kfhoech
commented
4 years ago 
Hi Ethan,
Sorry I thought I responded to this a while back. The email was in my drafts folder and I never sent it :-(.
I'm confused about the comments in this component:
system implementation B.impl annex agree { --these are automatically added from A due to extension --eq abstract out: int; --assert output = out; eq abstract out2: int; }; end B.impl;
How does the implementation of "B.impl" know to reference the syntax in in the annex of "A.impl"? The extends clause in the component type definition for B only references the component type of A (not the implementation A.impl). Because there can be many implementations for a single type it doesn't make sense to me that an implementation of a component defined with an extends clause would inherit syntax in some implementation of the extended type. Let me know if I didn't articulate this well, I can explain more if this is confusing.
As for inheritence for component types, I think the idea seems okay. It does however make it easier for a user to specify inconsistent/unrealizable contracts.
- John
On Thu, Jun 4, 2015 at 8:41 AM, Ethan McGee notifications@github.com wrote:
I am raising an issue to discuss the possibility of the inclusion of a new feature in AGREE. I would like to see better support for the use of the "extends" concept in AADL, and my idea is the inclusion of an abstract local variable. An example prototype of what I am thinking follows below.
package Sample public system A features input: in data port; output: out data port; annex agree { assume "we won't divide by 0 or a non-negative" input >= 1; guarantee "we will produce a non-negative value": output >= 0; }; end A;
system implementation A.impl annex agree {** eq abstract out: int; assert output = out; **}; --attempting to verify this system will verify its ultimate non-abstract extensions (D and C) --since this system cannot be verified due to the abstract end A.impl; system B extends A annex agree {** --these are automatically added from A due to the extension --assume "we won't divide by 0 or a non-negative" input >= 1; --guarantee "we will produce a non-negative value": output >= 0; guarantee "output = 2048 / input": output = 2048 / input; **}; end B; system implementation B.impl annex agree {** --these are automatically added from A due to extension --eq abstract out: int; --assert output = out; eq abstract out2: int; **}; end B.impl; system C extends A annex agree {** --these are automatically added from A due to the extension --assume "we won't divide by 0 or a non-negative" input >= 1; --guarantee "we will produce a non-negative value": output >= 0; guarantee "output = 2048 / input": output = 2048 / input; **}; end C; system implementation C.impl annex agree {** --these are automatically added from A due to extension --eq abstract out: int; --assert output = out; eq out: int = 2048 / input; **}; end C.impl; system D extends B annex agree {** --these are automatically added from B due to the extension --assume "we won't divide by 0 or a non-negative" input >= 1; --guarantee "we will produce a non-negative value": output >= 0; --guarantee "output = 2048 / input": output = 2048 / input; **}; end D; system implementation D.impl annex agree {** --these are automatically added from B due to extension --eq abstract out: int; --assert output = out; --eq abstract out2: int; --validation error, must have same type as defining abstract (int) eq out2: bool = false; assert output = out2; --validation error, abstract out must be defined **}; end D.impl;end Sample;
The approach above uses a copy-down approach where extensions of a component copy down the contracts of their parents. Abstract variables must be ultimately given a definition, it would be invalid for an abstract to remain undefined at one of the leaf nodes of the inheritance hierarchy, although its definition could be given higher in the tree (in the example above out defined in B leaving it invalid for it to also be defined in D).
The abstract variable would make it impossible to verify a system, so in the event an AGREE annex has an abstract, the extensions of the component would be verified in place of the abstract component. Or to prevent state explosion, the abstract component is simply assumed to be correct, and the abstract is only ever verified if one extensions of the abstract is verified. Either approach would be sufficient in my thinking.
Thank you for your consideration. Thoughts / Questions?
— Reply to this email directly or view it on GitHub https://github.com/smaccm/smaccm/issues/39.
I am raising an issue to discuss the possibility of the inclusion of a new feature in AGREE. I would like to see better support for the use of the "extends" concept in AADL, and my idea is the inclusion of an abstract local variable. An example prototype of what I am thinking follows below.
The approach above uses a copy-down approach where extensions of a component copy down the contracts of their parents. Abstract variables must be ultimately given a definition, it would be invalid for an abstract to remain undefined at one of the leaf nodes of the inheritance hierarchy, although its definition could be given higher in the tree (in the example above
outdefined inBleaving it invalid for it to also be defined inD).The abstract variable would make it impossible to verify a system, so in the event an AGREE annex has an abstract, the extensions of the component would be verified in place of the abstract component. Or to prevent state explosion, the abstract component is simply assumed to be correct, and the abstract is only ever verified if one extensions of the abstract is verified. Either approach would be sufficient in my thinking.
Thank you for your consideration. Thoughts / Questions?