in D.Gabbay and H.Ohlbach (eds), "Temporal Logic", LNAI 827, Springer-Verlag 1994, 48-66
SOMETIMES "TOMORROW" IS "SOMETIME" Action Refinement in a Temporal Logic of Objects José Luiz Fiadeiro ILTEC & Department of Informatics Faculty of Sciences, University of Lisbon Campo Grande, 1700 Lisboa, Portugal
[email protected]
Tom Maibaum Department of Computing Imperial College of Science, Technology and Medicine 180 Queen's Gate, London SW7 2BZ, UK
[email protected] Abstract. We address the hierarchical (vertical) decomposition, or abstract implementation, of object specification in temporal logic. Whereas previous approaches to refinement in the context of temporal logic such as those developed by Lamport and by Barringer, Kuiper and Pnueli are based on a single logic that accommodates different levels of action granularity, our approach is based on relating different logics corresponding to different levels of granularity. More precisely, we map abstract actions (propositions) to concrete objects (theories) and, through inference rules that relate the different logics, derive properties of the abstracted actions from the behaviour of the corresponding objects. In this way, we keep a tighter control of action granularity and interference, enabling us to maintain the use of the "next" operator and make the development of reactive systems more tractable.
1 Introduction In this paper, we address the hierarchical (also called vertical) decomposition, or abstract implementation, of temporal logic specifications of reactive systems. We do so in the context of an object-based approach to system design. In this approach, objects are taken as the basic building blocks of the design process. Each object has a certain number of actions that it can perform, either in reaction to some change in its state or a request from another object. The actions update, atomically, the state of the object. As a means of localising change, each object has a private state structured in
2
J.FIADEIRO AND T.MAIBAUM
terms of a collection of attributes (e.g. program variables) to which no other object can have access except via the actions that were declared for that object. 1.1
Stepwise System Design
In the object-based approach that we have in mind, systems are designed following a stepwise discipline. Each layer of the design process is characterised by a collection of objects that constitute the components out of which more complex objects (systems) may be built. Objects are interconnected to form complex systems by identifying the actions they share, i.e. in which they synchronise. Indeed, we assume, for each layer, a synchronous, multiprocessor architecture, in which, at each execution step, several actions may be performed concurrently. All objects at a given layer of abstraction have the same action granularity: the granularity that is given by the (abstract) processors. When the actions cannot be considered atomic from the point of view of the (concrete) processors belonging to the intended implementation environment, it is necessary to refine the granularity associated with the abstract processors. Each step in this (vertical) decomposition process can be seen as the "implementation" of each abstract object in terms of a collection of concrete ones that are "assembled" in a configuration that provides the functionality required for implementing the abstract behaviour. Because each such configuration itself defines a (complex) object, the basic construction to be characterised in the formalisation of this refinement discipline is the implementation of an object in terms of another object. More precisely, what is required is that the actions of the abstract object be decomposed in terms of transactions defined over the actions of the concrete object. Each such transaction can be described as an object, e.g. it can have its own private state (auxiliary variables as they are usually called). In fact, a transaction is a special kind of object – one that is guaranteed to terminate. Hence, our approach to refinement will be based on "implementing" abstract actions as concrete (transactional) objects. 1.2
Object Specification in Temporal Logic
Following [Pnueli 77], temporal logic can be used for specifying and reasoning about the behaviour of reactive systems, and object-based systems in particular [Fiadeiro and Maibaum 92]. In the framework that we put forward in [Fiadeiro and Maibaum 92], and which we shall summarise in section 2, an object is specified as a theory presentation of a linear and discrete temporal logic. A theory presentation consists of a signature θ and a set of axioms Φ. The signature θ corresponds to the declaration of the non-logical symbols that are used in the specification, namely the attributes (program variables) and actions of the object. Each axiom in Φ specifies a particular aspect of the behaviour of the object.
