On the semantics of communicating hardware processes and their translation into LOTOS for the verification of asynchronous circuits with CADP  by Garavel, Hubert et al.
Science of Computer Programming 74 (2009) 100–127
Contents lists available at ScienceDirect
Science of Computer Programming
journal homepage: www.elsevier.com/locate/scico
On the semantics of communicating hardware processes and their
translation into LOTOS for the verification of asynchronous
circuits with CADP
Hubert Garavel, Gwen Salaün, Wendelin Serwe ∗
INRIA Centre de Recherche Grenoble – Rhône-Alpes, VASY Project Team, France
a r t i c l e i n f o
Article history:
Received 12 December 2006
Received in revised form 21 July 2008
Accepted 18 September 2008
Available online 30 September 2008
Keywords:
Asynchronous circuit
Asynchronous logic
Asynchrony
Chp
Formal method
Gals architecture
Handshake protocol
Hardware architecture
Hardware design
Lotos
Modelling
Network on chip
Process calculus
Specification
Structured operational semantics
Translation
Validation
Verification
a b s t r a c t
Hardware process calculi, such as Chp (Communicating Hardware Processes), Balsa, orHaste
(formerly Tangram), are a natural approach for the description of asynchronous hardware
architectures. These calculi are extensions of standard process calculi with particular
synchronisation features implemented using handshake protocols. In this article, we first
give a structural operational semantics for value-passing Chp. Compared with the existing
semantics of Chp defined by translation into Petri nets, our semantics is general enough
to handle value-passing Chpwith communication channels open to the environment, and
is also independent of any particular (2- or 4-phase) handshake protocol used for circuit
implementation. We then describe the translation of Chp into the process calculus Lotos
(ISO standard 8807), in order to allow asynchronous hardware architectures expressed in
Chp to be verified using the Cadp verification toolbox for Lotos. A translator from Chp
to Lotos has been implemented and successfully used for the compositional verification
of two industrial case studies, namely an asynchronous implementation of the Des (Data
Encryption Standard) and an asynchronous interconnect of a NoC (Network on Chip).
© 2008 Elsevier B.V. All rights reserved.
1. Introduction
In the currently predominating synchronous approach to hardware design, a global clock is used to synchronise all parts
of a circuit. Unfortunately, a global clock requires significant chip space and power. Asynchronous architectures [1] attempt
at avoiding the issues arising from a global clock. There are two main kinds of asynchronous architectures:
– Gals (Globally Asynchronous, Locally Synchronous) architectures replace the global clock with several local clocks, by
splitting a design into asynchronous parts, each with a synchronous clock domain, and
– asynchronous circuits totally remove the notion of clock.
∗ Corresponding address: INRIA, VASY Project Team, 655, avenue de l’Europe, F-38334 St. Ismier Cedex, France.
E-mail address:Wendelin.Serwe@inria.fr (W. Serwe).
URL: http://www.inrialpes.fr/vasy/people/Wendelin.Serwe (W. Serwe).
0167-6423/$ – see front matter© 2008 Elsevier B.V. All rights reserved.
doi:10.1016/j.scico.2008.09.011
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 101
In these architectures, the different parts of a circuit evolve concurrently at different speeds, with no constraints
on communication delays. Such asynchronous designs reduce power consumption, enhance modularity, and increase
performance [2]. However, they raise problems that do not exist in the synchronous approach, e.g. proving the absence
of deadlocks in a circuit. Also, there is no widely established asynchronous design methodology with mature tool support
available up to now.
To master the design of asynchronous circuits, adequate description languages are necessary. For this purpose, several
process calculi (or process algebras) dedicated to the description of asynchronous hardware have been proposed, such asChp
(Communicating Hardware Processes) [3], Balsa [4], andHaste [5] (formerly Tangram [6]). These hardware process calculi are
based on similar principles as standard process calculi [7,8] such as Acp, Ccs, Csp, Lotos, µCrl, etc. Especially, they provide
operators such as nondeterministic choice, sequential, and parallel composition. However, comparedwith standard process
calculi, they offer extensions to express the low-level aspects of hardware communications, such as the implementation of
synchronisation by handshake protocols. In particular, communication in Chp, Balsa, or Haste is not necessarily atomic as
it is in standard process calculi, and may combine message-passing with shared memory communication. For instance, the
probe operation [9] of Chp allows one to check whether the communication partner is ready for a communication or not, but
without actually performing the communication. Chp, Balsa, and Haste are supported by synthesis tools that can generate
the implementation of a circuit from its process algebraic description. For instance, the Tast tool [10] can generate netlists
from Chp descriptions.
In this article, we focus on Chp, which is used in the geographical area of the authors by major actors, such as
STMicroelectronics, France Telecom R&D, and the Cea/Leti laboratory. Although there exist synthesis tools for Chp, the
verification of Chp descriptions still lacks tool support. Continuing previouswork [11] towards verification of Chp, our goal is
to enable the application of the Cadp toolbox [12] developed for standard process calculi, such as the international standard
Lotos [13], to the particular case of Chp. Therefore, we study the translation from Chp to Lotos, and consequently the formal
semantics of Chp.
So far, the semantics of Chp has only been partially formalised by a translation into Petri nets; this formalisation was
based on a subset of Chp supporting only pure synchronisation and closed systems [14]. A formal semantics for full Chp is
mandatory to ensure a safe development and verification of Chp designs. In this article, we address this problem by giving a
formal Sos (Structural Operational Semantics) [7, chapter 3] semantics for value-passing Chp with communication channels
open to the environment.
We present in a second step a translation algorithm from full Chp into Lotos. This algorithm is based on a structural
induction on the Chp description. To minimise the state space corresponding to the generated Lotos code, our translation
implements an optimisation based on code specialisation. This optimisation technique avoids as much as possible the
generation of Lotos gates and processes by distinguishing several translation strategies for Chp channels depending on
the use of probes in the Chp specification. A Chp to Lotos translator has been implemented and successfully used for the
compositional verification of two industrial case studies.
The remainder of the article is organised as follows. Section 2 presents the main features of the Chp hardware process
algebra, putting emphasis on the probe operation, an original feature of Chp. Section 3 defines an Sos semantics for
Chp. Section 4 presents translation rules from Chp into Lotos. Section 5 briefly describes the Chp to Lotos translator
implementing these translation rules, and reports about its application to two industrial case studies, namely an
asynchronous implementation of theDes (Data Encryption Standard) [15] and an asynchronous communication interconnect
of a NoC (Network on Chip) [16]. Finally, Section 6 compares our approach with related work, and Section 7 gives some
concluding remarks.
2. Main features of CHP
In this section, we focus on the behavioural part of Chp [10], and omit additional structures, such as modules and
component libraries, which are intended to designers convenience but have no impact on the operational semantics. We
do not detail the low-level aspects of concrete syntax, but present a high-level view of Chp, focusing on abstract syntax and
semantics features.
2.1. Syntax
A Chp description is a tuple
〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
consisting of a finite set of channels C = {c1, . . . , cm} for handshake
communication, a finite set of typed variablesX = {x1, . . . , xl}, and a finite set of concurrent processes Bˆi communicating by
the channels C. Let Ci be the set of channels used by Bˆi. Without loss of generality, we suppose that all identifiers (channels
and variables) are distinct.
Each variable is local to a single process, and there is no shared variable between processes. Let Xi be the set of local
variables of process Bˆi, the set X being the disjoint union of the n sets X0, . . . ,Xn. Chp provides a set of predefined data
types (booleans, natural numbers, fixed-length bit vectors, and one-dimensional arrays of bit-vectors) together with a set
of predefined side-effect-free operations, written f1, . . . , fk (logic, arithmetic, as well as shift and rotation operations); the
list of predefined types and operations is detailed in [10]. Variables are typed; the type of a variable x is written as type(x).
V stands for the set of value expressions built using the predefined data types and operations.
102 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
A channel c is either binary (if it connects two processes) or unary (if it connects a process and the environment); in
the latter case, c is also called a port; the predicate port(c) is true iff c is a port. Channels are typed, using the same set of
predefined data types already used for variables; the type of a channel c is written as type(c). Channels are unidirectional,
i.e. a process Bˆi must use a given channel c only for emissions or only for receptions; in such a case, we say that Bˆi is an
emitter (respectively a receiver on c). Furthermore, a process is either always active or always passive for a channel c; all
communications on cmust be initiated by the process active for c . This distinction between active and passive is also present
in other hardware process calculi such as Haste and Balsa. Note that these two process attributes (emitter/receiver and
active/passive) are statically defined and orthogonal, e.g. passive emission is possible and useful in applications as discussed
in [16, Section 4.2]. In the examples of this article, however, emission is generally assumed active. Binary channels can only
connect matching processes, i.e. for each binary channel, there is one emitter and one receiver, as well as one active and one
passive process, both notions being orthogonal. For each process Bˆi, we define a function Hi that maps channels to elements
of the set {neutral, active, passive}; for a channel c , Hi(c) = active (respectively passive) iff process Bˆi is active (respectively
passive) for channel c; otherwise, i.e. if Bˆi never uses c , Hi(c) = neutral.
A Chp process B is described using communication actions, assignments, collateral and sequential compositions, and
nondeterministic guarded commands. B corresponds to any piece of behaviour, whereas we note Bˆi a process definition
belonging to the top level Chp description ‘‘Bˆ0 ‖ · · · ‖ Bˆn’’. In the following abstract syntax, lower case identifiers stand for
terminals and upper case identifiers stand for non terminals.
B ::= nil deadlock1
| skip null action
| c!V emission on channel c
| c?x reception on channel c
| x:=V assignment
| B1; B2 sequential composition
| B1, B2 collateral composition
| @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn] guarded commands
T ::= break | loop terminations
V ::= x | f (V1, . . . , Vn) value expression
| c #V | c # probe on a passive channel
Collateral composition has higher priority than sequential composition. Brackets can be used to express the desired
behaviour, e.g. ‘‘B1, (B2;B3)’’.
The precise semantics of these constructs will be explained in Section 3. Most of them have a meaning as is usual in
process calculi. Here, we only elaborate on the non-standard constructs.
2.2. Informal semantics of parallel composition in CHP
The collateral composition ‘‘,’’ and the parallel composition of processes ‘‘‖’’, which is used at the top level in ‘‘Bˆ0 ‖
· · · ‖ Bˆn’’, correspond to two different notions of concurrency. The collateral composition ‘‘,’’ specifies concurrent execution
without any communication, whereas the parallel composition ‘‘‖’’ specifies concurrent execution with handshake
communications between processes. In a process ‘‘B1,B2’’, if B1 modifies a variable x, B2 must neither access the value of
x nor modify x, and the sets of channels used by B1 and B2 must be disjoint (which also prohibits two interleaved emissions
or receptions on a same channel). In Bˆ1 ‖ Bˆ2, there are also no shared variables between Bˆ1 and Bˆ2.
2.3. Informal semantics of guarded choice in CHP
A guarded command ‘‘B = @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]’’ expresses the choice between the behaviours B0, . . . , Bn.
A Bi can only be chosen if the boolean value Vi, called guard, is valid. The ‘‘break’’ keyword indicates that the execution
of B terminates; the ‘‘loop’’ keyword indicates that B must be executed once more, thus allowing loops to be specified in
Chp. The choice is internal, i.e. other concurrent behaviours do not have control nor influence on the choice. The version of
Chp implemented in Tast [10] also allows deterministic guarded commands which are a particular case of nondeterministic
guarded commands with mutually exclusive guards; without loss of generality, we consider only nondeterministic guarded
commands in this article.
1 The deadlocking process ‘‘nil’’ is not present in the version of Chp implemented in Tast [10], but is required in Section 3 for a proper definition of the
operational semantics.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 103
2.4. Informal semantics of handshake communication in CHP
Communication between concurrent processes in Chp is implemented by means of hardware handshake protocols.
As mentioned in [14], there exists several implementation protocols, such as the 2-phase protocol (based on transition
signalling) and the 4-phase protocol (based on level signalling). Depending on the chosen protocol, each Chp channel
c will be implemented physically as a set of wires xc needed to carry data transmitted on c , and two control wires
creq and cgr implementing an access protocol to xc . Common to both protocols is that a communication on a channel
c is initiated by the process active for c , which has to wait until the communication is completed by the passive
process.
The 2-phase protocol for communication on a channel c between two processes B1 (active) and B2 (passive) consists of
the following two phases:
(i) Initiation: B1 sends a request to B2 by performing an electrical transition (‘‘zero-to-one’’ or ‘‘one-to-zero’’) on creq.
(ii) Completion: B2 sends an acknowledgement (or grant) to B1 by performing an electrical transition on cgr ; the emitted
value is assigned to the variable of the receiver using the wires xc .
A 4-phase protocol consists of the following four phases:
(i) Initiation: electrical transition ‘‘zero-to-one’’ on creq
(ii) Completion: electrical transition ‘‘zero-to-one’’ on cgr
(iii) ‘‘one-to-zero’’ for creq
(iv) ‘‘one-to-zero’’ for cgr
2.5. Informal semantics of the probe operation in CHP
The probe operation of Chpwas introduced in [9] andwas found to be useful in the design of asynchronous hardware. The
notation ‘‘c #’’ allows a passive process (either the emitter or the receiver) to check whether its active partner has already
initiated a communication on c. The notation ‘‘c #V ’’, which can only be used by a receiver, checks whether the emitter has
initiated the emission of the particular value V . Thus, the probe allows a process to query information about the current
internal state (i.e. whether the communication has been initiated or not) of a concurrent process without completing the
communication actually.
The probe operation allows one to express external choice in Chp: this can be done by including in the guards appropriate
probe operations to guarantee that the chosen branch can be executed. The arbiter examples given in Section 2.6 illustrate
this use of the probe operation. The probe operation also allows to implement multiple reads, by executing ‘‘c #V ’’ several
times, which avoids the hardware cost of an additional variable to store V .
Similar operators are also present in other hardware process calculi. For instance, Haste [5] provides a ‘‘probe(c)’’
operation that can be used only in guards and is similar to ‘‘c #’’ in Chp. Balsa provides a particular form of reception,
called input enclosure [4], which allows the receiver to perform several commands before acknowledging the reception,
whereas the emitter witnesses an atomic communication. Hence, in hardware process calculi, a rendezvous communication
might be decomposed into different steps, corresponding to the handshake protocol used for implementing the
rendezvous.
