Richer Interface Automata with Optimistic and Pessimistic CompatibilityThis research was supported by the DFG (German Research Foundation, grants LU 1748/3-1 and VO 615/12-1).


Electronic Communications of the EASST
Volume 66 (2013)

Proceedings of the
Automated Verification of Critical Systems

(AVoCS 2013)

Richer Interface Automata with
Optimistic and Pessimistic Compatibility

Gerald Lüttgen and Walter Vogler

15 pages

Guest Editors: Steve Schneider, Helen Treharne
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Richer Interface Automata with
Optimistic and Pessimistic Compatibility∗

Gerald Lüttgen1 and Walter Vogler2

1 gerald.luettgen@swt-bamberg.de
Software Technologies Group

University of Bamberg, Germany

2 vogler@informatik.uni-augsburg.de
Institute for Computer Science

University of Augsburg, Germany

Abstract: Modal transition systems are a popular semantic underpinning of inter-
face theories, such as Nyman et al.’s IOMTS and Bauer et al.’s MIO, which facili-
tate component-based reasoning of concurrent systems. Our interface theory MIA
repaired a compositional flaw of IOMTS-refinement and introduced a conjunction
operator. In this paper, we first modify MIA to properly deal with internal com-
putations including internal must-transitions, which were largely ignored already
in IOMTS. We then study a MIA variant that adopts MIO’s pessimistic – rather
than IOMTS’ optimistic – view on component compatibility and define, for the
first-time in a pessimistic, non-deterministic setting, conjunction and disjunction
on interfaces. For the pessimistic MIA variant we also provide a mechanism for
extending alphabets when refining interfaces, which is a desired feature in practice.
We illustrate our advancements via a small example.

Keywords: Interface theory, modal transitions system, modal interface automata,
optimistic and pessmimistic view, interface refinement, alphabet extension.

1 Introduction

Interface theories [BMSH10, LNW07, LV13, RBB+11] are a key technology for the component-
based design of critical systems and are applied, e.g., for specifying web services [BCHS07] and
software contracts [BDH+12]. Many interface theories are inspired by de Alfaro and Henzinger’s
Interface Automata (IA) [dH05] which employs transition systems with input and output actions
and alternating simulation for refinement. It is distinguished from classic process algebras by its
parallel composition operator: an interface cannot block an incoming input in any state but, if
an input arrives unexpectedly, this is treated as error, i.e., as an incompatibility. IA suffers from
the fact that outputs cannot be required since any interface may be implemented by a component
that accepts all inputs and does not engage in any output, hence avoiding errors altogether. This
is undesired in practice and has led researchers to base interface theories on modal transition

∗ This research was supported by the DFG (German Research Foundation, grants LU 1748/3-1 and VO 615/12-1).

1 / 15 Volume 66 (2013)

mailto:gerald.luettgen@swt-bamberg.de
mailto:vogler@informatik.uni-augsburg.de


Richer Interface Automata

systems (MTS) [Lar90]; these distinguish between must- and may-transitions and thus allow one
to enforce outputs via output must-transitions.

In the light of errors that may arise when joining components in parallel, two schools on
MTS-based interface theories have emerged, which treat compatibility either optimistically or
pessimistically. The pessimistic school of Bauer et al. [BMSH10] only defines the composition
of a restricted set of components; however, their MIO setting employs standard modal refinement
as refinement preorder and standard weak transitions for abstracting from internal computation.
In contrast, the optimistic school of Nyman et al. [LNW07] follows IA in that parallel compo-
sition is still defined in the presence of error states, if some concrete system environment may
prohibit such states to be reached. Their IOMTS setting is equipped with a customized preorder,
which allows one to compose a much larger set of components than in MIO. Fatally, IOMTS-
refinement does not require the matching of internal must-transitions of implementations and is
not at all permissive wrt. abstracting from internal computation. Our interface theory Modal In-
terface Automata (MIA) [LV13] adopts IOMTS-refinement while repairing a compositional flaw
regarding IOMTS parallel composition. It also adds conjunction on interfaces, which is a key
operator allowing engineers to specify a concurrent system from different perspectives.

This paper advances the state-of-the-art of both schools. Regarding the optimistic MIA set-
ting, we first re-consider IOMTS-refinement so that it properly deals with internal computation
including internal must-transitions (cf. Sec. 2). Along the way we also permit general, disjunc-
tive must-transitions, thereby increasing expressiveness and enabling an intuitive definition of
disjunction on interfaces. To the best of our knowledge, no existing work on disjunctive MTS
considers weak transitions. We then study a pessimistic variant of MIA and define, for the first-
time in a pessimistic, non-deterministic setting, conjunction and disjunction on interfaces (cf.
Sec. 3). While Bauer [Bau12] and Raclet et al. [RBB+11] also investigated conjunction, they
did so only for deterministic interfaces not containing internal computation. Extending alpha-
bets is useful in practice, firstly, when composing partial specification interfaces to an overall
interface conjunctively and, secondly, since implementors may decide to add extra features that
are not covered by the specification interface (cf. [RBB+11]). We add such a mechanism for
the pessimistic MIA version and discuss the problems that arise with alphabet extension in the
optimistic version.

In summary, we achieve a richer interface theory than related work does. In MIA, one may
specify non-deterministic behaviour, enforce outputs, express disjunctive must-transitions, ab-
stract from internal computation, interpret compatibility optimistically or pessimistically, com-
pose interfaces also conjunctively and disjunctively, and (in the pessimistic version) extend al-
phabets. A small example dealing with a communication protocol illustrates our advancements
(cf. Sec. 3.4).

