Combining Partial Specifications using Alternating Interface Automata

To model real-world software systems, modelling paradigms should support a form of compositionality. In interface theory and model-based testing with inputs and outputs, conjunctive operators have been introduced: the behaviour allowed by composed specification \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$s_1 \wedge s_2$$\end{document} is the behaviour allowed by both partial models \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$s_1$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$s_2$$\end{document}. The models at hand are non-deterministic interface automata, but the interaction between non-determinism and conjunction is not yet well understood. On the other hand, in the theory of alternating automata, conjunction and non-determinism are core aspects. Alternating automata have not been considered in the context of inputs and outputs, making them less suitable for modelling software interfaces. In this paper, we combine the two modelling paradigms to define alternating interface automata (AIA). We equip these automata with an observational, trace-based semantics, and define testers, to establish correctness of black-box interfaces with respect to an AIA specification.


Introduction
The challenge of software verification is to ensure that software systems are correct, using techniques such as model checking and model-based testing. To use these techniques, we assume that we have an abstract specification of a system, which serves as a description of what the system should do. A popular approach is to model a specification as an automaton. However, the huge number of states in typical real-world software systems quickly makes modelling with explicit automata infeasible. A form of compositionality is therefore usually required for scalability, so that a specification can be decomposed into smaller and understandable parts. Parallel composition is based on a structural decomposition of the modelled system into components, and it thus relies on the assumption that components themselves are small and simple enough to be modelled. This assumption is not required for logical composition, in which partial specification models of the same component or system are combined in the manner of logical conjunction. Formally, for a composition to be conjunctive, the behaviour allowed by s 1 ∧ s 2 is the behaviour allowed by both partial specifications s 1 and  2 . Such a composition is important for scalability of modelling, as it allows writing independent partial specifications, sometimes called view modelling [3]. On a fundamental level, specifications can be seen as logical statements about software, and the existence of conjunction on such statements is only natural. Conjunctive operators have been defined in many language-theoretic modelling frameworks, such as for regular expressions [12] and process algebras [5].

Conjunction for Inputs and Outputs
A conjunctive operator ∧ has also been introduced in many automata frameworks for formal verification and testing, such as interface theory [8], ioco theory [3] and the theory of substitutivity refinement [7]. Within these theories, systems are modelled as labelled transition systems [15] or interface automata [1] (IA), and actions are divided into inputs and outputs.
An informal example of some (partial) specification models, as could be expressed in these theories, is shown by the automata in Figure 1, in which inputs are labelled with question marks, and outputs with exclamation marks. The specifications represent a vending machine with two input buttons (?a and ?b), which provides coffee (!c) and tea (!t) as outputs, optionally with milk (!c+m and !t+m). The first model, p, specifies that after pressing button ?a, the machine dispenses coffee. The second model, q, specifies that after pressing button ?b, the machine has a choice between dispensing tea, or tea with milk. The third model, r, is similar, but uses non-determinism to specify that button ?b results in coffee with milk or tea with milk.
The fourth model, p ∧ q ∧ r, states that all former three partial models should hold. Here, we use the definition of ∧ from [3], but the definition from [7] is similar. An input is specified in the combined model if it is specified in any partial model, making both buttons ?a and ?b specified. Additionally, an output is allowed in the combined model if it is allowed by all partial models, meaning that after button ?b, only tea with milk is allowed.