Notice that the abstract syntax allows to use the probe operator ‘‘#’’ in any expression, thus also in emissions and
assignments. Although we are not aware of any application using behaviours such as ‘‘c1!c2 #’’, we do not want to exclude
them a priori, as they might be useful in some situations. For instance, the process ‘‘c!c #’’ transmits a boolean value to the
active receiver, indicating whether the passive emitter is ready for the emission before (transmission of the value false) or
after (transmission of the value true) the initialisation of the communication by the receiver.
2.6. Running examples: Asynchronous arbiters without and with priorities
Throughout this article we consider the example of an asynchronous arbiter presented in [14], which we generalise in
two ways: we use value-passing communications instead of pure synchronisations, and we model an arbiter open to its
environment by keeping the shared resource outside of the arbiter itself.
Arbiters are commonplace in digital systems, whenever a restricted number of resources (such as memories, ports,
buses, etc.) have to be allocated to different client processes. Fig. 1 depicts the situation in which two clients compete
for accessing a common resource. Each client transmits a request for the resource to the arbiter via an individual channel
(c1 or c2). A third channel c allows the arbiter to emit the number of the selected client (1 or 2) to the environment, i.e.
the resource. The arbiter chooses nondeterministically between the clients with pending requests. The corresponding Chp
description is〈{c, c1, c2}, {}, client-1 ‖ client-2 ‖ arbiter〉
104 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
Fig. 1. Architecture of the asynchronous arbiter.
where all three channels have an active emitter and a passive receiver, the set of variables is empty, and the three processes
are described as follows:( arbiter
without
priorities
) client-1: @[true⇒ c1!; loop]
client-2: @[true⇒ c2!; loop]
arbiter: @[c1 #⇒ (c!1, c1?); loop c2 #⇒ (c!2, c2?); loop]
This example shows how the probe operation allows to model external choice. The arbiter uses probe operations to check
whether a client has a pending request for the resource; since the arbiter selects a client only if a request for this client is
pending, the clients can influence the choice made by the arbiter. Without the probe operations, the arbiter might select
client-1 even if client-1 has no pending request; in this case, any request of client-2 (even if pending) is granted only after
waiting for and handling a request of client-1.
To illustrate the general case of probes used in expressions, we extend this arbiter in order to distinguish high and low
priority requests. In this new system, the behaviour of both clients differs, since client-1 can emit requests with different
priorities. In this case, a boolean parameter is sent along channel c1 to indicate whether the request has a high (parameter
set to true) or normal (parameter set to false) priority. Consequently, client-1 has precedence when submitting a priority
request. The corresponding Chp description is〈{c, c1, c2}, {x}, client-1 ‖ client-2 ‖ arbiter〉
where the boolean variable x — taking values in the set {true, false} — is local to the arbiter, and where the three processes
are described as follows:( arbiter
with
priorities
) client-1: @[true⇒ c1!true ; loop true⇒ c1!false ; loop]
client-2: @[true⇒ c2!; loop]
arbiter: @[c1 #⇒ (c!1, c1?x); loop c2 # and (not(c1 #true))⇒ (c!2, c2?); loop]
In this example, requests from client-1 can always be served, while the arbiter accepts requests from client-2 only if client-1
is not trying to access the resource with a high priority.
3. A structural operational semantics for CHP
In this section, we propose an Sos semantics for Chp with value-passing communications. This semantics allows probe
operations in any expression, extending a previous version [17, Section 3], which allowed probe operations only in guards.
This semantics is defined without expanding communications according to a particular handshake protocol. This
approach is general in the sense that it gives to any Chp description
〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
a unique behavioural semantics
by means of an Lts (Labelled Transition System). In this Lts, a state consists of two parts: data and behaviour. A transition
corresponds either to an observable action (communication on a channel) 2 or an internal action, noted τ . 3 As stated by
the semantics of Chp given in [14], internal actions are generated whenever a process assigns one of its local variables.
Our definitions follow the usual interleaving semantics of process calculi, i.e. at every instant, at most one (observable or
internal) action can take place.
We first present the notion of environment that gives the semantics of the data part of Chp. Then, we define the
behavioural semantics of Chp in two steps, starting with the semantics of a single process Bˆi taken in isolation, followed
by the semantics of a set of communicating processes ‘‘Bˆ0 ‖ · · · ‖ Bˆn’’. Finally, we relate our semantics to the approach
of [14].
3.1. Environments
A key semantic difficulty in Chp is the treatment of the probe operation, since this operation exploits the fact that
communication is not atomic at the lower level of implementation. Inspired by the actual hardware implementation of
Chp, we associate to each channel c a shared variable noted xc that is modified only by the process active for c and might
be read by the process passive for c . For a channel c with an active emitter, the type of xc is type(c). The active emitter
2 Chp has no hiding or restriction operator; thus, all inputs and outputs are observable.
3 This is generally not the case in standard process calculi, in which an assignment to a local variable does not create an internal action, all actions being
created by input/output communications.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 105
assigns the emitted value to xc when initiating the communication, and resets xc (to the undefined value, noted ‘‘⊥’’) when
completing the communication. A variable xc is equal to ⊥ iff all initiated communications on c have been completed. For
a channel with an active receiver, the type of xc is the singleton {ready}, meaning that the active receiver has initiated the
communication. Formally, we define the extended set of variables as X∗ = X ∪ {xc | c ∈ C}, and define X∗i as the set
of the local variables of Bˆi and all the variables xc such that channel c is used by Bˆi. Notice that the additional variables xc
ensure, for each channel c with an active emitter, that a value sent by the active process on c can be read or probed as often
as desired by the passive process before completion of the communication.
We define an environment E on X∗ as a partial mapping from X∗ to ground values (i.e. constants), and write
environments as sets of associations ‘‘x 7→ v’’ of a ground value v to a variable x. Environment updates are described by the
operator, which is defined as follows:
(∀x ∈ X∗) (E1  E2)(x) = {E1(x) if E2(x) = ⊥E2(x) otherwise
The environment obtained by resetting a variable x to⊥ in an environment E is defined by the function reset(E, x):
(∀x′ ∈ X∗) (reset(E, x))(x′) = {⊥ if x′ = x
E(x′) otherwise
The semantics of a value expression V is defined by an evaluation function eval(E, V ), which behaves as usual, but takes
the probe operation into account. eval(E, V ) can be undefined, since Chp (contrary to Lotos) does not force all variables to
be initialised. In the sequel, we suppose that all variables are properly initialised.
eval(E, x) = E(x)
eval
(
E, f (V1, . . . , Vn)
) = f (eval(E, V1), . . . , eval(E, Vn))
eval(E, c #) = true ⇐⇒ E(xc) 6= ⊥
eval(E, c #V ) = true ⇐⇒ E(xc) = eval(E, V )
3.2. Behavioural semantics for a single process
Our semantics associates to each process Bˆi an Lts
〈
Si,Li,−→b, 〈Ei, Bˆi〉
〉
, where:
– The set of states Si contains pairs 〈E, B〉 of a process B and an environment E onX∗i .
– The set of labels Li contains emissions, receptions, τ actions (representing internal transitions, such as assignments to
local variables), and a particular label
√
representing successful termination.
– The transition relation ‘‘−→b’’ is defined below by Sos rules derived from those used for Bpaε (Basic Process Algebra with
empty process ε) in [7, chapter 3], extended with values and environments. As for Bpaε , we write 〈E, B〉√ as a shorthand
notation for 〈E, B〉
√
−→b 〈E,nil〉.
– The initial state is 〈Ei, Bˆi〉, where the initial environment Ei assigns the undefined value⊥ to all variables ofX∗i .
This Lts is constructed using a function H that maps each channel to an element of the set {neutral, active, passive}; for each
Bˆi, the actual value of H is the function Hi defined in Section 2.1.
Rules for nil. There are no rules for nil because nil is in a deadlock state and cannot evolve.
Rules for skip. Similar to the empty process ε of Bpaε , the process skip can always be executed and terminates successfully.
〈E, skip〉√
The difference between a deadlock and a process that terminates successfully is subtle. In both cases, no more transition
is possible, but a successful termination is always preceded by an observable transition with special label
√
. The same
approach to distinguish deadlock states and terminating states using special transitions is also used in other process algebras,
such as Bpaε or Lotos.
Rules for assignments. An assignment can always be executed and modifies the environment by updating the value of the
variable to be assigned.
〈
E, x:=V
〉 τ−→b 〈E  {x 7→ eval(E, V )}, skip〉
106 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
Rules for emissions. A passive emission can always be executed.
H(c) = passive〈
E, c!V
〉 c!eval(E,V )−−−−−→b 〈E, skip〉
An active emission on a channel c involves two successive transitions: the first (internal) one assigns a value to the
shared variable xc , which is initially set to ⊥, and the second one completes the communication by resetting xc . This two
step approach is general enough to represent 2-phase and 4-phase protocols.
H(c) = active eval(E, xc) = ⊥〈
E, c!V
〉 τ−→b 〈E  {xc 7→ eval(E, V )}, c!V 〉 H(c) = active eval(E, xc) 6= ⊥〈E, c!V 〉 c!eval(E,V )−−−−−→b 〈reset(E, xc), skip〉
Rules for receptions. These rules are dual of those for emissions.
H(c) = passive〈
E, c?x
〉 c?eval(E,xc )−−−−−−→b 〈E  {x 7→ eval(E, xc)}, skip〉
H(c) = active eval(E, xc) = ⊥〈
E, c?x
〉 τ−→b 〈E  {xc 7→ ready}, c?x〉 H(c) = active eval(E, xc) 6= ⊥ V ∈ type(c)〈E, c?x〉 c?V−−→b 〈reset(E, xc) {x 7→ V }, skip〉
Contrary to the first rule, which uses the value of xc as the received value, the third rule enumerates all possible ground
values V that might be received on channel c.
Rules for sequential composition. The first rule applies as long as behaviour B1 has not terminated. The second rule indicates
that when B1 can terminate successfully, the execution of B2 starts.
L 6= √ 〈E, B1〉 L−→b 〈E ′, B′1〉
〈E, B1;B2〉 L−→b 〈E ′, B′1;B2〉
〈E, B1〉√ 〈E, B2〉 L−→b 〈E ′, B′2〉
〈E, B1;B2〉 L−→b 〈E ′, B′2〉
Rules for collateral composition. The two first rules correspond to the independent evolution of behaviours B1 and
B2, respectively. The third rule expresses that when both behaviours terminate, the collateral composition terminates
successfully.
L 6= √ 〈E, B1〉 L−→b 〈E ′, B′1〉
〈E, B1,B2〉 L−→b 〈E ′, B′1,B2〉
L 6= √ 〈E, B2〉 L−→b 〈E ′, B′2〉
〈E, B1,B2〉 L−→b 〈E ′, B1,B′2〉
〈E, B1〉√ 〈E, B2〉√
〈E, B1,B2〉√
Rules for guarded commands. The rules for guarded commands express that a branch whose guard is true can be selected.
As in [14], the selection of a branch is modelled by an internal transition, reflecting that choice is internal in Chp. If the
chosen branch ends with ‘‘break’’, the guarded command terminates when the branch terminates. If it ends with ‘‘loop’’ the
guarded command will be restarted once more after executing the branch.
(∃i ∈ {1, . . . , n}) eval(E, Vi) = true Ti = break〈
E, @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]
〉 τ−→b 〈E, Bi〉
(∃i ∈ {1, . . . , n}) eval(E, Vi) = true Ti = loop〈
E, @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]
〉 τ−→b 〈E ′, Bi; @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]〉
3.3. Semantics for communicating processes
The semantics of a Chp description
〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
is defined by the parallel composition of the (n+1) ‘‘local’’ Ltss〈
Si,Li,−→b, 〈Ei, Bˆi〉
〉
produced from the individual processes Bˆi and the corresponding functions Hi according to the rules of
Section 3.2. Formally, this composition is a ‘‘global’’ Lts
〈
S, L, −→, 〈E0, Bˆ0, . . . , Bˆn〉
〉
, where:
– The set of states S contains tuples 〈E, B0, . . . , Bn〉 consisting of (n+ 1) processes B0, . . . , Bn and a global environment E
onX∗ =⋃ni=0X∗i . E is the union of the local environments Ei onX∗i of the processes Bˆi. The setsX∗i are disjoint for the
setsXi (local variables of Bˆi), but for each binary channel c connecting Bˆi and Bˆj (i 6= j), the variable xc occurs inX∗i and
X∗j ; this is not a problem, since xc is only modified by the process active for c.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 107
– The set of labelsL is the union of the sets of labelsLiminus those labels that correspond to receptions on binary channels.
We represent synchronised communications (i.e. an emission and a reception) using the same symbol ‘‘!’’ as for emissions
(following the convention used in the Lts generated from Lotos using Cadp [12]).
– The transition relation ‘‘−→’’ is defined by the three Sos rules Internal, Com, and Env below.
– The initial state is 〈E0, Bˆ0, . . . , Bˆn〉, where E0 is the empty initial environment, i.e. (∀x ∈ X∗) E0(x) = ⊥.
Let internal(L) be the predicate that is true iff L is either a τ or corresponds to a communication on a port (i.e. a unary channel
open to the environment):
(∀L ∈ L) internal(L) ⇐⇒
(
L = τ ∨ ((∃c ∈ C) (∃V ∈ V) (L = c!V ∨ L = c?V ) ∧ port(c)))
The first Sos rule describes the evolution of the i-th process Bi independently of the others. Itmodels either an assignment
to a variable, or the communication on a port c that is open to the environment and does not need to be synchronised with
another process Bj (i 6= j).
(∃i ∈ {0, . . . , n}) 〈E, Bi〉 L−→b 〈E ′, B′i〉 internal(L)〈
E, B0, . . . , Bi, . . . , Bn
〉 L−→ 〈E ′, B0, . . . , B′i, . . . , Bn〉 . (Internal)
The next rule describes the communication between an emitter process Bi and a receiver process Bj exchanging values
over channel c .
(∃i ∈ {0, . . . , n}) 〈E, Bi〉 c!V−→b 〈E ′, B′i〉 (∃j ∈ {0, . . . , n}) 〈E, Bj〉 c?V−−→b 〈E ′′, B′j〉〈
E, B0, . . . , Bi, . . . , Bj, . . . , Bn
〉 c!V−→ 〈reset(E ′′, xc), B0, . . . , B′i, . . . , B′j, . . . , Bn〉 (Com)
Note that i and j in rule (Com) are different and uniquely defined, since communications are binary (one emitter and one
receiver for each channel). Note also that, if E ′ and E differ in rule (Com), the only possible modification (resetting xc) is
applied to E ′′ in the right hand side of the conclusion of rule (Com).
