Chapter IV: Directive-response Assume-guarantee Contracts for an Auto-
4.6 Conclusion
if π .πππ is trying to back out of a parking spot, a stream of cars passing by can potentially block it forever. This is resolved by havingπ .πππ reserve the required area so that once any other car has cleared this area,π .πππis the only one that has the right to enter it.
Finally, we will show thatβπ‘ ::βπ‘0::π‘0> π‘ :: π(π‘) > π(π‘0). Letπ0be such thatπ0.πππ is betweenπ .πππand its destination. By the dynamical constraint on pedestrians and by assumptions π΄(4.16) and π΄(4.17), they will not block cars forever. Our algorithm guarantees that one of the following will happen at some timeπ‘0> π‘:
1. π0.πππis picked up byπ0.
2. π0.πππis parked andπ .πππ drives past it 3. π0.πππdrives pastπ .πππβs destination.
4. π0.πππbreaks down and by π΄(4.21)is eventually towed.
It is easy to see that each of these events implies that π(π‘) > π(π‘0). Since π is an integer and cannot drop below 0, the result follows.
References
Benveniste, Albert, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean- Baptiste Raclet, Philipp Reinkemeier, Alberto L Sangiovanni-Vincentelli, Werner Damm, Thomas A Henzinger, Kim G Larsen, et al. (2018). βContracts for system design.β In: Foundations and Trends in Electronic Design Automation 12.2-3, pp. 124β400.
Bosch (2020a). Automated valet parking service. url: https : / / www . bosch - mobility - solutions . com / en / products - and - services / passenger - cars-and-light-commercial-vehicles/automated-parking/automated- valet-parking/.
β (2020b).Ford, Bedrock and Bosch are exploring highly automated vehicle tech- nology in Detroit to help make parking easier. url: https : / / www . bosch - presse . de / pressportal / de / en / ford - bedrock - and - bosch - are - exploring-highly-automated-vehicle-technology-in-detroit-to- help-make-parking-easier-217984.html.
Burdick, Joel W., Noel du Toit, Andrew Howard, Christian Looman, Jeremy Ma, Richard M. Murray, and Tichakorn Wongpiromsarn (2007).Sensing, navigation and reasoning technologies for the DARPA Urban Challenge. Tech. rep. California Institute of Technology and Jet Propulsion Lab.
Censi, Andrea (2015). βA mathematical theory of co-design.β In: arXiv preprint arXiv:1512.08055.
Cowlagi, Raghvendra V. and Panagiotis Tsiotras (2011). βHierarchical motion plan- ning with dynamical feasibility guarantees for mobile robotic vehicles.β In:IEEE Transactions on Robotics28.2, pp. 379β395.
Damm, Werner, Hardi Hungar, Bernhard Josko, Thomas Peikenkamp, and Ingo Stierand (2011). βUsing contract-based component specifications for virtual inte- gration testing and architecture design.β In:2011 Design, Automation & Test in Europe. IEEE, pp. 1β6.
Damm, Werner, Angelika Votintseva, Alexander Metzner, Bernhard Josko, Thomas Peikenkamp, and Eckard BΓΆde (2005). βBoosting re-use of embedded automo- tive applications through rich components.β In: Proceedings of Foundations of Interface Technologies.
Dvorak, Daniel, Robert Rasmussen, Glenn Reeves, and Allan Sacks (2000). βSoft- ware architecture themes in JPLβs Mission Data System.β In:2000 IEEE Aerospace Conference. Proceedings. Vol. 7. IEEE, pp. 259β268.
Filippidis, Ioannis, Sumanth Dathathri, Scott C. Livingston, Necmiye Ozay, and Richard M Murray (2016). βControl design for hybrid systems with TuLiP: The temporal logic planning toolbox.β In:2016 IEEE Conference on Control Appli- cations (CCA). IEEE, pp. 1030β1041.
Fliess, Michel, Jean LΓ©vine, Philippe Martin, and Pierre Rouchon (1995). βFlat- ness and defect of non-linear systems: introductory theory and examples.β In:
International Journal of Control61.6, pp. 1327β1361.
Graebener, Josefine (2020). Automated Valet Parking Simulation. url: https : //youtu.be/dtDz9zlj46w.
