Boolean Automata for Implementing Pure. Axel Poigne. German National Research Center for Information Technology (GMD) Schlo Birlinghoven

Transcription

1 Boolean Automata for Implementing ure sterel? Axel oigne Leszek Holenderski German National Research Center for Information Technology (GMD) System Design Technology Institute (ST) Schlo Birlinghoven D Sankt Augustin, Germany December 18, 1995? The work has been supported by the project Synchronie at GMD and by the ureka-project Synchron.

2 Abstract A new compilation scheme is proposed for the synchronous language sterel. The compilation is based on a new intermediate \hardware" code for control. Correctness of the compilation scheme is established.

3 1 Introduction We propose a new compilation scheme for the control part of the synchronous language sterel [?], i.e., pure sterel. The compilation scheme is based on an intermediate code, we refer to as Boolean automata. The compilation scheme follows the idea of [?] of implementing pure sterel in terms of hardware, but the scheme is dierent in that it is more \algebraic"; our translation considers boolean terms and substitution as primitives while Berry's translation is \hardware-oriented", connecting generic circuitry by wires. Though the nal results are probably similar if considered as \hardware", boolean automata appear as a more versatile paradigm to support semantic analysis. A boolean automaton will be presented by a set of \boolean functions" of the form s ( or h where s and h are names, and is a dening body. The dierence is that s ( stands for \the signal s is immediately emitted if computes to true", while h stands for \the control register h is set to the value of in the next instant". The boolean polynomial will depend on signals and registers (\halts" in the sterel terminology). The translation of sterel code to boolean automata is compositional. sterel code is translated into a boolean automaton such that every syntactic operator maps to a \semantic" operation on boolean automata. This has the obvious advantage of operations being dened independent of a particular \front-end" language. For instance the parallel operator kq may be extended to Lustre programs, provided a translation of Lustre programs to boolean automata is given, or boolean automata generated by sterel, Lustre, etc. programs may be combined. Of course, each language causes particular problems. We are here concerned with the language sterel only which is sketched in Section??. Section?? rst gives an informal introduction to the compilation scheme, while the Sections?? and?? discuss preemption and reincarnation respectively. The formal translation is presented in Section??. We indicate how the translation is proved to be correct in Section?? while most of the proof is banished to the Appendix. 1

4 2 Introducing sterel Berry's synchrony hypothesis [?] states that a system immediately responds to its activation, implying that actions, which are necessarily atomic, take no time. Time is consumed only if the system is inactive, in a stable state. A system is activated by signals, and responds by emitting signals which are broadcast. Several signals may be raised at the same instant, synchronously. We call such a system responsive. Its behaviour may be visualized by: I/O I/O I/O I/O I/O I/O I/O I/O I/O We note that, in terms of \real" time, phases of inactivity may be of dierent length while activation and response, marked \I/O", invariably take zero time. 2 In sterel, the halt-statement stands for inactivity; if started it keeps control forever. This is expressed by halt ;;1?! halt The halt-statement is the only statement to consume time. The rules are presented in the style of structural operational semantics where transitions are of the form ' The current event consists of the set of all signals present at an given instant. Hence must contain the set 0 of emitted signals (no signals are emitted by the halt-statement). The integer k codes termination conditions; 0 stands for \terminates immediately", and 1 for \keeps control" (other codes will be explained further below). Control can be withdrawn by means of preemption. The watching-statement preempts execution of the statement if the signal s is up. ' do watching s present s else do ' watching s end Note that the system must be in a stable state before preemption can take place. The statement do halt watching s, abbreviated to await s, is a good example of this eect. 2 This, of course, is an idealisation; the reaction must terminate before the next activation takes place. If this is guaranteed, then reaction time may be considered to be zero without harm. 2

5 halt ;;1?! halt await s ;;1?! present s else await s end xecution of the present-statement depends on the presence of the signal s. Its semantics is given by s 2 ' present s then else Q end ' s 62 Q Q' present s then else Q end Q' The then- or else-branch may be omitted, as in the transition rule for await s, whenever = nothing or Q = nothing. Signals are emitted by emit s fsg;0 nothing The process emits s and terminates immediately. Apart from these operators we have the standard infrastructure of imperative languages: 1 0 ;k ' k > 0 ; Q 0 1 ;k ' ; Q 1 0 ;0 ' Q 0 2 ;k Q' ; Q 0 1 [0 2 ;k?? Q' ' k > 0 loop end 3 ' ; loop end

6 Q 1 0 ;k 1 ' Q 0 1 [0 2 ;maxfk 1;k 2 g????????? 0 2 ;k 2 Q' ' Q' Note that in contrast to standard imperative interpretations, none of these operators consume time. A second type of preemption is achieved by means of traps. Trap signals are raised by the statement exit t where exit t n ;;n halt A trap is bound by a trap-statement of the form trap t in end. The intuitive semantics is that the body of the trap-statement is preempted if the trap is raised. If several traps are raised, preemption takes place for the \outer-most" trap-statement. The hierarchy of traps is encoded by the termination code. The superscript n determines the distance from the occurrence of t to its binding trap t in end; the distance is n = 2 if exit t occurs in the body of trap t in end, but not in the body of any other trap statement within. The number n is increased by 1 for every trap statement trap t' in end with t' 6= t which embraces the exit statement. The following captures preemption via traps. ' k = 0 or k = 2 trap t in end 0 ;0 nothing ' (k = 1 and k 0 = 1) or (k > 2 and k 0 = k? 1) trap t in end 0 trap t in ' end Hence a trap-statement immediately terminates either if the body immediately terminates (k = 0), or if the trap is raised but no trap with higher priority, i.e., not bound in the statement, is raised (k = 2). If a trap with higher priority is raised (k > 2) the trap does not terminate immediately (for examples, cf. Section??). One should note that concurrent computations may be preempted via traps, e.g., trap t in k : : : exit t : : : end. Finally, we have scoping of signals. The signals in the list s = hs 1 ; : : :; s n i are not visible outside of the statement signal s in end. The rule for the signal-statement 3 3 In contrast to [?], we allow a set of signals to be bound. The rule specializes to the original two rules for the signal-statement as given in [?]. 4