The rules presented so far are sufficient to define the semantics of (closed) systems without passive ports, i.e. unary
channels for which no process Bˆi is active. The following rule completes the semantics by modelling the environment as an
active process that communicates with each passive port c:
(∃i ∈ {0, . . . , n}) Hi(c) = passive (∀j ∈ {0, . . . , n}) ¬Hj(c) = active eval(E, xc) = ⊥ V ∈ type(xc)〈
E, B0, . . . , Bn
〉 τ−→ 〈E  {xc 7→ V }, B0, . . . , Bn〉 (Env)
This rule is similar to those defining the semantics of asynchronous processes communicating via shared memory, as for
instance, concurrent constraint programming [18] or concurrent declarative programming [19, Table 5.3, page 142].
Example 1. This example shows the necessity of rule (Env). Consider the following two processes B1 and B2, which are
derived from the arbiter of Section 2.6:
B1 = @[c1 #⇒ (c!1, c1?); loop]
B2 = @[c2 #⇒ (c!2, c2?); loop]
Here, c1 and c2 are passive ports open to the environment. Without rule (Env), both B1 and B2 would be equivalent to the
deadlock process nil. Thus, one would expect that in the behaviour ‘‘B1 ‖ client-2’’, B1 could be replaced by B2 without
modifying the semantics. However, ‘‘B1 ‖ client-2’’ is equivalent to nil, but ‘‘B2 ‖ client-2’’ is not — the corresponding Lts is
shown in Fig. 2. Rule (Env) solves this issue by giving a different semantics to B1 and B2.
Example 2. For the arbiter with priorities of Section 2.6, the Lts generated according to the operational semantics has 51
states and 112 transitions. After minimisation with respect to branching bisimulation [20], the resulting Lts (Fig. 3) has 18
states, 34 transitions, and 6 different labels corresponding to internal τ actions and communications on channels c , c1, and
c2.
3.4. Comparison with the existing petri net translation
So far, the only existing semantics for Chp proceeds by a translation of Chp into Petri nets [14]. This formalisation only
handles a subset of Chp that, compared with full Chp presented in Section 2, is restricted in two ways: it allows only pure
synchronisations (instead of value-passing communications), allows probe operations only in guards, and forbids ports open
to the environment. By handling full Chp, our semantics allows one to describe circuits with inputs and outputs properly. In
this section, our goal is not to compare formally our semantics with the Petri nets encoding, but to explain the principles of
such a comparison, and point out the differences between both semantics.
This section is split into three parts. First, we introduce the basics of the Petri net encoding. Second, we sketch how Ltss
can be obtained from these Petri nets. Last, we stress differences between Ltss generated from both approaches.
108 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
Fig. 2. Lts for ‘‘B2 ‖ client-2’’ of Example 1.
Fig. 3. Lts for the arbiter with priorities — minimised with respect to branching bisimulation.
Translation of CHP to petri nets. Similar to our Sos semantics, [14] defines the translation of a Chp description
〈
C, X, Bˆ1 ‖
· · · ‖ Bˆn
〉
into Petri nets in two successive steps:
– In a first step, the Petri nets corresponding to the processes Bˆi are constructed separately following the patterns sketched
in [14]. Petri net placesmay be labelledwith assignments, emissions, and receptions. Petri net transitionsmay be labelled
with the guards of Chp guarded commands.
– In a second step, the separate Petri nets are merged into one global Petri net. To model synchronisation on channels,
[14] gives two different translations, depending on the handshake protocol (2- or 4-phase) used for the implementation.
In both cases, channels are modelled by additional places and transitions that encode the chosen handshake protocol.
Notice that for each channel c the places labelled ‘‘c!’’ and ‘‘c?’’ are kept separate, i.e. there is no transition merging
(contrary to [21] for instance).
Example 3. Consider an adaptation of the simple arbiter of Section 2.6 in order to meet the restrictions of [14] (no ports
open to the environment and pure synchronisations only). The corresponding Chp description is
〈{c1, c2}, {x}, client-1 ‖
client-2 ‖ arbiter〉, where channels c1 and c2 have an active emitter and a passive receiver, where variable x is local to the
arbiter, and where the three processes are defined as follows:
client-1: @[true⇒ c1!; loop]
client-2: @[true⇒ c2!; loop]
arbiter: @[c1 #⇒ x:=1; c1?; loop c2 #⇒ x:=2; c2?; loop]
The corresponding Petri net for a 4-phase protocol is shown in Fig. 4. Places are represented by circles, and transitions by
thick lines. Whenever a place is both an input and an output place of some transition, we use a double-headed arrow (as for
places labelled c1req, c1gr , c2req, and c2gr ). The Petri nets corresponding to the three processes are framed in dotted boxes. The
places modelling the channels c1 and c2 are framed in dashed boxes.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 109
Fig. 4. Petri net for the arbiter in Example 3.
Fig. 5. Duplication of Petri net places.
Deriving an LTS from a CHP Petri net. As for ordinary Petri nets, a Petri net model of [14] has tokens in the places; the Petri
nets generated from Chp descriptions are one-safe, i.e. each place contains at most one token. A transition can be fired
when all its input places contain a token and its guard (if any) is true; after firing, the input places lose their token and
the output places get a token. The Petri nets of [14] have also a different behaviour than ordinary Petri nets, to take into
account the actions attached to places. For instance, if two places with action (e.g. ‘‘c1!’’ and ‘‘c2!’’ in Fig. 4) have a token,
then interleaved transitions have to be created for these actions. From [14] and following discussions with the first author
of [14], we conjecture that these Ltss can be obtained by the following two steps:
– First, the Petri net needs to be transformed into a (more standard) Petri net model, in which actions are attached to
transitions. As shown in Fig. 5, each place q labelled with an action a (i.e. emission, reception, or assignment) is replaced
by two places q1 and q2, linked with a new transition labelled with action a. Place q is replaced by q1 (respectively q2) in
the sets of output (respectively input) places of all transitions arriving in (respectively leaving) q. In the case a transition
t has q both as an input and an output place (i.e. t is linked to q with a double-headed arrow such as t1 in Fig. 5), q is
replaced by q2 in the sets of input and output places of t .
– Then, the Lts is obtained by applying to themodified Petri net amarking graph construction algorithm extendedwith the
evaluation of expressions and guards. The transitions of this Lts are labelled with the emissions and receptions attached
to Petri net transitions. If a Petri net transition is not labelled with an emission or a reception, the corresponding Lts
transition is labelled with τ .
Comparison of both approaches. We can try to compare the LtsSos obtained by our Sos semantics and LtsPN obtained after
translation of Chp into Petri nets according to [14]. Given that [14] does not deal with value-passing communications and
open systems, comparison is only possible for closed systems with pure synchronisations. Comparison of LtsSos and LtsPN
is not immediate, for several reasons.
First, the places and transitions added to the Petri nets for the communication channels introduce τ -transitions in LtsPN
that have no counterpart in LtsSos; thus, LtsSos and LtsPN are not strongly equivalent. 4 Second, the sets of labels of LtsSos and
LtsPN are different: on the one hand, LtsPN contains both ‘‘c!’’ and ‘‘c?’’ as labels, since the places labelled ‘‘c!’’ and ‘‘c?’’ are
kept separate in the Petri net model of [14]; on the other hand, for closed systems LtsSos does not contain labels of the form
‘‘c?’’; thus, comparing LtsSos and LtsPN would require to rename into τ all labels of LtsPN corresponding to communications
by active processes, and to replace all remaining ‘‘?’’ by ‘‘!’’.
4. Principles of a translation from CHP into LOTOS
In order to check the correctness of asynchronous circuit designs, our approach is to translate Chp into Lotos so that tools
for Lotos (namely, the Cadp verification toolbox [12]) can be applied.
4 Strong equivalence (or strong bisimulation) [22] treats τ -transitions like visible transitions.
110 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
4.1. Overview of LOTOS
Lotos (Language Of Temporal Ordering Specification) is a specification language for distributed open systems,
standardised by Iso [13]. A Lotos specification is composed of two parts: a process part based on Ccs [23] and Csp [24], and
a data part based on the algebraic data type language ActOne [25]. We present hereafter only the subset of Lotos needed
for expressing Chp; the data part being straightforward, we focus on the process part. For a complete description of Lotos,
we refer the reader to existing tutorials, such as [26].
The following grammar uses the same conventions as for Chp, i.e. lower case identifiers stand for terminals and upper
case identifiers stand for non terminals; x is a variable, s a sort, f a function, and g a gate for rendezvous communication.
V ::= x | f (V1, . . . , Vn) value expression
O ::= !V emission
| ?x : s reception
B ::= stop deadlock
| exit successful termination
| let x : s = V in B0 variable definition
| τ ; B0 internal action
| g O1 . . . On; B0 rendezvous on gate g with offers O1, . . . ,On
| B1 >> accept x0 : s0, . . . , xn : sn in B2 sequential composition
| [V]-> B0 guarded behaviour
| B1 [] B2 nondeterministic choice
| choice x0 : s0, . . . , xn : sn [] B choice over values
| B1 |[g1, . . . , gn]| B2 parallel composition
| B1 ||| B2 parallel interleaving
| P[g1, . . . , gm](V1, . . . , Vn) process call
F ::= noexit | exit(s1, . . . , sn) functionality
The behaviour of a process B in Lotos is described using rendezvous communications, sequential and parallel compositions,
guarded behaviours, nondeterministic choices, choices over values, process calls, etc. Rendezvous communications in Lotos
allow one to exchange several values – called offers – at the same time. The behaviour ‘‘choice x0 : s0, . . . , xn : sn [] B’’
assigns to each variable xi a nondeterministically chosen value in the domain of sort si, and then behaves as B. The so-called
functionality of a Lotos process P is ‘‘noexit’’ if P never terminates, or ‘‘exit(s1, . . . , sn)’’ if P may terminate and return a
possibly empty set of values of sorts s1, . . . , sn.
The definition of a Lotos process P involves a list of formal gates g1, . . . , gm, a list of formal parameters x1, . . . , xn of sort
s1, . . . , sn, a functionality F , a behaviour B, and possibly other process definitions d1, . . . , dp:
process P[g1, . . . , gm](x1 : s0, . . . , xn : sn) : F :=
B
where
d1, . . . , dp
endproc
4.2. Overview of the CHP to LOTOS translation
We first highlight the main features of the translation of Chp into Lotos:
– Each Chp type (booleans, natural numbers, bit vectors, etc.) is translated into a Lotos sort (i.e. algebraic data types).
– Each Chp operation is translated into a Lotos operation, which is implemented either using Lotos algebraic equations or
directly by C code (as Cadp allows one to import hand-written C code).
– Each Chp channel c is translated into a Lotos gatewith the same name c togetherwith, in case c is probed, a Lotos process
to handle variable xc .
– Each Chp variable x is translated into one ormore Lotos variables (i.e. value identifiers in the Lotos standard terminology)
with the same name and the same type as x. Several Lotos variables might be required, since Lotos processes follow
the functional paradigm in which a variable can be assigned only once (whereas Chp variables can be assigned several
times).
– Sequential composition ‘‘;’’ in Chp is symmetric, whereas Lotos has two different operators for sequential composition:
an asymmetric action prefix ‘‘;’’ and a symmetric sequential composition ‘‘>>’’. Variables assigned on the left hand
side of a Chp ‘‘;’’ can be used on the right hand side, whereas variables assigned on the left hand side of a Lotos ‘‘>>’’
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 111
must be explicitly listed (in an ‘‘accept . . . in’’ clause) to be used on the right hand side. Furthermore, ‘‘>>’’ creates an
internal τ -transition, contrary to the ‘‘;’’ operators of both Chp and Lotos. There are two options when translating Chp
to Lotos. A simple approach is to generate Lotos code containing only ‘‘>>’’, but this adds unnecessary τ -transitions
in the corresponding Lts, thus contributing to state space explosion. A better approach is to generate ‘‘;’’ whenever
possible and ‘‘>>’’ only when needed. In this article, we adopt the second approach, which produces better Lotos
code (in the sense that the corresponding Lts has less states and transitions) at the expense of a more involved
translation.
– Chp has a neutral element (skip) for its sequential composition, whereas Lotos lacks neutral elements for both ‘‘;’’ (which
is asymmetric) and ‘‘>>’’ (which creates a τ -transition).
– Chp has a loop operator, whereas Lotos does not; thus, Chp loops must be translated into recursive Lotos processes.
– Chp expressions may contain probes, i.e. accesses to shared variables xc , whereas Lotos forbids shared variables. As a
consequence, the translation of the probe operation requires the generation of additional transitions modelling accesses
to communication channels.
– Evaluation of an expression V is an atomic operation in Chp, whereas Lotos requires a sequence of as many transitions
as there are probe operations in V . To preserve atomicity, we will introduce a semaphore-based locking mechanism
discussed in Section 4.5.
The remainder of this section is organised as follows. First, we introduce data-flow analysis and other auxiliary
definitions. Then, we present preliminary simplifications of Chp descriptions prior to the translation. The translation
function c2l itself is defined in two steps: translation of a single Chp process and translation of several Chp processes
composed in parallel. Then, we illustrate the translation on the arbiter example. Finally, we discuss the possible relations
between our Lotos translation with the Sos semantics of Section 3; to prepare this discussion, we will enhance
the definition of the translation function c2l with remarks about preservation of branching equivalence during the
translation.
4.3. Auxiliary definitions
Data-flow analysis. We introduce the following data-flow sets inspired from [27, Section 3]. Let def (B) be the set of all
variables modified (in assignments or receptions) in at least one branch of process B:
def (nil) = ∅ def (x:=V ) = {x}
def (skip) = ∅ def (B1;B2) = def (B1) ∪ def (B2)
def (c!V ) = ∅ def (B1,B2) = def (B1) ∪ def (B2)
def (c?x) = {x} def (@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]) =⋃ni=0 def (Bi)
Let defn(B) be the set of all variables modified in all branches of process B:
defn(nil) = ∅ defn(x:=V ) = {x}
defn(skip) = ∅ defn(B1;B2) = defn(B1) ∪ defn(B2)
defn(c!V ) = ∅ defn(B1,B2) = defn(B1) ∪ defn(B2)
defn(c?x) = {x} defn(@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]) =⋂ni=0 defn(Bi)
We have def (B) = defn(B) for any behaviour B that does not contain a choice, i.e. a guarded command with more than one
branch.
