Interface Automata for Shared Memory

Interface theories based on Interface Automata (IA) are formalisms for the component-based specification of concurrent systems. Extensions of their basic synchronization mechanism permit the modelling of data, but are studied in more complex settings involving modal transition systems or do not abstract from internal computation. In this article, we show how de Alfaro and Henzinger’s original IA theory can be conservatively extended by shared memory data, without sacrificing simplicity or imposing restrictions. Our extension IA for shared Memory (IAM) decorates transitions with pre- and post-conditions over algebraic expressions on shared variables, which are taken into account by IA’s notion of component compatibility. Simplicity is preserved as IAM can be embedded into IA and, thus, accurately lifts IA’s compatibility concept to shared memory. We also provide a ground semantics for IAM that demonstrates that our abstract handling of data within IA’s open systems view is faithful to the standard treatment of data in closed systems.


Introduction
Behavioural types [4,17] play an increasingly important role when developing and verifying software systems. For object-oriented software, behavioural types are specified as contracts [25], annotating methods and classes with pre-and post-conditions and invariants, respectively. For distributed software, session types are employed [10,19] to specify permitted and prohibited interactions. For concurrent software, component compatibility has been studied by interface theories, such as de Alfaro and Henzinger's Interface Automata (IA) [12,13]. Although IA is a well-studied theory, it does not directly reflect modern IT architectures that rely on networked, distributed clusters of multi-core/-processor computers. In these architec-tures, communication between clusters is via message passing, and communication within a cluster is typically via shared variables. Holik et al. have studied the IA paradigm for message passing in [18], but the treatment of shared variables in the context of IA has so far been unsatisfactory.
This article is addressed to concurrency theoreticians and studies an IA-based setting where data are communicated via shared memory while activities, or operations, are triggered by synchronizing actions. In this introduction, we first summarize IA and related works on extensions of IA with data, both of which is elaborated in Sects. 2 and 3, respectively. This allows us to spell out our contributions and advances over the state-of-the-art in interface theories.
Background Interface Automata (IA) [12,13] model system components as labelled transition systems that distinguish a component's input and output actions. Parallel component composition assumes that a component may wait on inputs but never on outputs, implying that a component's output must be consumed immediately, or a communication error occurs. In case no system environment may restrict the components' behaviour so that all errors are avoided, the components are deemed to be incompatible.
To support refinement during software development, IA is equipped with a branching-time behavioural preorder called alternating simulation; it allows one to substitute an abstract component by a concrete one, provided the concrete component offers no fewer inputs and no more outputs than the abstract one. As this implies that outputs cannot be enforced in IA, researchers have frequently based IA-inspired interface theories on the more expressive Modal Transition Systems (MTS) and modal refinement [3,5,15,22,29]. As an aside, a lineartime semantics respecting communication errors as in IA was proposed by Dill [14] and more recently adapted for variations of IA in [6,8].
To enable the modelling of richer classes of concurrent systems and software, IA has been extended in various ways to capture data in addition to control [1,2,9,11,18,27]. Except for [18], these works focus on shared memory. The work of Mouelhi et al. [9,27] is closest to ours and adopts a paradigm well-known from structured programming. It considers an output of one IA to trigger an operation in another IA. The guaranteed data state resulting upon executing the operation on the input side is expected to meet the trigger's assumption; otherwise, an error occurs. While Mouelhi et al. stick to the IA-setting and express assumptions and guarantees on data states by decorating actions with pre-and post-conditions, respectively, none of the essential results that we treat in Sects. 3-7 are shown.
For an interface theory built upon the more expressive MTS setting, Bauer et al. [1,2] also introduce data via pre-and post-conditions with the idea of operation calls. But counter to the optimistic view on component compatibility adopted by IA, they restrict themselves to a pessimistic view, whereby components are already deemed to be incompatible if there exists a system environment that causes a communication error. De Alfaro et al.'s Sociable Interfaces [11] employs scoping and non-interference conditions to ensure that interfaces can participate in sophisticated n-to-n communication schemes on global variables. The semantics of sociable interfaces is not directly based on a behavioural preorder but uses a related phrasing in terms of game semantics. This semantics, however, does not abstract from internal computation, which is also a limitation for [1,2].
Contributions This article demonstrates that IA permits a simple and faithful extension where data are communicated via shared memory while activities are triggered by synchronizing actions. To do so, we develop Interface Automata for Shared Memory (IAM) which, similarly to [1,2,9,27], specify operation calls via pre-and post-conditions attached to transitions (see Sect. 3).

The IA setting
We start off with a brief technical introduction to the classical setting of Interface Automata (IA) by de Alfaro and Henzinger [13]. This makes it easier to understand our extension with data, and the concepts and results for IA are technically needed in Sects. 6 and 7 for our shared-memory extension IAM. An interface automaton specifies a system component as a labelled transition system over some input and output alphabets I and O, respectively. − → p for some p ∈ P and a? ∈ I .
We use a, a?, a!, α, α? and α! as representatives of the sets A, I , O, A∪{τ }, I ∪{τ } and O ∪ {τ } and simply write P for an IA (P, I , O, − →, p 0 ), and similarly for IAM below. According to the above definition, a transition is labelled either with an input action a?, an output action a! or the internal action τ . Here, ? and ! are just comments showing whether an action is an input or an output. The actual name of the action is a; thus, two components of a parallel composition can share an action a, which then necessarily is an input of one and an output of the other component (see below). The two IAs synchronize on such actions a, resulting in internal τ -transitions; the IAs interleave on all other actions. In general, an a?-labelled transition shows that the component is willing to synchronize on a. In contrast, an action a! (like τ ) is locally controlled (or local for short) and can always be performed disregarding the environment. Thus, a! initiates a synchronization, and this requires an environment with input a? to be ready to receive a with a corresponding transition. As an aside note that, in [13], there can be several internal actions and the refinement does not allow one to rename these. We avoid this issue by having a single internal action τ only. − → Q q for some a.
Note that we often drop the index from a transition relation whenever it is clear from the context.
If IA P outputs an action shared with IA Q at a state p but Q cannot receive it in its current state q, a communication error occurs in state p, q . The parallel composition prunes all illegal states, i.e. all error states p, q as well as those states from which an error state can be reached autonomously via local transitions; these are the states where the environment can no longer prevent the composition of P and Q from entering an error state. This consideration of errors makes the IA interface theory suitable for reasoning about component compatibility and provides a means of error-awareness.
Interface Automata apply an open systems view with optimistic compatibility, assuming that a composed system runs in a so-called helpful environment. Such an environment obeys the operation guideline as given by the parallel composition P Q (see below) and avoids communication mismatches by controlling the composed component's input actions. Other theories such as [1,3] take a pessimistic view, where no assumptions about the environment are made: any occurrence of a reachable error state leads to an incompatibility of the components. Definition 3 (Parallel Composition) Given a parallel product P ⊗ Q of IAs P and Q, a state p, q is an error state if there is some a ∈ A P ∩ A Q s.t. - The set E ⊆ P × Q of illegal states is the least set containing all error states and those states p, q for which there is a transition p, q The parallel composition P Q is then computed by pruning the illegal states, i.e. by removing all states in E and their incoming and outgoing transitions. If p, q ∈ P Q, then states p and q are compatible, written p q; one also says that p q is defined. Furthermore, P and Q are compatible if their initial states are compatible; otherwise, P Q is undefined.