7 0 [X;k???? (?fsg)[x ' X fsg and fsg \ 0 = ; signal s in end signal s in ' end reects the coherence law [?] A local or output signal is present at an instant if and only if it is emitted by executing an emit-statement at that instant. in that, within the body, they impose that a local signal is present in if and only if it is emitted. Modules are the only structuring mechanism of sterel. A module is of the form module module name: input i 1 ; : : :; i m ; output o 1 ; : : :; i n ;. Signals in, the body of the module, should all be bound, either by (local) signal declarations, or by the declaration of input and output signals in the module. The functionality of modules is twofold: On one hand, modules are just syntactic entities which can be imported by the statement copymodule module name[a 1 =i 1 ; : : :; a m =i m ; b 1 =o 1 ; : : :; b n =o n ] Import is achieved by syntactic substitution, namely the copymodule statement is replaced by the body of the respective module in which all the input and output parameters have been replaced by the actual signals, i.e., i j by a j, and o j by b j. We will not be interested in this syntactic feature since it does not aect the semantics. A designated main module has additional properties which relate to semantic issues. The main module has input events I being a subset of the input signals and output events O being a subset of the output signals. The operational semantics is given by: M O?! M' if M I O;k???? I[O[ftickg M' for some k This concludes the presentation of the syntax and operational semantics of pure sterel. Full sterel additionally has built-in data types boolean and integer as well as assignment x :=, and conditional if B then else Q end, together with declaration of variables, types, constants, functions, procedures, etc.. Such a \signature" is interfaced to a host language by a standardized protocol. 5

8 3 Translating ure sterel, Informally Boolean automata implement the signal ow of pure sterel programs. A boolean automaton consists of a set of boolean polynomials of the form s ( or h. where s is a signal, and h is a halt or control register. 4 The dierence is that values of signals are computed instantaneously, while values of halts are set for the next instant. The boolean polynomial has signals and halts as atoms. There is a particular start signal and a termination signal!. xample 1. To give an example, we claim that the boolean automaton started ( o ( i 1 ^ i 2 ^ h h _ a ^ h _ :a ^ h! ( ff implements the sterel program emit started; loop await i 1 ; present i 2 then emit o else nothing end end The register h corresponds to the halt in the await-statement. If we run the program (to begin with we set = tt and h = ff) the register h will be set to tt for the next instant, and the signal started is emitted in the rst instant. In subsequent instants, the register is always reset to tt, and the signal o is emitted whenever the inputs i 1 and i 2 are up. The line! ( ff states that the automaton never terminates. 5 Note that the start signal should always be ff except for the initial phase where no register should be active, i.e. set to tt. In fact, we will identify \being out of control" with \all control registers being inactive, i.e. being set to ff", and we stipulate that a a process can be (re-) started only if it is out of control. This is captured by the condition ) : W H 4 The set of signals and of halts are disjoint by assumption. We use the notation s ( to indicate that s is a signal, while h in h is a halt. 6

9 where H denotes the set of control registers of the program. We refer to this condition as activation axiom. 5 The systematic translation allocates a boolean automaton to every sterel statement. 6 In particular, we apply the following rules in our example: emit s: await s: halt: The statement emit s generates the automaton s (! ( If started, the automaton emits s and terminates immediately. The statement await s, i.e., do halt watching s, generates the automaton h _ (:s ^ h)! ( s ^ h If started the control register becomes active, and automaton halts. It terminates, and the register h becomes inactive if the signal s is present. Otherwise it resets the register to tt. Remember that we assume that all registers are inactive initially. The await statement combines the halt statement with the watching statement. While the translation of the latter is given further below, we have: h _ h! ( ff If started the control register becomes active and stays active forever. present s then else Q end: nothing: [[]]. Given boolean automata and Q the statement present s then else Q end generates the boolean automaton [s ^ =] _ Q[:s ^ =] Whenever the start signal is present, the automaton is started immediately provided that s is present, or Q is started immediately provided that s is absent. The notation [s ^ =] means that is substituted by s ^ throughout. The operator _ is extended canonically so that ( _Q):x = :x_q:x where :x refers to the right hand side of the dening equation of x, i.e., x ( :x or x :x of. The statement nothing generates the automaton 5 The underlying model will be discussed at length in [?]. 6 We use for the semantics of the program for notational convenience rather that the more standard 7

10 ; Q:! ( If started, the automaton terminates immediately. Given boolean automata and Q the statement ; Q generates the boolean automaton ( / f! ( ffg) _ Q[:!=] If started, the automaton behaves as. If terminates, Q is started immediately. The operator / f! ( ffg overrides the denition of! in. Overriding is dened by / fx ( g:x =, and ( / fx ( g):y = :y if x 6= y. Hence the automaton terminates only if Q[:!=] does. loop end: Given boolean automata the statement loop end generates the boolean automaton [ _ :!=] / f! ( ffg If started the automaton behaves as. If the evaluation of terminates, then it is restarted again immediately. It is required that the automaton does not terminate in the rst instant in order to avoid \innitely fast" loops. xample 2. Continuing with xample?? started earlier, the present-statement translates to the boolean automaton o ( i 2 ^! ( i 2 ^ _ :i 2 ^ which is equivalent to o ( i 2 ^! ( : The body of the loop then translates to h _ :i 1 ^ h o ( i 2 ^ i 1 ^ h! ( i 1 ^ h; and the loop statement to h _ i 1 ^ h _ :i 1 ^ h o ( i 2 ^ i 1 ^ h! ( ff: 8

11 Sequential composition with started! ( then generates the boolean automata displayed earlier. 5 We have not yet addressed the salient feature of synchronicity. Signals may be emitted simultaneously as in emit a emit b which translates to a ( b (! ( : But control may be transferred simultaneously as well: [await a ; await b] [await c ; await d] The behaviour of this code is captured by h a _ :a ^ h a h b (a ^ h a ) _ (:b ^ h b ) h c _ :c ^ h c h d (c ^ h c ) _ (:d ^ h d )! ( (b ^ h b ) ^ (d ^ h d ) _ (b ^ h b ) ^ :(h c _ h d ) _ (d ^ h d ) ^ :(h a _ h b ) where h x refers to the halt related to the statement await x. If started the automaton immediately halts with h a and h c being up. Then, if the signals a and c are present simultaneously, control is passed to h b and h d at the same instant. If, for instance, only a is present, then control remains with h c, but is passed on from h a to h b. We note control is distributed which is another characteristics of boolean automata. In consequence, the termination condition becomes rather complicated. Both components terminate at the same instant if control is with h b and h d, and if the signals b and d are present synchronously. The relevant termination condition is (b^h b )^(d^h d ). Otherwise, if one of the components has terminated already, for instance await c ; await d, control cannot be within this component, i.e., neither h c nor h d should be active. On the other hand, h b should be and the signal b should be present. The corresponding termination condition is (b ^ h b ) ^ :(h c _ h d ). 9

