A Simplified Method for Establishing the Correctness of Architectural Refinements

My colleagues and I developed an approach to proving correctness of architectural reenement hierarchies that depended upon treating architectural speciications as axiomatizations of rst-order theories. This paper explores the consequences of an alternative approach to formalizing the content of speciications in logic. A speciication is treated as a depiction of a particular relational structure, which is intended to be a mathematical model of the system being speciied. As a result, speciications now correspond to much stronger (in fact, complete) theories. Although the criterion for reenement cor-rectness | that the theory corresponding to the higher-level speciication can be faithfully interpreted in the theory corresponding to the lower-level spec-iication | remains the same, the technique for proving correctness is quite diierent: proving that a mapping is a theory interpretation is more complex, though still largely a matter of calculation, but faithfulness is trivially guaranteed. The net result is a substantial simpliication of correctness proofs, as a comparison of proofs of a simple reenement pattern illustrates. 1. Two Approachs to Establishing Correctness In a previous paper 5], my colleagues and I presented an approach to proving correctness of architectural reenement patterns. A correspondence between architectural speciications, such as the high-level compiler speciication in Figure 1, and theories in rst-order logic was deened in terms of a mapping from speciication elements to axioms for the theories. 1 For example, the presence of the dataaow connector that carries objects of type AST (i.e., abstract syntax trees) from the parser component to the analyzer/optimizer component in Figure 1 corresponds to the axioms Channel(ast intermediate) 8x 0 AST(x 0) ! Can Carry(ast intermediate; x 0)] The theory that corresponds to a speciication is simply the set of all consequences of the axioms obtained from the elements of the speciication, together with general axioms that constrain the meanings of the component, port, and connector predicates that appear in the speciication. This theory is rather weak, in the sense that it does not determine the truth value of many sentences in the language. For example, it does not contain any explicit 1 Strictly speaking, the content of the informal dataaow diagram was formalized in a textual speciication language. For the purposes of this paper, let us eliminate the middleman and pretend that diagrammatic representations are suuciently precise to serve as formal architectural speciications.