Conjunctions of states
This form of conjunctive composition acts as an operator on entire models. However, a partial specification could also describe the expected behaviour of a particular state of the system, other than the initial state. For example, suppose that the input ?on turns the vending machine on, after which the machine should behave as specified by p, q and r from Figure 1. This, by itself, is also a specification, illustrated by s in Figure 2. However, the formal meaning of this model is unclear: transitions connect states, whereas p ∧ q ∧ r is not a state but an entire automaton. A less trivial case is partial specification t, also in Figure 2: after obtaining any drink by input ?take, we should move to a state where we can obtain a drink as described by specifications p, q, r and t. Thus, we combine conjunctions with a form of recursion. This cannot easily be formalized using ∧ as an operator on automata, like in [3,7,8]. Defining conjunction as a composition on individual states would provide a formal basis for these informal examples. Conjunctions of states are a main ingredient of alternating automata [6], in which conjunctions and non-determinism alternate. Here, non-determism acts as logical disjunction, dually to conjunction. Because of this duality, both conjunction and disjunction are treated analogously: both are encoded in the transition relation of the automaton. This contrasts the approach of defining conjunction directly on IAs, where non-determinism is encoded in the transition relation of the IA, whereas conjunction is added as an operator on IAs, leaving the duality between the two unexploited. In fact, the conjunction-operator in [3] even requires that any non-determinism in its operands is removed first, by performing an exponential determinization step. For example, model r in Figure 1 is nondeterministic, and must be determinized to the form of model q before p ∧ q ∧ r is computed. This indicates that it is hard to combine conjunction and nondeterminism in an elegant way, without understanding their interaction.
Despite their inherent support for conjunction, alternating automata are not entirely suitable for modeling the behaviour of software systems, since they lack the distinction between inputs and outputs. In this respect, alternating automata are similar to deterministic finite automata (DFAs). Distinguishing inputs and outputs in an IA allows modelling of software systems in a less abstract way than with the homogeneous alphabet of actions of DFAs and alternating automata.

Contributions
We combine concepts from the worlds of interface theory and alternating automata, leading to Alternating Interface Automata (AIAs), and show how these can be used in the setting of a trace semantics for observable inputs and outputs. We provide a solid formal basis of AIAs, by combining alternation with inputs and outputs (Section 3.1), defining a trace semantics for AIAs (Section 3.2), by lifting the input-failure refinement semantics for non-deterministic interface automata [11] to AIAs, providing insight into the semantics of an AIA, by defining a determinization operator (Section 3.3) and a transformation between IAs and AIAs (Section 3.4), and defining testers (Section 4), which represent practical testing scenarios for establishing input-failure refinement between a black-box implementation IA and a specification AIA, analogously to ioco test case generation [15].
The definition of input-failure refinement [11] is based upon the observation that, for a non-deterministically reached set of states Q, the observable outputs of that set are the union of the outputs of the individual states in Q, whereas the specified inputs for Q are the intersection of the inputs specified in individual states in Q. For conjunction, we invert this: outputs allowed by a conjunction of states are captured by the intersection, whereas specified inputs are captured by the union. In this way, our AIAs seamlessly combine the duality between conjunction and non-determinism with the duality between inputs and outputs.
Proofs can be found in the extended technical report [10].

Preliminaries
We first recall the definition of interface automata [1] and input-failure refinement [11]. The original definition of IAs [1] allows at most one initial state, but we generalize this to sets of states. Moreover, [1] supports internal actions, which we do not need. Transitions are commonly encoded by a relation, whereas we use a function. In examples, we represent IAs graphically as in Figure 1. For the remainder of this paper, we assume fixed input and output alphabets I and O for IAs, with L = I ∪ O. For (sets of) sequences of actions, * denotes the Kleene star, and denotes the empty sequence. We define auxiliary notation in the style of [15]. Definition 2. Let s ∈ IA, Q ⊆ Q s , q, q ∈ Q s , ∈ L and σ ∈ L * . We define We omit the subscript for interface automaton s when clear from the context. We use IAs to represent black-box systems, which can produce outputs, and consume or refuse inputs from the environment. This entails a notion of observable behaviour, which we define in terms of input-failure traces [11].
Definition 3. For any input action a, we denote the input-failure of a as a. Likewise, for any set of inputs A, we define A = {a | a ∈ A}. The domain of input-failure traces is defined as FT I,O = L * ∪ L * · I. For s ∈ IA, we define Ftraces(s) = traces(s) ∪ {σa | σ ∈ L * , a ∈ I, a ∈ in(s after σ)} Thus, a trace σa indicates that σ leads to a state where a is not accepted, e.g. a greyed-out button which cannot be clicked.
Any such set of input-failure traces is prefix-closed. Input-failure traces are the basis of input-failure refinement, which we will now explain briefly. This refinement relation was introduced in [11] to bridge the gap between alternating refinements [1,2] and ioco theory [15]. Similarly to normal trace inclusion, the idea is that an implementation may only show a trace if a specification also shows this trace. Moreover, the most permissive treatment of an input is to fail it, so if a specification allows an input failure, then it also must allow acceptance of that input, as expressed by the input-failure closure.
for all σ ∈ L * , a ∈ I and ρ ∈ FT I,O , σa ∈ S =⇒ σaρ ∈ S. The inputfailure closure of S is the smallest input-failure closed superset of S, that is, Input-failure refinement and input-failure equivalence on IAs are respectively defined as The input-failure closure of the Ftraces serves as a canonical representation of the behaviour of an IA. That is, two models are input-failure equivalent if and only if the closure of their input-failure traces is the same, as stated in Proposition 5.
. Formally, it is thus a preorder, making it suitable for stepwise refinement.