Let usev(V ) be the set of all variables read in value expression V :
usev(x) = {x} usev(c #) = ∅
usev
(
f (V1, . . . , Vn)
) =⋃ni=1 usev(Vi) usev(c #V ) = usev(V )
Let use(B) be the set of all variables used (in expressions of assignments, emissions, or guards) in a process B before any
modification of these variables in B:
use(nil) = ∅ use(x:=V ) = usev(V )
use(skip) = ∅ use(B1;B2) = use(B1) ∪
(
use(B2) \ defn(B1)
)
use(c!V ) = usev(V ) use(B1,B2) = use(B1) ∪ use(B2)
use(c?x) = ∅ use(@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]) =⋃ni=0(usev(Vi) ∪ use(Bi))
Functionalities. The Lotos functionality corresponding to a Chp process B is given by the function func(B,D,U), where D
andU are two sets (in fact, alphabetically ordered lists) of variables, specifying the context in which B is executed; precisely,
112 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
the set of variables defined before B is executed, and used after B is executed, respectively.
func(nil,D,U) = noexit
func(skip,D,U) = exit(D ∩ U)
func(c!V ,D,U) = exit(D ∩ U)
func(c?x,D,U) = exit((D ∪ {x}) ∩ U)
func(x:=V ,D,U) = exit((D ∪ {x}) ∩ U)
func(B1;B2,D,U) =
{
noexit if func(B1,D,U) = noexit ∨ func(B2,D,U) = noexit
exit
(
(D ∪ def (B1) ∪ def (B2)) ∩ U
)
otherwise
func(B1,B2,D,U) =
{
noexit if func(B1,D,U) = noexit ∨ func(B2,D,U) = noexit
exit
(
(D ∪ def (B1) ∪ def (B2)) ∩ U
)
otherwise
func(@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn],D,U) ={
noexit if (∀i ∈ {0, . . . , n}) (func(Bi,D,U) = noexit ∨ Ti = loop)
exit
((
D ∪⋃ni=0 def (Bi)) ∩ U) otherwise
Let inf (B) be the predicate that is true iff func(B,∅,∅) = noexit.
Channels. Let chanv(V ) be the set of channels occurring in value expression V ; by definition, these channels are probed
in V :
chanv(x) = ∅
chanv
(
f (V1, . . . , Vn)
) =⋃ni=1 chanv(Vi)
chanv(c #) = {c}
chanv(c #V ) = {c} ∪ chanv(V )
Let chan(B) be the set of channels occurring in behaviour B:
chan(nil) = ∅ chan(x:=V ) = chanv(V )
chan(skip) = ∅ chan(B1;B2) = chan(B1) ∪ chan(B2)
chan(c!V ) = {c} ∪ chanv(V ) chan(B1,B2) = chan(B1) ∪ chan(B2)
chan(c?x) = {c} chan(@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn])
=⋃ni=0(chanv(Vi) ∪ chan(Bi))
Channel profiles. In order tominimise the state space corresponding to the generated Lotos code, the translation of a channel
c and of the communications on c depends on the profile of c , i.e. whether and how c is probed by the passive process for c.
The profile of a channel c can take one out of three enumerated values:
– unprobed: the channel c is never probed,
– single: any probe operation on c appears as a guard, e.g. ‘‘c1 #⇒ . . .’’ (as in the simple arbiter without priorities), and
– general: a probe on c is used in an expression, e.g. ‘‘c2 # and (not(c1 #true)) ⇒ . . .’’ (as in the arbiter with priorities,
where both channels c1 and c2 have profile ‘‘general’’).
We define an order unprobed < single < general (the smaller the value, the more ‘‘efficient’’ the generated Lotos will be).
We note ‘‘max(x, y)’’ the maximal element of the two profiles x and y.
Channel profiles for a Chp description are computed statically as defined below. Let a profile environment be a partial
function mapping channels to their profiles; as for environments (see Section 3.1), we write profile environments as sets of
associations c 7→ {unprobed, single, general}, where c is a channel. We define
(∀c ∈ C) (E1 unionmulti E2)(c) =

E1(c) if E2(c) is undefined
E2(c) if E1(c) is undefined
max
(
E1(c), E2(c)
)
otherwise
Let profilev(V ) be the partial function associating the ‘‘general’’ profile to each channel probed in the value expression V :
profilev(V ) =
{
c 7→ general | c ∈ chanv(V )
}
The boolean expressions occurring as guards in the ‘‘@[...]’’ operator need to handled differently from ‘‘ordinary’’ expressions.
Indeed, if the outermost operation of a guard V is a probe on channel c , and V does not contain any other occurrence of a
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 113
probe operation, the profile of c is ‘‘single’’. Let profileg(V ) be the partial function computing profile environments for those
channels occurring in guard V :
profileg(x) = ∅
profileg
(
f (V1, . . . , Vn)
) = profilev(f (V1, . . . , Vn))
profileg(c #) = {c 7→ single}
profileg(c #V ) =
{{c 7→ single} if profilev(V ) = ∅
{c ′ 7→ general | c ′ = c ∨ c ′ ∈ chanv(V )} otherwise
Let profileb(B,H) be the partial function computing profiles for channels occurring in the behaviour B, where parameter H
is a partial function mapping channels to the set {neutral, active, passive} (see Section 2.1). Function profileb is defined as
follows:
profileb(nil,H) = ∅
profileb(skip,H) = ∅
profileb(c!V ,H) =
{{c 7→ unprobed} unionmulti profilev(V ) if H(c) = passive
profilev(V ) otherwise
profileb(c?x,H) =
{{c 7→ unprobed} if H(c) = passive
∅ otherwise
profileb(x:=V ,H) = profilev(V )
profileb(B1;B2,H) = profileb(B1,H) unionmulti profileb(B2,H)
profileb(B1,B2,H) = profileb(B1,H) unionmulti profileb(B2,H)
profileb(@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn],H) =
⊎n
i=0
(
profileg(Vi) unionmulti profileb(Bi,H)
)
Finally, for a Chp description
〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
, the partial function profilemapping a channel to its profile is defined
by:
profile = (⊎ni=0 profileb(Bˆi,Hi)) unionmulti {c 7→ unprobed | c ∈ C ∧ port(c)}
Note that profile uses the profile ‘‘unprobed’’ as default value for each port; this simplifies the Lotos code produced by the
translation and reduces the size of the corresponding state space.
4.4. Preliminary simplifications
Prior to translation, we simplify all Chp processes by applying the following transformations in sequence:
– All occurrences of skip are removed wherever possible, based on the facts that (1) skip is neutral element for sequential
and collateral composition, (2) any branch ‘‘V ⇒ skip; loop’’ of a guarded command can be removed, and (3) any
Bˆi equal to skip can be removed from ‘‘Bˆ0 ‖ · · · ‖ Bˆn’’. After these transformations, skip may occur only in branches
‘‘V ⇒ skip; break’’ of guarded commands.
– The abstract syntax tree of all processes Bˆi is reorganised so that the sequential composition operator ‘‘;’’ is right bracketed
(based on the associativity of Chp sequential composition). After transformation, each sequence ‘‘B1; B2; B3’’ is bracketed
as ‘‘B1; (B2; B3)’’, even if it were bracketed as ‘‘(B1; B2); B3’’ before.
– If the rightmost process Bn of a maximal sequence ‘‘B0; . . . ;Bn’’ is of the form ‘‘x:=V ’’, ‘‘c!V ’’, or ‘‘c?x’’, a final skip is
added, leading to the sequence ‘‘B0; . . . ;Bn; skip’’. This transformation simplifies the syntax-driven induction presented
in Section 4.5.
– For each process of the form ‘‘B1;B2’’ such that inf (B1), B2 can be removed as it will never be executed. Similarly, in each
process of the form ‘‘B1,B2’’ such that inf (B1) = ¬inf (B2), we replace the process Bi (i ∈ {1, 2}) such that inf (Bi) is false,
by ‘‘Bi; nil’’. Also, if¬inf (Bˆi), then Bˆi is replaced by ‘‘Bˆi; nil’’. These transformations are needed to obey the static check of
functionalities in Lotos.
After these transformations, all assignments and all communications (emissions and receptions) occur in prefix-form, i.e.
they occur only in processes of the form ‘‘x:=V ; B’’, ‘‘c!V ; B’’, or ‘‘c?x; B’’. Precisely, Chp processes obtained after these
transformations have the following syntax:
B ::= nil | skip | A;B | B1,B2 | @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]
A ::= x:=V | c !V | c ?x | B1,B2 | @[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]
where T and V are defined as in Section 2. In the sequel, we use this new grammar for the definition of the translation
functions.
114 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
4.5. Translation of a single process
AChpprocess Bˆi is translated into a Lotosprocesswhose body is obtainedusing the recursive function c2lb(B,H,D,U,∆),
where B is a Chp process to translate, H is a mapping from channels to {neutral, active, passive}, and D, U , and ∆ are sets
(in fact, alphabetically ordered lists) of variables necessary to compute the variables transmitted over Lotos sequential
composition operators ‘‘>>’’. Intuitively, D is the set of variables that have a defined value before the execution of B, U is the
set of variables thatmay be used after the execution of B, and∆ is an auxiliary set of defined variables suitable for translating
collateral compositions. We have the invariant property that D ⊆ ∆.
Translation of channels. We apply code specialisation to optimise the translation of channels, i.e. the translation of a channel
depends on its profile — ‘‘unprobed’’, ‘‘single’’, or ‘‘general’’.
– A Chp communication on a channel c of profile ‘‘unprobed’’ is translated directly into a single Lotos rendezvous on gate
c.
– The translation of a channel c of profile ‘‘single’’ also requires only one Lotos gate c . Probe operations are translated into
communications on gate c; they are distinguished by an additional offer ‘‘!Probe’’, where ‘‘Probe’’ is a special constant
belonging to an enumerated type with a single value. This translation is based on the value-matching communication
feature of Lotos, which allows the emitter and the receiver both to synchronise on the same offer ‘‘!Probe’’.
– A channel c of profile ‘‘general’’ is translated into a Lotos process channel_c which manages the shared variable xc
introduced in the Chp operational semantics. Five Lotos gates are introduced, namely three gates (c , c_init , c_probe)
dedicated to the channel c , and two gates (probe_enable and probe_disable) common to all channels of profile ‘‘general’’. A
Chp communication on c is translated into two Lotos communications: a binary communication on gate c_init between
the active process and channel_c , followed by a three-party rendezvous on gate c between the emitter, the receiver, and
channel_c. A probe is translated into a binary communication on c_probe between the passive process and channel_c.
Because channels are binary, for a given shared variable xc the potential conflicts on xc to be considered are only
those between one single writer (the process active for c) and one single reader (the process passive for c). However, the
situation is not so simple, because there are several shared variables and because each process may wish to read several
variables simultaneously in an atomic step (during which one should prevent these variables from being modified).
Different approaches are possible to ensure atomicity of such a transition sequence, as for instance, a locking
mechanism, or a single process for all channel variables xc (so as to allow several channels to be probed in a single
transition). We chose the locking approach for its modularity (when considering a subset of processes, only those
channels linking the processes are required). Without loss of generality, we present in this article a single lock for all
channels; using several locks (where all channels probed in a same expression share the same lock) might even lead to
larger but equivalent state spaces (due to the interleaving of the confluent [28] transitions).
The locking mechanism is implemented by the two gates ‘‘probe_enable’’ (to acquire the lock) and ‘‘probe_disable’’
(to release the lock). A shared variable can be modified (for initialisation – communication on c_init – and reset after
the communication on c) if no process owns the lock (i.e. if no process is between a synchronisation on probe_enable
and the next synchronisation on probe_disable). Conversely, a shared variable can only be read if some process owns
the lock. Stated otherwise, a synchronisation on probe_enable places all shared variables in a read access mode, and a
synchronisation on probe_disable places all shared variables in a write access mode (this is the default initial mode).
The precise definition of channel_c can take two forms:
• If channel c links an active emitter and a passive receiver, the process channel_c is defined as follows:
process channel_c[probe_enable, probe_disable, c, c_init, c_probe] : noexit :=
c_init ?x : s; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe](x)
[]
probe_enable; (
c_probe !false !⊥; probe_disable; channel_c[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_disable; channel_c[probe_enable, probe_disable, c, c_init, c_probe] )
where
process channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe](x : s) : noexit :=
c !x; channel_c[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_enable; (
c_probe !true !x; probe_disable; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe](x)
[]
probe_disable; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe](x) )
endproc
endproc
• If channel c links a passive emitter to an active receiver, the translation is slightly simpler, as one can remove the
parameter x of channel_c_comm since the value exchanged on c does not need to be stored:
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 115
process channel_c[probe_enable, probe_disable, c, c_init, c_probe] : noexit :=
c_init; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_enable; (
c_probe !false; probe_disable; channel_c[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_disable; channel_c[probe_enable, probe_disable, c, c_init, c_probe] )
where
process channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe]: noexit :=
c ?x : s; channel_c[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_enable; (
c_probe !true; probe_disable; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe]
[]
probe_disable; channel_c_comm[probe_enable, probe_disable, c, c_init, c_probe] )
endproc
endproc
Remark. Compared with the Chp operational semantics, the translation into Lotos introduces additional transitions (those
containing ‘‘!Probe’’ offers, synchronisations on the gates probe_enable, probe_disable, and communications on gates of one of
the forms c_init and c_probe). Anticipating the discussion about the correctness of the translation (see Section 4.10), these
transitions should be hidden (i.e. renamed into τ ) when comparing the translation into Lotos with the Chp operational
semantics. 
Translation of value expressions. The translation of a value expression V is straightforward except for the probe operations
that may occur in V . For each channel c probed by V , the shared variable xc must be read. Thus, each evaluation of a value
expression V (in an emission, an assignment, or a guard) must be preceded by a sequence of communications with all
channels probed by V . We define
query_probe(V0, . . . , Vn) =
probe_enable; c1_probe ?xc1 : bool ?xc1 : s1; . . . ; cm_probe ?xcm : bool ?xcm : sm; probe_disable
where {c1, . . . , cm} =
{
c ′ | profile(c ′) = general ∧ c ′ ∈⋃ni=0 chanv(Vi)} is the set of channels of profile ‘‘general’’ probed
by value expressions V0, . . . , Vn. For each probed channel c , this translation introduces two auxiliary variables, a boolean xc
(which is true iff channel c is ready to communicate) and xc (which contains the value carried by c when xc is true).
Remark. There are only two places at which the translation generates synchronisations on probe_enable and probe_disable;
the other one will be seen below during the translation of guarded commands. The above definition of query_probe
guarantees that a synchronisation on probe_enable is eventually followed by a synchronisation on probe_disable, since all
rendezvous between probe_enable and probe_disable are communications with processes channel_c that always accept to
synchronise on gates c_probe (after a synchronisation on probe_enable). Thus, because there is only a single lock which is
eventually released, the locking mechanism does not introduce deadlocks. 
