1
Flexible Subtyping Relations for Component-Oriented Formalisms and their Verification
David Hurzeler
PhD Examination, 9/11/2004
2
Plan of the presentation
Introduction
The component-oriented formalism
Subtyping
Verification
Conclusion and future work
3
Introduction
The problems:
• « In a given system specified with the Concurrent Object-Oriented Petri Nets formalism, can we safely replace a component? »
• Can we generalize our work to other formalisms?
4
Introduction
Subtyping:
• Which existing definition(s) do we need?
• Do we need to extend these?
Verification:
• How can we guarantee this safety?
Safe substitutability
5
Introduction
Generality of our work: If we define new subtype definitions, can we make them applicable to other formalisms?
Can we find an abstract and high-level component-oriented formalism on which we can define our notion of subtyping, and which is still compatible with a large set of formalisms?
6
Plan of the presentation
Introduction
The component-oriented formalism
Subtyping
Verification
Conclusion and future work
7
The component-oriented formalism
Aim: Give the basic definitions and concepts on which we can develop notions of subtyping and verification.
Define a formalism, not a concrete language.
What we want is a meta-language giving the pre-requisites for the core of our work.
8
The component-oriented formalism
A component is a tuple <c, B, I, Trans>, where:
c is the component name,
B is the set of attributes,
I is the interface, containing both methods (provided services) and gates (required services), and
Trans is the transition system, a relation over States × Events × States.
[Figure: a component c with a method m1 and a gate g1]
9
Main features of the formalism
Concurrency inside and outside components,
Non-determinism,
Modularity: component orientation with strict encapsulation,
Component interaction: synchronization between components,
Component composition,
Component mobility.
10
Interaction
Synchronizations, both inside and in between components:
[Figure: a component with methods m1, m2, m3, m4 and gates g1, g2, g3; the synchronization expression "m1 with (g1 // g2)" fires m1 together with the gates g1 and g2 in parallel]
11
The buffer example
[Figure: a buffer component with methods put and get and gates failput and failget; its transition system has the states (-,-,e,-), (@,-,-,-), (-,@,-,-) and (@,@,-,f), with transitions labelled put, get, "put with failput" and "get with failget"]
12
Interaction
Synchronizations, both inside and in between components:
[Figure: a component with gates g1, g2, g3 and a component with methods m1, m2, m3, m4, connected by the synchronization expressions "g1 with m3, g2 with m4" and "g1 with m3"]
13
Component composition
Given:
a set of components,
a synchronization expression, and
a new interface,
we can define a new component.
[Figure: buffer1 and buffer2, each with methods put, get and gates failput, failget, composed under {b1.failput with b2.put, b1.failget with b2.get} into a new component whose interface again offers put, get, failput and failget]
14
Component composition
[Figure: the transition systems of b1, b2 and of the composite b1°b2 under {b1.failput with b2.put, b1.failget with b2.get}; a composite state such as (-,-,e,-,@,-,-,-) is the state (-,-,e,-) of b1 followed by the state (@,-,-,-) of b2]
15
Component composition
[Figure: the same composition b1°b2 under {b1.failput with b2.put, b1.failget with b2.get}, showing a get on the composite state (-,-,e,-,@,-,-,-) leading to (-,-,e,-,-,-,e,-)]
16
Mobility
[Figure: a component with methods m3, m4 and gate g3 moving from one container to another; the containers hold further components with methods m1 to m8 and gates g1 to g5]
17
Mobility: components
Regular components
Containers: <c, I, MC, Exp, MSyncExp, B, Trans>
• c is its name,
• I is its interface,
• MC is the set of acceptable components,
• Exp is a set of sync. expressions between all mc in MC,
• MSyncExp is a set of mobile sync. expressions,
• B is the set of attributes (= union of attributes of mc in MC),
• Trans is its transition system.
18
Mobility: Transition system
State of a container:
If a container contains components c1, c2, ..., cn from MC, respectively in states s1, s2, ..., sn, its state is noted $({s_1}_{c_1}\ {s_2}_{c_2}\ \dots\ {s_n}_{c_n})$.
If component c1 is a container containing regular components c11 and c12 in states s11 and s12, this is also $(({s_{11}}_{c_{11}}\ {s_{12}}_{c_{12}})_{c_1}\ {s_2}_{c_2}\ \dots\ {s_n}_{c_n})$.
19
Mobility: Transition system
[Figure: containers c3 (holding c1 and c2) and c6 (holding c4 and c5), with a method m1 and a gate g1; the state $((s_1)_{c_1}\ (s_2)_{c_2})_{c_3}\ ((s_4)_{c_4}\ (s_5)_{c_5})_{c_6}$ becomes $((s_1')_{c_1})_{c_3}\ ((s_4)_{c_4}\ (s_5)_{c_5}\ (s_2')_{c_2})_{c_6}$, i.e. c2 has moved from c3 to c6]
Exp: m1 with g1
MSyncExp: m1 mwith Send c2, g1 mwith Receive c2
20
Example of formalism: CO-OPN
CO-OPN objects correspond to regular components,
CO-OPN contexts correspond to containers,
Composition is exactly similar in both formalisms,
Concurrency, non-determinism, component interaction and modularity are equivalent.
Mobility is more general in our formalism.
21
Results so far
Composition: From two given components, we know how to build a third component.
Mobility: We are able to give the semantics of a container, and to build a container from a set of components (containers or regular).
This implies a formalisation of the mobility of contexts in CO-OPN.
22
Plan of the presentation
Introduction
The component-oriented formalism
Subtyping
Verification
Conclusion and future work
23
Subtyping
« Can we safely replace a component in a given system? »
Many existing definitions,
Each has its advantages, particular situations where it is useful,
But sometimes of little use in other situations: often not very flexible.
[Figure: existing definitions placed on two axes, Strength and Ease of use]
24
Subtyping
A set of properties will be preserved during the substitution.
The substitutability depends on the context.
[Figure: the question « Can we safely replace a component in a given system? » annotated with its three ingredients: "safely" is captured by a validation formula, "in a given system" by an observer component, and "replace a component" by a subtype relation]
25
Subtyping: Definition
Component rc is a subtype of component c w.r.t. observer obs and validation formula vf iff:
(obs ° c satisfies vf) implies (obs ° rc satisfies vf)
! This relation is not symmetric!
26
The buffer example
[Figure: a Producer (produce) and a Consumer (consume) use a Buffer of capacity 1 through put and get; an Observer with gates gput and gget, synchronized by "put with gput" and "get with gget", is composed with either the Buffer or a New Buffer (states s, s'); a verification tool checks the validation formula vf on each composite and gives feedback]
27
Results
Substitutability: If s is a subtype of t w.r.t. observer obs and validation formula f, we may safely substitute s for t in the sense that for the kind of interaction depicted by obs, the satisfaction of f is preserved.
Flexibility and generality of our definition of subtyping.
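As an added example, not code from the thesis or its slides: a small Python model of the formalism's components, of composition under a synchronization expression, and of the subtype test of slide 25, run on the buffer example. The capacity-one buffer, the producer/consumer observer (gates gput, gget) and the validation formula are constructed here, and the names `Component`, `compose`, `reachable` and `is_subtype` are my own.

```python
# Added example (not the thesis' code): a runnable model of the component
# formalism. A transition is (src, method, gate, dst), gate None if unneeded.
class Component:
    def __init__(self, name, init, trans):
        self.name, self.init, self.trans = name, init, trans

def compose(c1, c2, sync):
    """c1 ° c2 under sync = {gate of c1: method of c2}: a c1 step needing
    gate g fuses with a c2 step offering sync[g] (keeping c1's method name
    and any gate c2 still needs); other c1 steps interleave with c2."""
    states2 = {s for t in c2.trans for s in (t[0], t[3])}
    trans = []
    for src1, m, g, dst1 in c1.trans:
        if g in sync:
            trans += [((src1, a), m, g2, (dst1, b))
                      for a, m2, g2, b in c2.trans if m2 == sync[g]]
        else:  # no gate, or a gate left unbound by this composition
            trans += [((src1, x), m, g, (dst1, x)) for x in states2]
    return Component(f"{c1.name}°{c2.name}", (c1.init, c2.init), trans)

def reachable(c):
    """Closed-system reachability: a step with an unbound gate cannot fire."""
    seen, todo = {c.init}, [c.init]
    while todo:
        s = todo.pop()
        for src, _, g, dst in c.trans:
            if src == s and g is None and dst not in seen:
                seen.add(dst); todo.append(dst)
    return seen

def is_subtype(rc, c, obs, sync, vf):
    """rc is a subtype of c w.r.t. obs and vf iff vf(obs ° c) implies vf(obs ° rc)."""
    return (not vf(compose(obs, c, sync))) or vf(compose(obs, rc, sync))

def buffer(name):
    """Capacity-one buffer after the slides: put when full needs gate failput,
    get when empty needs gate failget (state encoding is mine)."""
    return Component(name, "empty", [
        ("empty", "put", None, "full"), ("full", "get", None, "empty"),
        ("full", "put", "failput", "full"), ("empty", "get", "failget", "empty")])

# b1 ° b2 with {b1.failput with b2.put, b1.failget with b2.get}
b12 = compose(buffer("b1"), buffer("b2"), {"failput": "put", "failget": "get"})
# Observer (constructed): a producer/consumer doing put, put, get, get via gates
observer = Component("obs", 0, [(0, "put", "gput", 1), (1, "put", "gput", 2),
                                (2, "get", "gget", 3), (3, "get", "gget", 4)])
OBS_SYNC = {"gput": "put", "gget": "get"}
def vf(c):  # validation formula: the observer completes its four steps
    return any(s[0] == 4 for s in reachable(c))
```

With this observer, b1°b2 is a subtype of b1 but b1 is not a subtype of b1°b2: the second put blocks on the unbound failput gate of the single buffer, which shows the asymmetry noted on slide 25.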
28
Observer conception
Problems: Often impossible to build an optimal observer.
Solutions: Incremental conception from heuristics,
For some classes of interaction, conception is decidable (for example, for regular languages).
[Figure: nested observers built from heuristic 1, heuristic 2 and heuristic 3]
29
Plan of the presentation
Introduction
The component-oriented formalism
Subtyping
Verification
Conclusion and future work
30
Verification
[Figure: a transformation f applied to a component; does a property p become some p', or does p still hold?]
31
Verification
[Figure: the same question lifted through the transformation: given p and p', what is the relation between f(p) and f(p)'?]
32
Verification
Three axes of research:
Restrict transformations,
Restrict properties to check,
Restrict composition.
33
Verification: Results
[Table: results on property satisfaction, indexed by kind of property (Existence, Containing, Contained), kind of transformation (TIP, TCP, Quite-strong, Strong, Including) and kind of composition (Trace preserving composition, Connection preserving); each cell states whether ci satisfying pi implies f(ci) satisfying pi, and whether c1°c2 satisfying p1 and p2 carries over to the transformed composition]
34
Verification: The buffer example
We have two buffers of transition system:
[Figure: the put/get transition system of each buffer]
If we compose these two buffers, can we get a buffer of capacity two which is such that EG is true?
[Figure: the composed buffer, checked with an Including transformation against a Contained property: NO]
35
Plan of the presentation
Introduction
The component-oriented formalism
Subtyping
Verification
Conclusion and future work
36
Conclusions: Contribution
Definition of an abstract component-oriented formalism including composition semantics and mobility semantics.
Complete formalisation of the extension of CO-OPN to the case of mobile contexts.
Definition of an adaptable notion of subtyping which encompasses many existing works.
37
Conclusions: Contributions
Description of a verification technique based on component transformation, which, again, is intended to include many existing techniques.
Proof of several results on property satisfaction which depend on the type of transformation, property and composition.
If we have a substitutability problem in a language L which may be seen as an instance of our own formalism, we may apply the subtyping and verification techniques defined in this thesis.
Case study as a means of illustrating our concepts in the CO-OPN formalism.
38
Future work
Implementation in a tool,
Include active component behavior in our formalism,
Include asynchrony?
More work on observer conception,
Further development of verification techniques, by exploring other classes of properties, transformations, and composition.
Translation of existing techniques.