12 If we abstract from the particular, the automaton Q terminates if both terminate in the same instant or, for instance, if terminates but Q has terminated already. xcept for termination Q behaves as and Q do simultaneously. The general scheme is as follows: Q: automaton Given boolean automata and Q the statement Q generates the ( _ Q) / f! ( :! ^ Q:! _ :! ^ W H ^ :( W H Q ) _ Q:! ^ W H Q ^ :( W H )g: If we apply the translation scheme to [await a ; await b] [await c ; await d] we obtain a slightly more complicated, but equivalent version of the the boolean automaton above: h a _ :a ^ h a h b (a ^ h a ) _ (:b ^ h b ) h c _ :c ^ h c h d (c ^ h c ) _ (:d ^ h d )! ( (b ^ h b ) ^ (d ^ h d ) _(b ^ h b ) ^ (h a _ h b ) ^ :(h c _ h d ) _(d ^ h d ) ^ (h c _ h d ) ^ :(h a _ h b ) The strengthening of the condition for termination is needed for a statement such as emit a await b which translates to h b _ :b ^ h b a (! ( ^ (b ^ h b ) _ ^ W ; ^ :h b Without the guard W ; = ff the condition ^:h b would become true in the rst instant since is present and the control register h b is inactive due to our global invariant. 10

13 4 reemption In sterel, there are two preemption operators: the weak preemption operator do watching s and the strong preemption operator trap t in end. Weak preemption is triggered from outside while strong preemption is triggered from inside by means of a statement exit t. The watching statement is rather simple to capture. do watching s: Given boolean automata the statement do watching s generates the boolean automaton ( _ :s ^ ) _ f! ( s ^ ( W H )g If initialized, do watching s behaves as, and it keeps on behaving as if the signal s is not up, but it terminates immediately otherwise. Hence the statement should behave as in the initial instant, and as later but only if the condition :s holds. The latter is expressed by :s^ where we use the notation (^):x = ^ :x. Computation terminates either if terminates normally, or if the signal s is up at a later instant, i.e., some halt h 2 H is up. Note that the termination code for the watching-statement is :! _ (:s ^ :!) _ (s ^ W H ) For example, await s, i.e., do halt watching s, translates to h _ :s ^ h! ( s ^ h since the halt statement translates to fh _ h;! ( ffg, and for the halt is fh ;! ( ffg and is fh h;! ( hg. As a variation we have the statement do watching immediate s which is captured by the translation scheme (:s ^ ) _ f! ( s ^ ( _ W H )g: Traps are the other preemption mechanism of sterel. exit t: A trap is raised by the statement exit t which behaves like t (! ( ff i.e., the trap signal is raised, and control is kept. Traps are bound by the statement trap t in end. If the trap t is raised within the body, the statement terminates immediately provided that no outer trap is raised in the same instant. This is captured by the condition 11

14 :t ^ : W :T where :T = f:t 0 j t 0 2 T? ftgg. T is the set of trap signals of. If the condition holds the automaton should terminate immediately, all halts must be set to ff, but all signals are emitted. Otherwise the trap-statement should behave as. This suggests that ( ( / ft ( ffg) _ (:^ ) _ f! ( g captures the behaviour of the trap where ( = fx ( :x j x ( :x 2 g, = fh :h j h 2 H g. It turns out that the argument is awed. xample 3. To see why this is the case, let us consider an example: loop trap t in await tick; exit t end end The trap body translates to t ( h h! ( h since the system signal tick is true in every instant. The trap-statement translates to the quite reasonable h :h ^! ( h: However, the loop translates to [ _ :!=] / f! ( ffg, so: h :h ^ ( _ h)! ( ff: 12

15 which is wrong because h is set to true only in the rst instant. 5 So, what went wrong? The automaton h :h ^! ( h: behaves reasonable only under the hidden assumption that no halt is up in the initial instant, i.e. the global system condition ) : W H The loop-construct spoils this assumption because we replace the start signal by _ h, meaning that we (re-)start the automaton with halts being up. We will speak of a schizophrenic nature of the loop statement. In order to take care of the schizophrenic nature of the loop we distinguish between the rst instant and later instants when executing a trap statement. Formally, the initial instant of is specied by = [ff=h ] meaning that all registers h 2 H are replaced by ff, i.e., we stipulate that no register is active. Correspondingly, later instants are specied by = [ff=], the start signal is absent. Then we dene: trap t in end: Given boolean automata the statement trap t in end generates the boolean automaton ( ( /ft ( ffg) _ (:^ ) _ (:^ ) _ f! ( g where :t ^ : W f:t 0 j t 0 2 T? ftgg. This yields the correct automaton for the example: h _ h. We consider two examples to demonstrate the translation implements priorities of traps properly. xample 4. For a rst example, let trap t in end exit t (2) [trap t' in exit t' (2) end ; emit s] The statement exit t' translates to 13

16 t 0 (! ( ff and thus trap t' in exit t' end to t 0 (! ( since the trap t cannot be raised in trap t' in exit t' end, i.e., T? ftg = ;, hence W :T = ff. The right hand side of the parallel composition then translates to s (! ( ; the parallel composition to t ( s (! ( ff; and, hence, the complete statement to s (! ( : The various sub-automata behave like the respective sub-statements according to the operational semantics: exit t' (2) ;;2 halt trap t' in exit t' (2) end ;;0 nothing exit t (2) ;;2 halt trap t' in exit t' (2) end ; emit s fsg;0 nothing exit t (2) [trap t' in exit t' (2) end ; emit s] fsg;0 halt nothing trap t in exit t (2) [trap t' in exit t' (2) end ; emit s] end fsg;0 nothing 5 xample 5. We modify the example to see how the priority mechanism built into traps via the termination code works in the other direction. The statement 14

