Connecting open systems of communicating finite state machines

Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476 Contents lists available at ScienceDirect Journal of Logical and Algebraic...

Download PDF

770KB Sizes 0 Downloads 49 Views

Report

PDF Reader
Full Text

Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

Contents lists available at ScienceDirect

Journal of Logical and Algebraic Methods in Programming www.elsevier.com/locate/jlamp

Connecting open systems of communicating ﬁnite state machines Franco Barbanera a,∗ , Ugo de’Liguoro b , Rolf Hennicker c a b c

Dipartimento di Matematica e Informatica, Università di Catania, Italy Dipartimento di Informatica, Università di Torino, Italy Institute of Informatics, LMU Munich, Germany

a r t i c l e

i n f o

Article history: Received 8 December 2018 Accepted 2 July 2019 Available online 6 September 2019 Keywords: Communicating ﬁnite state machine Communicating system Composition of open systems Communication properties Global type with interface roles

a b s t r a c t Communicating Finite State Machines (CFSMs) are an established model for describing and analysing distributed systems whose concurrently running components communicate via FIFO-channels. Systems of CFSMs are usually considered as closed systems which do not provide access points for communication with the environment. In our study we relax this view such that certain components of a CFSM system can be looked at as describing the behaviour of the environment interacting with the system. They are considered as interfaces and if two systems posses compatible interfaces (according to a natural notion of compatibility) they can be connected. We propose a novel connection mechanism such that interface CFSMs are replaced by automatically generated “gateway” CFSMs, enabling messages to be exchanged between the systems. As a crucial outcome of our approach we prove that, under mild assumptions, if CFSM systems are connected in such a way a number of important communicating properties is preserved: deadlock-freeness, strong deadlock-freeness, orphan-message freeness, freeness of unspeciﬁed receptions, and progress. The communication properties we consider are those enjoyed by CFSM systems obtained by end-point projections of certain global type formalisms used in the ﬁeld of asynchronous multiparty session types. To this end we introduce a parametric syntax to compose global types via interface roles. As a consequence of our preservation results we get for free that composed projected systems enjoy the communication properties. © 2019 Elsevier Inc. All rights reserved.

1. Introduction Communicating Finite State Machines (CFSMs) is a widely investigated formalism for the description and the analysis of distributed systems, originally proposed in [1]. CFSMs are a variant of ﬁnite state I/O-automata that represent processes which communicate by asynchronous exchanges of messages via FIFO channels. A communicating system, called “protocol” in [1], is a ﬁnite set of CFSMs over some vocabulary of messages such that senders and receivers are identiﬁed by the names of CFSMs. Following [2–4] such names are called roles or participants. The dynamics of a system is formalised as a transition relation of conﬁgurations, where a conﬁguration is a tuple of states of the machines in the system and of buffers representing the content of the channels. The overall behaviour of a system can be described (at least) by the traces of conﬁgurations that are reachable from a distinguished initial one. Conﬁg-

*

Corresponding author. E-mail addresses: [email protected] (F. Barbanera), [email protected] (U. de’Liguoro), hennicker@iﬁ.lmu.de (R. Hennicker).

https://doi.org/10.1016/j.jlamp.2019.07.004 2352-2208/© 2019 Elsevier Inc. All rights reserved.

2

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

urations may exhibit some pathological properties, like various forms of deadlock or progress violation, channels containing messages that will never be consumed (orphan messages) or just sent to a participant who is expecting another message to come (unspeciﬁed receptions). The goal of the analysis of communicating systems is to check whether such kind of conﬁgurations are reachable or not. Although the desirable system properties are undecidable in general [1], suﬃcient conditions are known that are effectively checkable relying, for instance, on half-duplex communication [2], on the form of network topologies [5], or on synchronous compatibility checking [6]. As such a system of CFSMs is essentially considered as a closed set of interacting processes. However, distributed systems are seldom developed as independent entities and, either directly in their design phase or even after their deployment, they should be considered as open entities ready for interaction with the environment. To overcome this limitation we propose that – according to the current needs – some roles of the system can be considered as interface roles modelling the environment. Technically there is no difference between an interface and any other role (the behaviour of both is described by CFSMs), but for the fact that an interface role can be used to connect the system to another one which possesses a compatible interface. Roughly, two CFSMs are compatible if, abstracting from the (local) names of senders and receivers, their traces of messages are dual, namely obtained one from the other by interchanging the input/output tags. In case of systems with compatible interfaces we show that one can effectively construct two new CFSMs, which we dub gateways, such that, once substituted for the interfaces, the union of the original systems is a new system connecting them. The main results in this paper ensure that, under mild assumptions requiring no mixed states and ?!-determinism of interface CFSMs, important communication properties are preserved by composition, namely deadlock-freeness, strong deadlock-freeness, orphan-message freeness, freeness of unspeciﬁed receptions, and progress. Hence any communicating system which is constructed by composing sub-systems where no pathological conﬁgurations are reachable will enjoy the same property. We shall also show that, by taking out one of the above mentioned assumptions, the communication properties are no longer preserved by system composition. First, we consider binary composition of systems which can only lead to tree-like architectures. We then extend the approach to “cyclic architectures” as well, we investigate multiple gateways connections and show that our preservation results are still valid, but progress, for which a counterexample is provided. Several formalisms, based on the notion of global type, have been proposed in the literature, such as [7–9], to provide syntactic (process algebraic) means for the description of the overall communication behaviour of a distributed system. The expressiveness of the investigated formalisms kept on increasing during the last decade, leading to representations of global behaviours as generalised global types [3], global graphs [4] and global choreographies [10], where the local end-point projections are interpreted as CFSMs. For instance, the interpretation in [3] identiﬁes a class of systems, called Multiparty Session Automata (MSAs), where properties such as safety, boundedness, progress and liveness are guaranteed by the syntactic constraints of the formalism. Similarly, strong deadlock-freeness is ensured by the systems obtained as end-point projections of global choreographies in [10]. To support the deﬁnition of open global types we introduce syntactic means, parametric in the underlying global type framework, which allow to deﬁne Global Types with Interface Roles (GTIRs) and their composition via compatible interfaces. As a consequence of the preservation results we obtain that (the interpretations of) composed global types enjoy the communication properties that are ensured by the underlying global type formalism. Outline. In Section 2 the main deﬁnitions concerning CFSMs and communicating systems of CFSMs are recalled, together with the deﬁnitions of communication properties. In Section 3 we deﬁne interface compatibility, gateways and system composition. Section 4 is devoted to the study of preservation of communication properties by system composition. In Section 5 we show by a number of counterexamples that if either the no mixed state assumption or the ?!-determinism assumption for interface CFSMs is removed our preservation results are not valid anymore. In Section 6 the composition of systems is extended from two to multiple gateways connections. The extension of global type formalisms to allow for open global types and their composition is presented in Section 7. Finally, in Section 8, we provide some concluding remarks. Comparison to the workshop version. The present paper is a completely revised and signiﬁcantly extended version of [11]. Following the suggestion of a reviewer we now focus the paper on CFSM systems rather than on global types. In [11] preservation results were provided for deadlock-freeness, orphan-message freeness, and reception-error freeness. The proofs of these results are now given in detail and a new result, preservation of progress, is added. Moreover, we consider a stricter version of deadlock-freeness that stems from [10] and is dubbed strong deadlock-freeness in the following. Its preservation proof is obtained out of progress and orphan-message freeness preservations. A section is added to show – by means of a number of counterexamples – that the preservation results do not hold if the conditions of either no mixed state or ?!-determinism are dropped from the deﬁnition of interface compatibility. Going beyond [11] we investigate multiple connections, obtaining systems connected in graph structures rather than just trees. Progress property preservation in case of cyclic architectures of system compositions is shown not to hold for multiple connections by means of a counterexample. The proofs of orphan-message freeness and reception-error freeness preservation for the single connection case, instead, are extended to the multiple connections case. The (parametric) syntax of Global Types with Interface Roles of [11], representing CFSM systems connected through gateways, is signiﬁcantly simpliﬁed taking into account that any role can be looked at as an interface role according to the current needs. GTIRs are now presented at the end of the paper.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

3

2. Systems of communicating ﬁnite state machines In this section we recall (partly following [2–4]) the deﬁnitions of communicating ﬁnite state machine (CFSM) and systems of CFSMs. Throughout the paper we assume given a countably inﬁnite set PU of role (participant) names (ranged over by p, q, r, s, A, B, H, I, . . .) and a countably inﬁnite alphabet AU (ranged over by a, b, c , . . .) of messages. Deﬁnition 2.1 (CFSM). Let P and A be ﬁnite subsets of PU and AU respectively. i) The set C P of channels over P is deﬁned by

C P = {pq | p, q ∈ P, p = q} ii) The set ActP,A of actions over P and A is deﬁned by

ActP,A = C P × {!, ?} × A iii) A communicating ﬁnite-state machine over P and A is a ﬁnite transition system given by a tuple

M = ( Q , q0 , A, δ) where Q is a ﬁnite set of states, q0 ∈ Q is the initial state, and δ ⊆ Q × ActP,A × Q is a set of transitions. Notice that the above deﬁnition of a CFSM is generic w.r.t. the underlying sets P of roles and A of messages. This is necessary, since we shall not deal with a single system of CFSMs but with an arbitrary number of open systems that can be composed. We shall write C and Act instead of C P and ActP,A when no ambiguity can arise. We assume l, l , . . . to range over Act; ϕ , ϕ , . . . to range over Act∗ (the set of ﬁnite words over Act), and w , w , . . . to range over A∗ (the set of ﬁnite words over A). ε (∈ / A ∪ Act) denotes the empty word and | v | the length of a word v ∈ Act∗ ∪ A∗ . Given a word v with preﬁx v , i.e. such that v = v · v for a certain v , we deﬁne v \ v = v . Moreover, given a word v with ‘a’ as last element, i.e. v = v · a for a certain v , we deﬁne init( v ) = v and last( v ) = a. The transitions of a CFSM are labelled by actions; a label sr!a represents the asynchronous sending of message a from machine s to r through channel sr and, dually, sr?a represents the reception (consumption) of a by r from channel sr. We write M ⊆ Act∗ for the language over Act accepted by the automaton corresponding to machine M, where each state of M is an accepting state. A state q ∈ Q with no outgoing transition is ﬁnal; q is a sending (resp. receiving) state if it is not ﬁnal and all outgoing transitions are labelled with sending (resp. receiving) actions; q is a mixed state if there are at least two outgoing transitions: one labelled with a sending action and the other one labelled with a receiving action. A CFSM M = ( Q , q0 , A, δ) is: a) deterministic if for all states q ∈ Q and all actions l: (q, l, q ), (q, l, q ) ∈ δ imply q = q ; b) ?-deterministic (resp. !-deterministic) if for all states q ∈ Q and all actions (q, rs?a, q ), (q, pq?a, q ) ∈ δ (resp. (q, rs!a, q ), (q, pq!a, q ) ∈ δ ) imply q = q ; c) ?!-deterministic if it is both ?-deterministic and !-deterministic. The notion of ?!-deterministic machine is more demanding than in usual CFSM settings. It will be needed in order to guarantee preservation of communication properties when systems are connected. Note that a ?!-deterministic CFSM is also deterministic, but the converse does not hold (since the channel names are abstracted away in the deﬁnition of ?!-determinism). Deﬁnition 2.2 (Communicating system and conﬁguration). Let P and A be as in Deﬁnition 2.1. i) A communicating system (CS) over P and A is a tuple S = ( M p )p∈P where for each p ∈ P, M p = ( Q p , q0p , A, δp ) is a CFSM over P and A. ) where ii) A conﬁguration of a system S is a pair s = ( q, w – q = (qp )p∈P with qp ∈ Q p , = ( w pq )pq∈C with w pq ∈ A∗ . – w The component q is the control state of the system and qp ∈ Q p is the local state of machine M p . The component w represents the state of the channels of the system and w pq ∈ A∗ is the state of the channel for messages sent from p ) with q0 = (q0p )p∈P . to q. The initial conﬁguration of S is s0 = (q0 , ε

) and s = (q , w ) q, w Deﬁnition 2.3 (Reachable conﬁguration). Let S be a communicating system over P and A, and let s = ( l

be two conﬁgurations of S. Conﬁguration s is reachable from s by ﬁring a transition with action l, written s −→ s , if there is a ∈ A such that one of the following conditions holds:

4

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

1. l = sr!a and (qs , l, qs ) ∈ δs and a) for all p = s : qp = qp and b) w sr = w sr · a and for all pq = sr : w pq = w pq ; 2. l = sr?a and (qr , l, qr ) ∈ δr and a) for all p = r : qp = qp and b) w sr = a · w sr and for all pq = sr : w pq = w pq . l

We write s −→ s if there exists l such that s −→ s . As usual, we denote the reﬂexive and transitive closure of −→ by −→∗ . The set of reachable conﬁgurations of S is R S ( S ) = {s | s0 −→∗ s}. According to the last deﬁnition, communication happens via buffered channels following the FIFO principle. l2

l3

ln−1

ln

l2

We shall use ξ, ξ , . . . to range over sequences of transitions of the form s1 −→ s2 −→ . . . −→ sn−1 −→ sn . If ξ = s1 −→ ln

. . . −→ sn we denote by |ξ | its length, deﬁned as |ξ | = n − 1. In case n = 1 we have a degenerate transition sequence of length 0 made of a single conﬁguration. We shall denote by ξ/i the subsequence of the ﬁrst i transitions of a sequence ξ . l2

ln−1

ln

ln

Let ξ be a sequence of the form s1 −→ . . . −→ sn−1 , and let sn−1 −→ sn . We shall denote by ξ −→ sn the transition l2

ln−1

ln

sequence s1 −→ . . . −→ sn−1 −→ sn .

