Monographs in Computer Science Editors David Gries Fred B. Schneider Springer Science+Business Media, LLC Monographs in Computer Science Abadi and Cardelli, A Theory of Objects Brzozowski and Seger, Asynchronous Circuits Selig, Geometrical Methods in Robotics Nielson [editor], ML with Concurrency Castillo, Gutierrez, and Hadi, Expert Systems and Probabilistic Network Models Paton [editor], Active Rules in Database Systems Downey and Fellows, Parameterized Complexity Leiss, Language Equations Feijen and van Gasteren, On a Method of Multiprogramming Broy and St0len, Specification and Development of Interactive Systems: FOCUS on Streams. Interfaces, and Refinement Manfred Broy Ketil St01en Specification and Development of Interactive Systems Focus on Streams, Interfaces, and Refinement With 50 Figures i Springer Manfred Broy Ketil Stf1Jlen Institut fOr Informatik Sintef Telecom and Informatics Technische Universităt P.O. Box 124 Blindern Munchen N-0314 Oslo, Norway 80290 Munchen, Germany [email protected] [email protected] and Department of Informatics University of Oslo P.O. Box 1080 Blindern N-0314 Oslo, Norway Series Editors: David Gries Fred B. Schneider Department of Computer Science Department of Computer Science The University of Georgia Cornell University 415 Boyd Graduate Studies Research Upson Hali Center Ithaca, NY 14853-7501, USA Athens, GA 30602-7404, USA Library of Congress Cataloging-in-Publication Data Broy, M., 1949- Specification and development of interactive systems : Foeus on streams, interfaces, and refinement / Manfred Broy, Ketil St0len. p. cm. Includes bibliographical references and index. ISBN 978-1-4612-6518-4 ISBN 978-1-4613-0091-5 (eBook) DOI 10.1007/978-1-4613-0091-5 1. Software engineering. 2. Systems engineering. 1. St0len, Ketil. II. Title. QA76.758 .B783 2001 003--dc21 00-047090 Printed on acid-free paper. © 2001 Springer Seience+Business Media New York Originally published by Springer-Verlag New York, Ine. in 2001 Softcover reprint of the hardcover 1s t edition 2001 AII rights reserved. This work may not be translated or copied in whole or in par! without the writ!en permission of the publisher (Springer Science+Business Media, LLC), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use of general descriptive names, trade names, trademarks, etc., in this publication, even if the former are not especially identified, is not to be taken as a sign that such names, as understood by the Trade Marks and Merchandise Marks Act, may accordingly be used freely by anyone. Production managed by MaryAnn Brickner; manufacturing supervised by Jacqui Ashri. fl.1EX Photocomposed copy prepared from the authors' files. 98765 4 321 ISBN 978-1-4612-6518-4 SPIN 10771019 Preface This book presents a fundamental mathematical and logical approach to soft ware and systems engineering. Considering the large number of books de scribing mathematical approaches to program development, it is important to explain what we consider to be the specific contribution of our book, to identify our goals, and to characterize our intended target audience. Most books dealing with the mathematics and logics of programming and system development are mainly devoted to programming in the small. This is in contrast to our book where the emphasis is on modular system development with the help of component specifications with precisely identified interfaces and refinement concepts. Our book aims at systems development carried out in a systematic way, based on a clear mathematical theory. We do not claim that this book presents a full-blown engineering method. In fact, this is certainly not a book for the application-driven software engi neer looking for a practical method for system development in an industrial context. It is much rather a book for the computer scientist and the scientifi cally interested engineer who looks for basic principles of system development and, moreover, its mathematical foundations. It is also a book for method builders interested in a proper mathematical foundation on which they can build a practical development method and industrial-strength support tools. Our principal objective with this book is to show that system develop ment based on stepwise refinement can be completely carried out within a mathematical and scientifically respectable theory. We claim that all the en gineering steps usually found in system developments are supported by our approach. In this book we present our method in a rather puristic form. Many prag matic issues are simply ignored. Nevertheless, we demonstrate the connec tions and relationships to practical system development; in particular, we emphasize that there is a bridge from our mathematically well-defined ap proach to the description techniques used in practice today. It is our goal to demonstrate that our theory is a scientific basis for many of the prag matic system description techniques employed in industry. We concentrate on the scientific basis, however, and do not enter into the more pragmatic discussions of syntactic sugaring and concrete graphical and textual repre- vi Preface sentations. We hope that this book can contribute towards making software engineering methods cleaner, more systematic, and more reliable in practice. In our presentation we have tried to keep all the mathematical aspects as simple as possible. We expect that anyone who knows the most basic elements of mathematics and predicate logics to be able to read and understand our book. Our book addresses both a methodology for system development and its scientific foundation. We strongly believe that one can only gain a real understanding of the potential of our approach by trying it out and testing it on examples. Therefore, at the end of each chapter we provide a number of exercises. A reader should be able to carry out these exercises