Proposition 4 (Associativity & Commutativity)
If P, Q and R are pairwise composable IAs, then (P Q) R and P (R Q) are either both undefined or (P Q) R and P (R Q) are isomorphic. Analogously, is commutative.
IA supports the compositional refinement of systems via a notion of alternating simulation: P refines Q if the input-transitions of Q can be simulated by P and, vice versa, the outputtransitions of P can be simulated by Q. By simply following this pattern, new communication errors cannot be introduced during refinement. The pattern prevents the removal of specified inputs needed to synchronize with outputs of an environment as well as the addition of unspecified outputs, which would create new needs of synchronization. A weak transition ε ⇒ stands for a finite and possibly empty sequence of τ -transitions.
Definition 5 (Alternating Simulation) For IAs P, Q with the same signature, a relation R ⊆ P × Q is an alternating simulation if the following conditions hold for all pRq and actions a: We write P IA Q to say that P IA-refines Q, if there exists an alternating simulation R s.t. p 0 Rq 0 . Further, P is IA-equivalent to Q if P and Q IA-refine each other.
Intuitively, a state p refines q if it matches all inputs of q and, conversely, if q matches all outputs of p. Note that p may have additional inputs in which q cannot engage and which may be followed by arbitrary behaviour afterwards. It is not hard to show that the IA-refinement IA is a preorder and, as motivated above, a pre-congruence for parallel composition. It is also easy to see that, for the latter result, an input of q must immediately be matched by p, i.e. without preceding τ s; neither trailing τ s are allowed. Theorem 6 (Compositionality of IA) Let P, Q, R be IAs and P IA Q. Further assume that Q and R are composable. We have: (i) P and R are composable; (ii) P R is defined if Q R is, and then P R IA Q R.
We illustrate the concepts of IA with a simple vending machine example that consists of two components, the machine-offering coffee and tea-and the customer (see Figs. 1, 2).
The machine M waits for the customer C to select coffee or tea (inputs selC? and selT?). In the case of coffee, the machine accepts a positive number of coins (transitions labelled coin?), while tea is free of charge. Eventually, coffee or resp. tea is released (outputs relC! and relT!). If the customer approaches the vicinity of the machine and is thirsty for coffee or tea (inputs atVM C ? and atVM T ?), she or he presses the appropriate selection button (outputs selC! and selT!) and makes a selfie of her or him at the machine afterwards (output selfie!). In case of tea, a British customer would also accept the drink without taking the selfie. She or he then inserts some coins (output coin!) and waits for the drink to be dispensed (inputs relC? and relT?).
For the parallel composition of M and C, one determines the product shown in Fig. 3. Here, m 3 , c 6 is an error state, because m 3 does not accept the coin offered in c 6 . Therefore, also states m 3 , c 5 and m 0 , c 4 are illegal, because they can locally reach m 3 , c 6 . Thus, M C is M ⊗ C without the tea vending cycle in the right half of the figure.
An IA-refinement C of C that accommodates the taste of Italian customers is shown in Fig. 4. Customer C has an additional input relC? at state c 2 , because he or she would also accept coffee earlier. Moreover, C has learned from M, seen as an 'operating guideline,' not to pay for tea. The product M ⊗ C is the same as M ⊗ C except that m 3 , c 6 is no longer an error state. Hence, M C = M ⊗ C . Note that the additional input at c 2 has no effect on the composition.

The IAM setting
To capture shared memory in IA, our extension IAM additionally labels transitions by pre-and post-conditions, similar to [1,2,9,27]. These allow us to abstractly specify and reason about manipulations of global variables without modelling data states explicitly, i.e. as functions from variables to values. Formally, the shared memory is represented by a set V of variables, ranged over by x, y, etc., and all IAMs, as defined below, have the same set V of variables. Pre-conditions are predicates over V , i.e. first-order formulas with interpreted function and predicate symbols. Besides the propositional operators ¬, ∨, ∧ and − →, we employ the usual arithmetic operators and predicate symbols such as <, = and ≥. The universe of our predicates is denoted by Pred(V ), with representatives ϕ, ϕ, ϕ 1 , etc. In order to represent also post-values of variables, we introduce the set V of fresh primed variables x for each x ∈ V . While x represents the value of x before executing the respective transition, the value after is referenced by x . We write ϕ for ϕ where each x is replaced by x . Post-conditions are ranged over by ψ, ψ 1 , etc. and taken from the set Pred(V , V ) of predicates over V ∪ V .
A data state over V , often represented by σ or σ , is a valuation σ : V → D over a fixed, possibly infinite domain D of values. The set of all these data states is denoted by V . To take a transition, now also its pre-condition ϕ must be satisfied by the current data state σ , and we write σ | ϕ in this case; further, we define ϕ = df {σ ∈ V | σ | ϕ}, and similarly for predicates over V . The post-condition ψ must be satisfied by σ together with the new data state σ applied to the primed variables, and we write σ, σ | ψ. Here, σ : V → D is a valuation like σ : because the post-condition refers to the next state with primed variables, Intuitively, a pre-condition acts as a guard for a transition. An output-transition labelled (ϕ, a!, ψ) specifies that it is only executable when the system's data state satisfies precondition ϕ and expects that the system environment, upon synchronizing on a, leaves the system in a data state such that post-condition ψ is satisfied. Similarly, an input-transition labelled (ϕ, a?, ψ) is executable in data states satisfying ϕ and guarantees that it implicitly manipulates variables only in ways such that the post-condition ψ is satisfied. This corresponds to an operation call: the caller performs an output-transition; this requires the callee to execute a respective input-transition in each data state satisfying ϕ, or otherwise a communication mismatch arises; the callee modifies the memory according to the post-condition of the input-transition and requires the caller to accept this. A violation of the caller's assumption gives rise to a (data-)error in the parallel composition (see Sect. 4). These mutual requirements are very different from the one-way requirement in an IA; thus, it is quite surprising that we can nevertheless embed IAM into IA below (see Sect. 6).
Interface Automata for Shared Memory We can now formally define the notion of IAM: For a transition ( p, ϕ, α, ψ, p ) ∈ − →, written p −(ϕ, α, ψ)→ p for simplicity, its precondition ϕ must be satisfiable, i.e. ϕ = ∅ and denoted by ϕ sat. There is a stricter requirement for the post-condition: if one assigns values to the unprimed variables in ψ according to some data state σ satisfying ϕ, the resulting predicate ψ(σ ) must be satisfiable. 1 This requirement can also be written as ϕ ⇒ ∃X . ψ, where ∃X existentially quantifies over all primed variables in ψ and symbol ⇒ denotes logical entailment.
In figures, pre-and post-conditions are set in square brackets. Note that the above definition coincides with the one of IA [13] in case only the tautology true, written tt, is allowed as pre-and post-condition. In particular, the normally finer notion of data-determinism is then the same as input-determinism, which is needed to achieve compositionality for parallel composition (see Theorem 6). Data-determinism is needed in our approach for the respective result (see Corollary 18). Figure 5 shows two simple IAMs P and Q, where P can call operation a (output action a!) in initial state p 0 , provided that variable x has value −1 (pre-condition x = −1). IAM P assumes that operation a adjusts the value of x to a positive one (post-condition x > 0), and transitions to state p 1 . Alternatively, if x is non-negative (pre-condition x ≥ 0), P can serve a call to operation b in p 0 (input action b?), guarantees that the value of x remains unchanged (post-condition x = x), and transitions to state p 2 . Similarly, IAM Q offers to execute operation a in state q 0 (input action a?), provided that x has a non-zero value (pre-condition x = 0), and transitions to state q 1 while guaranteeing that the value of x is set to 1 (post-condition x = 1). The resulting synchronization on action a in the parallel composition of P and Q can only take place if x = −1 and then updates the value of x to 1. The post-condition of Q's transition always meets the assumption of P's transition due to x = 1 ⇒ x > 0. Parallel composition for IAM is fully introduced and discussed in Sect. 4.

Alternating simulation
We now adapt alternating simulation from IA to IAM. First observe that a single IAM transition may represent many transitions when explicitly considering the underlying data state. This implies that the behaviour of a transition in one IAM might need to be matched by multiple transitions in another IAM, i.e. by a family-an indexed collectionof transitions. For example, the behaviour of a transition labelled with pre-condition x ≥ 0 may only be covered in the other IAM by two transitions with pre-conditions x = 0 and x > 0, respectively, where the former transition matches the behaviour for data states in which x has value 0 and the latter in which x has a strictly positive value. Employing such families makes our approach more flexible and sophisticated than the one in [9,27]. In the following, families of transitions are indexed over some implicit index set with representative i. Such a family could even be infinite, e.g. when encoding local data states with infinite domains; the meaning of ϕ ⇒ i ϕ i is clear also in such a case.
A weak transition ε ⇒ stands for a finite and possibly empty sequence of τ -transitions labelled with arbitrary satisfiable pre-and post-conditions. This is because an environment component can always change a data state satisfying a post-condition to a data state satisfying the next pre-condition. This also explains why pre-and post-conditions are simply ignored in Item (iii) of the following definition.
Definition 8 (Alternating Simulation) For IAMs P and Q with the same signature, R ⊆ P × Q is an alternating simulation if the following conditions hold for all pRq and ϕ, a, ψ: (iii) p −(ϕ, τ, ψ)→ p implies that there exists a q with q ε ⇒ q and p Rq .
We write P IAM Q and say that P IAM-refines Q, if there exists an alternating simulation R such that p 0 Rq 0 . Further, P is IAM-equivalent to Q if P and Q IAM-refine each other. Note that "for all As for alternating simulation in IA and motivated in Sect. 2, inputs must be matched immediately for IAM, i.e. leading and trailing τ s are not allowed. Additionally, Cond. (i) shows that pre-conditions are weakened while post-conditions are strengthened. The weakening of a pre-condition keeps in line with IA in that refinement may introduce additional inputs. The strengthening in the post-conditions ensures that refinement does not loosen guarantees, i.e. strengthening prevents the refined system from generating more data states than specified. Note that, as Cond. (i) covers input actions, the pre-conditions ϕ i are pairwise disjoint due to data-determinism.
Outputs are matched the other way around, as specified in Cond. (ii), which is analogous to Cond. (i) except that, as in IA , leading τ s are permitted when matching output-transitions. The matching runs show that the same output can occur in the specification, at least in an environment causing the appropriate changes of data states; this time, the post-condition of the specification is stricter because it is a requirement. Cond. (iii) has been explained above.
Despite the fact that IA does not consider families when matching transitions, our alternating simulation IAM for IAM coincides with IA when considering only IAMs where all pre-and post-conditions are equivalent to tt. For such IAMs, it does not matter with which family member a transition is matched, any one family member would do.
An example illustrating alternating refinement is depicted in Fig. 6, where IAMs P, Q, R are defined over shared variable sets V = {x} and V = {x } with domain R such For output-transitions, leading τ s are allowed when refining. Transition Note that R has overlapping pre-conditions in r 1 ; unlike for inputs, datadeterminism is not required for local actions in IAM.