Alternating Interface Automata
Real software systems are always in a single state, but the precise state of a system cannot always be derived from an observed trace. Due to non-determinism, a trace may lead to multiple states. In IAs, this is modelled as a set of states, such as the set of initial states, the set T (q, ) for state q and action , and the set s after σ for IA s and trace σ. The domain of such non-deterministic views on an IA with states Q is thus the powerset of states, P(Q). In set of states Q, traces from any individual state in Q may be observed.

Alternation
Alternation generalizes this view on automata: a system may not only be nondeterministically in multiple states, but also conjunctively. When conjunctively in multiple states, only traces which are in all these states may be observed. Alternation is formalized by exchanging the domain P(Q) for the domain D(Q). Formally, D(Q) is the free distributive lattice, which exist for any set Q [14].
where equivalence of terms is completely defined by the following axioms: [Distributivity] In short, (D(Q), ∨, ∧, ⊥, ) forms a distributive lattice. Expression q is named the embedding of q in D(Q), and operators ∨ and ∧ are named disjunction and conjunction, respectively. For the remainder of this paper, we make no distinction between expressions and their equivalence classes.
For finite n, we introduce the shorthand n-ary operators and , as follows: We distinguish the embedding q ∈ D(Q) from q itself. We require this distinction only in Definition 18, where we will point this out. Otherwise, we do not need this distinction, so we write q instead of q .
Intuitively, disjunction q 1 ∨q 2 replaces the non-deterministic set {q 1 , q 2 }. This is formalized by extending IAs with alternation.

Configurations
and ⊥ are analogous to the empty set of states in an IA s: if T s (q, ) = ∅, this means that state q does not have a transition for . In terms of input-failure refinement, not having a transition for an input means that the input is underspecified, whereas not having a transition for an output means that the output is forbidden. This distinction is made explicit in AIA by using to represent underspecification and ⊥ to represent forbidden behaviour. We will formalize this in Section 3.2. Definition 7 also allows output transitions to , meaning that the behaviour is unspecified after that output. Automata models which do not allow distinct configurations and ⊥ commonly represent such underspecified behaviour with an explicit chaotic state [3,4] instead.
We graphically represent AIAs in a similar way as IAs, with some additional rules. A transition T (q 0 , ) = q 1 is represented by a single arrow from q 0 to q 1 .
We represent T (q 0 , ) = q 1 ∨ q 2 by two arrows q 0 − → q 1 and q 0 − → q 2 , analogous to non-determinism in IAs. Conjunction T (q 0 , ) = q 1 ∧ q 2 is shown by adding an arc between the arrows. Nested expressions are represented by successive splits, as shown in Example 8. A state q without outgoing arrow for an output ∈ O represents T (q, ) = ⊥, and a state without input transitions for input indicates T (q, ) = . For ∈ O, a transitions T (q, ) = is shown with an arrow to , denoting underspecification, but note that is a configuration, not a state.
Example 8. Figure 3 shows Moreover, AIA s B combines the partial specifications from Section 1. Before defining trace semantics for AIAs, we extend the transition function from single actions to sequences of actions, by defining an after-function on AIAs. This function transforms configurations by substituting every state according to the transition function, similarly to the approach for alternating automata in [6]. Like before, we omit the subscript if clear from the context. We also define (s after σ) = e 0 s after s σ.
Example 11. Consider s B in Figure 3. We evaluate s B after ?on ?b !t, as follows: Intuitively, this means that giving a tea without milk after ?on ?b is forbidden.
In contrast, tea with milk is allowed, and leads to configuration q 10 B :

