|
| 1 | +---------------------------- MODULE Composition ---------------------------- |
| 2 | +(**************************************************************************) |
| 3 | +(* Background reading: Conjoining Specifications by Abadi and Lamport *) |
| 4 | +(* https://lamport.azurewebsites.net/pubs/abadi-conjoining.pdf *) |
| 5 | +(* *) |
| 6 | +(* Spec A and B are two components that together are composed into a *) |
| 7 | +(* larger system. It's toy example in the sense that minimize *) |
| 8 | +(* interaction of A and B to behaviors where first A takes its steps *) |
| 9 | +(* followed by B. Variable y in A and B represents the control wire *) |
| 10 | +(* that A and B use to synchronize. *) |
| 11 | +(* Variable z has been added to make the example more interesting--it *) |
| 12 | +(* only appears in spec A but *not* B. *) |
| 13 | +(* *) |
| 14 | +(**************************************************************************) |
| 15 | +EXTENDS Naturals, Sequences |
| 16 | + |
| 17 | +(* COMPONENT Spec A *) |
| 18 | +------------ MODULE A ------------ |
| 19 | +VARIABLES x, \* Abstract/very high-level representation of the overall computation. |
| 20 | + \* Think of it as some computation going on. At a certain state |
| 21 | + \* of the computation, the composed system transitions into the |
| 22 | + \* next phase. |
| 23 | + y, \* Represents the phase that the composed system is in. |
| 24 | + \* This toy example has three phases: <<"A", "B", "C">>. |
| 25 | + z \* z is the variable that is only going to be present in spec A. |
| 26 | +varsA == <<x, y, z>> |
| 27 | + |
| 28 | +InitA == |
| 29 | + /\ x = 0 |
| 30 | + /\ y = "A" |
| 31 | + /\ z = TRUE |
| 32 | + |
| 33 | +NextA == |
| 34 | + /\ y = "A" |
| 35 | + /\ x' = x + 1 |
| 36 | + /\ IF x' = 5 |
| 37 | + THEN y' = "B" |
| 38 | + ELSE UNCHANGED y |
| 39 | + /\ z' = ~ z |
| 40 | + |
| 41 | +================================== |
| 42 | + |
| 43 | +(* COMPONENT Spec B *) |
| 44 | +VARIABLES x, |
| 45 | + y |
| 46 | +varsB == <<x, y>> |
| 47 | + |
| 48 | +\* ++Observation: This is most likely not the original Init predicate of a |
| 49 | +\* standalone B component, unless perhaps we consider spec A |
| 50 | +\* the environment of spec B. In this particular example, |
| 51 | +\* InitB is superfluouos anyway. However, if one would want |
| 52 | +\* to prove something about spec B, we probably need an init |
| 53 | +\* predicate (=> Conjoining Specifications). |
| 54 | +InitB == |
| 55 | + /\ x \in Nat \* Spec B may starts with x being any natural number, |
| 56 | + \* which is where A left off. |
| 57 | + /\ y \in {"A", "B"} \* Phase A or B, otherwise InitA /\ InitB in Spec |
| 58 | + \* below will equal FALSE. |
| 59 | + |
| 60 | +NextB == |
| 61 | + /\ y = "B" |
| 62 | + /\ x' = x + 1 |
| 63 | + /\ IF x' = 10 \* (Make sure values is greater than in spec A) |
| 64 | + THEN y' = "C" \* Phase C of the composed system (or ultimate termination). |
| 65 | + ELSE UNCHANGED y |
| 66 | + |
| 67 | +----------------------------------------------------------------------------- |
| 68 | + |
| 69 | +(* This *extends* component spec B to defines what happens to the variables |
| 70 | + in spec A, which are not defined in B, when B takes a step. *) |
| 71 | +VARIABLES restOfTheUniverse |
| 72 | + |
| 73 | +\* Note that TLC doesn't complain about restOfTheUniverse |
| 74 | +\* not appearing in InitB. |
| 75 | +OpenNextB == |
| 76 | + /\ NextB |
| 77 | + /\ UNCHANGED <<restOfTheUniverse>> |
| 78 | + |
| 79 | +vars == |
| 80 | + <<x,y,restOfTheUniverse>> |
| 81 | + |
| 82 | +(* Composition of A and B (A /\ B) *) |
| 83 | +(* Down here we know about the internals *) |
| 84 | +(* of spec A and B (whitebox component). *) |
| 85 | + |
| 86 | +INSTANCE A WITH z <- restOfTheUniverse |
| 87 | + |
| 88 | +Spec == InitA /\ InitB /\ [][ \/ [NextA]_vars |
| 89 | + \/ [OpenNextB]_vars |
| 90 | + ]_vars |
| 91 | + |
| 92 | +Inv == y \in {"A","B","C"} |
| 93 | +THEOREM Spec => Inv |
| 94 | + |
| 95 | +============================================================================= |
| 96 | +\* Modification History |
| 97 | +\* Last modified Fri Jun 12 16:30:33 PDT 2020 by markus |
| 98 | +\* Last modified Fri Jun 12 16:30:19 PDT 2020 by Markus Kuppe |
| 99 | +\* Created Fri Jun 12 10:30:09 PDT 2020 by Leslie Lamport |
0 commit comments