Theorem 9 (Preorder) IAM is a preorder.
Proof Reflexivity immediately follows from the fact that the identity relation is an alternating simulation. For transitivity, we let P IAM Q and Q IAM R due to R 1 and R 2 , respectively. We show that R = df {( p, r ) | ∃q ∈ Q. pR 1 q and qR 2 r } is an alternating simulation, too, implying P IAM R. Obviously, p 0 Rr 0 . Let pRr due to q with pR 1 q and qR 2 r , and distinguish Cases (i)-(iii) according to Definition 8. Because Cases (i) and (iii) are easier than Case (ii), we focus on the latter only. A transition p −(ϕ, a!, ψ)→ p implies the existence of a family For every q i , we provide a state r i for which r ε ⇒ r i and q i R 2 r i . Consider the given sequence Note that the decidability of alternating simulation for finite-state IAMs depends on the logic chosen for expressing pre-and post-conditions. Above we picked first-order logic, for which implication is known to be undecidable. We leave the question as to which logic is most suitable for future work.
Related work We close this section by discussing the differences of our IAM setting to the most closely related work, namely the publications of Mouelhi et al. [27], Bauer et al. [2] (which extends [1]) and de Alfaro et al. [11]: Mouelhi et al. The paper [27] has served as our original motivation for IAM. We adopted Mouelhi et al.'s symbolic handling of data and their intuition of outputs triggering operations, with the exception that they fix a pre-and post-condition for each action, while we do so for each action instance. This results in larger expressiveness by being able to consider different caller states, as does our addition of primed variables. However, the notion of communication error-due to a missing input or because the pre-or post-conditions of caller and callee do not fit-are the same in IAM as in [27]. The latter should be checked statically for each action a, and in case of a misfit, each state with an a-output directly gives rise to an error. Otherwise, only the presence of input a has to be checked. Additionally, the variation of alternating refinement studied in [27] does not consider transition families when matching and, thus, is unnecessarily limited. Mouelhi et al. also do not prove the precongruence result wrt. parallel composition, and leave important terms such as compatibility open to interpretation.
Moreover, ideas such as extending the set of variables when refining are neither explained nor intuitive; we cannot see how then a pre-condition in the specification could imply one in the refinement. As an aside, note that Mouelhi et al. base their work on an early version of IA [12] and not [13], which uses a variation of alternating simulation but appropriately abstracts from internal actions; in particular, output transitions are matched with weak transitions. Bauer et al. In [2], shared memory is considered for an IA-inspired variation of modal transition systems [21], which increases expressiveness wrt. IA by allowing one to specify outputs that are compulsory and cannot be refined away. Parallel composition is, however, different from IA in that Bauer et al. adopt the pessimistic view of compatibility, as explained in Sect. 1: if a communication error is possible, then parallel composition is undefined. This makes technicalities much easier, e.g. when proving a precongruence result. But it also disregards many meaningful compositions. Therefore, we advocate the optimistic compatibility of IA, where the description of a parallel composition can also be seen as an operating guideline that tells the system environment how to use the components such that errors are avoided.
As in IAM, Bauer et al. use pre-and post-conditions for modelling operation calls and their effect on shared-memory data, and adopt the same notion of communication error. Moreover, the memory available to a component is subdivided in [2] into local variables and external variables. A local variable can be read and written by the component, and it can only be read by another component provided the variable is declared to be visible. An external variable is a local visible variable of another component. Additionally, each operation has a list of parameters with values set by the caller. In case of a synchronization, the operation and the shared variables are internalized but operations keep their names. Hence, such a variable only allows a one-way information flow between only two components; this is not what is usually called shared memory. Moreover, refinement does not abstract from internal computation: each transition, even if is invisible, has to be matched by a single step with the same operation, which is quite restrictive in practice.
A further study of Bauer et al. concerns the comparison of systems via inclusion of their sets of implementations. Such a refinement is often called thorough and shown to be implied by the refinement preorder adopted in [2]. Here, a state of an implementation consists of a control state and a data state for the local variables. This is not unlike our ground semantics (see Sect. 7), but the implementation is still open since the values of external variables are not fixed. Instead, such a valuation is part of each transition label.
In addition, there is no discussion in [2] that one transition can end in some concrete data state for the external variables, while the next transition might be performed from a different data state. Surprisingly, there is also no requirement that pre-and post-conditions must be satisfiable: if a data state σ satisfies some pre-condition but there is no σ satisfying the new data state, then there might be no implementation for such a specification.
De Alfaro et al. Sociable interfaces [11] also employ automata, called modules, but in contrast to IA, de Alfaro et al. allow a module to use the same action both as input and as output, consider a multicast parallel operator, and do not abstract from internal actions for refinement. Each module has local and global variables, where local variables describe the module's state. Further, for each action a, a module has a set W (a) of variables that it can modify, which interestingly might contain none of the local variables; in the latter case, a cannot change the state, which is a bit peculiar. In a parallel composition, W (a) always contains all local variables, and an output a modifies the values of W (a), while the input requires that these are acceptable. Hence, sociable interfaces are not meant to model operation calls.
Sociable interfaces are equipped with a semantics in terms of a two-player game, where one player controls input actions and the other controls output actions. Moreover, the module states are partitioned into the two sets iSet (called ϕ I in [11]) and oSet, with the aim of the input (output) player being that the game does not leave iSet (oSet). In the product of two modules, the good states are defined, in standard terms, as the non-error states. On the basis of the good states, the old iSets and the winning states for input, the iSet of the product is modified and this gives the parallel composition. However, the relation of this construction to standard pruning is not clarified in any way in [11], and this is not obvious to us.
To conclude, we point out that it might well be useful to add local variables to IAM in the future, similar to [2,11]. But, for the time being, this would only obscure our issue, namely to study an IA-like setting where data is communicated by shared memory while operations are triggered by synchronizing actions. From the perspective of the present article, local variables are just syntactic sugar: if an interface has local variables x and y, we can choose states of the form s xy , where the index gives the current variable values. For this to work, it is important that our IAM theory treats infinite state systems.