17 trap t in trap t' in exit t (3) exit t' (2) end ; emit s end has the following behaviour according to the operational semantics of sterel: exit t (3) ;;3 halt exit t' (2) ;;2 halt exit t (3) exit t' (2) ;;3 halt halt trap t' in exit t (3) exit t' (2) end ;;2 trap t' in halt halt end trap t in trap t' in exit t (3) exit t' (2) end ; emit s end ;;0 nothing Our translation scheme yields t; t 0 (! ( ff for the parallel composition, t (! ( ^ : for the inner trap, t ( s ( ^ :! ( ^ : for the body of the outer trap, and s ( ^ :! ( ( ^ :) _ for the outer trap, in agreement with the operational semantics. 5 15

18 5 Reincarnation The translation of the signal-statement is confused by specic consequences of the synchrony hypothesis: reincarnation and causality. Since causality does not directly aect the translation, but sorts out programs which are not well-formed, we will postpone its discussion [?]. For reincarnation, we start with a simple example due to Berry [?]: loop signal s in present s then emit o end; await i; emit s end end. The following synchronous automaton corresponds to the body of the signal-statement s ( i ^ h o ( s ^ h _ :i ^ h! ( i ^ h We may now consider the signal-operator just as an binding of the ordinary variety, i.e., as having no eect on the code, if the binding structure is not aected. Then the loop would generate the automaton s ( i ^ h o ( s ^ ( _ i ^ h) h _ i ^ h _ :i ^ h! ( ff which will emit o after the rst instant whenever i is up. However, leaving the loop, we should forget about the present incarnation of the signal s, and use a new incarnation immediately when restarting the loop. Since the loop restarts immediately due to the synchrony hypothesis, the two incarnations have to \exist at the same time" which is impossible. The phenomenon exhibits another aspects of the schizophrenic nature of loops; with restarting the signal statement instantaneously this situation cannot arise. A minor trick helps to resolve the problem; we rename the signal s to s but only for those copies of s which relate to the initialization phase, i.e., rename s to s in. For the signal statement we would then obtain 16

19 s ( ff s ( i ^ h o ( s ^ h _ :i ^ h! ( i ^ h and for the loop the perfectly reasonable s ( ff s ( i ^ h o ( s ^ ( _ i ^ h) h _ i ^ h _ :i ^ h! ( ff The signal o is never emitted as s never is. For a more serious analysis, let us inspect the loop statement. The sequential composition in ' k > 0 loop end ' ; loop end implicitly states that the local variables bound within and loop end are disjoint. This is not reected by our denition of sequential composition; if s is a variable which is emitted by the automaton as well as by the automaton Q, then (; Q):s = :s _ Q:s, though only in the instant when Q starts its computation, i.e., if :! = tt. Hence \disjointness" of local variables can be guaranteed if all the locally dened variables in Q which can be emitted in the rst instant have dierent names from the local variables which can be emitted by. This is exactly what is achieved by our \star" construction. One should note that \starring" must be applied to all local variables since several reincarnations of the same signal may occur at the same instant as in Gonthier's example (see below). signal s in end: Given boolean automata the signal-statement generates the boolean automaton ( [s =s j s 2 L + fsg] _ : The notation [s =s] states that the signal s is replaced by s wherever it occurs in. L denotes the set of local signals in : the local signals in signal s in end are those in fs j s 2 L + fsgg. 17

20 By the way, the operational rule for the loop-statement violates another basic assumption about sequential composition: the sets of halts are not disjoint. This phenomenon suggests another, but more costly strategy to x the reincarnation problem: duplicate the loop's body to loop ; end. A milder version is introduced in Mignard's thesis [?] who independently develops a similar translation: just duplicate the -part of the loop's body to loop ; end. We believe this to be a wrong strategy in general. The x does not refer to the real villain, namely the binding mechanism, as for every new language construct a new x has (potentially) to be found. Our solution is invariant for any construct of the looping variety, for instance for endo-transitions as in Argos. xample 6. As an exercise, we compute Gonthier's example (see [?]) which provides the most complex setting for reincarnation: loop trap t2 in signal s2 in loop trap t1 in signal s1 in present s2 then emit s1 end; present s1 then present s2 then emit s12 else emit s1-2 else present s2 then emit s-12 else emit s-1-2 await tick; emit s1; exit t1 end end end await tick; emit s2; exit t2 end end end The translation gives 18

21 s 12 ( s 1 ^ s 2 ^ ( _ h 2 ) _ s 1 ^ s 2 ^ h 1 s 1 2 ( s 1 ^ :s 2 ^ ( _ h 2 ) _ s 1 ^ :s 2 ^ h 1 s12 ( :s 1 ^ s 2 ^ ( _ h 2 ) _ :s 1 ^ s 2 ^ h 1 s12 ( :s 1 ^ :s 2( _ h 2 ) _ :s 1 ^ :s 2 ^ h 1 h 1 _ h 2 _ :h 2 ^ h 1 h 2 _ h 2 s 1 ( :s 2 ^ h 1 s 1 ( :s 2 ^ ( _ h 2 ) s 1 ( h 1 s 2 ( ff s 2 ( h 2! ( ff 5 19

22 6 The Translation Now the full translation is given in Figure?? for a precise reading of which we need some notation. We assume the module to be well-formed, in particular that all local signals and traps are bound. Denition 1. The set of boolean polynomials 2 B(X), with x 2 X being a variable, is dened by ; ::= tt j ff j x j ^ j _ j : We distinguish two kinds of signals, the set S of signals which can be emitted by the automaton, and the set O of signals which are observable to the environment (the computational model will be discussed in [?]). Denition 2. A boolean automaton consists of a signature (S; H) where S is the set of signals, and H is a set of halts, and a function : S + H + f!g! B(fg + S + H) The set of signals S = O + L + T is comprised of a set O of observable signals, a set L of local signals, and a set T of trap signals. These data are dened inductively in Figure??. The translation follows the syntax of sterel. We assume without restriction of generality that names used in signal and trap statements are all dierent, and we apply the following notational conventions. Notation. We use :x to refer to the x-component, i.e., :x = (x). The boolean operators canonically extend to operations on automata, e.g., ( _ Q):x = :x _ Q:x, ff:y = ff. The boolean operators are overloaded in that they are dened for every signature. We use the notation /fx ( g (resp. /fx g) for overriding, i.e., ( /fx ( g):y = if x = y, and ( / fx ( g):y) = :y otherwise. The notation is extended to sets of overridings. It is useful for coercion of automata. For instance, if and Q have dierent signatures, then (ff / )_(ff / Q) is well dened since ff and _ are overloaded. However, we will use _ Q for convenience with the coercions being implicit. Replacement [t=x] is dened by [t=x]:y = :y[t=x], i.e. we substitute t for x in each right hand side, and strong replacement [y =x] by / fx ( ff; y ( :x[y=x]g where y is a signal. 20