) be a conﬁguration of S. q, w Deﬁnition 2.4 (Communication properties). Let S be a communicating system, and let s = ( i) s is a deadlock conﬁguration if

= ε ∧ ∀p ∈ P. qp is a receiving state w i.e. all buffers are empty, but all machines are waiting for a message. We say that S is deadlock-free whenever, for any s ∈ R S ( S ), s is not a deadlock conﬁguration. ii) s is an orphan-message conﬁguration if

= ε (∀p ∈ P. qp is ﬁnal) ∧ w i.e. each machine is in a ﬁnal state, but there is still at least one non-empty buffer. We say that S is orphan-message free whenever, for any s ∈ R S ( S ), s is not an orphan-message conﬁguration. iii) s is an unspeciﬁed reception conﬁguration if a) ∃r ∈ P. qr is a receiving state; and b) ∀s ∈ P.[ (qr , sr?a, qr ) ∈ δr =⇒ (| w sr | > 0 ∧ w sr ∈ a · A∗ ) ]. i.e. there is a receiving state qr which is prevented from receiving any message from any of its buffers. (In other words, in each channel sr from which role r could consume there is a message which cannot be received by r in state qr .) We say that S is reception-error free whenever, for any s ∈ R S ( S ), s is not an unspeciﬁed reception conﬁguration. iv) S satisﬁes the progress property if ) ∈ R S ( S ), either there exists s such that s −→ s or (∀p ∈ P. qp is ﬁnal). for all s = ( q, w Note that progress property (iv) implies deadlock-freeness. The other properties are mutually independent. The above deﬁnitions of communication properties are the same as the properties considered in [3], though our formulation of progress is slightly simpler but equivalent to the one in [3]. The notions of orphan message and unspeciﬁed reception are also the same as in [4]. The same notions of deadlock and unspeciﬁed reception are given in [2] and inspired by [1]. The deadlock notions in [1] and [4] coincide with [2] and [3] if the local CFSMs have no ﬁnal states. Otherwise deadlock in [4] is weaker than deadlock above. A still weaker notion of deadlock conﬁguration, and hence a stronger notion of deadlock-freeness, has been suggested in [10]. To distinguish it from the notion above, we call it strong deadlock-freeness.

) be a conﬁguration of S. Deﬁnition 2.5 (Strong deadlock-freeness). Let S be a communicating system, and let s = ( q, w s is a weak deadlock conﬁguration if s −→ and either rs?a

a) ∃r ∈ P such that qr −→ qr , or = ε b) w i.e. s is stuck and at the same time either a machine is still waiting for a message or there is a message waiting in a buffer which cannot be consumed (or both). We say that S is strongly deadlock-free whenever, for any s ∈ R S ( S ), s is not a weak deadlock conﬁguration.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

5

As it is natural to expect, a stuck conﬁguration made of ﬁnal states and empty buffers is not a weak deadlock conﬁguration. But any orphan-message conﬁguration is a weak deadlock conﬁguration. It can be shown that the strong deadlock-freeness property is equivalent to the properties of progress and orphanmessage freeness. Moreover, progress is just the same as strong deadlock-freeness when alternative (b) of Deﬁnition 2.5 is omitted. Proposition 2.6. Let S be a communicating system. i) If S is strongly deadlock-free, then S is deadlock-free. ) ∈ R S ( S ) if and only if ii) There is no progress in a reachable conﬁguration s = ( q, w 1. s −→ and rs?a

2. ∃r ∈ P such that qr −→ qr . iii) S is strongly deadlock-free if and only if S is orphan-message free and satisﬁes the progress property. Proof. i) is obvious. ). Then s −→ ii) ⇒: Assume that there is no progress in s = ( q, w and there exists r ∈ P such that qr is not ﬁnal. Thus rs?a

no sending action is possible in qr . Therefore there must exist a transition qr −→ qr and thus (ii2) holds. rs?a

⇐: The converse direction is clear, since s −→ and, by (ii2), there exists r ∈ P and qr −→ qr . Thus qr is not ﬁnal. iii) ⇒: Assume that there exists an orphan-message conﬁguration s ∈ R S ( S ). Since for all p ∈ P, qp is ﬁnal, we have = ε since s is an orphan-message conﬁguration. Thus s is a weak deadlock conﬁguration. Now assume s −→ . Moreover, w that there exists a conﬁguration s ∈ R S ( S ) with no progress. Then, using (ii), s is a weak deadlock conﬁguration. ⇐: Assume that there is a weak deadlock conﬁguration s ∈ R S ( S ). Then s −→ . If a) of Deﬁnition 2.5 holds then, according to (ii), there is no progress in s. If a) does not hold, then ∀p ∈ P. qp is ﬁnal and, since s is a weak deadlock conﬁguration, = ε . In this case s is an orphan-message conﬁguration. 2 b) in Deﬁnition 2.5 must hold, i.e. w 3. Open systems and their composition A system of concurrent components is considered to be open if the system is ready for communication with the “outside”, i.e. with its environment. This ability provides means for composing open systems into larger systems (which may still be open). To do the composition in a proper way it is common practice to rely on interface descriptions. Systems of CFSMs, as deﬁned in the literature and in the previous section, are usually assumed to be closed systems since all components needed for a functioning of the system are already there. In our approach, we introduce a novel view on CFSM systems as open systems if we regard certain roles of the system as interface roles. An interface role is intended to represent (part of) the expected communication behaviour of the environment. Identifying a role as interface corresponds to expecting its behaviour to be realised by the environment rather than an actual component of the system. Then, according to such an approach there is actually no distinction between closed and open systems. In principle, since any role could be looked at – depending on the current needs – as an interface, any system can be looked at as open. In particular, once two systems of CFSMs possess two “compatible” CFSMs which have been identiﬁed as interfaces, they can be connected. In our approach we use suitable “gateways” for this purpose. The gateways are automatically synthesised out of the interface CFSMs and the connection simply consists in replacing the latter by the former. 3.1. Interface compatibility We shall introduce the relation of compatibility between interface CFSMs and their connection by means of a working example (which will be further detailed in Section 7). Let us assume we wish to develop an open system, let us dub it S, which can receive a text message from the outside. Once a text is received, the system tries to transmit it to a social network. If the message is accepted by the network, the system sends an ok message back to the environment, otherwise it sends a fail message. We assume that the system includes a system manager, modelled by role M, which (among others) is responsible for communication with the outside. We model that part of the environment of system S which sends a text and waits for a positive or negative answer by an interface role J. The behaviour of J is described by the CFSM M J shown in Fig. 1. Let us consider now another open system S , having, among others, roles A, B and L, where L is an interface role of S . Within S the roles A and B keep on sending a text message to L, which replies with a positive or negative acknowledgement (ok or fail, respectively). L accepts a message of role B only after a successful sending by A, and vice versa, in an alternating manner. A fail message from L forces the resending of the message. The behaviour of interface role L is given by the CFSM M L shown in Fig. 2. The interface roles J and L are compatible, in that the text message asked for by L can be the one provided by J to system S, whereas the ok and fail messages J receives can be the ones that L sends to system S . In a nutshell, if we do not take into account channels in the labels, the language accepted by J is the dual (i.e. ’!’ and ’?’ are exchanged) of that accepted by L.

6

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

J 1

(1)

JM!text MJ?ok

2

MJ?fail

Fig. 1. CFSM M J for interface role J.

L

LB!fail

3

1

BL?text

AL?text

4

LB!ok

LA!ok

2

(2)

LA!fail

Fig. 2. CFSM M L for interface role L.

For the general deﬁnition of compatibility, we want to consider the dual of the language accepted by a CFSM when input and output are reversed and the names of communication channels are forgotten. For that purpose we need the following preliminary deﬁnitions: Deﬁnition 3.1. Let P and A be as in Deﬁnition 2.1. i) For any

ϕ ∈ Act∗ , the word ϕ C/ ∈ ({!, ?} × A)∗ is inductively deﬁned by:

εC/ = ε

(pq?a · ϕ )C/ =?a · ϕ C/

(pq!a · ϕ )C/ =!a · ϕ C/ .

Moreover, for A ⊆ Act∗ , A C/ = {ϕ C/ | ϕ ∈ A }. ii) The dualisation function (·) : ({!, ?} × A) → ({!, ?} × A) is deﬁned by !a =?a, ?a =!a and straightforwardly extended to words in ({!, ?} × A)∗ and ﬁnite sets of words. Our notion of interface compatibility requires that the languages of the CFSMs of two interface roles are dual to each other (up to channel names). Additionally we require the absence of mixed states as well as input and output determinism for each of the two CFSMs. In fact, if either of these two conditions were omitted one can provide counterexamples showing that our forthcoming results on preservation of communication properties would generally no longer be valid; see the discussion in Sect. 5. Deﬁnition 3.2 (Interface compatibility). i) Let M 1 and M 2 be two CFSMs over P1 and A1 (P2 and A2 resp.). M 1 and M 2 are compatible, denoted by M 1 ↔ M 2 , whenever 1) L( M 1 )C/ = L( M 2 )C/ , 2) M 1 and M 2 do not contain mixed states, and 3) M 1 and M 2 are ?!-deterministic. ii) Let S 1 = ( M p )p∈P1 and S 2 = ( M p )p∈P2 be two communicating systems over P1 and A1 (P2 and A2 resp.). Two roles H ∈ P1 and K ∈ P2 are interface compatible, denoted by H ↔K, if M H ↔ M K . In our example we have J ↔L, since the CFSMs (1) and (2) are compatible. As already pointed out above, their languages are dual to each other (after forgetting channel names) and, moreover, none of the two CFSMs has mixed states and both are ?!-deterministic. Remark 3.3. Condition 1) of our compatibility notion relies on trace equivalence when reversing input and output signs. One may wonder what would happen, if we would require instead a (strong) bisimulation relation between the CFSMs M 1 and M 2 if channel names on the labels are forgotten and input and output are reversed. In fact this would make no difference, since under the ?!-determinism assumption bisimulation and trace equivalence under reversal of input and output would be the same. This is a consequence of the general fact that for deterministic labelled transition systems trace equivalence

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

J

L

BL?text

LB!fail

LJ?text JL!ok

3

4

2

1

4

JL?fail

MJ?fail

4

LA!fail

LA!ok 2

2

1

LJ!text

JM!text 2

AL?text LB!ok

JL!fail

MJ?ok

1

3

1

2

7

LJ!text JL?ok

JL?ok

2

JL?fail

Fig. 3. gw( M J , L) and gw( M L , J).

and bisimulation equivalence coincide; see Theorem 2.3.12 in [12]. An interesting question for future research is to ﬁgure out which conditions stronger than (dual) language equivalence could guarantee our preservation results in Section 4, if we would drop the ?!-determinism assumption. Interestingly requiring a bsimulation relation (up to duality of ? and !) would not help. (Fig. 5 would provide a counterexample.) 3.2. Connecting open systems In the next step we want to connect systems with compatible interfaces. The idea is to establish a communication between the two interfaces by constructing gateway processes out of them. Looking again to our example, once the compatibility of J and L is ascertained, the behaviours of two gateway processes can be easily constructed from M J and from M L , respectively. For that purpose we insert an intermediate state with appropriate transitions in the middle of any transition of M J (and similarly of M L ) enabling to pass messages from the interface role of one system to the other. For instance, the transition of M J from state 1 to state 2 labelled with JM!text is split into two transitions (see Fig. 3, left), where J ﬁrst receives a text from L, i.e. from the outside, and then sends it to M, i.e. to the inside. On the other hand, the transition of M L from state 1 to state 2 labelled with AL?text is split into two transitions (see Fig. 3, right), where L ﬁrst receives a text from A, i.e. from the inside, and then sends it to J, i.e. to the outside. That way a text sent from role A in system S can ﬁnally be received by the manager M in system S when the two systems are composed. The composition simply takes all CFSMs of the single systems together but replaces M J by gw( M J , L) and M L by gw( M L , J) where both gateway CFSMs are shown in Fig. 3. In general, such gateway processes can be constructed by means of an algorithm that we dub gw(·). It takes two arguments: the CFSM M H (of some role H) to be transformed and the name K of a role (of the other system) and returns the gateway CFSM gw( M H , K). The gateway function transforms M H by inserting a new state in between any transition. In such a way a transition from q to q receiving a message a from a role s(= K) is transformed into two transitions: one from q q receiving a from s, and one from q to q sending a to K. Conversely, a transition from q to q sending a to the new state message a to a role s(= K) is transformed into two transitions: one from q to the new state q receiving a from K, and one from q to q sending a to s. We distinguish the new “inserted” states by superscripting them by the transition where they are “inserted in between”. Deﬁnition 3.4 (The gw(·) transformation). Let P and A be as in Deﬁnition 2.1. Let M H = ( Q , q0 , A, δ) be the CFSM of a role H ∈ P and let K be a role name such that K ∈ / P. Then

gw( M H , K) = ( Q , q0 , A, δ ) is the CFSM over P ∪ {K} and A where

, with Q = – Q= Q ∪Q – δ = {(q, KH?a, q (q, sH?a, q ) ∈ δ}.

q∈ Q

(q,Hs!a,q )

{q(q,l,q ) | (q, l, q ) ∈ δ}, and

), (q(q,Hs!a,q ) , Hs!a, q ) | (q, Hs!a, q ) ∈ δ} ∪ {(q, sH?a, q(q,sH?a,q ) ), (q(q,sH?a,q ) , HK!a, q ) |

by q. For the sake of readability, we shall often denote elements q(q,l,q ) ∈ Q built out of M H as Q H when ambiguities could arise. We shall also refer to a Q We can now deﬁne the composition of two communicating systems S 1 and S 2 w.r.t. compatible interface roles H and K. We assume that the roles of S 1 and S 2 are disjoint. Then we take the union of the CFSMs of S 1 and S 2 but replace the CFSMs M H and M K of the interface roles H and K by their gateway CFSMs gw( M H , K) and gw( M K , H).