Parallel composition
This section extends the parallel operator of IA, as outlined above, to IAM. 2 Two IAMs P and Q can be composed, if each action that is in the alphabets of both is an output action in one IAM and an input action in the other. When the overall system composed of P and Q is in data state σ and P is in control state p with p − ϕ p , a!, ψ p → p such that σ | ϕ p , then P can perform action a!. If Q is in state q and a ∈ I Q , a transition q − ϕ q , a?, ψ q → q such that σ | ϕ q is required, i.e. Q has to perform the operation invoked: such a transition provides a new data state σ with σ, σ | ψ q . If each such σ meets the expectation of P, i.e. σ, σ | ψ p (and ψ q (σ ) ⇒ ψ p (σ ) in Definition 1(P!?)), the data state changes from σ to σ and the components jointly move from p, q to p , q . Otherwise, we have a communication mismatch, and p, q is an error state. This also holds if there is no transition q − ϕ q , a?, ψ q → q with σ | ϕ q . As for IA, all error states are pruned in the parallel composition of P and Q; the same applies for those states from which reaching an error cannot be prevented by any system environment.
, and the transition relation − → is the least relation satisfying the following rules: The asynchronous interleaving of autonomous transitions of P and Q is modelled by Rules (Pl) and (Pr). Rules (P!?) and (P?!) govern synchronization between P and Q. The pre-condition of the synchronized transition is the conjunction of the pre-conditions of the two involved transitions, as both must be fulfilled in the system's current data state for P and Q to engage in their transitions. To model the invocation of an operation, the inputtransition may alter the data state; accordingly, the synchronized transition is labelled with the post-condition ψ q . This requires that the post-condition of the output-transition is respected, leading to the implication ψ q (σ ) ⇒ ψ p (σ ) as explained above. The text " Here, as already announced above, we deviate from the IA-approach-as do the authors of [9,27]-in order to model operation calls properly as follows. A synchronization has two phases: it is triggered by the caller's output in the first phase, which requires a matching input; in the second phase, the new data state is produced on the input side (i.e. by the callee), requiring the outputting component (i.e. the caller) to accept it. Violation of one of the requirements leads to an error.
Definition 11 (Parallel Composition) Given a parallel product P ⊗ Q of IAMs P and Q, a state p, q is an error state if at least one of the following conditions is satisfied: The set E ⊆ P × Q of illegal states is the least set containing all error states and the states p, q satisfying p, q −(ϕ, α!, ψ)→ p , q with p , q ∈ E; this is also called Rule (Epb). The parallel composition P Q is obtained by pruning the illegal states. We also refer to the set of illegal states of P ⊗ Q as its E-set. The notions of state and component compatibility are as in IA.
Rule (E!?ϕ) describes a situation where p performs a! in some data state σ where q has no a?-transition enabled by σ . If (E!?ψ) applies, q has such an enabled a?-transition and it is unique by data-determinism; but this transition can update the shared memory in a way that violates the assumption of the a!-transition.
Note that the above definition coincides with the corresponding one for IA, if we consider IAMs where only tt occurs as pre-and post-condition. The latter guarantees that the side conditions of the parallel product, i.e. ϕ p ∧ ϕ q sat and ψ q (σ ) ⇒ ψ p (σ ) for all σ with σ | ϕ p ∧ ϕ q are satisfied trivially. Rule (E!?ϕ) states that q has no a?-transition, giving rise to an error as for IA, and Rule (E!?ψ) is never applicable. Figure 7 shows an example of a parallel product P ⊗ Q and the effect of pruning. IAMs P, Q synchronize on a where, e.g.
both pre-conditions, and x < 0 ⇒ x = 2 for the post-conditions. Note that the precondition x < 0 of the lower a?-transition from q 0 contradicts x = 2. The synchronization results in transition p 0 , by an a?-transition of q 0 for x = 0, so (E!?ϕ) applies to p 3 , q 0 . For x > 0, the upper transition from q 0 has a fitting pre-condition, but the new value of x could be −1; this contradicts x = 0, so (E!?ψ) applies, too. Hence, p 3 , q 0 is an error state so that transitions p 0 , q 0 −(tt, b?, tt)→ p 3 , q 0 and p 3 , q 0 − x = 2, τ, x < 0 → p 5 , q 1 in P ⊗ Q are pruned and not part of P Q.
It is important to observe that, in contrast to IA, an error may arise in a parallel composition due to an output enabled in some data state, although a τ -transition in which the output participates may still exist in the product due to some different data state. For example, an output a! might be offered when variable x has value 1 or 2, while the communication partner only has input a? if x has value 1. This results in an error due to (E!?ϕ), but the product still has a synchronizing τ -transition with pre-condition x = 1.
Clearly, one expects parallel composition to be associative and commutative. While the latter is obvious, the former is not trivial in IA-like approaches. For our IAM-setting, the associativity proof is given in Sect. 6.
Proposition 12 (Associativity & Commutativity) If P, Q and R are pairwise composable IAMs, then (P Q) R and P (R Q) are undefined or (P Q) R and P (R Q) are isomorphic. Analogously, parallel composition is commutative.
Preorder IAM is compositional wrt. parallel composition, which follows directly from the properties of our embedding of IAM to IA in the next section (see Corollary 18). Before showing this embedding, we wish to technically justify the notion of pruning which realizes IAM's optimistic notion of compatibility that it inherits from IA. We follow the approach adopted by us for Modal Interface Automata (MIA) in [5], which is based on so-called legal, or helpful, environments as first introduced for IA in [13].
(ii) The reachable states of (P ⊗ Q) ⊗ U contain no error states, where ((r 1 , r 2 ), r 3 ) is an error state, if some (r i , r j ) with i = j is an error state according to Definition 11.
Intuitively, U prevents P ⊗ Q from reaching an error state, so that one can think of a legal environment as modelling a user with whom each desired system assembled from concurrently running IAMs is composed at the end. Technically, our definition of legal environment is more general than the one of de Alfaro and Henzinger in [13], because we only demand composability for the signature. In the IA setting, de Alfaro and Henzinger showed that two IAs are compatible if and only if there is a legal environment for them. As in MIA, we can give a better justification for pruning: Proposition 14 (Pruning Justification) Let P, Q be IAMs. Hence, pruning only removes behaviour from P ⊗ Q that is never reached in any legal environment, i.e. when the composition is used properly.
Proof (i) "⇒": If P and Q are compatible, then P ⊗ Q has no locally reachable error states. Composing it with an IAM U that has only one state, no transitions, no inputs, and all inputs of P ⊗ Q as outputs, yields essentially only those states that are locally reachable from ( p 0 , q 0 ). Thus, U is a legal environment for P and Q. "⇐": Assume towards a contradiction that P and Q are incompatible, i.e. P ⊗ Q has a locally reachable error state ( p, q). Then, for any IAM U , the IAM (P ⊗ Q)⊗U either has a locally reachable error state (( p, q), u), or there is a first output transition on the path to ( p, q) that U prevents by not providing the corresponding input transition. This also results in a locally reachable error state in (P ⊗ Q) ⊗ U . Either way, U is no legal environment.   , q), u). As just argued, the path from ( p, q) to ( p , q ) still exists in (P ⊗ Q) ⊗ U , or is prevented by U at some stage leading to another error state. Either way, U is not a legal environment.
The correctness of pruning has also been investigated in the context of a linear-time semantics for IA in [6], where a problem with the original version of IA [12] in the presence of input-nondeterminism is pointed out and fixed.

Example
This section first illustrates the handling of data in IAM using a variation of the vending machine example of Sect. 2. It then briefly introduces an initial, prototypic toolset-based around our IAM theory, which supports modelling and simulating IAMs, debugging communication errors, as well as checking and reasoning about model refinements.

The vending machine example, expanded with shared memory
The variation of our vending machine example (see Figs. 8,9) considers, in particular, the payment operation coin and the change giving operation relCh, the latter of which is supple- mented with action done in case no change is given. Variable th stores whether customer C is thirsty for coffee (value C) or tea (value T ); hence, this information is no longer encoded in action atVM. Variable v stores the payment that the customer has made so far. Upon receiving a selection selC or selT, machine M sets this value to 0. Variable v is updated in operation coin; for coffee (tea), the machine never lowers (always raises) the value, while the customer always expects an increase. Variable c holds the value of the inserted coin, which can be 50¢, 1e or 2e. Note that, implicitly, c is set by the customer when selecting a coin. The drink is dispensed (operation relC) when v reaches the resp. price of 2e for coffee and 1e for tea. Finally, the change computed in ch is returned in operation relCh.
The product M ⊗ C is shown in Fig. 10. We discuss some of the transitions. In the τtransition from m 0 , c 4   To improve the situation, we IAM-refine M and C to M and C , respectively. Refinement C (not shown) is obtained from C by deleting the 0.5-option in the offending pre-condition. Analogously to the IA-example, the customer has learned that 50¢ coins are never accepted. On the machine side, refinement M (see Fig. 11) computes the correct pay- A similar change is made at m 1 , but here we have a new feature, showing the splitting of the input selC? at m 0 . The refined machine M is configurable to give a discount if variable disc is true. In this case, payment v is incremented by one additional Euro for each coin, which actually happens exactly once. Observe that data-determinism is maintained since disc ∧ ¬disc unsat, while Definition 8(i) is satisfied because disc ∨ ¬disc implies tt. With these changes, we obtain M ⊗ C = M C , as displayed in Fig. 12. Because M IAM M and C IAM C, we also have M C IAM M C and, indeed, m 0 , c 0 only has additional inputs in M C . Note that the behaviour after a new input can be arbitrary, because inputs of the refinement do not have to be matched according to Definition 8.