23 nothing emit s exit t halt ; Q k Q present s then else Q end loop end signal s in end O; L; T ; H = ; f! ( g O = fsg; L; T ; H = ; fs;! ( ;! ( ffg O; L = ;; T = ftg; H = ; ft ( ;! ( ffg O; L; T = ;; H = fhg fh _ h;! ( ffg O = O [ O Q ; L = L + L Q T = T [ T Q ; H = H + H Q ( / f! ( ffg) _ Q[:!=] O = O [ O Q ; L = L + L Q T = T [ T Q ; H = H + H Q ( _ Q) /f! ( (:! ^ Q:!) _ (:! ^ W H ^ : W H Q ) _ (Q:! ^ W H Q ^ : W H )g O = O [ O Q [ fsg; L = L + L Q T = T [ T Q ; H = H + H Q [ ^ s=] _ Q[ ^ :s=] O = O ; L = L ; T = T ; H = H [ _ :!=] / f! ( ffg proviso :![tt=] = ff O = O? fsg; L = fs j s 2 L + fsgg T = T ; H = H [s =s j s 2 L + fsg] _ do watching s trap t in end module N: input i; output o;. O = O [ fsg; L = L T = T ; H = H ( _ :s ^ ) _ f! ( s ^ W H g O = O ; L = L ; T = T? ftg; H = H ( _(:^ ) _ (:^ ) _ f! ( g where :t ^ : W :T O = f ig [ fog; L = L ; T = ;; H = H Figure 1: The translation of pure sterel 21

24 Moreover we have fsg = fs 1 ; : : :; s n g if s = hs 1 ; : : :; s n i. We recall the following notations: = [ff=h] and = [ff=]. Also: ( = fx ( :x j x ( :x 2 g, = fh :h j h 2 H g, and nally :T = f:t 0 j t 0 2 T? ftgg. Subscripts such as O or H Q refer to the respective sets of the automata, resp. Q. The automaton obtained by translating the sterel statement will be denoted by. 22

25 7 Correctness of the Translation We compare the behaviour of sterel statements and of the corresponding boolean automata on the level of labeled transition systems of the form T = (St; a!; A). Transition systems are considered as being equivalent if they are bisimilar, i.e. Denition 3. Let T be a transition system with labels a 2 A and states x 1 ; x 2 2 St. A relation R St St is called a bisimulation if (x 1 ; y 1 ) 2 R implies that, for all a 2 A, whenever x 1 a! x 2 then, for some y 2, y 1 a! y 2 and (x 2 ; y 2 ) 2 R, whenever y 1 a! y 2 then, for some x 2, x 1 a! x 2 and (x 2 ; y 2 ) 2 R. The plan now is to set up a bisimulation relation on the level of modules. While the operational semantics of sterelis already specied in terms of a transition system, we still have to dene the notion of a transition system generated by a Boolean automata. Denition 4. For all 2 B(X), let a function : 2 X! ftt; ffg be inductively dened by tt(c) = tt ff(c) = ff x(c) = x 2 C ( ^ )(C) = (C) ^ (C) ( _ )(C) = (C) _ (C) (:)(C) = :(C) For a Boolean automaton, let the function : 2 fg+s+h! 2 S+H+f!g be dened by (C) = fx j :x(c) = ttg. Denition 5. Let be a boolean automaton. A state consists of a pair h; i where either = fg or = H H. The initial state is h; fgi. Transitions are of the form h; i S 0?! S h; H 0 i where S 0 S S + f!g and ( [ S) = S 0 [ H 0. For sterel modules M, let hm; i O I[O hm; H 0 i if, for some S, hm; i 23 S??? I[S[tick hm; H 0 i and O = S \ O M.

26 A bisimulation relation on modules will be dened by hm; i R(M; ) where R(eM; ) is specied by (see [?]): Denition 6. Let be an sterel statement, and let H be a set of halts. Then R(; fg) = R(; ;) = nothing R(emit s; H) = nothing R(exit t; H) = halt R(halt; H) = halt if h 2 H halt R( ; Q; H) = R(; H) ; Q if ; 6= H H R( ; Q; H) = R(Q; H) if H H Q R( jj Q; H) = R(; H \ H ) jj R(Q; H \ H Q ) R(present s then else Q; H) = R(; H) if H H R(present s then else Q; H) = R(Q; H) if H H Q R(signal s in end; H) = signal s in R(; H) end R(loop end; H) = R(; H) ; loop end R(do watching s; H) = 0 present s else end do R(; H) watching s R(trap t in end; H) = trap t in R(; H) end R(module N : input i; output o; :; H) = R(; H) 1 C A Theorem 7. The translation of sterel to Boolean automata is correct in that the relation M hm; fgi denes a bisimulation where M ranges over sterel modules. xplicitly, we prove that, for all sterel modules M, if hm; i if R(M; ) O I[O h M; 0 i then R(M; ) O I[O O R(M; 0 ) I[O M 0 then, for some 0, hm; i O I[O hm; 0 i and M 0 = R( M; 0 ), The proof of theorem is given in the Appendix??. We believe it to be interesting in its own right. For instance, it sheds some light on the various eects the synchrony hypothesis has with regard to otherwise well known programming concepts. 24