8

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

Deﬁnition 3.5 (Composition of communicating systems). Let S 1 = ( M p1 )p∈P1 and S 2 = ( M q2 )q∈P2 be two communicating systems over P1 and A1 (P2 and A2 resp.) such that P1 ∩ P2 = ∅. Moreover, let H ∈ P1 and K ∈ P2 such that H ↔K (i.e. M H1 ↔ M K2 ). The composition of S 1 and S 2 via H and K is the communicating system

S 1H↔K S 2 = ( M p )p∈(P1 ∪P2 ) over P1 ∪ P2 and A1 ∪ A2 where M H = gw( M H1 , K), M K = gw( M K2 , H), M p = M p1 for all p ∈ P1 \ {H} and M p = M p2 for all

p ∈ P2 \ {K}.1 Remark 3.6. 1. One could wonder what would change if, instead of using gateways, one would simply remove the interface roles and establish a direct communication between roles of the two systems. This would mean that we had to rename in the CFSMs of both systems any target and source of communication which refers to an interface role by an appropriate role name of the other system. But this is generally unfeasible (unless a rather strict relation of compatibility were used). The problem can be illustrated by our working example: whereas in S, and also in the new system with gateways, role M receives the text from role J, in a composed system without gateways M must be ready to receive the text from both A and B. This would, however, require a signiﬁcant redesign of the machine M M describing the behaviour of M. 2. Another option could be to connect systems by implementing a single “two-sided” gateway process. But this would imply to change in (at least one of) the two systems all the names in the channels that refer to an interface role. This would be inconvenient and also there would be no straightforward generation of a single two-sided gateway process. 4. Preservation of communication properties In the present section we show that if we take two communicating systems S 1 and S 2 such that S 1 possesses a CFSM M H1 and S 2 a CFSM M K2 which is compatible with M H1 , replace both CFSMs by their gateway transformations and then join the resulting systems, we get a system which satisﬁes all the communication properties which are satisﬁed by both S 1 and S2. General assumption: In the following, we generally assume given a system

S = ( M p )p∈P = S 1H↔K S 2 composed as described in Deﬁnition 3.5 from systems

S 1 = ( M p1 )p∈P1

and

S 2 = ( M p2 )p∈P2

where the CFSMs M H1 and M K2 are compatible . Notation: The roles of S are P = P1 ∪ P2 with P1 ∩ P2 = ∅. The channels of S i are C i = {pq | p, q ∈ Pi , p = q} for i = 1, 2. The channels of S are C = C 1 ∪ C 2 ∪ {HK, KH}. The transitions of M p in S will be denoted by δp . The transitions of M p1 in S 1 will be denoted by δp1 , whereas the transitions of M p2 in S 2 will be denoted by δp2 . Notice that δp = δp1 for all p ∈ P1 \ {H} and δp = δp2 for all p ∈ P2 \ {K}. 4.1. Technical notions and results

) ∈ R S ( S ), where q = (qp )p∈P and w = ( w pq )pq∈C . We deﬁne, for i = 1, 2, Deﬁnition 4.1. Let s = ( q, w

|i ) s|i = ( q|i , w |i = ( w pq )pq∈C i . where q|i = (qp )p∈Pi and w Notice that s|i is not necessarily a conﬁguration of S i , because of possible additional states of the gateways. The following fact easily descends from the deﬁnition of gw(·). In particular from the fact that the gateway transformation of a machine M does insert an intermediate state between any pair of states of M connected by a transition. By deﬁnition, the intermediate state possesses exactly one incoming transition and one outgoing transition.

1

The CFSMs over P1 and A1 (P2 and A2 resp.) are considered here as CFSMs over P1 ∪ P2 and A1 ∪ A2 .

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

9

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 . Fact 4.2. Let s = ( q, w H then qH is not ﬁnal and there exists a unique transition (qH , _, _) ∈ δH . Moreover such a transition is of the 1. If qH ∈ Q H . Similarly for K. form (qH , Hs!a, q ) with q ∈ Q H then either qH is ﬁnal, or any transition (qH , _, _) ∈ δH is an input one, that is of the form (qH , sH?a, qH ) with 2. If qH ∈ Q H . Similarly for K. qH ∈ Q H then 3. If qH ∈ Q a) If (qH , KH?a, qH ) ∈ δH then there exists (qH , Hs!a, qH ) ∈ δH with s ∈ P1 (and hence s = K) such that (qH , Hs!a, qH ) ∈ δH1 . The same holds for δK and by exchanging H with K and vice versa. b) If (qH , sH?a, qH ) ∈ δH with s ∈ P1 (and hence s = K) then there exists (qH , HK!a, qH ) ∈ δH such that (qH , sH?a, qH ) ∈ δH1 . The same holds for δK and by exchanging H with K and vice versa. Lemma 4.3. Let J ∈ {H, K} and let s, s , s ∈ R S ( S ) such that l

Js!a

s −→ s −→ s where l is not of the form _J?_. Js!a

l

Then, there exists s ∈ R S ( S ) such that s −→ s −→ s Proof. Let us consider just the case J = H, the other one being similar. Since s ∈ R S ( S ) and by deﬁnition of gw(·), l cannot be of the form _H!_. So, for all r ∈ P1 ∪ {K}, the action l cannot affect the buffer w rH . It is now easy to check that, by deﬁning s = (q , w ) such that q H = q H , and q p = qp for p = H, and such that Hs!a

l

w Hs = w Hs · a and w pq = w pq for pq = Hs, we get s −→ s −→ s .

2

Lemma 4.4. i) s0 |1 ∈ R S ( S 1 ) and s0 |2 ∈ R S ( S 2 ). l

ii) Let s −→ s and l is neither of the form _H?_ nor of the form H_!_. l

Then either s|1 −→ s |1 or s|1 = s |1 . l

iii) Let s −→ s and l is neither of the form _K?_ nor of the form K_!_. l

Then either s|2 −→ s |2 or s|2 = s |2 . rH?a

Hs!a

rK?a

Ks!a

iv) Let s −→ s −→ s . Then, s|1 −→ s |1 . v) Let s −→ s −→ s . Then, s|2 −→ s |2 . Proof. Easy by deﬁnitions of s|1 and s|2 , by deﬁnition of −→ and by deﬁnition of gw(·).

2

If a reachable conﬁguration of the connected system S = S 1H↔K S 2 does not involve an intermediate state of the gateway M H = gw( M H1 , K), then by taking into account only the states of machines of S 1 and disregarding the channels between the gateways, we get a reachable conﬁguration of S 1 . Similarly for S 2 .

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 . Lemma 4.5. Let s = ( q, w H =⇒ s|1 ∈ R S ( S 1 ); i) qH ∈ Q K =⇒ s|2 ∈ R S ( S 2 ). Q ii) qK ∈ Proof. (i) If s ∈ R S ( S ), then there exists a transition sequence leading to s from the initial state, say

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s si = (qi , w i ) (i = 0, . . . , n). H and q j +1 ∈ Q H (if there is not such a j, then the thesis follows Let j ≥ 0 be the smallest index such that q j H ∈ Q H rH?a

immediately). By deﬁnition of gw(·) we have that s j −→ s j +1 for a certain r. Now let t be the smallest index such that H . Such an index t does exist because of the hypothesis qH ∈ Q H (moreover, notice that t ≥ j + 1, qt H = q j +1 H and qt +1 H ∈ Q Hs!a

H ). By deﬁnition of gw(·) we have that st −→ st +1 for a certain s. no self loop transitions are possible out of a state in Q We can now proceed by induction on the length of the transition sequence rH?a

Hs!a

s j −→ . . . −→ st +1

10

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

using Lemma 4.3, in order to show that it is possible to build a transition sequence like the following one rH?a

Hs!a

s0 −→ s1 −→ . . . s j −→ s j +1 −→ sj +2 −→ . . . −→ sn −1 −→ sn = s

H . where q j +2 H ∈ Q The iteration of this procedure trivially converges and allow us to get a sequence s0 −→ . . . −→ sn = s

(3)

such that any transition of the form rH?a is immediately followed by a transition Hs!a. Now, by using Lemma 4.4, it is possible to proceed by complete induction over the length of the transition sequence (3) in order to get a transition sequence s0 |1 −→∗ s|1 . So s|1 ∈ R S ( S 1 ). (ii) This case can be treated similarly to (i). 2 Given a transition sequence ξ , we now deﬁne the subsequence of ξ made only of transitions having a given role as sender or receiver. Deﬁnition 4.6. Let ξ be a transition sequence for a system S and let p ∈ P( S ). We deﬁne ξ |p ∈ Act∗ by

⎧ if ξ = s (i.e. |ξ | = 0) ⎪ ⎨ε l |p |p ξ = ξ · l if ξ = ξ −→ s and [l = _p?_ ∨ l = p_!_] ⎪ ⎩ |p ξ otherwise

Notice that by deﬁnitions of gw(·) and (·)|(·) , if ξ is a transition sequence leading to an s ∈ R S ( S ), then ξ |H is made (but for its last element, in case |ξ |H | is odd) of consecutive pairs of elements of Act of the form KH?a Hs!a or sH?a HK!a, with s = K. Moreover, in case |ξ |H | is odd, it ends with an action of the form KH?a or sH?a, with s = K. Similarly for ξ |K . We deﬁne now two functions, one enabling to map traces of M H (i.e. the gateway gw( M H1 , K)) into the corresponding traces of M H1 and one enabling to map traces of M K (i.e. the gateway gw( M K2 , H)) into the corresponding traces of M K2 . Traces H or Q K will be treated differently for what concerns their last elements. ending in elements of Q Deﬁnition 4.7. Given

aHK (ϕ ) =

ϕ ∈ Act∗ , we deﬁne aHK (ϕ ) ∈ ({?, !} × A)∗ by

⎧ ε ⎪ ⎪ ⎪ ⎨ !a

?a · aHK (ϕ ) ⎪ ⎪ ⎪ ⎩ !a · aHK (ϕ ) undeﬁned

if ϕ = ε or ϕ = sH?_ with s = K if ϕ = KH?a if ϕ = sH?a · HK!a · ϕ with s = K if ϕ = KH?a · Hs!a · ϕ with s = K otherwise

The function aKH (ϕ ) is deﬁned by simply exchanging the roles of H and K in the above deﬁnition. Lemma 4.8. Let φ ∈ L( M H1 )C/ . Then there are no two messages a, c ∈ A such that

φ·!a ∈ L( M H1 )C/ and φ·?c ∈ L( M H1 )C/ . Similarly for L( M K2 )C/ Proof. Easy, by induction on the length of φ , using the ?!-determinism and no mixed states assumption for M H1 imposed by compatibility. 2 Lemma 4.9. Let ξ be a transition sequence for a system S = S 1H↔K S 2 starting from the initial state. Then

aHK (ξ |H ) ∈ L( M H1 )C and aKH (ξ |K ) ∈ L( M K2 )C /

/

Proof. We prove only aHK (ξ |H ) ∈ L( M H1 )C/ , since aKH (ξ |K ) ∈ L( M K2 )C/ can be proved in a similar way. Let ξ be l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn where si = (qi , w i ). We can proceed by induction on n.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

11

Base case n = 0. This case is trivial since ξ = ξ |H = ε . Inductive case n = 0. ln−1 l1 Let ξ be the sequence s0 −→ . . . −→ sn−1 . We distinguish now two possible cases:

H . qn H ∈ Q If ln = KH?a then, by deﬁnition of ·|H , |H |H aHK (ξ )·!a with aHK (ξ ) ∈ L( M H1 )C/ by tion of gw(·), we have that, for a certain

|H

we have that ξ |H = ξ · KH?a. Then, by deﬁnition of aHK (·), aHK (ξ |H ) = the induction hypothesis. We can now obtain the thesis since, by deﬁniq belonging to the states of M H1 , (qn−1 H , KH?a, qn H ), (qn H , Hs!a, q ) ∈ δH and

(qn−1 H , Hs!a, q ) ∈ δH1 where s ∈ P1 . Hence aHK (ξ |H ) = aHK (ξ |H )·!a ∈ L( M H1 )C/ . |H If ln = sH?a then, by deﬁnition of ·|H and aHK (·|H ), we have that aHK (ξ |H ) = aHK (ξ ) and hence the thesis follows

immediately from the induction hypothesis. |H All the other possible forms of ln do not involve H and hence ξ |H = ξ . So the thesis follows immediately from the induction hypothesis. H qn H ∈ Q It is possible to proceed similarly to the previous case, distinguishing the possible forms of ln involving H. 2 The next deﬁnition and the subsequent lemma are used to prove Proposition 4.12 and Corollary 4.13 below. In the lemma we shall check (besides other things) that the application of the function a _ _ (·) on a transition sequence yields a sequence of messages all preﬁxed by ‘?’ and that such a sequence does coincide with the content of a buffer. In order to formalise such an equality, we deﬁne below a function that inserts a ‘?’ in front of any message in a buffer. Deﬁnition 4.10. We deﬁne ? : A∗ → ({?} × A)∗ by

?(a · w ) =?a·?( w )

?(ε ) = ε

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 , and let ξ be a transition sequence of length n Lemma 4.11. Let s = ( q, w leading to s ∈ R S ( S ) from the initial state such that, for all 0 ≤ i ≤ n, w i HK = ε =⇒ w i KH = ε . i) If w HK = w KH = ε , then aHK (ξ |H ) = aKH (ξ |K ); ii) If w HK = ε then a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?( w HK ). iii) If w KH = ε then a) aHK (ξ |H ) is a strict preﬁx of aKH (ξ |K ); b) aKH (ξ |K ) \ aHK (ξ |H ) =?( w KH ) Proof. Let ξ be the following transition sequence leading to s ∈ R S ( S ) from the initial state l2

l1

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s where si = (qi , w i ). We show (i), (ii) and (iii) by simultaneous induction over |ξ |. Base case |ξ | = n = 0. It is immediate to check that w 0 KH = w 0 HK = ε and ξ |H = ξ |K = ε . Then (i) trivially holds, whereas (ii) and (iii) are vacuously satisﬁed. Inductive case |ξ | = n = 0. In case the action ln does not involve neither H nor K, the thesis descends immediately from the induction hypothesis ln−1 l1 |K |H on ξ ≡ s0 −→ . . . −→ sn−1 , since w n−1 HK = w HK , w n−1 KH = w KH , aKH (ξ ) = aKH (ξ |K ) and aHK (ξ ) = aHK (ξ |H ). Otherwise, we distinguish two cases: either ln corresponds to an action performed by H or by an action performed by K. Let us consider only the ﬁrst case, since the second one can be treated in the same way. Now we need to consider the following further possibilities concerning the form of ln .

ln = HK!a. In such a case, we can infer that w n HK = w n−1 HK · a = ε . In this case, (i) and also (iii), since by assumption w n KH = ε , when w n HK = ε , are vacuously satisﬁed and only item (ii) has to be proved. Since ln = HK!a, we have that |K

ξ = ξ |K

(4)

12

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

|K

and hence aKH (ξ ) = aKH (ξ |K ). Moreover, by deﬁnition of gw(·) and aHK (·), |H

aHK (ξ |H ) = aHK (ξ )·?a

(5)