Ingham, Michel D., Robert D. Rasmussen, Matthew B. Bennett, and Alex C. Mon- cada (2005). βEngineering complex embedded systems with state analysis and the mission data system.β In:Journal of Aerospace Computing, Information, and Communication2.12, pp. 507β536.
Maasoumy, Mehdi, Pierluigi Nuzzo, and Alberto Sangiovanni-Vincentelli (2015).
βSmart buildings in the smart grid: Contract-based design of an integrated energy management system.β In: Cyber Physical Systems Approach to Smart Electric Power Grid. Springer, pp. 103β132.
Nuzzo, Pierluigi, Huan Xu, Necmiye Ozay, John B Finn, Alberto L Sangiovanni- Vincentelli, Richard M Murray, Alexandre DonzΓ©, and Sanjit A Seshia (2013).
βA contract-based methodology for aircraft electric power system design.β In:
IEEE Access2, pp. 1β25.
Rasmussen, Robert D. (2001). βGoal-based fault tolerance for space systems using the Mission Data System.β In: 2001 IEEE Aerospace Conference Proceedings (Cat. No. 01TH8542). Vol. 5. IEEE, pp. 2401β2410.
Sakai, Atsushi, Daniel Ingram, Joseph Dinius, Karan Chawla, Antonin Raffin, and Alexis Paques (2018). βPythonrobotics: a python code collection of robotics algorithms.β In:arXiv preprint arXiv:1808.10703.
SchΓΌrmann, Bastian and Matthias Althoff (2017). βGuaranteeing constraints of dis- turbed nonlinear systems using set-based optimal control in generator space.β In:
IFAC-PapersOnLine50.1, pp. 11515β11522.
Siemens (2020).Improving Autonomous Valet Parking with simulation and testing.
url:https://blogs.sw.siemens.com/simcenter/autonomous-valet- parking - using - simulation - and - testing - for - safe - and - robust - system-and-algorithms-developments/.
Smith, Nathaniel J. (2017). βTrio: a friendly Python library for async concurrency and I/O.β In:https://trio.readthedocs.io/en/latest/, accessed 03/24/2020.
Wongpiromsarn, Tichakorn and Richard M Murray (2008). βDistributed mission and contingency management for the DARPA urban challenge.β In:International Workshop on Intelligent Vehicle Control Systems (IVCS). Vol. 5.
Yamazaki, Akio, Yuki Izumi, Katsuya Yamane, Tetsuya Nomura, and Yasushi Seike (n.d.).Development of Control Technology for Controlling Automated Valet Park- ing. url:https://www.denso- ten.com/business/technicaljournal/
pdf/Vol03-03.pdf.
C h a p t e r 5
REACTIVE CONTRACTS
5.1 Introduction
A premise central to formal methods is the idea that the model being verified is a correct description of the system in question. Oftentimes, especially for physical systems, this is not the case since adding too many details would make the model too large to be verified efficiently, if at all (Henzinger et al., 1998). Model uncertainties, environmental disturbances, simplifying assumptions etc. must be accounted for separately, often using heuristics. In the reactive synthesis setting (Bloem, 2015), attempts have been made to automatically generate systems that satisfy specifi- cations with some measure of robustness to certain classes of uncertainties. For instance, (Livingston et al., 2013) exploits βlocalityβ to compute modalπ-calculus fixpoints (Arnold and Niwinski, 2001) that enable patching system strategies in the presence of updated information about the game graph. Similarly, (Dathathri, Livingston, and Murray, 2017) discusses a way to recover from a finite number of un- expected actuation or sensing errors with pre-computed safe strategies that attempt to bring the system back to the nominal control trajectory. In addition to making specific assumptions on the environment, these methods also rely on the fact that such recovery strategies are always feasible for the original set of objectives. On the specification side of things, (Azzopardi, Pace, and Schapachnik, 2014) represents an elementary and direct means to add βreparationβ handling to contract automata.
Unfortunately, the obligation to define contract states and transitions explicitly does not make the automaton approach amenable to expressing and extracting complex properties.