Input-Failure Semantics for AIAs
IAs are equipped with input-failure semantics, based on the traces and underspecified inputs of the IA. We lift this to AIAs via the after-function, using that ⊥ indicates forbidden behaviour, and indicates underspecified behaviour. Compare Definition 4 and Definition 12 for input-failure refinement for IAs and for AIAs. For AIAs, refinement is defined directly over their Ftraces, whereas for IA, the input-failure closure of the Ftraces is used for the right-hand model (and optionally for the left-hand model, according to Proposition 5). In this regard, AIAs are a more direct and natural representation of input-failure traces, since the input-failure closure is not needed.
Another motivation to represent input-failure traces with AIAs is the connection between the distributive lattice D(Q) and the lattice of sets of input-failure traces: ∧ and ∨ are connected to intersection and union of input-failure traces, respectively, and and ⊥ represent the largest and smallest possible input-failure trace sets. does not allow transitions to T (q, a) = ⊥ for an input a: in that case, Ftraces(q) would contain trace , but it would not contain extension a nor a of , meaning that after trace it is not allowed to accept nor to refuse a.
We can lift configurations and ⊥, as well as ∧ and ∨, to the level of AIAs. This provides the building blocks to compose specifications. Specifications s and s ⊥ can be used to specify that any or no behaviour is considered correct, respectively. The operators ∧ and ∨ on specifications fulfill the same role as existing operators in substitutivity refinement [7], and have similar properties, described in Proposition 14.

AIA Determinization
In case of nestings of ∧ and ∨, the after-set s after σ may not be clear immediately, so a transition function producing configurations without ∧ and ∨ is easier to interpret. For this reason, we lift the notions of determinism and determinization from IAs [11] to the alternating setting.
Definition 17. Let s ∈ AIA and e ∈ D(Q s ). Then e is deterministic if e = or e = ⊥ or e = q for some q ∈ Q s . Furthermore, s is deterministic if for all σ ∈ L * , configuration s after σ is deterministic.
Compare the notions of determinism for IAs and AIAs. For every trace σ, a deterministic IA s is in a singleton state (s after σ) = {q}, unless (s after σ) = ∅ (that is, σ is not a trace of s). For AIAs, this singleton set {q} is replaced by the embedding q , and ∅ is replaced by or ⊥, depending on whether this set was reached by an undespecified action or a forbidden action.
We now define determinization, where we require the distinction between q and q to avoid ambiguity. Example 20. Figure 4 shows (the reachable part of) the determinizations of s A and s B from Figure 3. In det(s A ), state q 0 A ∧ q 2 A has no outgoing !x-transition.
Example 20 shows that an input is specified by a conjunction of states in the determinization if any of the individual state specify this input, whereas an output is allowed by a conjunction of states only if all of the individual state allow this output. In the setting of IA, [11] already established that this works in a reversed way for non-determinism, following their definition of determinization: all individual states of a disjunction should specify an input to specify it in the determinization, and any individual state should allow an output to allow it in the determinization. Their so-called input-universal determinization is an instance of the determinization from Definition 18, using only disjunctions. This duality arises from Definition 10 of after, since the determinization directly represents the after-function: the determinizations in Example 20 correspond to the after-sets such as those derived in Example 11. This correspondence is formalized in Proposition 21.
Proposition 21. Let s ∈ AIA and σ ∈ L * . Then A known result [6] is that alternating automata are exponentially more succinct than non-deterministic automata, and double exponentially more succinct than deterministic automata. Although alternating automata are not a special case of AIAs (as AIAs lack the accepting and non-accepting states of alternating automata), we expect AIAs to be exponentially more succinct than IAs, as well.

