View
219
Download
3
Embed Size (px)
Citation preview
Interface Automata
29-September-2011
Modeling Temporal Behavior of Component
• Component behaves with Environment• Traditional (pessimistic) approach
– Environment is free to behave as it wants to– Two components are compatible if no environment leads
them into an error state• Optimistic approach of Interface Automata
– Components designed with assumptions about environment– Two components are compatible if some environment can
make both of them work together• In context of this course
– Write code ONCE and know that it works
Interface Automata
• Interaction specified by synchronizing input and output actions– Internal actions of concurrent automata are interleaved
asynchronously• Input actions
– Model methods that can be called– Receiving ends of communication channels
• Output actions– Model method calls– Messages being transmitted– Exceptions
• Component designed under environmental assumptions– i.e., an object works if methods called in specific order
Sample Automata
• Internal state machineexternally invisible
• Labels– msg? means message received– send! means action sent out– Dot/arrow on interface species in- or out-connection– Internal transitions are arrows between states based upon
interface interactions
• Let’s discuss possible valid/invalid interactions
Sample Interface Automata
• User– Designed to be used only with message-transmission
services that cannot fail
Comp User
• Compose Comp with User– msg? and msg! collapsed to msg;– Error state 6 upon second failed nack?
• Composition– Note how a “new” automata
is created from thecomposition with its own In/Out actions
• Handling errors– Why does 6 have no exiting
arrows?– Declared “Illegal” state(s)
Interface Automata
• Definition in paper– Review page 113
• Compatibility and Composition– All independent actions are asynchronous– All shared actions force automata to synchronize state
transitions• Two automata P and Q are composable if– They don’t share states– There is no duplication of Input or Output actions– That is, “shared” means pairing Input with Output
Component Product
• Review Definition (p114)• Legal environments– Steers away from Illegal states– How to specify? Use an Interface Automata!
• Environment Automata E– E is composable with R and non-empty– Input of E is the output of R– Illegal(R, E) =
Example
• Channel wraps error-prone send (ack/nack) with an error-free get_token / put_token to ensure delivery– Parse this from the graphics
Final Notation
• Automata Product Composition: Comp User• Restricted Composition: Comp || User• Nice features of composition– Associative (P || Q) ||R == P || (R || Q) if either is
defined– Some automata cannot
be composed in thisrestrictive way
Refinement
• Consider relation between abstract and concrete version of a component
• QuickComp (next slide)– Provides try-twice msg service– Provides try-once once service
• Shouldn’t QuickComp be considered a refinement of Comp?
QuickComp
• Comp QuickComp means QC refines C
Contravariance
• Refined automata must allow for (possibly) more legal inputs and (possibly) fewer outputs– Weaken the pre-condition– Strengthen the post-condition
• Notion of alternating simulation– Q refines P if – all input steps of P can be simulated by Q– all output steps of Q can be simulated by P– works because internal state transitions are invisible to external
viewers• Captures a simple kind of subclassing
– If Q refines P then implementation Q is able to provide more services than specification P
– Q must be consistent with P on shared services
More definitions
• Transitive: Q refines P and R refines Q– If P Q and Q R then P R
• Reflexive: P refines P – P P
• Refinement and compatibility are related– Replace P with Q if
(a) P and Q are connected to the environment by same input/output; and (b) P Q
Refinement is Compositional
• Is P||R S||T?– One need only check two smaller cases– Is P S?– Is R T?
• Compositional reasoning is the key to dealing with large scale systems
Refinement and Composition
• Given interface automata P, Q, and R where– Q and R are composable– InputQ OutputR InputP OutputR
• If P and R are compatible and P Q– Q and R are compatible– P||R Q||R
Single-Threaded Interface Automata
• Many compositions can be restricted to single-threaded– Client makes request (and then blocks); during this
time client cannot alter state– Server receives request and once it has
responded, it becomes quiescent and won’t alter state
• See Figure 7
Single-Threaded vs. Multi-Threaded