‖ Q⊥)⊥ is also computable in O(|P||Q|), since P⊥ can be obtained from P in linear time.
Application: network protocol conversion
In this section, we describe an application of interface synthesis to the protocol conversion problem. In today's world, global communication over heterogeneous networks of computers can often lead to protocol mismatches between communicating entities. The lack of a uniform global standard for communication protocols entails that protocol converters have to be built for mediating between incompatible protocols [Lam88, CL90]. We illustrate the use of interface synthesis for the protocol conversion problem through an example adapted from [KNM97]. Consider the two interfaces shown in Fig. 2, representing two incompatible protocols. Figure 2a is a simplified version of a sender using the Alternating Bit Protocol (ABP), while the one in Fig. 2b is a receiver using the Nonsequenced Protocol (NS). The ABP sender accepts data from the user (a higher level protocol) using the input action snd? and transmits it with label 0 using the output action data0!. After receiving an acknowledgement with the correct label 0 via the input action ack0?, the sender is ready to accept the next piece of data from the user and transmit it with label 1. The protocol performs in a loop, alternating labels between 0 and 1. In this simplified version we ignore retransmissions due to timeouts and receipt of acknowledgements with wrong labels. The NS receiver in Fig. 2b is much simpler: on receiving a data packet via the input action data?, it delivers it to the user via the output action rcv! and sends an acknowledgement to the sender via ack!. Since the NS receiver does not use any labels for the data and acknowledgement packets, there is a protocol mismatch between ABP and NS.
When we want the two protocols above to work together without causing any inconsistency by using a converter, we need to specify what the converter is allowed and not allowed to do. This idea was proposed in [PdAHSV02] in the setting of synchronous hardware-like protocols. We require that the system as a whole (the two protocols along with the converter) satisfies the interface described by Fig. 3 . This specification interface is obtained as the parallel composition of two interfaces. The one on the left specifies that the converter can send data packets and acknowledgements to the NS receiver and ABP sender, only after receiving a data packet or acknowledgement from the other protocol. No data or acknowledgement can be sent speculatively, nor can packets be lost or duplicated. The interface on the right specifies the overall behaviour that the user expects from the system: the snd and rcv events will alternate strictly in any system run. Note that every action in Fig. 3 is of type output, except for snd?
The correct converter for the two protocols is shown in Fig. 4. The converter can be obtained as follows. Let P be the parallel composition of the two protocols which need conversion. Since we assume the two sets of actions to be disjoint, the composition is always well defined. The specification S for the converter relates the two action sets by specifying the temporal ordering of actions. For instance, in our example, the specification dictates that a data action can only follow a corresponding data0 or data1 action. The converter C is then the (most general) solution to P ‖ C ≼ S. Intuitively, the goal of the converter is to meet the specification while satisfying the input assumptions of the two protocols. Moreover, the converter can control only the inputs to the protocols and not their outputs.
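The constructions of Sects. 2-5 in executable form, as an added example that is not part of the paper: deterministic interface automata, the product P ⊗ Q with broadcast synchronisation, Incomp(P, Q), the composition P ‖ Q computed as the winning region of Input's safety game by the controllable-predecessor iteration, the mirror P⊥, the synthesis R = (P ‖ Q⊥)⊥, and an alternating-simulation check of P ‖ R ≼ Q. The automata P and Q and the labels a, x, c, e, u are constructed for illustration, with P in the role of the protocol, Q in the role of the specification S and R in the role of the converter C: R may only drive P's inputs and observe P's outputs. The refinement check compares enabled actions only, which is an assumption made here about how the action sets of P ‖ R and Q are related.

```python
"""Deterministic interface automata: product, safety-game composition, mirror and
the synthesis R = (P || Q^bot)^bot.  Added example, not code from the paper; the
automata below are constructed for illustration."""
from dataclasses import dataclass
from itertools import product as pairs

@dataclass
class IA:
    states: set
    init: object    # single initial state; None for the empty automaton
    inputs: set
    outputs: set
    delta: dict     # (state, action) -> state, present only when enabled

    def enabled(self, s, acts):
        return {a for (t, a) in self.delta if t == s and a in acts}

def mirror(P):
    """P^bot: swap the roles of inputs and outputs, keep the transitions."""
    return IA(set(P.states), P.init, set(P.outputs), set(P.inputs), dict(P.delta))

def product(P, Q):
    """P (x) Q: synchronise on shared labels, interleave the rest.  An input and an
    output with the same label combine into an output (broadcast semantics)."""
    assert not (P.outputs & Q.outputs), "composability: outputs must be disjoint"
    shared = (P.inputs | P.outputs) & (Q.inputs | Q.outputs)
    outputs = P.outputs | Q.outputs
    inputs = (P.inputs | Q.inputs) - outputs
    delta = {}
    for s, t in pairs(P.states, Q.states):
        for a in inputs | outputs:
            if a in shared:
                if (s, a) in P.delta and (t, a) in Q.delta:
                    delta[((s, t), a)] = (P.delta[(s, a)], Q.delta[(t, a)])
            elif (s, a) in P.delta:
                delta[((s, t), a)] = (P.delta[(s, a)], t)
            elif (t, a) in Q.delta:
                delta[((s, t), a)] = (s, Q.delta[(t, a)])
    return IA(set(pairs(P.states, Q.states)), (P.init, Q.init), inputs, outputs, delta), shared

def incomp(P, Q, shared):
    """Incomp(P, Q): one side can output a shared label the other cannot accept."""
    return {(s, t) for s, t in pairs(P.states, Q.states)
            if any(a in shared and (t, a) not in Q.delta for a in P.enabled(s, P.outputs))
            or any(a in shared and (s, a) not in P.delta for a in Q.enabled(t, Q.outputs))}

def compose(P, Q):
    """P || Q: P (x) Q restricted to the states from which Input wins the safety game
    'never enter Incomp(P, Q)'.  Input may withhold any input, so the winning region is
    the greatest set T of compatible states closed under output successors (Sect. 4)."""
    G, shared = product(P, Q)
    T = G.states - incomp(P, Q, shared)
    while True:   # controllable-predecessor iteration
        losing = {w for w in T if any(G.delta[(w, a)] not in T for a in G.enabled(w, G.outputs))}
        if not losing:
            break
        T -= losing
    if G.init not in T:                       # incompatible: the empty automaton
        return IA(set(), None, G.inputs, G.outputs, {})
    # Dropping the input moves that leave T is Input's most permissive winning strategy.
    delta = {(w, a): v for (w, a), v in G.delta.items() if w in T and v in T}
    return IA(T, G.init, G.inputs, G.outputs, delta)

def alt_refines(P, Q):
    """P refines Q: greatest alternating simulation, checked on the initial states.  Every
    input Q accepts P must accept, every output P produces Q must allow, and successors
    must again be related.  Compares enabled actions only (an assumption on alphabets)."""
    rel = set(pairs(P.states, Q.states))
    def step(s, t, a):
        return (s, a) in P.delta and (t, a) in Q.delta and (P.delta[(s, a)], Q.delta[(t, a)]) in rel
    while True:
        bad = {(s, t) for s, t in rel if not all(step(s, t, a) for a in Q.enabled(t, Q.inputs))
               or not all(step(s, t, a) for a in P.enabled(s, P.outputs))}
        if not bad:
            break
        rel -= bad
    return (P.init, Q.init) in rel

def synthesize(P, Q):
    """Most general R with P || R refining Q; None iff P and Q^bot are incompatible."""
    C = compose(P, mirror(Q))
    return None if C.init is None else mirror(C)

def never_emits(R, a):
    return all(a not in R.enabled(r, R.outputs) for r in R.states)   # R never enables output a

# Constructed component P: on a? it answers c!; on x? it enters p3, where it only emits
# e! and can no longer accept a? (an input assumption on P's environment).
P = IA({'p0', 'p1', 'p3'}, 'p0', {'a', 'x'}, {'c', 'e'},
       {('p0', 'a'): 'p1', ('p1', 'c'): 'p0', ('p0', 'x'): 'p3', ('p3', 'e'): 'p0'})
# Constructed specification Q: after the user's u?, the system may drive a or x into P
# but must then produce c, and may never produce e.
Q = IA({'q0', 'q1', 'q2', 'q3'}, 'q0', {'u'}, {'a', 'x', 'c', 'e'},
       {('q0', 'u'): 'q1', ('q1', 'a'): 'q2', ('q1', 'x'): 'q3',
        ('q2', 'c'): 'q0', ('q3', 'c'): 'q0'})

R = synthesize(P, Q)   # converter: relays u? as a!, consumes c?, never drives x! into P
if __name__ == "__main__":
    print(sorted(R.inputs), sorted(R.outputs), never_emits(R, 'x'), alt_refines(compose(P, R), Q))
```

Although Q permits the output x, the synthesised R never emits it: the product state reached after x is locally incompatible, so the corresponding input move is pruned from P ‖ Q⊥ and, after mirroring, from the controller's outputs. A hand-written controller that does send x is still compatible with P (Input can withhold u), but the pruned u makes P ‖ R_bad reject an input that Q accepts, so the alternating simulation fails on contravariance. A specification whose environment drives a directly into P while expecting e back makes P and Q⊥ incompatible through outputs alone, and synthesize returns None, as Theorem 3.3 predicts.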
Synchronous interface automata
In earlier sections we have presented the synthesis problem and its solution for interface automata, a formalism intended for component-based modelling and development of asynchronous systems. Typical examples include software modules interacting through method invocations, distributed systems and network protocols. In this section, we want to extend the synthesis problem to the synchronous setting, where all actions are triggered by clock ticks, as in sequential circuits and synchronous reactive programs. One of the motivations for studying the synthesis problem in the synchronous setting is to enable better reuse of intellectual property (IP) blocks in system-on-chip (SoC) designs. Automated design reuse by composing IP blocks is inherently difficult because components often come from different manufacturers and are designed using different protocols of interactions.
We propose the synchronous interface automata (SIA) model as the synchronous counterpart of interface automata. The interface synthesis problem considered in Sect. 3 (find the most general interface R which, combined with P, is a refinement of Q) is reconsidered in this framework with appropriate modifications in the definitions. We show that in our SIA framework the solution is again given by R = (P ‖ Q⊥)⊥. From this general framework we are able to derive a solution to the specific problem of converter synthesis for mismatched protocols in SoC designs.
Fig. 5. Block diagram for P ⊗ Q
Our SIA model should be contrasted with the synchronous Moore interfaces proposed in [CdAHM02] to model interactions between components typical in hardware. The main differences are that we use Mealy rather than Moore machines, and that instead of specifying initial states and transitions in terms of predicates on state variables, we take the state transition view, where transitions are triggered by input signals and emit output signals. The advantage of the Mealy framework is that our systems satisfy the synchrony hypothesis, i.e., have zero response time, which is a useful abstraction at the specification level (see [BB91]). The price to pay is the difficulty in composition due to the possibility of causality cycles. We return to this point later.
Our SIA model essentially defines Mealy automata with explicit input assumptions and output guarantees. The game view of interface composition and refinement then applies mutatis mutandis to the synchronous setting. Of course, the specific details of the SIA formalism, as described in the following paragraphs, are quite different from the (asynchronous) interface automata formalism.
We start by fixing some notation and conventions. An I/O-signature is a pair [ • S P is a finite set of states.
• S 0 P ⊆ S P is the set of initial states, which has at most one element. As in the asynchronous case, the SIA P is said to be empty when its set of initial states S 0 P is empty. Again, such automata arise when incompatible automata are composed.
The meaning of δ P (s, i, o) s is that the SIA P can transit from state s to s on input i, and perform the output o. Although a given pair (s, i) of current state and input value does not uniquely determine the next state, the triple (s, i, o) of current state with input and output values certainly does, when it is defined. This is the property of observable nondeterminism. It allows us to treat SIA as deterministic automata when we forget the distinction between inputs and outputs by clubbing them together. As in the asynchronous case we define an input strategy as a predetermined way of choosing the input at any stage of the game. Definition 6.3 An input strategy for P is a map π I : S P → A I P .
Notation We write
Note We consider only memoryless strategies here, since they suffice for safety games. Also, we restrict to deterministic strategies-at every state there is exactly one choice of input action. This is in keeping with the deterministic nature of synchronous hardware. Given an input strategy π I , only a subset of states in Reach(P) can be reached. Let Reach(P, π I ) ⊆ S P , the states reached under input strategy π I , be defined inductively as follows:
, and
The set Reach(P, p, π I ) of states reached under π I starting from state p in P is defined in the obvious way. The composition of two SIA is a partial operation, as two synchronous interfaces may not be compatible. We give the precise definitions below. Two SIA P and Q with I/O signatures [
To define composition, we first define the product of two synchronous interfaces, just as in the asynchronous case. In the definition below, we require that
In the signatures of the composable SIA P and Q, − → I is the list of shared input variables. The output variables − → U of P and − → V of Q appear as input variables of the other automaton, as in Fig. 5 . Definition 6.4 Let P and Q be two composable SIA with I/O signatures [ 2 ) ), when both are defined.
The block diagram for the product P ⊗ Q is illustrated in Fig. 5 . Note that the above definition and Fig. 5 describe the most general situation. For instance, if P and Q do not share any input signal then − → I is the empty tuple, so P has signature [
. The transition function δ P⊗Q has the following interpretation: when P ⊗ Q is in state (p, q) and there is a P-transition from p that accepts (i, i 1 , v) as input and generates (u, o 1 ) as output and a Q-transition from q that accepts (i, i 2 , u) as input and generates (v, o 2 ) as output, then there is a transition from (p, q) that accepts (i, i 1 , i 2 ) as input and generates (u, v, o 1 , o 2 ) as output.
Intuitively, a state (p, q) in the product P ⊗ Q is locally compatible if the environment can provide a suitable input such that both P and Q can separately satisfy the input assumption of the other SIA in states p and q, respectively. Otherwise the state is locally incompatible. We say that two SIA P and Q are compatible if there is a way to provide inputs to P ⊗ Q so that locally incompatible states are not reached. Definition 6.5 Let P and Q be two SIA with I/O signatures as above. The set of locally compatible states of P and Q consists of all pairs (p, q) ∈ S P × S Q such that the following two conditions are satisfied: 
The set Incomp(P, Q) of locally incompatible states of P and Q is the set of states in P ⊗ Q which are not locally compatible.
Just as in the asynchronous case, we would like a benign environment to provide the right inputs to avoid hitting the locally incompatible states. The states from which this is possible are called compatible. Definition 6.6 Let P and Q be two composable SIA. A state (p, q) in P ⊗ Q is compatible if there is an input strategy π I for P ⊗ Q, such that Reach(P ⊗ Q, (p, q), π I ) does not contain a locally incompatible state of P ⊗ Q. We write Comp(P, Q) for the set of compatible states of P ⊗ Q. Two SIA P and Q are compatible if the sole initial state of P ⊗ Q is compatible.
Definition 6.7 The composition P Q of two SIA is defined by restricting the product P ⊗ Q to the set of compatible states
and it is undefined otherwise.
The motivation for the above definitions is exactly the same as in the asynchronous case, and should not come as a surprise. To summarise, P and Q are considered compatible if there is some environment in which they can be used together without violating each other's input assumptions. This is equivalent to saying that there is a winning input strategy in the product P ⊗ Q. As pointed out earlier, the solution of such safety games is entirely classical.
Note
The SIA model essentially defines Mealy automata, the novelty being in the definition of composition using the game interpretation. It is well known that the synchronous composition of non-blocking Mealy automata may have causality cycles, i.e., circular dependencies between input and output signals in the composed Mealy automaton. We assume that all our SIA are statically typed, i.e., the dependencies between input and output signals are fixed. When composing two SIA we require that the combined dependency relation is acyclic. This condition can be enforced syntactically and checked in linear time; see [dAHM00] for details.
As in the asynchronous case, the game view of interfaces leads to alternating refinement [AHKV98] as the correct notion of refinement. Informally, P Q (P refines Q) if all legal inputs of Q are also legal for P, and when P and Q are fed the same legal input, Q generates more output than P does. This definition ensures that whenever P Q, P can safely be substituted for Q in any design without creating any incompatibility.
Definition 6.8 Let P and Q be two SIA with identical I/O signatures. An alternating simulation ρ from P to Q is a relation ρ ⊆ S P × S Q such that, for all (s, t) ∈ ρ the following conditions are satisfied:
Given two SIA P and Q with identical I/O signatures, we say P refines Q, written P Q, if the following conditions are satisfied:
there is an alternating simulation ρ from P to Q, such that (s 0 , t 0 ) ∈ ρ for some s 0 ∈ S 0 P and t 0 ∈ S 0 Q .
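To make the definitions of this section concrete, the following Python model is an added example; it is not code from the paper or its authors. It builds the product of Definition 6.4, solves the safety game of Definition 6.6 by the classical iterative refinement (the winning region is the largest set of states from which some input keeps every successor inside the set, and the input chosen at each state is a memoryless winning strategy), and checks the alternating-simulation refinement of Definition 6.8. The precise side conditions of Definitions 6.5 and 6.8 are not reproduced on this page, so the checks encode the informal statements in the text and are assumptions of the example: an external input is acceptable at a product state only when every output either side may produce under it is accepted by the other side (a conservative reading of local compatibility), and P refines Q when P accepts every input Q accepts and, under it, produces only outputs Q can produce. Signals are boolean, the cross-dependencies between the two sides' outputs are assumed acyclic as the note above requires, and the sender and receiver automata in build() are constructed for this illustration.

```python
from itertools import product as cartesian

def expand(signals, partial):
    """All full 0/1 assignments over `signals` extending `partial` (don't-cares enumerated)."""
    free = [s for s in signals if s not in partial]
    for bits in cartesian((0, 1), repeat=len(free)):
        yield frozenset({**partial, **dict(zip(free, bits))}.items())

def consistent(*asgs):
    """Merge signal assignments; None if two of them disagree on a shared signal."""
    merged = {}
    for k, v in (kv for a in asgs for kv in a):
        if merged.setdefault(k, v) != v:
            return None
    return merged

class SIA:
    """Mealy machine with input assumptions: delta maps (state, input) to {(output, next state)};
    a (state, input) pair absent from delta is an input the automaton refuses there."""
    def __init__(self, inputs, outputs, init):
        self.inputs, self.outputs, self.init = tuple(inputs), tuple(outputs), init
        self.states, self.delta = {init}, {}

    def add(self, src, ins, outs, dst):
        """Add transitions; an input signal missing from `ins` is a don't-care."""
        o, self.states = frozenset(outs.items()), self.states | {src, dst}
        for i in expand(self.inputs, ins):
            moves = self.delta.setdefault((src, i), set())
            assert all(o != o2 for o2, _ in moves), "observable nondeterminism violated"
            moves.add((o, dst))

    def moves(self, s):
        return [(i, o, t) for (src, i), ms in self.delta.items() if src == s for o, t in ms]

def product(P, Q):
    """P ⊗ Q (Definition 6.4): each side's outputs feed the other's inputs; the rest is external."""
    ext = [s for s in dict.fromkeys(P.inputs + Q.inputs) if s not in P.outputs + Q.outputs]
    PQ = SIA(ext, P.outputs + Q.outputs, (P.init, Q.init))
    PQ.states = set(cartesian(P.states, Q.states))
    for p, q in PQ.states:
        for ip, op, p2 in P.moves(p):
            for iq, oq, q2 in Q.moves(q):
                m = consistent(ip, iq, op, oq)  # shared inputs and cross signals must agree
                if m is not None:
                    e = frozenset((s, m[s]) for s in ext)
                    PQ.delta.setdefault(((p, q), e), set()).add((op | oq, (p2, q2)))
    return PQ

def safe_inputs(P, Q, PQ, state):
    """External inputs at (p, q) under which neither side can violate the other's input
    assumption, whatever it outputs (assumed, conservative reading of Definition 6.5)."""
    p, q = state
    for e in expand(PQ.inputs, {}):
        pm = [m for m in P.moves(p) if consistent(m[0], e) is not None]
        qm = [m for m in Q.moves(q) if consistent(m[0], e) is not None]
        q_takes_p = all(any(consistent(op, iq) is not None for iq, _, _ in qm) for _, op, _ in pm)
        p_takes_q = all(any(consistent(oq, ip) is not None for ip, _, _ in pm) for _, oq, _ in qm)
        if pm and qm and q_takes_p and p_takes_q and (state, e) in PQ.delta:
            yield e

def compatible(P, Q, PQ):
    """Winning region W and a memoryless winning input strategy of the safety game of
    Definition 6.6; P ∥ Q (Definition 6.7) is the product restricted to W."""
    W = set(PQ.states)
    while True:  # drop states at which no safe input keeps every successor inside W
        strategy = {}
        for s in W:
            for e in safe_inputs(P, Q, PQ, s):
                if all(t in W for _, t in PQ.delta[(s, e)]):
                    strategy[s] = e
                    break
        if len(strategy) == len(W):
            return W, strategy
        W = set(strategy)

def refines(P, Q):
    """P refines Q (Definition 6.8, assumed reading): greatest alternating simulation."""
    def ok(s, t, rho):  # s accepts every input t accepts and outputs only what t can, into rho
        return all((s, i) in P.delta and all(any(o == o2 and (s2, t2) in rho for o2, t2 in qm)
                   for o, s2 in P.delta[(s, i)]) for (tq, i), qm in Q.delta.items() if tq == t)
    rho = set(cartesian(P.states, Q.states))
    while True:
        keep = {(s, t) for s, t in rho if ok(s, t, rho)}
        if keep == rho:
            return (P.init, Q.init) in rho
        rho = keep

def build():
    """Constructed example: a sender that refuses a new `go` while a request is outstanding,
    a receiver that may delay its acknowledgement, and a receiver that always acks at once."""
    sender = SIA(["go", "ack"], ["req"], "idle")
    sender.add("idle", {"go": 0}, {"req": 0}, "idle")
    sender.add("idle", {"go": 1}, {"req": 1}, "wait")
    sender.add("wait", {"go": 0, "ack": 0}, {"req": 1}, "wait")  # (wait, go=1, ack=0) refused
    sender.add("wait", {"ack": 1}, {"req": 1}, "idle")           # go is a don't-care once acked
    slow, fast = SIA(["req"], ["ack"], "free"), SIA(["req"], ["ack"], "free")
    for r in (slow, fast):
        r.add("free", {"req": 0}, {"ack": 0}, "free")
        r.add("free", {"req": 1}, {"ack": 0}, "busy")             # (busy, req=0) refused
    slow.add("busy", {"req": 1}, {"ack": 0}, "busy")              # may hold the request ...
    slow.add("busy", {"req": 1}, {"ack": 1}, "free")              # ... or acknowledge it now
    fast.add("busy", {"req": 1}, {"ack": 1}, "free")
    return sender, slow, fast
```

On the constructed automata the product has a transition under go=1 at the state (wait, busy), yet the game rejects that input: the slow receiver may answer with ack=0 there, which the sender refuses together with a fresh go, so the winning strategy drives go low until the acknowledgement arrives. This is why the local check quantifies over all outputs the other side may produce rather than asking only whether some consistent pair of transitions exists. Restricting the product to the winning region W (here all four product states) gives P ∥ Q. The fast receiver, which always acknowledges immediately, refines the slow one; the converse fails because the slow one can output ack=0 where the fast one cannot.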
Synthesis of synchronous interfaces
In this section, we revisit the synthesis problem, in the context of SIA. We prove the synchronous analogue of Theorems 3.3 and 3.4: the most general solution to P R Q exists iff P and Q ⊥ are compatible and is given by R (P Q ⊥ ) ⊥ . Here P ⊥ has the same interpretation as in the asynchronous case.
Note Throughout the section we assume that the list of output variables of Q includes all the output variables of P and the input variables of P that are not input variables of Q:
So any inputs to P will be provided by an output from the environment of Q or from R. In the latter case, such an input of P will be an output of Q. We fix the I/O signatures of the various interfaces involved, once and for all
Notice that Q and P ⊗ (P Q ⊥ ) ⊥ have the same I/O signature. First, we prove a result about compatibility that is used in Theorem 7.2 below. Here we make use of the fact that if (p, (p , q) ) is a reachable state in P ⊗ (P Q ⊥ ) ⊥ , then it follows from the property of observable nondeterminism that p p .
Lemma 7.1 If P and Q ⊥ are compatible, then P and (P Q ⊥ ) ⊥ are compatible.
Proof. Suppose P and Q ⊥ are compatible, but P and (P Q ⊥ ) ⊥ are not compatible. This means that for all input strategies π
It follows from Definition 6.5 that at least one of the following cases must hold:
⊥ . Now, since P and Q ⊥ are compatible, and (p, q) ((p, (p, q) )), and there is a transition (p, (p, q) )
q is a transition in Q and ((p , (p , q ), q ) ∈ ρ by the assumption that (p , (p , q )) is a state in P R. Likewise, for the input side, 
(⇒) Suppose a solution to P R Q exists. Let ρ be an alternating simulation from P R to Q such that ((s
We use R and ρ to construct a winning input strategy in P ⊗ Q ⊥ . It is easy to see that for states (p, r) in P R and q in Q, if ((p, r), q) ∈ ρ then (p, q) is locally compatible in P ⊗ Q ⊥ . The winning input strategy π I (p, q) in P ⊗ Q ⊥ is given by an input move (i 1 , o 2 ) such that there exist a state r and
(p , r ) and
is arbitrary. To show that π I is winning, we prove by induction on the
Theorem 7.3 When the condition stated in Theorem 7.2 is satisfied, the most general solution to P R Q exists and is given by R (P Q ⊥ ) ⊥ .
Proof. In the proof of Theorem 7.2 (If part) we have already shown that R (P Q ⊥ ) ⊥ is a solution. Suppose T is any solution to P R Q. We construct an alternating simulation ν from T to (P Q) ⊥ as follows. By assumption, there exists an alternating simulation ρ from P T to Q. Define ν
The complexity of computing (P Q ⊥ ) ⊥ is again O(| P || Q |) using the standard iterative refinement technique as in the asynchronous case.
Converter synthesis
In this section, we show how the SIA framework and the interface synthesis procedure described in Sect. 7 can be used to synthesise a protocol converter for two IP blocks that have incompatible protocols of interaction. Our work is inspired by Passerone et al. in [PdAHSV02] , and should be seen as both a generalisation and a simplification of that work.
Let P 1 and P 2 be the SIA describing two mismatched protocols, such as a sender using a handshake and a receiver using a serial protocol, as in [PdAHSV02] . We assume that P 1 and P 2 have disjoint alphabets. Just as in network protocol conversion in Sect. 5, it is the responsibility of the designer to specify the exact relationship between the two, through another SIA S, the specification. To summarise, the specification S expresses the causal relationships between the actions of P 1 and P 2 . In addition, the specification S captures the capabilities of the converter in terms of storage and retransmission capabilities. See the example below and [PdAHSV02] for more details.
We think of the specification as accepting inputs from the two protocols as well as the converter, as shown in Fig. 6 . This is in contrast to the network protocol conversion discussed in Sect. 5, where we took the dual 'output' view. Intuitively, the goal of the converter is to meet the specification, while satisfying the input assumptions of the two protocols. Moreover, the converter can control only the inputs to the protocols and not their outputs. The converter can then be obtained by using our interface synthesis procedure as in Sect. 5. Let P P 1 P 2 be the parallel composition of the two mismatched protocols, which is well formed, since we assume that the input and output actions of P 1 and P 2 are disjoint. Then a converter C, if it exists, is the (most general) solution for C to the interface synthesis problem instance P C S ⊥ , where S is the specification. The meaning of this relation is that P C is a safe environment for S, that is, the composite P C of protocols plus converter will not give rise to an incompatibility when combined with S.
We illustrate the converter synthesis problem for IP blocks via an example adapted from [DRS04a] . We adopt the following convention in drawing synchronous interfaces for IP blocks. When only boolean valued signals are involved, as is the case in this example, values not mentioned in a transition are don't cares (either low or high). Sometimes we indicate a don't care explicitly by a signal T. Figure 7 illustrates the synchronous interfaces for two mismatched protocols. Figure 7a is a protocol called Pipeline, with input variables [Ack, Rdy, Data] and output variables [Req, Address, SingleRead, MultiRead], that requests data from specified addresses in memory. When the protocol wants to read some data it raises the line Req! to high, places the value of the memory address on Address! and waits for an acknowledgement Ack? in the following clock cycle. In this simplified example, we ignore all data values such as addresses, and consider only boolean control values. In the next clock cycle the protocol checks that the signal Rdy? is high. If a single read is desired the protocol reads the input Data? and completes the transaction. If a sequence of reads is to be performed, the protocol pipelines the address phase of the next transfer with the current data phase. The protocol stops in state 5 after completing a finite sequence of transfers until it is ready to begin a fresh read request. Note that in state 2, the same input Rdy? can lead to two distinct states, but the output values associated with the transitions are distinct (SingleRead! in one, and MultiRead! in the other), so the observable nondeterminism property is satisfied. Figure 7b is an interface, with input variables [Sel, Read, Addr, Enable] and output variable [RData] , that performs reads from memory addresses, but it uses a handshake protocol. When it is selected for a read transfer by raising its input lines Sel? and Read? it reads the address from Addr?. If the signal Enable? is high in the next clock cycle, it writes the data on the output line RData! and is ready to handle a new read request, while waiting in state 3.
The protocols in Fig. 7 are mismatched and will not work properly unless there is a converter which mediates between the two. Now, we need to specify what the converter is allowed and not allowed to do. We require that the system as a whole (the two protocols along with the converter) satisfies the interface described by Fig. 8 . This specification interface is obtained as the parallel composition of two interfaces. The one on the left specifies that the converter can send an Addr! signal to Handshake only after receiving a corresponding Address? signal from Pipeline. The signal cannot be sent speculatively, but can be stored in memory and sent at a later instant. Similarly the interface on the right specifies that the converter can send a Data! to Pipeline only after a corresponding RData? signal has been received from Handshake. Note that every action in Fig. 8 is of type input, in conformance with Fig. 6 .
The correct converter for the two protocols, as synthesised by our method, is shown in Fig. 9 . Our solution to the synthesis problem is identical to the one in [PdAHSV02] for the special cases considered there for a pair of protocols, one of which is the sender, and the other the receiver. Our solution is more general, as it applies to Mealy machines with both inputs and outputs. In addition, our closed form solution is more algebraic and hides the details of the game solution involved in the composition of synchronous interfaces.
Conclusion and future work
We have presented the synthesis problem and its solution for both asynchronous and synchronous interface automata, a game based formalism for reasoning about composition and refinement of components. It is aesthetically pleasing that the solutions for the asynchronous and synchronous versions have the same form R (P Q ⊥ ) ⊥ . We have already noted the formal resemblance of our solution to solutions to the submodule construction problem in [vB02] , the language equation problem in [YVB + 01, YVB + 02] , and the rectification problem in [BDWM93] .
Recently, agent algebras [BPSV03, Pas04] have been proposed as a general framework for modelling a wide variety of concurrent systems. They are intended as a model for reasoning about compositionality and refinement of concurrent systems, and are an extension of Dill's trace theory [Dil89] . An agent algebra is an abstract algebraic structure with three operations (parallel composition, projection and renaming) which must satisfy certain axioms. The domain of the algebra is intended to represent a set of processes or agents. New agent algebras can be built from old ones by using the familiar constructions of direct product, direct sum and subalgebra. Agent algebras may be equipped with a preorder on the agents that represents the refinement relation. To support compositional proofs of refinement, agent algebras must satisfy monotonicity of each operation with respect to the refinement order. The refinement preorder can often be characterised as a conformance relation, a relation that holds between two agents when one can be substituted for another in all possible contexts. Our synthesis problem appears in the context of agent algebras as the "problem of synthesising a local specification subject to a context". The works cited above provide sufficient conditions for characterising all controllers that satisfy a specification when composed with a plant. These conditions resemble our Theorems 3.3, 3.4, 7.2 and 7.3. Based on this, it appears that both our asynchronous and synchronous interface automata are interesting instances of agent algebras.
As future work, we would like to relax some restrictions we have put on the synchronous interface model, such as the requirement of observable nondeterminism. Weaker notions of determinism, such as weak determinism [DRS04b] , could be investigated. Other possibilities would be to include the effect of hiding internal signals and to add fairness specifications to both asynchronous and synchronous interfaces. An important advance would be to include asynchrony and synchrony within the same framework for modelling SoC designs, as the complexity of today's circuits requires locally clocked components that communicate via asynchronous signals. The work on agent algebras related to semantic foundations for heterogeneous systems (see [Pas04] ) has a similar goal, and it will be interesting to investigate the connections between the two.