We define c2lv(x) as the function translating a Chp value expression into a Lotos value expression:
c2lv(x) = x
c2lv
(
f (V1, . . . , Vn)
) = f (c2lv(V1), . . . , c2lv(Vn))
c2lv(c #) = xc
c2lv(c #V ) = xc ∧
(
xc = c2lv(V )
)
Translation of nil. nil is translated into stop.
Remark. The Chp operational semantics and the translation into Lotos coincide in associating nil to a deadlock. 
Translation of skip. Due to the preliminary transformations of Section 4.4, skip may only occur in a guarded command as
a branch ‘‘V ⇒ skip; break’’ (this case is handled below as part of guarded commands) or at the end of a sequence. In the
latter case:
c2lb(skip,H,D,U,∆) = exit(ξ1, . . . , ξn)
where {x1, . . . , xn} = ∆ ∩ U , and (∀i ∈ {1, . . . , n}) ξi = xi if xi ∈ D or ξi = ‘‘any type(xi)’’ otherwise.
Remark. The translation into Lotos generates a transition (labelled with ‘‘exit(ξ1, . . . , ξn)’’) that corresponds to the
√
-
transition of the Chp operational semantics. 
116 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
Translation of ‘‘c !V ; B’’ and ‘‘c ?x; B’’ when profile(c) = unprobed. Communication on a channel of profile ‘‘unprobed’’ is
translated directly into a Lotos rendezvous communication:
c2lb(‘‘c !V ; B’’,H,D,U,∆) = query_probe(V ); c !c2lv(V ); c2lb(B,H,D,U,∆)
c2lb(‘‘c ?x; B’’,H,D,U,∆) = c ?x : s; c2lb(B,H,D ∪ {x},U,∆ ∪ {x}).
Remark. As regards the relationship between this translation and the operational semantics given in Section 3 for Chp
emissions and receptions, four (i.e. 2× 2) cases should be considered depending on:
– Emission v. reception: for a reception the translation into Lotos generates a single rendezvous on c; for an emission it
generates a rendezvous on c that occurs after a sequence of transitions (communications on c_probe and synchronisations
on probe_enable and probe_disable, see the definition of query_probe above), required to evaluate the value V .
– H(c) = passive v. H(c) = active: in the former case, the first rule of the Chp operational semantics for emissions
(respectively receptions) produces a single transition (communication on c); in the latter case, two transitions are
produced: a first τ -transition (second inference rule on the left, corresponding to an assignment to the variable xc)
followed by a communication on c (third rule on the right).
Thus, the four cases are the following:
– Passive reception: both the Chp operational semantics and the translation into Lotos generate one single rendezvous on
c.
– Active emission: the τ -transition the Chp operational semantics matches the sequence of transitions (generated by
query_probe); if these transitions are hidden, branching equivalence is preserved.
– Passive emission: the translation into Lotos introduces a sequence of transitions that, if hidden, preserve branching
equivalence (this is a particular case of the more general notion of τ -confluence [28]).
– Active reception: the τ -translation generated by the second rule (on the left) of the Chp operation semantics for receptions
is confluent; therefore the Lotos code can be optimised by not generating a τ -transition while still preserving branching
equivalence. 
Translation of ‘‘c !V ; B’’ and ‘‘c ?x; B’’ when profile(c) = general. The translation of an emission on a channel c depends
whether H(c) is ‘‘active’’ or ‘‘passive’’:
– A passive emission – when H(c) = passive – is translated as follows:
c2lb(‘‘c !V ; B’’,H,D,U,∆) = query_probe(V ); c !c2lv(V ); c2lb(B,H,D,U,∆).
– The translation of an active emission – when H(c) = active – requires in addition to initialise the variable xc before
communication. Thus, the translation of an active emission is as follows:
c2lb(‘‘c !V ; B’’,H,D,U,∆) = query_probe(V ); c_init !c2lv(V ); c !c2lv(V ); c2lb(B,H,D,U,∆)
The translation of a reception on a channel c of sort s = type(c) depends whether H(c) is ‘‘active’’ or ‘‘passive’’:
– A passive reception – when H(c) = passive – is translated as follows:
c2lb(‘‘c ?x; B’’,H,D,U,∆) = c ?x : s; c2lb(B,H,D ∪ {x},U,∆ ∪ {x}).
– An active reception – when H(c) = active – additionally requires to initiate the communication on the channel c:
c2lb(‘‘c ?x; B’’,H,D,U,∆) = c_init; c ?x : s; c2lb(B,H,D ∪ {x},U,∆ ∪ {x}).
Remark. As regards the relationship between this translation and the operational semantics given in Section 3 for Chp
emissions and receptions, three out of four cases are similar to the case where profile(c) = unprobed (see above). In the
case of an active reception, the second rule (on the left) of the Chp operational semantics generates a τ transition, which is
matched by the rendezvous on c_init; if c_init is hidden, branching equivalence is preserved. 
Translation of ‘‘c !V ; B’’ and ‘‘c ?x; B’’ when profile(c) = single. The translation depends on the value of H(c):
– If H(c) = passive, the translation is straightforward (identical to the ‘‘unprobed’’ case):
c2lb(‘‘c !V ; B’’,H,D,U,∆) = query_probe(V ); c !c2lv(V ); c2lb(B,H,D,U,∆)
c2lb(‘‘c ?x; B’’,H,D,U,∆) = c ?x : s; c2lb(B,H,D ∪ {x},U,∆ ∪ {x})
where s = type(c).
Remark. Branching equivalence is preserved for the same reasons as for the ‘‘unprobed’’ case. 
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 117
– If H(c) = active, the translation is more involved because the active process Bˆi must allow its passive partner to probe
channel c an arbitrary number of times. Thus, the active processmust allowany actual communication on c to bepreceded
by a (possible empty) sequence of communicationswith an additional offer ‘‘!Probe’’ (asmentioned during the translation
of channels). This protocol is encapsulated in an auxiliary Lotos process channel_c , the definition of which depends
whether c is used for emission or reception.
• An active emission ‘‘c !V ; B’’ is translated as follows:
c2lb(‘‘c !V ; B’’,H,D,U,∆) = query_probe(V ); channel_c[c]
(
c2lv(V ), x1, . . . , xn
)
>> accept x1 : s′1, . . . , xn : s′n in c2lb(B,H,D′,U,∆′)
where {c1, . . . , cm} = chanv(V ), (∀i ∈ {1, . . . ,m}) si = type(xci), U ′ = use(B) ∪ U , D′ = D ∩ U ′, ∆′ = ∆ ∩ U ′,{x1, . . . , xn} = D′, and (∀i ∈ {1, . . . , n}) s′i = type(xi). Process channel_c is defined by:
process channel_c[c](x : s, x1 : s1, . . . , xn : sn) : exit(s1, . . . , sn) :=
c !x; exit(x1, . . . , xn) [] c !Probe !x; channel_c[c](x, x1, . . . , xn)
endproc
where s = type(c).
Remark. As for all active emissions, the translation into Lotos introduces a sequence of communications that,
after hiding, matches the τ -transition generated by the Chp operational semantics, thus preserving branching
equivalence. 
• An active reception ‘‘c ?x; B’’ translates as follows:
c2lb(‘‘c ?x; B’’,H,D,U,∆) = channel_c[c](x′′1, . . . , x′′n)
>> accept x′1 : s′1, . . . , x′m : s′m in c2lb(B,H,D′,U,∆′)
where U ′ = use(B)∪U , D′ = (D∪ {x})∩U ′,∆′ = (∆∪ {x})∩U ′, D′′ = D′ \ {x}, {x′1, . . . , x′m} = D′, {x′′1, . . . , x′′n} = D′′,
(∀i ∈ {1, . . . ,m}) s′i = type(x′i), and (∀i ∈ {1, . . . , n}) s′′i = type(x′′i ). Process channel_c is defined by:
process channel_c[c](x′′1 : s′′1, . . . , x′′n : s′′n) : exit(s′1, . . . , s′m) :=
c ?x : s; exit(x′1, . . . , x′m) [] c !Probe; channel_c[c](x′′1, . . . , x′′n)
endproc
where s = type(c).
Remark. As for the ‘‘unprobed’’ case, the translation into Lotos removes the confluent τ -transition introduced by the
Chp operational semantics, thus preserving branching equivalence. 
Notice that, contrary to the ‘‘general’’ case above, in the ‘‘single’’ case, the process channel_c never needs (neither for an
active emission nor for an active reception) to evaluate a probe, and, thus, never needs to synchronise on probe_enable
and probe_disable.
Remark. Preservation of branching equivalence albeit the communications containing offers of the form ‘‘!Probe’’
introduced by the translation into Lotos (and that do not exist in the Chp operational semantics) is discussed during
the translation of guards and the translation of guarded commands. 
Translation of ‘‘x:=V ;B’’. An assignment to a variable x of sort S is translated as follows:
c2lb(‘‘x:=V ;B’’,H,D,U,∆) = query_probe(V ); let x : s = c2lv(V ) in τ ; c2lb
(
B,H,D ∪ {x},U,∆ ∪ {x}).
Remark. The translation generates the internal transition ‘‘τ ’’, also present in the Chp operational semantics (see Section 3)
and the Petri net model of [14]. Moreover, as for emissions, if the value V contains probe operations, query_probe introduces
a confluent sequence of communications that, after hiding, preserves branching equivalence. 
Translation of ‘‘A; B’’. This translation rule applies only if A is a collateral composition or a guarded command (all other cases
have been handled before):
c2lb(‘‘A; B’’,H,D,U,∆) = c2lb(A,H,D,U ′,D) >> accept x1 : s1, . . . , xn : sn in c2lb(B,H,D′,U,∆′)
where U ′=use(B) ∪ (U \ defn(B)), D′ = (D ∪ def (A)) ∩ U ′, {x1, . . . , xn}=D′, and∆′=(∆ ∪ def (A)) ∩ U ′.
Remark. The symmetric sequential composition operator of Lotos ‘‘ >> ’’ differs from Chp sequential composition by
the fact that it creates a τ -transition. In general, this transition is not always confluent (as in the Lotos behaviour
‘‘(c; stop [] exit) >> B’’, which is equivalent to ‘‘c; stop [] τ ; B’’). However, the preliminary simplifications applied to
the Chp description forbid such situations, as the Lotos behaviour generated for A (which is either a collateral composition
or a guarded command) always contains at least one transitions, so that the τ -transition created by ‘‘>>’’ is always prefixed
by some other transitions, and thus cannot occur as the first transition of a non-deterministic choice. 
Translation of ‘‘B1,B2’’. A collateral composition is translated as follows:
c2lb(‘‘B1,B2’’,H,D,U,∆) = c2lb(B1,H,D1,U,∆′) ||| c2lb(B2,H,D2,U,∆′)
where D1 = D \ def (B2), D2 = D \ def (B1), and∆′ = ∆ ∪ def (B1) ∪ def (B2).
118 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
Remark. The translation into Lotos exploits the similarity of the Chp operator ‘‘,’’ with the Lotos operator ‘‘|||’’, the only
difference being that the translation into Lotos introduces a synchronisation on the special termination gate, noted ‘‘δ’’, in
order to express the synchronous termination of B1 and B2. Because the preliminary simplifications (Section 4.4) always
introduce a final ‘‘nil’’ wherever a process terminates (i.e. ‘‘Bˆi’’ is replaced by ‘‘Bˆi; nil’’ when ¬inf (Bˆi)), such δ-transitions
always occur on the left-hand side of a Lotos ‘‘>> ’’ sequential composition operator. Therefore, these δ-transitions are
captured by the ‘‘>> ’’ operator, which transforms them into τ -transitions, thus making them confluent (see the remark
for sequential compositions). 
Translation of guards. If a guard V is of the form ‘‘c #’’ or ‘‘c #V ′’’, where channel c is of profile ‘‘single’’, then V is translated
as a communication on the Lotos gate c with a ‘‘!Probe’’ offer. Otherwise, V is translated directly into a Lotos guard:
c2lg(V ) =

c !Probe ; if V = c # ∧ profile(c) = single and
c links a passive emitter to an active receiver
c !Probe ?x : type(c) ; if V = c # ∧ profile(c) = single and
c links an active emitter to a passive receiver
c !Probe !c2lv(V ′) ; if V = c #V ′ ∧ profile(c) = single
[c2lv(V )] -> if cond(V )
where x is a new variable (to receive the value of xc) and the predicate cond(V ) is defined by
cond(V ) iff ¬((V = c # ∨ V = c #V ′) ∧ profile(c) = single)
Remark. Comparedwith the Chp operational semantics, the translation into Lotos adds, in the casewhere profile(c) = single,
a communication that – after hiding – corresponds to the τ -transition generated by the first rule for guarded commands in
the Chp operational semantics (see Section 3 and the translation of guarded commands below). 
Translation of guarded commands. A guarded command B = ‘‘@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]’’ is translated into a call to
an auxiliary process PB:
c2lb(‘‘@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]’’,H,D,U,∆)
= choice xi1 : si1 , . . . , xik : sik [] PB[probe_enable, probe_disable, gate(Bˆi,H)](x1, . . . , xm)
where
gate(Bˆi,H) = chan(Bˆi) ∪{
c_init | c ∈ chan(Bˆi) ∧ profile(c) = general ∧ H(c) = active
} ∪{
c_probe | c ∈ chan(Bˆi) ∧ profile(c) = general ∧ H(c) = passive
}
and where D′ = (D ∪ def (B)) ∩ (use(B) ∪ (U \ defn(B))), {x1, . . . , xm} = D′, {i1, . . . , ik} ⊆ {1, . . . ,m}, i.e. {xi1 , . . . , xik} ⊆{x1, . . . , xm}, (∀j ∈ {1, . . . ,m}) sj = type(xj), and (∀j ∈ {i1, . . . , ik}) xj 6∈ D. The ‘‘choice xi1 : si1 , . . . , xik : sik ’’ is used to
assign nondeterministically chosen values to the variables xi1 , . . . , xik , which might be read when executing PB, but are not
defined before the first call to PB. This is required, since Chp allows uninitialised variables to be read,whereas Lotos prohibits
this using syntactic restrictions, which are too restrictive in some cases, as for instance the initialisation of a variable in the
last iteration of a loop. If k = 0, the (empty) ‘‘choice’’ statement should be omitted.
The semantics of a guarded command ‘‘@[V0 ⇒ B0; T0 . . . Vn ⇒ Bn; Tn]’’ requires one to check all guards simultaneously.
