Chapter V: Reactive Contracts
5.2 Systems and Contracts
To keep things concise without losing generality, we will only cover assume-guarantee contracts defined over a common set of Boolean variables $V$ called the alphabet. For any set $\Sigma$, let $\Sigma^\omega$ be the set of infinite sequences generated from $\Sigma$, namely $\{\langle x_i \rangle_{i=0}^{\infty} = \langle x_0, x_1, \ldots \rangle \mid x_i \in \Sigma\}$, $\Sigma^*$ be the set of finite sequences, and $2^\Sigma$ be the powerset of $\Sigma$. Define $\Sigma^\infty$ as $\Sigma^* \cup \Sigma^\omega$. In accordance with the metatheory, we term any pair of collections of environments and implementations a contract. The theory of assume-guarantee contracts is a model of the metatheory and can be described as follows.
Definition 5.2.1 (Behaviors and Assertions). A behavior $\sigma$ is an element of $\mathcal{B} := (2^V)^\omega$. An assertion $A$ is a subset of $\mathcal{B}$, namely, $A \in 2^{\mathcal{B}}$.
We lift the set of all assertions $2^{\mathcal{B}}$ to a Boolean algebra by defining a unary operator $\neg$ and two binary operators $\wedge$, $\vee$ on it in the standard way: if $A, A_1, A_2$ are assertions, then $\neg A := \mathcal{B} \setminus A$, $A_1 \vee A_2 := A_1 \cup A_2$, $A_1 \wedge A_2 := A_1 \cap A_2$. The induced partial ordering relation $\leq$ on $2^{\mathcal{B}}$ is simply the subset relation $\subseteq$. Additionally, we define a secondary binary operator $\to$, where $A_1 \to A_2$ is shorthand for $\neg A_1 \vee A_2$.
A component $M$ is an assertion designated as such. Via locality assumptions, the assertion characterizing a component is often restricted to a subset of $V$ (with no constraints on variables outside the set). If $M_1$ and $M_2$ are components, the interconnection binary operator $\otimes$ is defined by $M_1 \otimes M_2 := M_1 \wedge M_2$. That is, the set of behaviors of the interconnection consists only of those common to (or witnessed by) both components. We note that depending on how the variables and assertions making up the components being interconnected are defined, $\otimes$ can assume the meaning of either a parallel, series, coproduct, or feedback connection (Censi, 2015). In fact, contracts and the corresponding algebra can be used to constrain components satisfying them so that the meaning of their interconnection will be clear.
Definition 5.2.2 (Contracts). An assume-guarantee contract $\mathcal{C}$ is a pair of assertions $(A, G)$, called the assumption and the guarantee respectively. The set of environments of $\mathcal{C}$, denoted by $\mathcal{E}_{\mathcal{C}}$, captures all components $E$ such that
$$E \leq A. \tag{5.1}$$
In other words, $\mathcal{E}_{\mathcal{C}} = 2^{A}$. The set of implementations of $\mathcal{C}$, denoted by $\mathcal{M}_{\mathcal{C}}$, consists of all components $M$ such that
$$\forall E \in \mathcal{E}_{\mathcal{C}}.\; M \otimes E \leq G. \tag{5.2}$$
Example 5.2.1. Let $V = \{x, y\}$ and $\mathcal{C} = (A, G)$, where $A := \{\sigma \mid x \in \sigma_i \Rightarrow i \bmod 2 = 0\}$, $G := \{\sigma \mid y \in \sigma_i \Rightarrow i \bmod 2 \neq 0\}$, $\sigma_1 := \langle \{x\}, \{y\}, \{x\}, \emptyset, \{x\}, \emptyset, \ldots \rangle$ and $\sigma_2 := \langle \{x\}, \{y\}, \{x\}, \{y\}, \ldots \rangle$. If $E := \{\sigma_1, \sigma_2\}$, then $E \in \mathcal{E}_{\mathcal{C}}$ because $\sigma_1, \sigma_2 \in A$.
Let $M_1 := \{\sigma_1\}$ and $M_2 := \{\sigma_2\}$. Then $M_1 \in \mathcal{M}_{\mathcal{C}}$ because $M_1 \otimes E = \{\sigma_1\} \subseteq G$. However, one can check that $M_2 \notin \mathcal{M}_{\mathcal{C}}$. Note that if $M_3 := \emptyset$, then $M_3 \in \mathcal{M}_{\mathcal{C}}$ as well. The interpretation here is that $M_3$ satisfies the assume-guarantee semantics of $\mathcal{C}$ vacuously.
Since $2^{\mathcal{B}}$ is a Boolean algebra, we infer from inequality (5.2) and the definition of $\otimes$ that $M$ is an implementation if $\forall E \in \mathcal{E}_{\mathcal{C}}.\; M \leq \neg E \vee G$. Choosing $E = A$ in inequality (5.1) gives $M \leq \neg A \vee G$. Conversely, satisfying $M \leq \neg A \vee G$ implies that $M$ is an implementation because $\neg E \vee G$ is antitone in $E$. Thus, we have the following proposition.
Proposition 8. Given $\mathcal{C} = (A, G)$, a component $M$ satisfies $M \in \mathcal{M}_{\mathcal{C}}$ if and only if
$$M \leq A \to G. \tag{5.3}$$
Proposition 8 characterizes implementations $M$ of $\mathcal{C}$ as those components whose behaviors either do not conform to the behaviors specified in $A$ or are compatible with $G$. Specifically, it says that $\mathcal{M}_{\mathcal{C}} = 2^{A \to G}$. Furthermore, since
$$A \to (A \to G) = \neg A \vee (\neg A \vee G) = \neg A \vee G = A \to G, \tag{5.4}$$
inequalities (5.1) and (5.3) yield the following proposition.
Proposition 9. If $\mathcal{C} = (A, G)$ and $\mathcal{C}' = (A, A \to G)$, then $\mathcal{M}_{\mathcal{C}} = \mathcal{M}_{\mathcal{C}'}$ and $\mathcal{E}_{\mathcal{C}} = \mathcal{E}_{\mathcal{C}'}$.
It may be seen from equation (5.4) why any assume-guarantee contract of the form $\mathcal{C} = (A, A \to G)$ is called saturated. By the metatheory, we consider contracts that have the same sets of environments and implementations to be equal, and so by Proposition 9, every contract $\mathcal{C}$ has a unique saturated canonical form $\mathcal{C}'$. This saturated form makes contract algebra more convenient and sheds light on the meaning of the conjunction operation, which motivates our development of "reactive contracts." To describe the conjunction, we will need the idea of contract refinement, whose definition is repeated here for ease of reference.
Definition 5.2.3. We say contract $\mathcal{C}_1 = (A_1, G_1)$ refines a contract $\mathcal{C}_2 = (A_2, G_2)$, and write $\mathcal{C}_1 \preceq \mathcal{C}_2$, if $\mathcal{M}_{\mathcal{C}_1} \subseteq \mathcal{M}_{\mathcal{C}_2}$ and $\mathcal{E}_{\mathcal{C}_2} \subseteq \mathcal{E}_{\mathcal{C}_1}$.
The conjunction of two contracts $\mathcal{C}_1$ and $\mathcal{C}_2$, denoted by $\mathcal{C}_1 \wedge \mathcal{C}_2$, is a contract that is their greatest lower bound (or meet) with respect to $\preceq$. For any contract $\mathcal{C}$, we have $\mathcal{E}_{\mathcal{C}} = 2^{A}$ and $\mathcal{M}_{\mathcal{C}} = 2^{A \to G}$. Therefore, if $\mathcal{C} \preceq \mathcal{C}_1, \mathcal{C}_2$, then by Definition 5.2.3, $\mathcal{M}_{\mathcal{C}} \subseteq \mathcal{M}_{\mathcal{C}_1} \cap \mathcal{M}_{\mathcal{C}_2} = 2^{A_1 \to G_1} \cap 2^{A_2 \to G_2} = 2^{(A_1 \to G_1) \wedge (A_2 \to G_2)}$ and $2^{A_1 \vee A_2} = 2^{A_1} \cup 2^{A_2} = \mathcal{E}_{\mathcal{C}_1} \cup \mathcal{E}_{\mathcal{C}_2} \subseteq \mathcal{E}_{\mathcal{C}}$ (since the intersection/union of powersets of two sets is the powerset of their intersection/union). By the fact that $(A_1 \to G_1) \wedge (A_2 \to G_2)$ is saturated, we have $\mathcal{C}_1 \wedge \mathcal{C}_2 = (A_1 \vee A_2, (A_1 \to G_1) \wedge (A_2 \to G_2))$. By induction, we can conclude the following:
Proposition 10. If for $i = 1, 2, \ldots, n$, $\mathcal{C}_i$ are assume-guarantee contracts, then
$$\bigwedge_{i=1}^{n} \mathcal{C}_i = \Big( \bigvee_{i=1}^{n} A_i,\; \bigwedge_{i=1}^{n} A_i \to G_i \Big). \tag{5.5}$$
Note that we can apply an analogous argument to the disjunction of contracts (defined as their join) to conclude that the set of all saturated contracts forms a complete lattice. Equation (5.5) shows that the "parametric contract" formalism given in (Kim, Arcak, and Seshia, 2017) is exactly the result of applying the conjunction operation to the constituent contracts. That is, if $M$ is an implementation of the conjunction $\bigwedge_i \mathcal{C}_i$ containing $\sigma$ such that $\sigma \in E$, where $E$ is an environment of $\bigwedge_i \mathcal{C}_i$, then there exists at least one $j \in \{1, 2, \ldots, n\}$ such that $\sigma \in A_j$, and for all such $j$, $\sigma \in G_j$. In other words, for any behavior $\sigma$ in which the environment satisfies any assumption $A_i$ in $\{A_1, A_2, \ldots, A_n\}$, the system must react by providing the corresponding guarantee $G_i$. Thus in contract conjunctions, 1) the reactions are defined by pairing each $A_i$ with the corresponding $G_i$, and 2) $A_i \to G_i$ must hold over the sequence $\sigma$ in its entirety. The second restriction is partially relaxed in the "dynamic contract" formalism, used for instance in (Kim, Sadraddini, et al., 2017), where assumptions are allowed to change over fixed time intervals. Our reactive contract framework will 1) remove the one-to-one restriction to allow for a more flexible assumption-guarantee pairing process, 2) enforce immediate guarantee reactions to assumption changes directly on each element $\sigma \in \mathcal{B}$, and 3) enable automated synthesis.
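The definitions above (assertions as sets of behaviors, the operators $\neg$, $\wedge$, $\vee$, $\to$, inequalities (5.1) to (5.3), saturation, refinement and the conjunction of Proposition 10) can all be executed on a finite model. The following Python program is an added example and is not part of the dissertation or of any tool it describes. It makes one assumption of its own: behaviors in $(2^V)^\omega$ are truncated to prefixes of a fixed, small `horizon`, so that $\mathcal{B}$ becomes a finite set and the power set $2^{A}$ of a tiny assumption can be enumerated to check inequality (5.2) literally against the Proposition 8 shortcut. The first contract is the one from Example 5.2.1; the second contract used for the conjunction is constructed here for illustration. For a security engineer this is the compositional pattern behind assume-guarantee reasoning about a component's environment (what it may assume about its inputs) versus its obligations (what it must guarantee on its outputs).

```python
from itertools import combinations, product
from typing import Callable, FrozenSet, NamedTuple, Tuple

# A behavior is a finite prefix of an element of (2^V)^omega: one subset of V per step.
# Truncating to a fixed horizon is this example's own approximation, not the chapter's.
Behavior = Tuple[FrozenSet[str], ...]
Assertion = FrozenSet[Behavior]


class Algebra:
    """The Boolean algebra 2^B of Section 5.2 over a constructed finite universe B:
    every behavior of length `horizon` over the alphabet."""

    def __init__(self, alphabet: Tuple[str, ...], horizon: int) -> None:
        letters = [frozenset(s) for r in range(len(alphabet) + 1)
                   for s in combinations(alphabet, r)]            # the letters 2^V
        self.B: Assertion = frozenset(product(letters, repeat=horizon))

    def where(self, pred: Callable[[Behavior], bool]) -> Assertion:
        return frozenset(b for b in self.B if pred(b))

    def neg(self, a: Assertion) -> Assertion:                     # not A := B \ A
        return self.B - a

    def implies(self, a1: Assertion, a2: Assertion) -> Assertion:  # A1 -> A2 := not A1 or A2
        return self.neg(a1) | a2


class Contract(NamedTuple):
    A: Assertion   # assumption
    G: Assertion   # guarantee


def is_environment(E: Assertion, c: Contract) -> bool:
    return E <= c.A                                                # inequality (5.1)


def implements(alg: Algebra, M: Assertion, c: Contract) -> bool:
    return M <= alg.implies(c.A, c.G)                              # inequality (5.3), Proposition 8


def implements_by_definition(M: Assertion, c: Contract) -> bool:
    """Inequality (5.2) checked literally: for every E in 2^A, M (x) E = M and E <= G.
    Enumerates the power set of A, so it is only usable when A is tiny."""
    members = list(c.A)
    if len(members) > 12:
        raise ValueError("power set of A is too large to enumerate")
    return all((M & frozenset(E)) <= c.G
               for r in range(len(members) + 1)
               for E in combinations(members, r))


def saturate(alg: Algebra, c: Contract) -> Contract:
    return Contract(c.A, alg.implies(c.A, c.G))                    # C' = (A, A -> G)


def refines(alg: Algebra, c1: Contract, c2: Contract) -> bool:
    """Definition 5.2.3, using M_C = 2^(A->G), E_C = 2^A and 2^X <= 2^Y iff X <= Y."""
    return alg.implies(c1.A, c1.G) <= alg.implies(c2.A, c2.G) and c2.A <= c1.A


def conjunction(alg: Algebra, c1: Contract, c2: Contract) -> Contract:
    return Contract(c1.A | c2.A,                                   # equation (5.5), n = 2
                    alg.implies(c1.A, c1.G) & alg.implies(c2.A, c2.G))


def example_contract(alg: Algebra) -> Contract:
    """Example 5.2.1: x only at even steps is assumed; y only at odd steps is guaranteed."""
    A = alg.where(lambda b: all("x" not in s or i % 2 == 0 for i, s in enumerate(b)))
    G = alg.where(lambda b: all("y" not in s or i % 2 != 0 for i, s in enumerate(b)))
    return Contract(A, G)


def check_section_5_2(horizon: int = 2) -> dict:
    """Runs the chapter's claims on the finite model; every value should be True."""
    alg = Algebra(("x", "y"), horizon)
    c1 = example_contract(alg)
    # Constructed second contract: assume y is absent at step 0, guarantee x is absent at step 1.
    c2 = Contract(alg.where(lambda b: "y" not in b[0]),
                  alg.where(lambda b: "x" not in b[1]))
    singletons = [frozenset({b}) for b in alg.B]                  # every one-behavior component
    sigma1 = tuple(frozenset(s) for s in ("x", "y", "x", ""))[:horizon]   # prefix of sigma_1
    both = conjunction(alg, c1, c2)
    return {
        "sigma1_implements": implements(alg, frozenset({sigma1}), c1),
        "empty_implements": implements(alg, frozenset(), c1),     # M_3 = {} is vacuous
        "prop8_matches_definition": all(
            implements(alg, M, c1) == implements_by_definition(M, c1) for M in singletons),
        "saturation_idempotent": saturate(alg, saturate(alg, c1)) == saturate(alg, c1),  # (5.4)
        "prop9_same_implementations": all(
            implements(alg, M, c1) == implements(alg, M, saturate(alg, c1)) for M in singletons),
        "prop10_meet": all(
            implements(alg, M, both) == (implements(alg, M, c1) and implements(alg, M, c2))
            for M in singletons),
        "conjunction_refines_both": refines(alg, both, c1) and refines(alg, both, c2),
    }


if __name__ == "__main__":
    for claim, holds in check_section_5_2().items():
        print(f"{claim}: {holds}")
```

With `horizon=2` the universe has 16 behaviors and the assumption of Example 5.2.1 has 8, so `implements_by_definition` enumerates all 256 environments in $2^{A}$; the agreement with `implements` is Proposition 8 observed directly, and the `prop10_meet` entry is equation (5.5) for two contracts. Raising the horizon keeps `implements`, `saturate`, `refines` and `conjunction` usable but quickly puts the literal check out of reach, which is exactly why the characterization $\mathcal{M}_{\mathcal{C}} = 2^{A \to G}$ matters in practice.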
5.3 Reactive Contracts