OPEN SYSTEM SPECIFICATIONS
SM 1 SM 2 prove
9.5 System factorization
9.5.2 General case of noninterleaving specifications
We now address the case when the property Assembly is an arbitrary non- interleaving specification. Specifically, we show that a component defined as Unzip(Assembly,x,y), which would require using the GeneralStep operator, has the same implementations as a component specified byUnzip(New), where the operator Step can be used for the property New, instead of the operator GeneralStep. This result allows applying the decomposition results of Chap- ter 6 to noninterleaving assembly specifications, provided that the assembly specification is first transformed from Assembly toNew.
This transformation removes what we call the “non-Cartesian” part from the actionNext of Assembly, because this part is unrealizable by a Moore compo- nent (due to constraints between x′ and y′).
The starting point for noninterleaving specifications is theorem CPreSimplerByConjunctivity =∆
assume
new Next, new SysNext, new EnvNext,new Target, Next ≡(SysNext ∧EnvNext) Conjunctivity
prove
(∧SysNext
∧EnvNext ⇒Target)
≡
(∧SysNext
∧EnvNext ⇒ ∧Next
∧Target)
Therefore, whenever Next is the conjunction ofSysNext andEnvNext, we can replace theGeneralStep operator with theStepoperator. When do the actions SysNext,EnvNext satisfy the above assumption?
For arbitrary SysNext,EnvNext there is not much we can say, unless Next(x,y,x′,y′) =∆ SysNext(x,y,y′)∧EnvNext(x,y,x′)
To see why, consider the case that we are interested in
SysNext(p,q,v) =∆ ∃u : SomeNext(p,q,u,v).
By the definition of Next,
(∃u : Next(x,y,u,v))≡(SysNext(x,y,v)∧ ∃u : EnvNext(x,y,u)).
So it is not necessarily the case that SysNext(x,y,v) ≡ ∃u : Next(x,y,u,v).
For this reason, we focus on the case that we are interested in:
SysNext(p, q, u, v) =∆ ∃u : Next(p,q, u, v) EnvNext(p, q, u, v) =∆ ∃v : Next(p,q, u, v)
This case corresponds to actions that occur within Unzip (whereas the pair Next,SysNext occurs in any instance of WhilePlusHalf).
We callCartesian an action Next that satisfies the formula Next ≡((∃x′ : Next)∧(∃y′ : Next)).
For example, this formula is false with Next ≜x′ =y′.
We show below that we can always transform a propertyUnzip(P) to a prop- erty Unzip(NewP), so that both properties have the same implementations.
The resulting actions EnvNext and SysNext are Cartesian, and constrain x′ and y′, respectively.
Conjunctivity ((EnvNext ∧ SysNext) ≡ Next) is insufficient to ensure that Next is Cartesian. In addition, the actions EnvNext and SysNext need to be enabled at the same states, and depend on only x′ and y′, respectively.
Assume that SysNext(x,y,y′) and EnvNext(x,y,x′) (dependence only on y′ and x′, respectively). Then, by letting
NewNext =∆ SysNext∧EnvNext
∃x′ : NewNext ≡ ∃x′ : (SysNext∧EnvNext)
≡SysNext∧ ∃x′ : EnvNext
≡SysNext∧enabled EnvNext
∃y′ : NewNext ≡ ∃y′ : (SysNext∧EnvNext)
≡EnvNext∧ ∃y′ : SysNext
≡EnvNext∧enabled SysNext
So whether |= SysNext ≡ ∃x′ : NewNext depends on whether |= (∃y′ : SysNext) ⇒ (∃x′ : EnvNext). Similarly, whether |= EnvNext ≡ ∃y′ : NewNext depends on whether |= (∃x′ : EnvNext) ⇒ (∃y′ : SysNext). Over- all, the condition is same enabledness:
(∃x′ : EnvNext(x,y,x′))≡(∃y′ : SysNext(x,y,y′)) which can be expressed as
(enabled EnvNext(x,y,x′))≡(enabled SysNext(x,y,y′)).
We arrive at the following theorem
theorem EquienablednessImpliesCartesianity =∆ assume
variable x, variable y, constant EnvNext( , , ), constant SysNext( , , ),
(∃u : EnvNext(x, y, u))≡ ∃v : SysNext(x, y, v) prove
The proof goal says that NewNext is Cartesian.
let
NewNext(p, q, u, v) =∆ ∧EnvNext(x, y, u)
∧SysNext(x, y, v) in
∧SysNext(x, y, y′) ≡ ∃u : NewNext(x, y, u, y′)
∧EnvNext(x, y, x′)≡ ∃v : NewNext(x, y, x′, v)
ActionsEnvNext,SysNext that result fromUnzip are enabled at the same states.
proposition EquiEnablednessFromUnzip =∆ assume
variable x, variable y, constant Next( , , , ), constant SysNext( , , ), constant EnvNext( , , ),
∧ ∀v : SysNext(x, y, v) ≡ ∃u : Next(x, y, u, v)
∧ ∀u : EnvNext(x, y, u)≡ ∃v : Next(x, y, u, v) prove
(∃u : EnvNext(x, y, u))≡ ∃v : SysNext(x, y, v)
corollary assume
variable x, variable y, constant Next( , , , ), constant SysNext( , , ), constant EnvNext( , , ),
∧ ∀v : SysNext(x, y, v) ≡ ∃u : Next(x, y, u, v)
∧ ∀u : EnvNext(x, y, u)≡ ∃v : Next(x, y, u, v) prove
let
NewNext(p, q, u, v) =∆ ∧EnvNext(x, y, u)
∧SysNext(x, y, v) in
∧SysNext(x, y, y′) ≡ ∃u : NewNext(x, y, u, y′)
∧EnvNext(x, y, x′)≡ ∃v : NewNext(x, y, x′, v)
By this theorem, given two actions that constrain x′,y′, we need to “balance”
their enabledness. Using the above results, we arrive at the following “sub- traction” of unrealizable steps from the action Next.
corollary assume
variable x, variable y, constant Next( , , , ) prove
let
The operatorsSysNext andEnvNext are already “balanced”, but may not implyNext when conjoined. This is why we have to do the factorization as the next theorem below.