Consider anassume-guarantee specificationππ for a parking garage system π op- erated by robot valets of the form ππ B π΄ β πΊ (see (Phan-Minh, 2019b) for a concrete specification in TLA+), where π΄ encodes a set of input constraints or assumptions such as garage characteristics, quantity of valets, how fast they can park and retrieve cars, andπΊ consists ofguaranteesthe system must provide in the event that the constraints inπ΄are satisfied, such as an upper bound on the maximum wait times for customers. Under this assume-guarantee framework, any system that satisfies the requirement
unless a constraint in π΄is violated, all guarantees inπΊ are provided
is said to implement the contract. In practice, we tend to come up with an assumption-guarantee pair that is
1. fragile: suppose that a car has a flat tire and thereby invalidates the assumption on the performance of the valet assigned to it, are other valets suddenly allowed to indiscriminately abandon their responsibilities? According toππ, the answer is yes even though the βintuitively correctβ answer is that they should not.
2. underpromising: the guarantee must often be very conservative when it must hold against worst case assumptions such as a single abnormally slow valet in the fleet that biases the worst wait time.
3. maladaptive: with only one assume-guarantee pair, the implementation does not have to adapt when the current environment βslightlyβ deviates from the assumption. Even if more pairs are specified and combined using, for example, the βcontract conjunctionβ operator, there is no clear procedure on how to specify controlling or switching between specific assumptions and guarantees when such an opportunity arises.
To address these issues, we propose a contract formalism that explicitly takes into account the notion of uncertainty in the system being modelled and emphasizes its obligation to adapt to possible changes in the behavior of the environment. The structure of the chapter is as follows: in Section 5.2, basic notations are defined and a formal definition of assume-guarantee contracts is given as a point of reference.
In Section 5.3, our theory of reactive contracts is presented and contrasted with the non-reactive formalism. In Section 5.4, we specialize this theory to the context of GR(1) games and derive a procedure for formulating and synthesizing their reactive contracts. In Section 5.5, we apply results from Section 5.4 to a concrete example/simulation and explore notions of optimal and robust reactivity.
5.2 Systems and Contracts
To keep things concise without losing generality, we will only cover assume- guarantee contracts defined over a common set of Boolean variables V called thealphabet. For any set π, let ππ be the set of infinite sequences generated from π, namely {hπ₯πiβ
π=0 = hπ₯0, π₯1, . . .i | π₯π β π}, πβ be the set of finite sequences, and
2π be the powerset of π. Define πβ as πββͺ ππ. Inimplementationsa contract.
accordance with the metatheory, we term any pair of collections of environments and implementations a contract. The theory of assume-guarantee contracts is a model of the metatheory and can be described as follows.
Definition 5.2.1(Behaviors and Assertions). A behavior π is an element ofB B (2V)π. An assertionπ΄is a subset ofB, namely,π΄ β2B.
We lift the set of all assertions 2B to a Boolean algebra by defining a unary operator
Β¬and two binary operatorsβ§,β¨on it in the standard way: ifπ΄, π΄1, π΄2are assertions, thenΒ¬π΄ B B \ π΄, π΄1β¨ π΄2 B π΄1βͺπ΄2, π΄1β§π΄2 B π΄1β©π΄2. The induced partial ordering relationβ€ on 2B is simply the subset relation β. Additionally, we define a secondary binary operatorβin π΄1β π΄2as a shorthand forΒ¬π΄1β¨π΄2.
Acomponent π is an assertion designated as such. Via locality assumptions, the assertion characterizing a component is often restricted to a subset ofV (with no constraints on variables outside the set). If π1 and π2are components, theinter- connectionbinary operatorβ is defined by π1β π2 B π1β§π2. That is, the set of behaviors of the interconnection consists only of those common to (or witnessed by) both implementations. We note that depending on how the variables and asser- tions making up the components being interconnected are defined, β can assume the meaning of either a parallel, series, coproduct, or feedback connection (Censi, 2015). In fact, contracts and the corresponding algebra can be used to constrain components satisfying them so that the meaning of their interconnection will be clear.
