Interface Theories for (A)synchronously Communicating Modal I/O-Transition Systems

Interface specifications play an important role in component-based software development. An interface theory is a formal framework supporting composition, refinement and compatibility of interface specifications. We present different interface theories which use modal I/O-transition systems as their underlying domain for interface specifications: synchronous interface theories, which employ a synchronous communication schema, as well as a novel interface theory for asynchronous communication where components communicate via FIFO-buffers.Comment: In Proceedings FIT 2010, arXiv:1101.426

Role-Based Interface Automata

No abstract available

Richer Interface Automata with Optimistic and Pessimistic Compatibility

Modal transition systems are a popular semantic underpinning of interface theories, such as Nyman et al.’s IOMTS and Bauer et al.’s MIO, which facilitate component-based reasoning of concurrent systems. Our interface theory MIA repaired a compositional flaw of IOMTS-refinement and introduced a conjunction operator. In this paper, we first modify MIA to properly deal with internal computations including internal must-transitions, which were largely ignored already in IOMTS. We then study a MIA variant that adopts MIO’s pessimistic – rather than IOMTS’ optimistic – view on component compatibility and define, for the first time in a pessimistic, non-deterministic setting, conjunction and disjunction on interfaces. For the pessimistic MIA variant we also provide a mechanism for extending alphabets when refining interfaces, which is a desired feature in practice. We illustrate our advancements via a small example

Modal Interface Automata

De Alfaro and Henzinger's Interface Automata (IA) and Nyman et al.'s recent combination IOMTS of IA and Larsen's Modal Transition Systems (MTS) are established frameworks for specifying interfaces of system components. However, neither IA nor IOMTS consider conjunction that is needed in practice when a component shall satisfy multiple interfaces, while Larsen's MTS-conjunction is not closed and Bene\v{s} et al.'s conjunction on disjunctive MTS does not treat internal transitions. In addition, IOMTS-parallel composition exhibits a compositionality defect. This article defines conjunction (and also disjunction) on IA and disjunctive MTS and proves the operators to be 'correct', i.e., the greatest lower bounds (least upper bounds) wrt. IA- and resp. MTS-refinement. As its main contribution, a novel interface theory called Modal Interface Automata (MIA) is introduced: MIA is a rich subset of IOMTS featuring explicit output-must-transitions while input-transitions are always allowed implicitly, is equipped with compositional parallel, conjunction and disjunction operators, and allows a simpler embedding of IA than Nyman's. Thus, it fixes the shortcomings of related work, without restricting designers to deterministic interfaces as Raclet et al.'s modal interface theory does.Comment: 28 page

A Generalised Theory of Interface Automata, Component Compatibility and Error

Interface theories allow systems designers to reason about the composability and compatibility of concurrent system components. Such theories often extend both de Alfaro and Henzinger’s Interface Automata and Larsen’s Modal Transition Systems, which leads, however, to several issues that are undesirable in practice: an unintuitive treatment of specified unwanted behaviour, a binary compatibility concept that does not scale to multi-component assemblies, and compatibility guarantees that are insufficient for software product lines. In this paper we show that communication mismatches are central to all these problems and, thus, the ability to represent such errors semantically is an important feature of an interface theory. Accordingly, we present the error-aware interface theory EMIA, where the above shortcomings are remedied by introducing explicit fatal error states. In addition, we prove via a Galois insertion that EMIA is a conservative generalisation of the established MIA (Modal Interface Automata) theory

Moving from Specifications to Contracts in Component-Based Design

Abstract. Program properties that are automatically inferred by static analysis tools are generally not considered to be completely trustworthy, unless the tool implementation or the results are formally verified. Here we focus on the formal verification of resource guarantees inferred by automatic cost analysis. Resource guarantees ensure that programs run within the indicated amount of resources which may refer to memory consumption, to number of instructions executed, etc. In previous work we studied formal verification of inferred resource guarantees that depend only on integer data. In realistic programs, however, resource consumption is often bounded by the size of heap-allocated data structures. Bounding their size requires to perform a number of structural heap analyses. The contributions of this paper are (i) to identify what exactly needs to be verified to guarantee sound analysis of heap manipulating programs, (ii) to provide a suitable extension of the program logic used for verification to handle structural heap properties in the context of resource guarantees, and (iii) to improve the underlying theorem prover so that proof obligations can be automatically discharged.