Connections between IAs and AIAs
IAs and AIAs are used to represent sets of input-failure traces, and are in that sense interchangeable. First, we show that any IA can be translated to an AIA. Definition 29 formalizes how disjunction in an AIA corresponds to nondeterminism in IA. Specifically, if no transitions are present for some output in an IA, then the transition function of the corresponding AIA gives ∅ = ⊥ for this output, analogous to the explicit case for inputs. Note that the graphical representation of an IA and that of its induced AIA are the same.
The translation from AIAs to IAs is more involved. For disjunctions of states (q after ) = q 1 ∨ q 2 , the translation of Definition 24 can simply be inverted, but this is not possible for conjunctions. As such, we represent any configuration by its unique disjunctive normal form.
Definition 27. Let e ∈ D(Q). Then DNF(e) is the smallest set in P(P(Q)) such that e = { Q | Q ∈ DNF(e)}.
The set DNF(e) can be constructed by using the axioms from Definition 6.

Testing Input-Failure Refinement
So far, we have introduced refinement as a way of specifying correctness of one model with respect to another. Often, a specification is indeed a model, but we use it to ensure correctness of a real-world software implementation. To this end, we assume that this implementation behaves like a IA. We cannot see the actual states and transitions of this IA, but we can provide inputs to it and observe its outputs. We assume that this IA must have an initial state, i.e. it is non-empty.
In this section, we introduce a basis for model-based testing with AIAs, analogously to ioco test case generation [15]. Given a specification AIA, we derive a testing experiment on non-empty implementation IAs, in order to observe whether input-failure refinement holds with respect to the specification. This requires an extension of input-failure refinement to these domains.

