12.2 Soundness of Component Verification

When a possibility map is found for the two automata, the sets of traces of the two automata stand in a set inclusion relation with respect to the selected set of actions. If the set of actions comprises all actions the simulated automaton can take, this inclusion result becomes even stronger, in the sense that the simulator automaton must be able to deal with the input actions the simulated automaton can receive.

Theorem 12.1 (Soundness of possibility maps [NS94]):

Let $C_1, C_2$ be (configuration) automata, $\mathit{Act}$ a set of actions and $r$ a possibility map from $C_1$ to $C_2$ with respect to $\mathit{Act}$. Then the following holds.

$$\mathit{traces}(C_1)\downarrow_{\mathit{Act}} \subseteq \mathit{traces}(C_2)$$
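The following Python script is an added illustration of what Theorem 12.1 buys; it is not part of the thesis and uses two small constructed automata rather than the CCA of the thesis. An implementation $C_1$ performs an internal "work" step between a "call" and its "ret", while the specification $C_2$ only knows the external actions. The possibility-map conditions it checks are an assumption, since Definition 12.4 is not on this page: initial states map to initial states, every step of $C_1$ on an action in $\mathit{Act}$ is matched by a step of $C_2$ between the mapped states, and a step outside $\mathit{Act}$ leaves the mapped state unchanged. The script then confirms the projected trace inclusion by bounded enumeration, and also runs a faulty implementation that answers twice per call, for which the map check fails and the inclusion fails with it.

```python
"""Possibility maps and projected trace inclusion on small automata.

Constructed example for Theorem 12.1 style reasoning; the automata, the map
conditions and all names here are assumptions, not the thesis's own
definitions.  An automaton is a pair (initial_states, steps), where steps is
a set of (source, action, target) triples.
"""
from typing import Dict, FrozenSet, Hashable, List, Optional, Set, Tuple

State = Hashable
Step = Tuple[State, str, State]
Automaton = Tuple[Set[State], Set[Step]]


def is_possibility_map(c1: Automaton, c2: Automaton, act: FrozenSet[str],
                       r: Dict[State, State]) -> Optional[str]:
    """Return None if r satisfies the (assumed) possibility-map conditions from
    c1 to c2 with respect to act, otherwise a description of the first violation.

    1. Every initial state of c1 maps to an initial state of c2.
    2. For every step x -e-> x2 of c1 with r(x) defined, r(x2) is defined and
       either e is in act and r(x) -e-> r(x2) is a step of c2, or e is outside
       act and r(x) == r(x2).  Together with 1. this covers every reachable
       state of c1; unreachable states may stay unmapped.
    """
    init1, steps1 = c1
    init2, steps2 = c2
    for x in init1:
        if r.get(x) not in init2:
            return f"initial state {x!r} is not mapped to an initial state of C2"
    for x, e, x2 in steps1:
        if x not in r:
            continue  # unreachable or deliberately unmapped source state
        if x2 not in r:
            return f"target of step {(x, e, x2)!r} is unmapped"
        if e in act:
            if (r[x], e, r[x2]) not in steps2:
                return f"step {(x, e, x2)!r} has no matching C2 step {(r[x], e, r[x2])!r}"
        elif r[x] != r[x2]:
            return f"internal step {(x, e, x2)!r} changes the mapped state"
    return None


def traces(c: Automaton, max_len: int) -> Set[Tuple[str, ...]]:
    """All action sequences of length <= max_len that c can execute from an initial state."""
    init, steps = c
    found: Set[Tuple[str, ...]] = {()}
    frontier = {(s, ()) for s in init}
    for _ in range(max_len):
        nxt = set()
        for s, tr in frontier:
            for x, e, x2 in steps:
                if x == s:
                    ext = tr + (e,)
                    found.add(ext)
                    nxt.add((x2, ext))
        frontier = nxt
    return found


def project(trace: Tuple[str, ...], act: FrozenSet[str]) -> Tuple[str, ...]:
    """traces(C) projected onto act: drop every action that is not in act."""
    return tuple(e for e in trace if e in act)


def missing_traces(c1: Automaton, c2: Automaton, act: FrozenSet[str],
                   max_len: int) -> List[Tuple[str, ...]]:
    """Projected traces of c1 (up to max_len steps) that c2 cannot produce.
    An empty list means traces(c1) projected onto act is a subset of
    traces(c2) within the bound (c2 here uses only actions of act)."""
    lhs = {project(t, act) for t in traces(c1, max_len)}
    rhs = traces(c2, max_len)
    return sorted(lhs - rhs)


# Constructed automata (assumptions, not from the thesis).
ACT: FrozenSet[str] = frozenset({"call", "ret"})
SPEC: Automaton = ({"idle"}, {("idle", "call", "busy"), ("busy", "ret", "idle")})
IMPL: Automaton = ({0}, {(0, "call", 1), (1, "work", 2), (2, "ret", 0)})
R: Dict[State, State] = {0: "idle", 1: "busy", 2: "busy"}
# A faulty implementation that answers twice per call.
IMPL_BAD: Automaton = ({0}, {(0, "call", 1), (1, "work", 2), (2, "ret", 3), (3, "ret", 0)})
R_BAD: Dict[State, State] = {0: "idle", 1: "busy", 2: "busy", 3: "idle"}


if __name__ == "__main__":
    print("IMPL map check:", is_possibility_map(IMPL, SPEC, ACT, R))
    print("IMPL missing traces:", missing_traces(IMPL, SPEC, ACT, 6))
    print("IMPL_BAD map check:", is_possibility_map(IMPL_BAD, SPEC, ACT, R_BAD))
    print("IMPL_BAD missing traces:", missing_traces(IMPL_BAD, SPEC, ACT, 6))
```

The map check is local, one step at a time, whereas trace inclusion is a global property that the script can only confirm by enumeration up to a bound; the theorem is what allows the local check to stand in for the global property. In the setting of this chapter the set of actions is $E_{\mathit{cmp}}(a)$ and the states are CCA states.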

To apply this reasoning technique to our verification problem (Definition 12.3), we need to determine an appropriate set of actions. The interest lies in the external events in which a component instance can take part. These external events can be generically defined by the following function, given the initial actor of the component instance.

$$\mathit{extEv}(a) = \{\, e \mid \mathit{isMethod}(e) \land \mathit{isEmit}(e) \land (\mathit{caller}(e) \notin \mathit{ancestors}(a) \lor \mathit{target}(e) \notin \mathit{ancestors}(a)) \,\}$$

In addition to the external events, the component specification uses the reaction events of the input events, as captured by $E_{\mathit{cmp}}$ defined in Proposition 9.2.

$$E_{\mathit{cmp}}(a) = \mathit{extEv}(a) \cup \{\, e \mid \mathit{emitOf}(e) \in \mathit{extEv}(a) \,\}$$

Consequently, $E_{\mathit{cmp}}$ becomes the basis for defining the possibility map. If a possibility map with respect to $\mathit{envEv}$ can be found between the CCA containing the component automaton of the component specification and the CCA containing the actor automaton of the class specification, then this shows that the component specification is satisfied by its implementation.

Lemma 12.1 (Reasoning soundness for component specification):

Let

• $[C]$ be a component,

• $D = \{C_1, \ldots, C_i, [C_{i+1}], \ldots, [C_j]\}$ a creation-complete set of subcomponents with respect to $C$,

• $S_C, S_{C_1}, \ldots, S_{C_i}$ the respective class specifications, and

Let $C_1$ be a component configuration automaton whose set of activator classes is $D$ and whose initial states are mapped to the configurations containing an actor automaton of $S_C$. Similarly, we define $C_2$ as a component configuration automaton whose initial states are mapped to configurations containing a component automaton of $S_{[C]}$. The initial actor of $C_1$ and $C_2$ is the same: $a$. If there exists a possibility map $r$ from $C_1$ to $C_2$ with respect to $E_{\mathit{cmp}}(a)$, then

$$\mathit{xtraces}(C_1) \subseteq \mathit{xtraces}(C_2).$$


Proof:

From Theorem 12.1, $\mathit{traces}(C_1)\downarrow_{E_{\mathit{cmp}}(a)} \subseteq \mathit{traces}(C_2)$. From Proposition 9.2, the set of events $E$ overapproximates the state signatures of the CompA of $S_{[C]}$. Because the transitions of $C_2$ depend exclusively on the transitions of the CompA, each trace of $C_2$ consists only of events in $E_{\mathit{cmp}}(a)$. The external traces are obtained from the traces by projecting them onto the emittance events, i.e., $\mathit{extEv}(a)$. Because $\mathit{extEv}(a) \subseteq E_{\mathit{cmp}}(a)$, $\mathit{xtraces}(C_1) \subseteq \mathit{xtraces}(C_2)$. $\square$

Every possibility map that links two CCA shares the same properties: it relates only configurations that have the same set of exposed actors and the same input events accumulated in the buffers of the actors. Linking configurations where these properties do not hold means that different core traces are needed to reach the configurations. Because the AA and CompA also store information on the tasks the instances are working on, the paired configurations should agree on the external tasks. To ensure that both CCA process the same input events, the sets of received future and target actor pairs must be the same. These properties should hold for states that are reachable from the initial states. Other (non-reachable) states may be part of the map, but because these states are never part of the set of executions of the CCA, they do not affect the generated set of traces. In fact, it is sufficient for our verification purpose to consider maps from the reachable states of the first CCA to the second CCA. The following lemma summarizes these conditions.

Lemma 12.2 (Mapping prerequisites for CCA):

Let $C_1$ and $C_2$ be two component configuration automata such that $a$ is the initial actor. Assuming the interface implemented by every class is not empty, a possibility map $r$ from $C_1$ to $C_2$ with respect to $E_{\mathit{cmp}}(a)$ fulfills the following condition:


$$\begin{array}{l}
\mathrm{PREREQ} \stackrel{\mathrm{def}}{=} \forall x \in \mathit{rStates}(C_1) : \exists\, \mathcal{C}_1, \mathcal{C}_2, A', s', b' : r(x) \neq \mathit{undef} \implies \\
\quad \mathcal{C}_1 = \mathit{config}(C_1)(x) \land \mathcal{C}_2 = \mathit{config}(C_2)(x') \land \mathit{names}(\mathcal{C}_2) \subseteq \mathit{names}(\mathcal{C}_1) \land \mathit{exposed}(\mathcal{C}_1) = \mathit{exposed}(\mathcal{C}_2) \land (A', s', b') \in \mathcal{C}_2 \land {} \\
\quad \big(\bigcup_{\mathit{cond}} s(\mathit{buf}_c) \cup s(\mathit{buf}_r)\big) \cap \mathit{extEv}(a) = s'(\mathit{buf}_c) \cup s'(\mathit{buf}_r) \land {} \\
\quad \big(\bigcup_{\mathit{cond}} s(\mathit{tasks})\big) \cap \{\mathit{eCore}(e) \mid e \in \mathit{extEv}(a)\} = s'(\mathit{tasks}) \land {} \\
\quad \big(\bigcup_{\mathit{cond}} s(\mathit{rcvFutTgt})\big) \cap \{\langle u, a'\rangle \mid \mathit{gen}(u) \in \mathit{ancestors}(a) \land a' \in \mathit{exposed}(\mathcal{C}_1)\} = s'(\mathit{rcvFutTgt})
\end{array}$$

where $\mathit{rStates}(C_1)$ is the set of (reachable) states of $C_1$ to each of which there is an execution from the initial state, and

$$\mathit{cond} \stackrel{\mathrm{def}}{=} (A, s, b) \in \mathcal{C}_1 \land \mathit{names}(A) \cap \mathit{exposed}(\mathcal{C}_1) \neq \emptyset.$$


Proof (by contradiction):

Assume that $r$ is a map from $C_1$ to $C_2$ such that PREREQ is not fulfilled. Then we need to show that $r$ is not a possibility map (i.e., $r$ does not satisfy Definition 12.4). This means that there is $x \in \mathit{rStates}(C_1)$ where at least one of the conjuncts does not hold.

Case $\mathit{names}(\mathcal{C}_2) \supset \mathit{names}(\mathcal{C}_1)$: The set of actor names represented by a CompA is equivalent to the set of its exposed actors. This means that $\mathit{exposed}(\mathcal{C}_2) \supset \mathit{exposed}(\mathcal{C}_1)$. However, by Definition 9.5 there is a transition that causes an actor to be exposed in $\mathcal{C}_2$ but not in $\mathcal{C}_1$. Since $x$ is reachable in $C_1$ and the initial states all have the same set of exposed actors (i.e., the initial actor), by Definition 12.4.2 there should be $x'$ such that $x' \xrightarrow{e}_{C_1} x$ and $r(x') \xrightarrow{e}_{C_2} r(x)$. However, both transitions have the same effect because $C_1$ and $C_2$ are both CCA. Therefore, Definition 12.4.2 cannot hold.

Case $\mathit{exposed}(\mathcal{C}_1) \supset \mathit{exposed}(\mathcal{C}_2)$: The same argument as before.

Case $\big(\bigcup_{\mathit{cond}} s(\mathit{buf}_c) \cup s(\mathit{buf}_r)\big) \cap \mathit{extEv}(a) \neq s'(\mathit{buf}_c) \cup s'(\mathit{buf}_r)$: The same argument as before, with $e$ taken as an input event.

Case $\big(\bigcup_{\mathit{cond}} s(\mathit{tasks})\big) \cap \{\mathit{eCore}(e) \mid e \in \mathit{extEv}(a)\} \neq s'(\mathit{tasks})$: The same argument as before, with $e$ taken as a reaction to an input event.

Case $\big(\bigcup_{\mathit{cond}} s(\mathit{rcvFutTgt})\big) \cap \{\langle u, a'\rangle \mid \mathit{gen}(u) \in \mathit{ancestors}(a) \land a' \in \mathit{exposed}(\mathcal{C}_1)\} \neq s'(\mathit{rcvFutTgt})$: CCA are input enabled (Definition 9.6). Because we assume that every class is defined such that its instances can receive input messages, there can be an input event sent to $a'$ with future $u$ on $C_1$ but not on $C_2$, or vice versa. Therefore, Definition 12.4.2 does not hold.

For all cases, a contradiction is reached and thus the lemma holds. $\square$

The lemma above applies when each class implements a non-empty interface. If class $C$ implements an empty interface, we can always construct a map where a state in $C_1$ is related to some state $y$ in $C_2$ in which actors of class $C$ have spuriously received more input events. Since these actors cannot receive (any further) input events that may influence their internal states (in fact, they should not receive input events to begin with), we can always pick a map where PREREQ holds. Therefore, we can use PREREQ as the basis for constructing a possibility map.

To verify whether a component specification is fulfilled, we define a map between the states of the CCA. To show that the map is a possibility map, we typically use a CCA whose initial states are mapped to a configuration where the SIOA representing the initial actor is not marked as a component instance. By Theorem 9.1, this decision does not affect the observable behavior of the CCA, but it eases the comparison of the configurations without having to refer to the composed states.

To illustrate the reasoning technique, we verify the $[\mathit{Worker}]$ component specification $S_{[\mathit{Worker}]}$. The verification of the $[\mathit{Server}]$ component specification follows the same line of reasoning.

Example 12.2.1:

Let $C_1$ and $C_2$ be CCA whose initial states are mapped to a configuration containing the AA of $S_{\mathit{Worker}}$ and the CompA of $S_{[\mathit{Worker}]}$, respectively. The initial $\mathit{Worker}$ actor is represented by $w$. We also let the component instance mapping of the AA be set to false, allowing the creation of actors to be represented in the configuration as separate SIOA. The map $r$ from $C_1$ to $C_2$ is defined as follows:

$$\begin{array}{l}
\mathrm{PREREQ} \land \forall x \in \mathit{rStates}(C_1), y \in \mathit{states}(C_2) : \exists\, A_1, A_2, s_1, s_2, u, u', q : \\
\quad (A_1, s_1, \mathit{false}) \in \mathit{config}(C_1)(x) \land (A_2, s_2, \mathit{true}) \in \mathit{config}(C_2)(y) \land {} \\
\quad \{w\} = \mathit{names}(A_1) \land w \in \mathit{names}(A_2) \land s_2(\mathit{known}) = \{a \mid w \in \mathit{ancestors}(a)\} \land s_2(\mathit{outCalls}) = s_2(\mathit{genFut}) = \emptyset \land {} \\
\quad \mathit{uniqueFut}(s_1(\mathit{futTriple})) \land \mathit{uniqueFut}(s_2(\mathit{futQPair})) \land s_2(\mathit{futQPair}) = \{\langle u, q\rangle \mid \langle u, u', q\rangle \in s_1(\mathit{futTriple})\} \\
\implies r(x) = y
\end{array}$$

where $\mathit{uniqueFut}$ is a function that disallows the internal state of a Worker AA and CompA from having two elements with the same future. In other words, each element of $\mathit{futTriple}$ and $\mathit{futQPair}$ can be uniquely identified by its future (from the environment calls). The condition placed on the states of the CompA ensures that there is no ambiguity about which state of $C_2$ a state of $C_1$ is mapped to. This map is a possibility map, as reasoned below.

0. For every $x \in \mathit{states}(C_1)$ there is at most one $y \in \mathit{states}(C_2)$ that fulfills the condition. This follows from the precise description of the internal state of $y$ in the map definition.

1. $C_1$ has a single initial state $x_0$ that is mapped to a configuration $\mathcal{C}_1$ such that $\mathit{exposed}(\mathcal{C}_1) = \{w\}$, $\mathit{futs}(\mathcal{C}_1) = \emptyset$ and $(A(w), s_0, \mathit{false}) \in \mathcal{C}_1$, where $A(w)$ is the AA of $S_{\mathit{Worker}}$ parameterized with $w$ and $s_0$ is the initial state of the worker with the empty set as the value of the internal state. $C_2$ also has a single initial state $y_0$ that is mapped to a similar configuration, except that $A(w)$ represents the CompA of $S_{[\mathit{Worker}]}$. Because these two states fulfill the conditions, $r(x_0) = y_0$.

2. The related states of both CCA can receive the same input events, because of the restriction on $\mathit{rcvFutTgt}$ of the AA/CompA representing $w$. Executing the reaction event $u \rightarrow w : \mathit{do}(p)$ adds to the internal state in the same way, such that the post-states of the transition on both CCA are connected. All other events map the post-states $x'$ to the same $y$. We only concentrate on the output events $e_o = u \leftarrow w : \mathit{do}/v$. If the query $q$ of $\mathit{do}$ is a singleton, then $v$ contains the expected value of $\mathit{compute}(q)$. Because $x$ is a state reachable from some initial state, we can reason that the event sequence transitions and event transitions of the $\mathit{Worker}$ and $[\mathit{Worker}]$ specifications must hold in order to reach $x$. From $S_{\mathit{Worker}}$, the transition $u \leftarrow w : \mathit{do}/v$ is taken if $\langle u, u', q\rangle$ is in $\mathit{futTriple}$ and $v$ is formed from $\mathit{merge}(\mathit{compute}(\mathit{firstQuery}(q)), v')$, where $v'$ is obtained from the value stored in $u'$. The future $u'$ is generated alongside the call $\mathit{do}$ on a fresh $[\mathit{Worker}]$ instance. From $S_{[\mathit{Worker}]}$, the value returned by this component instance is $\mathit{compute}(\mathit{restQuery}(q))$. From the assumption on the $\mathit{merge}$ function, we have that $v = \mathit{compute}(q)$. Thus, the transition labeled by the output event $e_o$ on $C_1$ mimics the transition with the same label on $C_2$. Definition 12.4.2 is fulfilled.


Example 12.2.2:

Let $C_1$ and $C_2$ be CCA whose initial states are mapped to a configuration containing the AA of $S_{\mathit{Server}}$ and the CompA of $S_{[\mathit{Server}]}$, respectively. The initial server actor is represented by $\mathit{serv}$. The map $r$ from $C_1$ to $C_2$ is defined as follows:

$$\begin{array}{l}
\mathrm{PREREQ} \land \forall x \in \mathit{rStates}(C_1), y \in \mathit{states}(C_2) : \exists\, A_1, A_2, s_1, s_2, u, q : \\
\quad (A_1, s_1, \mathit{false}) \in \mathit{config}(C_1)(x) \land (A_2, s_2, \mathit{true}) \in \mathit{config}(C_2)(y) \land {} \\
\quad \mathit{names}(A_1) = \{\mathit{serv}\} \land \mathit{serv} \in \mathit{names}(A_2) \land s_2(\mathit{known}) = \{a \mid \mathit{serv} \in \mathit{ancestors}(a)\} \land s_2(\mathit{outCalls}) = s_2(\mathit{genFut}) = \emptyset \land {} \\
\quad \mathit{uniqueFut}(s_1(\mathit{futPair})) \land \mathit{uniqueFut}(s_2(\mathit{futQPair})) \land s_2(\mathit{futQPair}) = \{\langle u, q\rangle \mid \langle u, q\rangle \in s_1(\mathit{futPair})\} \\
\implies r(x) = y
\end{array}$$

We can show that $r$ is a possibility map by following a reasoning similar to that for the $[\mathit{Worker}]$ component. The main difference lies in the method calls made on the server. Because there is no need to show how a $[\mathit{Worker}]$ component instance functions, the reasoning is simpler.