2 Modal Interface Automata: The Optimistic Setting

This section fixes a severe shortcoming of MIA [LV13] that it inherited from IOMTS [LNW07],
namely that the refinement preorder ignores the matching of must-transitions labelled with the
internal action τ . The MIA variant presented below also permits (in contrast to [LV13]) general
disjunctive must-transitions, thus enabling a natural definition of disjunction on interfaces.

Proc. AVoCS 2013 2 / 15



ECEASST

Definition 1 (Modal Interface Automata) A Modal Interface Automaton (MIA) is a tuple (P, I,
O,−→, 99K), where

(i) P is the set of states,

(ii) A =df I ∪O with I ∩O = /0 is the alphabet consisting of disjoint inputs and outputs, resp., and
not containing the special, silent action τ ,

(iii) −→⊆ P ×(A ∪{τ})×(Pfin(P)\ /0) is the must-transition relation (with Pfin(P) being the
set of finite subsets of P),

(iv) 99K⊆ P ×(A ∪{τ})× P is the may-transition relation,

such that the following conditions hold for all i ∈ I and α ∈ A ∪{τ}:

(a) p i−→ P′ and p i−→ P′′ implies P′ = P′′ (input determinism),

(b) p
i

99K p′ implies ∃P′. p i−→ P′ and p′ ∈ P′ (input must),

(c) p α−→ P′ implies ∀p′∈P′. p
α

99K p′ (syntactic consistency).

Conds. (a)–(c) are adapted from the corresponding definition in [LV13]. Input determinism is
required for the MIA-refinement preorder (see below) to be a precongruence for parallel com-
position and conjunction; this condition is already imposed by IA, but note that, here, an input
must-transition is disjunctive, thus allowing nondeterminism within a transition. The input-must
condition is natural in the presence of IA-inspired parallel composition: a may-input in an in-
terface specification may simply be left out by a refining implementation, and thus increase the
potential for errors rather than decrease it. Finally, syntactic consistency is natural and inherited
from modal transition systems [Lar90].

In the sequel, we identify a MIA (P, I, O,−→, 99K) with its state set P and, if needed, use
index P when referring to one of its components, e.g., we write IP for I. Similarly, we write,
e.g., I1 instead of IP1 for MIA P1. In addition, we let i, o, a, ω and α stand for representatives of
the alphabets I, O, A, O ∪{τ} and A ∪{τ}, resp., write A = I/O when highlighting inputs I and
outputs O in an alphabet A, and define â =df a and τ̂ =df ε (the empty word). In figures, we often
refer to an action a as a?, if a ∈ I, and as a!, if a ∈ O, and omit the label of τ -transitions. Must-
transitions (may-transitions) are drawn using solid, possibly splitting arrows (dashed arrows);
any depicted must-transition also implicitly represents the resp. may-transition(s).

We now define weak must- and may-transition relations that abstract from transitions labelled
by τ , as will be needed for MIA-refinement. This is the first definition of this kind, which covers
disjunctive must-transitions; it is quite subtle as can be seen in Lemma 1 and Fig. 2 below.

Definition 2 (Weak Transition Relations) Weak must- and weak may-transition relations −→−→
and 99K99K , resp., are defined as the smallest relations satisfying p

ε
−→−→{p}, p

ε
99K99K p and the follow-

ing conditions, where ω̂ ∈ O ∪{ε}:

(a) p
ω̂
−→−→P′, p′ ∈ P′ and p′

τ−→ P′′ implies p
ω̂
−→−→(P′ \{p′})∪ P′′,

3 / 15 Volume 66 (2013)



Richer Interface Automata

(b) p
ε
−→−→P′ = {p1, . . . , pn} and ∀ j. p j

o−→ Pj, implies p
o
−→−→

⋃n
j=1 Pj,

(c) p
ε

99K99K p
′′ τ99K p′ implies p

ε
99K99K p

′,

(d) p
ε

99K99K p
′′ ω99K p′′′

ε
99K99K p

′ implies p
ω

99K99K p
′.

Our refinement relation is adapted from [LNW07, LV13] and called MIA-refinement:

Definition 3 (MIA-Refinement) Let P, Q be MIAs with common input and output alphabets.
Relation R ⊆ P × Q is a MIA-refinement relation if for all (p, q) ∈ R:

(i) q i−→ Q′ implies ∃P′. p i−→ P′ and ∀p′∈P′∃q′∈Q′. (p′, q′) ∈ R,

(ii) q ω−→ Q′ implies ∃P′. p
ω̂
−→−→P′ and ∀p′∈P′∃q′∈Q′. (p′, q′) ∈ R,

(iii) p
ω

99K p′ implies ∃q′. q
ω̂

99K99K q
′ and (p′, q′) ∈ R.

We write p @
`

q and say that p MIA-refines q if there exists a MIA-refinement relation R such
that (p, q) ∈ R.

It is easy to see that @
`

is the largest MIA-refinement relation and a preorder, i.e., it is reflexive and
transitive. The key difference to [LV13] is that our revised definition of MIA above also allows
τ -must-transitions that must be matched (Cond. (ii), for ω = τ ). The reason why input must-
transitions must be matched directly and not via a weak transition is due to the notion of MIA
parallel composition, which we adopt from IA [dH05] and explain below. The same comment
applies to the fact that our relation is insensitive to the refining MIA adding input-transitions,
since input may-transitions are not considered in Cond. (iv).

