Interface Automata
29-September-2011
Modeling Temporal Behavior of Component
• Component behaves with Environment
• Traditional (pessimistic) approach
– Environment is free to behave as it wants to
– Two components are compatible if no environment leads
them into an error state
• Optimistic approach of Interface Automata
– Components designed with assumptions about
environment
– Two components are compatible if some environment can
make both of them work together
• In context of this course
– Write code ONCE and know that it works
Interface Automata
• Interaction specified by synchronizing input and output
actions
– Internal actions of concurrent automata are interleaved
asynchronously
• Input actions
– Model methods that can be called
– Receiving ends of communication channels
• Output actions
– Model method calls
– Messages being transmitted
– Exceptions
• Component designed under environmental assumptions
– i.e., an object works if methods called in specific order
Sample Automata
• Internal state machine
externally invisible
• Labels
–
–
–
–
msg? means message received
send! means action sent out
Dot/arrow on interface species in- or out-connection
Internal transitions are arrows between states based upon
interface interactions
• Let’s discuss possible valid/invalid interactions
Sample Interface Automata
• User
– Designed to be used only with message-transmission
services that cannot fail
Comp  User
• Compose Comp with User
– msg? and msg! collapsed to msg;
– Error state 6 upon second failed nack?
• Composition
– Note how a “new” automata
is created from the
composition with its
own In/Out actions
• Handling errors
– Why does 6 have no exiting
arrows?
– Declared “Illegal” state(s)
Interface Automata
• Definition in paper
– Review page 113
• Compatibility and Composition
– All independent actions are asynchronous
– All shared actions force automata to synchronize state
transitions
• Two automata P and Q are composable if
– They don’t share states
– There is no duplication of Input or Output actions
– That is, “shared” means pairing Input with Output
Component Product
• Review Definition (p114)
• Legal environments
– Steers away from Illegal states
– How to specify? Use an Interface Automata!
• Environment Automata E
– E is composable with R and non-empty
– Input of E is the output of R
– Illegal(R, E) = 
Example
• Channel wraps error-prone
send (ack/nack) with an
error-free get_token /
put_token to ensure delivery
– Parse this from the graphics
Final Notation
• Automata Product Composition: Comp  User
• Restricted Composition: Comp || User
• Nice features of composition
– Associative (P || Q) ||R == P || (R || Q) if either is
defined
– Some automata cannot
be composed in this
restrictive way
Refinement
• Consider relation between abstract and
concrete version of a component
• QuickComp (next slide)
– Provides try-twice msg service
– Provides try-once once service
• Shouldn’t QuickComp be considered a
refinement of Comp?
QuickComp
• Comp QuickComp means QC refines C
Contravariance
• Refined automata must allow for (possibly) more legal
inputs and (possibly) fewer outputs
– Weaken the pre-condition
– Strengthen the post-condition
• Notion of alternating simulation
–
–
–
–
Q refines P if
all input steps of P can be simulated by Q
all output steps of Q can be simulated by P
works because internal state transitions are invisible to
external viewers
• Captures a simple kind of subclassing
– If Q refines P then implementation Q is able to provide
more services than specification P
– Q must be consistent with P on shared services
More definitions
• Transitive: Q refines P and R refines Q
– If P Q and Q R then P R
• Reflexive: P refines P
–P P
• Refinement and compatibility are related
– Replace P with Q if
(a) P and Q are connected to the environment by
same input/output; and
(b) P Q
Refinement is Compositional
• Is P||R S||T?
– One need only check two smaller cases
– Is P S?
– Is R T?
• Compositional reasoning is the key to dealing
with large scale systems
Refinement and Composition
• Given interface automata P, Q, and R where
– Q and R are composable
– InputQ  OutputR  InputP  OutputR
• If P and R are compatible and P Q
– Q and R are compatible
– P||R Q||R
Single-Threaded Interface Automata
• Many compositions can be restricted to singlethreaded
– Client makes request (and then blocks); during
this time client cannot alter state
– Server receives request and once it has
responded, it becomes quiescent and won’t alter
state
• See Figure 7
Single-Threaded vs. Multi-Threaded