SysNext(p, q, v) =∆ ∃u : Next(p, q, u, v) EnvNext(p, q, u) =∆ ∃v : Next(p, q, u, v) NewNext(p, q, u, v) =∆
∧ SysNext(x, y, v)
∧ EnvNext(x,y,u)
NewNext is conjunctive and Cartesian, so the controllable step operator is simpler when we applyUnzip to a property defined usingNewNext.
in
∧SysNext(x, y, y′) =∃u : NewNext(x, y, u, y′)
∧EnvNext(x, y, x′) = ∃v : NewNext(x, y, x′, v) theorem SeparatingTheRealizablePart =∆
assume
variable x, variable y, constant Next( , , , ), constant Target( , ), constant EnvNext( , , ), constant SysNext( , , ),
(enabled SysNext(x, y, y′))⇒enabled EnvNext(x,y, x′) prove
let
NewNext(u,v) =∆
∧ SysNext(x, y, v)∧EnvNext(x, y, u)
∧ ∀w : EnvNext(x, y, w)⇒Next(x, y, w, v)
The second conjunct shrinks the first in order to ensure receptivity at those states.
NewSysNext(v) =∆ ∃u : NewNext(u,v) NewEnvNext(u) =∆ ∃v : NewNext(u,v) A =∆ ∃v :
∧SysNext(x, y, v)
∧ ∀u : EnvNext(x, y, u)⇒ ∧Next(x, y, u, v)
∧Target(u, v) B =∆ ∃v :
∧NewSysNext(v)
∧ ∀u : NewEnvNext(u)⇒ ∧NewNext(u, v)
∧Target(x′, v) C =∆ ∃v :
∧NewSysNext(v)
∧ ∀u : NewEnvNext(u)⇒Target(u, v) in
∧NewNext(x′, y′)⇒Next(x, y, x′, y′)
∧A≡B
∧A≡C
∧NewNext(x′, y′)≡(NewSysNext(y′)∧NewEnvNext(x′)) corollary
assume
variable p, variable q, constant Next( , , , ),
constant Target( , ) prove
let
SysNext(x, y, v) =∆ ∃u : Next(x, y, u, v) EnvNext(x, y, u) =∆ ∃v : Next(x, y, u, v) NewNext(x, y, u,v) =∆
∧ SysNext(x, y, v)∧EnvNext(x, y, u)
∧ ∀w : EnvNext(x, y, w)⇒Next(x, y, w, v) NewSysNext(x,y,v) =∆ ∃u : NewNext(x, y, u,v) NewEnvNext(x, y, u) =∆ ∃v : NewNext(x, y, u,v) A(x,y) =∆ ∃v : ∀u :
∧SysNext(x, y, v)
∧EnvNext(x, y, u)⇒ ∧Next(x, y, u, v)
∧Target(u, v) in
∧NewNext(p, q, p′, q′)⇒Next(p, q, p′, q′)
Conjunctivity and Cartesianity
∧NewNext(p, q, p′, q′)
≡ ∧NewSysNext(p, q, q′)
∧NewEnvNext(p,q, p′)
∧A(p, q)≡ ∃v : ∀u :
∧NewSysNext(p, q, v)
∧NewEnvNext(p,q, u)⇒ ∧NewNext(p, q, u, v)
∧Target(u, v)
∧A(p, q)≡ ∃v : ∀u :
∧NewSysNext(p, q, v)
∧NewEnvNext(p,q, u)⇒Target(u, v)
Thus, we can always transform anUnzip property so that the generator closed- system property is Cartesian, without changing the realizable part. In other words, if P ≜ I ∧2[Next]vars is used to define an open-system using Unzip, then even if the action Next includes noninterleaving changes where variables of more than two components change in a coupled way, then the coupling is unrealizable unless Cartesian.
Table 9.1: Controllable step operators.
Strategy
Implication Moore Mealy
UpToNow
∃y′ : ∀x′ :
EnvNext ⇒ ∧SysNext
∧Target
∀x′ : ∃y′ :
EnvNext ⇒ ∧SysNext
∧Target
Earlier
∃y′ : ∀x′ :
∧SysNext
∧EnvNext ⇒Target
∀x′ : ∃y′ :
∧SysNext
∧EnvNext ⇒Target
By showing that the realizable part remains unchanged when we remove the non-Cartesian part from a system, we have shown that there is no loss of generality in assuming that we are given a system with Cartesian action.
In summary, conjunctivity (Next ≡ (SysNext ∧EnvNext)) is useful for using the Step operator in place of GeneralStep (see the theorem CPreSimplerBy- Conjunctivity. A Cartesian action (Next ≡ ((∃x′ : Next)∧(∃y′ : Next))) is useful for ensuring conjunctivity in the case of open-system properties that are defined using the operator Unzip.
9.6 Composition without circularity