2.1 Parallel Composition

We define a parallel composition operator | on MIA in analogy to IA [dH05, LNW07] in two
stages: first a standard product ⊗ between two MIAs is introduced, where common actions are
synchronized and hidden. Then, error states are identified, and all states are pruned from which
reaching an error state is unavoidable in some implementation.

Definition 4 (Parallel Product) MIAs P1, P2 are composable if A1 ∩ A2 = (I1 ∩ O2)∪(O1 ∩ I2).
For such MIAs we define the product P1 ⊗ P2 = (P1 × P2, I, O,−→, 99K), where I = (I1 ∪ I2) \
(O1 ∪ O2) and O = (O1 ∪ O2)\(I1 ∪ I2) and where −→ and 99K are defined as follows:

(Must1) (p1, p2)
α−→ P′1 ×{p2} if p1

α−→ P′1 and α /∈ A2
(Must2) (p1, p2)

α−→ {p1}× P′2 if p2
α−→ P′2 and α /∈ A1

(Must3) (p1, p2)
τ−→ P′1 × P

′
2 if p1

a−→ P′1 and p2
a−→ P′2 for some a

(May1) (p1, p2)
α

99K (p′1, p2) if p1
α

99K p′1 and α /∈ A2
(May2) (p1, p2)

α
99K (p1, p′2) if p2

α
99K p′2 and α /∈ A1

(May3) (p1, p2)
τ

99K (p′1, p
′
2) if p1

a
99K p′1 and p2

a
99K p′2 for some a.

Proc. AVoCS 2013 4 / 15



ECEASST

Figure 1: Necessity of matching input-transitions strongly (left) and of ignoring input may-
transitions when matching (right).

The difference to the version of MIA in [LV13] is that we now have τ -must-transitions; in par-
ticular, this has led us to introduce Rule (Must3).

Definition 5 (Parallel Composition) Given a parallel product P1 ⊗ P2, a state (p1, p2) is an
error state if there is some a ∈ A1 ∩ A2 such that (a) a ∈ O1, p1

a
99K and p2 6

a−→, or (b) a ∈ O2,
p2

a
99K and p1 6

a−→. We define the set E ⊆ P1 ×P2 of incompatible states as the least set such that
(p1, p2) ∈ E if (i) (p1, p2) is an error state or (ii) (p1, p2)

ω
99K (p′1, p

′
2) and (p

′
1, p

′
2) ∈ E.

The parallel composition P1|P2 of P1 and P2 is now obtained from P1 ⊗ P2 by pruning, namely
removing all states in E and every transition that involves such states as its source, its target or
one of its targets; all may-transitions underlying a removed must-transition are deleted, too. If
(p1, p2) ∈ P1|P2, we write p1|p2 and call p1 and p2 compatible.

It is easy to see that parallel products and parallel compositions are well-defined MIAs and that
the parallel composition operator is commutative and associative. In addition and as we will show
below, MIA-refinement is compositional wrt. parallel composition, i.e., @

`
is a precongruence. It

is this desired property that requires us in Def. 3 to match input must-transitions strongly and
to ignore input may-transitions when matching. To see the former, consider Fig. 1 (left) with
input/output alphabets AP =df AQ =df {i}/ /0 and AR =df /0/{i}. Now, p should not refine q since q
and r are compatible while p and r are not (because (p, r) is an error). Therefore, one must not
be able to match a transition

i−→ by a transition sequence ( τ−→)+ i−→, unless the notion of error
state originating from Interface Automata [dH05] is changed, as is done in [BMSH10].

To see the latter, observe that prescribing the matching of input may-transitions as in Def. 3(iv)
for output may-transitions would lead to a compositionality bug. For example, for the MIAs in
Fig. 1 (right) with alphabets AP =df {o}/ /0 and AQ =df AQ′ =df {i}/{o} we would have q′ @` q but
p|q′ 6@

`
p|q would fail.

Theorem 1 (Compositionality of Parallel Composition) Let P1, P2, Q be MIAs with p1 ∈ P1,
p2 ∈ P2, q ∈ Q and p1 @` q. Assume that Q and P2 are composable; then:

(a) P1 and P2 are composable.

(b) If q and p2 are compatible, then so are p1 and p2 and p1|p2 @` q|p2.

The proof of this result requires a couple of auxiliary properties regarding the preservation of

5 / 15 Volume 66 (2013)



Richer Interface Automata

Figure 2: Example showing that set R in Lemma 1 is not always the full set P′ × Q′.

composability and consistency under refinement, respectively, as well as the following property
of weak must-transitions:

Lemma 1 (Weak Must-Transitions) Let P, Q be composable MIAs. If p
a
−→−→P P

′ and q
a−→Q Q′

for some action a ∈ (OP ∩ IQ)∪(IP ∩ OQ), then (p, q)
ε
−→−→R in P ⊗ Q with R ⊆ P′ × Q′.

Fig. 2 shows that, in general, R 6= P′ × Q′; here, 1
a!
−→−→P {2, 3, 4, 5} and 0

a?
−→−→Q 0, but not 1|0

ε
−→−→

{2, 3, 4, 5}×{0}. The sets R with maximal cardinality satisfying 1|0
ε
−→−→R are {2, 4, 5}×{0}

and {3, 4, 5}×{0}.

2.2 Conjunction & Disjunction

Conjunction on MIA will be defined in two stages, similarly to parallel composition. State
pairs can be logically inconsistent due to unsatisfiable must-transitions and are then removed
incrementally in the second stage.