Thus, PB starts by reading the values of the variables xc for all channels that have profile ‘‘general’’ and are probed by some
guard Vj (j ∈ {0, . . . , n}). Formally, this set of channels is defined as
{c1, . . . , cl} =
{
c | c ∈⋃nj=0 chanv(Vj) ∧ profile(c) = general}
Then, PB offers the possibility to execute any branch Bi; Ti the guard Vi of which is true. An additional branch handles the case
where all the guards containing a probe of channel of profile ‘‘general’’ are false: in this case, a busy waiting is implemented
(using a recursive call to PB), so as to allow to probe the channels c1, . . . , cl once more until some guard becomes true.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 119
The auxiliary process PB is defined as follows:
process PB[probe_enable, probe_disable, gate(Bˆi,H)](x1 : s1, . . . , xm : sm) : F
probe_enable; c1_probe ?xc1 : bool ?xc1 : type(xc1); . . . ; cl_probe ?xcl : bool ?xcl : type(xcl);
(
c2lg(V0) probe_disable; c2lc
(
B0, T0, H, D′ \
(
def (B0) \ use(B0)
)
, U, ∆′
)
[] · · · []
c2lg(Vn) probe_disable; c2lc
(
Bn, Tn, H, D′ \
(
def (Bn) \ use(Bn)
)
, U, ∆′
)
[]
[
∧
j∈{0,...,n}∧ cond(Vj)
(¬c2lv(Vj))] -> probe_disable; PB[probe_enable, probe_disable, gate(Bˆi,H)](x1, . . . , xm)
)
endproc
where
∆′ = ∆ ∪ def (B)
F =
{
noexit if inf (B)
exit
(
type(x′1), . . . , type(x′q)
)
such that func(B,D,U) = exit({x′1, . . . , x′q}) otherwise
and where the translation of a branch is defined as:
c2lc(Bj, break,H,D,U,∆) = c2lb(Bj,H,D,U,∆)
c2lc(Bj, loop,H,D,U,∆) = c2lb
(
Bj, H, D, D ∪
(
def (Bj) \ use(Bj)
)
, D
)
>> accept x1 : s1, . . . , xm : sm in
PB[probe_enable, probe_disable, gate(Bˆi,H)](x1, . . . , xm)
Remark. As regards correction, we must distinguish between two parts in the Lotos code generated for PB. There is first a
prefix, which corresponds to the first line of PB, i.e. the sequence of transitions starting with probe_enable and ending with
‘‘cl_probe ?xcl : bool ?xcl : type(xcl)’’. Notice that this prefix is similar to the Lotos code generated by query_probe(V0, . . . , Vn)
in the translation of value expressions. This prefix is followed by a choice between (n + 1) branches: the first n
branches are the lines starting with ‘‘c2lg(Vi)’’ and the last branch is the line starting with the guard ‘‘
∧
j∈{0,...,n} ∧ cond(Vj)(¬c2lv(Vj))’’.
Notice that the guards of these branches are not necessarily mutually exclusive, because Chp guarded commands
themselves can be nondeterministic. However, the (n + 1) branches are exhaustive, since the guard of the last branch
acts as a default case, so that always at least one branch can be taken. Moreover, the definition of PB guarantees that the
synchronisation on probe_enable is eventually followed by a synchronisation on probe_disable, because all branches contain a
synchronisation on probe_disable, and all rendezvous between probe_enable and probe_disable are communications with the
channel_c processes (see the translation of channels with profile(c) = general); these communications are always possible
because each channel_c process always accepts to synchronise on its c_probe gate after a synchronisation on probe_enable.
Thus, as regards the preservation of branching equivalence:
– The prefix preserves branching equivalence for the same reasons as for the definition of query_probe(V0, . . . , Vn): after
hiding, the transitions on the probe_enable and ci_probe gates become confluent.
– Each of the first n branches startswith either one or two transitions thatmatch, after hiding, the τ -transition generated by
the Chp operational semantics. Indeed, the definition of c2lg(Vn) implies that the i-th branch starts either, if cond(Vi), with
a synchronisation on probe_disable or, if ¬cond(Vi), with a communication having the form ‘‘c !Probe’’ or ‘‘c !Probe ?x :
type(c)’’ followed by a synchronisation on probe_disable.
– The last branch has no direct counterpart in the Chp operational semantics. However, it consists of a synchronisation
on probe_disable followed by a recursive call to PB (without modification of the value parameters x1, . . . , xm).
Thus, after hiding the probe_disable gate, this branch just amounts to a τ -cycle, which preserves branching
equivalence. 
4.6. Translation of several concurrent processes
In a nutshell, the parallel composition ‘‘‖’’ of Chp is translated into the Lotos operator ‘‘|[· · · ]|’’, because the underlying
model of asynchronous concurrency (interleaving semantics) implemented by these two operators is basically the same.
However, there are some ‘‘surface’’ differences between both languages worth being mentioned:
120 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
– The parallel composition operator of Chp is n-ary but allows only binary communications; to the contrary, the parallel
composition operator of Lotos is binary but allows n-ary communications.
– Although in the general case certain involved communication patterns cannot be expressed in Lotos [29], translation
into Lotos is always possible for Chp descriptions, since Chp channels have pairwise distinct names.
– Although communication in Chp is always between two parties, the generated Lotos code contains three-party
communications. This is no problem, since in the generated Lotos code any three-party communication is a
communication on a channel c with profile(c) = general, which involves exactly two processes Bˆi and Bˆj (sender
and receiver) plus one of the processes channel_c representing the shared variable xc (see Section 4.5, translation of
channels).
– The synchronisation rules are not identical: in Chp, two processes synchronise implicitly on all common channels; in
Lotos, processes do not synchronise on their common gates, but only on the set of gates g1, . . . , gn explicitly listed inside
the parallel composition operator ‘‘|[g1, . . . , gn]|’’.
The translation of a Chp description
〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
is defined as:
c2l(‘‘Bˆ0 ‖ · · · ‖ Bˆn’’) = c2lp(‘‘Bˆ0 ‖ · · · ‖ Bˆn’’, C)
|[probe_enable, probe_disable, c1, c1_probe, . . . , cl, cl_probe, ci1_init, . . . , cip_init]|
(
channel_c1[probe_enable, probe_disable, c1, c1_init, c1_probe]
|[probe_enable, probe_disable]| · · · |[probe_enable, probe_disable]|
channel_cl[probe_enable, probe_disable, cl, cl_init, cl_probe]
)
where function c2lp is defined as follows:
c2lp(‘‘Bˆ0 ‖ · · · ‖ Bˆn’’, C) ={
c2lb(Bˆ0,H0,∅,∅,∅) if n = 0
c2lb(Bˆ0,H0,∅,∅,∅) |[chanbin(Bˆ0) ∩ C]| c2lp
(
‘‘Bˆ1 ‖ · · · ‖ Bˆn’’, C \ chanbin(Bˆ0)
)
otherwise
where chanbin(B) =
{
c | c ∈ chan(B) ∧ ¬port(c)} is the set of binary channels occurring in process B, {c1, . . . , cl} ={
c | c ∈ C ∧ profile(c) = general} is the set of all channels of profile ‘‘general’’ in C , and {i1, . . . , ip} = {i |
i ∈ {1, . . . , l} ∧ ¬port(ci)
}
are the indexes i such that ci ∈ {c1, . . . , cl} is a binary channel (and no port) of profile
‘‘general’’. We distinguish between the constant C corresponding to the set of channels of the Chp description and the
parameter C used in the recursive definition of c2lp to represent the set of channels for which a communication has yet to be
generated.
4.7. Optimisations of the generated LOTOS code
In addition to the aforementioned code specialisation technique (i.e. different translations of a channel depending on the
profile), several other optimisations are possible.
– A Chp guard that is always true can be dismissed in the corresponding Lotos specification.
– Boolean expressions in Lotos guards could be simplified using standard techniques (boolean algebra or Bdd).
– The ‘‘accept’’ construct needs to be generated only if some variable values must be transmitted over a sequential
composition ‘‘ >> ’’ (see translation of the loop construct in Translation of Guarded Commands, Section 4.5 as an
example).
– If a guarded command is the left hand side of a sequential composition ‘‘@[ . . . ]; B′’’, we generate a second auxiliary
process PB′ (for B′); each ‘‘break’’ is translated into a call to PB′ and the functionality F is computed with respect to B′.
This optimisation avoids the introduction of a τ -transition due to the ‘‘exit’’ (generated by the translation of ‘‘break’’).
For each Bi such that inf (Bi), Ti is not translated at all.
– In the definition of query_probe(V0, . . . , V1), if the set of channels of profile ‘‘general’’ probed by V0, . . . , Vn is empty, the
synchronisations on gates probe_enable and probe_disable are not required.
– If none of the guards of a guarded command probes a channel of profile ‘‘general’’, the synchronisation on gate
probe_enable is unnecessary and can be removed. In this case, tomatch the τ -transition generated by the Chp operational
semantics, the synchronisation on gate probe_disablemust be replaced by a τ .
Such optimisations have been implemented in the translator we will present in Section 5.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 121
4.8. Example of the arbiter without priorities
For the arbiter without priorities of Section 2.6, profile(c) = unprobed (because c is never probed) and profile(c1) =
profile(c2) = single (because any probe operation on c1 and c2 is a guard). The Lotos behaviour obtained by applying the
translation rules of Section 4.6 is the following:
arbiter[c, c1, c2] |[ c1, c2 ]|
(
client-1[c1] ||| client-2[c2]
)
Processes client-1, client-2, and arbiter are defined as:
process client-1[c1] : noexit :=
channel_c1[c1] >> client-1[c1]
where
process channel_c1[c1] : exit := c1 ; exit [] c1 !Probe ; channel_c1[c1] endproc
endproc
process client-2[c2] : noexit :=
channel_c2[c2] >> client-2[c2]
where
process channel_c2[c2] : exit := c2 ; exit [] c2 !Probe ; channel_c2[c2] endproc
endproc
process arbiter[c, c1, c2] : noexit :=(
c1 !Probe; (c !1; exit ||| c1; exit) >> arbiter[c, c1, c2]
)
[](
c2 !Probe; (c !2; exit ||| c2; exit) >> arbiter[c, c1, c2]
)
endproc
Processes client-1 (respectively client-2) repeat forever the auxiliary process channel_c1 (respectively channel_c2), followed
by a recursive call (the Chp loop construct being translated into a recursive Lotos process call, see Translation of Guarded
Commands, Section 4.5). Both processes channel_c1 and channel_c2 are obtained as described in Section 4.5 (translation of
‘‘c!V ’’, ‘‘single’’ case). As regards the process arbiter , Chp guarded commands are translated to a Lotos choice ([]). Guards
consisting of a single probe are translated as a communication with offer ‘‘!Probe’’ (see Translation of Guards in Section 4.5).
At last, the collateral composition is encoded as an interleaving ‘‘|||’’ (of an emission on c and a communication on ci). In
both branches of the arbiter, the loop is translated in a recursive call to process arbiter .
The Lts generated from this Lotos code by theCæsar tool ofCadphas 72 states and 165 transitions after reductionmodulo
strong bisimulation. The Lts obtained after hiding all transitions containing a ‘‘!Probe’’ offer was proved (by the Bisimulator
tool [30] of Cadp) to be branching equivalent to the one corresponding to the Chp operational semantics. Without code
specialisation, the Lts generated by Cæsar (also reduced modulo strong bisimulation) would have been about 20% larger,
with 85 states and 198 transitions, still being branching equivalent.
4.9. Example of the arbiter with priorities
For the arbiter with priorities of Section 2.6, profile(c) = unprobed and profile(c1) = profile(c2) = general (because c1
and c2 are probed in an expression). The translation rules yield the following Lotos behaviour:(
arbiter[probe_enable, probe_disable, c, c1, c1_probe, c2, c2_probe] |[ c1, c2 ]|(
client-1[c1, c1_init] ||| client-2[c2, c2_init]
) )
|[ probe_enable, probe_disable, c1, c1_init, c1_probe, c2, c2_init, c2_probe ]|(channel_c1[probe_enable, probe_disable, c1, c1_init, c1_probe]
|[probe_enable, probe_disable]|
channel_c2[probe_enable, probe_disable, c2, c2_init, c2_probe]
)
where the processes channel_c1 and channel_c2 are obtained as described in Section 4.5 — Translation of Channels. The other
processes are defined as follows:
process client-1[c1, c1_init] : noexit :=
c1_init !true; c1 !true; client-1[c1, c1_init]
[]
c1_init !false; c1 !false; client-1[c1, c1_init]
endproc
process client-2[c2, c2_init] : noexit :=
c2_init; c2; client-2[c2, c2_init]
endproc
122 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
process arbiter[probe_enable, probe_disable, c, c1, c1_probe, c2, c2_probe] : noexit :=
probe_enable; c1_probe ?xc1 : bool ?xc1 : bool; c2_probe ?xc2 : bool;
(
[xc1] -> probe_disable;
(
(c !1; exit) ||| (c1 ?x; exit)
)
>>
arbiter[probe_enable, probe_disable, c, c1, c1_probe, c2, c2_probe]
[]
[xc2 ∧ ¬(xc1 ∧ xc1)] -> probe_disable;
(
(c !2; exit) ||| (c2; exit)
)
>>
arbiter[probe_enable, probe_disable, c, c1, c1_probe, c2, c2_probe]
[]
[¬(xc1) ∧ ¬
(
xc2 ∧ ¬(xc1 ∧ xc1)
)
] -> probe_disable;
arbiter[probe_enable, probe_disable, c, c1, c1_probe, c2, c2_probe]
)
endproc
Since channel c1 (respectively c2) has profile ‘‘general’’, any active emission on c1 (respectively c2) is preceded by a
communication on c1_init (respectively c2_init) with process channel_c1 (respectively channel_c2) to allow probes. Similarly,
execution of process arbiter starts with communications on gates c1_probe and c2_probe with processes channel_c1 and
channel_c2 to check (or probe) whether a channel is ready for communication (first offer) and to retrieve the value possibly
sent (second offer). Note that a third choice is added in process arbiter , whose guard corresponds to the negation of the two
other guards, andwhose body is a simple call to the process arbiter itself. This case is necessary to check again the possibility
to probe channels c1 and c2, if none of the probes were successful the first time.
The Lts corresponding to this Lotos specification, generated by the Cæsar tool of Cadp and reduced modulo strong
bisimulation, has 138 states and 303 transitions. The Lts obtained after hiding all labels corresponding to communications
on gates c1_init , c2_init , c1_probe, and c2_probewas proved (by the Bisimulator tool of Cadp) to be branching equivalent to
the one presented in Fig. 3.