27 8 Conclusions There is a notable omission; we have not mentioned causality (see [?]) since we do not want to add to the size of an already long paper. However, the problem should be sketched: For an automaton to be reactive we expect it to react to every stimulus. Following Halbwachs [?] the reaction should moreover be fully reproducible, hence deterministic. Neither necessarily holds for sterel statements. For instance, the statement signal s in end present s then emit s ; emit o end has two coherent statuses for s: assuming s to be absent makes sense since emit s is not executed, and s to be present makes sense since then emit s is executed. Hence o may be emitted or not. On the other hand, there exists no adequate status of s in signal s in end present s else emit s ; emit o end Assuming s to be absent causes its emittance, and vice versa (see [?]). The translations to boolean automata s ( s ^ o ( s ^! ( and s ( :s ^ o ( s ^! ( reect the causality problem. The local signal s has two solutions in the rst case while there is no solution in the second case. Formally, the problems are caused by the existential quantication which is implicit in the denition of transitions for modules: for every reachable, and for every input I, there exist some O; H 0 O such that (M; ) (M; H 0 ). We speak of a reactive automaton if such an ) always exist, and is unique (assuming that we are only concerned with I[O deterministic computations). 25

28 If one adheres to the point of view that \reactivity" should be checked at compile-time, as synchronous languages do, the existential quantication proves to be quite expensive computationally. Sucient criteria are needed which guarantee reactivity but are feasible computationally. Such criteria are considered under the label causality in [?], and we will put forward our own proposal in a separate paper [?]. The existential quantication should also considered harmful with regard to the runtime system; transitions are too expensive in term of computation time. We would expect that only such programs pass the causality check which have a decent (linear) run-time behaviour. In other words, the causality check implicitly eliminates programs which cannot be eciently implemented. As another remark, it is quite obvious that the boolean automata generated by the translation are not ecient as far as the size of generated code is concerned. The discussion of these issues will be postponed but we can state already here that a ne-tuned translation yields linear code for all reasonable examples (but can grow to be quadratic). Finally, we will have to address inclusion of data.we propose a very simple mechanism here: actions A on data will be triggered by signals in that s states that the action A is executed if the signal s is present. Boolean actions may result in emitting a signal if B then emit s' given that the condition B evaluates to tt at a present instant. Data very much complicate causality analysis in that all \writes" have to precede all \reads" and in that, of course, analysis is not any more restricted to booleans only. Acknowledgement. We acknowledge Gerard Berry and Matthew Morley. Gerard provided a counter example with regard to the \almost nal" version of the paper which the authors should have known anyway if they would have read his papers more carefully. Matthew did an excellent job of careful proof-reading and provided many fruitful comments. He did not succeed to eliminate all the notational follies of the rst author though he did his best. References [1] G. Berry, The Semantics of ure sterel, M.Broy (ed.), rogram Design Calculi, Vol. 118 of Series F: Computer and System Sciences, NATO ASI Series, 1993 [2] G. Berry, A Hardware Implementation of ure sterel, Rapports de Recherche No. 1479, INRIA,

29 [3] G.Gonthier, Semantique et modes d'ex'ecution des languages reactifs synchrones; application a sterel, These d'informatiques, Universite d'orsay, 1988 [4] N. Halbwachs,. Caspi,. Raymond, D. ilaud, The Synchronous Dataow rogramming Language Lustre, roc. of the I, 79(9), 1991 [5]. Le Guernic, A. Benveniste,. Bournaii, T. Gautier, Signal: a data-ow oriented language for signal processing, I-ASS, vol.34, no 2, 1986 [6] F. Maraninchi, Argos: a Graphical Synchronous Language for the Description of Reactive Systems, Spectre Report 29, LGI, IMAG-CAMUS, 1991 [7] F. Mignard, Compilation du langage sterel en systemes d'equations booleennes, These d'informatiques, cole des Mines de aris, 1994 [8] O.Maeis, A. oigne, Reactivity and Causility for Synchronous Systems, forthcoming 27

30 A The roof of Correctness of the Translation The theorem as stated considerably abstracts from the computational details of the transition systems involved but which are, of course, are crucial for the proof. We need a long argument, given in Section??, to establish a common basis for comparing both the transition systems. We then prove the main theorem in Section?? by an extensive case distinction. A.1 reparing for the roof The labeling schemes are of the two transition systems, that for sterel and that for Boolean automata are apparently dierent though, we claim, the content of information is the same. To deal with this situation we use a more general denition for bisimulation. Denition 8. Let there be two transition systems with transitions T and T 0 where a 2 A and a 0 2 A 0 are labels, and x 1 ; x 2 2 St, and y 1 ; y 2 2 St 0. Moreover let a 1./ a 2 be a relation on A A 0 A relation R St St 0 is called an extended bisimulation if (x 1 ; y 1 ) 2 R implies that, for all a 2 A and a 0 2 A 0, whenever x 1! a x 2 then, for some y 2 and a 0 such that a./ a 0, y 1 a! 0 y 2 and (x 2 ; y 2 ) 2 R, whenever y 1! a y 2 then, for some x 2 and a 0 such that a./ a 0, x 1 a! 0 x 2 and (x 2 ; y 2 ) 2 R. We write x 1 y 1 if x 1 and x 2 are in some extended bisimulation R. This leaves us with the question of how to relate the two labeling schemes in our case. Some massaging of the sterel semantics is needed. As a rst observation, the behaviour of a Boolean automaton depends on the evaluation of local signals. e.g. the statement signal s in emit s present s then emit s end translates to s ( o ( s ^! ( s ^ _ :s ^ 28

31 The local signals have to be kept while translating in order to prepare for reincarnation. Of course, evaluation of locals is needed as well for the operational semantics of sterel but is hidden in the proof tree; the signal statement 0 [X;k???? (?fsg)[x ' X fsg and fsg \ 0 = ; signal s in end signal s in ' end \abstracts" from the locals. These can be made explicit by recording the locals, i.e. 0 [X;k???? (?fsg)[x ' X fsg; fsg \ 0 = ; signal s in end ;X signal s in ' end One should note that the locals are implicitly disambiguated by abstraction in that we require that, e.g., L 1 \ L 2 = ; in 0 1 ;0 ;L 1 ' Q 0 2 ;k ;L 2 Q' ; Q 0 1 [0 2 ;k?? ;L 1 [L 2 Q' or, equivalently, that 0 1 ;0 ;L 1 ' Q 0 2 ;k ;L 2 Q' ; Q 0 1 [0 2 ;k??? ;L 1 +L 2 Q' where L 1 +L 2 denotes the disjoint sum of L 1 and L 2. The same restriction applies to the rules for the parallel statement. Without this restriction unwanted interaction of signals may take place as in signal s in emit s end ; signal s in present s then emit o else nothing end end Without disambiguating the local signal s, the signal o would be emitted. The transition rule of the signal statement implicitly resolves the reincarnation problem in that, for instance, a pattern 29

