Section: New Results
A contract-based module system
Participants : Yann Glouche, Thierry Gautier, Paul Le Guernic, Jean-Pierre Talpin.
Contract-based systems, based on the assume-guarantee paradigm, have become a popular formalism for the modular specification of object-oriented programs. In the context of embedded-systems development, functional (behavioral) contracts are being applied and are becoming part of mainstream industrial tools. Our goal is to exploit contracts during the development phase, for instance as a support for early execution (simulation). In this context, we have introduced a new paradigm to express the essence of encapsulation and inheritance in a synchronous and concurrent modeling framework.
A contract is a pair (assumptions, guarantees). Assumptions describe properties that a component expects the context in which it is used to satisfy; conversely, guarantees describe properties that the component satisfies whenever the context satisfies the assumptions. We want to provide designers with a formal model allowing "simple" but powerful and efficient computation on contracts. We therefore define a novel algebraic framework to enable logical reasoning on contracts [29]. It is based on two simple concepts.
First, the assumptions and guarantees of a component are defined as filters: assumptions filter the processes a component may accept and guarantees filter the processes a component provides. A filter is the set of processes, whatever their input and output variables are, that are compatible with some property (or constraint), expressed on the component variables.
Second and foremost, the structure of filters is a Boolean algebra, which allows contracts to be abstracted, refined and combined with great flexibility. In addition, and unlike related work, the negation of a contract can be formally expressed from within the model. Moreover, contracts are not limited to expressing safety properties, as is the case in most related frameworks, but also encompass liveness properties. All of this again stems from the central notion of filter.
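To make the filter algebra concrete, the following small Python model is added here as an illustration; it is not the authors' OCaml implementation and does not reproduce the definitions of [29]. It assumes a constructed finite universe of processes (traces of length 3 over two Boolean variables x and y), models a filter as a set of processes, a contract as a pair of filters, and takes refinement to be inclusion of the sets of satisfying processes; negation and combination are then plain set complement and intersection in that same Boolean algebra.

```python
from itertools import product

# Constructed toy universe (an assumption of this example, not the authors'
# model): a "process" is a trace of length N over two Boolean variables x
# and y, represented as a tuple of (x, y) pairs.  With N = 3 there are
# 4**3 = 64 distinct processes.
N = 3
INSTANT = tuple(product((False, True), repeat=2))   # possible (x, y) values at one instant
PROCESSES = frozenset(product(INSTANT, repeat=N))   # every possible trace


def make_filter(prop):
    """A filter is the set of processes compatible with a property."""
    return frozenset(p for p in PROCESSES if prop(p))


def complement(f):
    """Boolean-algebra negation of a filter."""
    return PROCESSES - f


class Contract:
    """A contract is a pair (assumptions, guarantees) of filters."""

    def __init__(self, assumptions, guarantees):
        self.A = frozenset(assumptions)
        self.G = frozenset(guarantees)

    def models(self):
        """Processes satisfying the contract: if the context is in A then the
        behaviour is in G, i.e. the set (not A) union G."""
        return complement(self.A) | self.G

    def satisfied_by(self, process):
        return process in self.models()

    def refines(self, other):
        """Refinement as inclusion of satisfying sets: every process accepted
        by self is accepted by other (weaker assumptions, stronger guarantees)."""
        return self.models() <= other.models()

    def negate(self):
        """Negation stays inside the algebra: the contract satisfied exactly by
        the processes that violate self (normal form: assume everything)."""
        return Contract(PROCESSES, complement(self.models()))

    def conjoin(self, other):
        """Combination: a process must satisfy both contracts."""
        return Contract(PROCESSES, self.models() & other.models())


# Constructed properties on a trace p, where p[i] == (x_i, y_i).
x_initially = make_filter(lambda p: p[0][0])               # x holds at instant 0
y_finally = make_filter(lambda p: p[-1][1])                # y holds at the last instant
y_always = make_filter(lambda p: all(y for _, y in p))     # y holds at every instant
x_implies_y = make_filter(lambda p: all(y or not x for x, y in p))

# A contract and three candidate refinements of it.
C = Contract(x_initially, y_finally)
C_weaker_assume = Contract(PROCESSES, y_finally)           # assumes nothing, same guarantee
C_stronger_guar = Contract(x_initially, y_finally & y_always)
C_unrelated = Contract(x_initially, x_implies_y)           # a different guarantee


def refinement_report():
    """Which candidates refine C?  Returns a dict of name -> bool."""
    return {
        "weaker assumptions": C_weaker_assume.refines(C),
        "stronger guarantees": C_stronger_guar.refines(C),
        "unrelated guarantee": C_unrelated.refines(C),
    }


if __name__ == "__main__":
    print(len(PROCESSES), "processes;", len(C.models()), "satisfy C")
    for name, ok in refinement_report().items():
        print(f"{name}: refines C = {ok}")
    print("C and its negation partition the universe:",
          C.negate().models() | C.models() == PROCESSES)
```

Because a filter is just a set here, refinement, negation and conjunction reduce to inclusion, complement and intersection, which is what makes the reasoning cheap: the third candidate fails to refine C only because there exists a trace (x true at instant 0, y true whenever x is, but y false at the end) that it accepts and C rejects.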
We use this algebra to define a general-purpose module language based on the contract paradigm described in [30], for the synchronous multi-clocked formalism Signal, and apply it to the specification of a component-based design process. The paradigm we are putting forward is to regard a contract as the behavioral type of a component and to use it for the elaboration of the functional architecture of a system, together with a proof obligation that validates the correctness of the assumptions and guarantees made while constructing that architecture.
The module system, which embeds data-flow equations defined in syntax, has been implemented in OCaml. It produces a proof tree that consists of
- an elaborated Signal program, which hierarchically renders the structure of the system described in the original module expressions,
- a static type assignment, which is sound and complete with respect to the module type inference system,
- a proof obligation consisting of refinement constraints, which are compiled as an observer or a temporal property in Signal.
The property is then handed to Signal's model-checker, Sigali, which proves or disproves that it is satisfied by the generated program. Satisfaction implies that the type assignment and the produced Signal program are correct with respect to the initially intended specification. The use of our module system is demonstrated on the specification of a protocol for Loosely Time-Triggered Architectures.
This work is presented in the PhD thesis of Yann Glouche [17].