A prototypic IAM toolset
In order to demonstrate that tool support for the IAM interface theory is conceivable, we have developed an initial, prototypical toolset, to which we refer as IAM Toolset. The toolset is developed using various open-source technologies described below, is itself open source and available for download and further development via GitHub [28] and comprises approx. 12,000 lines of code. It runs on Windows, Linux and macOS with installed JDK11. We have used the toolset to check small examples that we had developed by pencil and paper, such as the vending machine example above. Note that we do neither claim that the IAM Toolset is fit for practical use by software engineers as is, nor that it scales to real-world examples of concurrent systems.
Textual language To specify interfaces, we have developed a textual syntax for IAM, have used the popular Xtext framework (https://www.eclipse.org/Xtext/) to realize this domainspecific modelling language, and written an extension for Microsoft's Visual Studio Code (VS Code) editor (https://code.visualstudio.com). This has led to a state-of-the-art IDE for IAM, with a modern editor that supports features such as syntax highlighting and code completion, and a compiler-actually, more of an interpreter-for transforming the textual language into IAM automata.
The textual language allows one to specify the underlying universe of global actions (keyword actions), the shared global variables (keyword var) that are typed using built- in primitive types such as int and bool or custom-defined enumeration types (keyword type), and the templates of interface processes (keyword proc). It also has an initialization section (keyword init), where processes can be instantiated from templates (keyword sys), composed in parallel (keywords product and composition for the parallel product and composition, respectively) and checked for refinement (keyword refinement). In fact, there is also an explicit pruning operator (keyword prune) such that composition is simply product followed by prune. While Xtext assist us in realizing our language interpreter's front-end (approx. 1100 lines of code), the backend and, thus, all IAM operators are implemented solely in the Kotlin programming language (approx. 9400 lines of code). The various commands for instantiation, composition and refinement can also be executed directly from VS Code (approx. 1350 lines of code in TypeScript) or the command line. For checking static semantics constraints, we frequently call the Z3 SMT solver (https:// github.com/Z3Prover/z3), which we also use in the context of the product operator and IAM refinement for checking logic implications that involve arithmetic expressions over shared variables. Figure 13 shows, in the rightmost two columns, snippets of the machine and customer specifications of our vending machine example of the previous section, now cast in the syntax of the IAM Toolset. The process template Machine first defines its input and output alphabet and then defines interface behaviour via a guarded-command language enriched with control structures such as while loops (with optional breaks), case statements, sequential composition (via newlines or semicolons), or goto (jump to a label). Guards are on the left of symbol -> and constitute the pre-condition of the first action following symbol ->. Post-conditions immediately follow an action and are labelled with keyword assume for post-conditions of output actions and guarantee for post-conditions of input actions; the rationale is that a post-condition of an output action a! abstractly specifies how Debugging The left column in Fig. 13 reveals (see the section labelled Call Stack) that this screenshot has been taken after instantiating machine and customer and computing their product, which revealed a communication error between the interfaces. This error relates to the highlighted lines 17 and 54, i.e. on the synchronization on action coin. The detailed error message in the red box explains that the assumption is not met by the guarantee, and the section labelled Product in the left column provides information via which series of actions the error state is reached from the products initial state. As an aside, we wish to note here that the IAM toolset has standard debugging features, including the setting of breakpoints, that allow engineers the interactive tracing through interface processes, parallel products and parallel compositions.
Refinement checking IAM's notion of refinement, alternating simulation, has a convenient characterization in terms of a two-player game [13], which we exploit so that users can interactively explore in the IAM Toolset whether two processes are related under refinement. A snapshot of such an exploration is shown in Fig. 14 where, in a first move of the game, the initial selC? input action of the specification side (right-hand side), i.e. of Machine, was chosen. The toolset now highlights the available selC? families on the implementation side (left-hand side), i.e. of MachinePrimed; in this case, there is a single family consisting of two selC? transitions, one with pre-condition disc and one with its negation. In general, our tool displays every family (i) consisting of members that have pre-and post-conditions that match the requirements of alternating simulation (cf. Definition 8) and (ii) not including a member already covered by others. The engineer now, in the matching move, picks the only available family and continues the game by investigating the two transitions of the family.
The IAM Toolset also prototypes an automated refinement checker which reduces the refinement problem between two IAMs to solving a Boolean equation system; note that all IAMs specified in the toolset's textual language are finite-state. The reduction is rather straightforward and follows the lines proposed by Mateescu and Oudot in [24] who proposed such a reduction for bisimulation [26]. We then employ the mCRL2 toolset [7] (https://www. mcrl2.org) for solving the resulting Boolean equation system. In case a refinement does not hold, the IAM Toolset synthesizes an attacking strategy so that an engineer might play a game against the computer to gain understanding as to why refinement between the given two processes is violated.

Embedding IAM into IA
This section shows that, while IAM adds shared memory to the IA theory, it does not alter IA's concept of component compatibility and refinement. IAM is rather an intuitive and possibly finite abstraction for reasoning about possibly infinite data, which maintains the simplicity that has made IA popular. In the following, we develop a behaviour-preserving translation from IAM to IA such that our parallel composition and refinement match exactly those of IA.
While our formal semantics of IAM is based on alternating simulation, we wish to foster intuition here by considering an IAM P to have runs of the form (σ 0 , p 0 ) Note that σ i and σ i+1 might be different, because interface theories consider open systems and P's environment can always interleave and arbitrarily modify the data state; we study and define closed systems in Sect. 7. 3 For our translation, one might consider to integrate data states into actions, so that the above run gives rise to α 0 (σ 0 , σ 0 ) . . . α n−1 (σ n−1 , σ n−1 ) as a sequence of actions, i.e. each α i (σ i , σ i ) is taken to be an (atomic) action. This idea is similar to, e.g. the translation of full CCS into basic CCS in [26].
However, this translation does not work in general. Consider IAMs P, Q of Fig. 15, where V = {x}, V = {x } and D = {1, 2}. By the above idea, P would have tran- , because it is really the set of acceptable new data states that counts. To get a matching inputtransition, the same translation should be applied there. But such an input-transition could have a smaller set according to its post-condition as in the example. To get the same input action as the output, we allow all M ⊇ ψ(σ ) for inputs; such an M can be understood as the guarantee that the new data state will be in M. This way, the IAs do not produce false errors, and the real errors still occur in the translation if the output with M = ψ(σ ) cannot be matched.
Another issue is that, if we refine some p −(ϕ, a!, ψ)→ p , we could weaken the assumption, i.e. the corresponding a(σ, M)! would be refined by a(σ, M )! with M M . To make this possible, we also include supersets on the output side. This does not disturb the correct handling of errors: if there is a matching input for a(σ, M)!, there is also one for a(σ, M )!. Observe that taking supersets for inputs actually also allows for correct refinements, because we have the same entailment ψ i (σ ) ⇒ ψ(σ ) in Definition 8(i) and (ii).
To reflect on this translation scheme for our example IAMs P, Q, consider their translations IA(P), IA(Q) in Fig. 17 In such a scenario, more generally speaking, a(σ, M)! is present for σ satisfying the preconditions of both P and Q whenever ψ P (σ ) ⊆ M, and a(σ, M )? whenever ψ Q (σ ) ⊆ M , where ψ P and ψ Q refer to the according post-conditions in P and Q, resp. If no error each a(σ, M)! is matched by a(σ, M)?. Otherwise, a(σ, ψ P (σ ) )! does not have a match and the error arises in the translation as well.
We now formalize our translation and then work towards proving the correctness of the induced embedding of IAM into IA. Proof Composability only depends on the signature, and inputs (outputs, resp.) of an IAM R give rise to inputs (outputs, resp.) of IA(R), so the first claim follows. Obviously, P ⊗ Q and IA(P) ⊗ IA(Q) have the same state sets. The initial states also coincide. We proceed as follows: 1. We show that P ⊗ Q has the same error states as IA(P) ⊗ IA(Q): p, q is an error state in P ⊗ Q due to Definition 11 (E!?ϕ) or (E?!ϕ). W.l.o.g., P has a transition p − ϕ p , a!, ψ p → p , and some σ with σ | ϕ p satisfies σ | ϕ q for all transitions q − ϕ q , a?, ψ q → q . The p-transition gives rise to some p a(σ,M)! −−−−→ p in IA(P) but, due to the condition σ | ϕ q , state q has no input-transition with any a(σ, X )?. As a result, p, q is also an error state in IA(P) ⊗ IA(Q).
p, q is an error state in IA(P) ⊗ IA(Q). W.l.o.g., IA(P) has a transition p a(σ,M)! −−−−→ p that IA(Q) cannot match in state q. Thus, P has a transition p − ϕ p , a!, ψ p → p with σ | ϕ p and ψ p (σ ) ⊆ M. By the definition of our translation, p can also perform a(σ, ψ p (σ ) ), while q cannot: -If IA(Q) does not contain any a(σ, X )?-transition at q, then there is no q − ϕ q , a?, ψ q → q with σ | ϕ q in Q. Thus, p, q is an error in P ⊗ Q due to Definition 11 (E!?ϕ). -Otherwise, there exists only one transition q − ϕ q , a?, ψ q → q with σ | ϕ q in Q, due to data-determinism. Because q does not have the action a(σ, ψ p (σ ) ), we get ψ p (σ ) ψ q (σ ) . Again, p, q is an error in P ⊗ Q due to Definition 11 (E!?ψ).
2. We show that IA(P ⊗ Q) is isomorphic to IA(P) ⊗ IA(Q), except for outgoing transitions of error states, and consider synchronized transitions first: -If p − ϕ p , a!, ψ p → p and q − ϕ q , a?, ψ q → q , ϕ p ∧ ϕ q sat and ψ q (σ ) ⇒ ψ p (σ ) holds for all σ with σ | ϕ p ∧ ϕ q , then the transitions synchronize to ψ q (σ ) . Then, we have Unsynchronized transitions of P are "copied" into P ⊗ Q and replaced by a bundle of transitions on the left, and replaced by the same bundle that is copied into the product on the right. The same holds for unsynchronized transitions of Q. 3. Due to Item (1), P ⊗ Q and IA(P) ⊗ IA(Q) have the same error states. Each illegal state has a path of local actions reaching an error state at the end only. Hence, we can conclude from Item (2) that both systems have the same illegal states, and IA(P) IA(Q) is defined iff P Q is. Applying Item (2) again, we get that IA(P Q) is isomorphic to IA(P) IA(Q).