Definition 5.2.2 (Contracts). An assume-guarantee contract C is a pair of asser- tions (π΄, πΊ), called the assumption and the guarantee respectively. The set of environments ofC, denoted byEC, captures all componentsπΈ such that
πΈ β€ π΄. (5.1)
In other words,EC =2π΄. The set of implementations ofC, denoted byMC, consists of all componentsπ such that
βπΈ β EC. π βπΈ β€ πΊ . (5.2)
Example 5.2.1. LetV ={π₯ , π¦},C =(π΄, πΊ)whereπ΄ B {π | π₯ βππ βπ mod 2= 0}, πΊ B {π | π¦ β ππ β π mod 2 β 0}, π1 B h{π₯},{π¦},{π₯},β ,{π₯},β , . . .i and π2 B h{π₯},{π¦},{π₯},{π¦}, . . .i. IfπΈ B {π1, π2}, thenπΈ β EC becauseπ1, π2 β π΄.
Let π1 B {π1} and π2 B {π2}. Then π1 βMC because π1β πΈ = {π1} βπΊ. However, one can check that π2 β MC. Note that if π3 B β , thenπ3 β MC as well. The interpretation here is thatπ3satisfies the assume-guarantee semantics of Cvacuously.
Since 2B is a Boolean algebra, we infer from inequality (5.2) and the definition of
β that π is an implementation if βπΈ β EC. π β€ Β¬πΈ β¨πΊ. Choosing πΈ = π΄ in inequality (5.1) gives π β€ Β¬π΄β¨πΊ. Conversely, satisfying π β€ Β¬π΄β¨πΊ implies that π is an implementation becauseΒ¬πΈ β¨πΊ is antitone inπΈ. Thus, we have the following proposition.
Proposition 8. GivenC= (π΄, πΊ), a componentπ satisfiesπ β MCif and only if
π β€ π΄β πΊ . (5.3)
Proposition 8 characterizes implementations π of C as those components whose behaviors either do not conform to the behaviors specified in π΄ or are compatible withπΊ. Specifically, it says thatMC =2π΄βπΊ. Furthermore, since
π΄β (π΄β πΊ) =Β¬π΄β¨ (Β¬π΄β¨πΊ) =Β¬π΄β¨πΊ = π΄ βπΊ , (5.4) inequalities (5.1) and (5.3) yield the following proposition.
Proposition 9. If C = (π΄, πΊ) and Cβ = (π΄, π΄ β πΊ), then MC = MCβ and EC =ECβ.
It may be seen from equation (5.4) why any assume-guarantee contract of the form C = (π΄, π΄ β πΊ) is called saturated. By the metatheory, we will consider contracts that have the same sets of environments and implementations to be equal, and so by Proposition 9, every contract C has a unique saturated canonicalform Cβ. This saturated form makes contract algebra more convenient and sheds light on the meaning of the conjunction operation, which motivates our development of
βreactive contracts.β To describe the conjunction, we will need the idea of contract refinement whose definition is repeated here for ease of reference.
Definition 5.2.3. We say contract C1 = (π΄1, πΊ1) refines a contract C2 = (π΄2, πΊ2) and writeC1 C2ifMC1 β MπΆ2 andEπΆ2 β EπΆ1.
Theconjunctionof two contractsC1andC2, denoted byC1β§ C2, is a contract that is their largest lower bound (or meet) with respect to . For any contract C, we
haveEC =2π΄andMC =2π΄βπΊ. Therefore, ifC β€ C1,C2, then by Definition 5.2.3, MC β MC1β© MC2 = 2π΄1βπΊ1 β©2π΄2βπΊ2 = 2(π΄1βπΊ1)β§(π΄2βπΊ2) and 2π΄1β¨π΄2 =2π΄1 βͺ 2π΄2 =EC1βͺ EC2 β EC (since the intersection/union of powersets of two sets is the powerset of their intersection/union). By the fact that (π΄1 βπΊ1) β§ (π΄2β πΊ2) is saturated, we haveC1β§ C2= (π΄1β¨ π΄2,(π΄1β πΊ1) β§ (π΄2 βπΊ2)). By induction, we can conclude the following:
Proposition 10. If forπ=1,2, . . . , π,πΆπare assume-guarantee contracts, then
β§ππ=1Cπ =(β¨ππ=1π΄π,β§ππ=1π΄π β πΊπ). (5.5) Note that we can apply an analogous argument to the disjunction of contracts (defined as their join) to conclude that the set of all saturated contracts forms a complete lattice. Equation (5.5) shows that the βparametric contractβ formalism given in (Kim, Arcak, and Seshia, 2017) is exactly the result of applying the conjunction operation to the constituent contracts. That is, if π is an implementation of the conjunctionβ§πCπcontainingπ such thatπ βπΈ whereπΈ is an environment ofβ§πCπ, then there exists at least a π β {1,2, . . . , π} such that π β π΄π and for all such π, π β πΊπ. In other words, for any behavior π in which the environment satisfies any assumption π΄π in {π΄1, π΄2, . . . , π΄π}, the system must react by providing the corresponding guarantee πΊπ. Thus in contract conjunctions, 1) the reactions are defined by pairing each π΄π with the correspondingπΊπ, and 2) π΄π βπΊπ must hold over the sequenceπin its entirety. The second restriction is partially relaxed in the
βdynamic contractβ formalism, used for instance in (Kim, Sadraddini, et al., 2017), where assumptions are allowed to change over fixed time intervals. Our reactive contract framework will 1) remove the one-to-one restriction to allow for a more flexible assumption-guarantee pairing process, 2) enforces immediate guarantee reactions to assumption changes directly on each element π β B, and 3) enables automated synthesis.