after having read the corresponding chapter carefully. The work we present in this book is built on top of research carried out by many scientists within the field of computer science. Our book puts to gether a variety of their results. In fact, it is based on numerous enlightening articles written by other computer scientists. Moreover, we owe a lot to our colleagues at the Technical University in Munich; they have helped us to develop a better understanding of our method and how it should be pre sented and explained. We, in particular, gratefully acknowledge the help of Max Breitling, Frank Dederichs, Max Fuchs, Radu Grosu, IngolfKriiger, Jan Philipps, Robert Sandner, Bernhard Schatz, Katharina Spies, and Rainer We ber. 0ystein Haugen visited us on several occasions during a critical stage of the book work. We thank him for critically reading early drafts and making many useful suggestions. We also gratefully acknowledge the help of Michael Streichsbier who during several years patiently implemented our handwritten notes in Latex. To all these people we are deeply grateful. We hope the book can be recognized as an attempt to give back at least some of the understanding we have gained from them. November 2000 Manfred Bray K etil St¢len Contents Preface....................................................... v Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. xiii 1. Introduction.............................................. 1 1.1 Systems............................................... 2 1.2 Specifications.......................................... 3 1.3 Refinement............................................ 6 1.4 Application Domains. . . .. .. . . .. ... . .. . . .. . . . . .. . . .. . . . . . 7 1.5 Development Process and Methodology ................... 8 1.6 Rationale of Focus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.6.1 Classification of Modeling Techniques. . . . . . . . . . . . . . . 9 1.6.2 Description Paradigm. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 10 1. 7 Overview of the Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 13 1.7.1 Part 1: Introductory Section. . . . . . . . . . . . . . . . . . . . . .. 13 1. 7.2 Part 2: Mathematical Foundations. . . . . . . . . . . . . . . . .. 14 1. 7.3 Part 3: Specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 14 1.7.4 Part 4: Refinement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 14 1.8 How the Book Should Be Read. . . . . . . . . . . . . . . . . . . . . . . . . .. 15 2. A Guided Tour. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 19 2.1 Plan for the Tour. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 19 2.2 Station 1: Unbounded Buffer. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 21 2.2.1 Streams......................................... 21 2.2.2 Informal Specification. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 22 2.2.3 Task 1.1: A/G Specification.. . .. . . .. .. . . . . .. . . .. . .. 23 2.2.4 Task 1.2: Equational Specification. . . . . . . . . . . . . . . . .. 25 2.2.5 Task 1.3: Equational Specification with Local States.. 28 2.3 Station 2: Unbounded Lossy Buffer. . . . . . . . . . . . . . . . . . . . . .. 29 2.3.1 Task 2.1: Combined Equational and A/G Specification with Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 30 2.3.2 Task 2.2: Table-Based Specification. . . . . . . . . . . . . . . .. 32 2.4 Station 3: Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 33 2.5 Station 4: Composite Specifications. . . . . . . . . . . . . . . . . . . . . .. 34 viii Contents 2.5.1 Task 4.1: Graphical Specification. . . . . . . . . . . . . . . . . .. 34 2.5.2 Task 4.2: Constraint-Based Specification ............ 34 2.5.3 Task 4.3: Behavioral Refinement ................... 35 2.5.4 Task 4.4: Glass-Box Specification. . . . . . . . . . . . . . . . . .. 36 2.6 Station 5: Time-Sensitive Buffer. . . . . . . . . . . . . . . . . . . . . . . . .. 37 2.6.1 Timed Streams. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 37 2.6.2 Task 5.1: AjG Specification .......... , . . .. . . .. .. . .. 38 2.6.3 Timed versus Untimed Specifications ............... 39 2.6.4 Task 5.2: Conditional Behavioral Refinement. . . . . . . .. 40 2.7 Station 6: Timed Lossy Buffer. . . . . . . . . . . . . . . . . . . . . . . . . . .. 40 2.7.1 Informal Specification. . .. .. . . .. . . . . . . . . . . .. . .. . . .. 41 2.7.2 Task 6.1: AjG Specification ........................ 41 2.7.3 Task 6.2: Conditional Interface Refinement. . . . . . . . .. 42 2.8 Station 7: Timed Driver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 45 2.8.1 Task 7.1: AjG Specification. . .. . . . .. . . .. .. . . .. . .. .. 46 2.8.2 Task 7.2: State Transition Diagram. . . . . . . . . . . . . . . .. 47 2.8.3 Task 7.3: Refinement ............................. 48 2.9 Station 8: Timed Composite Specification ................. 48 2.9.1 Development..................................... 48 3. Basics.................................................... 51 3.1 Sets.................................................. 51 3.2 Tuples................................................ 52 3.3 Functions.............................................. 53 3.4 Types................................................. 53 3.5 Logic................................................. 54 4. Streams.................................................. 57 4.1 Formal Definition of Streams. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 59 4.2 Basic Operators on Streams ............................. 59 4.3 Additional Operators on Streams. . . . . . . . . . . . . . . . . . . . . . . .. 62 4.4 Formal Definition of Timed Streams ...................... 64 4.5 Operators on Timed Streams ............................ 65 5. Specifications............................................. 69 5.1 Classification of Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . .. 