Definition 6 (Conjunctive Product) Let (P, I, O,−→P, 99KP) and (Q, I, O, −→Q, 99KQ) be MIAs
with common input and output alphabets and disjoint state sets. The conjunctive product P&Q
=df ((P × Q)∪ P ∪ Q, I, O,−→, 99K) inherits the transitions of P and Q and has additional tran-
sitions as follows:

(OMust1) (p, q)
ω−→ {(p′, q′)| p′ ∈ P′, q

ω̂
99K99KQ q

′} if p ω−→P P′ and q
ω̂

99K99KQ

(OMust2) (p, q)
ω−→ {(p′, q′)| p

ω̂
99K99KP p

′, q′ ∈ Q′} if p
ω̂

99K99KP and q
ω−→Q Q′

(IMust1) (p, q)
i−→ P′ if p i−→P P′ and q 6

i−→Q
(IMust2) (p, q)

i−→ Q′ if p 6 i−→P and q
i−→Q Q′

(IMust3) (p, q)
i−→ P′ × Q′ if p i−→P P′ and q

i−→Q Q′

(May1) (p, q)
τ

99K (p′, q) if p
τ

99K99KP p
′

(May2) (p, q)
τ

99K (p, q′) if q
τ

99K99KQ q
′

(May3) (p, q)
ω

99K (p′, q′) if p
ω

99K99KP p
′ and q

ω
99K99KQ q

′

(IMay1) (p, q)
i

99K p′ if p
i

99KP p′ and q 6
i

99KQ

(IMay2) (p, q)
i

99K q′ if p 6
i

99KP and q
i

99KQ q′

(IMay3) (p, q)
i

99K (p′, q′) if p
i

99KP p′ and q
i

99KQ q′

Observe that the conjunctive product is inherently different from the parallel product, as can be

Proc. AVoCS 2013 6 / 15



ECEASST

seen from some ‘unusual’ rules that define single transitions on the basis of weak transitions
(Rules (OMust) and (May)) and synchronize on τ -transitions (Rule (May3)). These will be
justified by Thm. 2 below. As an aside, note that we assume in the (OMust) rules and in similar
cases below, that the target set of the defined transition is finite. If one wishes to deal with
infinite target sets in MIA, one has to modify the definition of

ε
−→−→ by allowing the simultaneous

replacement of several p′ by suitable P′ in Def. 2(a); this would make the latter definition more
complicated and Lemma 1 superfluous.

We now define a conjunction operator on MIAs that have the same input and output alphabets;
relaxing this requirement will be discussed below.

Definition 7 (Conjunction) Given a conjunctive product P&Q, the set F ⊆ P×Q of (logically)
inconsistent states is defined as the least set satisfying the following rules:

(F1) p
o−→P and q 6

o
99K99KQ implies (p, q) ∈ F

(F2) p 6
o

99K99KP and q
o−→Q implies (p, q) ∈ F

(F3) (p, q)
α−→ R′ and R′ ⊆ F implies (p, q) ∈ F

The conjunction P ∧ Q of MIAs P, Q with common input and output alphabets is obtained by
deleting all states (p, q) ∈ F from P&Q. This also removes any may- or must-transition exiting
a deleted state and any may-transition entering a deleted state; in addition, deleted states are
removed from targets of disjunctive must-transitions. We write p∧q for state (p, q) of P∧Q; all
such states are defined – and consistent – by construction.

Operator ∧ indeed defines conjunction on MIA, i.e., ∧ is the greatest lower bound wrt. @
`

:

Theorem 2 (∧ is And) Let P and Q be MIAs with the same alphabets and disjoint state sets.
We have (i) (∃MIA R and r ∈ R. r @

`
p and r @

`
q) iff p ∧ q is defined. Further, in case p ∧ q is

defined and for any MIA R and r ∈ R: (ii) r @
`

p and r @
`

q iff r @
`

p ∧ q. In both statements, R is
supposed to have the same alphabets as P and Q.

The theorem’s first part reflects the intuition that specifications p and q are logically inconsistent
if they do not have a common implementation; formally, p∧q is undefined in this case. Its proof
demands us to reason about inconsistent states, for which we resort to a notion of witness:

Definition 8 (Witness) A witness W of P&Q is a subset of (P × Q) ∪ P ∪ Q such that the
following conditions hold for all (p, q) ∈ W :

(W1) p
o−→P implies q

o
99K99KQ

(W2) q
o−→Q implies p

o
99K99KP

(W3) (p, q)
α−→ R′ implies R′ ∩W 6= /0

Lemma 2 (Concrete Witness) Let P&Q be a conjunctive product of MIAs. Then, for any
witness W of P&Q, we have (i) F ∩W = /0. Moreover, (ii) the set W =df {(p, q) ∈ P×Q | ∃MIA R
and r ∈ R. r @

`
p and r @

`
q}∪ P ∪ Q is a witness of P&Q.

Statement (ii) above is now the key for proving Thm. 2. As a corollary to this theorem, one may

7 / 15 Volume 66 (2013)



Richer Interface Automata

obtain compositionality of MIA-refinement wrt. conjunction:

Corollary 1 If p @
`

q and p ∧ r defined, then q ∧ r defined and p ∧ r @
`

q ∧ r.

Note that one cannot expect that definedness of q∧r implies that of p∧r, because specializing q
to p might introduce an inconsistency.