5.3 Reactive Contracts Reactivity
For each π β B, and π, π β N0 : π < π, we denote by ππβπ the subsequence of π spanning from ππ up to but not including ππ, namely hππiπβ1
π=π, and byππββ the infinite sequence hππiβ
π=π. For π΄ β B and π β₯ 0, denote by Prefπ(π΄) the set of all prefixes of behaviors in π΄ of length π, Prefπ(π΄) B {π0βπ | π β π΄} and Pref(π΄) B βͺβ
π=1Prefπ(π΄), the set of all prefixes of π΄. Let Β· be the standard string
sequence concatenationoperator mapping from(Pref(B)ΓPref(B))βͺ(Pref(B)ΓB) to Pref(B) βͺ B.
Definition 5.3.1(Witness). Letπ β B, π΄β B andπ, π βN0βͺ {β} :π < π. We say thatπis awitnessforπ΄fromπup until πand writeπ |=πβπ π΄ifππβπ βPref(π΄) βͺπ΄. If π β β, we consider the witness relation as beingstrict and write π |=ππ βπ π΄ if π |=πβπ π΄, butπ 6|=πβπ+1 π΄. If π =β, the witness relation is always strict.
To describe and keep track of assumption changes, we appeal to the notion of assigningsignatures(or labels) to each behavior that undergoes those changes.
Definition 5.3.2 (Signature). Given a set of assertions A β 2B, an A-signature is any nonempty assertion sequence πΌ = hπΌπiπ
π=0 β Aβ where π β Nβͺ {β}. If π < β, we sayπ β B is a witness forπΌand putπ |=πΌif there exists a partitioning sequencehππiπ
π=0inN0satisfying 0=π0 < π1 < . . . < ππ such that withππ+1 B β, we have
βπ β {0,1, . . . , π}.π |=ππβππ+1 πΌπ. (5.6) We say thatπ is a strict witness for the signatureπΌand writeπ |=π πΌif the witness relation in equation (5.6) is strict. Analogously, if π = β, then π |= πΌ if there exists a (strictly monotone) partitioning sequencehππiβ
π=0inN0satisfyingπ0 =0 and equation (5.6) with{0,1, . . . , π}replaced byN0.
In general, a given π β B may be a strict witness for more than one signature in Aβ. For example, if A = {π΄1, π΄2} where π΄1 β© π΄2 β β , then any behavior π β π΄1β© π΄2 satisfies π |=π hπ΄πi for π β {1,2}. This may still be the case even when π΄1β© π΄2 =β . ForV = {π₯ , π¦}, π΄1 = {h{π₯}iβ
π=0} and π΄2 = {h{π¦}iβ
π=0} βͺ {π} whereπsatisfiesππ ={π₯}forπ =0 andππ ={π¦}, otherwise. Thenπ |=π hπ΄1, π΄2i and π |=π hπ΄2i. This non-uniqueness makes it unclear as to which assumption change sequence should be considered and how/when to properly react to it. Being able to restrict the set of assumptions so that this does not happen is necessary because in order to react at all, the system must be able to consistently detect which assumption to operate under next. The following proposition gives a necessary and sufficient condition.
