Abstract
Component-based software engineering advocates construction of software systems through composition of coordinated autonomous components. Significant benefits of this approach include software reuse, simpler and faster construction, enhanced reliability, and dramatic reductions in the complexity of construction of provably correct critical systems, many of which involve real-time concerns. Effective, flexible component composition by itself still poses a challenge today, and yet the special nature of real-time constraints makes component-based construction of real-time systems even more demanding. The coordination language Reo supports compositional system construction through connectors that exogenously coordinate the interactions among the constituent components, which unawarely comprise a complex system, into a coherent collaboration. The simple, yet surprisingly rich, calculus of channel composition that underlies Reo offers a flexible framework for compositional
Introduction
The task of designing a complex concurrent system with several components requires a coordination model that formalizes their mutual interactions. The internals of black-box components cannot be modified to implement such coordinated interactions. Coordination, therefore, becomes the responsibility of the "glue code" that interconnects the constituent components of a composite system, and of its underlying run-time middleware. Reo [6] offers a powerful glue language for the implementation of coordinating component connectors based on a calculus of mobile channels.
In this paper, we consider the real-time aspects of Reo when the behavior specification of channels and component interfaces can involve timing constraints. Because connectors, not components, are the primary concern in Reo, our primary interest here is with channels whose behavior involves temporal constraints; and with their composition. For instance, a deadline t for the availability of some data can be formalized as the behavior of a FIFO channel that associates an expiration date, t, with every data item that enters its buffer: the channel loses a data item in its buffer t units of time after it enters through its source (unless, of course, it is dispensed through its sink in the meanwhile). Another example is a timer channel that becomes activated by a data item through its source, after which it returns a timeout signal through its sink, after a specified delay of exactly t units of time.
As the operational model for Reo connector circuits, we use timed constraint automata (TCA) which extend their untimed version [9] with the concepts borrowed from classical timed automata with location invariants [2, 16] . TCA have two kinds of transitions: (1) internal changes of the locations caused by some time constraints and (2) transitions that represent the synchronized execution of I/O-operations at some of the ports. Using ideas similar to [9] , the construction of a timed constraint automaton from a given timed Reo circuit can be performed in a compositional manner, using composition operators on TCA that model Reo's operators join and hide to build complex connectors out of instances of basic channel types.
One conceptual difference between TCA and classical timed automata is the treatment of immediate actions or urgent synchronous channels, as they are used, e.g., in the tools [20, 17, 37]. The assumption that synchronous I/O-operations must be executed as soon as they become enabled makes no sense in our framework. For instance, assume that we have a FIFO channel carrying data from node A to node B and a synchronous channel from B to another node C. As soon as A places a value in the FIFO buffer it becomes available for consumption through node B, and thus the synchronous communication between B and C becomes enabled. On the other hand, the input and output of the same data item must not occur simultaneously through a FIFO channel, by its definition. Thus, we need a delay for the synchronization between B and C. Moreover, Reo allows one to explicitly specify deadlines of "shortly delayed" activities or other time constraints (e.g., lower bounds for the delay) using an appropriate combination of timed channels.
The semantics of the TCA and timed Reo circuits relies on timed data streams as in [7, 9], comprising a formalization of the possible data-flow at each node over time. To specify a desired coordination mechanism, we use a variant of linear temporal logic (LTL) [22, 27] with real-time constraints, which we call timed scheduled-data-stream logic (TSDSL) and which has a semantics based on timed data streams. TSDSL essentially relies on a combination of the time-abstract temporal modalities of LTL and timed regular expressions [10]. We show through a series of examples how TSDSL can serve as a specification formalism for (timed) Reo circuits, sketch the ideas of a model checking algorithm, and explain the relation of TSDSL to refinement relations.
Related models. There are several other related real-time models that also focus on aspects of coordination. Timed interface automata (TIA) [1] or real-time variants of I/O-automata, e.g., [13, 19, 24], are related to TCA in the same way as their untimed versions. I/O-automata rely on the assumption of input-enabledness, which is not required (and would not make sense) in constraint automata.
The purpose of TIA is orthogonal to our approach involving timed Reo connectors and TCA. (There are some conceptual differences, e.g., TIA use action labels rather than port names, but these are not important as the formal definitions of TIA and TCA can be adapted to eliminate these differences.) The major goal of TIA is to provide a formalism to specify and to check the compatibility of real-time components by means of their interfaces. Our focus is on compositional reasoning about (design and analysis of) channel-based coordination mechanisms, based on their data-flow. Thus, our framework allows one to design and analyze a coordination context in which certain components are used and to construct their interfaces, while the approach of interface automata allows one to check a posteriori whether a design makes the components work together in the desired way.
Although compositionality in timed Reo and TCA is in the spirit of real-time process algebras, e.g., [21, 29, 36], Reo's philosophy of composing connectors out of a variety of basic channel types via join and hiding, supporting any kind of synchronous or asynchronous communication, differs from classical process algebra approaches, which provide operators for modeling choice, parallelism, and recursion (all of which are implicit in Reo).
In some respects, Reo circuits superficially resemble Petri nets. However, there are major differences between the two. Petri nets are constructed out of a fixed set of building blocks (i.e., places, transitions, and arcs), each with a fixed behavior, that can be composed in a prescribed fashion. In contrast, Reo defines a fixed set of composition rules and allows an arbitrary set of user-defined channels as primitives with arbitrary behavior, on which its composition rules can be applied to construct connector circuits. This allows a harmonious combination of synchrony and asynchrony in the same model, which is not possible in Petri nets. It also allows incorporation of arbitrary computational entities into a composed Reo circuit. Specifically, as we show in this paper, real-time constraints can be easily incorporated into Reo simply by adding a few channels with time-sensitive behavior to the user-defined repertoire of primitives used in the construction of circuits, without any extension or revision of the Reo model or its composition rules. On the other hand, to express temporal constraints in Petri nets, various extended models have been proposed and studied, each revising the semantics of the basic Petri net model by associating temporal constraints with (1) the availability of tokens in places, (2) transitions, or (3) arcs [18, 23, 28, 31].
Using proper time-sensitive channels, Reo can cover the temporal constraints modeled in various timed Petri nets. Timed or untimed Petri nets differ from Reo in that synchrony and exclusion constraints propagate through (the synchronous sub-sections of) Reo circuits. This is generally not the case in Petri nets, because their transitions are local. Petri net transition nodes enable them to directly synchronize otherwise unrelated events, thus enforcing a synchronous "and" of several arcs/events. However, Petri nets have no primitive for the dual synchronous "or" of several arcs. The "or" of several arcs is possible only if they end in the same place, which implies the commitment of moving a token into that place. This means that events/arcs can be directly and-synchronized to compose more complex synchronous transitions (i.e., one-step atomic transactions), but a synchronous "or" of events/arcs is not possible, i.e., two transitions cannot be connected together without an intervening place/commitment. This disallows direct modeling of composite atomic transactions in Petri nets and prevents arbitrary combinations of synchrony and asynchrony.
Organization of the paper. Timed constraint automata are introduced in Sect. 2. Section 3 contains a brief overview of Reo. In Sect. 4 we introduce timed primitive channels for constructing Reo circuits, provide some examples for Reo circuits with timing constraints, and explain how timed constraint automata can serve as their operational model. Timed scheduled-data-stream logic (TSDSL) is introduced in Sect. 5. In addition, we provide some examples to illustrate how TSDSL can serve to specify timed component connectors and sketch the main steps of a TSDSL model checking algorithm. Sect. 6 concludes the paper.
Timed constraint automata
The formal definition of timed constraint automata arises by combining the concepts of constraint automata [9] and timed automata [2, 16]. We first introduce the syntax of TCA and provide some intuitive examples (Sect. 2.1) and then provide their semantics by means of an infinite state-transition graph and the induced language of timed scheduled data streams (Sect. 2.2).
Syntax of TCA
Edges in timed constraint automata are labeled with tuples (N, dc, cc, C) where N is a set of ports/nodes that synchronously perform certain I/O-operations, dc is a data constraint that specifies the concrete values that are transferred through those I/O-operations, cc is a clock constraint, and C is a set of clocks that are reset to 0. If N = ∅ then the edge represents an internal move (in which case dc = true).
Before presenting the formal definition, we give a simple example. Figure 1 shows on its left a Reo circuit with a 1-bounded FIFO channel with expiration, connecting nodes A and B, and a synchronous channel connecting nodes B and C. A FIFO channel "with expiration" is a lossy channel that loses any data item that remains in its buffer longer than its "expiration date", which in this case is 3 time units after it enters the buffer of the channel. Thus, in this example, there is an implicit deadline for the data transfer operation at node B. The graph on the right shows the TCA corresponding to this Reo circuit. In the TCA on the right-hand side of Fig. 1, location s stands for the initial configuration where the buffer is empty, while location s̄(d) represents the configuration where the buffer is filled with data element d. If nodes B and C are ready for I/O-operations within 3 time units in location s̄(d), then we assume that B takes the element d from the buffer and immediately forwards it to C. This corresponds to the transition labeled with the set {B, C} and the data constraint
Although there is no explicit lower time bound for the delay of the {B, C}-transition, our semantics forces some time to elapse in location s̄(d) before the {B, C}-transition can fire, even if B and C are waiting for an input value. This is different from ordinary timed automata, but is needed here because a FIFO channel (by its definition) does not allow for the synchronous transfer of data from its source to its sink end. If B cannot transfer the element out of the FIFO buffer (because no I/O-operation is available on C to synchronize with B), the message is lost 3 time units after entering s̄(d). This is modeled by the invariance condition x ≤ 3 at location s̄(d), which forces the automaton to leave s̄(d) when the current value of x reaches 3.
Notation 2.1 (Data assignments, data constraints)
In the sequel, we assume finite and non-empty sets Data, consisting of the data items that can be transferred through channels, and $\mathcal{N}$, consisting of node names. A data assignment is a function $\delta : N \to \mathit{Data}$ where $\emptyset \neq N \subseteq \mathcal{N}$. We use notations like $\delta = [A \mapsto \delta_A : A \in N]$ to describe the data assignment that assigns the value $\delta_A \in \mathit{Data}$ to every node $A \in N$. Data constraints can be viewed as a symbolic representation of sets of data assignments. Formally, data constraints (denoted dc) are propositional formulas built from the atoms "$d_A \in P$" and "$d_A = d_B$" where $A, B \in \mathcal{N}$ and $P \subseteq \mathit{Data}$ (plus the standard boolean connectives ∧, ∨, ¬, etc.). For $N \subseteq \mathcal{N}$, DA(N) denotes the set of all data assignments for the node-set N and DC(N) the set of data constraints that refer at most to the terms $d_A$ for $A \in N$. We write DA for $\bigcup_{\emptyset \neq N \subseteq \mathcal{N}} \mathrm{DA}(N)$ and DC for $\mathrm{DC}(\mathcal{N})$.
Notation 2.2 (Clock assignments, clock constraints)
Let $\mathcal{C}$ be a finite set of clocks. A clock assignment is a function $\nu : \mathcal{C} \to \mathbb{R}_{\ge 0}$. If $t \in \mathbb{R}_{\ge 0}$ then ν + t denotes the clock assignment that assigns the value ν(x) + t to every clock $x \in \mathcal{C}$. If $C \subseteq \mathcal{C}$ then ν[C := 0] stands for the clock assignment that returns the value 0 for every clock x ∈ C and the value ν(x) for every clock $x \in \mathcal{C} \setminus C$. A clock constraint (denoted cc) for $\mathcal{C}$ is a conjunction of atoms of the form "$x \bowtie n$" where $x \in \mathcal{C}$, $\bowtie \in \{<, \le, >, \ge, =\}$ and $n \in \mathbb{N}$. CA($\mathcal{C}$) (or CA) denotes the set of all clock assignments and CC($\mathcal{C}$) (or CC) the set of all clock constraints.
The symbol ⊨ stands for the obvious satisfaction relation for data (or clock) constraints, which results from interpreting data (clock) constraints over data (clock) assignments. Satisfiability, validity, logical equivalence ≡ and logical implication ≤ of data (clock) constraints are defined as usual. For data constraints, we often use simplified notations.
Formally, the edges of a TCA are tuples $(s, N, dc, cc, C, \bar{s})$ consisting of a source location s, a label (N, dc, cc, C) as described in Sect. 2.1 and a target location $\bar{s}$; in addition, every location s is equipped with a location invariant ic(s), a clock constraint that must hold as long as the automaton stays in s. The automaton in Fig. 1 is an instance of this definition.
An interface specification of a timed sequencer that coordinates the data-flow of two components via synchronous channels is shown in Fig. 2. Here and in the sequel, we skip the guards (data or clock constraints) of the edges when they are true. We assume the deadline t = 3 for the write operations, that is, the sequencer in location s waits up to 3 time units to synchronize with component 1. If it fails then the sequencer moves via the edge labeled with the empty set to location s̄ and tries to synchronize with component 2, and so on. Note that a single clock x suffices, since clock x serves to measure the amount of time spent in one of the locations s or s̄. After changing the location, clock x is "reused" to measure the sojourn time in the new location.
Example 2.4 (Alternating Bit Protocol)
We consider a variant of the ABP where two components (the sender and the receiver) are connected via lossy synchronous channels. We follow here essentially the description in [25] but do not assume unreliable channels that may lose data in an unpredictable way. Instead, we assume lossy synchronous channels (as in Reo, see Sect. 4) where a data item written to the source end of such a channel is lost if the sink end of the channel cannot perform a matching I/O-operation to consume it.
[Figure: the sender, with ports I (input), A (message out) and B (acknowledgment in), and the receiver, with ports C (message in), D (acknowledgment out) and O (output), connected by lossy synchronous channels from A to C and from D to B.]
Via its input port I, the sender is fed with some input which it delivers to the receiver via the channel connecting ports A and C. The receiver acknowledges the receipt of the message via the channel between D and B and outputs the message through its port O. The sender attaches a bit to the messages and expects the corresponding control bit as acknowledgment. If the expected control bit b arrives through port B then the sender switches its mode and sends the next message together with the flipped bit 1 − b. If a certain deadline (t_S in our example) expires then the sender resends the message with the same control bit b with a delay of at most ρ_S. The same upper bound ρ_S is assumed for the time interval between the receipt of a message d on input port I and the sending of a message from output port A. Acknowledgments that contain a non-expected control bit are ignored as they belong to the previous message.
The behavior of the receiver is complementary to that of the sender. In mode b, the receiver waits for the arrival of an input (d, b) through its port C and acknowledges its receipt with the bit b, while messages of the form (d, 1 − b) are ignored. The receiver resends the acknowledgment if the next message with the expected control bit b does not arrive within t_R time units. (In particular, the receiver resends the control bit of the last message infinitely many times if data-flow at port I eventually terminates.) Moreover, we assume the upper time bound ρ_R for the success of the write operation on output port O as well as for the receiver's acknowledgment by sending the control bit. Figure 3 shows the interface specifications for the sender and the receiver as (data-parametrized) TCA. We assume here the data domain Data = {0, 1} ∪ Msg ∪ Msg × {0, 1} and write msg to denote the projection of the pairs in Msg × {0, 1} onto their Msg component. Figure 4 shows the "combined" TCA T_ABP for the ABP. Essentially, this TCA is obtained by the join operator (see Definition 4.5), while taking care of the special semantics of lossy synchronous channels, which forces their sink and source ends to synchronize if both can perform I/O-operations.
The state-transition graph of a TCA
So far we described the syntax of TCA and gave some intuitive explanations for their meaning. The following definition formalizes this intuitive behavior by means of a state-transition graph. Following the standard semantics of timed automata [2, 16], we use a dense time domain where the values of the clocks can be arbitrary real numbers. Dense time models are more appropriate than discrete time models when dealing with distributed, asynchronous systems where the components are not synchronized via a single global clock. The states consist of the current location of the TCA and the current values of the clocks.
The transitions corresponding to a set of visible I/O-operations arise through passage of time, followed by the I/O-operations specified by some edge with a non-empty node-set. Invisible transitions (transitions with no observable data flow) are obtained by the edges with empty node-set. They can occur immediately, i.e., without any passage of time, in the current location. 
If N = ∅, we use in addition the same rule with t = 0.
A state q = ⟨s, ν⟩ is called terminal iff it has no outgoing transitions but allows the possibility of unbounded passage of time, i.e., ν + t ⊨ ic(s) for all t > 0. A time-lock refers to a state q = ⟨s, ν⟩ that has no outgoing transitions and for which there exists some t ≥ 0 with ν + t ⊭ ic(s). T is called time-lock free iff $A_T$ does not contain a reachable time-lock.
For instance, the reachable part of the state-transition graph of the timed sequencer in Fig. 2 
which is taken without any further passage of time in location s. The outgoing transitions of the states ⟨s̄, x = ϑ⟩ are analogous. Thus, the timed sequencer in Fig. 2 is time-lock free. However, if we remove the clock reset "x := 0" from the two edges with empty node-sets then the resulting TCA has a time-lock in the states ⟨s, x = 3⟩ and ⟨s̄, x = 3⟩, since the invariance conditions in s and s̄ do not allow for any passage of time.
Edges with non-empty node-sets can fire only after some positive delay. This reflects the general idea of constraint automata where all observable activities that occur at the same time instant (i.e., atomically) are collapsed into a single transition. 
A run ϱ starting in state q (a q-run) is called time divergent if ϱ is infinite and $t_0 + t_1 + \cdots = \infty$. Maximality of a run means that it is either time divergent or finite and ends in a terminal state.
Intuitively, $N_i$ is the set of nodes in state $q_i$ that are scheduled to synchronously perform the next set of I/O-operations, while $\delta_i$ represents the concrete values that are exchanged through those operations at the nodes $A \in N_i$. The value $t_i$ stands for the delay.
We next define the notion of a TSD stream, which will serve to formalize the observable data flow of the runs in a TCA. TSD streams are sequences of triples $(N, \delta, \bar{t})$ where N is a nonempty node-set, δ a data assignment for the nodes in N and $\bar{t}$ a point in time. The intuitive meaning of $(N, \delta, \bar{t})$ is that at time $\bar{t}$ the nodes A ∈ N simultaneously perform the I/O-operations specified by the pair (N, δ).
Notation 2.7 (TSD stream)
A timed scheduled data stream for a node-set N denotes any (finite or infinite) 
Notation 2.8 (TSDS-language of a TCA)
If ϱ is a run in a TCA T as above then the induced TSD stream is obtained from ϱ by (1) removing all transitions of ϱ with the empty node set, (2) building the projection on the transition labels, and (3) replacing the sojourn times $t_i$ by the absolute time points $\bar{t}_i = t_0 + \cdots + t_i$. The generated language of a state q in $A_T$ consists of the TSD streams induced by the maximal runs starting in q.
The language L(T) consists of all TSD streams induced by maximal initial runs ϱ.
For instance, the language of the timed sequencer in Fig. 2 consists of all TSD streams
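To make the dense-time semantics of this section concrete, the following is an added example, not code from the paper or from the authors' tools: a small Python interpreter for TCA, instantiated with the expiring FIFO1 of Fig. 1 (expiration after 3 time units, joined with the synchronous channel B→C). Clock values are exact rationals, clock constraints are conjunctions of atoms x ⋈ n as in Notation 2.2, visible edges need a positive delay while internal edges may fire immediately, and a run is turned into its TSD stream by dropping internal moves and accumulating sojourn times as in Notation 2.8. The data items d1, d2, the location names s and s̄(d) and all helper names are my own choices, as is the finite set of candidate delays used to decide "exists t ≥ 0" questions (sound because atoms only change truth value at t = n − ν(x)). The last scenario removes the expiry edge leaving s̄(d) to show that ⟨s̄(d1), x = 3⟩ then meets the time-lock definition above.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Clocks = Dict[str, Fraction]      # clock assignment nu : C -> R>=0 (exact rationals)
DataAsg = Dict[str, str]          # data assignment delta : N -> Data
Atom = Tuple[str, str, int]       # clock-constraint atom "x op n" (Notation 2.2)
State = Tuple[str, Clocks]        # <s, nu>

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def cc_holds(cc: Tuple[Atom, ...], nu: Clocks) -> bool:
    """Conjunction of atoms; the empty tuple is the constraint 'true'."""
    return all(_OPS[op](nu[x], n) for x, op, n in cc)

@dataclass(frozen=True)
class Edge:
    src: str
    nodes: FrozenSet[str]              # N; the empty set marks an internal move
    dc: Callable[[DataAsg], bool]      # data constraint on the values exchanged at N
    cc: Tuple[Atom, ...]               # clock guard
    reset: FrozenSet[str]              # clocks reset to 0 when the edge fires
    dst: str

@dataclass
class TCA:
    invariants: Dict[str, Tuple[Atom, ...]]   # location invariant ic(s)
    edges: List[Edge]
    initial: str
    clocks: FrozenSet[str]

    def init_state(self) -> State:
        return self.initial, {x: Fraction(0) for x in self.clocks}

def advance(nu: Clocks, t: Fraction) -> Clocks:
    return {x: v + t for x, v in nu.items()}

def step(tca: TCA, state: State, t: Fraction, edge: Edge, delta: Optional[DataAsg] = None) -> Optional[State]:
    """<s,nu> --(N,delta,t)--> <s',nu'>: let t time units pass in s, then fire `edge`.
    Visible edges need t > 0 (a FIFO never passes data through synchronously);
    internal edges may also fire with t = 0.  Returns None if the move is illegal."""
    s, nu = state
    delta = delta or {}
    if edge.src != s or t < 0 or (edge.nodes and (t == 0 or set(delta) != set(edge.nodes))):
        return None
    nu2 = advance(nu, t)
    # ic(s) is convex (a conjunction of x op n), so holding at both ends of the
    # delay means it held at every instant in between
    if not (cc_holds(tca.invariants[s], nu) and cc_holds(tca.invariants[s], nu2)):
        return None
    if not (cc_holds(edge.cc, nu2) and edge.dc(delta)):
        return None
    nu3 = {x: (Fraction(0) if x in edge.reset else v) for x, v in nu2.items()}   # nu[C := 0]
    return (edge.dst, nu3) if cc_holds(tca.invariants[edge.dst], nu3) else None

def _candidate_delays(tca: TCA, s: str, nu: Clocks) -> List[Fraction]:
    """Atoms change truth value only at t = n - nu(x); the breakpoints, the midpoints
    between them and one point past the last one decide every 'exists t >= 0' question."""
    atoms = list(tca.invariants[s]) + [a for e in tca.edges if e.src == s for a in e.cc]
    bps = sorted({Fraction(0)} | {n - nu[x] for x, _, n in atoms if n - nu[x] > 0})
    return sorted(set(bps) | {(a + b) / 2 for a, b in zip(bps, bps[1:])} | {bps[-1] + 1})

def outgoing(tca: TCA, state: State, sample: Callable[[FrozenSet[str]], DataAsg]) -> list:
    """Enabled transitions (t, edge, delta); `sample` picks one data assignment per node set."""
    s, nu = state
    moves = []
    for e in (e for e in tca.edges if e.src == s):
        delta = sample(e.nodes) if e.nodes else {}
        moves += [(t, e, delta) for t in _candidate_delays(tca, s, nu) if step(tca, state, t, e, delta)]
    return moves

def is_timelock(tca: TCA, state: State, sample) -> bool:
    """Time-lock as defined in Sect. 2.2: no outgoing transition, yet ic(s) forbids waiting forever."""
    s, nu = state
    return not outgoing(tca, state, sample) and any(
        not cc_holds(tca.invariants[s], advance(nu, t)) for t in _candidate_delays(tca, s, nu))

def tsd_stream(run) -> list:
    """Notation 2.8: drop internal moves, replace sojourn times by absolute time points."""
    now, out = Fraction(0), []
    for t, edge, delta in run:
        now += t
        if edge.nodes:
            out.append((edge.nodes, dict(delta), now))
    return out

def expiring_fifo1(t_exp: int = 3, data=("d1", "d2"), with_expiry: bool = True) -> TCA:
    """Fig. 1: expiring FIFO1 A->B joined with a synchronous channel B->C.
    with_expiry=False omits the internal edge s̄(d) --x=t_exp--> s."""
    inv, edges = {"s": ()}, []
    for d in data:
        sd = f"s̄({d})"
        inv[sd] = (("x", "<=", t_exp),)
        edges.append(Edge("s", frozenset({"A"}), lambda dl, d=d: dl["A"] == d, (), frozenset({"x"}), sd))
        edges.append(Edge(sd, frozenset({"B", "C"}), lambda dl, d=d: dl["B"] == dl["C"] == d, (), frozenset(), "s"))
        if with_expiry:
            edges.append(Edge(sd, frozenset(), lambda dl: True, (("x", "=", t_exp),), frozenset(), "s"))
    return TCA(inv, edges, "s", frozenset({"x"}))

def find_edge(tca: TCA, src: str, nodes, dst: str) -> Edge:
    return next(e for e in tca.edges if e.src == src and e.nodes == frozenset(nodes) and e.dst == dst)

def sample_d1(nodes: FrozenSet[str]) -> DataAsg:
    return {n: "d1" for n in nodes}

def fifo_scenarios() -> dict:
    fifo = expiring_fifo1()
    write = find_edge(fifo, "s", {"A"}, "s̄(d1)")
    take = find_edge(fifo, "s̄(d1)", {"B", "C"}, "s")
    expire = find_edge(fifo, "s̄(d1)", set(), "s")
    q1 = step(fifo, fifo.init_state(), Fraction(1), write, {"A": "d1"})   # A writes d1 at time 1
    full_at_3: State = ("s̄(d1)", {"x": Fraction(3)})                      # buffer full, deadline reached
    return {
        "after_write": q1,
        "sync_take_refused": step(fifo, q1, Fraction(0), take, sample_d1(take.nodes)) is None,
        "late_take_refused": step(fifo, q1, Fraction(4), take, sample_d1(take.nodes)) is None,
        "expired": step(fifo, q1, Fraction(3), expire),
        "stream": tsd_stream([(Fraction(1), write, {"A": "d1"}), (Fraction(3, 2), take, sample_d1(take.nodes))]),
        "timelock_with_expiry": is_timelock(fifo, full_at_3, sample_d1),
        "timelock_without_expiry": is_timelock(expiring_fifo1(with_expiry=False), full_at_3, sample_d1),
    }
```

Running `fifo_scenarios()` shows the three points made above: the {B, C}-edge is refused with delay 0 right after A's write, it is refused after 4 time units because the invariant x ≤ 3 of s̄(d1) would be violated during the wait, and at x = 3 the internal expiry edge is the only move left. With that edge removed, ⟨s̄(d1), x = 3⟩ has no outgoing transition and no admissible passage of time, which is exactly the time-lock situation described for the sequencer without clock resets.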
A Reo primer
Reo [6] is a channel-based exogenous coordination model wherein complex coordinators, called connectors, are compositionally built out of simpler ones. The simplest connectors in Reo are a set of channels with well-defined behavior supplied by users. Components can instantiate, compose, connect to, and perform I/O operations through connectors. Here, as in [7, 9] , we do not consider the dynamic creation, composition, and reconfiguration of connectors by components. We restrict our attention to connectors that have a static graphical representation as a Reo circuit which coordinates the data-flow through the channels connecting the input /output ports of components.
Channels. Reo's notion of channel is far more general than its common interpretation and allows for any primitive communication medium with exactly two ends. The channel ends are classified as source ends through which data enter and sink ends through which data leave a channel. Although Reo allows for an open-ended set of channel-types with user-defined semantics, for our purposes in this paper, we restrict ourselves to only a small set of channel-types, defined below.
The simplest form of an asynchronous channel is a FIFO channel with one buffer cell (called a 1-bounded FIFO channel or simply a FIFO1 channel). It has a source end and a sink end. We graphically represent a FIFO1 channel by a small box in the middle of an arrow. The buffer is assumed to be initially empty if no data item is shown in the box. The graphical representation of a FIFO1 channel whose buffer initially contains a data element d shows d inside the box. FIFO channels with two or more buffer cells can be produced by composing several FIFO1 channels, as explained, for instance, in [7, 9].
A synchronous channel (depicted as a simple solid arrow) has a source-and a sink-end, and no buffer. It accepts a data item through its source end iff it can simultaneously dispense it through its sink. A lossy synchronous channel (depicted as a dashed arrow) is similar to a synchronous channel, except that it always accepts all data items through its source end. If it is possible for it to simultaneously dispense the data item through its sink (e.g., there is a take operation pending on its sink) the channel transfers the data item; otherwise the data item is lost.
More exotic channels permitted in Reo are synchronous and asynchronous drains that have two source ends. Because drains have no sink end, no data value can ever be obtained from these channels. Thus, a synchronous drain accepts a data item through one of its ends iff a data item is also available for it to simultaneously accept through its other end as well. All data accepted by this channel are lost. An asynchronous drain accepts and loses data items through its two source ends, but never simultaneously. Synchronous and asynchronous spouts are duals of their corresponding drain channel types, as they have two sink ends.
Reo circuits.
A complex connector has a graphical representation, called a Reo circuit, as a finite graph where the nodes are labeled with pairwise disjoint, non-empty sets of channel ends and where the edges represent the established channels. The major operations for creating Reo connector circuits are join and hide.
To construct a Reo circuit, we start with several instances of basic channels and organize them in a graph where initially each channel end constitutes a separate node, and each pair of nodes is connected by an edge representing its respective channel. We then apply a series of join operations, each of which takes as input two nodes A and B and combines them into a new node C. In this way, several channel ends may coincide on one node.
Reo nodes are not physical locations nor represent components. A node is a fundamental concept in Reo representing an important topological property: coincidence of its channel ends. As described below, this property entails specific implications in Reo regarding the flow of data among the channel ends that coincide on a node, irrespective of concern for their locations or any component that may perform I/O operations on that node.
The set of channel ends coincident on a node A is disjointly partitioned into the sets Src(A) and Snk(A), denoting the sets of source and sink channel ends that coincide on A, respectively. A node is called a source node if Snk(A) = ∅, a sink node if Src(A) = ∅, and a mixed node otherwise.
Intuitively, source nodes of a circuit are analogous to the input ports, and sink nodes to the output ports of a component, while mixed nodes are its hidden internal details. Components cannot connect to, read from, or write to mixed nodes. Instead, data-flow through mixed nodes is totally specified by the circuits they belong to.
A component can write data items to a source node of a Reo circuit that it is connected to. A write operation succeeds only if all (source) channel ends coincident on the node accept the data item, in which case the data item is transparently written to every source end coincident on the node. A source node, thus, acts as a replicator.
A component can obtain data items from a sink node of a Reo circuit that it is connected to through input operations. A take operation succeeds only if at least one of the (sink) channel ends coincident on the node offers a suitable data item; if more than one coincident channel end offers suitable data items, one is selected nondeterministically. A sink node, thus, acts as a nondeterministic merger.
A mixed node is a self-contained "pumping station" that combines the behavior of a sink node (merger) and a source node (replicator) in an atomic iteration of an endless loop: in every iteration a mixed node nondeterministically selects and takes a suitable data item offered by one of its coincident sink channel ends and replicates it into all of its coincident source channel ends. A data item is suitable for selection in an iteration only if it can be accepted by all source channel ends that coincide on the mixed node.
Reo nodes contain no memory. While a component that performs a write operation on a source node may suspend (if the circuit that the node belongs to is not ready to allow the write to succeed), holding the value in its blocked write operation (indefinitely or until an optional time-out specified in the write operation), a Reo node cannot "hold" or represent any data. All data transfer through a Reo node is strictly synchronous (i.e., atomic).
The hide operator allows one to create "components" by putting a thick box around a circuit. This insulates all mixed nodes of the circuit inside the box and allows access to its sink and source nodes only, which are placed on the border of the box. The idea is that mixed nodes are internal to the component and no other component can modify or connect to them. Formally, we make hidden (mixed) nodes invisible and abstract their names away.
Example 3.1 (Exclusive router and shift-lossy FIFO1 channel)
Fig. 5a shows an implementation of an exclusive router built by composing five synchronous channels, two lossy synchronous channels and a synchronous drain. The intuitive behavior of this circuit is that through its source node A, it obtains a data item d from its environment and delivers d to one of its sink nodes B or C. If both B and C are willing to accept d then the exclusive router nondeterministically decides to deliver d to either B or C.
The key to understanding the behavior of this circuit is that for data flow to occur at A, data flow must synchronously also occur at the bottom node of the synchronous drain in Fig. 5a. This is a mixed node, with two sink and one source coincident channel ends. Data flow at this node can occur only if one of the two lossy synchronous channels actually transfers (rather than loses) the data item available at A. This precludes the possibility of both lossy synchronous channels losing this data item, while the merger behavior of the mixed node prevents the possibility of both making a transfer. If data flow is possible at B or C, the merge behavior of the mixed node allows its respective lossy synchronous channel to pass data, forcing the other to lose it. If data flow is possible at both B and C, the merge behavior of the mixed node non-deterministically selects the value available at one of its two sink channel ends, allowing its corresponding lossy synchronous channel to pass, and the other to lose, its data.
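The node rules above (source node = replicator, sink node = merger, mixed node = both in one atomic step) together with the channel rules of this section are enough to compute, by brute force, which boundary nodes of a static circuit can have data flow together in one synchronous step. The following is an added example, not code from the paper or from any Reo implementation: it abstracts every channel end to a boolean "data flows / does not flow" in one step, so it covers only stateless channels (synchronous, lossy synchronous, synchronous drain), which is all the exclusive-router argument needs. The internal node names M (below A), N1 and N2 (the lossy channels' sink nodes) and Z (the drain's bottom node) are my own; Fig. 5a labels only A, B and C. A single lossy synchronous channel is included for comparison, to show how the drain turns its local "may lose" into the global exclusion the text describes.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

class Circuit:
    """Static Reo circuit: channels with two ends, each end coincident on a node.
    'sync' and 'lossy' take (source node, sink node); a 'drain' has two source ends."""
    def __init__(self) -> None:
        self.channels: List[Tuple[str, str, str]] = []   # (kind, end1, end2)
        self.src_ends: Dict[str, Set[str]] = {}           # Src(node): channel source ends on node
        self.snk_ends: Dict[str, Set[str]] = {}           # Snk(node): channel sink ends on node

    def _attach(self, node: str, end: str, is_source_end: bool) -> None:
        self.src_ends.setdefault(node, set())
        self.snk_ends.setdefault(node, set())
        (self.src_ends if is_source_end else self.snk_ends)[node].add(end)

    def add(self, kind: str, n1: str, n2: str) -> None:
        k = len(self.channels)
        e1, e2 = f"e{2 * k}", f"e{2 * k + 1}"
        self.channels.append((kind, e1, e2))
        self._attach(n1, e1, True)                  # data enters the channel here
        self._attach(n2, e2, kind == "drain")       # a drain's second end is a source end too

    def boundary(self) -> List[str]:
        """Source nodes (Snk = {}) and sink nodes (Src = {}); all others are mixed."""
        return sorted(n for n in self.src_ends if not self.src_ends[n] or not self.snk_ends[n])

def channel_ok(kind: str, f1: bool, f2: bool) -> bool:
    if kind in ("sync", "drain"):
        return f1 == f2          # both ends flow together or not at all
    if kind == "lossy":
        return f1 or not f2      # sink end flows only if the source end does; source alone = loss
    raise ValueError(kind)

def node_ok(snk: Set[str], src: Set[str], flow: Dict[str, bool]) -> bool:
    """Merger over Snk(node): at most one sink end delivers.  Replicator over
    Src(node): all source ends take or none.  Mixed node: exactly one sink end
    delivers iff all source ends take, in the same atomic step (no memory)."""
    delivering = sum(flow[e] for e in snk)
    taking = {flow[e] for e in src}
    if delivering > 1 or len(taking) > 1:
        return False
    return not (snk and src) or (delivering == 1) == taking.pop()

def synchronous_steps(c: Circuit) -> Set[FrozenSet[str]]:
    """All sets of boundary nodes that can have data flow in one atomic step."""
    ends = [e for _, e1, e2 in c.channels for e in (e1, e2)]
    results: Set[FrozenSet[str]] = set()
    for bits in product((False, True), repeat=len(ends)):
        flow = dict(zip(ends, bits))
        if not all(channel_ok(k, flow[e1], flow[e2]) for k, e1, e2 in c.channels):
            continue
        if not all(node_ok(c.snk_ends[n], c.src_ends[n], flow) for n in c.src_ends):
            continue
        results.add(frozenset(n for n in c.boundary()
                              if any(flow[e] for e in c.src_ends[n] | c.snk_ends[n])))
    return results

def exclusive_router() -> Circuit:
    """Fig. 5a: five synchronous channels, two lossy synchronous channels and one
    synchronous drain.  Internal node names M, N1, N2, Z are assumptions."""
    c = Circuit()
    c.add("sync", "A", "M")
    c.add("lossy", "M", "N1"); c.add("lossy", "M", "N2")
    c.add("sync", "N1", "B");  c.add("sync", "N2", "C")
    c.add("sync", "N1", "Z");  c.add("sync", "N2", "Z")   # Z: two sink ends plus the drain end
    c.add("drain", "M", "Z")
    return c

def lossy_alone() -> Circuit:
    """A single lossy synchronous channel A -> B, for comparison."""
    c = Circuit()
    c.add("lossy", "A", "B")
    return c
```

`synchronous_steps(lossy_alone())` yields {∅, {A}, {A, B}}: on its own, the lossy channel may accept at A and lose. Inside the router, `synchronous_steps(exclusive_router())` yields only {∅, {A, B}, {A, C}}: the drain forces flow at Z whenever A flows, Z's merger admits exactly one of its two sink ends, and the synchronous channels propagate that choice to B or C, which is the "propagation of synchrony and exclusion" the text attributes to this circuit.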
The circuit in Fig. 5b shows an implementation of a shift-lossy FIFO1 channel with source node A and sink node B. This implementation uses four synchronous channels, a synchronous drain, a FIFO1 channel whose buffer initially contains a token data item, o, an empty FIFO2 channel, and an instance of the exclusive router of Fig. 5a shown as the box labeled EXR. A shift-lossy FIFO1 channel behaves the same as a FIFO1 channel, except that writing to its source end is never blocked. If at the time of a write operation its buffer is full, the stored data item in the buffer is lost and the new data item replaces it in the buffer.
If the FIFO2 channel in Fig. 5b is not empty and there is a pair of write and take operations pending, respectively, on the nodes A and B, it is possible for this circuit to either (1) lose the contents of the FIFO2 channel and accept the data item through A to replace it, delaying the take on B; or (2) delay the write on A and dispense the contents of the FIFO2 channel through B. The non-deterministic behavior of the EXR circuit used here makes the choice between these two alternatives non-deterministic. Thus, the shift-lossy FIFO1 channel constructed here breaks the tie non-deterministically, when its buffer is full, and data flow is possible at both of its ends (otherwise, i.e., when the FIFO2 channel is empty, or data flow is not possible at A or B, the circuit has no choice). While, generally, we prefer this nondeterministic behavior, it is also possible to construct similar shift-lossy FIFO1 channels that deterministically prefer one of the two alternatives, by replacing the EXR in Fig. 5b with a priority router.
Derivation of the constraint automata representing the observable behavior of each of these Reo circuits as compositions of the constraint automata representing the behavior of the individual primitives used in their respective Reo circuits appears in [9] .
In spite of its simplicity, the semantics of Reo is indeed very rich, yielding a surprisingly expressive language [6]. For instance, the relational (as opposed to functional) dependencies that result in "propagation of synchrony and exclusion", as well as the way in which the local behavior of, e.g., lossy synchronous channels imposes non-local constraints on a circuit, are already evident in the exclusive router of Fig. 5a. Examples of Reo circuits with more interesting behavior can be found elsewhere, and the reader is encouraged to see [30] (in [26]) and [7] for the simple, rich, and expressive formal semantics of Reo.
Timed Reo circuits
We now extend the set of primitive channels that we use in the Reo framework by adding channels with timing constraints for the enabledness of their I/O-operations. We first give some examples for "timed channels" and provide their semantics by means of TCA (Sect. 4.1). Next, we explain how the concepts of join and hiding can be realized with TCA, which yields a compositional way for constructing the TCA for a given Reo circuit with timed channels (Sect. 4.3).
Untimed and timed primitive channels
Reo defines what a channel is and how channels, as atomic connectors, can be composed into more complex connectors; however, it offers no specific channels. Instead, it allows an open-ended set of user-defined channel types as primitives for constructing connector circuits. This makes it easy to extend Reo circuits to cover timed behavior by introducing a few primitive channels with time-sensitive behavior. In the sequel, we define a number of channel types that we will later use in our timed Reo circuit examples.
FIFO channels. The left-hand side of the figure below shows the TCA of a standard FIFO1 channel. On the right-hand side we show a timed-lossy variant of this channel, called expiring FIFO1, in which a data item is lost if it is not taken out of the buffer through the sink end of the channel within t time units after it enters through the source end.
If we omit the loop at s(d), the TCA has a different behavior. The modified TCA, shown later in Example 4.1 (Fig. 12), is called a TCA for an expiring FIFO1 channel with delay. For instance, if B is never enabled to take an element out of the buffer, then the original TCA allows A to write at time points 0, t, 2t, 3t, ..., while the TCA for an expiring FIFO1 channel with delay requires some delay between the loss of the stored message (where the TCA moves from s(d) back to s) and A's next write operation. Formally, the TSD stream with writes at A at the time points 0, t, 2t, 3t, ... and no data-flow at B is in the TSDS-language of the TCA shown on the right of Fig. 6, but not of the TCA for an expiring FIFO1 channel with delay.
Synchronous channels. In the examples we discuss later, we use different types of synchronous channels. Here, we briefly explain their behavior and show how they can be modelled by TCA. The TCA for these synchronous channels do not have proper timing constraints (and do not use any clock).
We start with a standard synchronous channel, depicted as a solid arrow, where the write and take operations must synchronize. The behavior of a (standard) synchronous channel, is formalized by a TCA with a single location:
A P-producer is a synchronous channel that, like a standard synchronous channel, allows write and take operations to succeed atomically on its source and sink ends, respectively, except that the value dispensed through its sink end is always an element of the given data set P (in the examples below, P is a singleton such as {expire}).
To model the context-sensitive behavior of a lossy synchronous channel, where the {A}-transition is impossible if B is ready to synchronize, the concept of priorities can be used. The rough idea is to assign a higher priority to the {A, B}-edge than to the {A}-edge, stating that A and B must synchronize whenever possible. The technical details of constraint automata with priorities are more difficult and will be presented in the forthcoming paper [8].
The above-mentioned types of synchronous channels have one source end and one sink end. An example of a channel with two source ends is a synchronous drain, which accepts a data item through one of its ends iff a data item is also available for it to simultaneously accept through its other end. The values written at the source ends of a drain are irrelevant. The picture for a synchronous drain and its TCA is as follows:
[Figure: synchronous drain with source ends A and B; its TCA has a single location with one edge, labelled {A, B}.]
Timers. We now describe a few timer channels that serve to measure the time between two events and to produce timeout signals. Each of these timer channels has one source end and one sink end. The source end of a t-timer channel (see Fig. 7) accepts any input value d ∈ Data, and the channel returns a timeout signal on its sink end after a delay of t time units. The intuitive explanation for the loop at location s̄ is as for the expiring FIFO1 channel.
A t-timer with the off-option allows the timer to be stopped before the expiration of its delay when a special "off" value is consumed through its source end. Similarly, the reset-option allows the timer to be reset to 0 after it has been activated, when a special "reset" value is consumed through its source end. Figure 8 shows a t-timer with both the reset- and the off-options.
A timer with early expiration, shown in Fig. 9, produces its timeout signal through its sink end and resets itself when it consumes a special "expire" value through its source end.
In some cases, it is useful to have a timer that is initially activated. In the graphical representation of this timer, we simply put the word "on" under its circle symbol. In its TCA, we declare s̄ as the initial location (rather than s).
Examples for timed Reo circuits
Before presenting the formal definitions of the composition operators join and hide on TCA, we provide a few examples of timed Reo circuits. These are obtained by combining channel instances through a series of join and hide operations. Figure 10 demonstrates how to build a Reo circuit via join and hide. The resulting circuit repeatedly produces a timeout signal through T after t time units unless a data transfer occurs from A to B within that interval. Mixed node I serves as an initializer which activates the timer. Either A and B synchronize before the timer expires, or the timeout signal occurs at T (after exactly t time units). In either case, the buffer is refilled and the whole procedure restarts.
In (timed) constraint automata models of Reo circuits, locations stand for the configurations of the circuits (e.g., contents of the FIFO channels), while transitions stand for the possible data-flow at one time instant and its effect on the configuration. Intuitively, if we regard a circuit itself as a component, the source nodes of the circuit serve as its input ports and the sink nodes as its output ports. There is a subtle difference between the roles of the sink and source nodes on the one hand and that of the mixed nodes on the other. If an edge contains at least one sink or source node A, then the transition must be regarded as conditional: it can be taken if and only if the environment that controls the data-flow at node A (the component that uses A as an in- or output port) performs the corresponding I/O-operation. On the other hand, any transition with a node-set consisting of mixed nodes only can be taken without any involvement of the environment.
Example 4.1 (Expiring FIFO1 channel)
Figure 11 shows how an expiring FIFO1 channel with delay can be constructed out of a standard FIFO1 channel and a timer set to expire after t time units.
A successful write to A fills up the buffer of the FIFO1 channel CD, and (re)sets the timer channel FG. Another write to A will suspend until the FIFO1 channel becomes empty. While it is full, two things can happen: (1) the timer may expire, and (2) a take can be performed on B. If the timer expires, nodes G, H, and D can fire. GH acts as a synchronous channel and DH accepts but loses the data at D. So the value in the FIFO1 channel gets lost in the drain DH. A take on B will replicate the value in the FIFO1 channel at D and again at E. One copy goes out through B to satisfy the take. The other two copies get lost in the drain DH. Now that the FIFO1 channel is empty and the timer is still running, two things can happen: (3) there is a new write on A, and (4) the timer expires. If there is a new write on A, it succeeds and resets the timer, and we are back to the first case we considered. If the timer expires while the buffer is empty, then its token is accepted and lost in the lossy synchronous channel GH. The special case where the take on B happens at exactly the same time when the timer expires is non-deterministically resolved by the merger behavior of the node H. It either accepts the timer's token from G, or the copy of the data item from E. If it accepts the timer's token first, then it is as if the take has been performed after the expiration of the timer. If it takes the data item first, it is as if the timer expired after the take (which means the timer's token gets lost in the GH channel).
The TCA in Fig. 12 yields a formalization of the above explanation for the possible data-flow in the Reo circuit of Fig. 11, after hiding all mixed nodes, i.e., all nodes except A and B.
Example 4.2 (Lower and upper time bounds for I/O-operations)
Below we have a circuit that ensures the lower bound "> t" for a take operation on B; it yields a FIFO1 channel that guarantees every data item will remain in its buffer for at least t time units.
[Figure: circuit with source node A, sink node B and a t-timer.]
We may also control the frequency of data transfer in synchronous channels with time-constrained channels. In the following figure, on the left, data-flow from A to B is possible only once every ≥ t time units.
The t-timer with early expiration in the circuit on the right ensures that, as long as data items are available at A, they will be consumed at least once every t time units. Whenever a take operation is performed on C, the data item available at A is transferred through B to C via the synchronous and the lossy synchronous channels that connect these nodes. The transfer at A simultaneously produces an "expire" signal (through the P-producer connected to A, where P is the singleton data set {expire}), which prematurely fires the timer channel, enabling the synchronous drain to allow the data transfer at B. If no take operation occurs at C, the timer produces its timeout signal after t time units, enabling the transfer of a data item from A to B, because the lossy synchronous channel at B always accepts (and in this case loses) this data item. (Because the two ends of the timer always have to synchronize in this circuit, the assumption that the timer is initially on is essential, since otherwise it could never be started.)
[Fig. 12: TCA for an expiring FIFO1 channel]
Example 4.3 (Timed sequencer)
The timed sequencer in Fig. 2 can be realized by the Reo circuit shown in Fig. 13 (hiding all nodes except A and B). Here, we use a t-timer with early expiration which is assumed to be initially switched on. A can transfer a value only if D simultaneously takes a value from the upper buffer. The expiring FIFO1 channel allows this to happen only at some point in time t_0 < t. If this happens, an expire-signal is sent (via the P-producer from D to G, where P is the singleton data set {expire}), which forces the timeout signal to become available at H. Because the buffer of the left FIFO1 channel is full and it is connected at E through a synchronous drain and a lossy synchronous channel via J to H, the availability of the timeout signal at H triggers the synchronous transfer of the contents of the left FIFO1 channel into the right FIFO1 channel. The replication behavior of H also attempts to simultaneously write a copy of the timeout signal into the top lossy synchronous channel connected to H. However, because at this point in time (i.e., t_0) there is no data available at C, the synchronous drain connected to C prevents I from participating in the transfer of this copy of the timeout signal from H; therefore, the lossy synchronous channel connecting H to I loses this data. At this point, the same behavior symmetrically repeats with B.
If A has no value to transfer within the first t time units, then D does not transfer the data element out of the buffer, but the timeout signal becomes available at H at time t. Simultaneously, the message in the buffer of the upper expiring FIFO1 channel is lost. At this point in time (i.e., t), there is no data available at C, and the synchronous drain connected to C prevents I from participating in the transfer of a copy of the timeout signal from H; the lossy synchronous channel connecting H to I loses this data. On the other hand, node E can take the data element out of the buffer of the left FIFO1 channel. Also G is ready to start the timer again. Thus, H synchronizes with the nodes J, E and G, which yields a configuration symmetric to the initial one with B instead of A. Fig. 14 shows the TCA (before hiding), where we skip the data constraints.
Remark 4.4 (Time-constraints for the I/O-operations)
In the Reo circuit in Fig. 15, node B is a mixed node which is "always" ready to consume a message from the buffer of the expiring FIFO1 channel because the
The TCA for this circuit has a TSD stream of the following form
... where A continuously transfers data items into the buffer of the expiring FIFO1 channel, which in turn loses them all because the data transfer at B takes longer than the specified expiration bound of 3 time units (e.g., because the synchronous drain is too slow). In fact, the above circuit makes no assumptions about the possible delay of B's data transfer operation. Its TCA involves an enabled transition whose node-set consists of a mixed node only and which has an unbounded delay.
One possibility to avoid such scenarios is to assign deadlines to edges e = (s, N, dc, cc, C, s̄) where N consists of mixed nodes only. For instance, assigning a deadline of 2 to the {B}-edge in the above example ensures that all values transferred by A are eventually taken out of the buffer by B. However, the timing behavior of the nodes (deadlines or lower time bounds for I/O-operations) can also be made explicit at the syntax level of Reo circuits, using an appropriate combination of Reo's timed channels. For instance, the deadline of 2 in the above example can be guaranteed by a 2-timer with the off-option as follows:
Join and hide on TCA
The examples provided in the previous subsection served to illustrate the Reo framework for composing component connectors out of channel instances via join and hide. We now provide composition operators on TCA that capture the meaning of Reo's join and hide operators and that can serve to construct the TCA for a Reo circuit in a compositional way.
Join (replicator semantics).
We start with the join operator on TCA which captures the replicator semantics of source (or mixed) nodes. It serves as the semantic operator for the join of two nodes where at least one of them is a source node. We assume that we are given the TCA T_1 and T_2 for two fragments R_1 and R_2 of a Reo circuit and that we want to perform the join operations for the nodes B_i (in T_1) and B̄_i (in T_2), i = 1, ..., n, where at least one of the nodes B_i or B̄_i is a source node (i.e., has no coincident sink channel end). We first rename B̄_i into B_i and then apply the following join operator to T_1 and T_2.
Definition 4.5 (Join for TCA) Given two TCA T_1 = (S_1, Q_1, 𝒩_1, E_1, S_{0,1}, ic_1) and T_2 = (S_2, Q_2, 𝒩_2, E_2, S_{0,2}, ic_2) with disjoint clock sets, their join T_1 ⋈ T_2 is the TCA over the node-set 𝒩_1 ∪ 𝒩_2 whose locations are the pairs ⟨s_1, s_2⟩ with s_1 ∈ S_1, s_2 ∈ S_2, whose initial locations are the pairs of initial locations, whose invariance condition is ic(⟨s_1, s_2⟩) = ic_1(s_1) ∧ ic_2(s_2), and whose edge set E is given by two rules. The first rule applies to pairs of edges that agree on the data-flow at the common nodes:
if (s_1, N_1, dc_1, cc_1, C_1, s̄_1) ∈ E_1, (s_2, N_2, dc_2, cc_2, C_2, s̄_2) ∈ E_2 and N_1 ∩ 𝒩_2 = N_2 ∩ 𝒩_1, then (⟨s_1, s_2⟩, N_1 ∪ N_2, dc_1 ∧ dc_2, cc_1 ∧ cc_2, C_1 ∪ C_2, ⟨s̄_1, s̄_2⟩) ∈ E.
The second rule applies to edges all of whose involved nodes are local to only one of the automata:
if (s_1, N_1, dc_1, cc_1, C_1, s̄_1) ∈ E_1 with N_1 ∩ 𝒩_2 = ∅ and s_2 ∈ S_2, then (⟨s_1, s_2⟩, N_1, dc_1, cc_1, C_1, ⟨s̄_1, s_2⟩) ∈ E,
and its symmetric rule. In particular, the latter rule applies to transitions with empty node-sets.
A correctness result for the join operator is presented in Lemma 4.9 and Corollary 4.10.
Join (merge semantics).
To mimic the merge semantics of sink (or mixed) nodes we use the same technique as in [7, 9]. To join two nodes A and B, each of which contains at least one sink end, we (1) choose a new node name, say C, and (2) return
T_Merger(A, B, C) ⋈ T_A ⋈ T_B
where T_A and T_B are the TCA that model the sub-circuits containing A and B, respectively, and T_Merger(A, B, C) is the TCA shown in Fig. 16.
Hide. Hiding a node-set M in a TCA removes all Mnodes from its edges. However, given an edge with a node-set consisting of M-nodes only, we must ensure that this edge can be taken only after some positive delay. We model this by using an additional clock. 
The TCA for the circuit in Fig. 10 can be obtained by joining the TCA for all of its channels together with T_Merger(F_1, F_2, F). The resulting TCA before and after hiding are shown in Fig. 9 (for simplicity, we skip the data constraints and irrelevant resettings of y).
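The following Python program is an added illustration of the three operators just described; it is not code from the paper. It implements Definition 4.5 (the replicator join), the merger-based join T_Merger(A, B, C) ⋈ T_A ⋈ T_B, and a hide operator on a small TCA representation, and applies them to channel automata modelled after the descriptions in this paper (a synchronous channel, the expiring FIFO1 channel, the merger). Everything in it is the example's own choice: the names TCA, Edge, join, merger, merge_join, hide, expiring_fifo1 and sync; data and clock constraints kept as strings and conjoined syntactically; the data-parametrized locations s(d) collapsed into one symbolic location; and the positive-delay requirement of hide realised, as one possible reading of the text, by a fresh clock z that is reset on every edge and that guards the edges whose node-set became empty.

```python
"""Join (Definition 4.5), merger-based join and hide on timed constraint
automata (added example, not the paper's code). Data and clock constraints are
kept as strings and conjoined syntactically; the data-parametrized locations
s(d) are represented by the single symbolic location "s(d)"."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Edge:
    src: object
    nodes: frozenset   # N: nodes at which data-flow is observed
    dc: str            # data constraint
    cc: str            # clock constraint (guard)
    resets: frozenset  # C: clocks reset when the edge is taken
    dst: object

@dataclass(frozen=True)
class TCA:
    nodes: frozenset   # node-set the automaton speaks about
    locs: frozenset
    init: frozenset
    edges: frozenset
    inv: tuple         # ((location, invariance condition), ...)
    clocks: frozenset

def conj(a, b):
    """Syntactic conjunction of two constraints, dropping 'true'."""
    if a == "true":
        return b
    if b == "true":
        return a
    return f"({a}) ∧ ({b})"

def invariant(t, loc):
    return dict(t.inv).get(loc, "true")

def join(t1, t2):
    """Replicator join: two edges fire together iff they agree on the data-flow at
    the shared nodes (first rule); an edge without shared nodes, including every
    edge with an empty node-set, f fires alone (second rule and its symmetric rule)."""
    shared = t1.nodes & t2.nodes
    edges = set()
    for e1, e2 in product(t1.edges, t2.edges):
        if e1.nodes & shared == e2.nodes & shared:
            edges.add(Edge((e1.src, e2.src), e1.nodes | e2.nodes,
                           conj(e1.dc, e2.dc), conj(e1.cc, e2.cc),
                           e1.resets | e2.resets, (e1.dst, e2.dst)))
    for e1, s2 in product(t1.edges, t2.locs):
        if not e1.nodes & shared:
            edges.add(Edge((e1.src, s2), e1.nodes, e1.dc, e1.cc, e1.resets, (e1.dst, s2)))
    for s1, e2 in product(t1.locs, t2.edges):
        if not e2.nodes & shared:
            edges.add(Edge((s1, e2.src), e2.nodes, e2.dc, e2.cc, e2.resets, (s1, e2.dst)))
    locs = frozenset(product(t1.locs, t2.locs))
    inv = tuple((loc, conj(invariant(t1, loc[0]), invariant(t2, loc[1]))) for loc in locs)
    return TCA(t1.nodes | t2.nodes, locs, frozenset(product(t1.init, t2.init)),
               frozenset(edges), inv, t1.clocks | t2.clocks)

def single_location(nodes, edges):
    """Untimed TCA with one location s and the given (N, dc) self-loops."""
    E = frozenset(Edge("s", frozenset(n), dc, "true", frozenset(), "s") for n, dc in edges)
    return TCA(frozenset(nodes), frozenset({"s"}), frozenset({"s"}), E, (), frozenset())

def sync(a, b):                                   # synchronous channel a -> b
    return single_location({a, b}, [({a, b}, f"d_{b} = d_{a}")])

def merger(a, b, c):                              # T_Merger(a, b, c): c carries a's or b's value
    return single_location({a, b, c}, [({a, c}, f"d_{c} = d_{a}"), ({b, c}, f"d_{c} = d_{b}")])

def merge_join(ta, tb, a, b, c):
    """Join of the sink (or mixed) nodes a and b into the fresh node c."""
    return join(join(merger(a, b, c), ta), tb)

def expiring_fifo1(a, b, t, x="x"):
    """Expiring FIFO1 a -> b as described in the text: the item written at a is lost
    exactly t time units later unless taken at b; the loop at s(d) lets a new
    write coincide with the loss."""
    E = {Edge("s", frozenset({a}), f"d_{a} = d", "true", frozenset({x}), "s(d)"),
         Edge("s(d)", frozenset({b}), f"d_{b} = d", f"{x} ≤ {t}", frozenset(), "s"),
         Edge("s(d)", frozenset(), "true", f"{x} = {t}", frozenset(), "s"),
         Edge("s(d)", frozenset({a}), f"d_{a} = d'", f"{x} = {t}", frozenset({x}), "s(d)")}
    return TCA(frozenset({a, b}), frozenset({"s", "s(d)"}), frozenset({"s"}), frozenset(E),
               (("s(d)", f"{x} ≤ {t}"),), frozenset({x}))

def hide(t, hidden, z="z"):
    """Drop the hidden nodes from all edges. An edge whose node-set thereby becomes
    empty may be taken only after a positive delay; realised here (one reading of
    the text) by a fresh clock z that is reset on every edge."""
    edges = set()
    for e in t.edges:
        nodes = e.nodes - hidden
        cc = conj(e.cc, f"{z} > 0") if e.nodes and not nodes else e.cc
        edges.add(Edge(e.src, nodes, e.dc, cc, e.resets | {z}, e.dst))
    return TCA(t.nodes - hidden, t.locs, t.init, frozenset(edges), t.inv, t.clocks | {z})

def expiring_fifo_with_sync(t=3):
    """Expiring FIFO1 A -> B joined with a synchronous channel B -> C (so B is a
    mixed node), before and after hiding B: an expiring FIFO1 from A to C."""
    circuit = join(expiring_fifo1("A", "B", t), sync("B", "C"))
    return circuit, hide(circuit, {"B"})

def merged_syncs():
    """Synchronous channels A -> F1 and B -> F2 merged at the sink node F."""
    circuit = merge_join(sync("A", "F1"), sync("B", "F2"), "F1", "F2", "F")
    return circuit, hide(circuit, {"F1", "F2"})
```

Running expiring_fifo_with_sync() shows the two rules at work: the {B}-edge of the FIFO and the {B, C}-edge of the synchronous channel combine into one {B, C}-edge guarded by x ≤ t (first rule), while the {A}-edges and the ∅-edge modelling the loss pass through unchanged (second rule); after hiding B the result has exactly the edges of an expiring FIFO1 from A to C. In merged_syncs() no {A, B, F}-edge ever arises, which is the mutual exclusion the merger enforces.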
We state the correctness of the join and hide operators on TCA by means of their TSDS-languages (see Notation 2.8). For this, we define join and hide operators on TSDS-languages and establish a compositionality result in Lemma 4.9.
• The projection of a TSD stream to a node B (a timed data stream for B) is obtained by (1) removing all triples (N, δ, t) where B ∉ N; and (2) replacing each remaining triple (N, δ, t) with the pair (δ_B, t).
• Given two TSD streams θ_1 ∈ TSDS(𝒩_1) and θ_2 ∈ TSDS(𝒩_2), their join is undefined if there is a node
consists of all TSD streams that can be obtained by joining the TSD streams θ_1
The following lemma can be proved using similar arguments as in the untimed case (see [9] ): 
The join of TSDS-languages with the same node-set agrees with their intersection. Thus, we obtain: 
The problem of time-locks in Reo circuits
Of course, arbitrary combinations of timed channels can lead to TCA with time-locks (see below for an example). However, using (modifications of) standard region- or zone-graph algorithms [2, 16] we may check the time-lock freedom of a given Reo circuit. An example of a Reo circuit with a time-lock is shown in Fig. 18. Here, A starts the timer and simultaneously puts a data item into the buffer. On the one hand, the synchronous drain forces B to take the data item from the buffer simultaneously with the expiration of the timer (which occurs exactly 4 time units after A's write operation). On the other hand, the data value written by A into the buffer is lost exactly 3 time units after A's write operation. Thus, the write operation at A causes a time-lock.
Timed scheduled-data-stream logic
To specify the behavior of timed Reo circuits, one can use a TCA T and require that the TSD-language generated by a given Reo circuit is contained in L(T ). In this sense, T specifies the "legal" behavior of the circuit. However, it is often easier to use a logical formalism to express the desired properties rather than using an automata model.
In this section, we introduce timed scheduled-data-stream logic (TSDSL), a real-time variant of LTL that allows reasoning about the observable data-flow of a Reo circuit by means of the TSD streams generated by its underlying TCA. Instead of the next-step modality ○, TSDSL uses formulas of the type ⟨α⟩ϕ, which consist of a so-called timed scheduled-data expression α and a formula ϕ. This type of formula is inspired by propositional dynamic logic [12] and extended temporal logic [34]. The timed scheduled-data expressions are variants of timed regular expressions [10] built from atoms of the form ⟨N, dc⟩. The TSD expressions specify sets of finite TSD streams. The intuitive meaning of ⟨α⟩ϕ is that every initial run has a finite prefix generating a word of the language of α such that ϕ holds for the corresponding suffix.
Syntax of TSDSL
In the sequel, we assume a fixed finite and non-empty set N of nodes. The abstract syntax of TSDSL-formulas is given by the following grammar:
where α is a timed scheduled-data expression (TSD expression) built by the grammar:
Here, N is a non-empty node-set, dc a satisfiable data constraint for N, and I ⊆ R≥0 ∪ {ω} a (possibly unbounded) time interval with its upper bound in ℕ ∪ {ω}. The meanings of α_1 ∨ α_2 (union, choice), α_1 ∧ α_2 (intersection), α_1; α_2 (concatenation, sequential composition), and α* (Kleene closure, finitely many repetitions) are obvious. α_I has the same meaning as α, except for the additional requirement that the total execution time falls in the time interval I. Intuitively, ⟨α⟩ϕ holds for a TCA iff all its TSD streams have a finite prefix that generates an α-stream and ϕ holds for the remaining suffix. The dual operator of ⟨α⟩ϕ is [[α]]ϕ = ¬⟨α⟩¬ϕ, which holds for a TCA iff for each of its TSD streams θ and all prefixes of θ that generate an α-word, the formula ϕ holds for the corresponding suffix of θ. Other boolean connectives, like disjunction ∨ or implication →, are derived in the usual way.
Remark 5.1 We could also allow ω-regular TSD expressions, obtained by adding an ω-operator. Although this increases expressiveness, we skip this option here. In contrast to the real-time extensions of LTL, as, e.g., in [3, 5, 15], TSDSL does not use time-constrained temporal modalities such as U≤t. These can be added to TSDSL, but in the examples (see below) the time constraints in the TSD expressions turned out to be sufficient to formulate the relevant properties of Reo circuits.
Simplified notation. We often skip the semicolon of the concatenation operator (i.e., αβ stands for α; β). We simply write ⟨N⟩ for ⟨N, true⟩ and often omit brackets: e.g., ⟨A, dc⟩ is shorthand for ⟨{A}, dc⟩ and N for ⟨N⟩. We write ...A... to denote the disjunction of the expressions ⟨N⟩ where N ranges over all subsets of 𝒩 that contain the node A. The construct ¬A stands for the disjunction of all expressions ⟨N⟩ where N ranges over all non-empty node-sets that do not contain A. The construct · denotes the disjunction of all atoms ⟨N⟩ where N is an arbitrary non-empty node-set. The shorthand ⟨·⟩ϕ stands for ⟨⟨·⟩⟩ϕ. We also often skip true and write ⟨α⟩ for ⟨α⟩true: e.g., the TCA for the normal FIFO1 channel (Fig. 6) satisfies the formula
which states that the data-flows at nodes A and B alternate, starting with A.
Derived operators. The standard next-step operator is derived as ○ϕ = ⟨·⟩ϕ. In particular, ○true asserts the occurrence of some observable data-flow, while ¬○true states that data-flow has stopped. The modalities eventually and always can be derived as usual by ♦ϕ = true U ϕ and □ϕ = ¬♦¬ϕ. For instance, the following TSDSL formula specifies the behavior of a normal FIFO1 channel (see Fig. 6):
The expiring FIFO1 channel in Fig. 6 satisfies the TSDSL formula
which expresses the fact that within t time units after A's write-operation either B takes the element from the buffer or there is no observable data-flow. For the timed sequencer ( Fig. 2 and Example 4.3) the following formula holds
stating that whenever data-flow is observed at A, within the next t time units there is either data-flow at B or no observable data-flow at all.
The weak variant Ũ of until is obtained as ϕ_1 Ũ ϕ_2 = (ϕ_1 U ϕ_2) ∨ (□ϕ_1). For instance, the t-timer with reset-option (but without the off-option) fulfills the formula
Semantics of TSDSL
Notation 5.2 (Time cuts, concatenation, Kleene closure)
To provide the formal definition of the semantics of TSD expressions and TSDSL-formulas we need some additional notation for working with TSD streams. Let θ = (N_1, δ_1, t_1), (N_2, δ_2, t_2), ... be a TSD stream as in Notation 2.7. For a point in time t ∈ R≥0, we define θ↑t as the suffix of θ that ignores every data-flow that occurs before t and formalizes the observable behavior in the time interval [t, ∞[. Formally, if θ is as above then:
We use θ↓t to denote the TSD stream that describes the data-flow in the time interval
The concatenation of finite TSD streams is defined as follows. We define θ; ε = ε; θ = θ and otherwise:
If L and L̃ are TSDS-languages with the same node-set N then L; L̃ = {θ; θ̃ : θ ∈ L, θ̃ ∈ L̃}.
Semantics of TSD-expressions and TSDSL
L(⟨N, dc⟩) is the set of all TSD streams of length 1 that have the form (N, δ, t) where δ satisfies dc. The semantics of time-constrained expressions is formalized as
L(α_I) = {θ ∈ L(α) : τ(θ) ∈ I}.
Recall that τ(θ) denotes the execution time of θ (see Notation 2.7). The satisfaction relation ⊨ for TSDSL-formulas and TSD streams is defined by structural induction as shown in Fig. 19. For a TCA T we obtain
With any TSDSL-formula ϕ, we associate a TSDS-language as follows:
Logical equivalence ≡ of TSDSL-formulas is defined as usual by
Remark 5.3 TSDSL as a logic on TSD streams has the power to "separate" any two TSD streams θ_1, θ_2 whose time-abstract data flows (formalized by the induced sequences of node-set/data-assignment pairs) are different. To see this, we may simply take a prefix (N_1, δ_1, t_1), ..., (N_k, δ_k, t_k) of one of the TSD streams, say θ_1, such that θ_2 has no prefix of the form (N_1, δ_1, t'_1), ..., (N_k, δ_k, t'_k) for any time points t'_1, ..., t'_k
Here, the data assignments δ_i are viewed as data constraints. If, however, the time-abstract data flows of θ_1 and θ_2 agree, then it is possible that no TSDSL-formula can distinguish between θ_1 and θ_2. The reason for this is that we allow only natural (lower/upper) time bounds in TSD expressions. For instance, the TSD streams
fulfill the same TSDSL-formulas.
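The following Python program is an added example, my own code rather than anything from the paper: a checker that implements the semantics of TSD expressions and TSDSL formulas of this section over finite TSD streams and evaluates two of the properties discussed above on constructed sample streams, namely the alternation property of the normal FIFO1 channel and the property of the expiring FIFO1 channel, rendered here as □[[A]](⟨B⟩_[0,t] ∨ ¬⟨·⟩_[0,t]) because the formula itself is not reproduced on this page. Its assumptions are its own: a stream is a list of (node-set, data assignment, time) triples with increasing time stamps; a suffix starting after an event is measured from that event's time stamp, so that the execution time of a prefix is the time stamp of its last event; time intervals are closed, with None standing for the unbounded bound ω; and the check is a bounded one over given finite streams, not the model checking algorithm for TCA sketched later in the paper.

```python
"""TSD expressions and TSDSL formulas over finite TSD streams (added example,
not the paper's code). A stream is a list of (node-set, data assignment, time)
triples with increasing time stamps; the suffix from position i is measured
from the time of the event before it (0 at the start), so the execution time
of a prefix is the time stamp of its last event. Intervals are closed; None
stands for the unbounded bound ω."""

ANY = ("any",)                                       # the construct ·
def atom(nodes, dc=lambda delta: True): return ("atom", frozenset(nodes), dc)  # ⟨N, dc⟩
def seq(*parts): return ("seq",) + parts             # α1; α2; ...
def alt(a, b): return ("alt", a, b)                  # α1 ∨ α2
def star(a): return ("star", a)                      # α*
def within(a, lo=0.0, hi=None): return ("within", a, lo, hi)  # α_I with I = [lo, hi]

def ends(expr, stream, i):
    """All positions j such that the segment stream[i:j] lies in L(expr)."""
    kind = expr[0]
    if kind == "any":
        return {i + 1} if i < len(stream) else set()
    if kind == "atom":
        ok = i < len(stream) and stream[i][0] == expr[1] and expr[2](stream[i][1])
        return {i + 1} if ok else set()
    if kind == "seq":
        js = {i}
        for part in expr[1:]:
            js = set().union(*(ends(part, stream, j) for j in js))
        return js
    if kind == "alt":
        return ends(expr[1], stream, i) | ends(expr[2], stream, i)
    if kind == "star":                               # least fixpoint, ε included
        js, todo = {i}, [i]
        while todo:
            for j in ends(expr[1], stream, todo.pop()):
                if j not in js:
                    js.add(j)
                    todo.append(j)
        return js
    if kind == "within":
        start = stream[i - 1][2] if i > 0 else 0.0
        def tau(j):                                  # execution time of stream[i:j]
            return stream[j - 1][2] - start if j > i else 0.0
        return {j for j in ends(expr[1], stream, i)
                if expr[2] <= tau(j) and (expr[3] is None or tau(j) <= expr[3])}
    raise ValueError(kind)

TRUE = ("true",)
def neg(p): return ("not", p)
def conj(p, q): return ("and", p, q)
def until(p, q): return ("until", p, q)
def diamond(a, p=TRUE): return ("diamond", a, p)     # ⟨α⟩ϕ; ⟨α⟩ stands for ⟨α⟩true
def disj(p, q): return neg(conj(neg(p), neg(q)))
def box(a, p): return neg(diamond(a, neg(p)))        # [[α]]ϕ = ¬⟨α⟩¬ϕ
def nxt(p): return diamond(ANY, p)                   # ○ϕ = ⟨·⟩ϕ
def always(p): return neg(until(TRUE, neg(p)))       # □ϕ = ¬♦¬ϕ with ♦ϕ = true U ϕ

def sat(phi, stream, i=0):
    """Does the suffix of `stream` starting at position i satisfy phi?"""
    kind = phi[0]
    if kind == "true":
        return True
    if kind == "not":
        return not sat(phi[1], stream, i)
    if kind == "and":
        return sat(phi[1], stream, i) and sat(phi[2], stream, i)
    if kind == "diamond":                            # some α-prefix, then ϕ holds
        return any(sat(phi[2], stream, j) for j in ends(phi[1], stream, i))
    if kind == "until":                              # positions up to the empty suffix
        for j in range(i, len(stream) + 1):
            if sat(phi[2], stream, j):
                return True
            if not sat(phi[1], stream, j):
                return False
        return False
    raise ValueError(kind)

A, B = atom({"A"}), atom({"B"})

def alternation_property():
    """Data-flows at A and B alternate, starting with A (the normal FIFO1)."""
    stop = neg(nxt(TRUE))                            # ¬○true: data-flow has stopped
    return conj(disj(stop, diamond(A)),
                conj(always(box(A, disj(stop, diamond(B)))),
                     always(box(B, disj(stop, diamond(A))))))

def expiring_fifo_property(t):
    """□[[A]](⟨B⟩_[0,t] ∨ ¬⟨·⟩_[0,t]): within t time units after a write at A,
    either B takes the item or no data-flow is observed at all."""
    return always(box(A, disj(diamond(within(B, 0, t)),
                              neg(diamond(within(ANY, 0, t))))))

def ev(node, value, time):                           # constructed sample event
    return (frozenset({node}), {node: value}, time)

PLAIN = [ev("A", "d1", 1.0), ev("B", "d1", 2.0), ev("A", "d2", 3.0), ev("B", "d2", 4.0)]
EXPIRING = [ev("A", "d1", 0.5), ev("B", "d1", 2.0), ev("A", "d2", 4.0),   # d2 expires
            ev("A", "d3", 9.0), ev("B", "d3", 11.5)]                       # unobserved
OVERWRITE = [ev("A", "d1", 0.0), ev("A", "d2", 2.0)]  # second write while the buffer is full
```

On these constructed streams, sat(alternation_property(), PLAIN) holds and fails on EXPIRING (two consecutive writes at A), while sat(expiring_fifo_property(3), EXPIRING) holds: after the write at time 4.0 nothing observable happens within 3 time units, which is exactly the silent loss the formula allows. OVERWRITE violates the same property for t = 3 but not for t = 1, illustrating the remark above that TSDSL only sees the timing through the time bounds of its expressions.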
Example: the alternating bit protocol
The properties of the ABP (see Example 2.4 and Fig. 4) can be specified by the formula
for some time bound t. The formula ϕ_ABP(t) states that whenever the sender receives a message d at port I, within the next t time units the receiver will output d at port O, during which time the sender does not accept a new input message through port I.
Arbitrary choice of the time-parameters. For an arbitrary choice of the time-parameters t_S, t_R, ρ_S and ρ_R we cannot expect that T_ABP ⊨ ϕ_ABP(t). For instance, if ρ_S ≥ ρ_R = 5 and t_R = t_S = 2 then the following behavior is possible. The starting state is q_0 = ⟨in(0), wait(0), x = 0, y = 0⟩. Let us assume that the first input at I arrives at time instant 3. The invariance condition "y ≤ t_R = 2" of the receiver-location wait(0) forces the receiver to move to location ack(1) at time instant 2. Thus, we enter state
One time unit later, clock y has the value 2 and forces the receiver to leave location wait(0). We enter the global state q_6 = ⟨try(d, 0), ack(1), x = 1, y = 0⟩. After waiting for 1 time unit, the sender resends the pair (d, 0), which leads to the global state
One time unit later, the receiver resends the control bit 1, which the sender ignores again. We now reenter state q_4 and may continue in the same way, without ever producing an output at port O. Hence, for this choice of the time-parameters we obtain
In particular, there is no t such that ϕ ABP (t) holds for T ABP .
Special choices of the time-parameters. Assuming ρ_R < ρ_S < t_R and ρ_R < t_S, no message sent via the lossy channel connecting A and C will be lost. In fact, it can only happen that the receiver acknowledges the receipt of the last message more than once (because no upper time bound is assumed for the arrival of messages at input port I). The reachable fragment of the TCA is shown in Fig. 20. We obtain
stating that the delay for the output at O is bounded above by the maximal sojourn time of the sender in location wait(d, b) plus the maximal delay ρ_R for the receiver to send the acknowledgment after it receives a message through port C. (This is the best bound we can expect.) The fact that messages along the AC channel are never lost can be formalized by the TSDSL formula ¬♦⟨A⟩, which states that it is not possible to observe a data-flow at node A only (i.e., not together with C). When ρ_R < t_S < t_R and ρ_S < t_R − t_S, messages sent from A to C may get lost. However, when A resends the message, the receiver accepts the message through port C. In this case, we have
stating that the delay for the output at port O is at most the maximal delay for the sender and receiver to send their messages along the lossy channels connecting them, plus the deadline t_S which the sender uses for resending message-bit pairs. The reachable part of the TCA under these assumptions is shown in Fig. 21. The property that a message sent along the AC channel can be lost only once can be formalized by the TSDSL formula ¬♦⟨A (¬I)* A⟩.
[Fig. 21: TCA for the ABP for ρ_R < t_S < t_R and ρ_S < t_R − t_S]
TSDSL model checking
The TSDSL model checking problem addresses the question of whether T ⊨ ϕ for a given TCA T and TSDSL formula ϕ. We briefly sketch the main ideas of a TSDSL model checking algorithm that relies on a combination of (slight variants of) standard automata-based model checking algorithms for LTL [14, 33, 35] and timed regular expressions [10]. The rough idea is to provide an algorithm that tries to disprove the satisfaction of ϕ by T and "searches" for a witness for L(T) ⊈ L(ϕ), i.e., a TSD stream in L(T) where ϕ does not hold. The first step is to switch from ϕ to ¬ϕ, which is then turned into a TCA with Büchi acceptance. Formally, a Büchi TCA denotes a pair F = (T, S_acc) consisting of a TCA T = (S, Q, 𝒩, E, S_0, ic) and a set S_acc ⊆ S of accepting locations. A q-run in T is called accepting iff it is either finite and ends in an accepting location or visits an accepting location infinitely often. L(F) denotes the set of TSD streams that can be generated by an accepting maximal run. (Note that for any TCA T we have L(T) = L(F_T) where F_T is the Büchi TCA that results from T by declaring all locations to be accepting.)
For the given formula ¬ϕ, we may apply roughly the same techniques as suggested in [33, 34] for extended temporal logic to construct a Büchi TCA F with L(F) = L(¬ϕ). (The main steps of the construction of F are sketched below.) Then, we have:
Assuming disjoint clock sets of T and F (otherwise the clocks in F can be renamed to avoid name clashes), the join operator T ⋈ F yields a Büchi TCA which is obtained through the standard join operator (Definition 4.5), where the accepting locations ⟨s, s'⟩ of T ⋈ F are those where s is an arbitrary location of T and s' is an accepting location of F. Finally, we may apply the standard region graph algorithms [2] to check T ⋈ F for emptiness. Note that for the emptiness check the Büchi TCA T ⋈ F can be regarded as a standard timed automaton à la Alur and Dill: we just need to remove all edges with an unsatisfiable data constraint and then ignore the node-set/data-constraint labels of the remaining edges.
What remains is to explain how to obtain a Büchi TCA for TSDSL-formulas. We sketch here only the main ideas of this rather complex construction, which essentially uses techniques known from the literature, and put the emphasis on the modifications necessary for our purposes. The first step in the construction of F is to generate a (normal) TCA T_α for every TSD expression α that appears in a subformula of ¬ϕ of the form ⟨α⟩ψ. These automata T_α serve as the basic building blocks for the construction of F.
TCA for TSD-expressions. The TCA T_α can be constructed in a compositional way. T_α has a unique initial location, called start(α), and a location stop(α) such that L(α) is the set of all TSD streams that are induced by a finite run in T_α starting in start(α) and ending in stop(α).
The construction of T_α is by structural induction, essentially as described in [10]. For the atoms ⟨N, dc⟩ we use a TCA with two locations start(α) and stop(α) that are connected via the edge (start(α), N, dc, true, ∅, stop(α)). The invariance condition of both locations is true. If α is γ; β then we use the construction shown in Fig. 22. Here and in the sequel, edges with no label in the figures are assumed to be labelled with N = ∅, dc = true, cc = true and C = ∅.
A similar construction can be used for the choice operator α = γ ∨ β where we use edges from start(α) to start(γ ) and start(β) and from stop(γ ) and stop(β) to stop(α). See Fig. 23 . For the Kleene closure α = γ * , we may use a similar construction shown in Fig. 24 .
The above TCA T_α do not use any clock. In fact, proper timing constraints are needed only for TSD expressions with (non-trivial) time bounds. For α = γ_I we introduce one new clock x which is not used in T_γ and use the construction for T_α illustrated in Fig. 25. The invariance condition "x ∈ I" ensures that the location stop(α) can only be entered by runs whose execution time lies within the time interval I. Here, the edges from stop(γ) to stop(α) are labelled with the empty node-set and data and clock constraints true.
Büchi TCA for TSDSL-formulas. We now return to the problem of generating a Büchi TCA for a given TSDSL-formula ϕ. As mentioned above, we may apply adaptations of standard automata-based techniques for extended LTL model checking [33]. We first transform the original TSDSL-formula ϕ into an equivalent formula of an extended TSDS-logic. This logic is in the style of the extended temporal logic ETL_f à la Vardi and Wolper. Formulas of extended TSDS-logic are built by boolean combinators (¬ and ∧) and automata-formulas. The latter can be viewed as a generalization of the until-operator and of the formulas ⟨α⟩ψ. The automata-formulas have the form T(ψ_1, ..., ψ_n) where ψ_1, ..., ψ_n are formulas of the extended TSDS-logic and T is a slight variant of a TCA: the edges in T are either TCA-edges (i.e., labelled with a node-set, a data constraint, a clock constraint and a set of clocks) or edges with a label in {ψ_1, ..., ψ_n}. The other components (starting location, invariance conditions) are as in normal TCA. Moreover, T has a distinguished accepting state. For the purpose of TSDSL model checking, it suffices to deal with automata-formulas of the form T_α(ψ) (as a substitute for ⟨α⟩ψ) and A(ψ_1, ψ_2) (as a substitute for ψ_1 U ψ_2):
• T_α(ψ) arises from T_α by adding a ψ-labelled edge from stop(α) to a new accepting state.
• A(ψ_1, ψ_2) consists of an initial state q_0 with a ψ_1-labelled self-loop and an accepting state q_1 that is reached from q_0 via a ψ_2-labelled edge.
The syntax of extended TSDS-logic agrees with the syntax of ETL_f, except that we deal with TCA-like automata rather than nondeterministic finite automata. Roughly the same construction of Büchi automata for given ETL_f-formulas that has been suggested by Vardi and Wolper [33] can be applied in our setting, to obtain a Büchi TCA F for the given TSDSL-formula, viewed as a formula of extended TSDS-logic. The automaton F is obtained by combining a so-called local automaton F_L with an eventually automaton F_E. In the Vardi-Wolper construction, both automata F_L and F_E arise through a certain combination of the edges in the automata for the automata-subformulas. The same technique is applicable in our setting and allows us to "lift" the time-guards and invariance conditions in the TCA of automata-subformulas to obtain corresponding time-guards and invariance conditions in the constructed Büchi TCA.
Complexity of TSDSL model checking.
The major steps of the above sketched TSDSL model checking algorithm are (1) the construction of the Büchi TCA F for the negation of the given formula ϕ, and (2) checking emptiness for T F. While the TCA T_α for the sub-expressions of ϕ are linear in the length of α, the number of states in the resulting Büchi TCA F is exponential in the length of ϕ. The exponential blow-up arises in the construction of the local automaton F_L, whose locations are sets of subformulas of ϕ (respectively, of the corresponding formula of extended TSDS-logic). Thus, the number of locations in T F is O(exp(|ϕ|) · |T|). The cost of analysing the region graph of T F for the emptiness check is dominated by the number of regions. These grow exponentially in the number of clocks (in T and F) and linearly in the number of locations in the product. Thus, the running time of the sketched model checking algorithm is linear in the number of locations of T, and exponential in (a) the length of the formula ϕ, (b) the number of clocks in T, and (c) the number of time-bounded subexpressions α_I of ϕ.
satisfy exactly the same TSDSL-formulas. A sufficient decidable criterion for checking (TSDSL- or) language-equivalence of two TCA is to switch to a coarser equivalence corresponding to timed bisimulation for ordinary timed automata [11]. In our setting, a timed bisimulation for a TCA T is the coarsest equivalence ∼ on the state space Q of the induced state-transition graph A_T such that for all q_1, q_2 ∈ Q with q_1 ∼ q_2 and all N ⊆ N, δ ∈ DA(N), t ∈ R_≥0:
The relation is finer than language-inclusion, and thus preserves all TSDSL formulas in the sense that if q_1 q_2 and q_2 ⊨ ϕ then q_1 ⊨ ϕ. The question of whether one state of a TCA simulates another one can be answered with the help of the region graph construction as in [32].
Conclusion
In this paper, we introduced a formal model to reason about timing constraints for Reo component connectors. We presented composition operators for join and hide that can serve as a basis for the automated construction of an automaton model from a given (timed) Reo circuit, and as a starting point for its formal verification. In particular, (slightly modified versions of) well-known algorithms for checking time-lock freedom in ordinary timed automata can serve for checking the realizability of the coordination mechanisms of a Reo circuit with timing constraints. Moreover, we suggested a linear-time temporal logic for reasoning about the real-time behavior of component connectors based on their timed scheduled-data streams. Finally, we sketched how the standard model checking algorithms for timed automata can be adapted to our setting.
Our future work includes an implementation of the presented model checking algorithms and case studies. Moreover, we intend to study an alternating-time logic in the style of [4] that allows reasoning about the possibility for certain components to cooperate such that a given (real-time) property holds.