We now turn our attention to defining the dual disjunction operator ∨ on MIA, which ex-
presses the least upper bound property wrt. @

`
. The definition of disjunction may make use of the

disjunctive must-transitions relation also for inputs and the internal action τ :

Definition 9 (Disjunction) Let (P, I, O,−→P, 99KP) and (Q, I, O, −→Q, 99KQ) be MIAs with
common input and output alphabets and disjoint state sets. The disjunction P ∨ Q is defined by
({p ∨ q| p∈P, q∈Q}∪ P ∪ Q, I, O,−→, 99K), where −→ and 99K are the least sets satisfying the
conditions −→P⊆−→, 99KP⊆99K, −→Q⊆−→, 99KQ⊆99K and the following rules:

(Must) p ∨ q τ−→ {p, q}
(IMust) p ∨ q i−→ P′ ∪ Q′ if p i−→P P′ and q

i−→Q Q′

(May) p ∨ q
τ

99K p, p ∨ q
τ

99K q

(May1) p ∨ q
i

99K p′ if p
i

99KP p′ and ∃q′. q
i

99KQ q′

(May2) p ∨ q
i

99K q′ if q
i

99KQ q′ and ∃p′. p
i

99KP p′

The idea behind the operational reading of ∨ is very intuitive since p∨q τ−→ {p, q} naturally de-
scribes disjunctive behaviour. The only subtle point is that must-inputs must be matched directly,
which justifies Rule (IMust) above. We now have the following desired theorem and corollary:

Theorem 3 (∨ is Or) Let P, Q and R be MIAs with common alphabets, disjoint state sets and
states p, q, r, resp. Then, p ∨ q @

`
r iff p @

`
r and q @

`
r.

Corollary 2 MIA-refinement is compositional wrt. disjunction.

The above conjunction and disjunction operators are only defined on MIAs with the same al-
phabets. In practice, one would wish to also be able to apply these operators to MIAs that specify
different aspects of the system under study and, thus, have different alphabets (cf. Sender and
Resetter in Sec. 3.4). One way to deal with this situation is to extend the alphabets of the con-
juncts in some P∧Q to a common alphabet by adding a may-loop p

a
99K p to all states p ∈ P and

for all actions a ∈ AQ \AP, and similarly for Q; such loops would express that P, Q behave neutral
regarding actions that are not in their resp. alphabets. However, there is a problem with this idea
in the context of MIA refinement, which we inherited from the IOMTS framework [LNW07].

To see this problem, consider the MIAs P, Q depicted in Fig. 3 with input/output alpha-
bets /0/{o, o′} and resp. {i}/ /0, as well as MIAs R1, R2 and R3 with alphabets {i}/{o, o′}. Intu-
itively, r1 and r2 should refine p ∧ q, while r3 should not. This is because (i) p morally has an
i-may-loop and q allows input i, and (ii) p enforces one output o and prohibits o′ independent
of any i. However, there is no MIA R with alphabets {i}/{o, o′} and some r ∈ R which has
these properties of p ∧ q: if r2 refines r, then so does r3. The problem’s source lies in the fact

Proc. AVoCS 2013 8 / 15



ECEASST

Figure 3: Alphabet extension and conjunction in the optimistic setting.

that, as shown in Fig. 1 (right), any reasonable refinement relation on MIA must allow additional
inputs (with arbitrary subsequent behaviour) in implementations, if compositionality for parallel
composition as in IA [dH05] should hold.

One could try to generalise Def. 3 such that the refining P may have additional inputs (and
outputs) and decree that

p
i−→ P′ with i ∈ IP \ IQ implies ∀p′ ∈ P′. (p′, q) ∈ R,

as we did in a prior version of this paper that is included in the pre-proceedings of AVoCS’13.
But the example above shows that the resulting refinement notion would not be transitive, since
then r3 @` r2

@
`

p but r3 6@` p. Our special treatment of inputs implies that may-inputs make no
sense, because inputs are always implicitly allowed. Thus, one cannot formalize the decision
not to implement some input in some state. As we will show in the next section, the pessimistic
approach as, e.g., in [BMSH10] avoids this problem.

3 The Pessimistic Setting

Orthogonal to the ‘optimistic’ school on interface theories, comprising IA [dH05], IOMTS
[LNW07] and the above MIA approaches, there is the school of Bauer et al. who has adopted
a pessimistic view of compatibility in the presence of errors; see, e.g., [BMSH10]. Their in-
terface theory, called MIO, also roots in Larsen’s modal transition systems [Lar90] and allows
may-inputs, but it defines parallel composition for much fewer interfaces when compared to
optimistic approaches.

In our opinion, intuition for the pessimistic setting is weak since it distinguishes a state p
where an input i is absent, from the situation where an i-transition leads to an error state; in both
cases, an error is reached iff the environment provides input i. However, the pessimistic setting
has technical advantages as we will see below. We will therefore re-develop our MIA theory for
such a pessimistic setting, to which we will primarily contribute conjunction and disjunction op-
erators and also disjunctive must-transitions. For completeness note that conjunction was defined
by Bauer for a pessimistic interface theory in [Bau12]; however, he considered deterministic in-
terfaces only and no internal actions.

Definition 10 (Relaxed MIA) A Relaxed Modal Interface Automaton (Relaxed MIA) is a tuple
(P, I, O,−→, 99K) as in Def. 1, but which is only required to satisfy syntactic consistency.