By the hypothesis ∀0 ≤ i ≤ n. w i HK = ε =⇒ w i KH = ε , we have to consider only the following subcases: w n−1 HK = w n−1 KH = ε and w n HK = a. By the induction hypothesis for (i),we get |K

aHK (ξ |H ) = aKH (ξ ) = aKH (ξ |K ) Hence, |H

aHK (ξ ) = aKH (ξ |K ) Then, by (5), we get |H

aHK (ξ |H ) = aHK (ξ )·?a = aKH (ξ |K )·?a Thus we obtain the thesis, namely a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?a =?(a) =?( w n HK ) w n−1 HK = ε and w n HK = w n−1 HK · a Let us hence assume w n−1 HK to be of the form φ · b. By the induction hypothesis for (ii) we have |H

a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ ); |H

|K

b) aHK (ξ ) \ aKH (ξ )) =?( w n−1 HK ) By the above, by (4) and (5) and by the fact that w n HK = w n−1 HK · a we obtain

c) aKH (ξ |K ) is a strict preﬁx of init(aHK (ξ |H )) with last(aHK (ξ |H )) =?a; d) init(aHK (ξ |H )) \ aKH (ξ |K ) =?(init( wn HK )) with last( wn HK ) =?a Out of the above the thesis descends immediately. ln = Hs!a with s ∈ P1 (hence s = K). Since ln = Hs!a, we have |K

ξ = ξ |K

(6)

w n−1 KH = w n KH and w n−1 HK = w n HK

(7)

and

Moreover, by deﬁnition of gw(·) and aHK (·), |H

aHK (ξ |H ) = aHK (ξ )

(8)

The thesis hence follows by the induction hypothesis. ln = KH?a Since ln = KH?a, we have |K

ξ = ξ |K

(9)

Moreover, by deﬁnition of gw(·) and aHK (·), |H

aHK (ξ |H ) = aHK (ξ )·!a

(10)

By the hypothesis ∀0 ≤ i ≤ n. w i HK = ε =⇒ w i KH = ε , we have to consider only the following subcases: w n−1 KH = a · w n KH with w n KH = ε In this case, (i) and (ii) are vacuously satisﬁed. For what concerns (iii), by the induction hypothesis we have |K

i) aHK (ξ |H ) is a strict preﬁx of aKH (ξ );

|K ii) aKH (ξ ) \ aHK (ξ |H ) =?( w n−1 KH )

By the above, using (9), (10), we get c) init(aHK (ξ |H )) is a strict preﬁx of aKH (ξ |K ) with last(aHK (ξ |H )) =?a; d) aKH (ξ |K ) \ init(aHK (ξ |H )) =?( w n−1 KH ) =?a·?( w n KH ) and then, by c) and d) above the thesis descends immediately.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

13

w n−1 KH = a · w n KH with w n KH = w n HK = ε In this case, (ii) and (iii) are vacuously satisﬁed. For what concerns (i), by the induction hypothesis for (iii) we have |K

a) aHK (ξ |H ) is a strict preﬁx of aKH (ξ );

(ξ |K ) \ a

(ξ |H ) =?( w

b) aKH HK n−1 KH ) =?a By the above, using (9), (10), we get c) init(aHK (ξ |H )) is a strict preﬁx of aKH (ξ |K ) with last(aHK (ξ |H )) =?a; d) aKH (ξ |K ) \ init(aHK (ξ |H )) =?a and then, by c) and d) above we can infer the thesis, namely

aHK (ξ |H ) = aKH (ξ |K ) ln = sH?a with s ∈ P1 (hence s = K) Since ln = sH?a, we have |K

ξ = ξ |K

(11)

w n−1 KH = w n KH and w n−1 HK = w n HK

(12)

and

Moreover, by deﬁnition of gw(·) and aHK (·), |H

aHK (ξ |H ) = aHK (ξ )

(13)

The thesis hence follows by the induction hypothesis.

2

The following proposition essentially shows that in gateway-connected systems any pair of FIFO channels connecting gateways is such that in each reachable conﬁguration at least one of the two buffers is empty, that is they can be replaced by a half-duplex channel.

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 . Then w HK and w KH cannot be both nonq, w Proposition 4.12. Let s = ( empty. That is w HK = ε =⇒ w KH = ε Proof. Towards a contradiction, we assume the thesis not to hold. We then take, among all the transition sequences ζ leading (from the initial state) to a state sζ = (qζ , wζ ) ∈ R S ( S ) such that

w ζ HK = ε and w ζ KH = ε ,

(14)

a sequence having a minimal length. Let the following sequence ξ be such a sequence. l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn

) ∈ R S ( S ). Since w 0 HK = w 0 KH = ε , we have that |ξ | > 0. where si = (qi , w i ). And let sξ be s = ( q, w By the minimality of |ξ |, we can infer that one of the following two cases necessarily holds: either w n−1 KH = w n−1 HK = ε . Without loss of generality, assume w n−1KH = ε . In this case, as a consequence of (14), we have that w n−1 HK = w ξ HK = ε . So we are assuming that w i HK = ε =⇒ w i KH = ε

for all 0 ≤ i ≤ n − 1

ε or

(15)

and

w n−1 HK = ε and w n−1 KH = ε and w n KH = ε

(16)

To get a contradiction, the idea is the following: First, since w n−1 HK = ε , 4.11(ii) implies, that the next action of M K in conﬁguration sn−1 can only be the consumption of an element c of the channel w n−1 HK . On the other hand, since w n−1 KH = ε and w n KH = ε , to progress from sn−1 to sn M K must put an element a into the buffer w n−1 KH . But both is not possible. Let us now do the formal proof of the contradiction. By Lemma 4.9, aHK ((ξ/n−1 )|H ) ∈ L( M H1 )C/ and aKH ((ξ/n−1 )|K ) ∈ L( M K2 )C/ . Moreover, since we have (15) and (16), by Lemma 4.11 we can infer that

14

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

a) aKH (ξ/n−1 |K ) is a strict preﬁx of aHK (ξ/n−1 |H ); b) aHK (ξ/n−1 |H ) \ aKH (ξ/n−1 |K ) =?( w n−1 HK ). Recall that by deﬁnitions of gw(·) and (·)|(·) , we have that ξ |H is made (but for its last element, in case |ξ |H | is odd) of consecutive pairs of elements of Act either of the form KH?a Hs!a, with s = K, or sH?a HK!a, with s = K. Moreover, in case |ξ |H | is odd, it ends with an action either of the form KH?a or sH?a, with s = K. Similarly for ξ |K . Hence, as a consequence of (a) and (b) above, there exists a message c such that

aKH (ξ/n−1 |K )·?c ∈ L( M H1 )C /

Now, from (16) (in particular w n−1 KH = ε and w n KH = ε ), we can infer also that, for a certain message a,

aKH ((ξ/n−1 )|K )·?a ∈ L( M K2 )C . /

By deﬁnition of compatibility we have L( M H1 )C/ = L( M K2 )C/ and hence

aKH ((ξ/n−1 )|K )·?a = aKH ((ξ/n−1 )|K )·!a ∈ L( M H1 )C /

So we have both aKH (ξ/n−1 |K )·?c ∈ L( M H1 )C/ and aKH ((ξ/n−1 )|K )·!a ∈ L( M H1 )C/ , which, by Lemma 4.8 is a contradiction.

2

The next corollary is an immediate consequence of Lemma 4.11 and Proposition 4.12. It is the key for getting our preservation results in the next section.

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 , and let ξ be a transition sequence leading to q, w Corollary 4.13. Let s = ( s ∈ R S ( S ) from the initial state. i) If w KH = w HK = ε , then aHK (ξ |H ) = aKH (ξ |K ); ii) If w HK = ε then a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?( w HK ). iii) If w KH = ε then a) aHK (ξ |H ) is a strict preﬁx of aKH (ξ |K ); b) aKH (ξ |K ) \ aHK (ξ |H ) =?( w KH ). Proof. Immediate by Lemma 4.11 and Proposition 4.12.

2

4.2. Preservation of deadlock-freeness

) be a deadlock conﬁguration of S = S 1H↔K S 2 . Then there exists i ∈ {1, 2} such that s|i ∈ R S ( S i ) and s|i is a Lemma 4.14. Let s = ( q, ε deadlock conﬁguration for S i . H nor qK ∈ Q K . Otherwise Proof. By deﬁnition of deadlock conﬁguration and by Fact 4.2(1), we have that neither qH ∈ Q there will be an output transition from either qH or qK , contradicting s to be a deadlock conﬁguration. Hence necessarily H and qK ∈ Q K . So, by Lemma 4.5 we get s| ∈ R S ( S i ) for i = 1, 2. qH ∈ Q i Now, since s is a deadlock conﬁguration, we have

= ε and ∀p ∈ P. qp is a receiving state. w By deﬁnition of gw(·) and by the no mixed state condition on M H1 and M K2 imposed by compatibility, we need to take into account only the following possible cases concerning the shapes of the transitions from qH in δH and from qK in δK .

All the transitions from qH in δH are of the form (qH , KH?_, _) and all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 (and hence s = H). Since all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 (and hence s = H), we can infer, from the deﬁnition of gw(·), that also all the transitions from qK in δK2 are of the form (qK , sK?_, _). Hence we obtain that s|2 is a deadlock conﬁguration of S 2 .

All the transitions from qH in δH are of the form (qH , sH?_, _) with s ∈ P1 (and hence s = K) and all the transitions from qK in δK are of the form (qK , HK?_, _). This case can be treated similarly to the previous one, obtaining s|1 to be a deadlock conﬁguration of S 1 .

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

15

All the transitions from qH in δH are of the form (qH , sH?_, _) with s ∈ P1 and all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 . Actually this case cannot occur, but even if it could, we could argue as in the previous cases, obtaining both s|1 and s|2 to be deadlock conﬁgurations, respectively of S 1 and S 2 . All the transitions from qH in δH are of the form (qH , KH?_, _) and all the transitions from qK in δK are of the form (qK , HK?_, _). Since w HK = w KH = ε , this case cannot occur. Towards a contradiction, let us assume it to be possible. Let now ξ be a transition sequence leading to s ∈ R S ( S ) from the initial state, in particular let ξ be ln−1

l2

l1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s By Lemma 4.9, aHK (ξ |H ) ∈ L( M H1 )C/ and aKH (ξ |K ) ∈ L( M K2 )C/ . Moreover, by Corollary 4.13(i), aHK (ξ |H ) = aKH (ξ |K ). Since all the transitions from qH in δH are of the form (qH , KH?_, _) and all the transitions from qK in δK are of the form (qK , HK?_, _), we can infer, by deﬁnition of gw(·), that aHK (ξ |H )·!a ∈ L( M H1 )C/ and aKH (ξ |K )·!b ∈ L( M K2 )C/ for certain a and b. We have then that aHK (ξ |H )·?b = aKH (ξ |K )·!b ∈ L( M K2 )C/ and hence, since by compatibility L( M H1 )C/ = L( M K2 )C/ , also that aHK (ξ |H )·?b ∈ L( M H1 )C/ . To have both aHK (ξ |H )·!a ∈ L( M H1 )C/ and aHK (ξ |H )·?b ∈ L( M H1 )C/ does contradict the no mixed state condition of compatibility since, by ?!-determinism of M H1 , qH is the unique state of M H1 recognising the string aHK (ξ |H ). 2 Corollary 4.15 (Preservation of deadlock-freeness). Let S 1 and S 2 be deadlock-free. Then S = S 1H↔K S 2 is deadlock-free. Proof. By contradiction, let us assume there is an s ∈ R S ( S ) which is a deadlock conﬁguration of S. We get immediately a contradiction by Lemma 4.14. 2 4.3. No-orphan-message preservation

) ∈ R S ( S ) is a reachable conﬁguration of S = S 1H↔K S 2 such that qK is ﬁnal, then w HK = ε . The same holds Lemma 4.16. If s = ( q, w by exchanging H and K. K . Let now ξ be a transitions sequence leading to s ∈ R S ( S ) from the initial state, say Proof. By Fact 4.2(1), qK ∈ /Q l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s

HK = ε Hence, by Corollary 4.13 we get Towards a contradiction, let us assume w a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?( w HK ).

K , we have that qK is the unique state of M K2 recognising the string aKH (ξ |K ) ∈ /Q Now, by ?!-determinism of M K2 and by qK ∈ / 2 C L( M K ) . Now, by (a) and (b) above and knowing, by Lemma 4.9, that aHK (ξ |H ) ∈ L( M H1 )C/ , there exists a message a such that aKH (ξ |K )·?a ∈ L( M H1 )C/ . Hence, by compatibility, aKH (ξ |K )·!a ∈ L( M K2 )C/ . Contradiction, since qK is ﬁnal.

2

) ∈ R S ( S ) be an orphan-message conﬁguration for S. Then, either s|1 is an orphan-message conﬁguration Lemma 4.17. Let s = ( q, w for S 1 or s|2 is an orphan-message conﬁguration for S 2 . ) ∈ R S ( S ) be an orphan-message conﬁguration for S, that is q is ﬁnal and w = ε . Since Proof. By hypothesis, let s = ( q, w q is ﬁnal, then a fortiori qH and qK are ﬁnal, and hence, by Lemma 4.16, it follows that w HK = w KH = ε . This implies that, = ε , we have to consider only the following two cases. since w ∃p, q ∈ P1 such that w pq = ε By Lemma 4.5 we have that s|1 ∈ R S ( S 1 ). Moreover, from the hypothesis, we trivially get that ( qs )s∈P1 is ﬁnal. So, by deﬁnition, s|1 is an orphan-message conﬁguration of S 1 .

∃p , q ∈ P2 with w p q = ε We can argue as in he previous case, getting s|2 to be an orphan-message conﬁguration of S 2 .

2

Corollary 4.18 (Preservation of no orphan-message). Let S 1 and S 2 be such that both R S ( S 1 ) and R S ( S 2 ) do not contain any orphanmessage conﬁguration. Then there is no orphan-message conﬁguration in R S ( S ).

16

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

Proof. By contradiction, let us assume there is an s ∈ R S ( S ) which is an orphan-message conﬁguration. We get immediately a contradiction by Lemma 4.17. 2 4.4. Preservation of no unspeciﬁed reception The following lemma is crucial for proving our preservation results for absence of unspeciﬁed receptions and progress.