Proposition 11. LetAbe a collection of assertions, then
βπΌ, π½β Aβ.βπ β B.(π |=π πΌβ§π |=π π½) βπΌ= π½, (5.7)
if and only if
βπ΄1, π΄2β A. π΄1β π΄2βPref1(π΄1) β©Pref1(π΄2) =β . (5.8) Proof. First, assume thatAdoes not satisfy Formula (5.8). Let π΄1, π΄2be such that π΄1 β π΄2and Pref1(π΄1) β©Pref1(π΄2) β β . Observe that for anyπ βN0andπ β B, if π0βπ+1 βPrefπ+1(π΄1) β©Prefπ+1(π΄2) thenπ0βπ β Prefπ(π΄1) β©Prefπ(π΄2). Hence, eitherπ΄1β©π΄2β β , in which case (5.7) clearly does not hold, or there exists aπ0β₯ 1 such that Prefπ0(π΄1)β©Prefπ0(π΄2) β β and Prefπ0+1(π΄1)β©Prefπ0+1(π΄2) =β . Letπ0β Prefπ0(π΄1) β©Prefπ0(π΄2)andπ1 β π΄1,π2β π΄2be such that π10βπ0 =π20βπ0 =π0. If for all 0 < π < π0, we haveπ0
π = π0
0, then hπ0
0iβ
π=0 |=π hπ΄1ior hπ0
0iβ
π=0 |=π hπ΄1iβ
π=0
while hπ0
0iβ
π=0 |=π hπ΄2i or hπ0
0iβ
π=0 |=π hπ΄2iβ
π=0. On the other hand, if there is an 0 < π < π0 such that π0
π β π0
0, then for π00 B π0
0βπ+1 Β· π0
0βπ+1 Β· . . ., we have π00 |=π hπ΄1iβ
π=0andπ00 |=π hπ΄1iβ
π=0. Both of these cases contradict Formula (5.7).
For the other direction, assume thatAsatisfies (5.8). LetπΌ, π½β Aβandπ β Bbe such thatπ |=π πΌandπ |=π π½. Letπ β Nβͺ {β}be the length ofπΌ. By the fact thatπ0 βPref1(πΌ0) β©Pref1(π½0)andβπ΄ β A. π΄β πΌ0 βPref1(π΄) β©Pref1(πΌ0)=β , we conclude that πΌ0 = π½0. Suppose that up toπ < π, πΌπ = π½π for all π satisfying 0 β€ π β€ π. We will show thatπΌπ+1and π½π+1are defined and equal to one another.
Indeed, since π < π, the (π + 1)th term of πΌ, πΌπ+1, exists. Let hππiπ
π=0 be a partitioning sequence forπ |=π πΌ given by Definition 5.3.2. By strictness and the induction hypothesis, we have ππ
πβ(ππ+1+1) 6|= πΌπ = π½π. Since π |=π π½, it follows that π½π+1 exists as well. From π |=π πΌ, ifπ+2 β€ π, we have π |=ππ
π+1βππ+2
πΌπ+1 and, in particular,ππ
π+1 βPref1(πΌπ+1) β©Pref1(π½π+1), which by Formula (5.8) yields πΌπ+1= π½π+1. Ifπ+2> π, thenπ |=π
ππ+1ββπΌπ+1, arguing similarly, we arrive at the additional conclusion that π½also has lengthπ. This implies Formula (5.7).
AnyAthat satisfies (5.8) is calledinitially disjoint. Hence, Proposition 11 says that Ais a set of assertions that are initially disjoint if and only if any behavior is a strict witness for at most oneA-signature. LetBA B {π β B | βπΌβ Aβ.π |=π πΌ}, the set of behaviors that haveA-signatures. IfAis initially disjoint, then the function UA : BA β Aβ mapping each π β BA to the unique signature UA(π) β Aβ for which it is a witness is well-defined. Lastly, for any π β BA, we denote by UA(π) the set of signatures generated byπ, namely,{UA(π) | π β π}.