32 loop signal s in end end is unfolded by the loop rule 0 [X;k???? (?fsg)[x ' X fsg and fsg \ 0 = ; signal s in end signal s in ' end loop signal s in end end signal s in ' end ; loop signal s in end end The locals X refer to a \rst" reincarnation of the signal statement. A second unfolding will generate a second set of local signal, etc.. It will be a major complication in our proof to establish that reincarnation is correctly modeled by \starring" when translating the signal statement. As a hint, we note that the \starring" provides a second set of local signals but only in the rst instant of evaluating a signal statement. This will prove to be sucient for the loop statement since unwanted interaction of locals may only take place when terminating the body of the loop and instantaneously reentering, i.e. at the rst instant in terms of evaluation of the body. Next, let us inspect the termination code. The rule exit t n ;;n halt assumes implicitly that the superscript n is well-dened, which does not need to be the case a priori..g.: exit t m exit t n is obviously inconsistent if m 6= n. Well-denedness can only be established if the (full) context of a statement is known. We abstract this context to a function which binds the exit statements to a termination level. Denition 9. Let be an sterel statement, and let T be the corresponding set of traps as dened by our translation scheme. We speak of an injective mapping : T! IN as a termination context. The idea is that the injection reects the termination code as induced by a statement 30

33 trap t 1 in trap t n end end in such that T ft 1 ; : : :; t n g. That is, for all traps in T, we know exactly that the trap signal t is present if the termination code of a transition is (t). We use the termination context as an additional attribute for the sterel transition rules. The crucial rules are exit t ;;(t) ; nothing 0 ;k ' k = 0 or k = 2 ; trap t in end 0 ;0? ;?1 nothing 0 ;k ' (k = 1 and k 0 = 1) or (k > 2 and k 0 = k? 1) ; trap t in end 0? ;?1 trap t in ' end where (? 1)(t) = (t)? 1. For the latter, the proviso is that (t) = 2. For other rules the termination context is always. Note that both the trap signals in exit t exit t then always have the same termination level. Still one further change is needed; we propose to replace the transition rule exit t 0 ;(t)? ; halt by exit t 0 ;(t)? ; nothing, 31

34 and claim that this change does not aect the semantics of modules; as argued, the statement should be bound by a trap statement trap t in exit t end Whenever the exit statement is executed the trap will be exited, whatever remains to be computed inside the trap statement will be discarded anyway [?]. All these amendments are nalised by the subsequent transition system, the general proviso being that L 1 \ L 2 = ;: nothing ;;0 ;;; nothing halt ;;1 ;;; halt emit s fsg;0??? [fsg;;; nothing exit t ;;(t) ;;; nothing 0 1 ;k? ;L; ' k > ;0? ;L 1; ' Q 0 2 ;k? ;L 2; Q' ; Q 0 1 ;k? ;L; ' ; Q ; Q 0 1 [ 0 2 ;k???? ;L 1+L 2; Q' 0 1 ;k1? ;L 1; ' Q 0 2 ;k2? ;L 2; Q' Q 0 1 [ 0 2 ;maxfk1;k2g????????? ;L 1+L 2; ' Q' s 2? ;L; ' present s then else Q end? ;L; ' s 62 Q? ;L; Q' present s then else Q end? ;L; Q' loop end? ;L;? ;L; ' k > 0 ' ; loop end 0 [X;k??????? (?fsg)[x;l; ' X fsg; fsg \ 0 = ; signal s in end??? ;L[X; 32 signal s in ' end

35 ? ;L; ' do watching s? ;L; present s else do ' watching s end? ;L; ' k = 0 or k = 2? ;L; trap t in end 0 ;0?? ;L;?1 false ' (k = 1 and k 0 = 1) or (k > 2 and k 0 = k? 1) trap t in end 0?? ;L;?1 trap t in ' end roposition 10. For an sterel module M, we have that M O M 0 if, for some L I[O L M, and some k 2 f0; 1g, M O;k?????? I[O[tick;L;; M 0. ; denotes the empty termination context. 7 roof. A simple induction on statement proves that? \O k = 0; 1. 0 \O;k 0 i, for some L L, ;L; 00, and 0 = 00 whenever 5 After all this preparation, we can relate the labeling of the two transition systems, ;L; 0 and (; ) S 0?! S ( 0 ; H 0 ). the rened transition system for sterel, and transition system for Boolean automata. Denition 11. Let (; L; ; 0 ; k)./ (S; S 0 ) if (i) = S \ O, and 0 = S 0 \ O, (ii) L = S \ L, and if (iii) a. if k = 0,! 2 S 0, and S 0 \ T = ;, or 7 Note that all traps are bound in a module. 33

36 b. if k = 1,! 62 S 0, S 0 \ T = ;, or c. if k 2,! 62 S 0, and k = maxf(t) j t 2 S 0 \ T g. T is the set of traps of. Now we can state our main lemma. roposition 12. For all sterel statements and all reachable states 6= ; of we have that, given some, (i) if h; i S 0?! S h; 0 i then R(; ) ;L; R(; 0 ), and (ii) if R(; ) ;L; 0 then, for some H H, h; i S 0?! S h; 0 i and 0 = R(; 0 ) where (; L; ; 0 ; k)./ (S; S 0 ). A state 0 is reachable if either 0 = fg or hm:i state. O I[O hm: 0 i where is a reachable The proof is given in Section??. Remark. The reader will have noticed that the denition of extended bisimulation refers to a family of relations on labeling by indexing with. More precisely, we should have indexed by the triplet ho ; L ; T i which conveys the information used in the denition. However, since the triplet is determined by and all contexts the bisimulation is used, we prefer the notation as given for technical convenience. We should explain the restriction to reachable states such that 6= ; which we will refer to as active: the rule nothing ;;0 ;;; nothing iterates innitely often, at each instant with termination code 0. In contrast, the boolean corresponding automaton emits! only at the rst instant because of nothing( [ S) = f!g and nothing(s) = ;. However, the transition system for modules abstracts from this dierence by using an existential quantication; in case of the operational semantics of sterel we quantify over the termination code, and signals are restricted to observable signals in case of Boolean automata. As a further remark, we note that bisimulation for modules identies deadlock and livelock, i.e. nothing and halt behave equivalently. Compared with the standard operational semantics the translation to Boolean automata distinguishes more carefully 34