4.10. Correction concerns about the translation from CHP into LOTOS
Our translation algorithm from Chp into Lotos is implemented in a translator (see Section 5) that is being used by
hardware designers for validating several asynchronous circuits. Interestingly, when discussing correctness issues with
these designers, we received the feedback that a formal proof of correction for our translator was a low priority issue. In
addition to the usual constraints (lack of resources and time-to-market pressure), we can mention the following reasons:
(i) In the hardware community, circuit designers rely on closed-source commercial tools to perform semantic translations,
for instance to transform a high-level description into Rtl (Register Transfer Level), to synthesise a netlist from an Rtl
description, or to perform placement and routing for a netlist. In most cases, designers do not have any formal proof of
correctness of for the complex algorithms present in these tools. There are even documented situations in which these
tools are known to generate incorrect or inefficient outputs, which have to be corrected or optimised manually later.
(ii) Even if the tools were fully reliable, with correction proofs available, it is still unlikely that designers would trust
them blindly because of the huge costs arising from mistakes in hardware circuits. Instead, designers routinely use
independent cross-checking tools to verify whether commercial translation tools have produced correct outputs or
not. Examples of such tools are symbolic model checkers, which verify that a generated netlist is equivalent to its high
level design, or Lvs (Layout Versus Schematic) checkers, which verify that an electric circuit obtained after placement
and routing correctly implements its netlist.
(iii) The intended use of our translator is to enable model checking of Chp descriptions. In general, a formal semantics
is not of prime importance to model checkers — some famous model checkers do not even have a formal definition
for their input languages! This is partly justified by the use of model checkers for ‘‘bug hunting’’: the model checker
finds possible problems, which are then analysed manually to understand if they are ‘‘real’’ bugs in the design or ‘‘false
positives’’ (caused by excessive abstractions or issues in the model checker itself). However, even if model checkers
are not fully proven (with a non-null, yet small, probability of reporting false positives or even omitting the real bugs),
the use of model checking is still beneficial, as it often uncovers real problems that would have remained undetected
otherwise. This was the case with our translator (see Section 5); we can also mention that no translation bug has been
reported so far.
Despite a formal proof of correction for our translator was considered of little practical interest by the end-users, the
remainder of this section addresses this issue.
According to concurrency theory results, a natural approach to prove the correction of our translation would be to seek
for an equivalence relation (such as a bisimulation) between the Lts (noted ‘‘LtsSos’’) obtained from a Chp description〈
C, X, Bˆ0 ‖ · · · ‖ Bˆn
〉
using the proposed operational semantics for Chp and the Lts (noted ‘‘LtsLotos’’) corresponding
to the Lotos specification c2l(‘‘Bˆ0 ‖ · · · ‖ Bˆn’’).
This task is not easy, since some Chp descriptions do not have a defined semantics, i.e. if they access variables that
are neither initialised nor assigned before. For these Chp descriptions, our Sos semantics is undefined (as some variables
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 123
Fig. 6. Translation steps in Chp2Lotos.
evaluate to the undefined value ‘‘⊥’’). To the contrary, Lotos has a set of static semantic constraints that rule out all Lotos
descriptions in which a variable is used before being defined, so that each Lotos description satisfying these constraints has
a ‘‘well-defined’’ dynamic semantics. Thus, only the subset of Chp that forbids accesses to undefined variables should be
considered.
Moreover, finding an equivalence is difficult, as LtsSos and LtsLotos have different sets of actions (i.e. labels of transitions).
Indeed, due to the translation of the probe operation, LtsLotos might contain additional gates (such as probe_enable,
probe_disable, c_init , and c_probe) that do not exist in LtsSos. We suggest to hide these additional gates using the ‘‘hide
G in’’ construct of Lotos. However, this is not sufficient, since LtsLotos might also contain additional offers ‘‘!Probe’’ which
do not exist in LtsSos. We suggest applying a renaming operator (which does not exist in Lotos, but in other process calculi
such as E-Lotos [31]) to rename into τ all labels containing a ‘‘!Probe’’ offer. Let Lts′Lotos be the Lts obtained from LtsLotos
after these hiding and renaming steps.
LtsSos and Lts′Lotos are still not equivalent with respect to strong bisimulation, since the hiding and renaming steps
introduce τ -transitions that do not exist in LtsSos. Besides, the symmetric sequential composition operator ‘‘>>’’ of Lotos
also introduces τ -transitions that do not exist in LtsSos. Thus, our translation can only preserve a weak equivalence, i.e. an
equivalence that handles τ -transitions differently from ordinary transitions.
Furthermore, as mentioned before in Section 4.5, the translation of guarded commands creates τ -cycles (namely, in the
last branch of process PB, i.e. the line starting with ‘‘
∧
j∈{0,...,n} ∧ cond(Vj)
(¬c2lv(Vj))’’). Thus, it is necessary to consider a weak
equivalence relation that abstracts τ -cycles away. This suggests considering branching bisimulation [20], the strongest of
the weak equivalences found in the literature.
To prove that LtsSos and Lts′Lotos are branching equivalent, one should proceed in two steps: (1) consider each Chp
process Bˆi separately, apply the preliminary simplifications described in Section 4.4, and prove that its translation into Lotos
preserves branching equivalence — this can be done by induction on the syntax of Bˆi ; (2) extend this result to the parallel
composition of several processes ‘‘Bˆ0 ‖ · · · ‖ Bˆn’’ taking into account that branching bisimulation is a congruence for the
parallel composition operator of Lotos. Proof arguments and remarks that substantiate this have been given throughout
Sections 4.4–4.6.
5. Implementation and applications
We developed a translator from Chp into Lotos, called Chp2Lotos, which supports full Chp including value passing
communication, ports open to the environment, and hierarchical components. Chp2Lotoswas developed using the Syntax
and Lotos NT compiler construction technologies [32] and consists of 2200 lines of Syntax, 13,400 lines of Lotos NT, and
3900 lines of C. The translation is performed in several steps as depicted in Fig. 6. The parsing and elaboration phases
construct an intermediate representation, which is then optimised and simplified using the transformations described in
Section 4.4. After computing the channel profiles, the translator generates Lotos code according to the translation functions
defined in Sections 4.5 and 4.6.
Taking advantage of the possibility offered by the Cadp toolbox to implement Lotos data types using external C code,
the predefined Chp data types have been directly implemented as C libraries, thus avoiding the recompilation of the generic
data types each time the Lotos code is used for state space generation or verification.
We validated the Chp to Lotos translator on more than 500 Chp specifications, corresponding to about 14,500 lines of
Chp, which (after translation and pretty-printing) generate about 34,700 lines of Lotos code. This increase in the number of
generated lines is mainly due to the Lotos pretty-printer of Cadp, which puts each communication action on a separate line.
We also applied the Chp to Lotos translator to two asynchronous circuits designed at the Cea/Leti laboratory in Grenoble
(France) that we present with more details below.
Data Encryption Standard. TheDes (Data Encryption Standard) [15] defines amethod for encrypting information. It accepts as
input two64-bitwords (a data and a key) and an operationmode (i.e. ciphering or deciphering), and outputs the (de)ciphered
value. In this case study, we experimented Chp2Lotos on a Chp description of an asynchronous implementation of the Des
(25 processes, which correspond to about 1600 lines of Chp), which has also been studied in [11]. We focused on the control
part, abstracting 64-bit words into a single data value.
Since this case study containsmany concurrent processes, direct generation of the Lts failed due to lack of memory (after
70 min, the generated Lts had more than 17 million states and 139 million transitions). However, using the compositional
124 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
verification techniques (decomposing, minimising, and recomposing processes) [33] of the Cadp toolbox, we generated
an equivalent, but smaller Lts (16,910 states and 85,840 transitions) in 8 min on a SunBlade 100 (500 MHz Ultra Sparc II
processor, 1.5 GB of RAM). In a second step, several properties were proved on this Lts, such as deadlock freeness and some
safety and liveness properties. As an example, we checked that after the reception of the three inputs (key, data, decrypt),
an output is always returned. Once the Lts is generated from the Lotos specification, only a few seconds suffice to verify
each property.
Asynchronous Network on Chip Architecture. As a second case study, we considered the Anoc (Asynchronous Network On
Chip) architecture [16,34], which is used as the backbone of Faust, a 4th generation wireless telecom baseband [35]. Anoc
implements the Gals paradigm, in which synchronous resources (e.g. memory, generic processor, dedicated hardware for
Fourier transformation or Mpeg decoding) are linked via an asynchronous communication network, consisting of a set of
nodes, each of which is connected to a resource and four other nodes. Although no assumption is made on the topology of
the network as regards the architecture of the node, the Faust implementation of Anoc connects the nodes in a 2D-Mesh
topology for several reasons (e.g. scalable bandwidth, easy placement and route on silicon).
Each network node provides lower-level network services, i.e. routing and arbitration of the transiting messages, called
flits. Each node consists of five input controllers, which route incoming flits to one of the other four ports (a flit is never
returned to the incoming port), and five output controllers, which arbitrate between flits heading for the same output.
In this case study, we dealt in particular with the verification of the most complex component of a node of Anoc, namely
an input controller. As for theDesmodel, the Anocmodel in Chpwas abstracted by considering only four transmitted values
(to identify different flits) plus the control information required for routing and handling packets (i.e. sequences of flits).
Furthermore, we used a traffic generator (specified in Chp) to implement several realistic scenarios with packets of different
length (one or more flits), either emitted sequentially or overlapping on different channels and to different destinations.
For each scenario, the Chpmodel of the input controller (about 1200 lines of Chp) was translated into Lotos (about 3600
lines of code) using Chp2Lotos (the translation takes less than one second). Then, we applied the compositional techniques
of Cadp to generate the state space. The generation of the Lts corresponding to the input controller of Anoc for a particular
cycle of four flits was automated using an Svl script [36] (about 500 lines), which automatically invokes different Cadp
tools for state space generation, hiding, minimisation, and composition. The Svl script is generic in the sense that it can be
used to generate the state spaces for all scenarios. For a typical scenario, the Svl script generates in about four minutes the
corresponding Lts (1300 states and 3116 transitions), the largest intermediate Lts observed during the generation having
295,893 states and 812,283 transitions.
Independently from any Chpmodel, we enunciated functional properties describing the protocol behaviour of the input
controller, such as protocol correctness (the input controller must comply at its inputs with the Anoc protocol, and transmit
the incoming data to an output controller), data integrity (the contents of the communications must be preserved by the
input controller), and correct packet routing (the input controller has to route all the flits of a packet in the right direction).
These properties were verified using a generic Svl script (of about 250 lines), calling the model checking and equivalence
checking tools of Cadp.
During this verification stage, in collaborationwith the authors of [16], we automatically detected a routing error—which
previously had been found only manually and corrected in the synthesised and manufactured chip.
More details about the Anoc case study are presented in [37]. Recently, Cea/Leti managed the compositional verification
of the output controller of Anoc.
Last but not least, as for the simple arbiter example, the code specialisation technique proved to be effective in both
case studies, by reducing the size of the intermediate state spaces up to a factor of 89 as regards states and 156 as regards
transitions, which had the effect of reducing the overall run-time of the compositional generation and verification by a factor
of two.
6. Related work
In general, the semantics of hardware process calculi is not given in terms of Sos rules (as it is usual in the concurrency
theory community), but rather by means of a translation into another formalism, e.g. handshake circuits for Tangram [38],
Petri nets for Chp [14], and Csp for Balsa [39]. In that respect, our Sos semantics is an original contribution allowing to bridge
the gap between hardware process calculi and mainstream process calculi.
As regards the verification of asynchronous circuits and architectures, we distinguish two lines of related work:
– A first line of work focuses on the verification of asynchronous designs without paying attention to synthesis. In these
approaches, the asynchronous designs are specified in the input language of the verification tool to be used, such as
Promela for Spin [40,41], Ccs for Cwb [42,43], Lotos for Cadp [44–46], or Csp for Fdr2 [47,48]. These approaches target
gate level descriptions of asynchronous circuits [40–42,44–48] or explicitlymodel of wires of unbounded delay [43]. This
is different from our approach, which aims at verifying high level Chp descriptions from which gate level models can be
automatically synthesised. Furthermore, a common issue with these approaches is the necessity of having two different
descriptions of the circuit, one for verification and one for synthesis.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 125
– A second line of work devises verification techniques for asynchronous designs described using hardware process calculi,
for which synthesis tools exist. There are fewer works in this line; we can mention three such approaches.
– Firstly, the process algebra Circal (Circuit Calculus) and its associated tool [49] have been designed for the automatic
verification of circuits. A particularity of Circal is the possibility that several actions may happen simultaneously,
which enables a precise modelling of systems combining synchrony and asynchrony. Recent extensions of Circal
allow one to specify timing and performance properties by adding observer processes [50]. Contrary to Chp, Circal
provides no direct support for value passing communication, although this allows more abstract and concise models
and is essential for describing large complex systems. Verification in Circal mainly relies on equivalence checking.
By translating to Lotos and using Cadp, our approach offers a wider variety of verification techniques, including
equivalence checking, model checking of µ-calculus formulae, as well as on-the-fly techniques, static analysis, and
distributed and compositional verification.
– Secondly, the Balsa language can also be used together with Csp. [39] starts with a Balsa description of circuits, and
sketches, but does not detail, a translation from Balsa into Csp. Contrary to our approach, the handling of probe-like
operations is simpler in [39], since Balsa’s handshake enclosure is more restrictive than Chp’s probe operation (in
particular, the equivalent of a probe can be used only in guards). Furthermore, the approach of [39] does not translate
a Balsa process B independently of the other Balsa processes communicating with B, whereas our approach without
code specialisation is modular in the sense that it allows to translate each Chp process into Lotos regardless of its
context.
– Thirdly, [11] is a precursor of our approach in the sense that it is also based on Chp and uses Cadp too. Contrary to
our approach, [11] translates Chp into networks of communicating automata. Thus, [11] cannot handle Chp processes
with intertwined sequential and parallel compositions, except by flattening parallel processes, which is less efficient
than our translation from Chp into Lotos. Additionally, our approach brings support of the probe operation. As regards
the efficiency of verification, we observed reductions of the Lts generation time by factors up to four on the same Des
case study as [11].
Compared with a previous conference publication [17], the present article brings original material. In [17], the probe
operations of Chp could only be used in guards; the present article lifts this restriction by supporting probe operations in
any expression. Moreover, the present article introduces proof arguments about the correctness of the translation as well
as code specialisation to optimise the translation. Finally, it reports on experiments on a much larger set of 500 examples,
and features a second case study.
