Section: New Results
Specification enforcing refinement for convertibility verification
Protocol conversion deals with the automatic synthesis of an additional component or glue logic, often referred to as an adaptor or an interface , to bridge mismatches between interacting components, often referred to as protocols . A formal solution, called convertibility verification, has been recently proposed, which produces such a glue logic, termed as a converter , so that the parallel composition of the protocols and the converter also satisfies some desired specification. A converter is responsible for bridging different kinds of mismatches such as control , data , and clock mismatches. Mismatches are usually removed by the converter (similar to controllers in supervisory control of discrete event systems) by disabling undesirable paths in the protocol composition.
We have formulated a generalization of this convertibility verification problem, by using a new refinement relation called Specification Enforcing Refinement (SER) between a protocol composition and a desired specification. The existence of such a refinement is shown to be a necessary and sufficient condition for the existence of suitable a converter. We have also proposed an approach to automatically synthesize a converter if a SER refinement relation exists. These results have been published in  .
We are currently working on an improvement of this framework that supports incremental converter synthesis.
Compositional strategy mapping
In the context of our work on compositionality and reconfigurability, we are studying the issue of implementing a component system on a lower-level platform. With the increasing complexity of embedded systems, coupled with the need for faster time-to-market and high confidence in the reliability of the product, design methods that ensure correctness by construction are, when available, the solution of choice. When dealing with reactive systems, which interact with their environment, the behavior of the system to be designed has to be considered in terms of strategies : can some desired behavior be enforced in spite of the — potentially non cooperative — environment?
Computing a strategy satisfying some property is expensive, and although modular and compositional controller synthesis have been studied for some decades, this remains a hard problem. In particular, progress properties are notoriously more difficult to tackle compositionally than safety properties.
We are interested in a design flow supporting the refinement of strategies, rather than in controller synthesis performed on some given level of abstraction. We consider a platform-based design process consisting of successive mapping steps  . The goal of each step is to constructively map a strategy constructed so far onto a lower-level platform. The mapping is performed component-wise, using an abstraction of the environment of each component. We have developed compositionality results ensuring that the refinement carries over to the global strategy  .
The result of strategy mapping is a strategy for each target component, such that the composition of the strategies over-approximates the source strategy. We are currently investigating an improvement of this technique in order to effectively derive an implementation on the target platform, rather than an over-approximation.
Contracts have first been introduced as a type system for classes  : a method guarantees some post-condition under the assumption that its pre-condition is satisfied. In the component-based programming community, contracts are increasingly focus of research as a means to achieve one of the main goals of the component paradigm, namely the deployment and reuse of components in different, a priori unknown contexts. As components may interact under various models of communication, the notion of contract has been generalized from pre- and post-conditions in the form of predicates to behavioral interfaces such as interface automata  , allowing to reason about the temporal behavior of environments with which a component can be composed.
Modal Assume/Guarantee Contracts
We define contracts as pairs (A, G) of modal automata  : one describes an assumption on the usage of the component made by its environment; the other one corresponds to a guarantee offered by the component as long as the assumption is satisfied  . Modal automata extend automata with a modality that indicates for each transition whether it may or must be implemented. Modal contracts leverage the well-established theory of modal automata. They finitely represent an infinite number of implementations. In contrast to a premature choice of implementing or not a given transition, which would prematurely narrow the design space and rule out possible implementations, modal contracts allow to preserve a larger solution space along the design process.
In contrast to a specification defining how a component must behave, contracts can be seen as implications, providing a guarantee depending on an assumption on the context. Accordingly, different semantics of contract composition are conceivable, with the two special cases of conjunction of implications yielding a lazy composition, and implication of a conjunction for an eager composition. The latter approach is adopted by  , where the assumption of the composed contract is defined as the weakest assumption ensuring the conjunction of both guarantees. In the present work we choose the former approach: a component satisfying the composition of two contracts must satisfy each guarantee if and only if the corresponding assumption holds. This notion of composition is consistent with the component paradigm mentioned above, enabling the component to offer different guarantees depending on the context.
Our theory of modal assume/guarantee contracts relies on weak implication . This operation computes a modal specification whose implementations are also implementations of a given assume/guarantee contract C = (A, G) . This modal specification is thus called the implicit form of C . Based on weak implication, we have introduced three composition operations between modal contracts, responding to different requirements in the design flow and satisfying different properties. This is the first work formalizing and allowing to effectively combine these contract composition operations.