37 between obtaining control but terminating instantaneously and being out of control as will be explained in [?] in detail. Our main theorem Theorem 13. The translation of sterel to Boolean automata is correct in that the relation M hm; fgi denes a bisimulation where M ranges over sterel modules. is a direct consequence of roposition?? and of Lemma??. A.2 The proof of the Main Lemma Notation. We use fx j vg for a \conditional valuation", i.e. fx j vg = fxg if v = tt, and fx j vg = ; if v = ff. Note that [=x](c) = (fx j (C)g [ (C? fxg)) by laws of substitution. ( [ S) states that the synchronous system generated by the sterel statement is evaluated with being the state of the system, and S being the set of signals being present. The next lemma proves that either the start signal must be present or that some registers should be active in order to generate some non-trivial behaviour. Lemma 14. Let range over sterel statements. Then, for all S S, (S) = ; roof. By a structural induction on statements. For example: ; Q(S) = ( / f! ( ffg)(s) [ Q[:!=](S) = ( / f! ( ffg)(s) [ Q[:!=](S) = ; [ Q(S) since (S) = ; by inductive assumption. This implies that :!(S) = ff, hence Q[:!=](S) = Q(S) = Q(S) = ; by inductive assumption on Q The next lemma characterizes the rst instant and latter instants as syntactically specied by and ; reacts like only if is present, and reacts like only if some register is active. Lemma 15. Let range over sterel statements. Then, for all H H and S S, 35

38 1. (fg [ S) = (fg [ S), 2. (H [ S) = ;, 3. (H [ S) = (H [ S), and 4. (fg [ S) = ;. roof. Using the previous lemma and standard properties of replacement - for example: (fg [ S) = [ff=h](fg [ S) = (fg [ S). Lemma 16. Let range over sterel statements. Then, for all reachable states 6= ; and S S, if! 2 ( [ S) then ( [ S) \ H = ; roof. By structural induction on where ; 6= H H. nothing: halt: ; Q: Since H = ;. Similar for emit s, exit t. Since halt:! = ff. Q: = fg: There are two subcases: :!(fg [ ) = ff: Then (fg [ ) \ H = ;, and ; Q(fg [ S) = (fg [ S) since Q[:!=](fg [ S) = Q(S) = ; by Lemma??. Hence ; Q(fg [ S) \ (H [ H Q ) = (fg [ S) \ H = ; by inductive assumption on. :!(fg [ ) = tt: Then ; Q(fg[S)\(H [H Q ) = Q(fg[S)\H Q since (fg[s)\h = ; by inductive assumption on. As ; Q:!(fg [ S) = Q:!(fg [ S) the inductive assumption can be used for Q. = H: The argument is similar. Let range over reachable states. = fag: Then! 2 jj Q(fg [ S) i! 2 (fg [ S) and! 2 Q(fg [ S), and we can apply the inductive hypothesis. 36

39 = H: The only new case is if! 2 (fg [ S) and H \ H Q = ; which is simple as well. present s then else Q end: Just observe that either H \ H = ; or H \ H Q = ;. loop end: = fag: Then jj Q(fg [ S) \ H 6= ; by assumption; loops are not instantaneous. = H: The case distinction is similar to that for sequential composition. If is restarted it does not terminate because of the same argument as above. signal s in end: The binding does not aect termination. do watching s: = fag: Then! 2 do watching s(fg [ S) i! 2 (fg [ S). = H: Then! 2 do watching s(h [ S) i! 2 (H [ S) or s 2 S. In the rst case we can use the inductive assumption, for the latter we observe that :s ^ (H [ S) = ;. trap t in end: There are several cases: t 62 S: Then (fg [ S) = ff and! 2 trap t in end(fg [ S) i! 2 (fg [ S) where = or = H. t 62 S and T 0 \ S 6= ;: Then (fg [ S) = ff as well. t 62 S and T 0 \ S = ;: Then (fg [ S) = tt and trap t in end(fg [ S) = ( (fg [ S), hence no control register is set. The next lemma takes care of the schizophrenic nature of loops. The loop is the only construct which \falsies" the global assumption that no control register is active if a process is started; the body will be restarted in loop end though still having control, meaning that some control register is active. Of course, the control register are active in a \previous" reincarnation of the loop. The following lemma exactly analysis this situation. 37

40 Lemma 17. Let be an sterel statement such that! 62 (fg [ S) for all S S. Then, for all reachable states H H and S S, (fg [ H [ S) = ( [ S) [ (H [ S) if! 2 (H [ S). roof. By induction on the structure of terms: nothing: halt: ; Q: Q: The statement is trivial since H = ;. Similarly, for emit s, exit t. Since halt:! = ff. ; Q(fg [ H [ S) = ( / f! ( ffg)(fg [ H [ S) [ Q[:!=](fg [ H [ S) = ( / f! ( ffg)(fg [ S) [ Q(f j :!(fg [ H [ S)g [ H [ S) We have either H H or H H Q by the same arguments as in Lemma??. In the rst case we compute = ( / f! ( ffg)(fg [ H [ S) [ Q(f j :!(fg [ H [ S)g [ S) since H H = ( / f! ( ffg)(fg [ S) [ ( / f! ( ffg)(h [ S) [ Q(f j :!(fg [ S)g [ S) by inductive assumption on since :!(fg [ S) = tt because of Q:!(fg [ S) = tt = ; Q(fg [ S) [ ; Q(H [ S) by reversing the argument. The other case is similar. The rst case is that! 2 (H[S) and! 2 Q(H[S). Then the inductive assumption can be used for and Q separately. Otherwise, for instance,! 2 (H [ S) and H \ H Q = ;. Then Q(fg [ H [ S) = Q(fg [ S) by Lemma??. We apply the inductive hypothesis for. do watching s: We apply Lemma??. We leave the other cases to the reader. The next two lemmas deal with the reincarnation problem. The rst one states that the local signals raised in the rst instant of computing are dierent by name to those raised in later instants. The second lemma states that locals signals can be renamed without aecting the observable reactions. Lemma 18. Let be an sterel statement. Then, for all H H and S S, 38