Modal Interface Theories for Specifying Component-based Systems

Large software systems frequently manifest as complex, concurrent, reactive systems and their correctness is often crucial for the safety of the application. Hence, modern techniques of software engineering employ incremental, component-based approaches to systems design. These are supported by interface theories which may serve as specification languages and as semantic foundations for software product lines, web-services, the internet of things, software contracts and conformance testing. Interface theories enable a systems designer to express communication requirements of components on their environments and to reason about the mutual compatibility of these requirements in order to guarantee the communication safety of the system. Further, interface theories enrich traditional operational specification theories by declarative aspects such as conjunction and disjunction, which allow one to specify systems heterogeneously. However, substantial practical aspects of software verification are not supported by current interface theories, e.g., reusing components, adapting components to changed operational environments, reasoning about the compatibility of more than two components, modelling software product lines or tracking erroneous behaviour in safety-critical systems. The goal of this thesis is to investigate the theoretical foundations for making interface theories more practical by solving the above issues. Although partial solutions to some of these issues have been presented in the literature, none of them succeeds without sacrificing other desired features. The particular challenge of this thesis is to solve these problems simultaneously within a single interface theory. To this end, the arguably most general interface theory Modal Interface Automata (MIA) is extended, yielding the interface theory Error-preserving Modal Interface Automata (EMIA). The above problems are addressed as follows. Quotient operators are adjoint to composition and, therefore, support component reuse. Such a quotient operator is introduced to both MIA and EMIA. It is the first one that considers nondeterministic dividends and compatibility. Alphabet extension operators for MIA and EMIA allow for the change of operational environment by permitting one to adapt system components to new interactions without breaking previously satisfied requirements. Erroneous behavior is identified as a common source of problems with respect to the compatibility of more than two components, the modelling of software product lines and erroneous behaviour in safety-critical systems. EMIA improves on previous interface theories by providing a more precise semantics with respect to erroneous behaviour based on error-preservation. The relation between error-preservation and the usual error-abstraction employed in previous interface theories is investigated, establishing a Galois insertion from MIA into EMIA that is relevant at the levels of specifications, composition operations and proofs. The practical utility of interface theories is demonstrated by providing a software implementation of MIA and EMIA that is applied to two case studies. Further, an outlook is given on the relation between type checking and refinement checking. As a proof of concept, the simple interface theory Interface Automata is extended to a behavioural type theory where type checking is a syntactic approximation of refinement checking.Große Softwaresysteme bilden häufig komplexe, nebenläufige, reaktive Systeme, deren Korrektheit für die Sicherheit der Anwendung entscheidend ist. Daher setzen moderne Verfahren der Softwaretechnik inkrementelle, komponentenbasierte Ansätze zum Software-Entwurf ein. Diese werden von Interface-Theorien unterstützt, die als Spezifikationssprachen und semantische Grundlagen für Softwareproduktlinien, Web-Services, das Internet der Dinge, Softwarekontrakte und Konformanztests dienen können. Interface-Theorien ermöglichen es, Kommunikationsanforderungen von Komponenten an ihre Umgebung auszudrücken, um die gegenseitige Kompatibilität dieser Anforderungen zu überprüfen und die Kommunikationssicherheit des Systems zu garantieren. Zudem erweitern Interface-Theorien traditionelle operationale Spezifikationstheorien um deklarative Aspekte wie beispielsweise Konjunktion und Disjunktion, die heterogenes Spezifizieren ermöglichen. Allerdings werden wesentliche praktische Aspekte der Softwareverifikation von Interface-Theorien nicht unterstützt, z.B. das Wiederverwenden von Komponenten, das Anpassen von Komponenten an geänderte operationale Umgebungen, die Kompatibilitätsprüfung von mehr als zwei Komponenten, das Modellieren von Softwareproduktlinien oder das Zurückverfolgen von Fehlverhalten sicherheitskritischer Systeme. Diese Arbeit untersucht die theoretischen Grundlagen von Interface-Theorien mit dem Ziel, die oben genannten praktischen Probleme zu lösen. Obwohl es in der Literatur Teillösungen zu manchen dieser Probleme gibt, erreicht keine davon ihr Ziel, ohne andere wünschenswerte Eigenschaften aufzugeben. Die besondere Herausforderung dieser Arbeit besteht darin, diese Probleme innerhalb einer einzigen Interface-Theorie zugleich zu lösen. Zu diesem Zweck wurde die wohl allgemeinste Interface-Theorie Modal Interface Automata (MIA) zu der Interface-Theorie Error-preserving Modal Interface Automata (EMIA) weiterentwickelt. Die obigen Probleme werden wie folgt gelöst. Ein zur Komposition adjungierter Quotientenoperator, der das Wiederverwenden von Komponenten ermöglicht, wurde für MIA und EMIA eingeführt. Es handelt sich dabei um den ersten Quotientenoperator, der nichtdeterministische Dividenden und Kompatibilität betrachtet. Alphabeterweiterungsoperatoren erlauben eine Änderung der operationalen Umgebung, indem sie es ermöglichen, Komponenten an neue Interaktionen anzupassen, ohne zuvor erfüllte Anforderungen zu missachten. Fehlerhaftes Verhalten wird als eine gemeinsame Ursache von Problemen bezüglich der Kompatibilität von mehr als zwei Komponenten, der Modellierung von Softwareproduktlinien und des Fehlverhaltens sicherheitskritischer Systeme erkannt. EMIA verbessert bisherige Interface-Theorien durch eine präzisere Fehlersemantik, die auf dem Erhalten von Fehlern beruht. Als Beziehung zwischen diesem Fehlererhalt und der in bisherigen Interface-Theorien üblichen Fehlerabstraktion ergibt sich eine Galois-Einbettung von MIA in EMIA, die auf den Ebenen der Spezifikationen, Operatoren und Beweise relevant ist. Die praktische Anwendbarkeit von Interface-Theorien wird mittels einer Implementierung von MIA und EMIA als Software und deren Anwendung auf zwei Fallstudien demonstriert. Zudem wird das Verhältnis zwischen Verfeinerung und Typprüfung diskutiert. In einer Machbarkeitsstudie wurde die einfache Interface-Theorie Interface Automata zu einer Verhaltenstyptheorie erweitert, bei der die Typprüfung eine syntaktische Approximation der Verfeinerung ist