In the context of the pessimistic setting, it turns out that input determinism and input must
(Conds. (a) and (b) of Def. 1) will not be necessary. We thus eliminate these conditions from

9 / 15 Volume 66 (2013)



Richer Interface Automata

MIA and call the resulting automata Relaxed MIAs. In analogy to Def. 2 we now define weak
transitions for Relaxed MIA and, for convenience, overload the according transition symbols:

Definition 11 (Relaxed Weak Transition Relations) The relaxed weak must-transition rela-
tion −→−→ and relaxed weak may-transition relation 99K99K are defined identically to the weak must-
and may-transition relations in Def. 2, but replacing ω by α , ω̂ by α̂ , and o by a. For input ac-
tions, we additionally define a restricted weak must-transition that only allows trailing τ -actions
as follows:

(e) p i−→ P′ implies p
i

−→−→−→−→P′,

(f) p
i

−→−→−→−→P′, p′ ∈ P′ and p′
τ−→ P′′ implies p

i
−→−→−→−→(P′ \{p′})∪ P′′,

Observe that p
i

−→−→−→−→P′ implies p
i

−→−→P′, which will be used in the sequel.

Since may-inputs are available in the pessimistic setting, extending the alphabets of interfaces
can be defined via an according operation, as we will see below (Def. 15). Therefore, we first
consider refinement and operators for Relaxed MIAs with the same input and output alphabets.
The corresponding notions for Relaxed MIAs with dissimilar alphabets will then be defined on
the basis of the existing ones and the alphabet extension operator.

Definition 12 (Modal Refinement on Relaxed MIA) Let P, Q be Relaxed MIAs with the same
input and output alphabets. R ⊆ P × Q is a modal refinement relation if for all (p, q) ∈ R:

(i) q i−→ Q′ implies ∃P′. p
i

−→−→−→−→P′ and ∀p′∈P′∃q′∈Q′. (p′, q′) ∈ R,

(ii) q ω−→ Q′ implies ∃P′. p
ω̂
−→−→P′ and ∀p′∈P′∃q′∈Q′. (p′, q′) ∈ R,

(iii) p
α

99K p′ implies ∃q′. q
α̂

99K99K q
′ and (p′, q′) ∈ R.

We write p @
a

q and say that p modal-refines q if there exists a modal refinement relation R such
that (p, q) ∈ R. Moreover, we denote the kernel of @

a
by @

a
A
a

.

3.1 Parallel Composition

The definitions of composability, parallel product and error state for Relaxed MIAs are as in
Def. 4 for MIAs. However, the pessimistic setting is distinguished from the optimistic one by
the following definition of compatibility, which is much stricter than the notion of compatibility
introduced in Def. 4:

Definition 13 (Compatibility on Relaxed MIA) Given Relaxed MIAs P1 and P2, states p1 ∈ P1
and p2 ∈ P2 are called incompatible if an error state is reachable from (p1, p2) in P1 ⊗ P2. Here,
reachable means reachable via any kind of may-transition. We write p1 ⊗ p2 for (p1, p2) if p1
and p2 are compatible.

Note that Lemma 1 is still valid in the pessimistic setting. We now obtain the analogue of Thm. 1:

Proc. AVoCS 2013 10 / 15



ECEASST

Theorem 4 (Compositionality of Parallel Composition) Let P1, P2, Q be Relaxed MIAs with
p1 ∈ P1, p2 ∈ P2, q ∈ Q and p1 @a q. Assume that Q and P2 are composable; then:

(a) P1 and P2 are composable.

(b) If q and p2 are compatible, then so are p1 and p2 and p1 ⊗ p2 @a q ⊗ p2.

In contrast to the optimistic setting, the matching of input may-transitions in the refinement pre-
order does not preclude compositionality. This is because for p1 @a q, there exist much fewer p2
such that q and p2 are compatible. In other words, for establishing the precongruence property
for parallel composition ⊗, there are much fewer results p1 ⊗ p2 @a q ⊗ p2 to prove.

3.2 Conjunction & Disjunction

The definition of conjunction ∧ on Relaxed MIA gets by with five instead of eleven rules. This
is because it allows one to merge the corresponding rules for outputs and inputs, due to the use
of weak input must-transitions in Def. 12:

Definition 14 (Conjunctive Product on Relaxed MIA) Let (P, I, O, −→P, 99KP) and (Q, I,
O,−→Q, 99KQ) be Relaxed MIAs with common alphabets. The conjunctive product P&Q =df
(P × Q, I, O,−→, 99K) is defined by the following operational transition rules:

(Must1) (p, q)
α−→ {(p′, q′)| p′ ∈ P′, q

α̂
99K99KQ q

′} if p α−→P P′ and q
α̂

99K99KQ

(Must2) (p, q)
α−→ {(p′, q′)| p

α̂
99K99KP p

′, q′ ∈ Q′} if p
α̂

99K99KP and q
α−→Q Q′

(May1) (p, q)
τ

99K (p′, q) if p
τ

99K99KP p
′

(May2) (p, q)
τ

99K (p, q′) if q
τ

99K99KQ q
′

(May3) (p, q)
α

99K (p′, q′) if p
α

99K99KP p
′ and q

α
99K99KQ q

′

Conjunction on Relaxed MIA – including the set F of inconsistent states – is now defined iden-
tically to these notions on MIA (Def. 7), but replacing o ∈ O with a ∈ A; the same applies to the
notion of witness (Def. 8). In analogy to Lemma 2, we obtain the following concrete witness
lemma for our pessimistic setting:

Lemma 3 (Concrete Witness for Relaxed MIAs) Let P, Q and R be Relaxed MIAs.

(i) For any witness W of P&Q, we have F ∩W = /0.

(ii) The set {(p, q) ∈ P × Q | ∃r ∈ R. r @
a

p and r @
a

q} is a witness of P&Q.