) ∈ R S ( S ) be a reachable conﬁguration of S = S 1H↔K S 2 such that all the transitions from qK in δK are of Lemma 4.19. Let s = ( q, w the form (qK , HK?_, _). Then w HK = a · w =⇒ ∃(qK , HK?a, _) ∈ δK The same property holds by exchanging H and K. Proof. Let ξ be a transition sequence leading to s from the initial state, in particular let ξ be l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s where si = (qi , w i ). Moreover, let us assume w HK = a · w . Now, by Corollary 4.13(ii) we have that a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?( w HK ) =?a·?( w ). Moreover aHK (ξ |H ) ∈ L( M H1 )C/ and aKH (ξ |K ) ∈ L( M K2 )C/ by Lemma 4.9. sH?a

H and aHK (ξ/ j |H ) = aKH (ξ |K ). Then necessarily s j −→ s j +1 . Now, Now, let j be the greatest index such that q j H ∈ Q 1 2 by ?!-determinism of M H and M K , we have that q j H is the unique state of M H1 recognising the string aHK (ξ/ j |H ) and qK is the unique state of M K2 recognising the string aKH (ξ |K ) = aHK (ξ/ j |H ). Obviously, aKH (ξ |K )·!a = aHK (ξ/ j |H )·?a. Because aHK (ξ/ j |H )·?a ∈ L( M H1 )C/ and, by compatibility, L( M H1 )C/ = L( M K2 )C/ we then know that aKH (ξ |K )·!a ∈ L( M K2 )C/ . Hence, by deﬁnition of aKH (·), ∃(qK , HK?a, _) ∈ δK . The very same argument can be used to show the statement with H and K exchanged. 2 We are now ready to prove preservation of no unspeciﬁed reception. Intuitively this holds, since, by Lemma 4.19, no “wrong” elements can be put in a gateway-connecting channel, if the interface machines are compatible. Proposition 4.20 (Preservation of no unspeciﬁed reception). Let S 1 and S 2 be such that both R S ( S 1 ) and R S ( S 2 ) do not contain any unspeciﬁed reception conﬁguration. Then there is no unspeciﬁed reception conﬁguration in R S ( S ).

) ∈ R S ( S ) which is an unspeciﬁed reception conﬁguration. So, Proof. By contradiction, let us assume there is an s = ( q, w let r ∈ P and let qr be the receiving state of M r prevented from receiving any message from any of its buffers (Deﬁnition 2.4(iii)). Without loss of generality, we can assume r ∈ P1 , since the case r ∈ P2 can be treated in a similar way. Now we take into account the following possible cases: H . q ∈ Q qH = By Lemma 4.5 we get s|1 ∈ R S ( S 1 ). We distinguish now two further subcases. r = H

We get a contradiction by the hypothesis that R S ( S 1 ) does not contain any unspeciﬁed reception conﬁguration.

r=H

Since qr (= qH ) is a receiving state, by deﬁnition of gw(·) it follows that the set of all the outgoing transitions from qH in δH is of the form

{(qH , s j H?a j , qj )} j =1..m By deﬁnition of unspeciﬁed reception conﬁguration, we have hence that for all j = 1..m,

| w s j H |> 0 and w s j H ∈ A∗ · a j Now, the following further possibilities have to be taken into account s j = K for all j = 1..m.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

17

By Fact 4.2(3) and deﬁnition of gw(·) we have that

[(qH , s j H?a j , qj ) ∈ δH ∧ s j = K] ⇐⇒ (qH , sH?a j , q j ) ∈ δH1 This implies s|1 to be an unspeciﬁed reception conﬁguration for S 1 . Contradiction. s j = K for all j = 1..m. In this case we do get a contradiction by Lemma 4.19.

H . q∈Q qH = H is a sending state such that (qH , Hs!a, q H ) ∈ δH . Hence it is impossible that r = H. So, let r = H. By Fact 4.2(1), qH ∈ Q Hs!a ) with q H ∈ H and It is now immediate to check that there exists an element s ∈ R S ( S ) such that s −→ s = (q , w Q s ∈ P1 ∪ {K}. It hence follows, by Lemma 4.5, that s |1 ∈ R S ( S 1 ). Moreover, we have that a) ∀p = H. q p = qp ; b) ∀pq = Hs. w pq = w pq ; c) w Hs = a · w Hs . We consider now the following two possible subcases:

s=K

By (i) and (ii) above it follows that also s |1 ∈ R S ( S 1 ) is an unspeciﬁed reception conﬁguration. Contradiction.

s ∈ P1

In this case H sends the message a to the buffer w Hr . Since qr is the receiving state of receiving any message from any of its buffers, which all are not empty in conﬁguration extends w Hr which still has a wrong element on its ﬁrst position. Then, by (a) and (b) above reception conﬁguration of S 1 . Contradiction. 2

M r prevented from s, the sending of a s |1 is an unspeciﬁed

4.5. Progress preservation Proposition 4.21 (Progress preservation). If S 1 and S 2 do enjoy the progress property, so does S.

) ∈ R S(S) Proof. By contraposition, let us assume S not to enjoy the progress property, namely that there exists s = ( q, w such that s −→

and q is not ﬁnal.

H nor qK ∈ By s −→ and by Fact 4.2(1), we have that neither qH ∈ Q H and from either qH or qK , contradicting s −→ . Hence necessarily qH ∈ Q i = 1, 2. We show in the following that either

(17)

K . Otherwise there will be an output transition Q K . So, by Lemma 4.5 we get s| ∈ R S ( S i ) for qK ∈ Q i

s|1 −→

and q|1 is not ﬁnal;

(18)

s|2 −→

and q|2 is not ﬁnal.

(19)

or

Once we have shown (18) or (19) either S 1 or S 2 does not enjoy the progress property and we are done. We distinguish now the following possible cases according to whether qH and qK are ﬁnal or not. Both qH and qK are ﬁnal in M H and M K and hence in M H1 and M K2 : Then from s −→ it immediately follows that s|1 −→ and s|2 −→ . Moreover, since there exists r ∈ P such that qr is not ﬁnal, we can infer that either there exists r ∈ P1 such that r = H and qr is not ﬁnal, or there exists r ∈ P2 such that r = K and qr is not ﬁnal. Both qH and qK are non ﬁnal: In such a case, by deﬁnition of gw(·) and by the no mixed state condition on M H1 and M K2 imposed by compatibility, we need to take into account only the following further possible subcases concerning the shapes of the transitions from qH in δH and from qK in δK . All the transitions from qH in δH are of the form (qH , KH?_, _) and all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 (and hence s = H). Since all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 (and hence s = H), we can infer, from the deﬁnition of gw(·), that also all the transitions from qK in δK2 are of the form (qK , sK?_, _). Hence from s −→ we can

18

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

obtain that s|2 −→ as well and then (19). (Notice that, instead, s|1 −→, since, by deﬁnition of gw(·), all the transitions from qH in δH1 are of the form (qH , H_!_, _)).2 All the transitions from qH in δH are of the form (qH , sH?_, _) with s ∈ P1 (and hence s = K). and all the transitions from qK in δK are of the form (qK , HK?_, _). This case can be treated similarly to the previous one. All the transitions from qH in δH are of the form (qH , sH?_, _) with s ∈ P1 and all the transitions from qK in δK are of the form (qK , sK?_, _) with s ∈ P2 . This case can be treated similarly to the previous ones. All the transitions from qH in δH are of the form (qH , KH?_, _). and all the transitions from qK in δK are of the form (qK , HK?_, _). We now consider the possible shapes of w HK and w KH . w HK = w KH = ε . This subcase cannot occur. Towards a contradiction, let us assume it to be possible. Let now ξ be a transition sequence leading to s ∈ R S ( S ) from the initial state, in particular let ξ be l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s By Lemma 4.9, aHK (ξ |H ) ∈ L( M H1 )C/ and aKH (ξ |K ) ∈ L( M K2 )C/ . Moreover, by Corollary 4.13(i), aHK (ξ |H ) = aKH (ξ |K ). Since all the transitions from qH in δH are of the form (qH , KH?_, _). and all the transitions from qK in δK are of the form (qK , HK?_, _), we can infer, by deﬁnition of gw(·), that aHK (ξ |H )·!a ∈ L( M H1 )C/ and aKH (ξ |K )·!b ∈ L( M K2 )C/ for certain a and b. We have then that aHK (ξ |H )·?b = aKH (ξ |K )·!b ∈ L( M K2 )C/ and hence, since by compatibility L( M H1 )C/ = L( M K2 )C/ , also that aHK (ξ |H )·?b ∈ L( M H1 )C/ . To have both aHK (ξ |H )·!a ∈ L( M H1 )C/ and aHK (ξ |H )·?b ∈ L( M H1 )C/ does contradict the no mixed state condition of compatibility since, by ?!-determinism of M H1 , qH is the unique state of M H1 recognising the string aHK (ξ |H ). w HK = ε . This subcase cannot occur, otherwise, by Lemma 4.19, we would get s −→. w KH = ε . This subcase cannot occur, otherwise, by Lemma 4.19, we would get s −→. qH is ﬁnal and qK is non ﬁnal: By the no mixed state condition imposed by compatibility, we need to take into account two further subcases. All the transitions from qK in δK are of the form (qK , sK?_, _) with s = H. As done in a previous case, we can infer, from the deﬁnition of gw(·), that also all the transitions from qK in δK2 are of the form (qK , sK?_, _). Hence from s −→ we can obtain that s|2 −→ as well, and then (19). All the transitions from qK in δK are of the form (qK , HK?_, _). KH = ε . Thus, it remains to consider the following two subcases: Since qH is ﬁnal, by Lemma 4.16, w w HK = ε . This case cannot occur. Towards a contradiction, let us assume it to be possible. Let ξ be a transition sequence leading to s ∈ R S ( S ) from the initial state, in particular let ξ be l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s By Lemma 4.9, aHK (ξ |H ) ∈ L( M H1 )C/ and aKH (ξ |K ) ∈ L( M K2 )C/ .

Moreover, by Corollary 4.13(i), aHK (ξ |H ) = aKH (ξ |K ). Since all the transitions from qK in δK are of the form (qK , HK?_, _), we can infer, by deﬁnition of gw(·), that aKH (ξ |K )·!a ∈ L( M K2 )C/ for a certain a. We have then that aHK (ξ |H )·?a ∈ L( M K2 )C/ and hence, since by compatibility L( M H1 )C/ = L( M K2 )C/ , also that aHK (ξ |H )·?a ∈ L( M H1 )C/ . To have both aHK (ξ |H )·?a ∈ L( M H1 )C/ and aHK (ξ |H ) ∈ L( M H1 )C/ does contradict qH to be ﬁnal, since, by ?!-determinism of M H1 , qH is the unique state of M H1 recognising the string aHK (ξ |H ). w HK = ε . Then, by Lemma 4.19, we get s −→. Contradiction to the assumption of no progress in s. qK is ﬁnal and qH is non ﬁnal: The same argument of the previous case does apply.

2

2 This fact clearly prevents us from having the preservation of progress in the case where, instead of connecting roles of different systems, we connect roles belonging to the same system. This “self connection” is equivalent to having multiple connections (see discussion in Section 6).

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

19

Corollary 4.22 (Preservation of strong deadlock-freeness). Let S 1 and S 2 be strongly deadlock-free. Then S = S 1H↔K S 2 is strongly deadlock-free.

Proof. By Proposition 2.6(iii), Corollary 4.18 and Proposition 4.21.

2

5. Discussion of the assumptions and usefulness of gateways In this section we discuss no mixed state and ?!-determinsm assumptions and provide for each case counterexamples showing that, by omitting one of the two assumptions preservation results fail. The literature gives already a hint that both assumptions are important. In [13] it has been shown that two compatible ﬁnite state machines which are deterministic and have no mixed states are free from deadlocks and unspeciﬁed receptions. Cécé and Finkel show in [2] that two compatible ﬁnite state machines yield a half-duplex system under the restriction that both don’t have mixed states and are deterministic. Moreover, they show that for half-duplex systems of two CFSMs several properties, among them deadlock-freeness and the absence of unspeciﬁed receptions, are decidable. It is still worth to discuss the relevance of our two restrictions, since we are dealing with a different problem, namely preservation of communication properties under composition of open systems, and we use distinguished gateways for their connection. 5.1. The no mixed state assumption The impact of the no mixed state assumption for interface compatibility is interesting, since for interfaces whose machines have mixed states, their gateways do, by deﬁnition, not have mixed states. Nevertheless the no mixed state assumption is important since a mixed state q of an interface machine gives rise to two types of receiving actions in the state q of its gateway, one coming from inside and one coming from outside. Mixed states, deadlock and progress. Let us consider a system S 1 with roles A and H, where H is the interface, and let S 2 be a system with roles B and K, where K is the interface. Let us assume M H and M K to be the following CFSMs: H

K 1

AH?a

1

KB!a

HA!b 3

2

BK?b 3

2

The two machines have dual languages and are ?!-deterministic, but both have a mixed state. Let us now consider the following CFSMs representing gw( M H , K) and gw( M K , H): H

K 1

AH?a 1 HK!a 2

1

HK?a

KH?b 1

1 KB!a

HA!b 3

2

BK?b 1 KH!b 3

Suppose that in S 1 above the machine of A has a single transition waiting to receive b from H and terminates when it has received b. Similarly, in S 2 the machine of B waits to receive a from K and terminates when it has received a. Obviously, both S 1 and S 2 satisfy the progress property and therefore are also deadlock-free. (Moreover, S 1 and S 2 are orphan-message free and reception-error free.) But if S 1 and S 2 were connected by the gateways, the system S = S 1H↔K S 2 is immediately in a deadlock conﬁguration where all machines wait for the reception of a message and all buffers are empty. Moreover, this shows that S does also not satisfy the progress property. Mixed states and unspeciﬁed reception. To get a counterexample in the case of unspeciﬁed receptions, we extend the two machines M H and M K as follows:

20

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

H

K 1

1

AH?a

KB!a

HA!b 3

2

HA!c

3

2

BK?c

AH?d 5

4

BK?b

KB!d 5

4

The two machines have dual languages and are ?!-deterministic, but both have mixed states. The gateway machines gw( M H , K) and gw( M K , H) are the following CFSMs:

H 1

AH?a

KH?b

1

1

HK!a

HA!b 3

2

KH?c

AH?d

2

2

HA!c

HK!d 5

4

K 1

HK?a

BK?b

1

1

KB!a

KH!b 3

2

BK?c 2 KH!c 4

HK?d 2 KB!d 5

Assume that in S 1 the machine of A sends repeatedly (in a loop) message a and then terminates, and in S 2 the machine of B sends repeatedly (in a loop) message b and then terminates. Both S 1 and S 2 are free from unspeciﬁed reception errors since none of their machines has a receiving state. (Moreover, S 1 and S 2 are deadlock-free, orphan-message free and satisfy the progress property.) To see that S = S 1H↔K S 2 has an unspeciﬁed reception conﬁguration we perform the following execution in S:

B K K A H H A

puts b into the buffer w BK ; consumes b from the buffer w BK ; puts b into the buffer w KH ; puts a into the buffer w AH ; consumes a from the buffer w AH ; puts a into the buffer w HK ; puts a into the buffer w AH ;

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

H

21

K 1

1

BK?a CK?a

KH?a

A

1

1

1

B

1

1

KH!a HA!a

HA?a

KH!a 4 2

2

AH?b

AH!b

2

2

C

HK?b

2

3

BK!a

1

2 KC!b

HK!b 3

3

Fig. 4. S 1H↔K S 2 of the counterexample for orphan-message freeness preservation in absence of ?!-determinism.

