
Chapter V: Reactive Contracts

5.3 Reactive Contracts

have $\mathcal{E}_C = 2^{A}$ and $\mathcal{M}_C = 2^{A \Rightarrow G}$. Therefore, if $C \leq C_1, C_2$, then by Definition 5.2.3, $\mathcal{M}_C \subseteq \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2} = 2^{A_1 \Rightarrow G_1} \cap 2^{A_2 \Rightarrow G_2} = 2^{(A_1 \Rightarrow G_1) \wedge (A_2 \Rightarrow G_2)}$ and $2^{A_1 \vee A_2} = 2^{A_1} \cup 2^{A_2} = \mathcal{E}_{C_1} \cup \mathcal{E}_{C_2} \subseteq \mathcal{E}_C$ (since the intersection/union of powersets of two sets is the powerset of their intersection/union). By the fact that $(A_1 \Rightarrow G_1) \wedge (A_2 \Rightarrow G_2)$ is saturated, we have $C_1 \wedge C_2 = (A_1 \vee A_2,\ (A_1 \Rightarrow G_1) \wedge (A_2 \Rightarrow G_2))$. By induction, we can conclude the following:

Proposition 10. If for $i = 1, 2, \ldots, n$, $C_i$ are assume-guarantee contracts, then

βˆ§π‘›π‘–=1C𝑖 =(βˆ¨π‘›π‘–=1𝐴𝑖,βˆ§π‘›π‘–=1𝐴𝑖 β‡’ 𝐺𝑖). (5.5) Note that we can apply an analogous argument to the disjunction of contracts (defined as their join) to conclude that the set of all saturated contracts forms a complete lattice. Equation (5.5) shows that the β€œparametric contract” formalism given in (Kim, Arcak, and Seshia, 2017) is exactly the result of applying the conjunction operation to the constituent contracts. That is, if 𝑀 is an implementation of the conjunctionβˆ§π‘–C𝑖containing𝜎 such that𝜎 ∈𝐸 where𝐸 is an environment ofβˆ§π‘–C𝑖, then there exists at least a π‘˜ ∈ {1,2, . . . , 𝑛} such that 𝜎 ∈ π΄π‘˜ and for all such π‘˜, 𝜎 ∈ πΊπ‘˜. In other words, for any behavior 𝜎 in which the environment satisfies any assumption π΄π‘˜ in {𝐴1, 𝐴2, . . . , 𝐴𝑛}, the system must react by providing the corresponding guarantee πΊπ‘˜. Thus in contract conjunctions, 1) the reactions are defined by pairing each π΄π‘˜ with the correspondingπΊπ‘˜, and 2) π΄π‘˜ β‡’πΊπ‘˜ must hold over the sequence𝜎in its entirety. The second restriction is partially relaxed in the

β€œdynamic contract” formalism, used for instance in (Kim, Sadraddini, et al., 2017), where assumptions are allowed to change over fixed time intervals. Our reactive contract framework will 1) remove the one-to-one restriction to allow for a more flexible assumption-guarantee pairing process, 2) enforces immediate guarantee reactions to assumption changes directly on each element 𝜎 ∈ B, and 3) enables automated synthesis.


sequence concatenation operator mapping from $(\mathrm{Pref}(\mathcal{B}) \times \mathrm{Pref}(\mathcal{B})) \cup (\mathrm{Pref}(\mathcal{B}) \times \mathcal{B})$ to $\mathrm{Pref}(\mathcal{B}) \cup \mathcal{B}$.

Definition 5.3.1 (Witness). Let $\sigma \in \mathcal{B}$, $A \subseteq \mathcal{B}$ and $i, j \in \mathbb{N}_0 \cup \{\infty\}$ with $i < j$. We say that $\sigma$ is a witness for $A$ from $i$ up until $j$ and write $\sigma \models_{i \to j} A$ if $\sigma_{i \to j} \in \mathrm{Pref}(A) \cup A$. If $j \neq \infty$, we consider the witness relation as being strict and write $\sigma \models^{s}_{i \to j} A$ if $\sigma \models_{i \to j} A$ but $\sigma \not\models_{i \to j+1} A$. If $j = \infty$, the witness relation is always strict.

To describe and keep track of assumption changes, we appeal to the notion of assigning signatures (or labels) to each behavior that undergoes those changes.

Definition 5.3.2 (Signature). Given a set of assertions $\mathcal{A} \subseteq 2^{\mathcal{B}}$, an $\mathcal{A}$-signature is any nonempty assertion sequence $\alpha = \langle \alpha_k \rangle_{k=0}^{m} \in \mathcal{A}^{\infty}$ where $m \in \mathbb{N} \cup \{\infty\}$. If $m < \infty$, we say $\sigma \in \mathcal{B}$ is a witness for $\alpha$ and put $\sigma \models \alpha$ if there exists a partitioning sequence $\langle i_k \rangle_{k=0}^{m}$ in $\mathbb{N}_0$ satisfying $0 = i_0 < i_1 < \ldots < i_m$ such that, with $i_{m+1} := \infty$, we have

$$\forall k \in \{0, 1, \ldots, m\}.\ \sigma \models_{i_k \to i_{k+1}} \alpha_k. \qquad (5.6)$$

We say that $\sigma$ is a strict witness for the signature $\alpha$ and write $\sigma \models^{s} \alpha$ if the witness relation in equation (5.6) is strict. Analogously, if $m = \infty$, then $\sigma \models \alpha$ if there exists a (strictly monotone) partitioning sequence $\langle i_k \rangle_{k=0}^{\infty}$ in $\mathbb{N}_0$ satisfying $i_0 = 0$ and equation (5.6) with $\{0, 1, \ldots, m\}$ replaced by $\mathbb{N}_0$.

In general, a given $\sigma \in \mathcal{B}$ may be a strict witness for more than one signature in $\mathcal{A}^{\infty}$. For example, if $\mathcal{A} = \{A_1, A_2\}$ where $A_1 \cap A_2 \neq \emptyset$, then any behavior $\sigma \in A_1 \cap A_2$ satisfies $\sigma \models^{s} \langle A_j \rangle$ for $j \in \{1, 2\}$. This may still be the case even when $A_1 \cap A_2 = \emptyset$. For $V = \{x, y\}$, $A_1 = \{\langle \{x\} \rangle_{i=0}^{\infty}\}$ and $A_2 = \{\langle \{y\} \rangle_{i=0}^{\infty}\} \cup \{\sigma\}$ where $\sigma$ satisfies $\sigma_k = \{x\}$ for $k = 0$ and $\sigma_k = \{y\}$ otherwise. Then $\sigma \models^{s} \langle A_1, A_2 \rangle$ and $\sigma \models^{s} \langle A_2 \rangle$. This non-uniqueness makes it unclear which assumption change sequence should be considered and how/when to properly react to it. Being able to restrict the set of assumptions so that this does not happen is necessary because, in order to react at all, the system must be able to consistently detect which assumption to operate under next. The following proposition gives a necessary and sufficient condition.

Proposition 11. Let $\mathcal{A}$ be a collection of assertions. Then

$$\forall \alpha, \beta \in \mathcal{A}^{\infty}.\ \forall \sigma \in \mathcal{B}.\ (\sigma \models^{s} \alpha \wedge \sigma \models^{s} \beta) \Rightarrow \alpha = \beta, \qquad (5.7)$$

if and only if

βˆ€π΄1, 𝐴2∈ A. 𝐴1β‰  𝐴2β‡’Pref1(𝐴1) ∩Pref1(𝐴2) =βˆ…. (5.8) Proof. First, assume thatAdoes not satisfy Formula (5.8). Let 𝐴1, 𝐴2be such that 𝐴1 β‰  𝐴2and Pref1(𝐴1) ∩Pref1(𝐴2) β‰ βˆ…. Observe that for anyπ‘˜ ∈N0and𝜎 ∈ B, if 𝜎0β†’π‘˜+1 ∈Prefπ‘˜+1(𝐴1) ∩Prefπ‘˜+1(𝐴2) then𝜎0β†’π‘˜ ∈ Prefπ‘˜(𝐴1) ∩Prefπ‘˜(𝐴2). Hence, either𝐴1∩𝐴2β‰ βˆ…, in which case (5.7) clearly does not hold, or there exists aπ‘˜0β‰₯ 1 such that Prefπ‘˜0(𝐴1)∩Prefπ‘˜0(𝐴2) β‰  βˆ…and Prefπ‘˜0+1(𝐴1)∩Prefπ‘˜0+1(𝐴2) =βˆ…. Let𝜎0∈ Prefπ‘˜0(𝐴1) ∩Prefπ‘˜0(𝐴2)and𝜎1 ∈ 𝐴1,𝜎2∈ 𝐴2be such that 𝜎10β†’π‘˜0 =𝜎20β†’π‘˜0 =𝜎0. If for all 0 < 𝑖 < π‘˜0, we have𝜎0

𝑖 = 𝜎0

0, then h𝜎0

0i∞

𝑖=0 |=𝑠 h𝐴1ior h𝜎0

0i∞

𝑖=0 |=𝑠 h𝐴1i∞

𝑖=0

while h𝜎0

0i∞

𝑖=0 |=𝑠 h𝐴2i or h𝜎0

0i∞

𝑖=0 |=𝑠 h𝐴2i∞

𝑖=0. On the other hand, if there is an 0 < π‘˜ < π‘˜0 such that 𝜎0

π‘˜ β‰  𝜎0

0, then for 𝜎00 B 𝜎0

0β†’π‘˜+1 Β· 𝜎0

0β†’π‘˜+1 Β· . . ., we have 𝜎00 |=𝑠 h𝐴1i∞

𝑖=0and𝜎00 |=𝑠 h𝐴1i∞

𝑖=0. Both of these cases contradict Formula (5.7).

For the other direction, assume that $\mathcal{A}$ satisfies (5.8). Let $\alpha, \beta \in \mathcal{A}^{\infty}$ and $\sigma \in \mathcal{B}$ be such that $\sigma \models^{s} \alpha$ and $\sigma \models^{s} \beta$. Let $m \in \mathbb{N} \cup \{\infty\}$ be the length of $\alpha$. By the fact that $\sigma_0 \in \mathrm{Pref}_1(\alpha_0) \cap \mathrm{Pref}_1(\beta_0)$ and $\forall A \in \mathcal{A}.\ A \neq \alpha_0 \Rightarrow \mathrm{Pref}_1(A) \cap \mathrm{Pref}_1(\alpha_0) = \emptyset$, we conclude that $\alpha_0 = \beta_0$. Suppose that up to $n < m$, $\alpha_k = \beta_k$ for all $k$ satisfying $0 \leq k \leq n$. We will show that $\alpha_{n+1}$ and $\beta_{n+1}$ are defined and equal to one another.

Indeed, since $n < m$, the $(n+1)$th term of $\alpha$, $\alpha_{n+1}$, exists. Let $\langle i_k \rangle_{k=0}^{m}$ be a partitioning sequence for $\sigma \models^{s} \alpha$ given by Definition 5.3.2. By strictness and the induction hypothesis, we have $\sigma_{i_n \to (i_{n+1}+1)} \not\models \alpha_n = \beta_n$. Since $\sigma \models^{s} \beta$, it follows that $\beta_{n+1}$ exists as well. From $\sigma \models^{s} \alpha$, if $n + 2 \leq m$, we have $\sigma \models^{s}_{i_{n+1} \to i_{n+2}} \alpha_{n+1}$ and, in particular, $\sigma_{i_{n+1}} \in \mathrm{Pref}_1(\alpha_{n+1}) \cap \mathrm{Pref}_1(\beta_{n+1})$, which by Formula (5.8) yields $\alpha_{n+1} = \beta_{n+1}$. If $n + 2 > m$, then $\sigma \models^{s}_{i_{n+1} \to \infty} \alpha_{n+1}$; arguing similarly, we arrive at the additional conclusion that $\beta$ also has length $m$. This implies Formula (5.7).

Any $\mathcal{A}$ that satisfies (5.8) is called initially disjoint. Hence, Proposition 11 says that $\mathcal{A}$ is a set of assertions that are initially disjoint if and only if any behavior is a strict witness for at most one $\mathcal{A}$-signature. Let $\mathcal{B}_{\mathcal{A}} := \{\sigma \in \mathcal{B} \mid \exists \alpha \in \mathcal{A}^{\infty}.\ \sigma \models^{s} \alpha\}$, the set of behaviors that have $\mathcal{A}$-signatures. If $\mathcal{A}$ is initially disjoint, then the function $U_{\mathcal{A}} : \mathcal{B}_{\mathcal{A}} \to \mathcal{A}^{\infty}$ mapping each $\sigma \in \mathcal{B}_{\mathcal{A}}$ to the unique signature $U_{\mathcal{A}}(\sigma) \in \mathcal{A}^{\infty}$ for which it is a witness is well-defined. Lastly, for any $M \subseteq \mathcal{B}_{\mathcal{A}}$, we denote by $U_{\mathcal{A}}(M)$ the set of signatures generated by $M$, namely $\{U_{\mathcal{A}}(\sigma) \mid \sigma \in M\}$.

Contracts

Definition 5.3.3 (Reactive contracts). A reactive assume-guarantee contract $C$ is a 4-tuple $(\mathcal{A}, \mathcal{G}, \Delta, R)$ where

1. $\mathcal{A}, \mathcal{G} \subseteq 2^{\mathcal{B}}$ are called the assumption and guarantee sets, respectively. $\mathcal{A}$ is required to be initially disjoint.

2. $\Delta \subseteq \mathcal{A}^{\infty}$ is called the contingency set, consisting of assumption change scenarios that may happen.

3. $R \subseteq (\mathcal{A} \times \mathcal{G})^{\infty}$ is called the reaction set.

Observe that $\mathcal{A}$ and $\mathcal{G}$ are not necessarily of the same cardinality and that from each $r \in R$, we can obtain a unique $\mathcal{A}$-signature by “projecting away the $\mathcal{G}$ dimension.” We denote the projection function by $\Pi_{\mathcal{A}} : R \to \mathcal{A}^{\infty}$ so that $\Pi_{\mathcal{A}}(\langle A_k, G_k \rangle_{k=0}^{m}) := \langle A_k \rangle_{k=0}^{m}$ for any $\langle A_k, G_k \rangle_{k=0}^{m} \in R$.

Definition 5.3.4 (Environment). An environment for $C = (\mathcal{A}, \mathcal{G}, \Delta, R)$ is any $E \subseteq \mathcal{B}_{\mathcal{A}}$ such that $U_{\mathcal{A}}(E) \subseteq \Delta$, namely each $\sigma \in E$ is a strict witness for some $\mathcal{A}$-signature in $\Delta$.

Thus, for a reactive contract, assumptions about its environment’s behaviors are allowed to change according to the contingency specified in $\Delta$. As these assumptions change, the system should provide the corresponding guarantees as specified by the reaction set $R$. We characterize $R$ via the following definitions.

Definition 5.3.5 (Reactive satisfaction). Let $\sigma \in \mathcal{B}$ and $r = \langle (A_k, G_k) \rangle_{k=0}^{m} \in R$. We say that $\sigma$ reactively satisfies $r$ and write $\sigma \models^{\rho} r$ if the following hold:

1. $\sigma \models^{s} \Pi_{\mathcal{A}}(r)$ with the partitioning sequence $\langle i_k \rangle_{k=0}^{m}$.

2. a) If $m < \infty$, then $\forall k \in \{0, 1, \ldots, m\}.\ \sigma_{i_k \to i_{k+1}} \models G_k$ with $i_{m+1} := \infty$;

   b) otherwise, $\forall k \in \mathbb{N}_0.\ \sigma_{i_k \to i_{k+1}} \models G_k$.

Definition 5.3.6 (Implementation). An implementation of a reactive contract $C = (\mathcal{A}, \mathcal{G}, \Delta, R)$ is any $M \subseteq \mathcal{B}$ such that for any environment $E$ of $C$, we have

$$\forall \sigma \in (M \cap E).\ \exists r \in R.\ \sigma \models^{\rho} r \wedge \Pi_{\mathcal{A}}(r) = U_{\mathcal{A}}(\sigma).$$

Intuitively, an implementation consists of all behaviors $\sigma$ in which either the assumptions do not change according to $\Delta$, i.e., $U_{\mathcal{A}}(\sigma) \notin \Delta$, or the system reacts according to instructions specified by the set $R$, namely there exists a reaction $r \in R$ such that $\sigma$ reactively satisfies $r$, in which the system must satisfy the guarantee corresponding to the current assumption for as long as the latter holds and is required to immediately adapt to any new assumption by committing itself to the corresponding new obligation. Let us compare this formalism to “standard” assume-guarantee contracts. First, we mention that the following holds.
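As an added illustration (this is not code from the thesis), the following Python models Definitions 5.3.1 through 5.3.5 on finite prefixes of behaviors: assertions are represented as predicates that decide membership in $\mathrm{Pref}(A)$, the $x/y$ example above is reused to show the loss of signature uniqueness when $\mathcal{A}$ is not initially disjoint, and a reaction is checked segment by segment. All names, the state alphabet and the sample behaviors are constructed for the example.

```python
from itertools import combinations
from typing import Callable, FrozenSet, List, Optional, Tuple

# An assertion A is represented by a predicate deciding whether a finite prefix lies
# in Pref(A) (assumption: assertions are prefix-checkable, so Pref_k(A) is decidable).
State = FrozenSet[str]
Assertion = Callable[[List[State]], bool]

def always(v: str) -> Assertion:
    """Constructed sample assertion: variable v holds in every step."""
    return lambda pre: all(v in s for s in pre)

def text_A2(pre: List[State]) -> bool:
    """The A2 of the text's example: y always, or x at step 0 and y from step 1 on."""
    return always("y")(pre) or ("x" in pre[0] and always("y")(pre[1:]))

def initially_disjoint(assertions: List[Assertion], alphabet: List[State]) -> bool:
    """Formula (5.8) over a finite state alphabet: Pref_1 sets are pairwise disjoint."""
    first = [{s for s in alphabet if a([s])} for a in assertions]
    return all(not (first[i] & first[j])
               for i in range(len(first)) for j in range(i + 1, len(first)))

def strict_witness_end(sigma: List[State], i: int, a: Assertion) -> Optional[int]:
    """Largest j with sigma[i:j] in Pref(A) (strict witness, Def. 5.3.1); None if sigma[i:i+1] fails."""
    if not a(sigma[i:i + 1]):
        return None
    j = i + 1
    while j < len(sigma) and a(sigma[i:j + 1]):
        j += 1
    return j

def signature(sigma: List[State], assertions: List[Assertion]):
    """U_A(sigma) on a finite prefix (Def. 5.3.2, Prop. 11): assertion indices of the
    unique signature and its partitioning sequence <i_k>; None if none exists."""
    i, sig, cuts = 0, [], []
    while i < len(sigma):
        ends = [(k, strict_witness_end(sigma, i, a)) for k, a in enumerate(assertions)]
        ends = [(k, j) for k, j in ends if j is not None]
        if len(ends) != 1:  # 0: no witness; >1: ambiguous, i.e. A not initially disjoint
            return None
        k, j = ends[0]
        sig.append(k); cuts.append(i)
        i = j
    return sig, cuts

def reactively_satisfies(sigma, assertions, reaction: List[Tuple[int, Assertion]]) -> bool:
    """Def. 5.3.5: sigma |=^s Pi_A(r) and each segment sigma[i_k:i_{k+1}] |= G_k."""
    res = signature(sigma, assertions)
    if res is None or res[0] != [k for k, _ in reaction]:
        return False
    bounds = res[1] + [len(sigma)]
    return all(g(sigma[bounds[n]:bounds[n + 1]]) for n, (_, g) in enumerate(reaction))

# Constructed sample: inputs x/y (exactly one per step), outputs g1/g2 (any subset).
OUT = [frozenset(c) for n in range(3) for c in combinations(["g1", "g2"], n)]
ALPHABET = [frozenset({v}) | o for v in ("x", "y") for o in OUT]
A1, A2, G1, G2 = always("x"), always("y"), always("g1"), always("g2")
SIGMA_OK = [frozenset({"x", "g1"}), frozenset({"y", "g2"}), frozenset({"y", "g2"})]
SIGMA_BAD = [frozenset({"x", "g1"}), frozenset({"y", "g1"}), frozenset({"y", "g2"})]
```

`signature(SIGMA_OK, [A1, A2])` yields the signature $\langle A_1, A_2 \rangle$ with partitioning sequence $\langle 0, 1 \rangle$, whereas with `text_A2` in place of `A2` it returns `None` because both assertions claim the first step.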

Proposition 12. Corresponding to each standard assume-guarantee contract $C = (A, G)$ is a reactive assume-guarantee contract $C_r = (\mathcal{A}, \mathcal{G}, \Delta, R)$ with $\mathcal{A} = \{A\}$, $\mathcal{G} = \{G\}$, $\Delta = \{\langle A \rangle\}$, and $R = \{\langle (A, G) \rangle\}$ such that $C = C_r$ in the sense that they have the same sets of environments and implementations.

Recall that any parametric assume-guarantee contract is a standard assume-guarantee contract obtained by taking the conjunction of a set of standard assume-guarantee contracts. Therefore, by Proposition 12, each parametric assume-guarantee contract has a reactive version. In particular, when all assumptions are initially disjoint, we have the following generalization of Proposition 12.

Proposition 13. If $n \geq 1$, $\{A_1, A_2, \ldots, A_n\}$ is a set of initially disjoint assertions and for $i \in \{1, 2, \ldots, n\}$, $C_i = (A_i, G_i)$ are assume-guarantee contracts, then there exists a reactive assume-guarantee contract $C_r$ such that $\bigwedge_{i=1}^{n} C_i = C_r$.

Proof. Let $C_r = (\mathcal{A}, \mathcal{G}, \Delta, R)$ be defined with

• $\mathcal{A} := \{A_1, A_2, \ldots, A_n\}$,

• $\mathcal{G} := \{G_1, G_2, \ldots, G_n\}$,

• $\Delta := \{\langle A_1 \rangle, \langle A_2 \rangle, \ldots, \langle A_n \rangle\}$,

• $R := \{\langle (A_1, G_1) \rangle, \langle (A_2, G_2) \rangle, \ldots, \langle (A_n, G_n) \rangle\}$.

Then $E \in \mathcal{E}_C$ if and only if

$$\forall \sigma \in E.\ \sigma \in \bigvee_{i=1}^{n} A_i
\ \Leftrightarrow\ \forall \sigma \in E.\ \exists i \in \{1, 2, \ldots, n\}.\ \sigma \in A_i
\ \Leftrightarrow\ \forall \sigma \in E.\ \exists i \in \{1, 2, \ldots, n\}.\ U_{\mathcal{A}}(\sigma) = \langle A_i \rangle \subseteq \Delta,$$

which holds if and only if $E \in \mathcal{E}_{C_r}$. Also, $M \in \mathcal{M}_C \Leftrightarrow \forall \sigma \in M.\ \sigma \in \bigwedge_{i=1}^{n} (A_i \Rightarrow G_i)$. Since the $A_i$'s are initially disjoint, and therefore disjoint, there are two cases: either $\sigma \in \bigwedge_{i=1}^{n} \neg A_i$, in which case $U_{\mathcal{A}}(\sigma) \notin \Delta$, or there is an $A_i$ such that $\sigma \in A_i \wedge G_i$, in which case $\sigma \models^{\rho} \langle (A_i, G_i) \rangle$ and $U_{\mathcal{A}}(\sigma) = \Pi_{\mathcal{A}}(\langle (A_i, G_i) \rangle) = \langle A_i \rangle$.

This implies $M \in \mathcal{M}_{C_r}$. On the other hand, $M \in \mathcal{M}_{C_r}$ implies that for all $\sigma \in M$, either $\sigma \models^{\rho} \langle (A_i, G_i) \rangle$ for some $i \in \{1, 2, \ldots, n\}$, which by Definition 5.3.5 shows that $\sigma \in A_i \wedge G_i$, or $U_{\mathcal{A}}(\sigma) \notin \Delta$, which implies that $\sigma \in \bigwedge_{i=1}^{n} \neg A_i$.

The following example shows the greater flexibility offered by reactive contracts over parametric ones.

Example 5.3.1. Let $A_1, A_2$ be initially disjoint and $C = (A_1 \vee A_2,\ (A_1 \Rightarrow G_1) \wedge (A_2 \Rightarrow G_2))$ and $\tilde{C}_r = (\tilde{\mathcal{A}}, \tilde{\mathcal{G}}, \tilde{\Delta}, \tilde{R})$ where $\tilde{\mathcal{A}} = \{A_1, A_2\}$, $\tilde{\mathcal{G}} = \{G_1, G_2\}$, $\tilde{\Delta} = \{\langle A_1 \rangle, \langle A_2 \rangle, \langle A_1, A_2 \rangle\}$, $\tilde{R} = \{\langle (A_1, G_1) \rangle, \langle (A_2, G_2) \rangle, \langle (A_1, G_1), (A_2, G_2) \rangle\}$. We can verify that $\tilde{C}_r \leq C$ using the fact that, by Proposition 13, $C = C_r = (\mathcal{A}, \mathcal{G}, \Delta, R)$ where $\mathcal{A} = \tilde{\mathcal{A}}$, $\mathcal{G} = \tilde{\mathcal{G}}$, $\Delta = \{\langle A_1 \rangle, \langle A_2 \rangle\}$, and $R = \{\langle (A_1, G_1) \rangle, \langle (A_2, G_2) \rangle\}$. With the inclusion of $\langle (A_1, G_1), (A_2, G_2) \rangle$ in $\tilde{R}$, $\tilde{C}_r$ is receptive to environments whose behaviors exhibit a change in assumptions from $A_1$ to $A_2$ and requires implementations to adapt accordingly by changing their guarantee from $G_1$ to $G_2$. On the other hand, $C_r$ only specifies the set of implementations to be those behaviors in which either neither $A_1$ nor $A_2$ is satisfied or at least one pair $(A_i, G_i)$ is always satisfied.

Algebra

Let $\mathcal{A}$ be a set of initially disjoint assumptions and $\mathcal{G}$ be a set of guarantees. We can construct an algebra on the set $\mathfrak{C}(\mathcal{A}, \mathcal{G})$ of all reactive contracts obtained from $\mathcal{A}$ and $\mathcal{G}$ as follows. Let $\mathfrak{R} := (\mathcal{A} \times \mathcal{G})^{\infty}$, the set of all $(\mathcal{A} \times \mathcal{G})$-signatures, and $\Delta \Rightarrow R := \{r \mid r \in \mathfrak{R} \wedge \Pi_{\mathcal{A}}(r) \notin \Delta\} \cup R$, the set of all $(\mathcal{A} \times \mathcal{G})$-signatures that are either a reaction in $R$ or have an assumption change sequence not specified in the contingency $\Delta$. Also, let $R{\downarrow}\Delta = \{r \in R \mid \Pi_{\mathcal{A}}(r) \in \Delta\}$ and $\Delta \backslash R = \{\delta \in \Delta \mid \forall r \in R.\ \Pi_{\mathcal{A}}(r) \notin \Delta\}$. From these definitions, we have:

Proposition 14. If $C = (\mathcal{A}, \mathcal{G}, \Delta, R)$ is a reactive contract, then $C^{\star} := (\mathcal{A}, \mathcal{G}, \Delta, \Delta \Rightarrow R)$ satisfies $C^{\star} = C$.

Proof. First, by Definition 5.3.4, it is clear that $\mathcal{E}_C = \mathcal{E}_{C^{\star}}$. Also, $M \in \mathcal{M}_C$ is equivalent to

$$\forall E \in \mathcal{E}_C.\ \forall \sigma \in (M \cap E).\ \exists r \in R.\ \sigma \models^{\rho} r \wedge \Pi_{\mathcal{A}}(r) = U_{\mathcal{A}}(\sigma)$$

$$\Leftrightarrow\ \forall E \in \mathcal{E}_{C^{\star}}.\ \forall \sigma \in (M \cap E).\ \exists r \in R.\ \sigma \models^{\rho} r \wedge \Pi_{\mathcal{A}}(r) = U_{\mathcal{A}}(\sigma)$$

$$\Leftrightarrow\ \forall E \in \mathcal{E}_{C^{\star}}.\ \forall \sigma \in (M \cap E).\ \exists r \in \Delta \Rightarrow R.\ \sigma \models^{\rho} r \wedge \Pi_{\mathcal{A}}(r) = U_{\mathcal{A}}(\sigma),$$

which is equivalent to $M \in \mathcal{M}_{C^{\star}}$. Note that the forward direction of the last “$\Leftrightarrow$” follows from the fact that $R \subseteq \Delta \Rightarrow R$. The reverse direction holds because for any $\sigma \in M \cap E$ where $E \in \mathcal{E}_{C^{\star}} = \mathcal{E}_C$, we have $U_{\mathcal{A}}(\sigma) \in \Delta$, which implies that for any $r' \in \{r \mid r \in \mathfrak{R} \wedge \Pi_{\mathcal{A}}(r) \notin \Delta\}$, we obtain $\sigma \not\models^{s} \Pi_{\mathcal{A}}(r')$ by the initial disjointness of $\mathcal{A}$. By the first condition of Definition 5.3.5, we have $\sigma \not\models^{\rho} r'$. Therefore, the $r$ that satisfies $\Delta \Rightarrow R$ must satisfy $r \in R$.

In light of this, we will say that a reactive contract $C = (\mathcal{A}, \mathcal{G}, \Delta, R)$ is in canonical form if $R = \Delta \Rightarrow R$. We will also denote by $E_{C,\max}$ the set $\{e \in \mathcal{B} \mid \exists \delta \in \Delta.\ e \models^{s} \delta\}$. Observe that $\mathcal{M}_C := \{m \in \mathcal{B} \mid m \notin E_{C,\max} \vee (m \in E_{C,\max} \wedge \exists r \in R.\ m \models^{\rho} r)\} = \mathcal{B} - \{m \in \mathcal{B} \mid m \in E_{C,\max} \wedge \neg(\exists r \in R.\ m \models^{\rho} r)\} = \mathcal{B} - \{m \in E_{C,\max} \mid \neg(\exists r \in R.\ m \models^{\rho} r)\}$. In the following, for $i \in \{1, 2\}$, let $C_i = (\mathcal{A}, \mathcal{G}, \Delta_i, R_i)$ be canonical reactive contracts. The next lemma follows from the fact that $\mathcal{A}$ is initially disjoint:

Lemma 1. $\Delta_2 \subseteq \Delta_1 \Leftrightarrow E_{C_2,\max} \subseteq E_{C_1,\max}$.

Proof. Assume that $E_{C_2,\max} \subseteq E_{C_1,\max}$. For any $\delta \in \Delta_2$, choose a $\sigma \in \mathcal{B}$ such that $\sigma \models^{s} \delta$. By Definition 5.3.4, $\sigma \in E_{C_2,\max}$ and therefore $\sigma \in E_{C_1,\max}$. Since $\mathcal{A}$ is initially disjoint, by Proposition 5.8, any $\delta' \in \Delta_1$ such that $\sigma \models^{s} \delta'$ must satisfy $\delta = \delta'$. Thus, $\delta \in \Delta_1$. The other direction follows directly from the definition of the $E_{C_i,\max}$'s.

Proposition 15. $(\Delta_2 \subseteq \Delta_1 \wedge R_1 \subseteq R_2) \Rightarrow C_1 \leq C_2$.

Proof. We have $E \in \mathcal{E}_{C_2} \Leftrightarrow E \subseteq E_{C_2,\max} \overset{\text{Lemma 1}}{\Rightarrow} E \subseteq E_{C_1,\max} \Leftrightarrow E \in \mathcal{E}_{C_1}$. On the other hand,

$$M \in \mathcal{M}_{C_1}
\ \Leftrightarrow\ M \in \mathcal{B} - \{m \in E_{C_1,\max} \mid \neg(\exists r \in R_1.\ m \models^{\rho} r)\}
\ \overset{\text{Lemma 1}}{\Rightarrow}\ M \in \mathcal{B} - \{m \in E_{C_2,\max} \mid \neg(\exists r \in R_1.\ m \models^{\rho} r)\}$$

$$\overset{R_1 \subseteq R_2}{\Rightarrow}\ M \in \mathcal{B} - \{m \in E_{C_2,\max} \mid \neg(\exists r \in R_2.\ m \models^{\rho} r)\}
\ \Leftrightarrow\ M \in \mathcal{M}_{C_2}.$$

Lemma 2. $C_1 \leq C_2 \Rightarrow \exists C_2' \in \mathfrak{C}(\mathcal{A}, \mathcal{G}).\ \mathcal{E}_{C_2'} = \mathcal{E}_{C_2} \wedge \mathcal{M}_{C_2'} = \mathcal{M}_{C_2} \wedge \Delta_2' \subseteq \Delta_1 \wedge R_1 \subseteq R_2'$.

Proof. We claim that $C_2'$ can be obtained by letting $\Delta_2' := \Delta_2$ and $R_2' := R_1 \cup R_2$. Then, clearly, $\mathcal{E}_{C_2'} = \mathcal{E}_{C_2}$ and $R_1 \subseteq R_2'$. Since $C_1 \leq C_2$, we have $\mathcal{E}_{C_2} \subseteq \mathcal{E}_{C_1}$, and in particular, $E_{C_2,\max} \in \mathcal{E}_{C_1}$. This implies that $E_{C_2,\max} \subseteq E_{C_1,\max}$ as $\forall E \in \mathcal{E}_{C_1}.\ E \subseteq E_{C_1,\max}$. Hence $\Delta_2' = \Delta_2 \subseteq \Delta_1$. Now since $\mathcal{M}_{C_1} \subseteq \mathcal{M}_{C_2}$, we have $\{m \in E_{C_2,\max} \mid \neg(\exists r \in R_2.\ m \models^{\rho} r)\} \subseteq \{m \in E_{C_1,\max} \mid \neg(\exists r \in R_1.\ m \models^{\rho} r)\}$. In particular, because $E_{C_2,\max} \subseteq E_{C_1,\max}$, $\forall m \in E_{C_2,\max}.\ \neg(\exists r \in R_2.\ m \models^{\rho} r) \Rightarrow \neg(\exists r \in R_1.\ m \models^{\rho} r)$. Therefore $\forall m \in E_{C_2,\max}.\ \neg(\exists r \in R_2.\ m \models^{\rho} r) \Leftrightarrow \neg(\exists r \in R_1 \cup R_2.\ m \models^{\rho} r)$. Therefore, $\mathcal{M}_{C_2'} = \mathcal{M}_{C_2}$.

A reaction set $R$ is said to be unambiguous for a contingency set $\Delta$ if for each $\delta \in \Delta$, there is at most one $r \in R$ with $\Pi_{\mathcal{A}}(r) = \delta$.

Proposition 16. If $R_1{\downarrow}\Delta_1 \cup R_2{\downarrow}\Delta_2$ is unambiguous for $\Delta_1 \cup \Delta_2$, then $C = C_1 \wedge C_2 := (\mathcal{A}, \mathcal{G}, \Delta_1 \cup \Delta_2, R_1 \cap R_2)$ is the infimum for $C_1$ and $C_2$ in $\mathfrak{C}(\mathcal{A}, \mathcal{G})$.

Proof. It is not hard to see that $C$ is a canonical reactive contract in $\mathfrak{C}(\mathcal{A}, \mathcal{G})$. The main thing to check here is that if $r \in \mathfrak{R}$ and $\Pi_{\mathcal{A}}(r) \notin \Delta_1 \cup \Delta_2$, then $r \in R_1 \cap R_2$. Indeed, since $\Pi_{\mathcal{A}}(r) \notin \Delta_1 \wedge \Pi_{\mathcal{A}}(r) \notin \Delta_2$, we have $r \in R_1 \wedge r \in R_2$ since $C_1$ and $C_2$ are canonical. By Proposition 15, we have $C \leq C_1$ and $C \leq C_2$. Next, we will show that, if $\sigma$ is a behavior such that $\{\sigma\} \in \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2}$, then $\{\sigma\} \in \mathcal{M}_C$. Because any subset of an implementation is also an implementation, this will imply that $\mathcal{M}_{C_1} \cap \mathcal{M}_{C_2} \subseteq \mathcal{M}_C$ and hence $\mathcal{M}_{C_1} \cap \mathcal{M}_{C_2} = \mathcal{M}_C$. If $\sigma \notin \mathcal{B}_{\mathcal{A}}$ or $U_{\mathcal{A}}(\sigma) \notin \Delta_1 \cup \Delta_2$, then this is obvious. Suppose therefore that $U_{\mathcal{A}}(\sigma) \in \Delta_1 \cup \Delta_2$. Consider the following cases:

1. Without loss of generality, suppose that $\sigma \in \Delta_1$ and $\sigma \notin \Delta_2$. Then since $\{\sigma\} \in \mathcal{M}_{C_1}$, there is an $r \in R_1$ such that $\sigma \models^{\rho} r$. Since $\Pi_{\mathcal{A}}(r) \notin \Delta_2$ by the initial disjointness of $\mathcal{A}$ and $R_2$ is in canonical form, we have $r \in R_2$ and therefore $r \in R_1 \cap R_2$.

2. If $\sigma \in \Delta_1 \cap \Delta_2$, then there are $r_1 \in R_1$ and $r_2 \in R_2$ such that $\sigma \models^{\rho} r_1 \wedge \sigma \models^{\rho} r_2$. By the unambiguity assumption, we have $r_1 = r_2$. Therefore, $\{\sigma\} \in \mathcal{M}_C$.

Let $C' = (\mathcal{A}, \mathcal{G}, \Delta', R')$ be such that $C' \leq C_1$ and $C' \leq C_2$. This implies that $\mathcal{M}_{C'} \subseteq \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2}$. By the initial disjointness of $\mathcal{A}$, we have $\Delta_1 \cap \Delta_2 \subseteq \Delta'$. Since $C$ satisfies $\mathcal{M}_C = \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2}$ and $\Delta_1 \cap \Delta_2 = \Delta$ and $\mathcal{E}_{C'}$ is monotone in $\Delta'$, we have $C' \leq C$.

Proposition 17. $C = C_1 \vee C_2 := (\mathcal{A}, \mathcal{G}, \Delta_1 \cap \Delta_2, R_1 \cup R_2)$ is the supremum for $C_1$ and $C_2$ in $\mathfrak{C}(\mathcal{A}, \mathcal{G})$.

Proof. Let $C' = (\mathcal{A}, \mathcal{G}, \Delta', R')$ be such that $C_1 \leq C'$ and $C_2 \leq C'$. Applying (the proof of) Lemma 2 twice, we obtain the contract $(\mathcal{A}, \mathcal{G}, \Delta', R' \cup R_1 \cup R_1)$ that is equal to $C$. In addition, since $\mathcal{E}_{C'} \subseteq \mathcal{E}_{C_1}$ and $\mathcal{E}_{C'} \subseteq \mathcal{E}_{C_2}$, $\Delta' \subseteq \Delta_1 \cap \Delta_2$. By Proposition 15, we have $C_1 \leq C$, $C_2 \leq C$, and $C \leq C'$. Since $C'$ is an arbitrary upper bound, we are done.

Finally, for composing reactive contracts, we have the following proposition.

Proposition 18. If $R_1{\downarrow}\Delta_1 \cup R_2{\downarrow}\Delta_2$ is unambiguous for $\Delta_1 \cup \Delta_2$, then $C = C_1 \otimes C_2 := (\mathcal{A}, \mathcal{G}, (\Delta_1 \cap \Delta_2) \cup \Delta_1 \backslash R_1 \cup \Delta_2 \backslash R_2, R_1 \cap R_2)$ is the least contract that has the composition property, namely, for any $M_1 \in \mathcal{M}_{C_1}$, $M_2 \in \mathcal{M}_{C_2}$, and $E \in \mathcal{E}_C$, we have $M_1 \oplus M_2 \in \mathcal{M}_C$, $M_1 \oplus E \in \mathcal{E}_{C_2}$, and $M_2 \oplus E \in \mathcal{E}_{C_1}$.

Proof. Let $\sigma \in M_1 \oplus M_2$ and $\delta \in (\Delta_1 \cap \Delta_2) \cup \Delta_1 \backslash R_1 \cup \Delta_2 \backslash R_2$ be such that $\sigma \models^{s} \delta$. Then, as $\sigma \in M_1$ and $\sigma \in M_2$, $\delta \in \Delta_1 \cap \Delta_2$, and there exist $r_1 \in R_1$ and $r_2 \in R_2$ such that $\sigma \models^{\rho} r_1$ with $\Pi_{\mathcal{A}}(r_1) = \delta$ and $\sigma \models^{\rho} r_2$ with $\Pi_{\mathcal{A}}(r_2) = \delta$. By the initial disjointness of $\mathcal{A}$ and the unambiguity assumption on $C_1$ and $C_2$, we have $r_1 = r_2 \in R_1 \cap R_2$. Therefore $\{\sigma\} \in \mathcal{M}_C$. This implies $M_1 \oplus M_2 \in \mathcal{M}_C$. Now, let $\sigma \in M_1 \oplus E$. Then there exists $\delta \in (\Delta_1 \cap \Delta_2) \cup \Delta_2 \backslash R_2$ such that $\sigma \models^{s} \delta$. As $(\Delta_1 \cap \Delta_2) \cup \Delta_2 \backslash R_2 \subseteq \Delta_2$, clearly $\{\sigma\} \in \mathcal{E}_{C_2}$, which implies $M_1 \oplus E \in \mathcal{E}_{C_2}$. Arguing similarly, we also have $M_2 \oplus E \in \mathcal{E}_{C_1}$. This shows that $C$ has the composition property.

Suppose that $C'$ also has the composition property; then $\Delta' \subseteq \Delta$. Indeed, suppose that there is a $\delta \in \Delta'$ such that $\delta \notin (\Delta_1 \cap \Delta_2) \cup \Delta_1 \backslash R_1 \cup \Delta_2 \backslash R_2$. Let $\sigma \models^{s} \delta$. If $\delta \notin \Delta_1 \cup \Delta_2$, then clearly $\{\sigma\} \in \mathcal{M}_{C_1} \cap \mathcal{E}_{C'}$. However, $\sigma \notin \mathcal{E}_{C_2}$. Suppose on the other hand that $\delta \in \Delta_1 \cup \Delta_2$. Without loss of generality, assume that $\delta \in \Delta_1$. Then the fact that $\delta \notin \Delta_1 \cap \Delta_2$ implies $\delta \notin \Delta_2$ and $\{\sigma\} \notin \mathcal{E}_{C_2}$. Furthermore, $\sigma \notin \Delta_1 \backslash R_1$ means that $\{\sigma\} \in \mathcal{M}_{C_1} \cap \mathcal{E}_{C'}$, a contradiction.

Next, we will show that $\mathcal{M}_C \subseteq \mathcal{M}_{C'}$. Indeed, the requirement that for any $M_1 \in \mathcal{M}_{C_1}$ and $M_2 \in \mathcal{M}_{C_2}$, $M_1 \oplus M_2 \in \mathcal{M}_{C'}$ (implying $\mathcal{M}_{C_1} \cap \mathcal{M}_{C_2} \subseteq \mathcal{M}_{C'}$) will enforce this. It suffices to show that for any $\sigma \in \mathcal{B}$ such that $\{\sigma\} \in \mathcal{M}_C$, we have $\{\sigma\} \in \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2}$. We will prove the contrapositive. Let $\sigma \in \mathcal{B}$ be such that $\{\sigma\} \notin \mathcal{M}_{C_1} \cap \mathcal{M}_{C_2}$. Let us show $\{\sigma\} \notin \mathcal{M}_C$. Without loss of generality, assume that $\{\sigma\} \notin \mathcal{M}_{C_1}$. Then there is a $\delta \in \Delta_1 \backslash R_1$ such that $\sigma \models^{s} \delta$. But this implies that there exists no $r \in R_1 \cap R_2$ such that $\sigma \models^{\rho} r$. Therefore, $\{\sigma\} \notin \mathcal{M}_C$. Thus, $C'$ satisfies $\mathcal{M}_C \subseteq \mathcal{M}_{C'}$ and $\Delta' \subseteq \Delta$. Since $\mathcal{E}_{C'}$ is monotone in $\Delta'$, $C$ is indeed the least contract with the composition property.

In the next section, we will show how this formalism can be applied to reactive synthesis.