Theorem 17 (Monotonicity) P IAM Q iff IA(P) IA IA(Q), for all IAMs P, Q.
Proof "⇒": Assume P IAM Q due to the alternating simulation R. We show that R is also an alternating simulation for IA(P) and IA(Q). First, p 0 Rq 0 holds for the IAMs and, thus, also for the IAs. Let pRq and consider the following cases: This obviously leads to q ε ⇒ q in IA(Q), for some q with p Rq . "⇐": Assume IA(P) IA IA(Q) due to the alternating simulation R. We claim that R is also an alternating simulation for P and Q. Note that p 0 Rq 0 holds for the IAs and, thus, also for the IAMs. Let pRq and distinguish the following cases: The latter is due to a unique transition p −(ϕ σ , a?, ψ σ )→ p σ with σ | ϕ σ , which also satisfies ψ σ (σ ) ⊆ ψ(σ ) . 5 The family of all these transitions satisfies ϕ ⇒ σ ϕ σ and, for all σ with σ | ϕ, we have σ | ϕ ∧ ϕ σ and ψ σ (σ ) ⇒ ψ(σ ).
p −(ϕ, τ, ψ)→ p . We get the transition p τ − → p . Due to R, we obtain some q with q ε ⇒ q in IA(Q) and p Rq . Hence, q ε ⇒ q also holds in Q.
Using the last two theorems and Proposition 4, we can now prove the associativity of parallel composition as stated in Proposition 12: The embedding of IAM into IA is not injective due to at least two possible reasons, although these are somewhat pathological. The first reason is that pre-and post-conditions of τ -transitions in an IAM are omitted in the translation. Hence, IA(P) cannot distinguish between τ -transitions with the same source and target but different pre-or post-conditions in P. The second reason is that two different IAMs can have the same translation because of visible parallel transitions. IAM P in Fig. 18 is not equal to P, but IA(P ) is the same automaton as IA(P) shown in Fig. 17. Observe that, in general, two IAMs that are mapped to the same IA are at least IAM-equivalent due to Theorem 17.
The compositionality of parallel composition for IAM now follows from the corresponding property for IA [13] (see Theorem 6) and the above theorems: Fig. 19 Example showing that gs(P) can be a quasi-IA Corollary 18 (Compositionality) Let P, Q, R be IAMs and P IAM Q. Further, assume that Q and R are composable. We have: (i) P and R are composable; (ii) P R is defined if Q R is, and then P R IAM Q R.
Proof By Theorems 16 and 17, the assumptions hold for IA(P), IA(Q) and IA(R), and also the assumption in (ii) carries over. For these, the result is known (see Theorem 6). Hence, also P and R are composable (compatible, resp.) by Theorem 16. Further, IA(P) IA(R) IA IA(Q) IA(R) implies IA(P R) IA IA(Q R) by Theorem 16. Now, P R IAM Q R follows by Theorem 17.

Ground semantics: data-closed IAM
Communication via shared memory works efficiently only for a limited number of components that are locally close to each other. In practical applications, one has a group of components that communicate among each other via shared memory and with their environment via, e.g. message passing [18]. The group is modelled as a parallel composition of IAMs with the understanding that the shared memory is local to this group. Technically, the composition is itself an IAM that is data-closed as defined below. Informally, we speak of a cluster to keep in mind that it represents a group closely connected by common data. To sketch the use of our framework for designing shared-memory systems, we assume that the communication with the system environment is just by synchronizing on common actions, i.e. the environment is an IA and sees the cluster as an IA that is originally specified by some IA Spec.
As the first step for implementing Spec, it has to be translated to an IAM Spec', and we demonstrate how this can be done towards the end of this section. Spec' is developed with the IAM design-process into a final cluster P. Now, the system environment needs an IA as a behavioural description of P. As the main result, we show how to represent P by an IA that refines Spec; under some restrictions, the construction even gives a finite IA if P is finite. Due to the symbolic handling of possibly infinite data, this is not obvious. After Proposition 30, when having obtained all formal results, we describe the design process from Spec to the representation of P in greater detail. Until then, we concentrate on the representation of P.
In the previous sections, we have assumed that a control state p of P can be entered while being in some data state σ , and then left because of a data state σ different from σ . In a data-closed system, such a change cannot happen since the shared memory is inaccessible from the outside. To describe the behaviour of such a system, we present a ground semantics where p can only be left via a transition whose pre-condition is satisfied by data state σ . In particular, pre-and post-conditions are now also relevant for τ -transitions.
More formally, states of the ground semantics are pairs p, σ , where p is a control state and σ a data state. A transition of p with pre-condition ϕ is only kept for p, σ if σ | ϕ. Note that, in case of infinite data, there are usually infinitely many states, even if P is finite.
The ground semantics of a data-closed IAM P, denoted by gs(P), describes the behaviour of P as seen from its environment, given some initial data state σ 0 . Such an initial state would not make much sense for an IAM since it could be changed immediately by the environment. Automaton gs(P) is essentially an IA without pre-and post-conditions, but it might violate input-determinism if several data states satisfy the post-condition of an input-transition. Figure 19 shows an example with V = {x}, D = {1, 2} and an initial data state where x = 1. In this section, we call such IA-like systems quasi-IAs. Similarly, a system that is an IAM except for data-determinism is called a quasi-IAM.

Reduction of a data-closed IAM
To fit the development of a shared-memory cluster into the IA-approach, we first define a quasi-IA that properly reflects the behaviour of the final data-closed IAM P wrt. the ground semantics, but is finite whenever P is (cf. Theorem 25). In turn, this quasi-IA is based on a quasi-IAM to which we refer as the reduction of P; it has the same ground semantics as P.
Recall that state p, σ of the ground semantics inherits those transitions of p whose preconditions are satisfied by σ . If another data state σ satisfies the same pre-conditions as σ , then p, σ inherits the same transitions as p, σ . The main idea is to merge such states. Each merged state is essentially characterized by a conjunction of pre-conditions, written ϕ J in the following definition.
Definition 20 (Reduction) Given a data-closed IAM (P, I , O, − → P , p 0 , σ 0 ), assume that each p ∈ P has outgoing transitions indexed over some K p with pre-conditions ϕ j , j ∈ K p . For each J ⊆ K p , let ϕ J be j∈J ϕ j ∧ j / ∈J ¬ϕ j . Set J is called a p-index set if ϕ J is satisfiable.
The reduction of P is the data-closed quasi-IAM (red(P), I , O, − → red(P) , p 0 , ϕ 0 , σ 0 ) with the following properties: -The set red(P) ⊆ P×Pred(V ) of states consists of all pairs p, ϕ J with J being a p-index set. -If p − ϕ j , α, ψ → P p and there are p-and p -index sets J and J , resp., with j∈J and State p, ϕ J of red(P) represents all p, σ in gs(P) where σ | ϕ J . Given p and σ , there is a unique p-index set J with σ | ϕ J ; for this J , data state σ satisfies ϕ j iff j ∈ J . A state p, ϕ ∅ corresponds to the data states that do not satisfy any pre-condition attached to p; so all such states of red(P) have no outgoing transitions and could be identified with a new state dead. Observe that there are finitely many formulas ϕ J for a finite P; thus:

Lemma 21 (Finiteness) For any finite, data-closed IAM P, the quasi-IAM red(P) is finite.
Given the transition from p in Definition 20, consider some σ with σ | ϕ J . Because j ∈ J , we have σ | ϕ j , ψ(σ ) is satisfiable and, for each feasible new data state σ at p , one identifies the proper p -index set J . Then, σ (which is applied to V ) satisfies ψ(σ ) and ϕ J (obtained from the resp. pre-conditions, replacing each x by x first). Together, σ, σ | ϕ J ∧ψ∧ϕ J . This explains the details of the transition of red(P) in the above definition. It also shows that each transition from p gives rise to a transition from p, ϕ J for each suitable J ; we refer to this in the proof of Theorem 29. Examples of reductions can be found in Figs. 20 and 21. Now, we show that gs(red(P)) is essentially the same as gs(P). This means that red(P) and P have the same behaviour as seen from the environment. We call a state p, ϕ J , σ of gs(red(P)) data consistent if σ | ϕ J . In other words, ϕ J is an invariant for data consistent states p, ϕ J , σ . All reachable states in gs(red(P)) are data consistent: the initial state is data consistent, because ϕ 0 is defined such that σ 0 | ϕ 0 . Furthermore, if σ and σ satisfy the post-condition of a transition leading to p , ϕ J in red(P), then σ | ϕ J , i.e. the resp. state p , ϕ J , σ of gs(red(P)) is data consistent.
Similarly, we remark that only data consistent states of gs(red(P)) have outgoing transitions. All transitions in gs(red(P)) are based on transitions of red(P) and the data states have to fulfill the pre-conditions of the outgoing transitions; these pre-conditions coincide with the ϕ J of the state of red(P).
Theorem 22 (Data consistency) Let P be a data-closed IAM. Each reachable state of gs(red(P)) is data consistent. The quasi-IA induced by data consistent states is isomorphic to gs(P) due to the isomorphism ι: p, ϕ J , σ → p, σ ; note that σ | ϕ J . The reachable parts of gs(red(P)) and gs(P) are isomorphic due to the resp. restriction of ι.
We now define a simple translation of an IAM Q to a quasi-IA ia(Q). It turns out that ia(red(P)) has essentially the same behaviour as gs(P), if P's post-conditions do not contain any unprimed variables. The quasi-IA ia(Q) is only IA-like as we do not necessarily get an input-deterministic system. Input-determinism is implied by data-determinism in combination with another property (see below). Obviously, ia(Q) is finite if Q is. The notion of similar behaviour, as used here, is (strong) bisimilarity. On IAs, this is much stronger than mutual IA-refinement.
States p and q are called bisimilar if pRq for a bisimulation R. Further, P and Q are bisimilar if the initial states p 0 and q 0 are bisimilar.
If P has no unprimed variables in its post-conditions, one obtains directly from Definitions 19 and 20 that data consistent states p, ϕ J , σ and p, ϕ J , σ in gs(red(P)) have the same transitions, i.e. actions and target states coincide. Relating all such pairs results in a bisimulation R on gs(red(P)) that is an equivalence. It is well known that merging such equivalence classes gives a bisimilar system [20]. If we denote each class by the resp. p, ϕ J , this system is ia(red(P)). With Theorem 22 and the above observation that ia(Q) is finite if Q is, we have: Theorem 25 Let P be a data-closed IAM. If P is finite, then ia(red(P)) is finite, too. If P has no unprimed variables in its post-conditions, then ia(red(P)) and gs(red(P)), as well as ia(red(P)) and gs(P), are bisimilar. They are IA-equivalent, if they are IAs.

Remark 26
The example in Fig. 20 shows that the restriction wrt. unprimed variables cannot be dropped for this result; here, we do not show conjuncts tt in the post-conditions of red(P). The ground semantics of data-closed IAM P, with σ 0 mapping x and y to 0, has the sequence ab 1 ab 2 ab 3 . . . of outputs as visible behaviour. On the resp. unique run, τ -transitions and visible transitions alternate. The states connected by τ are bisimilar; each pair is characterized by the number of bs before the next a and the number of bs after the next but before the next but one a. Thus, no other states are bisimilar, and no finite quasi-IA is bisimilar to gs(P). Although the ground semantics of the reduction red(P) is infinite, red(P) is finite, and so is ia(red(P)). Hence, ia(red(P)) and gs(P) cannot be bisimilar.
Even worse, when we consider only quasi-IAs where outputs a and b are the only visible actions, then the quasi-IAs are actually IAs. Taking all states as final states, we can regard them as 'possibly infinite finite automata,' which are language equivalent if they are equivalent wrt. IA . The language of gs(P) consists of all finite prefixes of ab 1 ab 2 ab 3 . . . ; this language is not regular, so no finite IA is equivalent to the IA gs(P) wrt. IA .
The restriction regarding unprimed variables is clearly uncomfortable; we plan to study how to weaken it in future work.

Fitting the reduction to the IA-approach
As indicated above, we want to use a data-closed IAM P in a design process developing an IA. For this, we would like red(P) to be an IAM and ia(P) and ia(red(P)) to be IAs. This only holds under some restrictions. We first characterize those red(P) that violate datadeterminism.
Definition 27 (Transition ambiguity) Input-transition p −(ϕ, a?, ψ)→ p of data-closed IAM P is ambiguous if, for some p-index set J containing the index of this transition, ϕ J ∧ ψ ∧ ϕ J is satisfiable for more than one p -index set J .
A predicate that is satisfied exactly by one data state σ is called univalent and denoted by ϕ σ ; w.l.o.g. we assume that a univalent post-condition is written without unprimed variables.
Concerning the input-transitions of some state p in a data-closed IAM P, we observe the following: if two transitions from p numbered i and j concern the same input a?, the pre-conditions ϕ i and ϕ j contradict each other due to data-determinism. Thus, a p-index set J can contain at most one index of an a?-transition for a fixed a?, i.e. there is at most one p −(ϕ, a?, ψ)→ P p that gives rise to a?-transitions from p, ϕ J . Still, red(P) might only be a quasi-IAM: if a were an input in the example shown in Fig. 20, red(P) would otherwise look the same and would violate data-determinism in state p 1 , tt .
Because every p-index set can contain at most one index of an a?-transition for a fixed a?, a violation of data-determinism at some p, ϕ J can only arise from a single input-transition at p, which is then ambiguous. Conversely, if p has an outgoing ambiguous a?-transition as in the definition, red(P) has more than one outgoing a?-transition from p, ϕ J by the definition of reduction. Hence, red(P) is not data-deterministic, because every outgoing transition of p, ϕ J has the pre-condition ϕ J . The latter also shows that data-determinism at each p, ϕ J implies input-determinism and that ia(red(P)) is an IA.
We summarize, noting also that a transition with a univalent post-condition is unambiguous, because the ϕ J at some state p contradict each other:

Proposition 28
Let P be a data-closed IAM.

(i) P has no ambiguous input-transitions iff red(P) is an IAM. (ii) If red(P) is an IAM, then ia(red(P)) is an IA.
(iii) If all input post-conditions in P are univalent, then P has no ambiguous input-transitions.
Obviously, ia(P) is input-deterministic, i.e. an IA, if every state of P has at most one outgoing a?-transition for each input a. Due to data-determinism, this is guaranteed if all pre-conditions of input-transitions are equivalent to true. The latter condition also allows us to relate a data-closed IAM P and red(P) on the IA-level: Theorem 29 (Reduction and IA-refinement) Let P be a data-closed IAM without ambiguous input-transitions, where all pre-conditions of input-transitions are equivalent to true. Then, ia(red(P)) and ia(P) are IAs and, moreover, ia(red(P)) IA ia(P).