Now w KH = b, w AH = a and the machine gw( M H , K) is in receiving state 2 expecting either the element c in the buffer w KH or the element d in the buffer w AH . Thus we have reached an unspeciﬁed reception conﬁguration.3 5.2. The ?!-determinism assumption The notion of ?!-determinsm requires that interfaces should have a deterministic behaviour when focusing just on the names of the messages and on their type (input or output). To abstract away the roles involved in sending and receiving messages to and from an interface looks quite natural. While in CFSM systems the presentation of a message depends also on the involved channel, an open system receives or sends a message via an interface playing the role of an environment whose constitution is unknown. Thus an open system simply knows that the message is coming from or going to another open system; the information about the speciﬁc role which sent or received it is necessarily to be abstracted away. For a more precise understanding, we illustrate the above intuitive argument by means of examples. Non ?!-determinism and orphan-messages. Let S 1 = ( M p )p∈{H,A} and S 2 = ( M p )p∈{K,B,C} be the systems with the following components: A

H 1

K 1

B 1

1

BK?a HA?a

CK?a

HA!a

4 2

AH!b

2

2

2

C

KC!b

AH?b

BK!a

1 3

3

3

Obviously, both M H and M K have no mixed state and are compatible, but M K is not ?-deterministic. Moreover, both systems S 1 and S 2 are orphan-message free (and deadlock-free, reception-error free and progressing). In fact: In S 1 , A and H exchange messages a and b and the system so terminates in a ﬁnal conﬁguration with all the buffers empty. In S 2 , B can send a to K which consumes the message from the buffer and then the system terminates with all buffers empty. The left branch of K can never be followed, since C is unable to send any message. However, the composed system S 1H↔K S 2 , described in Fig. 4, is not orphan-message free. In fact, the following can happen:

B puts a into the buffer w BK and reaches its ﬁnal state; 3

Let us remark here that it is an open question whether the no mixed state assumption is really needed for preservation of orphan-message freeness.

22

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

K A

B

H

1

DK?a

1

HB!a 5

2 2

HC!c

C 1

HC?c

HC!b 3

3

DK?c

6

2

6

DK?a

DK!c 3

EK?a 4

HA!a 4

DK!a

EK?b 3

HC?b HB!a

2

5

2

HB?a 2

1

EK?a

1

HA!a HA?a

D 1

DK!a

E 1

4

Fig. 5. S 1 and S 2 of the counterexample for reception-error freeness and progress preservation in absence of ?!-determinism.

K K H H A A H H

consumes a from the buffer w BK ; puts a into the buffer w KH and reaches a ﬁnal state; consumes a from the buffer w KH ; puts a into the buffer w HA ; consumes a from the buffer w HA ; puts b into the buffer w AH and reaches its ﬁnal state; consumes b from the buffer w AH ; puts b into the buffer w HK and reaches its ﬁnal state.

Notice that C is already in its ﬁnal state (which is also the initial one). So, by the above transition sequence, system S 1H↔K S 2 reaches a conﬁguration where all the machines are in a ﬁnal state, whereas not all the buffers are empty, since w HK = b. This means that an orphan-message conﬁguration belongs to the set of reachable conﬁgurations of S 1H↔K S 2 . The crucial point of the counterexample is that compatibility of interface roles based on comparing languages cannot discover incompatible behaviours if nondeterminism is involved. Non ?!-determinism, unspeciﬁed reception and progress. Let us consider the systems S 1 = ( M p )p∈{H,A,B,C} and S 2 = ( M p )p∈{K,D,E} as described in Fig. 5. It is easy to check that both M H and M K have no mixed state and are compatible, but are not ?!-deterministic. In particular, M H is not !-deterministic and M K is not ?-deterministic. Moreover, both systems S 1 and S 2 are free from unspeciﬁed receptions (as well as deadlock-free, orphan-message free and progressing). In particular: S 1 is free from unspeciﬁed receptions since from the initial state machine H sends in sequence either the messages a, c and a to, respectively, A, C and B, or the messages a, b and a to, respectively B, C and A. In both cases the messages are received and the system arrives at a ﬁnal conﬁguration with all buffers empty. S 2 is free from unspeciﬁed receptions since from the initial conﬁguration the only machine that can send messages is D and it sends in sequence the messages a, c and a to K, which is able to receive all of them by following its left branch. The system hence arrives at a ﬁnal conﬁguration with all buffers empty. Notice that K cannot ever take its right branch since it starts with an input from E, which is made of by a single state and no transitions. The composed system S 1H↔K S 2 is described in Fig. 6. It is not free from unspeciﬁed receptions since the following can happen:

D K K H H B D K K

puts a into the buffer w DK ; consumes a from the buffer w DK ; puts a into the buffer w KH ; . i.e. by taking its right branch; consumes a from the buffer w KH by going from state 1 to state 1 to state 5; puts a into the buffer w HB , going from state 1 consumes a from the buffer w HB ; puts c into the buffer w DK ; consumes c from the buffer w DK ; puts c into the buffer w KH ;

By the above transition sequence, S 1H↔K S 2 reaches a conﬁguration where H is in a receiving state, namely 5, waiting for a message b, whereas from the nonempty buffer w KH only the message c could be consumed. Moreover w KH is the only buffer H can consume messages from. This means that S 1H↔K S 2 can reach an unspeciﬁed reception conﬁguration.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

H

23

K 1

KH?a

1

DK?a

KH?a

EK?a D

1

1 A

B

HA!a

1

HB!a

KH!a

HA?a

1

KH!a DK!a

1 5

2

5

2

2

HB?a KH?c 2

DK?c

EK?b DK!c

2 1

HC?c

KH?b

2

C

2

5

HC!c

HC!b

5

KH!c

3

KH!b DK!a

HC?b 3

2

1

1

6

3

6

3

4

KH?a

KH?a

3

DK?a

6

HB!a

EK?a

3

HA!a

6

KH!a

4

E 1

KH!a 4

Fig. 6. S 1H↔K S 2 of the counterexample for reception-error freeness and progress preservation in absence of ?!-determinsm.

Systems S 1 and S 2 are actually a counterexample also to the progress property. In fact, by the previous short descriptions of the behaviours of S 1 and S 2 , it can be checked that both of them enjoy the progress property. Moreover, the transition sequence described above, leads to a stuck conﬁguration which is not made by ﬁnal states only. As before, the counterexample relies on the fact that due to nondeterminism the compatibility of M H and M K (based on comparing languages) cannot avoid incompatible behaviours. 5.3. Gateways versus direct communications In Remark 3.6, we pointed out how diﬃcult it could be to try and use direct communications to connect systems instead of using gateways. We mentioned that using direct communications to connect systems S and S of our working example, the automaton for role M should be completely redesigned. We provide now a further example supporting the gateway approach, in which, to preserve the communication properties the whole system needs to be redesigned. Let S 1 and S 2 be the systems of Fig. 7. It is not diﬃcult to check that both S 1 and S 2 are “well-behaved” for what concerns communication properties. Moreover, they could be connected through H and K because these two roles are compatible. Now let us try using direct communications to connect the two systems, getting rid of the gateways H and K. For what concerns role A, one could think of simply modifying the target roles of communications in the following way: A 1

AC!m

AD!n 2

AB!f 3

For what concerns roles C and D, the source roles of some of their communication could be simply renamed as follows:

24

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

A

K

H 1

AH!m

1

1

AH!n

AH?m

2

KC!m

KD!n

2

3

KC!r

KD!r

AH?n 2

AB!f

1

KD?n

4

BH?r

3

D

C

3

2

CD?g 5

1

1

DC!g

KC?r 2

3

5

2

AB?f

KD?r

DC?g

KC?m

B

4

3

BH!r

CD!g

3

4

Fig. 7. S 1 and S 2 for the direct-communications example.

D

C

1

1

AC?m 2

DC?g

AD?n 2

5

CD?g 5

BD?r

BC?r

3

3

DC!g

CD!g 4

4

It remains to modify B for getting direct communications. The transition from state 2 to 3 could be relabelled either to BC!r or to BD!r. It is, however, not diﬃcult to check that none of the two modiﬁcation of B would lead to a system enjoying the progress property. In fact, B has no way to know whether A has chosen to send m to C or n to D. Without such an information, the system could reach a weak-deadlock conﬁguration. The only possibility to recover progress would be to redesign the system as shown in Fig. 8. In particular, we must redesign the machines for A and for B, by adding several new states and communications. 6. Multiple connections The operation of composition can be immediately extended to multiple gateways connections. Deﬁnition 6.1 (Systems composition via multiple connections). Let S 1 = ( M p1 )p∈P1 and S 2 = ( M q2 )q∈P2 be two communicating = (Hi )i ∈ I and K = (Ki )i ∈ I , where I is a systems over P1 and A1 (P2 and A2 resp.) such that P1 ∩ P2 = ∅. Moreover, let H ﬁnite set of indices, such that for all i ∈ I : Hi ∈ P1 , Ki ∈ P2 and Hi ↔Ki (i.e. M H1 i ↔ M K2 i ). and K is the communicating system The composition of S 1 and S 2 w.r.t. H

S 1H↔K S 2 = ( M p )p∈(P1 ∪P2 )

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

25

A 1

AC!m

AD!n

2

5

D

C AB!f

AB!f 1

1 3

AC?m

6

DC?g

5

2

5

2

AB!m

CD?g

AD?n

AB!n

4

BD?r

BC?r

B 1

3

3

AB?f

DC!g

CD!g

2

4

4

AB?m

AB?n

3

5

BC!m

BD!n

4

Fig. 8. Recovering progress in the direct-communications example.

) and over P1 ∪ P2 and A1 ∪ A2 where, for all i ∈ I , M Hi = gw( M H1 i , Ki ), M Ki = gw( M K2 i , Hi ), and M p = M p1 for all p ∈ (P1 \ H ).4 M p = M p2 for all p ∈ (P2 \ K

It is immediate to check that the binary composition operator for CFSM systems is commutative and associative if roles are not used twice for connections. Under this condition larger networks of CFSM systems can be constructed in a stepwise way. Note that the resulting networks can have cyclic composition structures due to the availability of multiple connections. Alternatively, one may also deﬁne directly an n-ary composition operator for a set S 1 , . . . , S n of CFSM systems and a set C of connections if any interface role occurs in at most one connection in C . 6.1. Non preservation of deadlock-freeness and progress Without imposing further conditions on systems and on the compatibility relations, it is easy to prove that multiple gateway connections do neither preserve deadlock-freeness nor progress. To see this, let S 1 and S 2 be the following systems: s

r 1

H

J Jr?b

1

rH?a

rH!a 3

Ks!a

Jr!b 2

I Ks?a

1

1

2

2

1

K

1

2

sI?b sI!b

2

2

3

It is easy to check that both S 1 and S 2 enjoy the progress property (and hence are deadlock-free), that H and K are compatible and that J and I are compatible.

4

The CFSMs over P1 and A1 (P2 and A2 resp.) are considered here as CFSMs over P1 ∪ P2 and A1 ∪ A2 .

26

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

By deﬁnition of multiple connection, S 1H,J↔K,I S 2 is the following system: r

H

J 1

1

1

rH!a

HK!a 3

2

1

2

2

sI?b 1

2

sI!b

Ks!a

Jr!b

1

Ks?a

HK?a

IJ?b 1

2

I 1

1

1

Jr?b

rH?a

s

K

3

IJ!b 2

It is immediate to check that the initial conﬁguration of S 1 H,J↔K,I S 2 is a deadlock conﬁguration. In particular, S 1H,J↔K,I S 2 does not enjoy the progress property.5 6.2. Preservation of no orphan message and no unspeciﬁed reception by self-connection It is possible to show, instead, that preservation of no orphan message and no unspeciﬁed reception do hold also in presence of multiple connections. In order to do that, we ﬁrst notice that having multiple connections is equivalent to having a connection between compatible roles belonging to the same system. For instance, the double connection of the above example does correspond to connecting the interface pair (H, K) in the system S 1J↔I S 2 . Deﬁnition 6.2 (Self-connection). Let S = ( M p )p∈P be a communicating system over P and A and let H, K ∈ P. i) We say that H does not communicate with K, denoted by H#K, whenever M H does not send/receive any message to/from M K and the same holds, conversely, for M K . ii) Let H, K be such that H#K and H ↔K. Then the self-composition of S w.r.t. H and K is deﬁned as the communicating system SH K = ( M p )p∈(P)

over P and A where M H = gw( M H , K), M K = gw( M K , H), and M p = M p for all p ∈ P \ {H, K}. It is immediate to check that any multiple connection can be obtained as one single connection and a number of self-connections.

= Fact 6.3. Let S 1 = ( M p1 )p∈P1 and S 2 = ( M q2 )q∈P2 be two communicating systems such that P1 ∩ P2 = ∅. Moreover, let H = (Ki )i ∈ I where I = {1, .., n}, such that for all i ∈ I : Hi ∈ P1 , Ki ∈ P2 and Hi ↔Ki . Then (Hi )i ∈ I and K S 1H↔K S 2 = (. . . ( S 1H1↔K1 S 2 )K22 . . .)Knn H

H

By the above fact, it follows that the composition via multiple connections does preserve the no orphan message and no unspeciﬁed reception if the self-composition does. The proofs of preservation of no orphan message and no unspeciﬁed reception by self-connection can be obtained similarly to those for the case of single connections between different systems. Some technical lemmas have however to be rephrased and proven again, while some of them stay the same both in the statement and the proof if we simply consider H↔K S 2 . SH K instead of S 1 General assumption: In the following of this section we generally assume given a system

S = ( M p )p∈P = S H K self-connected as described in Deﬁnition 6.2 from the system

S = ( M p )p∈P .

5

Notice that the above counterexample holds also in case of synchronous communications.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

27

Notice that S and S have the same set of channels. Notation: The transitions of M p in S will be denoted by δp , whereas the transitions of M p in S will be denoted by δp . Notice that δp = δp for all p ∈ {H, K}. When necessary to avoid ambiguity, we shall denote by −→ S the transition relation in S (while −→ denotes the transition relation in S). The last item of Fact 4.2 needs to be rephrased as follows.