On the basis of this lemma we can now establish the desired greatest lower bound result for ∧,
which implies the compositionality of @

a
wrt. ∧:

Theorem 5 (∧ is And) Let P and Q be Relaxed MIAs with common alphabets. Then, (i) (∃R
and r ∈ R. r @

a
p and r @

a
q) iff p ∧ q defined. Further, in case p ∧ q defined and for any R and

r ∈ R: (ii) r @
a

p and r @
a

q iff r @
a

p ∧ q.

11 / 15 Volume 66 (2013)



Richer Interface Automata

Corollary 3 Modal-refinement is compositional wrt. conjunction.

We now turn our attention to disjunction ∨ on Relaxed MIA, which is defined as in Def. 9 for
MIA and for which we obtain, in analogy to Thm. 3 and Cor. 3:

Theorem 6 (∨ is Or) Let P, Q and R be Relaxed MIAs with common alphabets, disjoint state
sets and states p, q and r, resp. Then, p ∨ q @

a
r iff p @

a
r and q @

a
r.

Corollary 4 Modal-refinement is compositional wrt. disjunction.

3.3 Alphabet Extension

As motivated in Sec. 2, we introduce alphabet extension as an operation on Relaxed MIA:

Definition 15 (Alphabet Extension) Given a Relaxed MIA (P, I, O, −→, 99K) and disjoint ac-
tion sets I′ and O′ satisfying I′ ∩A = /0 = O′ ∩A, where A =df I ∪O. The alphabet extension of P
by I′ and O′ is given by [P]I′, O′ =df (P, I∪I′, O∪O′,−→, 99K

′) for 99K′ =df 99K ∪{(p, a, p)| p ∈ P,
a ∈ I′ ∪ O′}. We often write [p]I′, O′ – or conveniently [p] in case I′, O′ are understood from the
context – for p as state of [P]I′, O′ .

For Relaxed MIAs P, Q with p ∈ P, q ∈ Q, IP ⊇ IQ and OP ⊇ OQ, we define p @a
′ q if p @

a
[q]IP\IQ, OP\OQ . Since @a

′ extends @
a

to Relaxed MIAs with different alphabets, we write @
a

for @
a
′.

We also abbreviate [q]IP\IQ, OP\OQ by [q]P.

Our compositionality result regarding parallel composition of Thm. 4 immediately carries over
to the alphabet extension situation, if we require that alphabet extension does not yield new
communications:

Theorem 7 (Compositionality of Parallel Composition) Let P1, P2, Q be Relaxed MIAs as well
as p1 ∈ P1, p2 ∈ P2, q ∈ Q such that, for I′ =df I1 \IQ and O′ =df O1 \OQ, we have (I′∪O′)∩A2 =
/0. Assume further that Q and P2 are composable and p1 @a q. Then:

(a) P1 and P2 are composable.

(b) If q and p2 are compatible, then so are p1 and p2 and p1 ⊗ p2 @a q ⊗ p2.

The conjunction operator in the presence of alphabet extension can now be lifted from Sec. 3.2
in a straightforward manner:

Definition 16 (Conjunction Operator) Let P, Q be Relaxed MIAs, p ∈ P and q ∈ Q such that
IP ∩ OQ = /0 = IQ ∩ OP. Then, p ∧′ q =df [p]Q ∧[q]P. Again, we simply write p ∧ q for p ∧′ q.

To be able to lift our main result, Thm. 5, we only need to establish that the alphabet extension
operation is a homomorphism for conjunction:

Lemma 4 Let P with p ∈ P and Q with q ∈ Q be Relaxed MIAs that have the same alphabets.
Consider the alphabet extensions by some I′ and O′. Then:

Proc. AVoCS 2013 12 / 15



ECEASST

(a) p and q are consistent iff [p] and [q] are.

(b) Given consistency, [p ∧ q] @
a

A
a

[p]∧[q].

Theorem 8 (∧ is And) Let P with p∈P, Q with q∈Q, and R with r∈R be Relaxed MIAs such
that IP ∩ OQ = /0 = IQ ∩ OP, IR ⊇ IP ∪ IQ and OR ⊇ OP ∪ OQ. Then, (i) there exists such an R and
r ∈ R with r @

a
p and r @

a
q iff p∧q is defined. Further, in case p∧q is defined: (ii) r @

a
p and r @

a
q

iff r @
a

p ∧ q.

The situation for disjunction under alphabet extension is analogous to above, but exploiting
monotonicity of the alphabet extension operation wrt. @

a
:

Definition 17 (Disjunction Operator) Let P, Q be Relaxed MIAs with disjoint state sets, p ∈ P
and q ∈ Q such that IP ∩ OQ = /0 = IQ ∩ OP. Then, p ∨′ q =df [p]Q ∨[q]P. Once again, we simply
write p ∨ q for p ∨′ q.

Lemma 5 Let P with p∈P and R with r∈R be Relaxed MIAs having the same alphabets, as
well as I′ and O′ be suitable action sets for extending them. Then, p @

a
r iff [p] @

a
[r].

Theorem 9 (∨ is Or) Let P with p∈P, Q with q∈Q, and R with r∈R be Relaxed MIAs with
disjoint state sets such that IP ∩ OQ = /0 = IQ ∩ OP, IR ⊆ IP ∪ IQ and OR ⊆ OP ∪ OQ. Then,
p ∨ q @

a
r iff p @

a
r and q @

a
r.

3.4 Example

We briefly illustrate the utility of our interface theory by a small example that models parts of a
communication protocol (see Fig. 4) and is inspired by an example in [RBB+11]. The protocol’s
abstract specification is given by MIA Spec. It receives a message from its environment (action
get?), delivers it (put!) and signals to its environment its willingness to handle the next
message (nxt!). The two τ -may-transitions making up the τ -loop model that the message’s
transmission may fail and that this failure may possibly be repaired.