Fig. 21
Example illustrating IAM's application in the IA-context Proof As noted above and by Proposition 28(i) and (ii), ia(red(P)) and ia(P) are IAs. We show that R = df {( p, ϕ J , p) | p ∈ P} is an alternating simulation for ia(red(P)) and ia(P). Clearly, p 0 , ϕ 0 R p 0 holds for the initial states. Let p, ϕ J R p and consider the following cases: • p a?
− → ia(P) p . For some ϕ and ψ, the transition p −(ϕ, a?, ψ)→ P p is a transition of P, and ϕ is equivalent to tt by assumption, implying that the index of the transition is in each p-index set. As argued after Definition 20, there is some p -index set J such that p, ϕ J − ϕ J , a?, ϕ J ∧ ψ ∧ ϕ J → red(P) p , ϕ J . (Actually, J is unique by unambiguity.) This implies p, ϕ J a? − → ia(red(P)) p , ϕ J with p , ϕ J R p .
• p, ϕ J α! − → ia(red(P)) p , ϕ J . The IAM red(P) has a corresponding transition p, ϕ J − ϕ J , α!, ϕ J ∧ ψ ∧ ϕ J → red(P) p , ϕ J for some ψ. Hence, P has some tran- The following, final result shows how IAM-refinement fits together with IA-refinement: Proposition 30 (IAM-refinement fits IA-refinement) Let P IAM Q due to an alternating simulation R. Then, R also satisfies the conditions of an alternating simulation for ia(P) and ia(Q).
Proof Let pRq. The case of τ -transitions is obvious, because we ignore their conditions in the IAMs anyway. An input-transition of q is matched by a family of input-transitions from p. Each of these results in a transition in ia(P) that matches the resp. transition in ia(Q). The case of outputs is similar.
We now describe in detail how one can implement a given IA specification Spec as a shared memory cluster; explanations and the correctness proof are given afterwards. The inputs and outputs of Spec are the external actions for the IAM-design. In the first step, we translate Spec into an IAM Spec by decorating each transition with tt as pre-and post-condition, except for the post-conditions of output-transitions. As first design choices, we select an initial data state σ 0 and, for each output-transition, a single expected σ , i.e. the post-condition is the univalent predicate ϕ σ . A possible resulting IAM Spec is given in Fig. 21.
To obtain a working implementation, one typically refines Spec by a parallel composition. While developing this cluster in the IAM-framework, the overall system keeps the external actions, and we require that the pre-condition of a transition with an external input is always tt. Introducing new components introduces new actions; there are no restrictions for the resp. transitions, and they are hidden after synchronization. Refining the new components, which are not data-closed, demands IAM-refinement in order to have a precongruence.
We require the final cluster P to not have any unprimed variables in its post-conditions. Furthermore, it must not have any ambiguous transitions, e.g. due to all post-conditions of external input-transitions being univalent (cf. Definition 27). Then, ia(red(P)) IA-refines Spec; as a faithful behavioural description of the data-closed IAM P, ia(red(P)) can be given to the user of the shared memory cluster as an operating guideline. Preferably, P is finite so that ia(red(P)) is finite as well, even if the common ground semantics of P and red(P) were infinite.
This concludes the description of the design process. In order to demonstrate the technical steps, we give a small example and, as we aim to keep things simple, we do not show any components here. Instead, Fig. 21 depicts a realization P of Spec , which has to be understood as the parallel composition of the final cluster. Spec , P and red(P) have the external inputs and outputs as signature. Most interestingly, state p 2 in P has transitions with overlapping pre-conditions. This leads to three satisfiable conditions ϕ J , which are equivalent to x < 0, x > 0 and x = 0. As x < 0 is always invalid after the τ -transition in P, state p 2 results in two reachable states in red(P); the post-conditions of the two τ -transitions are suitably adapted. The left-hand state inherits the two c-transitions where x > 0 is allowed, and the right-hand state inherits only the c-transition where x = 0 is allowed; the pre-conditions are adapted.
We close this section by motivating the initial choices for Spec and proving the correctness of our method. Predicate tt is chosen as pre-condition for output-transitions, because this is the most general choice. These pre-conditions can be made stricter during refinement. Dually, the post-conditions can be made broader, so we start from a minimal post-condition. The conditions of τ -transitions do only matter for the final cluster. Post-conditions tt for inputtransitions are again most general. The pre-conditions of input-transitions being tt is only necessary for the final P, where we have to apply Theorem 29, but it seems conceptually easiest to require this throughout. This condition guarantees that the environment, which does not have access to the shared memory, can really rely on the operation calls being accepted as promised in the operating guideline. Obviously, ia(Spec ) is Spec.
As an aside, we note that Spec is isomorphic to red(Spec ); simply replace each p by p, tt . Furthermore, Spec has no post-conditions with unprimed variables. Hence, the behaviour of the data-closed IAM Spec properly reflects ia(red(Spec )) by Theorem 25, and the latter is isomorphic to Spec. Therefore, the choice of Spec is intuitively well motivated.
The final cluster P is obtained from Spec by IAM-refinement. By Theorem 29, ia(P) and ia(red(P)) are IAs and ia(red(P)) IA ia(P). From P IAM Spec and Proposition 30, we derive ia(P) IA ia(Spec ), where the latter is Spec. Together, we have ia(red(P)) IA Spec. So, ia(red(P)) is an IA-refinement of Spec, and it faithfully shows the behaviour of P by Theorem 25. Finally, ia(red(P)) is finite by Lemma 21, if P is.

Remark 31
One might think that these considerations could be simplified. The idea would be to conclude red(P) IAM Spec from red(P) IAM P. The IAM P in Fig. 22 and red(P) in Fig. 23 show that the latter can fail in various ways. In this example, we have D = {1, 2}, V = {x, y} and σ 0 maps x and y to 1. We write ϕ i, j instead of x = i ∧ y = j and, therefore, ϕ i, j instead of x = i ∧ y = j, for i, j ∈ D. In some of the post-conditions in red(P), we have omitted some redundant conjuncts like tt. We assume that each of p 2 , p 3 , p 4 and p 5 has a characteristic behaviour that is omitted in the figures, e.g. each has an input-transition not occurring elsewhere. This way, no alternating simulation can relate any p i , ϕ J ∈ red(P) to some p j ∈ P with i, j ∈ {2, 3, 4, 5} and i = j.
Suppose that red(P) IAM P due to some alternating simulation that relates p 0 , x = 1 to p 0 . Due to the o-transition from p 0 , x = 1 to p 1 , ϕ 1,1 , the simulation also relates p 1 , ϕ 1,1 to p 1 . Now, the first problem is that p 1 − x = 2, i?, ϕ 2,1 → P p 5 must be matched by an i-transition from p 1 , ϕ 1,1 to p 5 , tt . But there is no such transition, because the common pre-condition ϕ 1,1 of the transitions from p 1 , ϕ 1,1 contradicts x = 2. More generally speaking, the index of the i-transition above is not in the p 1 -index set giving rise to ϕ 1,1 . Such a contradiction cannot occur if all pre-conditions of input-transitions in P are tautologies, which implies input-determinism.
The second problem is similar. Transition p 1 − x = 1, i?, ϕ 1,1 → P p 2 must be matched by the only i-transition from p 1 , ϕ 1,1 . However, due to transition p 1 − y = 1, o!, ϕ 1,1 → P p 3 and the construction of red(P), we have the pre-condition ϕ 1,1 in the latter IAM, and this is not implied by x = 1. This effect can also occur if all pre-conditions of input-transitions in P are tautologies. Consider the transition p 0 , x = 1 − x = 1, o!, x = 1 ∧ ϕ 1,1 → p 1 , ϕ 1,1 in red(P) to see the last problem. This must be matched by the only o-transition from p 0 . By the construction of red(P), the post-condition of the given transition has an additional conjunct that makes the post-condition stricter than x = 1. This also contradicts the definition of alternating simulation.
Finally, observe that also ia(P) IA Spec, but ia(P) should not be used in place of ia(red(P)). It might have outputs that cannot ever occur in the data-closed P, i.e. outputs for which the environment does not have to care.

Conclusions and future work
Interface Automata (IA) [12,13] have laid the foundation for reasoning about the compatibility of concurrent system components and been extended in the literature in various ways by shared variables for modelling data manipulating operations [1,2,9,11,27]. However, all these works consider a more complex setting than IA [1,2], do not relate their proposed semantics to an intuitive ground semantics [1,2,9,11,27], or do not abstract from internal computation [1,2,9,11,27]. Thus, it has remained an open question whether IA permits a simple and faithful extension to shared memory.
This article answered this question positively. Our interface theory IAM is a conservative extension of IA by shared memory. Similar to [1,2,9,27], we decorated action-labelled transitions with pre-and post-conditions constraining data states. A pre-condition acts as the transition's guard, and a post-condition of an output (input) transition specifies an assumption (guarantee) on the data state reached when executing the transition. We extended IA's concepts of compatibility, refinement and parallel composition to this setting, and provided a translation from IAM to IA. The latter shows that IAM accurately lifts IA's concepts to shared memory. In this sense, IAM keeps the simplicity that has made IA increasingly popular in the formal methods community. But the clear advantage is that IAM attains finiteness even when reasoning about infinite data domains. For our IAM theory, we implemented an initial, prototypic toolset [28] using open-source technologies and applied it to a simple example, thereby demonstrating that practical tool support is conceivable.
To prove that IAM treats shared variables as intuitively expected and that a cluster of IAMs can be abstracted to an IA, we provided a ground semantics for data-closed IAMs. This makes the data states, which are implicit in an IAM, explicit, and is not unlike the implementation semantics of [2]. Most importantly, our presentation of the usually infinite ground semantics is often finite. Data-closed IAMs may occur as a cluster of IAMs that communicate among each other by shared memory, but via message passing with the system environment. Thus, the cluster looks externally similar to an IA. We sketched an approach, where under some restrictions, an IA as a specification is transformed into an IAM, which in turn can be implemented by a cluster according to IAM-refinement. Then, the ground semantics of the cluster IA-refines the specification, and it can be turned into a bisimilar finite IA obtained from a reduction of data-closed IAMs.
Future work We propose to extend IAM with operators enhancing its practicality, namely a conjunction operator that is needed when a component must satisfy several interfaces, as well as operators for action scoping and variable scoping. The former is not as easy as for IA [23], where two interfaces always have a common refinement since contradictions cannot occur. In IAM, contradictions may arise due to transitions with conflicting post-conditions. Action scoping can be realized by pruning inputs and hiding outputs [8]. Variable scoping requires the introduction of an access control to IAM's global variables [1,2,11].
Further, we plan to attach data invariants to IAM states. The idea is that, while a component is in a state, a compatible system environment can only alter data in ways respecting the invariant. This restricts the environments with which a component can be composed, thus making shared variables more meaningful wrt. an open systems view. Variations like this bring our theory closer to practical application; we then have to adapt our cluster result accordingly, while replacing IA by message-passing systems.
Last, but not least, we wish to investigate the extent to which our prototypic IAM toolset scales to realistic systems and whether it can cope with the variety of concurrent systems developed in engineering practice. Certainly, scalability also depends on the logic chosen for expressing pre-and post-conditions, which effects the computational complexity for deciding alternating simulation.