H . ) ∈ R S ( S HK ) and let qH ∈ Q q, w Fact 6.4. Let s = ( a) If (qH , KH?a, qH ) ∈ δH then there exists (qH , Hs!a, qH ) ∈ δH with s = K such that (qH , Hs!a, qH ) ∈ δH . The same holds for δK and by exchanging H with K and vice versa. b) If (qH , sH?a, qH ) ∈ δH with s = K then there exists (qH , HK!a, qH ) ∈ δH such that (qH , sH?a, qH ) ∈ δH . The same holds for δK and by exchanging H with K and vice versa. Lemma 4.4 is adjusted as follows. Lemma 6.5. Let J ∈ {H, K}. i) If s0 is the initial state of S H K , then s0 is also the initial state of S . l ii) Let s ∈ R S ( S H K ) such that s ∈ R S ( S ). Moreover, let s −→ s where l is neither of the form _J?_ nor of the form J_!_. Then l s −→ S s .

rJ?a Js!a iii) Let s ∈ R S ( S H K ) such that s ∈ R S ( S ). Moreover, let s −→ s −→ s . Then, s −→ S s .

Proof. Easy by deﬁnitions of −→, −→ S and gw(·).

2

The next lemma corresponds to Lemma 4.5.

) ∈ R S ( S HK ). Then q, w Lemma 6.6. Let s = (

H and qK ∈ Q K =⇒ s ∈ R S ( S ). qH ∈ Q Proof. If s ∈ R S ( S H K ), then there exists a transition sequence leading to s from the initial state, say

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s si = (qi , w i ) (i = 0, . . . , n). H and q j +1 ∈ Q H (if there is not such a j, then the statement we intend Let j ≥ 0 be the smallest index such that q j H ∈ Q H to show, namely that any transition of the form rH?a is immediately followed by a transition Hs!a, is vacuously satisﬁed). By rH?a

deﬁnition of gw(·) we have that s j −→ s j +1 for a certain r. Now let t be the smallest index such that t ≥ j + 1, qt H = q j +1 H H . Such an index t does exist because of the hypothesis qH ∈ Q H (moreover, notice that no self loop transitions and qt +1 H ∈ Q Hs!a

H ). By deﬁnition of gw(·) we have that st −→ st +1 for a certain s. are possible out of a state in Q We can now proceed by induction on the length of the transition sequence rH?a

Hs!a

s j −→ . . . −→ st +1 using Lemma 4.3, in order to show that it is possible to build a transition sequence like the following one rH?a

Hs!a

s0 −→ s1 −→ . . . s j −→ s j +1 −→ sj +2 −→ . . . −→ sn −1 −→ sn = s

H . where q j +2 H ∈ Q The iteration of this procedure trivially converges and allows us to get a sequence starting with s0 , ending with s and such that any transition of the form rH?a is immediately followed by a transition Hs!a. We can now repeat the above procedure taking into account K instead of H, getting a sequence s0 −→ . . . −→ sn = s

(20)

such that any transition of the form rH?a is immediately followed by a transition Hs!a and any transition of the form rK?a is immediately followed by a transition Ks!a. Now, by using Lemma 6.5, it is possible to proceed by complete induction over the length of the transition sequence (20) in order to get a transition sequence s0 −→∗S s. So s ∈ R S ( S ). 2

28

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

The following lemma corresponds to Lemma 4.16.

) ∈ R S ( S ) such that qK is ﬁnal, then w HK = ε . The same holds by exchanging H and K. q, w Lemma 6.7. If s = ( K . Let now ξ be a transition sequence leading to s ∈ R S ( S ) from the initial state, say /Q Proof. By Fact 4.2(1), qK ∈ l1

l2

ln−1

ln

s0 −→ s1 −→ . . . −→ sn−1 −→ sn = s

HK = ε . Hence, by Corollary 4.13 (it is not diﬃcult to check that this corollary and Towards a contradiction, let us assume w its proof stay the same for the case of self-connection) we get a) aKH (ξ |K ) is a strict preﬁx of aHK (ξ |H ); b) aHK (ξ |H ) \ aKH (ξ |K ) =?( w HK ).

K , we have that qK is the unique state of M K recognising the string aKH (ξ |K ) ∈ Now, by ?!-determinism of M K and by qK ∈ /Q / 2 C L( M K ) . Now, by (a) and (b) above and knowing, by Lemma 4.9 (it is not diﬃcult to check that this lemma and its proof stay the same for the case of self-connection if in the proof one takes into account the fact that, by deﬁnition of selfconnection, H#K), that aHK (ξ |H ) ∈ L( M H1 )C/ , there exists a message a such that aKH (ξ |K )·?a ∈ L( M H1 )C/ . Hence, by compatibility, aKH (ξ |K )·!a ∈ L( M K2 )C/ . Contradiction, since qK is ﬁnal. 2 Lemma 6.8. Let s ∈ R S ( S H K ) be an orphan-message conﬁguration. Then s is an orphan-message conﬁguration for S .

). By deﬁnition of orphan-message conﬁguration, q is ﬁnal and w = ε . Since q is ﬁnal, then a fortiori q, w Proof. Let s = ( = ε , there exist qH and qK are ﬁnal, and hence, by Lemma 6.7, it follows that w HK = w KH = ε . This implies that, since w , and we have, by Lemma 6.6, that s ∈ R S ( S ) p, q ∈ P such that p = H, q = K and w pq = ε . Now, since being ﬁnal, qH , qK ∈ Q with s being an orphan-message conﬁguration for S . 2 Corollary 6.9 (Preservation of no orphan-message by self-connection). Let S be such that R S ( S ) does not contain any orphanmessage conﬁguration. Then there is no orphan-message conﬁguration in R S ( S H K ). Proof. By contradiction, let us assume there is an s ∈ R S ( S H K ) which is an orphan-message conﬁguration. We get immediately a contradiction by Lemma 6.8. 2 Proposition 6.10 (Preservation of no unspeciﬁed reception by self-connection). Let S be such that R S ( S ) does not contain any unspeciﬁed reception conﬁguration. Then there is no unspeciﬁed reception conﬁguration in R S ( S H K ).

) ∈ R S ( S HK ) which is an unspeciﬁed reception conﬁguration. q, w Proof. By contradiction, let us assume there is an s = ( So, let r ∈ P and let qr be the receiving state of M r prevented from receiving any message from any of its buffers (Deﬁnition 2.4(iii)). Now we consider the following possible cases: H and qK ∈ Q K . qH ∈ Q By Lemma 6.6 we get s ∈ R S ( S ). We distinguish now the following possible further subcases.

r = H and r = K

We get a contradiction by the hypothesis that R S ( S ) does not contain any unspeciﬁed reception conﬁguration.

r=H Since qr (= qH ) is a receiving state, by deﬁnition of gw(·) it follows that the set of all the outgoing transitions from qH in δH is of the form

{(qH , s j H?a j , qj )} j =1..m By deﬁnition of unspeciﬁed reception conﬁguration, we have hence that for all j = 1..m,

| w s j H |> 0 and w s j H ∈ a j · A∗ Now, the following further possibilities have to be taken into account s j = K for all j = 1..m. By Fact 6.4 and deﬁnition of gw(·) we have that

[(qH , s j H?a j , qj ) ∈ δH ∧ s j = K] ⇐⇒ (qH , sH?a j , q j ) ∈ δH

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

29

This implies s to be an unspeciﬁed reception conﬁguration for S . Contradiction. s j = K for some j = 1..m. In this case we do get a contradiction by Lemma 4.19 (it is not diﬃcult to check that this lemma stays the same also in case of self-connection).

r=K This case can be treated in the same way as the previous one.

H and qK ∈ Q K . qH ∈ Q By Fact 4.2(1) (it is easy to check that this item of Fact 4.2 stays the same when self-connection is taken into account), H is a sending state such that (qH , Hs!b, q H ) ∈ δH . Hence it is impossible that r = H. Moreover, qK ∈ Q K is a qH ∈ Q sending state such that (qK , Ks !a, q K ) ∈ δK . Hence it is impossible that r = K. So, let r = H and r = K. It is now

Hs!b Ks !a Q H , immediate to check that there exist two elements s , s ∈ R S ( SH K ) such that s −→ s −→ s = (q , w ) with q H ∈ q K ∈ Q K . It hence follows, by Lemma 6.6, that s ∈ R S ( S ). Moreover, we have that a) ∀p ∈ {H, K}. q p = q p = qp ; b) ∀pq ∈ {Hs, Ks }. w pq = w pq = w pq ; c) w Hs = w Hs · b and w Ks = w Hs · a. We consider now the following possible subcases:

s = r and s = r

By (a) and (b) above it follows that also s ∈ R S ( S ) is an unspeciﬁed reception conﬁguration. Contradiction.

s=r

In this case H sends the message b to the buffer w Hr . Since qr is the receiving state of M r prevented from receiving any message from any of its buffers, which all are not empty in conﬁguration s, the sending of b extends w Hr which still has a wrong element on its ﬁrst position. Then, by (a) and (b) above s is an unspeciﬁed reception conﬁguration of S . Contradiction.

s = r

In this case K sends the message a to the buffer w Kr . Since qr is the receiving state of M r prevented from receiving any message from any of its buffers, which all are not empty in conﬁguration s, the sending of a extends w Kr which still has a wrong element on its ﬁrst position. Then, by (a) and (b) above s is an unspeciﬁed reception conﬁguration of S . Contradiction.

H and qK ∈ Q K and when qH ∈ Q H and qK ∈ Q K can be treated similarly to the last one. The cases when qH ∈ Q

2

Corollary 6.11. (Communication properties preservation by multiple connections) i) S 1H↔K S 2 is orphan-message free if S 1 and S 2 are so. ii) S 1H↔K S 2 is reception-error free if S 1 and S 2 are so. Proof. The properties are preserved by single connections by Corollary 4.18 and Proposition 4.20. They are also preserved by self-connections by Corollary 6.9 and Proposition 6.10. The thesis hence follows since, by Fact 6.3, a multiple connection is equivalent to one single connection followed by a number of self-connections. 2 7. Global types with interface roles The previous sections were related to a semantic view of concurrent systems where the semantic objects are CFSMs. In this section we show how our results can be directly applied to syntactic formalisms for the speciﬁcation of interacting components when the formalism allows for a semantic interpretation by CFSMs. For systems of CFSMs, most of the relevant communications properties are, in general, undecidable [2] or computationally hard. Partly with the aim of overcoming such shortcomings, a number of formalisms have been recently proposed in the literature enabling (1) to describe in a structured way the overall behaviour of systems of CFSMs; (2) to steer the implementation of the system components, guaranteeing their compliance with the overall behaviour together with some relevant communication properties. Among them are the generalised global types of [3], the global graphs of [4] and the global choreographies of [10]. All of them provide syntactic means to describe the overall behaviour of a system of interacting components (also called participants or roles) and they allow for a semantic interpretation in terms of CFSM systems. To consider an example for a global type (or graph) let us come back to the system, called S in Section 3, which tries to transmit texts to a social network. The example is inspired by a similar one in [15]. The overall behaviour of the system is

30

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

Fig. 9. The global type G describing system S.

as follows: Once a text is received from the outside, the system tries to transmit it at most n times, where also the number n of possible trials is provided from the outside when the system is initialised. A successful transmission to the network is acknowledged by an ack message; a nack message represents instead an unsuccessful transmission. An ok message is sent back in case of a successful transmission; a fail message in case of n unsuccessful trials. Before any transmission trial, a semantically-invariant transformation is applied to the message in order to take into account requirements of the social network concerning propriety of language. If the message is not accepted by the network, our system automatically transforms it maintaining its sense, and sending it again and again up to n times, invariantly transforming it each time. A counter is used to keep track of the number of trials and it is reset to n each time a message is successfully transmitted. It is instead automatically reset to n each time 0 is reached, before issuing a failure message and restarting the protocol with some new message. The roles participating in the system are the following ones: M: the manager of the system; T: the process implementing the semantically-invariant message transformation; C: the trials counter; I, J and H: the roles representing those parts of the environment which, respectively: initialises the system, sends the text message and receives back the ok or fail message, receives the messages transmitted by the systems and acknowledges its propriety, if so. The global type G describing the behaviour of system S is shown in Fig. 9. In the ﬁgure a label s → r : a represents an

interaction where s sends a message a to r. A vertex with label represents the starting point of the interaction and + marks vertexes corresponding to branch or merge points, or to entry points of loops. According to the projection algorithm for generalised global types (see §3.1 and Def. 3.4 in [3]), the projection GJ on role J of the global type G in Fig. 9 is the CFSM M J shown in Fig. 1 which describes the behaviour of that part of the environment of system S which sends a text and waits for a positive or negative answer.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

