(A, G),A,C) be a composite component. If C is correct, then the external view CExt is correct.
Proof of Theorem 3. Since C is correct, it follows from (1) that all $c \in C$ are correct, and hence $M_c \models^{c}_{\Sigma_c} (A_c, G_c)$. Let $M_{Int} = \Vert^{\mathcal{A}}_{c \in C} M_c$. By Lemma 2, it follows that $M_{Int} \models^{c}_{\Sigma} \Vert^{\mathcal{A}}_{c \in C} (A_c, G_c)$. By (4) and Lemma 2, it follows that $M_{Int} \models^{c}_{\Sigma} (A, G){\uparrow}\Sigma$. Hence, $M = M_{Int}{\downarrow}ext(\Sigma) \models^{c}_{ext(\Sigma)} (A, G)$. Furthermore, M is Req-receptive by (6).
To verify that a composite component C satisfies its external contract, we therefore have to verify that the external contract (A, G) is refined by the composition of the contracts of its internal components C under the assembly specification $\mathcal{A}$.
Up to now, we introduced a semantic assume-guarantee framework. In the next section, we discuss how contracts and their satisfaction can be verified on the syntactic level by using real-time temporal logic.
4.2 Real-time logic for reconfiguration
In this section a real-time temporal logic is introduced for the specification of component-based systems that are subject to reconfiguration. This logic provides a syntax for specifying assertions, guarantees and assembly specifications in the described semantic assume-guarantee contract framework. Our starting point is the real-time temporal logic MITL (Metric Interval Temporal Logic) which was introduced in [8]. In general, real-time temporal logics are not decidable [77, 84, 6, 10]. This drawback has often been tackled by sacrificing continuous time in order to achieve decidability and hence a feasible verification [93, 10, 11]; for a discussion on this trade-off see also [9]. The reason for undecidability lies in punctual timing constraints as for example in the formula $\Box(p \to \Diamond_{=3.7}\, q)$ expressing that whenever p is true, q must hold after exactly 3.7 time units. In [8] it is shown that allowing only relaxed versions of this formula as in $\Box(p \to \Diamond_{(3.6,3.8)}\, q)$, which expresses that q must hold between 3.6 and 3.8 time units after p, yields the decidable logic MITL for a continuous time model with non-singular time intervals. We believe that removing the ability to specify punctuality properties shall not be seen as a drawback since punctuality is hard to achieve in practice, and also not required in general.
To be expressive enough for the purpose of specifying reconfigurable systems and reconfigurations in particular, we extend MITL by a binary predicate $\sim$ on port sets in order to express connectivity, i.e. given two ports $p_1$ and $p_2$, $p_1 \sim p_2$ states the existence of a connector between $p_1$ and $p_2$. The predicate $\sim$ is used in two manners: either $\sim$ states connectivity between required and provided ports of components by an internal connector, or it states that a delegate connector connects an external provided (required) port with an internal provided (required) port, respectively. The resulting logic reMITL (Metric Interval Temporal Logic for Reconfigurable Components) is used for specifying assertions and assembly specifications, i.e., interconnections between components and their dynamic evolution. Moreover, we introduce a significant set of derived inference rules for use when verifying global system properties.
In the following definition of reMITL formulas, we use the same time intervals as defined in Section 2.4, Definition 14.
Definition 36 (reMITL-formulas). The set of reMITL-formulas over a (simple or composite component) signature Σ is inductively defined by
$$\varphi ::= \top \mid p \mid p_1 \sim p_2 \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1\, \mathcal{U}_I\, \varphi_2 \mid \varphi_1\, \mathcal{S}_I\, \varphi_2$$
where $p \in ports(\Sigma)$ is a port, $(p_1, p_2) \in conns(\Sigma)$ is a (delegate) connector, and I is a non-singular time interval. For brevity, a reMITL-formula φ over a signature Σ is also called a Σ-formula.
As before (cf. Section 2.4), the abbreviations $\Diamond_I\varphi$, $\Box_I\varphi$, $\varphi_1 \vee \varphi_2$, $\varphi_1 \to \varphi_2$, and $\varphi_1 \leftrightarrow \varphi_2$ are defined.
The semantics of reMITL-formulas is again given as sets of runs over the formula signature. Each run provides, for every point in time, an interpretation of the ports and the connectors of the given signature.
Definition 37 (Satisfaction of reMITL-formulas). A Σ-run $\rho \in \mathcal{R}(\Sigma)$ satisfies a Σ-formula φ (or φ is valid in ρ), denoted by $\rho \models_\Sigma \varphi$, if $(\rho, 0) \models_\Sigma \varphi$, where the satisfaction relation $\models_\Sigma$ between pairs $(\rho, t)$, $t \in \mathbb{R}^+_0$, and Σ-formulas φ is inductively defined as follows:
$(\rho, t) \models_\Sigma \top$;
$(\rho, t) \models_\Sigma p$ iff $p \in \rho(t)$;
$(\rho, t) \models_\Sigma p_1 \sim p_2$ iff $(p_1, p_2) \in \rho(t)$;
$(\rho, t) \models_\Sigma \neg\varphi$ iff $(\rho, t) \not\models_\Sigma \varphi$;
$(\rho, t) \models_\Sigma \varphi_1 \wedge \varphi_2$ iff $(\rho, t) \models_\Sigma \varphi_1$ and $(\rho, t) \models_\Sigma \varphi_2$;
$(\rho, t) \models_\Sigma \varphi_1\, \mathcal{U}_I\, \varphi_2$ iff $\exists t' \in \mathbb{R}^+_0,\ t' \in t + I.\ (\rho, t') \models_\Sigma \varphi_2$ and $\forall t'' \in \mathbb{R}^+_0,\ t < t'' < t'.\ (\rho, t'') \models_\Sigma \varphi_1$;
$(\rho, t) \models_\Sigma \varphi_1\, \mathcal{S}_I\, \varphi_2$ iff $\exists t' \in \mathbb{R}^+_0,\ t' \in t - I.\ (\rho, t') \models_\Sigma \varphi_2$ and $\forall t'' \in \mathbb{R}^+_0,\ t' < t'' < t.\ (\rho, t'') \models_\Sigma \varphi_1$.
A Σ-formula φ is called a consequence of a set Γ of Σ-formulas, denoted by $\Gamma \models_\Sigma \varphi$, if $\rho \models_\Sigma \varphi$ holds for every ρ such that $\rho \models_\Sigma \psi$ for all $\psi \in \Gamma$. φ is called universally valid, denoted by $\models_\Sigma \varphi$, if $\emptyset \models_\Sigma \varphi$.
Again, non-strict versions of $\mathcal{U}$ and $\mathcal{S}$ can be defined from the versions above just as in Schobbens et al. [104].
Given a set Γ of Σ-formulas, the semantics of Γ is defined by the set of all runs satisfying Γ, i.e. $\llbracket\Gamma\rrbracket = \{\rho \in \mathcal{R}(\Sigma) \mid \rho \models_\Sigma \Gamma\}$; if $\Gamma = \{\varphi\}$, then $\llbracket\varphi\rrbracket = \llbracket\Gamma\rrbracket$.
Lemma 3 (Semantic Equivalences). For any Σ-formulas φ and ψ, and any set Γ of Σ-formulas it holds
1. $\llbracket\neg\varphi\rrbracket = \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$, and $\llbracket\varphi \wedge \psi\rrbracket = \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$,
2. $\Gamma \models_\Sigma \varphi \to \psi$ iff $\llbracket\Gamma\rrbracket \cap \llbracket\varphi\rrbracket \subseteq \llbracket\psi\rrbracket$.
Proof of Lemma 3. First, we prove that $\llbracket\neg\varphi\rrbracket = \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$.
Proof of $\llbracket\neg\varphi\rrbracket \subseteq \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$: Let $\rho \in \llbracket\neg\varphi\rrbracket$. By Definition 37, $(\rho, 0) \not\models_\Sigma \varphi$. Therefore, $\rho \notin \llbracket\varphi\rrbracket$, and hence $\rho \in \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$.
Proof of $\llbracket\neg\varphi\rrbracket \supseteq \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$: Let $\rho \in \mathcal{R}(\Sigma) \setminus \llbracket\varphi\rrbracket$. Hence, $\rho \notin \llbracket\varphi\rrbracket$. By Definition 37, it follows that $(\rho, 0) \not\models_\Sigma \varphi$. Hence, $\rho \in \llbracket\neg\varphi\rrbracket$.
Now, we prove that $\llbracket\varphi \wedge \psi\rrbracket = \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$.
Proof of $\llbracket\varphi \wedge \psi\rrbracket \subseteq \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$: Let $\rho \in \llbracket\varphi \wedge \psi\rrbracket$. By Definition 37, it holds that $(\rho, 0) \models_\Sigma \varphi$ and $(\rho, 0) \models_\Sigma \psi$. Therefore, $\rho \in \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$.
Proof of $\llbracket\varphi \wedge \psi\rrbracket \supseteq \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$: Let $\rho \in \llbracket\varphi\rrbracket \cap \llbracket\psi\rrbracket$, i.e., by Definition 37, $(\rho, 0) \models_\Sigma \varphi$ and $(\rho, 0) \models_\Sigma \psi$. Thus, $(\rho, 0) \models_\Sigma \varphi \wedge \psi$. Finally, $\rho \in \llbracket\varphi \wedge \psi\rrbracket$.
Next, we prove that $\Gamma \models_\Sigma \varphi \to \psi$ iff $\llbracket\Gamma\rrbracket \cap \llbracket\varphi\rrbracket \subseteq \llbracket\psi\rrbracket$ holds.
Proof direction “⇒”: Let $\Gamma \models_\Sigma \varphi \to \psi$, i.e. $\forall \rho \in \mathcal{R}(\Sigma).\ (\forall \gamma \in \Gamma.\ \rho \models_\Sigma \gamma) \Rightarrow \rho \models_\Sigma \varphi \to \psi$. This is equivalent to $\forall \rho \in \llbracket\Gamma\rrbracket.\ \rho \models_\Sigma \varphi \to \psi$. Let $\rho \in \llbracket\Gamma\rrbracket$. By Definition 37 and the definition of →, it follows that $\rho \not\models_\Sigma \varphi$ or $\rho \models_\Sigma \psi$. Assuming that $\rho \models_\Sigma \varphi$ therefore implies that $\rho \models_\Sigma \psi$. Hence, $\llbracket\Gamma\rrbracket \cap \llbracket\varphi\rrbracket \subseteq \llbracket\psi\rrbracket$.
Proof direction “⇐”: Let $\llbracket\Gamma\rrbracket \cap \llbracket\varphi\rrbracket \subseteq \llbracket\psi\rrbracket$, i.e. $\forall \rho \in \llbracket\Gamma\rrbracket \cap \llbracket\varphi\rrbracket.\ \rho \models_\Sigma \psi$. Let $\rho \in \llbracket\Gamma\rrbracket$. For this ρ, it holds that $\rho \not\models_\Sigma \varphi$ or $\rho \models_\Sigma \psi$. Therefore, $\rho \models_\Sigma \varphi \to \psi$. It follows that $\forall \rho \in \mathcal{R}(\Sigma).\ (\forall \gamma \in \Gamma.\ \rho \models_\Sigma \gamma) \Rightarrow \rho \models_\Sigma \varphi \to \psi$, and hence $\Gamma \models_\Sigma \varphi \to \psi$.
With the help of Lemma 3, it is possible to specify assume-guarantee contracts and implementations by MITL formulas over the correct signature.
Contract satisfaction can now be expressed by satisfaction of reMITL-formulas, which means that we have decidability of contract satisfaction as long as all assertions (contract, assumption and guarantee) are given as reMITL-formulas. By applying Definition 29 and Lemma 3 we obtain the following corollary.
Corollary 1 (Contract satisfaction expressed by model satisfaction). Let $\varphi_A$ and $\varphi_G$ be Σ-formulas, and Γ a set of Σ-formulas. Then it holds that $\Gamma \models_\Sigma \varphi_A \to \varphi_G$ if and only if $\llbracket\Gamma\rrbracket \models^{c}_{\Sigma} (\llbracket\varphi_A\rrbracket, \llbracket\varphi_G\rrbracket)$.
Furthermore, contract refinement can be expressed by satisfaction of reMITL-formulas.
Corollary 2 (Contract refinement expressed by model satisfaction). Let $\varphi_{A1}$, $\varphi_{A2}$, $\varphi_{G1}$, and $\varphi_{G2}$ be Σ-formulas. Then it holds that $(\llbracket\varphi_{A2}\rrbracket, \llbracket\varphi_{G2}\rrbracket)$ is refined by $(\llbracket\varphi_{A1}\rrbracket, \llbracket\varphi_{G1}\rrbracket)$ if and only if $\models_\Sigma (\varphi_{A2} \to \varphi_{A1}) \wedge (\varphi_{G1} \to \varphi_{G2})$.
Finally, parallel composition of contracts can be computed directly on reMITL-formulas.
Corollary 3 (Contract composition in reMITL). Let $\varphi_{A1}$, $\varphi_{A2}$, $\varphi_{G1}$, $\varphi_{G2}$, and $\varphi_{\mathcal{A}}$ be Σ-formulas. Then it holds that
$$(\llbracket\varphi_{A1}\rrbracket, \llbracket\varphi_{G1}\rrbracket)\ \Vert_{\llbracket\varphi_{\mathcal{A}}\rrbracket}\ (\llbracket\varphi_{A2}\rrbracket, \llbracket\varphi_{G2}\rrbracket) = (\llbracket\varphi_A \vee \neg\varphi_G\rrbracket, \llbracket\varphi_G\rrbracket),$$
where $\varphi_A = \varphi_{A1} \wedge \varphi_{A2} \wedge \varphi_{\mathcal{A}}$ and $\varphi_G = \varphi_{G1} \wedge \varphi_{G2} \wedge \varphi_{\mathcal{A}}$.
Now, we discuss soundness and completeness results for reMITL. As shown by Schobbens et al. [104], MITL with non-singular intervals has a sound and complete proof system (consisting of one rule and 59 axiom schemata); we call this proof system $\Pi_{MITL}$.
Inference rules (the rule set referred to below as Figure 4.2), each written as premises, with side condition if any, over the conclusion:
(1) all propositional tautologies are derivable
(2) $\dfrac{\varphi \in \Gamma}{\Gamma \vdash_\Sigma \varphi}$
(3) $\dfrac{\Gamma \cup \{\varphi\} \vdash_\Sigma \psi}{\Gamma \vdash_\Sigma \varphi \to \psi}$
(4) $\dfrac{\Gamma \vdash_\Sigma \psi}{\Gamma \cup \{\varphi\} \vdash_\Sigma \psi}$
(5) $\dfrac{\Gamma \vdash_\Sigma \varphi \to \psi \quad \Gamma \vdash_\Sigma \varphi}{\Gamma \vdash_\Sigma \psi}$
(6) $\dfrac{\Gamma \vdash_\Sigma p \sim q}{\Gamma \vdash_\Sigma q \leftrightarrow p}$
(7) $\dfrac{\Gamma, \varphi \vdash_\Sigma \psi \quad \Gamma, \neg\varphi \vdash_\Sigma \psi}{\Gamma \vdash_\Sigma \psi}$
(8) $\dfrac{\Gamma \vdash_\Sigma \varphi_1 \to (\varphi_2 \to \psi)}{\Gamma \vdash_\Sigma \varphi_1 \wedge \varphi_2 \to \psi}$
(9) $\dfrac{\Gamma \vdash_\Sigma \varphi}{\Box_I\Gamma \vdash_\Sigma \Box_I\varphi}$
(10) $\dfrac{\Gamma \vdash_\Sigma \Box_I\varphi}{\Gamma \vdash_\Sigma \Diamond_I\varphi}$
(11) $\dfrac{\Gamma \vdash_\Sigma \Box_I\varphi}{\Gamma \vdash_\Sigma \varphi}$ if $0 \in I$
(12) $\dfrac{\Gamma \vdash_\Sigma \Box_I(\varphi \to \psi) \quad \Gamma \vdash_\Sigma \Diamond_J\varphi}{\Gamma \vdash_\Sigma \Diamond_J\psi}$ if $I \supseteq J$
(13) $\dfrac{\Gamma \vdash_\Sigma \Box_I\varphi \quad \Gamma \vdash_\Sigma \Box_I(\varphi \leftrightarrow \psi)}{\Gamma \vdash_\Sigma \Box_I\psi}$
(14) $\dfrac{\Gamma \vdash_\Sigma \Box_I\varphi \quad \Gamma \vdash_\Sigma \Box_I\psi}{\Gamma \vdash_\Sigma \Box_I(\varphi \wedge \psi)}$
(15) $\dfrac{\Gamma \vdash_\Sigma \Box_J\varphi}{\Gamma \vdash_\Sigma \Box_I\varphi}$ if $J \supseteq I$
(16) $\dfrac{\Gamma \vdash_\Sigma \Diamond_J\varphi}{\Gamma \vdash_\Sigma \Diamond_I\varphi}$ if $J \subseteq I$
(17) $\dfrac{\Gamma \vdash_\Sigma \Box_I\Box_J\varphi}{\Gamma \vdash_\Sigma \Box_{I+J}\varphi}$
(18) $\dfrac{\Gamma \vdash_\Sigma \Diamond_I\Diamond_J\varphi}{\Gamma \vdash_\Sigma \Diamond_{I+J}\varphi}$
(19i) $\dfrac{\Gamma \vdash_\Sigma \Box_I(\varphi_1 \wedge \varphi_2)}{\Gamma \vdash_\Sigma \Box_I\varphi_i}$ for $i \in \{1, 2\}$
(20) $\dfrac{\Gamma \vdash_\Sigma \Diamond_I\varphi \quad \Gamma \vdash_\Sigma \Box_I\psi}{\Gamma \vdash_\Sigma \Diamond_I(\varphi \wedge \psi)}$
(21) $\dfrac{\Gamma \vdash_\Sigma \Box_I(p \sim q)}{\Gamma \vdash_\Sigma \Box_I(p \leftrightarrow q)}$
(22) $\dfrac{\Gamma \vdash_\Sigma \Box_I(p \sim q)}{\Gamma \vdash_\Sigma \Box_I(\neg p \leftrightarrow \neg q)}$
(23) $\dfrac{\Gamma \vdash_\Sigma \Box_I\varphi \wedge \Box_J\varphi}{\Gamma \vdash_\Sigma \Box_{I \cup J}\varphi}$ if $I \cup J$ is convex
For the completeness proof, Schobbens et al. translate MITL formulas into formulas of a real-time temporal logic over clocks, called EventClockTL, and then prove the completeness of EventClockTL w.r.t. a proof system we call $\Pi_{EvCTL}$. We use this result for proving the completeness of reMITL as follows.
For any composite component signature Σ we add the following axiom schema ConnAx of propositional formulas of the form
$$(p \sim q) \to (p \leftrightarrow q)$$
where p, q are ports of Σ to the proof systems and call these extensions $\Pi^{\Sigma}_{reMITL}$ and $\Pi^{\Sigma}_{reEvCTL}$.
Theorem 4 (Completeness of reMITL). For any composite component signature Σ the proof system $\Pi^{\Sigma}_{reMITL}$ is a complete proof system for reMITL.
Proof of Theorem 4. For reasons of succinctness we discuss only a sketch of the proof; in particular, all omitted definitions can be found in [104].
Obviously, the propositional axioms ConnAx are consistent with the axioms of propositional Metric Interval Temporal Logic MITL; thus the proof system $\Pi^{\Sigma}_{reMITL}$ is sound. For the completeness we observe that the translation of MITL into EventClockTL is the identity for propositional formulas of the form ConnAx. Thus it suffices to show the completeness of $\Pi^{\Sigma}_{reEvCTL}$. This proof is completely analogous to the completeness proof for $\Pi_{EvCTL}$ in [104]. It suffices to extend the notion of propositional consistency in [104] by the clause
$$(p \sim q) \in F \text{ implies } ((p \wedge q) \in F \text{ or } (\neg p \wedge \neg q) \in F)$$
for any set F of formulas (which is contained in the closure of a formula α). Then the model construction for α is the same as in [104].
For the soundness of $\Pi^{\Sigma}_{reMITL}$, it suffices to show that the axiom schemata and additional, derived rules introduced in Figure 4.2 are sound.
Theorem 5 (Soundness of reMITL). The axiom scheme ConnAx and the inference rules in Figure 4.2 are sound: $\Gamma \vdash_\Sigma \varphi$ implies $\Gamma \models_\Sigma \varphi$ for every finite set of Σ-formulas Γ and every Σ-formula φ.
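As an added illustration (not part of the original text), the following Python code implements the satisfaction relation of Definition 37 over a run sampled at integer time points, evaluates an instance of ConnAx and a bounded-response formula on two constructed runs, and checks Lemma 3(1) on that finite run set. The discrete sampling, the closed intervals [lo, hi], the tuple encoding of formulas and the port names req, ext_req and ack are assumptions of this example, not the dense-time model of the text.

```python
"""Discrete-time evaluator for reMITL satisfaction (Definition 37), with checks of ConnAx
and Lemma 3(1) on constructed runs. Assumption of this example, not the model of the
text: time is sampled at integer points 0..len(run)-1 and intervals are closed [lo, hi]."""

TOP = ("top",)
def port(p):               return ("port", p)                  # port p
def conn(p1, p2):          return ("conn", p1, p2)             # connector p1 ~ p2
def neg(f):                return ("not", f)
def conj(f, g):            return ("and", f, g)
def until(f, g, lo, hi):   return ("until", f, g, lo, hi)      # f U_[lo,hi] g
def since(f, g, lo, hi):   return ("since", f, g, lo, hi)      # f S_[lo,hi] g
def impl(f, g):            return neg(conj(f, neg(g)))         # derived, cf. Section 2.4
def iff(f, g):             return conj(impl(f, g), impl(g, f))
def eventually(f, lo, hi): return until(TOP, f, lo, hi)               # <>_I f
def always(f, lo, hi):     return neg(eventually(neg(f), lo, hi))     # []_I f
def sat(run, f, t=0):
    """(rho, t) |= f, where run[t] is the set of ports and connector pairs true at t."""
    kind = f[0]
    if kind == "top":  return True
    if kind == "port": return f[1] in run[t]
    if kind == "conn": return (f[1], f[2]) in run[t]
    if kind == "not":  return not sat(run, f[1], t)
    if kind == "and":  return sat(run, f[1], t) and sat(run, f[2], t)
    _, g, h, lo, hi = f
    if kind == "until":  # some t' in t+I satisfies h, and g holds strictly between t and t'
        return any(sat(run, h, t2) and all(sat(run, g, t1) for t1 in range(t + 1, t2))
                   for t2 in range(t + lo, min(t + hi, len(run) - 1) + 1))
    if kind == "since":  # some t' in t-I satisfies h, and g holds strictly between t' and t
        return any(sat(run, h, t2) and all(sat(run, g, t1) for t1 in range(t2 + 1, t))
                   for t2 in range(max(t - hi, 0), t - lo + 1))
    raise ValueError(f"unknown formula kind {kind}")

def semantics(runs, f):
    """[[f]] restricted to a finite candidate set of runs, as a set of run indices."""
    return {i for i, run in enumerate(runs) if sat(run, f)}
def lemma3_holds(runs, f, g):
    """Lemma 3(1) on a finite run set: [[not f]] = R minus [[f]], [[f and g]] = [[f]] cap [[g]]."""
    everything = set(range(len(runs)))
    return (semantics(runs, neg(f)) == everything - semantics(runs, f)
            and semantics(runs, conj(f, g)) == semantics(runs, f) & semantics(runs, g))

# Constructed run: delegate connector req ~ ext_req whose ports always agree; ack at t=2.
RUN_OK = [{"req", "ext_req", ("req", "ext_req")}, {("req", "ext_req")},
          {"ack", ("req", "ext_req")}, {("req", "ext_req")}]
# Constructed run that ConnAx excludes from the model: connector present, ports disagree at t=0.
RUN_BAD = [{"req", ("req", "ext_req")}, set(), set(), set()]
# ConnAx instance [](req ~ ext_req -> (req <-> ext_req)) and the bounded response [](req -> <>_[1,3] ack).
CONN_AX = always(impl(conn("req", "ext_req"), iff(port("req"), port("ext_req"))), 0, 3)
RESPONSE = always(impl(port("req"), eventually(port("ack"), 1, 3)), 0, 3)
```

The run on which ConnAx fails is exactly the kind of run the model R(Σ) must exclude for Theorem 5 to hold, and the strictness of U_I in Definition 37 shows in req U_[0,3] ack failing on RUN_OK because req does not hold at t = 1.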
4.3 Simple framework application case study