70 5.2 Elementary Specifications ............................... 73 5.2.1 Syntax.......................................... 73 5.2.2 Examples ....................................... 74 5.2.3 Semantics....................................... 80 5.2.4 Graphical Representation of Syntactic Interfaces ..... 83 5.3 Composite Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 84 5.3.1 Graphical Style ..................... . . . . . . . . . . . .. 84 5.3.2 Constraint Style. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 85 5.3.3 Operator Style. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 86 Contents ix 5.3.4 Methodological Advice. . . . . . . . . . . . . . . . . . . . . . . . . . .. 87 5.4 Black-Box and Glass-Box Views. . . . . . . . . . . . . . . . . . . . . . . . .. 88 5.5 Parameterized Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 89 5.6 Sheafs and Replications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 91 5.6.1 Sheafs of Channels ............................... 91 5.6.2 Specification Replication. . . . . . . . . . . . . . . . . . . . . . . . .. 93 5.6.3 Dependent Replications . . . . . . . . . . . . . . . . . . . . . . . . . .. 96 6. Examples ................................................. 101 6.1 Alternating Bit Protocol ................................ 101 6.2 Steam Boiler ........................................... 104 6.3 Memory Components ................................... 107 6.3.1 Basic Definitions ................................. 108 6.3.2 Sequential Memory Component .................... 109 6.3.3 Concurrent Memory Component ................... 110 6.3.4 Repetitive Memory Component .................... 111 7. Properties of Specifications ............................... 115 7.1 Safety and Liveness Properties ........................... 115 7.1.1 Formalization of Safety ............................ 116 7.1.2 Formalization of Liveness .......................... 118 7.1.3 Decomposition into Safety and Liveness Parts ........ 119 7.1.4 Safety and Liveness for Specifications ............... 120 7.2 Realizability ........................................... 121 7.2.1 Strategies ....................................... 123 7.2.2 Weak and Strong Realizability ..................... 123 7.2.3 Full Realizability ................................. 126 7.2.4 Preserving Realizability by Composition ............. 128 7.3 Causality for Specifications .............................. 129 7.3.1 Adding Causality to Specifications .................. 129 7.3.2 A Proof Principle Based on Strong Causality ........ 131 7.3.3 Causality and Feedback ........................... 132 8. Equational Specification of State Transitions .............. 137 8.1 I/O Transitions ........................................ 140 8.2 Local States ........................................... 147 8.3 Control States ......................................... 150 8.4 Oracles ................................................ 155 9. Access Control System ................................... 161 9.1 System Architecture .................................... 161 9.2 Functional Properties of the Controllers ................... 165 9.2.1 Central Controller ................................ 165 9.2.2 Local Controller .................................. 165 9.2.3 Panel Controller .................................. 168 x Contents 9.3 Introducing Exception Handling .......................... 170 9.4 Imposing Timing Constraints ............................ 172 9.4.1 Introducing Timeouts ............................. 172 9.4.2 Imposing Constraints On the Response Time ......... 175 10. Tables and Diagrams ..................................... 177 10.1 State Transition Tables .................................. 178 10.2 State Transition Diagrams ............................... 182 10.3 Semantics of State Transition Tables and Diagrams ......... 188 10.3.1 Syntax of State Transition Diagrams ................ 188 10.3.2 Semantics of Deterministic State Transition Diagrams ....................................... , 189 10.3.3 Semantics of Nondeterministic State Transition Tables ................................. 191 11. Abracadabra Protocol .................................... 195 11.1 Informal Specification ................................... 195 11.1.1 Protocol Data Units and Parameters ............... , 196 11.1.2 Connection Phase ................................ 197 11.1.3 Data Transfer Phase ............................. , 197 11.1.4 Disconnection Phase .............................. 197 11.1.5 Error Phase ..................................... 198 11.1.6 Underlying Medium Service ........................ 198 11.2 Formalization .......................................... 198 11.2.1 Overall Structure ................................. 198 11.2.2 Sender/Receiver .................................. 200 11.2.3 Formalization of State Transitions .................. 202 12. AjG Specifications ....................................... 213 12.1 Simple Examples ....................................... 214 12.2 Semantics ............................................. 221 12.3 More Examples ........................................ 223 13. Memory with Locking .................................... 229 13.1 Black-Box Description .................................. 229 13.2 Distributed Implementation .............................. 234 14. Refinement ............................................... 241 14.1 Behavioral Refinement .................................. 242 14.2 Interface Refinement .................................... 242 14.3 Conditional Refinement ................................. 245 14.4 Verification ............................................ 247 14.5 Glass-Box Refinement ................................... 249 14.6 Development Method ........ , .......................... 250