31

Systems of CFSMs obtained as end-point projections of (well-formed) generalised global types do enjoy all communication properties of Deﬁnition 2.4. They are free from deadlocks, orphan messages and unspeciﬁed receptions (Theorem 3.1 in [3]) and they satisfy the progress property (Theorem 3.3 in [3]). Moreover, systems of CFSMs obtained as end-point projections of global choreographies (satisfying some well-formedness conditions) are strongly deadlock free; see Theorem 1 in [10]. The above mentioned formalisms represent a line of evolution of the general notion of global type widely investigated in the literature [7–9]. The centralised viewpoint offered by the global type approaches makes them naturally suitable for describing closed systems. This prevents a system described/developed by means of global types to be looked at as a module that can be connected to other systems. In the present section, on the ground of our results, we address the problem of generalising the notion of global type in order to encompass the description of open systems and, in particular, open systems of CFSMs; so paving the way towards a fruitful interaction between the investigations on open systems carried out in automata theory and those on global types. In our approach, an “open global type” – that we dub “global type with interface roles” (GTIR) – is a syntactic expression denoting a number of connected open systems of CFSMs. According to one’s needs, any role can be looked at as representing (part of) the expected communication behaviour of the environment, or equivalently as components whose implementation is delegated to an external system.6 We have no necessity to stick to any particular global type formalism as a basis for our GTIRs, as long as the local end-point behaviours of a global type G can be interpreted as CFSMs. So we introduce a parametric syntax which, given a global type formalism GT , extends its syntax by essentially enabling to identify some roles as interface roles and to deﬁne a composition of open global types, semantically interpreted by systems of CFSMs. We call GT -ir (GT -with-interface-roles) the so obtained formalism which, by the main results of the present paper in Section 4, is hence suitable for the composition of open systems which ensures preservation of communication properties. Our approach is usable for any global type formalism GT which satisﬁes the following assumptions: For each global type G in GT , 1. there is associated a ﬁnite set of roles P(G ) ⊂ PU and a ﬁnite set of actions A(G ) ⊂ AU , 2. there is a projection function, denoted by _ _, such that for any p ∈ P(G ), Gp is a CFSM over P(G ) and A(G ). In the following we deﬁne formally Global Types with Interface Roles (GTIRs) by providing their syntax and semantics. Deﬁnition 7.1 (GTIR syntax). The set GTIR of GTIR-expressions [G] is deﬁned by simultaneous induction together with the set of roles P([G]) and projections [G]p for each p ∈ P([G]): a) if G is a global type of GT then [G ] ∈ GTIR and P([G]) = P(G ) and [G]p = Gp for each p ∈ P(G ); b) if 1) [G1 ], [G2 ] ∈ GTIR such that P([G1 ]) ∩ P([G2 ]) = ∅, and 2) H ∈ P([G1 ]), K ∈ P([G2 ]), such that H and K are interface compatible, i.e. [G1 ]H ↔[G2 ]K, then [[G1 ]H↔K [G2 ]] ∈ GTIR and P([[G1 ]H↔K [G2 ]]) = P([G1 ]) ∪ P([G2 ]) and [[G1 ]H↔K [G2 ]]p = [G1 ]p for all p ∈ P([G1 ]) \ {H}, [[G1 ]H↔K [G2 ]]p = [G2 ]p for all p ∈ P([G2 ]) \ {K}, [[G1 ]H↔K [G2 ]]H = gw([G1 ]H, K), [[G1 ]H↔K [G2 ]]K = gw([G2 ]K, H). Deﬁnition 7.2 (GTIR semantics). The semantics of a GTIR [G] is the communicating system

J[G]K = ([G]p)p∈P([G]) . It is immediate to check that the operation of “connecting” GTIRs is semantically commutative and associative if roles are not used twice for connections, i.e. the following holds: (comm) (ass)

J[[G1 ]H↔K [G2 ]]K = J[[G2 ]K↔H [G1 ]]K J[[[G1 ]H↔K [G2 ]]I↔J [G3 ]]K = J[[G1 ]H↔K [[G2 ]I↔J [G3 ]]]K if H, K, I, J are pairwise different.

By the deﬁnition of the composition of communicating systems via gateway CFSMs we can easily prove, by structural induction on the form of GTIRs, that their semantics is compositional:

6 Differently from what was done in [11], here we do not partition the set of roles into interface and non-interface roles from the beginning. In fact, any role can be looked at as an interface according to the current needs of the developer of a system. (We thank Ivan Lanese for such a suggestion.)

32

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

Theorem 7.3. For any composed GTIR-expression [[G1 ]H↔K [G2 ]]:

J[[G1 ]H↔K [G2 ]]K = J[G1 ]KH↔K J[G2 ]K. As an immediate consequence we can apply our preservation results of Section 4 to justify that the validity of communication properties is propagated from smaller GTIRs to larger ones.

Corollary 7.4. Let P be one of the communication properties of Section 2. Let [G] = [[G1 ]H↔K [G2 ]] be the GTIR composed from GTIRs [G1 ] and [G2 ] via compatible interface roles H and K. If both J[G1 ]K and J[G2 ]K enjoy the property P , so does J[G]K.

Hence, if we use the global types formalisms discussed above, which guarantee certain communication properties, we can be sure that these properties hold for composed types as well. Notice that, as a generalisation, multiple connections of global types could also be considered with a CFSM interpretation along the lines of Section 6.

8. Conclusions and related work

We have proposed open systems of communicating ﬁnite state machines where, according to the current needs, a machine can be interpreted as the description of an interface role, namely the description of the environment’s behaviour instead of the behaviour of a proper participant. From this point of view, two systems possessing two compatible interface machines can be connected by replacing such machines with automatically generated “gateway” automata, which enable messages to be exchanged between the two systems. As a crucial contribution of this work we have proved that important communication properties (deadlock-freeness, freeness of orphan messages and unspeciﬁed receptions, and progress) are preserved when open systems are connected in such a way. By means of suitable counterexamples, we have shown that the conditions of no mixed-state and ?!-determinism, imposed on the notion of compatibility, cannot be taken out without loosing the communication properties preservation. The preservation results have also been proved for the extension of the connection procedure to its multiple gateways version, but for the progress property, which is not preserved by multiple connections as shown by a counterexample. It is known from the literature on global types that CFSM systems enjoying the communication properties can be obtained by end-point projecting (well-formed) global descriptions in formalisms like [3,4,10]. We have hence proposed a (parametric) syntax for Global Types with Interface Roles (GTIRs) to describe systems obtained by connecting via gateways the end-point projections of global descriptions in formalisms like the above mentioned ones. Our preservation results imply that in such a way communication properties guaranteed by global type frameworks are propagated when (open) global types are composed to larger ones. A prominent approach to model open systems and their compatibility is the theory of interface automata [16,15]. Even though some loose connections can be envisaged with interface automata our approach to open systems is different in many relevant points: First of all, an interface automaton describes the communication abilities of an automaton with its environment in terms of input and output actions while internal behaviour is described by internal actions. In our open systems, however, the expected behaviour of the environment is emulated by interface roles and their CFSMs, identiﬁed according to the current need, while internal behaviour is modelled by message exchange between the CFSMs of the other roles. Interface automata rely on synchronous communication while we consider asynchronous communication via FIFO buffers. The crucial idea of compatibility for interface automata is that no error state should be reachable in the synchronous product of two automata. An error state is a state, in which one automaton wants to send a message to the other but the other automaton is not ready to accept it. This situation is related to unspeciﬁed reception in the asynchronous context. The speciality of interface automata is, however, that an error state must be autonomously reachable, i.e. without interaction with the environment. In other words, in open systems a “helpful” environment can avoid to reach an error state. Since interface automata use synchronous message passing, the problem of orphans is empty. Moreover, the theory of interface automata does not consider deadlock-freedom. On the other hand, interface automata consider also reﬁnement and preservation of compatibility by reﬁnement. On the background of the ideas of interface automata several other frameworks have been proposed which study in an automata-theoretic setting compatibility notions mostly for synchronous (handshake) communication; see, e.g., [17–19]. For asynchronous systems in [13, Sect. 6], the authors use the same compatibility notion for CFSMs showing that a system made of just two CFSMs, which both are deterministic and do not have mixed states, is free from deadlocks and unspeciﬁed receptions. In [6], weaker notions of asynchronous compatibility are considered and characterisations and criteria based on synchronous compatibility are provided still in the context of two component systems.

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

33

In the future, we ﬁrst want to study whether our conditions for compatibility could be relaxed still guaranteeing preservation of communication properties. For instance, consider the working example and a system S with the same roles as S , where the CFSM L is the one described below instead of the one described in Fig. 2. L LB!ok

0

6

LA!fail LB!fail

LB!fail

AL?text BL?text

5

1

LA!ok

3

BL?text LB!ok

LA!fail 4

LA!ok

2

LB!fail

LB!fail

Through the above interface, B keeps on sending a text message after A does it. A new message can be sent only after an acknowledgement has been received (ok). A message is resent in case of failure. B’s message failure forces A to send / C

its message again. A can receive an ack also after B has sent its message. We have that now L( M J )C/ L( M L ) , but the interaction between S and S (which is possible to guarantee in our present setting only by means of a “mediating” system) would still safely proceed. Such a possibility could hence suggest the introduction and the use of a “sub-behaviour” relation for CFSMs, somewhat related to a form of asynchronous subtyping [20–22]. The equivalence of multiple connections and single connections (together with self-connections) suggests that, in order to overcome problems like the one exploited by the example of non preservation of progress for multiple connections, severe restrictions should be imposed on the systems to be connected, rather than simply on our compatibility relation. To provide such restrictions is a complex problem. It was recognised already for the case of synchronous message exchange in several papers. Most papers just assume acyclic (tree-like) architectures to get results on compositional veriﬁcation of deadlock-freeness (see for instance the discussion and references on page 2, paragraph 3, of [14]). [14] provides a generalisation of acyclic architectures by considering so-called “disjoint circular wait free component systems”. In future we may want to study whether such architectures can also be useful for asynchronous composition, like the one described in the present paper. In the future it would also be worth taking into account, besides our communication properties, certain liveness properties. In particular, the generalised global types of [3], at the cost of being less expressive than global types in [4,10], guarantee also liveness. A collection of further communication properties and their preservation by composition has been studied in [23]. This approach uses bags as communication channels. It would be interesting to see to what extent the preservation results of [23] could be formulated when FIFO buffers are used instead of bags. Acknowledgements We would like to thank the anonymous reviewers for thoroughly reading this paper and providing useful comments and remarks. The ﬁrst author is also grateful to Mariangiola Dezani for her encouragement. The ﬁrst author was partially supported by the project “Piano Triennale Ricerca” DMI-Università di Catania. The second author was partially supported by the EU H2020 RISE programme under the Marie Skłodowska-Curie grant agreement No 778233. Declaration of competing interest There is no competing interest. References [1] D. Brand, P. Zaﬁropulo, On communicating ﬁnite-state machines, J. ACM 30 (2) (1983) 323–342, https://doi.org/10.1145/322374.322380. [2] G. Cécé, A. Finkel, Veriﬁcation of programs with half-duplex communication, Inf. Comput. 202 (2) (2005) 166–190, https://doi.org/10.1016/j.ic.2005.05. 006. [3] P. Deniélou, N. Yoshida, Multiparty session types meet communicating automata, in: ESOP’12, 2012, pp. 194–213. [4] J. Lange, E. Tuosto, N. Yoshida, From communicating machines to graphical choreographies, in: POPL 2015, 2015, pp. 221–232. [5] L. Clemente, F. Herbreteau, G. Sutre, Decidable topologies for communicating automata with FIFO and bag channels, in: CONCUR 2014 – Concurrency Theory, in: LNCS, vol. 8704, Springer, 2014, pp. 281–296. [6] R. Hennicker, M. Bidoit, Compatibility properties of synchronously and asynchronously communicating components, Log. Methods Comput. Sci. 14 (1) (2018), https://doi.org/10.23638/LMCS-14(1:1)2018.

34

F. Barbanera et al. / Journal of Logical and Algebraic Methods in Programming 109 (2019) 100476

[7] M. Carbone, K. Honda, N. Yoshida, A calculus of global interaction based on session types, Electron. Notes Theor. Comput. Sci. 171 (3) (2007) 127–151, https://doi.org/10.1016/j.entcs.2006.12.041. [8] G. Castagna, M. Dezani-Ciancaglini, L. Padovani, On global types and multi-party session, Log. Methods Comput. Sci. 8 (1) (2012), https://doi.org/10. 2168/LMCS-8(1:24)2012. [9] M. Coppo, M. Dezani-Ciancaglini, N. Yoshida, L. Padovani, Global progress for dynamically interleaved multiparty sessions, Math. Struct. Comput. Sci. 26 (2) (2016) 238–302, https://doi.org/10.1017/S0960129514000188. [10] E. Tuosto, R. Guanciale, Semantics of global view of choreographies, J. Log. Algebraic Methods Program. 95 (2018) 17–40, https://doi.org/10.1016/j. jlamp.2017.11.002. [11] F. Barbanera, U. de’Liguoro, R. Hennicker, Global types for open systems, in: Proceedings ICE 2018, in: Electronic Proceedings in Theoretical Computer Science, vol. 279, Open Publishing Association, 2018, pp. 4–20. [12] J.F. Groote, M.R. Mousavi, Modeling and Analysis of Communicating Systems, MIT Press, 2014. [13] M.G. Gouda, E.G. Manning, Y. Yu, On the progress of communication between two machines, Inf. Control 63 (3) (1984) 200–2016, https://doi.org/10. 1016/S0019-9958(84)80014-5. [14] C. Lambertz, M.E. Majster-Cederbaum, Eﬃcient deadlock analysis of component-based software architectures, Sci. Comput. Program. 78 (12) (2013) 2488–2510, https://doi.org/10.1016/j.scico.2013.02.006. [15] L. de Alfaro, T.A. Henzinger, Interface-based design, in: Engineering Theories of Software Intensive Systems: Proceedings of the NATO Advanced Study Institute on Engineering Theories of Software Intensive Systems, Marktoberdorf, Germany, 3–15 August 2004, Springer Netherlands, Dordrecht, 2005, pp. 83–104. [16] L. de Alfaro, T.A. Henzinger, Interface automata, in: Proceedings of the 8th European Software Engineering Conference Held Jointly With 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering 2001, Vienna, Austria, September 10–14, 2001, 2001, pp. 109–120. [17] K.G. Larsen, U. Nyman, A. Wasowski, Modal I/O automata for interface and product line theories, in: 16th European Symposium on Programming, ESOP, in: LNCS, Springer, 2007, pp. 64–79. [18] J. Carmona, J. Kleijn, Compatibility in a multi-component environment, Theor. Comput. Sci. 484 (2013) 1–15, https://doi.org/10.1016/j.tcs.2013.03.006. [19] S.S. Bauer, P. Mayer, A. Schroeder, R. Hennicker, On weak modal compatibility, reﬁnement, and the MIO Workbench, in: Proc. 16th Int. Conf. Tools and Algorithms for the Construction and Analysis of Systems (TACAS’10), in: LNCS, vol. 6015, Springer, 2010, pp. 175–189. [20] M. Carbone, F. Montesi, C. Schürmann, Choreographies, logically, Distrib. Comput. 31 (1) (2018) 51–67, https://doi.org/10.1007/s00446-017-0295-1. [21] D. Mostrous, N. Yoshida, Session typing and asynchronous subtyping for the higher-order π -calculus, Inf. Comput. 241 (2015) 227–263, https://doi.org/ 10.1016/j.ic.2015.02.002. [22] J. Lange, N. Yoshida, On the undecidability of asynchronous session subtyping, in: Foundations of Software Science and Computation Structures – 20th International Conference, FOSSACS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, Proceedings, ETAPS 2017, Uppsala, Sweden, April 22–29, 2017, 2017, pp. 441–457. [23] S. Haddad, R. Hennicker, M.H. Møller, Channel properties of asynchronously composed Petri nets, in: Petri Nets, in: Lecture Notes in Computer Science, vol. 7927, Springer, 2013, pp. 369–388.

Connecting open systems of communicating finite state machines

Connecting open systems of communicating finite state machines

Recommend Documents