7. Conclusion
In hardware design, synchronous techniques have been predominating, but they face problems when implementing the
global clock; asynchronous circuits and architectures are a promising approach to avoid these problems. A major issue is
that asynchronous design is more complex than synchronous design, due to interleavings of concurrent processes. Thus,
ensuring the correctness of asynchronous designs as early as possible is essential to avoid the cost of synthesising erroneous
circuits. However, contrary to synchronous design, there does not yet exist an established methodology for the verification
of asynchronous designs.
In this article, we proposed a formal semantics for the hardware process calculus Chp, including value-passing
communication, ports open to the environment, and probe operations. Moreover, our semantics is independent of any
particular (2- or 4-phase) handshake protocol expansion used for circuit implementation. This semantics has been approved
by our colleagues from Cea/Leti and the developers of the Tast tool. Based on this semantics, we formalised a translation of
Chp into the international standard Lotos and implemented this translation in the Chp2Lotos tool, which has been validated
on many examples.
Our work prefigures a framework for the design of asynchronous circuits and architectures, enabling asynchronous
designs to be specified using Chp, then translated into Lotos, verified using the Cadp model checking and equivalence
checking tools, and finally synthesised using the Tast tool. This tool chain has been applied successfully to two industrial
asynchronous circuits and is being used for validating other parts of the Anoc architecture.
Acknowledgements
We are grateful to our colleagues Edith Beigné, François Bertrand, Yvain Thonnart, and Pascal Vivet (from Cea/Leti
laboratory), as well as Marc Renaudin, Dominique Borrione, and Menouer Boubekeur (from Tima laboratory) for interesting
discussions on Chp and Tast, in particular their explanations regarding the probe operation. We also thank the same
colleagues from Cea/Leti laboratory for their cooperation in the Des and Anoc case studies.
References
[1] S. Hauck, Asynchronous design methodologies: An overview, Proceedings of the IEEE 83 (1) (1995) 69–93.
[2] K. van Berkel, M.B. Josephs, S.M. Nowick, Scanning the technology: Applications of asynchronous circuits, in: Asynchronous Circuits and Systems,
Proceedings of the IEEE 87 (2) (1999) 223–233 (special issue).
[3] A.J. Martin, Compiling communicating processes into delay-insensitive VLSI circuits, Distributed Computing 1 (4) (1986) 226–234.
126 H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127
[4] D. Edwards, A. Bardsley, Balsa: An asynchronous hardware synthesis language, The Computer Journal 45 (1) (2002) 12–18.
[5] A. Peeters, M. de Wit, Haste Manual, Version 3.0, Handshake Solutions, 2006.
[6] J.L.W. Kessels, A.M.G. Peeters, The Tangram framework (embedded tutorial): Asynchronous circuits for low power, in: Proceedings of the Asia and
South Pacific Design Automation Conference, ASP-DAC 2001 (Yokohama, Japan), ACM, 2001, pp. 255–260.
[7] J.A. Bergstra, A. Ponse, S.A. Smolka (Eds.), Handbook of Process Algebra, Elsevier, 2001.
[8] W. Fokkink, Introduction to process algebra, in: Texts in Theoretical Computer Science, Springer Verlag, 2000.
[9] A.J. Martin, The probe: An addition to communication primitives, Information Processing Letters 20 (3) (1985) 125–130.
[10] M. Renaudin, TAST compiler and TAST_CHP language, Version 0.6, TIMA Laboratory, CIS Group, 2005.
[11] D. Borrione, M. Boubekeur, L. Mounier, M. Renaudin, A. Sirianni, Validation of asynchronous circuit specifications using IF/CADP, in: M. Glesner,
R.A. da Luz Reis, H. Eveking, V.J. Mooney, L.S. Indrusiak, P. Zipf (Eds.), Proceedings of the International Conference on Very Large Scale Integration of
System-on-Chip VLSI-SoC 2003 (Darmstadt, Germany), Darmstadt, 2003, pp. 86–91.
[12] H. Garavel, F. Lang, R.Mateescu,W. Serwe, CADP 2006: A toolbox for the construction and analysis of distributed processes, in:W. Damm,H. Hermanns
(Eds.), Proceedings of the 19th International Conference on Computer Aided Verification, CAV’2007 (Berlin, Germany), in: Lecture Notes in Computer
Science, vol. 4590, Springer Verlag, 2007, pp. 158–163.
[13] ISO/IEC, LOTOS — a formal description technique based on the temporal ordering of observational behaviour, International Standard 8807,
International Organization for Standardization — Information Processing Systems — Open Systems Interconnection, Genève, Sep. 1989.
[14] M. Renaudin, A. Yakovlev, From hardware processes to asynchronous circuits via Petri nets: An application to arbiter design, in: Proceedings of the
Workshop on Token Based Computing TOBACO’04 (Bologna, Italy), 2004.
[15] NIST, Data encryption standard (DES), Federal Information Processing Standards FIPS PUB 46-3, National Institute of Standards and Technology, Oct.
25, 1999.
[16] E. Beigné, F. Clermidy, P. Vivet, A. Clouard, M. Renaudin, An asynchronous NoC architecture providing low latency service and its multi-level design
framework, in: Proceedings of the 11th IEEE International Symposium on Asynchronous Circuits and Systems, ASYNC’05 (New York, USA), IEEE
Computer Society Press, 2005, pp. 54–63.
[17] G. Salaün, W. Serwe, Translating hardware process algebras into standard process algebras — illustration with CHP and LOTOS, in: J. van de Pol,
J. Romijn, G. Smith (Eds.), Proceedings of the 5th International Conference on Integrated Formal Methods, IFM’2005 (Eindhoven, The Netherlands),
in: Lecture Notes in Computer Science, vol. 3771, Springer Verlag, 2005, pp. 287–306. full version available as INRIA Research Report RR-5666.
[18] F.S. de Boer, C. Palamidessi, A fully abstract model for concurrent constraint programming, in: S. Abramsky, T.S.E. Maibaum (Eds.), Proceedings of
the International Joint Conference on Theory and Practice of Software Development TAPSOFT’91, Volume 1, Colloquium on Trees in Algebra and
Programming CAAP’91 (Brighton, United Kingdom), in: Lecture Notes in Computer Science, vol. 493, Springer Verlag, 1991, pp. 296–319.
[19] W. Serwe, On concurrent functional-logic programming, Thèse de doctorat, Institut National Polytechnique de Grenoble, Mar. 2002.
[20] R.J. van Glabbeek, W.P. Weijland, Branching-time and abstraction in bisimulation semantics (extended abstract), CS R8911, Amsterdam, also in Proc.
IFIP 11th World Computer Congress, San Francisco, 1989 (1989).
[21] H. Garavel, J. Sifakis, Compilation and verification of LOTOS specifications, in: L. Logrippo, R.L. Probert, H. Ural (Eds.), Proceedings of the 10th
International Symposium on Protocol Specification, Testing and Verification (Ottawa, Canada), IFIP, North Holland Publishing Company, 1990,
pp. 379–394.
[22] R. Milner, A Calculus of Communicating Systems, in: Lecture Notes in Computer Science, vol. 92, Springer Verlag, 1980.
[23] R. Milner, Communication and Concurrency, Prentice-Hall, 1989.
[24] C.A.R. Hoare, Communicating Sequential Processes, Prentice-Hall, 1985.
[25] H. Ehrig, B. Mahr, Fundamentals of Algebraic Specification 1 — Equations and Initial Semantics, in: EATCS Monographs on Theoretical Computer
Science, vol. 6, Springer Verlag, 1985.
[26] T. Bolognesi, E. Brinksma, Introduction to the ISO specification language, LOTOS 14 (1) (1988) 25–59.
[27] H. Garavel, W. Serwe, State space reduction for process algebra specifications, Theoretical Computer Science 351 (2) (2006) 131–145.
[28] J. Groote, J. Pol, State space reduction using partial τ -confluence, in: M. Nielsen, B. Rovan (Eds.), Proceedings of the 25th International Symposium on
Mathematical Foundations of Computer Science, MFCS’2000 (Bratislava, Slovakia), in: Lecture Notes in Computer Science, vol. 1893, Springer Verlag,
Berlin, 2000, pp. 383–393. also available as CWI Technical Report SEN-R0008, Amsterdam, March 2000.
[29] H. Garavel, M. Sighireanu, A graphical parallel composition operator for process algebras, in: J. Wu, Q. Gao, S.T. Chanson (Eds.), Proceedings of the
Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification,
Testing, and Verification, FORTE/PSTV’99 (Beijing, China), IFIP, Kluwer Academic Publishers, 1999, pp. 185–202.
[30] D. Bergamini, N. Descoubes, C. Joubert, R. Mateescu, Bisimulator: A modular tool for on-the-fly equivalence checking, in: N. Halbwachs, L. Zuck (Eds.),
Proceedings of the 11th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS’2005 (Edinburgh,
Scotland, UK), in: Lecture Notes in Computer Science, vol. 3440, Springer Verlag, 2005, pp. 581–585.
[31] ISO/IEC, Enhancements to LOTOS (E-LOTOS), International Standard 15437:2001, International Organization for Standardization — Information
Technology, Genève, Sep. 2001.
[32] H. Garavel, F. Lang, R. Mateescu, Compiler construction using LOTOS NT, in: N. Horspool (Ed.), Proceedings of the 11th International Conference on
Compiler Construction, CC 2002 (Grenoble, France), in: Lecture Notes in Computer Science, vol. 2304, Springer Verlag, 2002, pp. 9–13.
[33] F. Lang, Compositional verification using SVL scripts, in: J.-P. Katoen, P. Stevens (Eds.), Proceedings of the 8th International Conference on Tools and
Algorithms for the Construction and Analysis of Systems, TACAS’2002 (Grenoble, France), in: Lecture Notes in Computer Science, vol. 2280, Springer
Verlag, 2002, pp. 465–469.
[34] E. Beigné, P. Vivet, Design of off-chip and on-chip interfaces for a GALS NoC architecture, in: Proceedings of the 12th IEEE International Symposium
on Asynchronous Circuits and Systems, ASYNC’06 (Grenoble, France), IEEE Computer Society Press, 2006, pp. 172–181.
[35] Y. Durand, C. Bernard, D. Lattard, FAUST : On-chip distributed architecture for a 4G baseband modem SoC, in: Proceedings of Design and Reuse IP-
SOC’05 (France), 2005, pp. 51–55.
[36] H. Garavel, F. Lang, SVL: A scripting language for compositional verification, in: M. Kim, B. Chin, S. Kang, D. Lee (Eds.), Proceedings of the 21st IFIP WG
6.1 International Conference on Formal Techniques for Networked and Distributed Systems, FORTE’2001 (Cheju Island, Korea), IFIP, Kluwer Academic
Publishers, 2001, pp. 377–392. full version available as INRIA Research Report RR-4223.
[37] G. Salaün, W. Serwe, Y. Thonnart, P. Vivet, Formal verification of CHP specifications with CADP — illustration on an asynchronous network-on-chip,
in: Proceedings of the 13th IEEE International Symposium on Asynchronous Circuits and Systems, ASYNC 2007 (Berkeley, California, USA), IEEE
Computer Society Press, 2007, pp. 73–82.
[38] K. van Berkel, Handshake Circuits: An Asynchronous Architecture for VLSI Programming, in: International Series on Parallel Computation, vol. 5,
Cambridge University Press, 1993.
[39] X. Wang, M.Z. Kwiatkowska, G. Theodoropoulos, Q. Zhang, Towards a unifying CSP approach for hierarchical verification of asynchronous hardware,
in: M.R.A. Huth (Ed.), Proceedings of the 4th International Workshop on Automated Verification of Critical Systems, AVoCS’04 (London, UK),
in: Electronic Notes in Theoretical Computer Science, vol. 128, 2004, pp. 231–246.
[40] G. Baulch, D. Hemmendinger, C. Traver, Analyzing and verifying locally clocked circuits with the concurrency workbench, in: Proceedings of the 5th
Great Lakes Symposium on VLSI, GLSVLSI’95 (Buffalo, USA), IEEE computer Society, 1995, pp. 144–147.
[41] B. Rahardjo, SPIN as a hardware design tool, in: J.-C. Gregoire (Ed.), Proceedings of the First SPIN Workshop SPIN 1995 (Quebec, Canada), 1995.
[42] G. Clark, G. Taylor, The verification of asynchronous circuits using CCS, Tech. Rep. ECS-LFCS-97-369, University of Edinburgh, Department of Computer
Science, Oct. 1997.
[43] H.K. Kapoor, M.B. Josephs, Modelling and verification of delay-insensitive circuits using CCS and the concurrency workbench, Information Processing
Letters 89 (6) (2004) 293–296.
H. Garavel et al. / Science of Computer Programming 74 (2009) 100–127 127
[44] J. He, K.J. Turner, Verifying and testing asynchronous circuits using LOTOS, in: T. Bolognesi, D. Latella (Eds.), Proceedings of the Joint International
Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing, and
Verification, FORTE/PSTV’2000 (Pisa, Italy), IFIP, Kluwer Academic Publishers, 2000, pp. 267–283.
[45] M. Yoeli, A. Ginzburg, LOTOS/CADP-based verification of asynchronous circuits, Technical Report TR CS-2001-09, Technion, Computer Science
Department, Haifa, Israel, Mar. 2001.
[46] M. Yoeli, R. Kol, Verification of systems and circuits using LOTOS, in: Petri Nets, and CCS, Parallel and Distributed Computing, Wiley, 2008.
[47] X. Wang, M.Z. Kwiatkowska, On process-algebraic verification of asynchronous circuits, in: Proceedings of the 6th International Conference on
Application of Concurrency to System Design, ACSD’06 (Turku, Finland), IEEE Computer Society Press, 2006, pp. 37–46.
[48] M.B. Josephs, Gate-level modelling and verification of asynchronous circuits using CSPm and FDR, in: Proceedings of the 13th IEEE International
Symposium on Asynchronous Circuits and Systems, ASYNC 2007 (Berkeley, California, USA), IEEE Computer Society Press, 2007, pp. 83–94.
[49] A. Bailey, G.A. McCaskill, G.J. Milne, An exercise in the automatic verification of asynchronous designs, Formal Methods in System Design 4 (3) (1994)
213–242.
[50] A. Cerone, G.J. Milne, Property verification of asynchronous systems, Innovations in Systems and Software Engineering 1 (1) (2005) 25–40.