A contract may be used to describe the guarantees a component is able to give, depending on its environment. We call this a component contract . For component contracts over disjoint components we define a “best effort” composition operation that is parametrized by an interaction model inspired by the BIP framework  . The composition ensures each guarantee depending on the satisfaction of its assumption, provided that the guarantee is feasible under the specified interaction model. We show that this composition is the strongest contract satisfying the property of independent implementability: the component composition of two contracts is satisfied by the composition of any pair of implementations of both contracts, which allows to reason about contracts in a bottom-up manner.
On the other hand, a contract may specify a requirement as a guarantee that must be ensured under some hypothesis. We call this a requirement contract, or aspect . Aspects are usually implemented top-down. For a set of aspects on the same component or sub-system, a crucial question is whether they are consistent, and how to compute a common implementation, also called their shared refinement  . We define a composition operation based on modal conjunction, as the weakest contract refining both arguments. This is motivated by the fact that different aspects express different requirements whose conjunction is to be satisfied. The conjunction of contracts is shown to be sound and, under some conditions, complete.
Therefore, contracts are an elegant way to combine bottom-up construction of a system from simpler components, and top-down design by successive refinement of abstract components.
In practice, aspects are not equally important. For instance, an aspect “safety” may be chosen to override an aspect “quality of service”. Therefore we define the operation of priority which composes aspects in a hierarchical order, such that in case of inconsistency, an aspects of higher priority overrides a lower-priority contract.
Probabilistic contracts for reliability of components
We are studying probabilistic contracts as a means to reason about reliability in a component-based framework. A probabilistic contract is an interactive Markov chain specification (IMCS) where each state is either an interaction state or a probabilistic state. From interaction states, only interactions (in the sense of the BIP component framework) are enabled. From probabilistic states, only probabilistic transitions are enabled. Each of the latter is labeled with an interval of allowed probabilities. We have defined operations such as refinement and composition allowing to reason about probabilistic contracts. This work is still in progress.
A modal interface theory
Nowadays, OEM perform system design and integration by importing/reusing entire subsystems provided by equipment suppliers. It is crucial that the subsystems are designed according to some rules; which highlights the importance of providing good notions of component interfaces. According to our understanding of industrial needs, the following list of requirements applies to the notion of interface in the context of embedded systems: (i) Interfaces act as legal bindings and therefore must clearly identify roles and responsibilities. (ii) Interfaces must support the operation of conjunction; the two reasons for this are, one the one hand, that current practice of requirements capture leads to large data bases of requirements to be seen in a conjunctive way, and, on the other hand, that large systems possess multiple viewpoints (functional, timing, safety, etc) that concern the same sub-systems or component and apply conjunctively. (iii) Interface-based design must allow for flexible architecture choices. The mathematical requirements for interfaces are then:
Interfaces must explicit roles (component versus environment, at least)
They must be equipped with a parallel composition and a conjunction; in addition, it is useful to have the adjoint of parallel composition to address incomplete designs, the latter is called quotient or residuation.
They must support the following fundamental relations, involving interfaces and their associated implementations (or models): satisfaction, consistency, compatibility, and refinement.
Last but not least, interfaces must support local alphabets of actions.
We have reviewed candidate classes for interface theories failing to address all these requirements. Then we have advocated using modal interfaces, a unification of interface automata by de Alfaro and Henzinger and modal specifications by Larsen. (see  and  ). This work is conducted in collaboration with E. Badouel, A. Benveniste, B. Caillaud and A. Legay (S4 team from Irisa /Inria -Rennes) and R. Passerone (University of Trento).
Timed aspects of interface theories
As we have seen, modal interfaces are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based systems. In  , we have proposed a timed extension of modal specifications, defined their notions of refinement and consistency, and established their decidability. In  , we have considered the subclass of modal event-clock automata, where clock resets are easy to handle. We then have developed an entire theory with conjunction, product, and quotient, that promotes efficient incremental design techniques and that enables to reason in a compositional way about timed system. This work is conducted in collaboration with N. Bertrand (Vertecs team from Irisa /Inria -Rennes) and S. Pinchinat (S4 team from Irisa /Inria -Rennes).