SOMETIMES "TOMORROW" IS "SOMETIME" The granularity of time in the underlying Kripke structure corresponds to the granularity of the corresponding (abstract) processor. Therefore, it also corresponds to the granularity of the actions that the object can perform. Actions give rise to propositions of the temporal language. An action proposition is true at an instant i iff the action is performed in the transition from i to i+1. Hence, typical axioms which describe the way in which actions change the state of an object are of the form action∧condition1 → Xcondition2 where X is the "next" or "tomorrow" temporal operator and the conditions are firstorder formulae over the attributes of the object. The use of X reflects the fact that actions determine the granularity of "change": actions are atomic in the sense that the object cannot be "caught" (its attributes cannot be accessed) while it is performing an action. 1.3
Action Granularity and Temporal Logic
Because, from the point of view of the object that implements it, an action has a duration (it lasts while the object is executing), the intended notion of action refinement requires us to deal with different action granularities in temporal logic. The problem of working with different granularities in temporal logic is not new. Lamport's work on hierarchical decomposition and refinement [Lamport 83, 89] addresses this problem by forbidding the use of the "next" operator and introducing stuttering. Lamport addresses action decomposition within a single logic. That is why the use of "next" has to be avoided: it commits the logic to a fixed (multi purpose) granularity. The adoption of the reals in [Barringer et al 86] serves the same purpose: to allow several granularities of action to be accommodated within the same logic. However, both from the specification and verification points of view, there are advantages in working with a discrete granularity of time. The use of the "next" operator is, indeed, intuitive when associated with the granularity of the actions that the system may perform: the use of "primed variables" as in [Lamport 89] is, in our opinion, a good indication of this fact. Furthermore, as recently pointed out by other researchers [e.g. Jones 92], control of granularity is essential for making the development of concurrent programs more tractable. Together with its control on interference, this is a clear advantage of object-based methods over more traditional ones, which suggests that we seek formal support for action refinement that does not require granularities to be collapsed and maintains the use of "next". Hence, our approach is radically different from both Lamport and Barringer/Kuiper/ Pnueli. It is not based on a single logic but on the decomposition of the logic itself. That is, rather than accommodating different levels of granularity within the same logic, we propose to establish relationships between different logics, each corresponding to a different level of granularity.
3
4
J.FIADEIRO AND T.MAIBAUM
As a result, the use of "next" is allowed at each level of abstraction. From a modeltheoretic point of view, such relationships have to provide for the abstraction of atomic transitions (caused by abstract actions) from sequences of concrete ones (i.e. from the behaviours of the corresponding transactional objects). This is achieved by relating the Kripke structures of both levels, i.e. by relating abstract and concrete "time", namely, abstract instants to intervals of concrete instants of time. i
i+1
abstract
concrete
From a proof-theoretic point of view, the required relationships between logics will have to establish a way of deriving what will happen in the "abstract tomorrow" from the "concrete future". That is, we will have to implement the abstract X in terms of the concrete F. This will be achieved via inference rules that relate the two levels. There will not be enough room in the paper to discuss structure and compositionality in depth. A summary of the main results on these two important issues will be given in section 4.
2 Temporal Logic of Objects As already mentioned, the specification of an object at a given level of abstraction is based on a certain action granularity. More precisely, each level of abstraction is characterised by a collection of data types that are assumed to be available for manipulating the attributes. In other words, each level of abstraction defines the primitives that are available for structuring the "memory" of the component (the types of the attributes) and the corresponding operations to manipulate those structures. These operations constrain the nature of the actions that may be declared for the component. For instance, if the data type INT of integers is available with addition as an operation, actions may add integers to integer attributes. If, however, only the successor operation is made available, additions are not possible as (atomic) actions: transactions are required to implement them.
SOMETIMES "TOMORROW" IS "SOMETIME"
5
Hence, our formal model of object specification includes, as a means of identifying the level of abstraction to which that object belongs, the specification of the abstract data type (ADT) that is necessary to support its actions and attributes. Because abstract data type specification is already a well-studied subject, we shall not get into detailed descriptions of this aspect of object specification. Instead, we shall assume that ADT specification is given in the traditional algebraic flavour, i.e. we shall take an ADT specification as a pair (Σ,∆) where Σ=(S,Ω) is a signature (i.e. S is a set of sorts and Ω is an S-indexed set of operation symbols) and ∆ a collection of formulae over that signature (e.g. in first-order logic). In order to make the paper self-contained, we shall now summarise the temporal logic (institution) of objects that we have defined in [Fiadeiro and Maibaum 92]. Definition 2.1: An object signature is a triple (Σ,Α,Γ) where – Σ=(S,Ω) is a data signature (the universe signature). – Α is an S*×S-indexed family of sets (of attribute symbols). – Γ is an S*-indexed family of sets (of action symbols).