The design of our communication protocol contains a generic component Sender, which
receives a message for delivery (get?). It sends this message (msg!) to the Medium and waits
for an according acknowledgment (ack?). In case a negative acknowledgment arrives (nack?),
the message is re-sent. Sender is specialized by conjoining it with component Resetter,
which can suggest a reset (rst!) after a negative acknowledgment; it is defined such that an
implementation may decide, e.g., to initiate a reset after exactly n negative acknowledgments,
showing the utility of may-inputs for specification and the model-refinement preorder.

(Relaxed) MIA Sender∧Resetter is the result of formally applying our conjunction op-
erator to (Relaxed) MIA Sender and Relaxed MIA Resetter. Note that applying conjunc-
tion implicitly extends the alphabet of Resetter by get?, ack?, msg! and nxt! (cf.
Def. 16). In addition, no inconsistency arises in our example. However, if one would refine
Sender and Resetter by removing the rst!-loop at state D and making the reset transition
a must-transition instead of a may-transition, then state Db (or, more precisely, D∧b) would be

13 / 15 Volume 66 (2013)



Richer Interface Automata

Figure 4: Example: Design = (Sender∧Resetter)|Medium and Spec.

inconsistent; removing this state as is required by the definition of ∧ would then yield state Ab
unreachable.

(Relaxed) MIA Medium specifies a communication medium with potential failure, which re-
ceives a message (msg?) and may either deliver it to the environment (put!) or – via the
τ -may-transition – may lose it. In the former case, Medium returns to its initial state by send-
ing an acknowledgment (ack!); in the latter case, it signals failure (failed!) and may re-
turn a negative acknowledgment (nack!). The parallel composition Design =df (Sender∧
Resetter)|Medium is also shown in Fig. 4. Using our refinement preorder, it is now easy to
check that Design modal-refines Spec when the latter’s alphabet is extended by failed!,
i.e., Design @

a
[Spec] /0,{failed}. Note that this relies on our use of weak must- and may-

transitions in the definition of @
a

, i.e., on the ability to abstract from internal τ -transitions.
As a practical case for the problem that we discussed using Fig. 3, observe the following: if

Resetter would permit everything after the unknown input get?, output rst! would then
always be allowed – also without any occurrence of nack?.

Proc. AVoCS 2013 14 / 15



ECEASST

4 Conclusions & Future Work

Interface theories are an important tool for reasoning about component-based systems [BDH+12,
BMSH10, BCHS07, dH05, LNW07, LV13, RBB+11]. This paper advanced the state-of-the-art
of both the optimistic and pessimistic schools on interface theories. Regarding the optimistic
school, we repaired a shortcoming of the refinement preorder introduced in [LNW07], which
ignored internal must-transitions, thereby leading to unintuitive refinements. Regarding the pes-
simistic school, we showed how its approach may be extended by conjunction and disjunction
operators; conjunction is a key operator in any component-based setting, which enables engi-
neers to express that some component is required to satisfy several interfaces.

In future work we wish to investigate whether there are suitable interface theories in-between
the optimistic and pessimistic approaches. This might fix their current limitations, namely al-
lowing may-inputs as in the pessimistic approach while maintaining the truly open systems view
of the optimistic approach.

Bibliography

[Bau12] S. Bauer. Modal Specification Theories for Component-based Design. PhD thesis,
Faculty of Mathematics, Informatics and Statistics, LMU Munich, Germany, 2012.

[BCHS07] D. Beyer, A. Chakrabarti, T. Henzinger, S. Seshia. An Application of Web-Service
Interfaces. In ICWS. Pp. 831–838. IEEE, 2007.

[BDH+12] S. Bauer, A. David, R. Hennicker, K. Larsen, A. Legay, U. Nyman, A. Wasowski.
Moving from Specifications to Contracts in Component-Based Design. In FASE.
LNCS 7212, pp. 43–58. Springer, 2012.

[BMSH10] S. Bauer, P. Mayer, A. Schroeder, R. Hennicker. On Weak Modal Compatibility, Re-
finement, and the MIO Workbench. In TACAS. LNCS 6015, pp. 175–189. Springer,
2010.

[dH05] L. de Alfaro, T. Henzinger. Interface-based Design. In Engineering Theories of
Software-Intensive Systems. NATO Science Series 195. Springer, 2005.

[Lar90] K. Larsen. Modal Specifications. In Automatic Verification Methods for Finite State
Systems. LNCS 407, pp. 232–246. Springer, 1990.

[LNW07] K. Larsen, U. Nyman, A. Wasowski. Modal I/O Automata for Interface and Product
Line Theories. In ESOP. LNCS 4421, pp. 64–79. Springer, 2007.

[LV13] G. Lüttgen, W. Vogler. Modal Interface Automata. Logical Methods in Computer
Science 9(3:4), 2013.

[RBB+11] J. Raclet, E. Badouel, A. Benveniste, B. Caillaud, A. Legay, R. Passerone. A Modal
Interface Theory for Component-based Design. Fund. Inform. 107:1–32, 2011.

15 / 15 Volume 66 (2013)


	Introduction
	Modal Interface Automata: The Optimistic Setting
	Parallel Composition
	Conjunction & Disjunction

	The Pessimistic Setting
	Parallel Composition
	Conjunction & Disjunction
	Alphabet Extension
	Example

	Conclusions & Future Work