Testers for AIA Specifications
From a given specification AIA, we derive a tester. We model this tester as an IA as well, which can communicate with an implementation IA through a form of parallel composition. The tester eventually concludes a verdict, indicating whether the observed behaviour is allowed. To communicate, the inputs of the implementation must be outputs for the tester, and vice versa (note that I and O denote the inputs and outputs for the implementation, respectively). The tester should not block or ignore outputs from the implementation, meaning that the tester should be input-enabled. If the tester intends to supply an input to the implementation, it should also be prepared for a refusal of that input. A verdict is given by means of special states pass or fail. Lastly, to give consistent verdicts, a tester should be deterministic. This leads to the following definition of testers.
Definition 34. A tester for (an IA or AIA with) inputs I and outputs O is a deterministic, input-enabled IA t = (Q t , O, I ∪ I, T, q 0 t ) with pass, fail ∈ Q t , such that pass and fail are sink-states with out(pass) = out(fail) = ∅, and a ∈ out(q) ⇐⇒ a ∈ out(q) for all q ∈ Q t and a ∈ I.
Testing is performed by a special form of parallel composition of a tester and an implementation. If the tester chooses to perform an input while the implementation also chooses to produce an output, this results in a race condition. In such a case, both the input or the output can occur during test execution. We assume a synchronous setting, in which the implementation and specification agree on the order in which observed actions are performed (in contrast to e.g. a queue-based setting [13], in which all possible orders are accounted for). These assumptions are in line with the assumptions in e.g. ioco-theory [15], and lead to the following definition of test execution.
Definition 35. Let i ∈ IA be non-empty, and let t be a tester for i. We write We say that i fails t if q 0 t | q 0 i σ − → fail | q i for some σ and q i , and i passes t otherwise.
We reuse the notions of soundness and exhaustiveness from [15], to express whether a tester properly tests for a given specification.
Definition 36. Let s ∈ AIA and let t be a tester for s. Then t is sound for s if for all i ∈ IA with inputs I and outputs O, i fails t implies i ≤ if s. Moreover, t is exhaustive for s if for all i ∈ IA, i passes t implies i ≤ if s.
A simple attempt to translate specification AIA s to a sound and exhaustive tester would be similar to the determinization of s, but replacing every occurence of ⊥ and by fail and pass, respectively. However, this tester is quite inefficient. If a tester reaches pass after both σa and σa, then this input a does not need to be tested after σ. Specifically, this is the case if and only if trace σa leads to specification configuration . We thus improve the tester for a given specifications as follows.  Figure 3 is shown in Figure 5. for all q t ∈ Q t , | out(q t )| ≤ 1, and there are no infinite sequences q 0 t , q 1 t , . . . for q 0 t , q 1 t , . . . ∈ Q t \ {pass, fail} such that q 0 The test case generation algorithm of [15] is non-deterministic, since it must choose at most one inputs in every state, and it must choose when to stop testing. We avoid defining a separate test case generation algorithm, and instead use Theorem 39 to obtain sound test cases. If specification s 1 is weakened to s 2 , such that tester(s 2 ) is a test case, then soundness of tester(s 2 ) for s 1 is guaranteed by the theorem. Such a weakened singular specification s 2 describes a finite, tree-shaped part of the original specification s 1 .
It can be created from s 1 similarly to test case generation in [15]. In every state σ of the tree s 1 , we either decide to pick one input specified in s 1 and also specify that in s 2 ; or we do not specify any input, but only outputs; or we leave any successive behaviour unspecified ( ).
Test cases based on singular specifications are inherently sound, and for any incorrect implementation, it is possible to find a singular specification which induces a test case to detects this incorrectness.
Theorem 42. If s 2 is a singular specification for s 1 , then tester(s 2 ) is a sound test case for s 1 .
Theorem 43. Let i ∈ IA and s 1 ∈ AIA. If i ≤ if s 1 , then there is a singular specification s 2 for s 1 such that i fails tester(s 2 ).
Example 44. Specification s B in Figure 3 can be weakened to singular specification s C shown in Figure 6. Indeed, s B ≤ if s C holds, which can be established by comparing s C with det(s B ) in Figure 4. Therefore tester(s C ) is a sound test case for s B .

Conclusion and Future Work
Alternating interface automata serve as a natural and direct representation for sets of input-failure traces, and therefore also for refinement of systems with inputs, outputs, non-determinism and conjunction. We have used the observational nature of input-failure traces to define testers, describing an experiment to observationally establish refinement of a black-box system.  6. A weakened version sC of the vending machine, and the test case tester(sC ). Question and exclamation marks are interchanged in tester(sC ) to indicate that the input and output alphabets have been interchanged with respect to sC .
The disjunction and conjunction of alternation brings interface automata specifications closer to the realm of logic and lattice theory. On the theoretical side, a possible direction is to extend configurations from distributive lattices to a full logic. On the practical side, classical testing techniques acting on logical expressions, such as combinatorial testing, could be translated to our black-box configurations of states.
Possible criticism on our running example of a vending machine s B in Figure 3 may be that its representation as an AIA is not concise, since the determinization det(s B ) is much smaller and more understandable than s B itself. This is because the individual specifications offer a choice between outputs, such as tea with or without milk, whereas the intersection of all choices is singleton. A more natural encoding for this example is to express the types of drink with data data parameters, and the restrictions on them by logical constraints. This requires an automaton model in style of symbolic transition systems [9], which could be enriched with the concepts of alternation of AIAs.
Interface automata typically contain internal transitions, and the interaction between internal behaviour and alternation is not immediately clear. A possible approach to extend AIAs with internal behaviour is to lift the -closure of [1], the set of states reachable via internal transitions, to the level of configurations.