º
The families Ω, Α, and Γ are assumed to be disjoint and finite (i.e., there are only a finite number of function, attribute and action symbols). Attribute parameters allow us to define complex data structures such as arrays, and action parameters allow us to model exchange of data (input and output). A semantic interpretation structure for an object signature is given by an algebra that interprets the data parameters, a mapping that gives the values taken by the attributes at each instant, and a mapping that gives the actions that will occur at each instant: Definition 2.2: A θ− interpretation structure for a signature θ=(Σ,Α,Γ) is a triple (U,A,G) where: • U is a Σ-algebra, i.e. to each sort symbol s∈S a set sU is assigned, and to each function symbol f∈ Ω ,s a function fU : s1 U ×...× s n U → sU i s assigned; • A maps f∈Α ,s to A (f): s1U ×...×snU × ω→ sU ; • G maps a∈Γ to G (a): s1U ×...×snU → ℘(ω). º The natural numbers are being used as a canonical frame for linear temporal logic. Actions are being interpreted as predicates over instants of time (states): the fact that an instant i belongs to the interpretation of an action means that the action occurs in the transition from i to i+1. Notice that we allow for more than one action to be performed during such a transition. Our overall view of an object is, therefore, that of a collection of actions that can be executed concurrently upon a set of attributes that are private to the object. That is, actions provide the granularity of concurrency in a synchronous, multi-processor architecture. Notice that it is also possible that no action occurs during a state transition. Such transitions correspond to steps performed by the environment and reflect an open
6
J.FIADEIRO AND T.MAIBAUM
semantics of behaviour. Such an open semantics is an essential ingredient for structure and compositionality, as argued in [Barringer and Kuiper 84]. The semantics of behaviour is not completely open. Objects have an intrinsic notion of locality or encapsulation according to which only the actions declared for an object can change the values of its attributes. This notion of locality is captured as follows: Definition 2.3: Given an object signature θ=(Σ,Α,Γ) and a θ-interpretation structure (U ,A ,G ), let E ={i∈ω i∈ G (a)(v 1 ,…,v n ) for some a∈Γ , (v1 ,…,v n )∈ s 1 U ×...× s n U }. That is, E consists of those instants during which an action of the object occurs, i.e. these instants denote state transitions in which the object will be engaged. The θ-interpretation structure (U ,A ,G ) is said to be a locus iff, for every instant i∉E and every f∈Α, A(f)(i) = A(f)(i+1). º Attribute symbols generate terms whose denotation varies in time (non-rigid designators) and action symbols generate predicates of a linear and discrete temporal language [Goldblatt 87] which we shall use to specify objects: Definition 2.4: The set of terms for a signature θ is inductively defined as follows: (a) variables of sort s are terms of sort s; (b) every nullary symbol in Ω s or Α s is a term of sort s; (c) if t1 , … , t n are terms of sorts s1 , … , s n and f belongs to Ω ,s or Α ,s , then f(t1,…,tn) is a term of sort s.
The formulae for a signature θ are inductively defined as follows: (a) if t1,…,tn are terms of sorts s1,…,sn and a belongs to Γ,s , then a(t1,…,tn) is a formula; (b) if t1 and t2 are terms of sort s, (t1= st2) is a formula; (c) if φ is a formula so are (¬φ) and (Xf); (d) if φ1 and φ2 are formulae so are (φ1→φ 2) and (φ1Uφ2); (e) if φ is a formula and x is a variable of sort s, (∀x:s)φ is a formula. We call state formulae those which are constructed from equations and the first-order connectives. º Terms and formulae are interpreted as follows: Definition 2.5: Given an interpretation structure S =( U , A , G ) for an object signature (Σ,Α,Γ) and an assignment V of values to variables, we define the value œt“(i) of t at time i for every term t as follows: (a) œx“(i)=V(x) for every variable x; (b) if f∈ Ω < s 1 , … , s n > ,s , œ f(t 1 , … , t n ) “ (i) = fU ( œ t 1 “ ( i ) , … , œ t n “ (i)); (c) if f∈Α ,s, œ f(t1 ,…,t n )“ (i) = A (f)(œ t1 “ (i),…,œ tn “ (i),i).
Satisfaction of a formula at time i is defined as follows: (a) (S ,V )‚ia(t1 ,…,t n ) iff i i∈ G (a)( œ t 1 “ ( i ) , … , œ t n “ (i)); (b) (S , V ) ‚ ( t 1 = s t 2 ) iff œ t 1 “ ( i ) = œ t 2 “ ( i ) ; (c) (S ,V )‚i(¬φ) if and only if it is not the case that (S,V )‚iφ; (d) (S ,V )‚i(Xφ) if and only if (S,V )i+1 ‚ φ; (e) (S ,V )‚i(φ1→φ 2) if and only if (S ,V )‚iφ 1 implies (S ,V )‚iφ 2 ; i (f) (S,V)‚ (φ 1 Uφ 2 ) if and only if, for some j≥i, (S , V ) ‚jφ 2 and, for every i≤k