Contracts
Definition 5.3.3(Reactive contracts). A reactive assume-guarantee contractCis a 4-tuple(A,G,Ξ, π ) where
1. A,G β 2B are called theassumptionandguarantee sets, respectively. A is required to be initially disjoint.
2. Ξ β Aβ is called the contingency set, consisting of assumption change scenarios that may happen.
3. π β (A Γ G)β is called thereaction set.
Observe thatAandGare not necessarily of the same cardinality and that from each π β π , we can obtain a uniqueA-signature by βprojecting away theGdimension.β
We denote the projection function byΞ A : π β Aβ so thatΞ A(hπ΄π, πΊπiπ
π=0) B hπ΄πiπ
π=0for any hπ΄π, πΊπiπ
π=0 β π .
Definition 5.3.4(Environment). Anenvironment forC = (A,G,Ξ, π ) is any πΈ β BA such that UA(πΈ) β Ξ, namely each π β πΈ is a strict witness for some A- signature inΞ.
Thus, for a reactive contract, assumptions about its environmentβs behaviors are allowed to change according to the contingency specified inΞ. As these assumptions change, the system should provide the corresponding guarantees as specified by the reaction setπ . We characterizeπ via the following definitions.
Definition 5.3.5 (Reactive satisfaction). Let π β B, π = h(π΄π, πΊπ)iπ
π=0 β π . We say thatπ reactively satisfiesπ and writeπ |=ππ if the following hold
1. π |=π Ξ A(π) with the partitioning sequencehππiπ
π=0. 2. a) Ifπ < β, thenβπ β {0,1, . . . , π}.ππ
πβππ+1 |=πΊπ withππ+1B β;
b) otherwise,βπ βN0.ππ
πβππ+1 |=πΊπ.
Definition 5.3.6(Implementation). An implementation of a reactive contract C = (A,G,Ξ, π ) is anyπ β Bsuch that for any environmentπΈ ofC, we have
βπ β (πβ©πΈ).βπ βπ .π |=π πβ§Ξ A(π) =UA(π).
Intuitively, an implementation consists of all behaviors π in which either the as- sumptions do not change according to Ξ, i.e., UA(π) β Ξ, or the system reacts according to instructions specified by the setπ , namely there exists a reactionπ β π , such thatπreactively satisfiesπ, in which the system must satisfy the guarantee cor- responding to the current assumption for as long as the latter holds and is required to immediately adapt to any new assumption by committing itself to the corresponding new obligation. Let us compare this formalism to βstandardβ assume-guarantee contracts. First, we mention that the following holds.
Proposition 12. Corresponding to each standard assume-guarantee contract C = (π΄, πΊ) is a reactive assume-guarantee contract Cπ = (A,G,Ξ, π ) with A = {π΄},G = {πΊ},Ξ = {hπ΄i}, and π = {h(π΄, πΊ)i} such that C = Cπ in the sense that they have same sets of environments and implementations.
Recall that any parametric assume-guarantee contract is a standard assume-guarantee contract obtained by taking the conjunction of a set of standard assume-guarantee contracts. Therefore, by Proposition 12, each parametric assume-guarantee contract has a reactive version. In particular, when all assumptions are initially disjoint, we have the following generalization of Proposition 12.
Proposition 13. If π β₯ 1, {π΄1, π΄2, . . . , π΄π} is a set of initially disjoint assertions and forπ β {1,2, . . . , π}, Cπ = (π΄π, πΊπ) are assume-guarantee contracts, then there exists a reactive assume-guarantee contractCπ such thatβ§π
π=1C= Cπ. Proof. LetCπ =(A,G,Ξ, π ) be defined with
β’ A B {π΄1, π΄2, . . . , π΄π},
β’ G B {πΊ1, πΊ2, . . . , πΊπ},
β’ ΞB {hπ΄1i,hπ΄2i, . . . ,hπ΄πi},
β’ π B {h(π΄1, πΊ1)i,h(π΄2, πΊ2)i, . . . ,h(π΄π, πΊπ)i}. Then,πΈ β EC if and only if
βπ βπΈ .π β β¨ππ=1π΄π
β βπ βπΈ .βπ β {1,2, . . . , π}.π β π΄π
β βπ β πΈ .βπ β {1,2, . . . , π}.UA(π) =hπ΄πi βΞ