Compositionality in Dataflow Synchronous Languages: Specification and Distributed Code Generation  by Benveniste, Albert et al.
Information and Computation 163, 125171 (2000)
Compositionality in Dataflow Synchronous Languages: Specification and Distributed Code Generation^{1, 2, 3}
Albert Benveniste, Benoît Caillaud, and Paul Le Guernic
Irisa/Inria, Campus de Beaulieu, 35042 Rennes cedex, France
E-mail: albert.benveniste@irisa.fr, benoit.caillaud@irisa.fr, paul.leguernic@irisa.fr
Modularity is advocated as a solution for the design of large systems;
the mathematical translation of this concept is often that of compositionality.
This paper is devoted to the issues of compositionality for modular code
generation, in dataflow synchronous languages. As careless reuse of
object code in new or evolving system designs fails to work, we first
concentrate on what are the additional features needed to abstract
programs for the purpose of code generation: we show that a central
notion is that of scheduling specification as resulting from a causality
analysis of the given program. Using this notion, we study separate
compilation for synchronous programs. An entire section is devoted to the
formal study of causality and scheduling specifications. Then we discuss
the issue of distributed implementation using an asynchronous medium of
communication. Our main results are that it is possible to characterize
those synchronous programs which can be distributed on an asynchronous
architecture without losing semantic properties. Two new notions of
endochrony and isochrony are introduced for this purpose. As a result, we
derive a theory for synthesizing additional schedulers and protocols needed
to guarantee the correctness of distributed code generation. Corresponding
algorithms are implemented in the framework of the DC+ common format
for synchronous languages, and the V4 release of the SIGNAL language.
© 2000 Academic Press
Key Words: synchronous languages; modularity; distributed code
generation; separate compilation; desynchronization.
doi:10.1006inco.2000.2898, available online at http:www.idealibrary.com on
125 0890-540100 35.00
Copyright  2000 by Academic Press
All rights of reproduction in any form reserved.
1 This paper is a significantly revised version of a preliminary report which appeared under the same
title in the Proceedings of the 1997 Malente Workshop on Compositionality, organized by W. P.
de Roever and H. Langmaack; these proceedings will be published in Lecture Notes in Computer
Science (Springer-Verlag).
2 This work is or has been supported in part by the following projects: Eureka-SYNCHRON, Esprit
R&D-SACRES (Esprit Project EP 20897), and Esprit LTR-SYRF (Esprit Project EP 22703).
3 In addition to the listed authors, the following people have indirectly, but strongly, contributed to
this work: the STS formalism has been shamelessly borrowed from Amir Pnueli; the background on
labelled partial orders is mostly acknowledged to Paul Caspi.
CONTENTS
1. Rationale.
2. Specification.
2.1. The Essentials of the Synchronous Paradigm.
2.2. Synchronous Transition Systems.
3. Compositionality in Code Generation: Informal Analysis.
3.1. What is The Problem?
3.2. Scheduling Specifications.
3.3. Causality Analysis: Examples.
3.4. Generating Scheduling for Separate Modules.
3.5. Relaxing Synchrony.
3.6. Modular Design, gals Architectures.
4. Formal Study of Desynchronization.
4.1. Desynchronizing sts, and Two Fundamental Problems.
4.2. Endochrony and Resynchronization.
4.2.1. Formal Results.
4.2.2. Practical Consequences.
4.3. Isochrony, and Synchronous and Asynchronous Compositions.
4.4. Getting gals Architectures.
4.5. Handling EndoIsochrony in Practice.
4.5.1. Checking EndoIsochrony.
4.5.2. Enforcing EndoIsochrony.
5. Formal Study of Causality.
5.1. Encoding Scheduling Specifications Using an Algebraic Domain.
5.2. Circuit-Free Schedulings.
5.3. Deriving Scheduling Specifications as Causality Constraints.
5.4. Correct Programs.
6. Conclusion.
1. RATIONALE
Modularity is advocated as the ultimate solution for the design of large systems,
and this holds in particular for embedded systems, for both software and architec-
ture. Modularity allows the designer to scale down design problems, and facilitates
the reuse of preexisting modules.
The mathematical translation of the concept of modularity is often that of composi-
tionality. Paying attention to the composition of specifications (Manna and Pnueli,
1992) is central to any system model involving concurrency or parallelism. More
recently, significant effort has been devoted toward the introduction of compositionality
in verification, which aims at deriving proofs of large programs from partial proofs
involving (abstractions of) components (Manna and Pnueli, 1995). See also the volume
(de Roever et al., 1998) in which a number of papers are devoted to this topic.
Compilation and code generation have been given less attention from this very
same point of view. This is unfortunate, as it is critical for the designer to scale
down the design of large systems by (1) storing modules like black-box ‘‘procedures’’
or ‘‘processes’’ with minimal interface description, and (2) generating code which uses
these modules only on the basis of their interface description, while preserving in any
case the correctness of the design. This paper is devoted to the issues of composi-
tionality of dataflow synchronous languages, aimed at modular code generation.
126 BENVENISTE, CAILLAUD, AND LE GUERNIC
Dataflow synchrony is rather a paradigm than a set of concrete languages or
visual formalisms (Benveniste and Berry, 1991), and hence it is desirable to abstract
from any particular language. Thus we have chosen to work with synchronous
transition systems (sts), a lightweight formalism proposed by Amir Pnueli,
general enough to capture the essence of the synchronous paradigm. This
is the topic of Section 2. Using this formalism, we study in Section 2 the
composition of specifications.
Most of our effort is then devoted to issues of compositionality that are critical
to code generation. Section 3 contains an informal discussion of this problem. It is
known that careless storing of object code for further reuse in systems design fails
to work. Hence we first concentrate on the additional features that are required to
abstract programs for the purpose of code generation and reuse: we show that a
central notion is that of scheduling specification as resulting from a causality
analysis of the given program. Related issues of compositionality are investigated.
Then we show that there is some appropriate level of ‘‘intermediate code,’’ which
at the same time allows us to scale down code generation for large systems, and still
maintains correctness at the system integration phase. Finally we discuss the side
issue of distributed implementation using an asynchronous medium of communication.
In Section 4 we formally study desynchronization. We first formalize what we
mean by desynchronization. Our theory requires that the communication medium or
operating system: (1) shall not lose messages, and (2) shall preserve the total ordering
of messages, for each flow individually (but, of course, not globally). These assump-
tions are typically satisfied by services offered by reliable communication media or
operating system. Our main result is that it is possible to check, directly on the original
synchronous specification, whether semantic properties will or will not be preserved after
desynchronization. The two fundamental notions are endochrony, which guarantees
that, for a single sts, desynchronization is a ‘‘revertible’’ transformation, and
isochrony, which guarantees that, for a pair of sts, desynchronizing communications
is also a ‘‘revertible’’ transformation. In some sense formalized in Section 4, semantics
is preserved by desynchronization when these conditions are satisfied.
Section 5 is devoted to a formal study of causality. In many respects, this formal
study is important. First, it is instrumental in getting executable, deterministic code
from a given sts specification. Then, it is a cornerstone of proper abstractions for
separate compilation and reuse. We pay strong attention to this study, using a
technique not unlike the one used for analyzing causality in Esterel (Berry, 1995).
Our analysis encompasses the case of arbitrary data types, and suitable abstractions
are used for this purpose.
In the Conclusion (Section 6) we discuss how our views on compositionality are
modified by this study. We sketch the resulting system design methodology, and we
briefly mention the implementation resulting from this theory, mostly developed in
the framework of the Esprit-SACRES project.
2. SPECIFICATION
This section discusses compositionality aspects of specifications, first informally,
and then formally.
2.1. The Essentials of the Synchronous Paradigm
There have been several attempts to characterize the essentials of the synchronous
paradigm (Berry, 1989; Benveniste and Berry, 1991; Halbwachs, 1993). With some
experience, we feel that the following features are indeed essential and sufficient for
characterizing this paradigm:
1. Programs progress via an infinite sequence of reactions, informally written
$P = R^\omega$,
where R denotes the set of legal reactions.^4
2. Within a reaction, decisions can be taken on the basis of the absence of
some events, as exemplified by the following typical statements, taken from Esterel,
Lustre, and Signal, respectively:
present S else 'stat'
y = current x
y := u default v
The first statement is self-explanatory. The ‘‘current’’ operator delivers the most
recent value of x at the clock of the considered node; it thus has to test for the
absence of x before producing y. The ‘‘default’’ operator delivers its first argument
when it is present, and otherwise its second argument.
3. Communication is performed via instantaneous broadcast. In other words,
when it is defined, parallel composition is always given by the conjunction of associated
reactions:
$P_1 \parallel P_2 = (R_1 \wedge R_2)^\omega$.
The above formula is a perfect definition of parallel composition when the intention
is specifying. In contrast, if producing executable code is the intention, then this
definition has to be compatible with an operational semantics. This very much
complicates the ‘‘when it is defined’’ prerequisite.^5
Of course, such a characterization of the synchronous paradigm makes the class
of ‘‘synchrony-compliant’’ formalisms much larger than usually considered. However,
it has been our experience that these were the key features of the techniques we
have developed so far.
4 In fact, ‘‘reaction’’ is a slightly restrictive term, as we shall see in the following that ‘‘reacting to the
environment’’ is not the only possible kind of interaction a synchronous system may have with its
environment.
5 For instance, most of the effort related to the semantics of Esterel has been directed toward solving
this issue satisfactorily (Berry, 1995).
Clearly, this calls for the simplest possible formalism comprising the above
features, and on which fundamental questions should be investigated. This is one of
the objectives of the sts formalism described next.
2.2. Synchronous Transition Systems
Synchronous Transition Systems. We assume a vocabulary V which is a set of
typed variables. All types are implicitly extended with a special element $\bot$ to be
interpreted as ‘‘absent.’’ Some of the types we consider are the type of pure signals
with domain $\{t\}$, and Booleans with domain $\{t, f\}$ (recall that both types are
extended with the distinguished element $\bot$).
We define a state s to be a type-consistent interpretation of V, assigning to each
variable v a value s[v] over its domain. We denote by S the set of all states. For
a subset of variables $V' \subseteq V$, we define a $V'$-state to be a type-consistent
interpretation of $V'$.
We define a synchronous transition system (sts) to be a triple
$\Phi = (V, \Theta, \rho)$
consisting of the following components:
• V is a finite set of typed variables.
• $\Theta$ is an assertion characterizing the set of initial states: $\{s \mid s \models \Theta\}$.
• $\rho \subseteq S \times S$ is the transition relation relating past and current states, denoted
by $s^-$ and s, respectively.^6 For example, the assertion $x = x^- + 1$ states that the
value of x in s is greater by 1 than its value in $s^-$. If $(s^-, s) \in \rho$, we say that state
$s^-$ is a $\rho$-predecessor of state s.
Runs. A run $\sigma: s_0, s_1, s_2, \ldots$ is a sequence of states such that
$s_0 \models \Theta \ \wedge\ \forall i > 0,\ (s_{i-1}, s_i) \in \rho$. (1)
Composition. The composition of two sts $\Phi = \Phi_1 \parallel \Phi_2$ is defined as
$V = V_1 \cup V_2$
$\Theta = \Theta_1 \wedge \Theta_2$
$\rho = \rho_1 \wedge \rho_2$.
The composition is thus the pairwise conjunction (denoted by $\wedge$) of initial and
transition relations. Composition is thus commutative and associative. Note that, in
sts composition, interaction occurs through common variables only.
6 Usually, states and primed states are used to refer to current and next states. This is equivalent to
our present notation. We have preferred to consider $s^-$ and s, just because the formulas we shall write
mostly involve current variables, rather than past ones. Using the standard notation would have resulted
in a burden of primed variables in the formulas.
Notations for sts. For the convenience of specification, sts have a set of declared
variables, written $V_d$, implicitly augmented with associated auxiliary variables: the
whole constitutes the set V of variables. We shall use the following generic notation
in the following:
• b, c, v, w, ... denote sts declared variables, and b, c are used to refer to
variables of Boolean type.
• For v a declared variable, $h_v \in \{t, \bot\}$ denotes its clock:
$[h_v \neq \bot] \Leftrightarrow [v \neq \bot]$.
• For v a declared variable, $\xi_v$ denotes its associated state variable, defined by
if $h_v$ then $\xi_v = v$ else $\xi_v = \xi_v^-$. (2)
Values can be given to $s_0[\xi_v]$ as part of the initial condition. Then, $\xi_v$ is always
present after the first occurrence of v. Note that $\xi_{\xi_v} = \xi_v$; thus only state variables
of declared variables have to be considered.
Stuttering. As modularity is desirable, an sts should be permitted to do nothing
while its environment is possibly working. This feature has already been identified in the
literature and is known as stuttering invariance or robustness (Lamport, 1983a, b).
Stuttering invariance of an sts $\Phi$ is defined as follows: if
$\sigma: s_0, s_1, s_2, \ldots$
is a run of $\Phi$, so is
$\sigma': s_0, \bot_{s_0}, \ldots, \bot_{s_0}, s_1, \bot_{s_1}, \ldots, \bot_{s_1}, s_2, \bot_{s_2}, \ldots, \bot_{s_2}, \ldots$, (3)
where, for every state s, the symbol $\bot_s$ denotes the silent state associated with s,
defined by
$\forall v \in V_d:\ \bot_s[v] = \bot \ \text{and}\ \bot_s[\xi_v] = s[\xi_v]$.
This means that state variables are kept unchanged, whenever their associated declared
variables are absent. Note that stuttering invariance allows for runs possessing only
a finite number of present states.
We require in the following that all sts that we consider be stuttering invariant.
They should indeed satisfy
$[(s^-, s) \in \rho] \Rightarrow [(s^-, \bot_{s^-}) \in \rho] \wedge [(\bot_{s^-}, s) \in \rho]$. (4)
By convention, we shall simply write $\bot$ when mentioning a particular state s is not
required.
Examples of Transition Relations.
• A selector:
if b then $z = u$ else $z = v$. (5)
Note that the ‘‘else’’ part corresponds to the property ‘‘$[b = f] \vee [b = \bot]$.’’
• A register:
if $h_z$ then $v = \xi_z^-$ else $v = \bot$, (6)
where $\xi_z$ is the state variable associated with z as in (2), and $\xi_z^-$ denotes its past
value. The more intuitive interpretation of this statement is $v_n = z_{n-1}$, where index
‘‘n’’ denotes the instants at which both v and z are present (their clocks are specified
to be equal). Decrementing a register would simply be specified by
if $h_z$ then $v = \xi_z^- - 1$ else $v = \bot$, (7)
where z is of integer type. Note that both statements (6) and (7) imply the equality
of clocks:
$h_z = h_v$.
• Testing for a property:
if $h_v$ then $b = (v \le 0)$ else $b = \bot$. (8)
Note that a consequence of this definition is, again,
$h_v = h_b$.
• A synchronization constraint:
$(b = t) = (h_u = t)$, (9)
meaning that the clock of u is the set of instants where the Boolean variable b is true.
Putting (5), (7), (8), and (9) together yields the sts
if b then $z = u$ else $z = v$
if $h_z$ then $v = \xi_z^- - 1$ else $v = \bot$
if $h_v$ then $b = (v \le 0)$ else $b = \bot$
$(b = t) = (h_u = t)$.
A run of this sts for the variable z is depicted in the figure. Each time u is
received, z is set to the value of u. Then z is decremented by one at each activation
cycle of the sts, until it reaches the value 0. Immediately after this, a fresh u can
be read, and so on. Note the schizophrenic nature of the ‘‘inputs’’ of this sts. While
the value carried by u is an input, the instant at which u is read is not: reading of
the input is in demand-driven mode. This is reflected by the fact that inputs of this
sts are the pair [activation clock h, value of u when it is present].
Using the primitives (5), (6), (8), and (9), dataflow synchronous languages such
as Lustre (Halbwachs, 1993) and Signal (LeGuernic et al., 1999) are easily
encoded. Note that the primitives (5), (6), (8), and (9) and their composition are
stuttering invariant sts; i.e., they satisfy condition (4).
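As an added illustration (not code from the paper), the following Python model executes the sts obtained from (5), (7), (8) and (9) reaction by reaction: `None` stands for the absent value ⊥, the environment supplies the activation clock and the values of u on demand, and the names `reaction`, `run` and `z_trace` are this example's own. It also shows that the silent state of (4) leaves the state variable ξ_z unchanged.

```python
"""Executable model of the counter sts built from conjuncts (5), (7), (8) and (9).
Added example: the sts is the paper's, this Python encoding is not.
ABSENT plays the role of the distinguished element "absent" (bottom);
xi_z is the state variable of z as defined by equation (2)."""
from typing import Dict, Iterator, List, Optional

ABSENT = None                         # the value "absent" of every extended type
State = Dict[str, object]


def silent(xi_z: int) -> State:
    """Silent state (stuttering, (4)): declared variables absent, state variable kept."""
    return {"h": ABSENT, "v": ABSENT, "b": ABSENT, "u": ABSENT, "z": ABSENT, "xi_z": xi_z}


def reaction(xi_z_prev: int, activated: bool, u_source: Iterator[int]) -> State:
    """One reaction.  Inputs are the pair [activation clock h, value of u when
    present]: u is pulled from u_source only on demand, i.e. when b is true,
    which is what conjunct (9), (b = t) = (h_u = t), prescribes."""
    if not activated:
        return silent(xi_z_prev)
    v = xi_z_prev - 1                 # (7): if h_z then v = xi_z^- - 1
    b = v <= 0                        # (8): if h_v then b = (v <= 0)
    if b:                             # (9): u is present exactly when b is true
        try:
            u = next(u_source)
        except StopIteration:
            raise RuntimeError("u demanded (b = t) but the environment supplied no value") from None
        z = u                         # (5): if b then z = u ...
    else:
        u, z = ABSENT, v              # (5): ... else z = v
    return {"h": True, "v": v, "b": b, "u": u, "z": z, "xi_z": z}   # (2): xi_z = z


def run(xi_z0: int, activations: List[bool], u_values: List[int]) -> List[State]:
    """Run from the initial condition s_0[xi_z] = xi_z0 over the given activation
    clock; u_values are consumed in order, one per demand."""
    u_source = iter(u_values)
    states: List[State] = []
    xi_z = xi_z0
    for h in activations:
        s = reaction(xi_z, h, u_source)
        states.append(s)
        xi_z = s["xi_z"]
    return states


def z_trace(states: List[State]) -> List[Optional[int]]:
    """The sequence of values of z along a run (ABSENT where the sts stutters)."""
    return [s["z"] for s in states]


if __name__ == "__main__":
    # constructed input: five activations, the environment offers u = 3 then u = 2
    for s in run(0, [True, True, False, True, True], [3, 2]):
        print(s)
```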
3. COMPOSITIONALITY IN CODE GENERATION: INFORMAL ANALYSIS
In this section, we informally discuss issues of compositionality aiming at code
generation. After a brief review of the problems, we acknowledge the importance of
extending our basic sts model with preorders; preorders are useful to capture
causality, to specify schedulings, and to model communications in a distributed
environment. Also, preorders are instrumental in handling abstractions. Then we
discuss causality analysis and we analyze a few simple examples. Separate compila-
tion is discussed, using preorders: we show that separate compilation requires a
new level of intermediate code which allows us to store and reuse modules in a correct
way. Finally we discuss the issue of distributed code generation on an asynchronous
architecture.
3.1. What Is the Problem?
Basically, the problem is twofold: (1) bruteforce separate compilation can be the
source of deadlock, and (2) generating distributed code is generally not compatible
with maintaining strict compliance with the synchronous model of computation.
We illustrate briefly these two issues next.
Naive Separate Compilation may be Dangerous. This is illustrated in the following:
The first diagram depicts the ‘‘dependencies’’ associated with some sts specification:
the first output needs the first input for its computation, and the second output needs
the second input for its computation. The second diagram shows a possible scheduling,
corresponding to the standard scheduling: (1) read inputs, (2) compute reaction,
and (3) emit outputs. This gives a correct sequential execution of the sts. In the
third diagram, an additional dependency is enforced by setting the considered sts
in some environment which reacts with no delay to its inputs: a deadlock is created.
In the last diagram, however, it is revealed that this additional dependency caused
by the environment indeed was compatible with the original specification, and no
deadlock resulted from applying it. Here, deadlock was caused by the actual
implementation of the specification, not by the specification itself.
The traditional answer to this problem by the synchronous programming school
has been to refuse considering separate compilation: modules for further reuse
should be stored as source code, and combined as such before code generation. We
shall later see that this does not need to be the case, however.
Desynchronization. This is illustrated in the following:
This figure depicts a communication scenario: two processors, modelled as sequential
machines, exchange messages using an asynchronous medium for their communications.
The natural structure of time is that of a partial order, as derived from the directed
graph composed of (1) linear time on each processor and (2) communications. This
structure for time does not match the linear time corresponding to the infinite sequence
of reactions which is the very basis of the synchronous paradigm.
The Need for Reasoning about Causality, Schedulings, and Communications. This
need emerges from the above discussion. In the next subsection, we shall introduce
a unique framework to handle these diverse aspects: the formalism of scheduling
specifications.
3.2. Scheduling Specifications
Causality relations have been investigated for several years in the past in the area
of models of distributed systems and computations. The classical approach considers
a classical automaton, in which concurrency is modelled via an ‘‘independence’’ equiv-
alence relation among the labels of the transitions. Since independence is generally not
a symmetric relation (actions of writing and reading are not symmetric), the theory
of traces (Aalbersberg and Rozenberg, 1988) has been extended to so-called
‘‘semi-commutations’’ (Clerbout and Latteux, 1987), and this technique has been recently
applied to the implementation of reactive automata on distributed architectures
(Caillaud et al., 1997). Causality preorder relations have also been used in a dif-
ferent way in (LeGuernic and Gautier, 1991), and also in (Benveniste et al., 1994),
from which we borrow the essentials of the present technique. In addition to
modelling causality relations, preorders can be used to specify scheduling requirements,
and they can also be used to model send/receive types of communications.
sts with Scheduling Specifications. We consider a set V of variables. A preorder
on the set V is a relation (generically denoted by $\preceq$) which is reflexive ($x \preceq x$) and
transitive ($x \preceq y$ and $y \preceq z$ imply $x \preceq z$). To $\preceq$ we associate the equivalence relation
$\simeq$, defined by $x \simeq y$ iff $x \preceq y$ and $y \preceq x$. If the equivalence classes of $\simeq$ are singletons,
then $\preceq$ is a partial order. Preorders are naturally specified via (possibly cyclic)
directed graphs, denoted
$x \to y$ for $x, y \in V$, (10)
by defining $x \preceq z$ iff there is a path originating from x and terminating in z. The
supremum of two preorders, written
$\preceq_1 \vee \preceq_2$, (11)
is the least preorder which is an extension of $\preceq_1$ and $\preceq_2$. The set of all preorders
on V is denoted $\mathcal{P}_V$.
A labelled preorder on V is a preorder on V, together with a value s[v] for each
$v \in V$ over its domain. A state $\tilde s$ is a labelled preorder. The set of all states is denoted
$\tilde S$. As before for sts, we denote by S the set of all type-consistent interpretations of
V. Thus $\tilde S = S \times \mathcal{P}_V$, and a state $\tilde s$ decomposes as
$\tilde s = (s, \preceq_V)$. (12)
An sts with scheduling specifications is a triple $\tilde\Phi = (V, \Theta, \tilde\rho)$, where V, $\Theta$ are as
before, and
$\tilde\rho \subseteq S \times \tilde S = S \times S \times \mathcal{P}_V$; (13)
i.e., $\tilde\rho$ relates the value for the tuple of previous variables to the current state.
By convention, transition relation $\tilde\rho$ is trivially extended to a transition on $\tilde S$, i.e.,
a subset of $\tilde S \times \tilde S$, and runs are sequences $\tilde s_0, \tilde s_1, \tilde s_2, \ldots$ that are consistent with
transition relation (13).
We shall denote by $\rho$ the transition relation on S obtained by projecting $\tilde\rho$ on
$S \times S$, i.e., by ignoring the preorder component. Note that $\Phi = (V, \Theta, \rho)$ is an
ordinary sts. The composition of two sts with scheduling specifications
$\tilde\Phi = \tilde\Phi_1 \parallel \tilde\Phi_2$ (14)
is defined as follows:
1. Associated underlying sts (without scheduling specifications) are simply
composed:
$\Phi = \Phi_1 \parallel \Phi_2$. (15)
Then we need to define how preorders are combined.
2. For s a state for $\Phi$, for i = 1, 2 let $s_i$ be the restriction of s to $V_i$; we know
that $s_i$ is a state for $\Phi_i$. Let $\tilde s_i = (s_i, \preceq_{V_i})$ be the corresponding state for $\tilde\Phi_i$; cf. (12).
Define
$\preceq_V =_{def} \preceq_{V_1} \vee \preceq_{V_2}$ (cf. (11)) (16)
$\tilde s =_{def} (s, \preceq_V)$. (17)
Thus (15), (16), and (17) define how states of the components $\tilde\Phi_i$ are combined
together, building up the states and runs of $\tilde\Phi = \tilde\Phi_1 \parallel \tilde\Phi_2$. Again, composition $\parallel$ as
extended to sts with scheduling specifications is commutative and associative.
Notation for Scheduling Specifications. We now introduce convenient notation
for the graphs generating the above-introduced preorders. The notation $u \to v$
corresponds to the edge (10). For b a variable of type $bool \cup \{\bot\}$, and u, v variables
of any type, the following generic conjunct will be used to specify preorders,
if b then $u \to v$, resp. if b else $u \to v$,
also written
$u \xrightarrow{b} v$, resp. $u \xrightarrow{\bar b} v$.
In Subsection 5.1, it is shown that scheduling specifications have the following
properties:
$x \xrightarrow{b} y \ \wedge\ y \xrightarrow{c} z \ \Rightarrow\ x \xrightarrow{b \wedge c} z$ (18)
$x \xrightarrow{b} y \ \wedge\ x \xrightarrow{c} y \ \Rightarrow\ x \xrightarrow{b \vee c} y$. (19)
Properties (18) and (19) can be used to compute input/output abstractions of
scheduling specifications:
In this figure, the diagram on the left depicts a scheduling specification involving
local variables. These are hidden in the diagram on the right, using rules (18) and (19).
Inferring Scheduling Specifications from Causality Analysis. We now provide a
technique for inferring schedulings from causality analysis for sts specified as
conjunctions of the particular set of generic conjunct we have introduced so far.
Considering this restricted set of generic conjuncts is justified by the fact that (1)
all known synchronous languages can be encoded using this set of basic conjuncts,
and even more, (2) these primitives allow one to express the most general synchron-
ization mechanisms that are compatible with the paradigm of perfect synchrony
(Benveniste et al., 1992). We recall next this set of basic conjuncts for the sake of
clarity:
if b then $w = u$ else $w = v$
$u \xrightarrow{b} w$ (20)
$w = f(u_1, \ldots, u_k)\ \wedge\ h_w = h_{u_1} = \cdots = h_{u_k}$
In addition to the set (20) of primitives, state variable !v associated to variable v
can be used on the right-hand side of each of the above primitive statements. The
third primitive involves a conjunction of statements that are considered jointly.
Later on, in the examples, we shall freely use nested expressions such as ‘‘if b then
w=expr,’’ where expr denotes an expression built on the same set of primitives. It
is understood that such expressions need to be expanded prior to applying the rules
of formulas (21) given next.
In formulas (21), each primitive statement has a scheduling specification associated
with it, given on the corresponding right-hand side of the table. Given an sts specified
as the conjunction of a set of such statements, for each conjunct we add the correspond-
ing scheduling specification to the considered sts. Since, in turn, scheduling specifica-
tions themselves have scheduling specifications associated with them, this mechanism
of adding scheduling specifications must be applied until fixpoint is reached. Note
that applying these rules until fixpoint is reached takes at most two successive
passes. In formulas (21), labels of schedulings are expressions involving variables in
the domain [=, f, t] ordered by [=<f<t]; with this in mind, expressions involv-
ing the symbols ‘‘7’’ (min) and ‘‘6’’ (max) have a clear meaning:
(R-1) \u hu > u
(R-2)
if b then w=u
else w=v
O {
b hb 7 (hu 6hv ) > hw
(21)
hu 
b7 hu > hw
hv 
b7 hv > hw
u b 7 hu > w
v b 7hv > w
(R-3) u b> w O b > hw
(R-4)
w=f (u1 , ..., uk)
hw=hu1= } } } =huk= O ui 
hw > w.
136 BENVENISTE, CAILLAUD, AND LE GUERNIC
Note that there is no rule involving variables of the form !&z , as previous state
variables are available prior to starting the current reaction and thus do not participate
in the causality calculus. Rules (R-1)(R-4) are formally justified in Section 5. We
briefly report the corresponding results. For P an sts, first apply Rules (R-1)(R-4)
until fixpoint is reached: this yields an sts we call sched(P). Then, a sufficient condi-
tion for P to have a unique deterministic run is:
1. sched(P) is circuit-free at each instant, meaning that it is never true that
x1 
b1 > x2 
b2 > x1
and
(b1 7 b2=t),
where x1 and x2 are distinct variables
2. sched(P) has no multiple definition of variables at any instant, meaning
that, whenever
if b1 then x=exp1
7 if b2 then x=exp2
holds in P and the exp1 and exp2 are different expressions, then
b1 7 b2=t
never holds in P.
Then P is said to be executable, and sched(P) provides (dynamic) scheduling
specifications for this run. Note that proof obligations resulting from the above two
conditions are generally no automatically provable; therefore abstractions may
have to be considered.
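Added example (not part of the paper): a Python evaluation of labelled scheduling specifications at one instant, where labels range over the ordered domain {⊥ < f < t} with conjunction as min and disjunction as max. The max-min transitive closure implements (18) and (19), `hide_locals` computes the input/output abstraction of Subsection 3.2, and `circuits` checks condition 1 above on the separate-compilation scenario of Subsection 3.1; the function names and the edge sets are this example's own assumptions.

```python
"""Labelled scheduling specifications evaluated at one instant.

Added example, not the paper's code.  Labels take values in the domain
{ABSENT < F < T} ordered as in formulas (21); conjunction is min and
disjunction is max.  A max-min transitive closure applies (18) (a path is
labelled by the conjunction of its edges) and (19) (parallel paths merge
by disjunction)."""
from typing import Dict, Iterable, List, Set, Tuple

ABSENT, F, T = 0, 1, 2                 # absent < f < t
Edge = Tuple[str, int, str]            # (source, label, target): source --label--> target


def closure(vertices: Iterable[str], edges: Iterable[Edge]) -> Dict[Tuple[str, str], int]:
    """lab[x, z] = max over paths x ~> z of the min of the labels along the path."""
    vs = list(vertices)
    lab = {(x, z): ABSENT for x in vs for z in vs}
    for x, b, z in edges:
        lab[(x, z)] = max(lab[(x, z)], b)            # (19) on parallel edges
    for y in vs:                                     # Floyd-Warshall over (max, min)
        for x in vs:
            for z in vs:
                via = min(lab[(x, y)], lab[(y, z)])  # (18) on the chain x -> y -> z
                if via > lab[(x, z)]:
                    lab[(x, z)] = via
    return lab


def hide_locals(vertices: Iterable[str], edges: Iterable[Edge], interface: Set[str]) -> List[Edge]:
    """Input/output abstraction: the scheduling induced between interface
    variables once the local variables are hidden (the figure after (19))."""
    lab = closure(list(vertices), edges)
    return sorted((x, b, z) for (x, z), b in lab.items()
                  if x != z and b > ABSENT and x in interface and z in interface)


def circuits(vertices: Iterable[str], edges: Iterable[Edge]) -> List[str]:
    """Variables lying on a circuit labelled T at this instant (executability
    condition 1): x1 -> x2 -> x1 with b1 and b2 = T gives lab[x1, x1] = T."""
    vs = list(vertices)
    lab = closure(vs, edges)
    return sorted(x for x in vs if lab[(x, x)] == T)


# Constructed scenario of Subsection 3.1: two independent input/output pairs.
VARS = ["in1", "in2", "out1", "out2"]
SPEC_EDGES: List[Edge] = [("in1", T, "out1"), ("in2", T, "out2")]
# Sequential implementation: read in1, read in2, compute, emit out1, emit out2.
IMPL_EDGES: List[Edge] = SPEC_EDGES + [("in1", T, "in2"), ("in2", T, "out1"), ("out1", T, "out2")]
# Environment reacting with no delay: out1 is fed back into in2.
ENV_EDGE: Edge = ("out1", T, "in2")

if __name__ == "__main__":
    print("spec + env:", circuits(VARS, SPEC_EDGES + [ENV_EDGE]))   # no circuit
    print("impl + env:", circuits(VARS, IMPL_EDGES + [ENV_EDGE]))   # in2 and out1 on a circuit
```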
Summary. What do we have at this stage?
1. sts composition is just the conjunction of constraints.
2. Scheduling specifications do compose as well.
3. Since causality analysis is based on an abstraction, Rules (R-1)–(R-4) for
inferring scheduling from causality are bound to the syntax of the sts conjuncts.
Hence, in order to maximize the chance of effectively recognizing that an sts P is
executable, P is generally rewritten in a different but semantically equivalent syntax
(runs remain the same) while causality analysis is performed.7 But this latter operation
is global and not compositional: here we reach the limits of ideal compositionality.
7 This is part of the job performed by the Signal compiler’s ‘‘clock calculus.’’
3.3. Causality Analysis: Examples
We show here some sts statements and their associated scheduling as derived
from causality analysis. In the following figures, vertices in boldface denote input
clocks, vertices in boldface italic denote input data, and vertices in Courier denote
other variables. It is of interest to distinguish between these two different types of inputs,
as input reading for an sts can occur with any combination of data- and demand-driven
modes. Note that, for each vertex of the graph, the labels sitting on the incoming
branches are evaluated prior to the considered vertex. Thus, when this vertex is to be
evaluated, the other variables needed for its evaluation are already known. The resulting
directed graphs (which are labelled with Booleans) specify the set of all legal
schedulings for the execution of the considered sts; this is formalized in Section 5.
A reactive sts.
In the above example, input data are associated with their corresponding input
clocks: this sts reads its inputs on a purely data-driven mode, input patterns
(u, v, b) are free to be present or absent, and, when they are present, their value is
free also. We call it a ‘‘reactive’’ sts.
The Full Example, a Proactive sts.
FIG. 1. Scheduling from causality analysis for the example.
Applying scheduling rules (R-1)–(R-4) and then performing some straightforward
simplifications, we get the result shown in Fig. 1. Note the change in control: [input
clock, input data] have been drastically modified from the ‘‘if b then z=u else
z=v’’ statement to the complete sts: inputs now consist of the pair $[h, v_u]$, where
$v_u$ refers to the value carried by u when present. Reading of u occurs on demand,
when condition b is true. We propose to call such an sts ‘‘proactive.’’
3.4. Generating Scheduling for Separate Modules
Relevant target architectures for embedded applications are typically (1) purely
sequential code (such as C-code), (2) code using a threading or tasking mechanism
provided by some kind of a real-time OS (here the threading mechanism offers
some degree of concurrency), or (3) DSP-type multiprocessor architectures with
associated communication media.
On the other hand, the scheduling specifications we derive from causality rules
(R-1)–(R-4) still exhibit maximal concurrency. Actual implementations will have to
conform to these scheduling specifications. In general, they will exhibit less (and
even sometimes no) concurrency, meaning that further sequentialization has been
performed to generate code.
Of course, this additional sequentialization can be the source of potential,
otherwise unjustified, deadlock when the considered module is reused in the form
of object code in some environment; this was illustrated in Subsection 3.1. The
traditional answer to this problem by the synchronous programming school has
been to refuse considering separate compilation: modules for further reuse should
be stored as source code, and combined as such before code generation.
We shall however see that this does not need to be the case. Instead, a careful
use of the scheduling specifications of an sts will allow us to decompose it into
modules that can be stored as object code for further reuse, whatever the actual
environment and implementation architecture will be.
For the sake of clarity, we restrict our discussion to the case of single-clocked sts,
i.e., an sts in which all declared variables have the same clock. The issue is
illustrated in the following figure, in which the directed graph defining the circuit-
free scheduling specification of some single-clocked sts is depicted:
In the above figure, the gray zones group all variables which depend on the same subset of inputs; let us call them "tasks". Tasks are not subject to the risk of creating fake deadlocks from implementation, unlike the example from Subsection 3.1. In fact, as all variables belonging to the same task depend on the same inputs, each task can be executed safely according to the following scheme: (1) collect inputs and (2) execute task.
In the next figure, we show how the actual implementation is prepared:
The thick arrows inside the task depicted on the right show one possible fully
sequential scheduling of this task. Then, what should be really stored as source code
for further reuse is only the abstraction consisting of the tasks viewed as black boxes,
together with their associated interface scheduling specifications. In particular, if the
supporting execution architecture involves a real-time tasking system implementing
some preemption mechanisms in order to dynamically optimize scheduling for best
response time, tasks can be freely suspended/resumed by the real-time kernel,
without impairing conformity of the object code to its specification. Using our
notion of scheduling specification, the above approach easily extends to general sts,
in which several different clocks are involved.
3.5. Relaxing Synchrony
Loosening Synchrony. The major problem is that of testing for absence in an
asynchronous environment. This is illustrated in the following figure in which
information about the presence of variables in the considered instant is lost when
passing from the left- to right-hand side, since an explicit definition of the ‘‘instant’’
is not available anymore:
The question mark indicates that it is generally not possible, in an asynchronous environment, to decide upon the presence/absence of a signal relative to another one. While testing for absence is perfectly sound in a synchronous paradigm, it is meaningless in an asynchronous one.
The solution consists in restricting ourselves to so-called endochronous sts. Endochronous sts are those for which the control depends only on (1) the past state and (2) the values possibly carried by environment signals, but not on the presence/absence status of these signals. For an endochronous sts, losing the synchronization barriers that define the successive reactions will not result in changing its semantics; this is formalized in Subsection 4.2.
An example of an sts which is "exochronous" is the "reactive" sts given on the left-hand side of the following figure, whereas the "proactive" sts shown on the right-hand side is endochronous:
In the diagram on the left-hand side, three different clocks are source nodes of the directed graph. This means that the first decision in executing a reaction consists in deciding upon the relative presence/absence of these clocks. In contrast, in the diagram on the right-hand side, only one clock, the activation clock h, is a source node of the graph. Hence no test for relative presence/absence is needed, and the control only depends on the value of the internally computed Boolean variable b.
How endochrony allows us to desynchronize an sts is illustrated in an intuitive way in the following diagram, which depicts the scheduling specification associated with the (endochronous) pseudo-statement "if b then get u":
In the diagram on the left, a history of this statement is depicted, showing the successive instants (or reactions) separated by thick dashed lines. In the right-hand side diagram, the thick dashed lines have been removed. Clearly, no information has been lost: we know that u should happen exactly when b=t, and thus waiting for the value of b is enough for deciding whether u is to be waited for. A formal study of desynchronization and endochrony is presented in Section 4.
Moving from exochronous programs to endochronous programs can be performed; we only show one typical but simple example:
The idea is to add to the considered sts a monitor which delivers the presence/absence information via two Boolean variables b, b' with identical clocks h, and such that [k=t]=[b=t], and similarly for k', b'. The resulting sts is endochronous, since Boolean variables b, b' are scrutinized at the pace of activation clock h. Other schemes are also possible; this is discussed in Subsection 4.5.
Loosening Synchronous Composition. The second question is that of preserving the semantics of synchronous composition when an asynchronous communication medium is used. In the synchronous programming paradigm, communication occurs via instantaneous broadcast, meaning that all components must agree on (1) which variable is present/absent in the considered reaction, and then (2) what is the value carried by each present variable. Again this protocol is meaningless in an asynchronous communication medium. In Subsection 4.3, it is shown that the condition for semantics-preserving desynchronization of the communication is that the considered pair of sts should be isochronous.
Isochrony is a property of the synchronous composition $P \,\|\, Q$ of two sts. Roughly speaking, a pair of sts is isochronous if every pair of reactions, of P and Q, respectively, which agree on present common variables, also agree on all common variables. Thus, again, common agreement for composition of reactions can disregard absence.
Endochrony and isochrony are the basic concepts for our theory of desynchroniza-
tion. For this theory to hold, requirements for the communication medium are: (1) it
should not lose messages and (2) it should not change the order of messages associated
with each given variable.
3.6. Modular Design, GALS Architectures
From the theory informally presented in the previous subsections, the following approach results for modular design and distributed implementations of reactive systems. The target architecture is globally asynchronous, locally synchronous (gals) by nature. The whole approach is summarized in Fig. 2, where the considered sts is assumed to possess a unique, deterministic execution; i.e., it satisfies the correctness criteria stated in Subsection 3.2. In this diagram, gray rectangles denote three modules $P_1, P_2, P_3$ of the source sts specification, hence given by $P = P_1 \,\|\, P_2 \,\|\, P_3$. We assume here that this partitioning has been given by the designer, based on functional and architectural considerations.
FIG. 2. Implementation architecture.
White bubbles inside the gray rectangles depict the structuration into tasks as
discussed in Subsection 3.4. The black half-ellipses denote the monitors. Monitors
are in charge of (1) providing the additional protocols if asynchronous communica-
tion media are to be used, and (2) specifying the scheduling of the abstract tasks.
In principle, communication media and real-time kernels do not need to be specified here, as they can be used freely provided that they respect the send/receive abstract communication model and conform to the scheduling constraints set by the monitors.
4. FORMAL STUDY OF DESYNCHRONIZATION
How farclose is indeed synchrony from asynchrony has already been discussed
in the literature, thus questioning the oversimplified vision of ‘‘zero time’’ computa-
tion and instantaneous broadcast communication. An early paper (Benveniste and
Berry, 1991) informally discussed the link between perfect synchrony and token-
based asynchronous dataflow networks; see in particular Section V therein. The first
formal and deep study is that of Caspi (1992): a precise relation is established
between so-called well-clocked synchronous functional programs and the subset of
Kahn networks amenable to ‘‘bufferless’’ evaluation.
Distributed code generation from synchronous programs requires one to address
the issue of the relationship between synchrony and asynchrony in some way or
another. Mapping synchronous programs to a network of automata, communicat-
ing asynchronously via unbounded fifos, has been proposed in Caillaud et al.
(1997). Mapping Signal programs to distributed architectures was proposed in
Maffeis and LeGuernic (1994) and Aubry (1997), based on an early version of the
theory we present in this paper. The SynDEx tool (Sorel and Lavarenne; Sorel,
1996) also implements a similar approach. Recent work (Berry and Sentovich,
1998) on the Polis system proposes to reuse the ‘‘constructive semantics’’ approach
for the Esterel synchronous language, with CFSM (codesign finite state machines)
as a model of synchronous machines which can be desynchronized.
Independently, another route to relate synchrony and asynchrony has been
followed. In Benveniste and LeGuernic (1990) and LeGuernic et al. (1991) it was
shown how nondeterministic Signal programs can be used to model asynchronous
communication media such as queues and buffers. Reactive modules were proposed
(Alur and Henzinger, 1996) as a synchronous language for hardware modelling, in
which asynchrony is emulated by way of nondeterminism. Although this is of interest, we believe that this approach is not suited to analyzing true asynchrony, in which no notion of a global state is available, unlike for synchrony.
We first informally discuss the essentials of asynchrony. Synchronous transition systems were defined in Subsection 2.2, and their asynchronous counterpart is defined in Subsection 4.1, where desynchronization is also formally defined. The rest of this section is devoted to the analysis of desynchronization and its inverse, namely resynchronization.
4.1. Desynchronizing STS, and Two Fundamental Problems
We first start with an informal discussion, following the discussion of Subsection
2.1. Keeping in mind the essentials of the synchronous paradigm, we are now ready
to discuss informally how asynchrony relates to synchrony. Referring to points 1,
2, and 3 of the discussion of Subsection 2.1, the following can be stated about
asynchrony:
1. Reactions cannot be observed anymore: as no global clock exists, the global
synchronization barriers which indicate the transition from one reaction to the next
one are no longer available. Instead, we only assume a reliable distributed commu-
nication medium, in which messages are not lost, and messages within each
individual channel are sent and delivered in the same order. We call a flow such a
totally ordered sequence of messages.
2. Absence cannot be sensed, and thus cannot be used to exercise control.
3. Composition occurs by means of separately unifying each common flow of
the two components. This models in particular the communications via asynchronous
unbounded fifos, such as used, say, in Kahn networks. Rendezvous type of communica-
tion can also be abstracted in this way.
From the definition (1) of a run of an sts, we can say that a run is a sequence of tuples of values in domains extended with the extra symbol $\bot$. Desynchronizing a run amounts to discarding the synchronization barriers defining the successive reactions. Hence, for each variable $v \in V$, we only know the ordered sequence of present values. Thus desynchronizing a run amounts to mapping a sequence of tuples of values in domains extended with the extra symbol $\bot$ into a tuple of sequences of present values, one sequence per variable. This is formalized next.
For $\sigma: s_0, s_1, s_2, \ldots$ a run for $\Phi$, we decompose state $s_k$ as
$$s_k = (s_k[v])_{v \in V}.$$
Thus we can rewrite run $\sigma$ as
$$\sigma = (\sigma[v])_{v \in V},$$
where
$$\sigma[v] = s_0[v], s_1[v], \ldots, s_k[v], \ldots .$$
Now, compress each $\sigma[v]$ by deleting those $s_k[v]$ that are equal to $\bot$. Formally, we denote by $k_0, k_1, k_2, \ldots$ the subsequence of $k = 0, 1, 2, \ldots$ such that $s_k[v] \neq \bot$. Then we set
$$\sigma^a = (\sigma^a[v])_{v \in V},$$
where
$$\sigma^a[v] = s_{k_0}[v], s_{k_1}[v], s_{k_2}[v], \ldots .$$
This defines the desynchronization mapping
$$\sigma \mapsto \sigma^a, \qquad (22)$$
where each
$$\sigma^a[v] = s_{k_0}[v], s_{k_1}[v], s_{k_2}[v], \ldots$$
is called a flow in the sequel.
For $\Phi = (V, \Theta, \rho)$ an sts, we define
$$\Phi^a =_{\mathrm{def}} (V, \Sigma^a), \qquad (23)$$
where $\Sigma^a$ is the family of all $\sigma^a$, for $\sigma$ ranging over the set of runs of $\Phi$. For $\Phi_i = (V_i, \Theta_i, \rho_i)$, $i = 1, 2$, we define
$$\Phi^a_1 \,\|^a\, \Phi^a_2 =_{\mathrm{def}} (V, \Sigma^a), \quad \text{where } V = V_1 \cup V_2,\ \ \Sigma^a = \Sigma^a_1 \wedge^a \Sigma^a_2, \qquad (24)$$
and $\wedge^a$ denotes the conjunction of sets of asynchronous runs, which we define now. For $\sigma^a_i \in \Sigma^a_i$, $i = 1, 2$, we say that $\sigma^a_1$ and $\sigma^a_2$ are unifiable, written
$$\sigma^a_1 \bowtie^a \sigma^a_2, \qquad (25)$$
if the following condition holds:
$$\forall v \in V_1 \cap V_2 : \sigma^a_1[v] = \sigma^a_2[v].$$
If condition (25) holds, then we define $\sigma^a =_{\mathrm{def}} \sigma^a_1 \wedge^a \sigma^a_2$ as
$$\begin{array}{ll}
\forall v \in V_1 \cap V_2 : & \sigma^a[v] = \sigma^a_1[v] = \sigma^a_2[v] \\
\forall v \in V_1 \setminus V_2 : & \sigma^a[v] = \sigma^a_1[v] \\
\forall v \in V_2 \setminus V_1 : & \sigma^a[v] = \sigma^a_2[v].
\end{array}$$
Finally, $\Sigma^a$ is the set of the so-defined $\sigma^a$. Thus asynchronous composition proceeds via unification of shared flows.
Synchrony vs Asynchrony? At this point two natural questions arise, namely:
Question 1 (Desynchronizing a Single sts). Is resynchronization feasible and uniquely defined? More precisely, is it possible to uniquely reconstruct the original run $\sigma$ for our sts from its desynchronized version $\sigma^a$ as defined in (22)?
Question 2 (Desynchronizing a Communication). Does communication behave equivalently for both the synchronous and asynchronous compositions? More precisely, does the following property hold:
$$\Phi^a_1 \,\|^a\, \Phi^a_2 = (\Phi_1 \,\|\, \Phi_2)^a \ ? \qquad (26)$$
If Question 1 had a positive answer, then we could desynchronize a run of the considered sts, and then still recover the original synchronous run. Thus a positive answer to Question 1 would guarantee that the synchronous semantics is preserved when performing desynchronization, for a single sts.
On the other hand, if question (26) had a positive answer, then we could interpret our sts composition equivalently as synchronous or asynchronous.
Unfortunately, neither Question 1 nor Question 2 has a positive answer in general, due to the possibility of exercising control by way of absence in synchronous composition $\|$.
In the following section, we show that Questions 1 and 2 have positive answers under certain sufficient conditions, in which the two notions of endochrony (for point 1) and isochrony (for point 2) play a central role.8
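The definitions (22) to (25) and the two questions above can be exercised on concrete runs. The following Python model is an added example, not code from the paper or the Signal/DC+ tools: a reaction is a dict mapping every variable of a component to a value or to `ABSENT` (the symbol $\bot$), a run is a list of reactions, and a flow tuple is a dict mapping each variable to its ordered list of present values. The two runs are constructed for the example, with `x` as the only shared variable. It shows that two runs can fail to unify reaction per reaction (component 2 has `x` absent at the first instant, component 1 has it present) while their desynchronized flows unify; inserting one silent reaction, the "stretching" used later in the proof of Theorem 2, re-aligns them.

```python
"""Desynchronization (22) and asynchronous composition by flow unification
(24)-(25), on constructed runs. Added example, not code from the paper."""

ABSENT = None  # plays the role of the symbol "bottom": variable absent in a reaction

def desynchronize(run, variables):
    """The mapping sigma -> sigma^a of (22): for each variable keep only the
    ordered sequence of present values, dropping the reaction boundaries."""
    return {v: [s[v] for s in run if s[v] is not ABSENT] for v in variables}

def flows_unifiable(fa, fb):
    """Condition (25): the two flow tuples agree on every shared variable."""
    return all(fa[v] == fb[v] for v in fa.keys() & fb.keys())

def async_compose(fa, fb):
    """sigma^a_1 wedge^a sigma^a_2 of (24): unify shared flows, keep private
    ones. Returns None when (25) fails."""
    if not flows_unifiable(fa, fb):
        return None
    return {**fa, **fb}  # shared entries are equal, so the merge is a unification

def states_unifiable(sa, sb):
    """Synchronous unification of one reaction of each component: agreement on
    presence/absence and on the value of every shared variable."""
    return all(sa[v] == sb[v] for v in sa.keys() & sb.keys())

def sync_compose(run_a, run_b):
    """Reaction-per-reaction unification (synchronous composition of runs).
    Returns the composed run, or None if some pair of reactions does not unify."""
    if len(run_a) != len(run_b):
        return None
    out = []
    for sa, sb in zip(run_a, run_b):
        if not states_unifiable(sa, sb):
            return None
        out.append({**sa, **sb})
    return out

def silent(variables):
    """The silent reaction (every variable absent) over a variable set."""
    return {v: ABSENT for v in variables}

# Constructed runs: component 1 has variables {x, y}, component 2 has {x, z};
# x is the shared variable. Component 2 starts with a reaction in which x is absent.
V1, V2 = ("x", "y"), ("x", "z")
RUN1 = [{"x": 1, "y": 10}, {"x": 2, "y": 20}]
RUN2 = [{"x": ABSENT, "z": 5}, {"x": 1, "z": 6}, {"x": 2, "z": 7}]

def demo():
    """Returns a dict of the intermediate results, so they can be inspected."""
    f1, f2 = desynchronize(RUN1, V1), desynchronize(RUN2, V2)
    # Reaction per reaction the runs do not unify: at the first instant
    # component 1 has x present while component 2 has it absent.
    sync_direct = sync_compose(RUN1, RUN2)
    # Asynchronously only the order of present values of x matters, and it agrees.
    async_flows = async_compose(f1, f2)
    # Stretching RUN1 with one leading silent reaction re-aligns the two runs;
    # the synchronous composition then desynchronizes to exactly async_flows.
    stretched = sync_compose([silent(V1)] + RUN1, RUN2)
    return {
        "flows1": f1, "flows2": f2,
        "sync_direct": sync_direct,
        "async": async_flows,
        "sync_stretched": stretched,
        "stretched_flows": desynchronize(stretched, V1 + ("z",)) if stretched else None,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Whether such a re-alignment by silent reactions always exists for runs of the full sts (rather than for one chosen pair of runs) is exactly what property (26) asks and what isochrony answers in Subsection 4.3.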
4.2. Endochrony and Resynchronization
4.2.1. Formal Results
In this section, we use notation from Subsection 2.2. For $\Phi = (V, \Theta, \rho)$ an sts, and $s$ a reachable state of $\Phi$, we denote by $s^h$ the clock abstraction of $s$, defined by
$$\forall v \in V : s^h[v] \in \{\bot, \top\}, \quad \text{and} \quad s^h[v] = \bot \iff s[v] = \bot. \qquad (27)$$
For $\Phi = (V, \Theta, \rho)$ an sts, $s^-$ a reachable previous state for $\Phi$, and $W' \subseteq W \subseteq V$, we say that $W'$ is a clock inference of $W$ given $s^-$, written
$$W' \subset_{s^-} W, \qquad (28)$$
if, for each state $s$ reachable from $s^-$ for $\Phi$, knowing the presence/absence and actual value carried by each variable belonging to $W'$ allows us to determine exactly the presence/absence of each variable belonging to $W$. In other words,
$$s[W'] \text{ determines } s^h[W]. \qquad (29)$$
If $W' \subset_{s^-} W_1$ and $W' \subset_{s^-} W_2$ hold, then $W' \subset_{s^-} (W_1 \cup W_2)$ follows; thus there exists a greatest $W$ such that $W' \subset_{s^-} W$ holds. Hence we can consider the unique increasing chain, for $s^-$ given,
$$\emptyset = V(0) \subset_{s^-} V(1) \subset_{s^-} V(2) \subset_{s^-} \cdots \qquad (30)$$
of subsets of $V$ such that, for each $k$, $V(k)$ is the greatest set of variables such that $V(k-1) \subset_{s^-} V(k)$ holds. As $\emptyset = V(0)$, $V(1)$ consists of the subset of variables that are present as soon as the considered sts gets activated.9 Of course chain (30) must become stationary at some finite $k_{\max}$: $V(k_{\max}+1) = V(k_{\max})$. In general, we only know that $V(k_{\max}) \subseteq V$. Chain (30) is called the synchronization chain of $\Phi$.
8 Endochronous, from ancient Greek ἔνδον, inside, and χρόνος, time; isochronous, from ancient Greek ἴσος, identical, and χρόνος, time. It is sometimes nice to remember that ancient Greeks were great scientists, and thus honor them by reusing their words in our context.
Definition 1 (Endochrony). sts $\Phi$ is said to be endochronous if, for each state $s^-$ reachable for $\Phi$, $V(k_{\max}) = V$, i.e., if the following condition is satisfied: the synchronization chain
$$\text{(E)} \qquad \emptyset = V(0) \subset_{s^-} V(1) \subset_{s^-} V(2) \subset_{s^-} \cdots \ \text{ converges to } V. \qquad (31)$$
Condition (31) expresses that the presence/absence of all variables can be inferred incrementally from already known values carried by present variables and state variables of the sts in consideration. Hence no test for presence/absence on the environment is needed. The following theorem justifies our approach:
Theorem 1. Consider an sts $\Phi = (V, \Theta, \rho)$.
1. Conditions (a) and (b) are equivalent, where:
(a) $\Phi$ is endochronous;
(b) for each $\delta \in \Sigma^a$, we can reconstruct the corresponding synchronous run $\sigma$ such that $\sigma^a = \delta$, in a unique way up to silent reactions.
2. Assume that $\Phi$ is endochronous and stuttering invariant. If $\Phi' = (V, \Theta, \rho')$ is another endochronous and stuttering invariant sts then
$$(\Phi')^a = \Phi^a \implies \Phi' = \Phi. \qquad (32)$$
Proof. We prove successively points 1 and 2.
1. We fix the previous state $s^-$ and prove the result by induction. Pick a $\delta \in \Sigma^a$, and assume for the moment that we were able to decompose it as
$$\underbrace{s_1, s_2, \ldots, s_n}_{\text{initial segment of } \sigma},\ \delta_n, \qquad (33)$$
i.e., into a finite sequence of length $n$ composed of nonsilent states $s_i$ (the head of the synchronous run $\sigma$ we wish to reconstruct), followed by the tail of the asynchronous run $\delta$, which we denote by $\delta_n$, and we assume that such a decomposition is unique. Then we claim that
$$\text{(33) is also valid with } n \text{ substituted by } n+1. \qquad (34)$$
To prove (34), we note that, when sts $\Phi$ gets activated, then we know that variables belonging to $V(1)$ will be present in the considered state. By assumption, the clock-abstracted state $s^h_{n+1}[V(1)]$, having $V(1)$ as variables, is uniquely determined. In the following we write $s^h_{n+1}(1)$ for short instead of $s^h_{n+1}[V(1)]$. Thus, the presence/absence of variables for state $s_{n+1}(1)$ is known; the values carried by the present variables remain to be determined.
For $v \in V(1)$, we simply pick the value carried by the minimal element of the sequence associated with variable $v$ in $\delta_n$. Values carried by corresponding state variables are updated accordingly. Thus we know all of $s_{n+1}(1)$.
Next we move on to constructing $s_{n+1}(2)$. From $s_{n+1}(1)$ we know $s^h_{n+1}(2)$. Thus we know how to split $V(2)$ into present and absent variables for the considered state. Pick the present ones, and repeat the same argument as before to get $s_{n+1}(2)$. Repeat this argument until $V(k) = V$ for some finite $k$ (by the endochrony assumption). This proves claim (34).
Given the initial condition for $\delta$, we get from (34), by induction, the desired proof that (a) $\Rightarrow$ (b).
Next, we prove (b) $\Rightarrow$ (a). We assume that $\Phi$ is not endochronous, and show that condition (b) cannot be satisfied. If $\Phi$ is not endochronous, there must be some reachable state $s^-$ for which chain (31) does not converge to $V$. Thus again we pick a $\delta \in \Sigma^a$, decomposed as for case 1, cf. formula (33),
$$\underbrace{s_1, s_2, \ldots, s_n}_{\text{initial segment of } \sigma},\ \delta_n,$$
and we assume in addition that $s_n = s^-$, the given state for which endochrony is violated. We now show that (34) is disproved. Let $k_* \geq 0$ be the smallest index such that $V(k_*) = V(k_*+1)$; we know $V(k_*) \neq V$. Thus we can apply the algorithm of case 1 for reconstructing the reaction, up to the variables of $V(k_*)$. Then presence/absence for variables belonging to $V \setminus V(k_*)$ cannot be determined based on the knowledge of variables belonging to $V(k_*)$. Thus there are several possible extensions for $s^h_{n+1}(k_*+1)$, and thus the $(n+1)$th reaction is not determined in a unique way. Hence condition (b) is falsified.
2. Assume that $\Phi$ is endochronous, and consider $\Phi'$ as in point 2 of the theorem. As both $\Phi$ and $\Phi'$ are stuttering invariant, point 2 is an immediate consequence of point 1.
9 Of course we assume here that no variable is absent in every reachable state.
Comments. 1. For an sts, endochrony is not decidable in general. It is decidable
for sts involving, say, only finite domains for their variables, and model checking
can be used for that. For general sts, model checking can be used, in combination
with abstraction techniques. The case of interest is when the chain $V(0), V(1), \ldots$ does not depend upon the particular state $s^-$, and we write simply $V(k) \subset V(k+1)$ in this case.
2. The proof of this theorem in fact provides an effective algorithm for the
on-the-fly reconstruction of the successive reactions, for a desynchronized run of an
endochronous program.
Examples.
• A single-clocked sts.
• sts "if b=t then get u," where b, u are the two inputs, and b is Boolean. The clock of b coincides with the activation clock for this sts, and thus $V(1) = \{b\}$. Then, knowing the value for b indicates whether or not u is present, and thus $V(2) = \{b, u\} = V$.
Counterexample. sts "if ([present a] & [present b]) then ..." is not endochronous, as the environment is free to offer any combination of presence/absence for the two inputs a, b. Thus $\emptyset = V(0) = V(1) = V(2) = \cdots \subsetneq V$, and endochrony does not hold.
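Comment 2 above says that the proof of Theorem 1 is an effective on-the-fly resynchronization algorithm. The following Python model, an added example and not code from the paper or from any synchronous-language compiler, runs that algorithm on the two sts just discussed. An sts is represented here by a clock-inference rule: a function that, given the variables already fixed in the current reaction (their value, or `ABSENT` for $\bot$), returns the presence of the further variables it can now decide. This encoding is an assumption of the example, as is the sample flow data. For "if b=t then get u" the chain $\emptyset \subset \{b\} \subset \{b, u\}$ is traversed at every reaction and the run is rebuilt uniquely; for "if ([present a] & [present b])" nothing can be decided from known values, the chain stalls at $V(0)$ and the resynchronizer reports the sts as not endochronous.

```python
"""Resynchronization of flows by the synchronization chain (30)-(31), i.e. the
on-the-fly reconstruction algorithm from the proof of Theorem 1. Added example;
the clock-inference rules and flows are constructed, not code from the paper."""

ABSENT = None  # the symbol "bottom"

class NotEndochronous(Exception):
    """Raised when the chain V(0) < V(1) < ... stalls before reaching V."""

def clock_if_b_then_get_u(known):
    """Clock inference for the paper's example 'if b=t then get u':
    b is present at every activation, u is present exactly when b carries t.
    `known` holds the variables already fixed in the current reaction
    (value, or ABSENT); the function returns the presence (True/False) of
    the variables it can now decide."""
    if "b" not in known:
        return {"b": True}
    if "u" not in known:
        return {"u": known["b"] is True}
    return {}

def clock_present_a_and_b(known):
    """Clock inference for the counterexample 'if ([present a] & [present b])':
    nothing about a's or b's presence follows from known values, so no
    variable can ever be decided and the chain stays at V(0) = empty set."""
    return {}

def resynchronize(variables, clock_rule, flows):
    """Rebuild the synchronous run from flows (one list of present values per
    variable). Each reaction is built incrementally: clock_rule decides the
    presence of further variables from the values already read; present
    variables take the next value of their flow, absent ones get ABSENT.
    Returns (run, chains) where chains[i] is the synchronization chain
    V(0), V(1), ... observed while building reaction i. Silent reactions are
    never produced, which is the 'unique up to silent reactions' of Theorem 1."""
    pending = {v: list(seq) for v, seq in flows.items()}  # copies, consumed below
    run, chains = [], []
    while any(pending[v] for v in variables):
        state, chain = {}, [frozenset()]
        while len(state) < len(variables):
            decided = {v: p for v, p in clock_rule(state).items() if v not in state}
            if not decided:
                raise NotEndochronous(
                    f"chain stalls at V(k) = {sorted(state)} != V = {sorted(variables)}")
            for v, present in decided.items():
                if present:
                    if not pending[v]:
                        raise ValueError(f"flow of {v} is exhausted but {v} must be present")
                    state[v] = pending[v].pop(0)
                else:
                    state[v] = ABSENT
            chain.append(frozenset(state))
        run.append(state)
        chains.append(chain)
    return run, chains

# Constructed flows for 'if b=t then get u': three activations, u read twice.
FLOWS = {"b": [True, False, True], "u": [3, 7]}

if __name__ == "__main__":
    run, chains = resynchronize(("b", "u"), clock_if_b_then_get_u, FLOWS)
    print(run)
    print([sorted(c) for c in chains[0]])
    try:
        resynchronize(("a", "b"), clock_present_a_and_b, {"a": [1], "b": [2]})
    except NotEndochronous as e:
        print("not endochronous:", e)
```

The `ValueError` branch covers the case where the flows handed to the resynchronizer are not the desynchronization of any run of the sts (a present variable whose flow has run dry); a deployed resynchronizer would treat it as a protocol violation by the peer rather than as a programming error.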
4.2.2. Practical Consequences
A first use of endochrony is shown in the following figure:
In this figure, a pair $(\Phi_1, \Phi_2)$ of sts is depicted, with $W$ as a set of shared variables. Rewrite their composition as
$$\Phi_1 \,\|\, \Phi_2 = \Phi_1 \,\|\, \Psi_{1,2} \,\|\, \Phi_2,$$
where $\Psi_{1,2}$ is the restriction of $\Phi_1 \,\|\, \Phi_2$ to $W$; hence $\Psi_{1,2}$ models the synchronous communication channel. Using the property $\Phi \,\|\, \Phi = \Phi$ for every sts $\Phi$, we get
$$\Phi_1 \,\|\, \Phi_2 = \underbrace{(\Phi_1 \,\|\, \Psi_{1,2})}_{\bar{\Phi}_1} \,\|\, \underbrace{(\Psi_{1,2} \,\|\, \Phi_2)}_{\bar{\Phi}_2} = \bar{\Phi}_1 \,\|\, \bar{\Phi}_2. \qquad (35)$$
Assume now that channel model $\Psi_{1,2}$ is endochronous, and composition $\Phi_1 \,\|\, \Phi_2$ is implemented as the (equivalent) composition $\bar{\Phi}_1 \,\|\, \bar{\Phi}_2$. Then, as $\bar{\Phi}_1$ knows channel $\Psi_{1,2}$ and the latter is endochronous, communication can be equivalently implemented according to perfect synchrony or full asynchrony.
This is fine, but it does not extend to networks of sts involving more than two nodes. The following figure shows an example:
Assume that $\Psi_1, \Psi_2$ are both endochronous. Then communication between $\Phi_1$ and $\Phi$ on the one hand, and $\Phi$ and $\Phi_2$ on the other hand, can be desynchronized. Unfortunately, communication between $\Phi_1$ and $\Phi_2$ via $\Phi$ cannot, as it is not true in general that $\Psi_1 \,\|\, \Phi \,\|\, \Psi_2$ is endochronous. The problem is that endochrony is not compositional; hence even ensuring in addition that $\Phi$ itself is endochronous would not do. Thus we would need to ensure that $\Psi_1, \Psi_2$ as well as $\Psi_1 \,\|\, \Phi \,\|\, \Psi_2$ are all endochronous, not an elegant solution when networks are considered! Thus we move on to introducing the alternative notion of isochrony, which focuses on communication, and is compositional.
4.3. Isochrony, and Synchronous and Asynchronous Compositions
The next result addresses the question of when property (26) holds true. We are given two sts $\Phi_i = (V_i, \Theta_i, \rho_i)$, $i = 1, 2$. Denote by $W = V_1 \cap V_2$ the set of their common variables, and by $\Phi = \Phi_1 \,\|\, \Phi_2$ their synchronous composition. For $s$ a reachable state in $\Phi$, we denote by $s_1 =_{\mathrm{def}} s[V_1]$ and $s_2 =_{\mathrm{def}} s[V_2]$ the restrictions of state $s$ to $\Phi_1$ and $\Phi_2$, respectively. Note that, for $i = 1, 2$, $s_i$ is a reachable state for $\Phi_i$. Corresponding notations $s^-, s^-_1, s^-_2$ for past states will be used accordingly.
Definition 2 (Isochrony). Consider a pair $(\Phi_1, \Phi_2)$ of sts. Transitions of $\Phi_i$, $i = 1, 2$, are written $(s^-_i, s_i)$. Consider the following conditions on pairs $((s^-_1, s_1), (s^-_2, s_2))$ of transitions for $(\Phi_1, \Phi_2)$:
(i) 1. $s^-_1 = s^-[V_1]$ and $s^-_2 = s^-[V_2]$ hold for some reachable state $s^-$ for $\Phi$; in particular $s^-_1$ and $s^-_2$ are unifiable;
2. none of the states $s_i$, $i = 1, 2$, is silent on the common variables; i.e., it is not the case that, for some $i = 1, 2$, $s_i[v] = \bot$ holds $\forall v \in W$;
3. $s_1$ and $s_2$ coincide over the set of present common variables,10 i.e.,
$$\forall v \in W : (s_1[v] \neq \bot \text{ and } s_2[v] \neq \bot) \implies s_1[v] = s_2[v];$$
(ii) states $s_1$ and $s_2$ coincide over the whole set of common variables, i.e., states $s_1$ and $s_2$ are unifiable:
$$s_1 = s[V_1] \text{ and } s_2 = s[V_2] \text{ hold for some state } s \text{ for } \Phi.$$
The pair $(\Phi_1, \Phi_2)$ is called isochronous if condition (i) implies condition (ii), for each pair $((s^-_1, s_1), (s^-_2, s_2))$ of transitions for $(\Phi_1, \Phi_2)$.
Comment. Roughly speaking, the condition of isochrony expresses that unifying over present common variables is enough to guarantee the unification of the two considered states $s_1$ and $s_2$. The condition of isochrony is illustrated in the following figure:
The figure depicts, for unifiable previous states $s^-_1, s^-_2$, corresponding states $s_1, s_2$, where $(s^-_i, s_i)$ is a valid transition for $\Phi_i$. It shows the interpretation of $s_1$ (circle on the left) and $s_2$ (circle on the right) over shared variables $W$. White and hatched areas represent absent and present values, respectively. The two left and right circles are superimposed in the middle circle. In general, vertically and horizontally hatched areas do not coincide, even if $s_1$ and $s_2$ unify over the subset of shared variables that are present for both transitions (crosshatched area). Pictorially, unification over the crosshatched area does not imply in general that the hatched areas coincide. Isochrony indeed requires that unification over the crosshatched area does imply that the hatched areas coincide; hence unification of $s_1$ and $s_2$ follows.
10 By convention this is satisfied if the set of present common variables is empty.
The following theorem justifies introducing this notion of isochrony.
Theorem 2. 1. If the pair $(\Phi_1, \Phi_2)$ is isochronous, then it satisfies property (26).
2. Conversely, assume in addition that $\Phi_1$ and $\Phi_2$ are both endochronous. If the pair $(\Phi_1, \Phi_2)$ satisfies property (26), then it is isochronous.
Thus, isochrony is sufficient for (26) to hold, and it is in fact also necessary when the components are endochronous.
Comments. 1. We already discussed the importance of guaranteeing property
(26). Now, why is this theorem interesting? Mainly because it replaces condition
(26), which involves infinite runs, by condition (i) of isochrony, which only involves
a single reaction for the considered pair of sts.
2. Comment 1 for endochrony also applies here.
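Comment 1 above is the practical point: condition (i) of Definition 2 is checked one reaction at a time, so for finite-domain components it is a finite enumeration. The following Python check is an added example, not code from the paper or from any tool it describes. It makes one simplifying assumption, stated here and in the code: each component is given as the finite set of reactions it can take from a fixed pair of unifiable previous states, so point 1 of condition (i) is taken for granted and only points 2 and 3 are tested against condition (ii). The two components and their shared variables $W = \{x, y\}$ are constructed for the example; the second variant of component 2 can take `x` without `y`, which is exactly the situation the hatched-areas figure above depicts, and the check returns that pair as the witness of non-isochrony.

```python
"""Single-reaction isochrony check, following Definition 2. Added example, not
code from the paper. Simplification (an assumption of this example): each
component is given as the finite set of reactions it can take from a fixed pair
of unifiable previous states, so point 1 of condition (i) is taken for granted
and only points 2 and 3 of (i) versus condition (ii) are checked."""

ABSENT = None  # the symbol "bottom"

def silent_on(state, W):
    """Point 2 of (i): a state silent on W has every common variable absent."""
    return all(state[v] is ABSENT for v in W)

def agree_on_present(s1, s2, W):
    """Point 3 of (i): equal on the common variables present in both states
    (vacuously true when that set is empty, as footnote 10 says)."""
    return all(s1[v] == s2[v] for v in W
               if s1[v] is not ABSENT and s2[v] is not ABSENT)

def unifiable(s1, s2, W):
    """Condition (ii): equal on every common variable, absence included."""
    return all(s1[v] == s2[v] for v in W)

def check_isochrony(reactions1, reactions2, W):
    """Return (True, None) if every pair of reactions meeting points 2 and 3 of
    (i) also meets (ii); otherwise (False, the first offending pair)."""
    for s1 in reactions1:
        if silent_on(s1, W):
            continue
        for s2 in reactions2:
            if silent_on(s2, W):
                continue
            if agree_on_present(s1, s2, W) and not unifiable(s1, s2, W):
                return False, (s1, s2)
    return True, None

# Constructed components sharing W = {x, y}. PHI1 always emits x and y
# together (or neither); PHI2_OK follows the same clock discipline on W.
W = ("x", "y")
PHI1 = [{"x": 1, "y": 1, "p": 0}, {"x": 2, "y": 2, "p": 1},
        {"x": ABSENT, "y": ABSENT, "p": 2}]
PHI2_OK = [{"x": 1, "y": 1, "q": "a"}, {"x": 2, "y": 2, "q": "b"},
           {"x": ABSENT, "y": ABSENT, "q": "c"}]
# PHI2_BAD can additionally take x without y: it agrees with PHI1 on the
# present common variable x but not on the presence of y, so unification over
# the crosshatched area does not imply that the hatched areas coincide.
PHI2_BAD = PHI2_OK + [{"x": 1, "y": ABSENT, "q": "d"}]

if __name__ == "__main__":
    print(check_isochrony(PHI1, PHI2_OK, W))
    print(check_isochrony(PHI1, PHI2_BAD, W))
```

Dropping the simplification means enumerating reachable pairs of previous states and running the same loop for each; the per-pair test itself does not change.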
Proof. We successively prove points 1 and 2.
1. Isochrony implies Property (26). We proceed in two steps.
1. The desynchronization of $\Phi$, defined by (23), is denoted by $\Phi^a$, and we denote by $\delta$ a run of $\Phi^a$. For each $\delta \in \Sigma^a$, there is at least one corresponding synchronous run $\sigma$ for $\Phi$ such that $\delta = \sigma^a$. Any such $\sigma$ is clearly the synchronous composition of two unifiable runs $\sigma_1$ and $\sigma_2$ for $\Phi_1$ and $\Phi_2$, respectively. Hence the associated asynchronous runs $\sigma^a_1$ and $\sigma^a_2$ are also unifiable, and their asynchronous composition $\sigma^a_1 \wedge^a \sigma^a_2$ belongs to $\Sigma^a_1 \wedge^a \Sigma^a_2$. Thus we always have the inclusion
$$\Phi^a_1 \,\|^a\, \Phi^a_2 \supseteq (\Phi_1 \,\|\, \Phi_2)^a, \qquad (36)$$
which proves the first part of (26). So far we have used only the definition of desynchronization and asynchronous composition; isochrony has not yet been used.
2. To prove the opposite inclusion, we need to prove that, when moving from asynchronous to synchronous composition, the additional need for a reaction-per-reaction matching of unifiable runs will not result in rejecting pairs of runs that otherwise would be unifiable in the asynchronous sense. This is where condition (i) of isochrony enters the game.
Pick a pair $(\delta_1, \delta_2)$ such that $\delta_1 \bowtie^a \delta_2$ (cf. (25)): they can be combined while performing the asynchronous composition $\Phi^a_1 \,\|^a\, \Phi^a_2$ to form some $\delta$ (cf. (24)); this is denoted by $\delta_1 \wedge^a \delta_2 = \delta$. By definition of desynchronization (cf. Subsection 4.1), there exist a (synchronous) run $\sigma_1$ for $\Phi_1$ and a (synchronous) run $\sigma_2$ for $\Phi_2$ such that $\delta_i$ is obtained by desynchronizing $\sigma_i$, $i = 1, 2$ (as we do not assume endochrony at this point, run $\sigma_i$ is not uniquely determined). Thus each run $\sigma_i$ is a succession of states. Clearly, inserting finitely many silent states between successive states of $\sigma_i$ would also provide valid candidates for recovering $\delta_i$ after desynchronization. We shall show, by induction over successive states, that
$$\text{properly inserting such a silent state in the appropriate component will provide two runs which are unifiable in the synchronous sense.} \qquad (37)$$
This will show that, from a pair $(\delta_1, \delta_2)$ such that $\delta_1 \bowtie^a \delta_2$, we can reconstruct (at least) one pair $(\sigma_1, \sigma_2)$ of runs for $\Phi_1$ and $\Phi_2$ that are unifiable in the synchronous sense, and thus will prove the alternative inclusion
$$\Phi^a_1 \,\|^a\, \Phi^a_2 \subseteq (\Phi_1 \,\|\, \Phi_2)^a. \qquad (38)$$
From (36) and (38) we then deduce property (26). We prove (37) now, by induction over successive states.
We are given a pair $(\delta_1, \delta_2)$ such that $\delta_1 \bowtie^a \delta_2$. Pick a $\sigma_1$ such that $\sigma^a_1 = \delta_1$, and similarly for $\sigma_2$. For $s_1, s_2, \ldots, s_n$ a finite run, we say that another run $s'_1, s'_2, \ldots, s'_m$ is a stretching of $s_1, s_2, \ldots, s_n$, written
$$s'_1, s'_2, \ldots, s'_m = (s_1, s_2, \ldots, s_n)^{\uparrow} \qquad (39)$$
if there is a strictly increasing subsequence $k_1, \ldots, k_n$ of $1, \ldots, m$ such that $s'_{k_j} = s_j$, $j = 1, \ldots, n$, and $s'_k = \bot$ for $k \notin \{k_1, \ldots, k_n\}$. Note that (39) implies $m \geq n$. Using notation (39) we introduce the following hypothesis, for use in our inductive reasoning: for $i = 1, 2$, run $\sigma_i$ decomposes as
$$\sigma_i = \underbrace{s_{i,1}, s_{i,2}, \ldots, s_{i,n_i}}_{\text{initial segment of length } n_i},\ \sigma_{i,n_i} \qquad (40)$$
and there are stretchings such that
$$\begin{array}{l}
s'_{i,1}, s'_{i,2}, \ldots, s'_{i,n} = (s_{i,1}, s_{i,2}, \ldots, s_{i,n_i})^{\uparrow} \quad \text{for } i = 1, 2 \\
s'_{1,m} \bowtie s'_{2,m} \quad \text{for } m = 1, \ldots, n.
\end{array} \qquad (41)$$
Note that (41) implies $\sigma^a_{1,n_1} \bowtie^a \sigma^a_{2,n_2}$. Define the index
$$\zeta(n) = \min\{n_1, n_2\},$$
where $n_i$ is defined in (40). To perform the proof by induction, we need to extend (40) and (41) in such a way that index $\zeta(n)$ grows to infinity.
To this end, decompose the tail $\sigma_{i,n_i}$ into
$$\sigma_{i,n_i} = s_{i,n_i+1},\ \sigma_{i,n_i+1}.$$
The following cases can occur:
Case 1. Neither of the two states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ is silent over the common $W$ variables. Concentrate on those variables $v \in W$ that are present in both states $s_{1,n_1+1}$ and $s_{2,n_2+1}$. As $\delta_1 \bowtie^a \delta_2$ holds, we must have $s_{1,n_1+1}[v] = s_{2,n_2+1}[v]$ for any such $v$. Thus points 1, 2, and 3 of condition (i) of isochrony are satisfied. Hence $s_{1,n_1+1}$ and $s_{2,n_2+1}$ are indeed unifiable in this case, by isochrony. Therefore, in this case, hypothesis (40), (41) extends in such a way that $\zeta(n+1) = \min\{n_1+1, n_2+1\} = \zeta(n)+1$ holds.
Case 2. Both states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ are silent over the common $W$ variables. They are unifiable. Again, hypothesis (40), (41) extends in such a way that $\zeta(n+1) = \zeta(n)+1$ holds.
Case 3. One and only one of the two states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ is silent over the common $W$ variables, say $\forall v \in W : s_{1,n_1+1}[v] = \bot$. In this case we unify state $s_{1,n_1+1}$ with the silent state $\bot$ for $\Phi_2$. Thus the matching hypothesis (41) is extended as
$$\begin{array}{l}
s'_{1,1}, s'_{1,2}, \ldots, s'_{1,n}, s'_{1,n+1} = (s_{1,1}, s_{1,2}, \ldots, s_{1,n_1}, s_{1,n_1+1})^{\uparrow} \\
s'_{2,1}, s'_{2,2}, \ldots, s'_{2,n}, \underbrace{\bot}_{s'_{2,n+1}} = (s_{2,1}, s_{2,2}, \ldots, s_{2,n_2})^{\uparrow} \\
s'_{1,m} \bowtie s'_{2,m} \quad \text{for } m = 1, \ldots, n+1.
\end{array} \qquad (42)$$
Therefore $\zeta(n+1) = \min\{n_1+1, n_2\}$, and we cannot infer that $\zeta(n+1) > \zeta(n)$ holds in this case.
Given the analysis above, we only need to show that
$$\text{Case 3 cannot occur for infinitely many successive induction steps.} \qquad (43)$$
Assume that (43) does not hold. Then this implies that the whole tail $\sigma_{1,n_1}$ is silent over the common $W$ variables, while $\sigma_{2,n_2}$ is not. But on the other hand we should have $\sigma^a_{1,n_1} \bowtie^a \sigma^a_{2,n_2}$, see (41), whence a contradiction. This finishes the induction proof; hence (38) follows.
2. Under Endochrony of the Components, Property (26) Implies Isochrony. This
is easy. From Theorem 1 we know that, in our argument for proving point 1 of
Theorem 2, the synchronous runs $\sigma_i$ are uniquely defined, up to silent states, from
their desynchronized respective versions $\sigma^a_i$. Now, focus on Case 1 of this argument.
If isochrony is not satisfied, then, for some pair $\sigma^a_1 \bowtie^a \sigma^a_2$ of unifiable asynchronous
runs, and some decomposition (40) of them, points 1, 2, and 3 of
condition (i) of isochrony are satisfied, but states $s_{1,n+1}$ and $s_{2,n+1}$ are not
unifiable. As our only possibility is to try to insert silent states for one of the two
components (not feasible in Case 1), our process of incremental unification on a
per-reaction basis fails. Thus (38) is violated, and so is property (26). This finishes
the proof of the theorem. ∎
The following result is instrumental in proving compositionality of isochrony.
Lemma 1. If pairs $(\Psi, \Phi_1)$ and $(\Psi, \Phi_2)$ are isochronous, then so is pair $(\Psi, \Phi_1 \| \Phi_2)$.
Proof. Let $(s^-, s)$ and $(t^-, t)$ be pairs of successive states, for $\Psi$ and $\Phi_1 \| \Phi_2$,
respectively, satisfying condition (i) for isochrony; see Definition 2. Let $t$ be the
unification of the two states $s_1$ and $s_2$ for $\Phi_1$ and $\Phi_2$, respectively. By point 2 of (i),
at least one of these two states is not silent; assume that $s_1$ is not silent. From
point 3 of (i), $s$ and $s_1$ coincide over the set of present common variables, and thus,
since pair $(\Psi, \Phi_1)$ is isochronous, states $s$ and $s_1$ coincide over the whole set of
common variables for $\Psi$ and $\Phi_1$. Thus $s$ and $s_1$ are unifiable. But, on the other
hand, $s_1$ and $s_2$ are also unifiable since they are just restrictions of the same global
state $t$ for $\Phi_1 \| \Phi_2$. Thus states $s$ and $t$ are unifiable, and thus pair $(\Psi, \Phi_1 \| \Phi_2)$ is
isochronous. This proves Lemma 1. ∎
An interesting immediate by-product is the extension of the results on desynchronization
to networks of communicating synchronous components:
Corollary 1 (Desynchronizing a Network of Components). We are given a
finite family $(\Phi_k)_{k=1,\ldots,K}$ of sts. Assume that each pair $(\Phi_k, \Phi_{k'})$ is isochronous.
Then
1. For each pair of disjoint subsets $I$ and $J$ of the set $\{1, \ldots, K\}$, the pair
$$\Big(\,\|_{k \in I}\, \Phi_k\,,\ \|_{k' \in J}\, \Phi_{k'}\Big) \tag{44}$$
is isochronous. Thus isochrony is compositional.
2. Also, desynchronization extends to the network:
$$(\Phi_1 \| \cdots \| \Phi_K)^a = \Phi^a_1 \,\|^a \cdots \|^a\, \Phi^a_K. \tag{45}$$
Proof. 1. Property (44) follows from Lemma 1 via an obvious induction on the
cardinalities of the sets $I$, $J$.
2. The second statement is proved via induction on the number of components,
$$(\Phi_1 \| \cdots \| \Phi_K)^a = ((\Phi_1 \| \cdots \| \Phi_{K-1}) \| \Phi_K)^a
= (\Phi_1 \| \cdots \| \Phi_{K-1})^a \,\|^a\, \Phi^a_K,$$
and the induction step follows from (44). ∎
The next corollary expresses that isochrony is a "local" property.
Corollary 2 (Locality of Isochrony). Assume that the pair $(\Phi_1, \Phi_2)$ is isochronous,
and the pair $(\Psi_1, \Psi_2)$ is such that $\Psi_1$ has no common variable with $\Phi_2 \| \Psi_2$ and $\Psi_2$
has no common variable with $\Phi_1 \| \Psi_1$. Then the pair $(\Psi_1 \| \Phi_1, \Phi_2 \| \Psi_2)$ is also
isochronous.
Proof. This follows directly from Lemma 1. ∎
This is a useful result; it says that, in order for a pair $(\|_{k \in I} \Phi_k, \|_{k' \in J} \Phi_{k'})$ to be
isochronous, it is enough to check isochrony for the pairs $(\Phi_k, \Phi_{k'})$ of interacting
components.
Note however that, in order for a pair $(\Psi_1 \| \Phi_1, \Phi_2 \| \Psi_2)$ to be isochronous, it
is not necessary, but only sufficient, that the pair $(\Phi_1, \Phi_2)$ be isochronous.
(Counter)examples.
Examples.
• A single-clocked communication between two sts.
• The pair $(\Phi_1, \Phi_2)$ of formula (35).
Counterexample. Assume that an sts communicates with another one according
to the synchronous protocol "await x ‖ await y"; the resulting pair of sts is not
isochronous.
4.4. Getting GALS Architectures
In practice, only partial desynchronization of networks of communicating sts
may be considered. This means that we really want to have locally synchronous
components communicating via a globally asynchronous communication medium;
this is referred to as gals (globally asynchronous, locally synchronous) architectures.
In fact, Theorems 1 and 2 provide the adequate solution. Let us assume that we
have a finite collection $\Phi_i$ of sts such that:
1. each $\Phi_i$ is endochronous, and
2. each pair $(\Phi_i, \Phi_j)$ is isochronous.
Then, from Corollary 1 and Theorem 1, we know that
$$(\Phi_1 \| \cdots \| \Phi_K)^a = \Phi^a_1 \,\|^a \cdots \|^a\, \Phi^a_K$$
and each $\Phi^a_k$ is in one-to-one correspondence with its synchronous counterpart $\Phi_k$.
Here is the resulting running mode for this gals architecture:
• For communications involving a pair $(\Phi_i, \Phi_j)$ of sts, each flow is preserved
individually, but global synchronization is lost.
• Each sts $\Phi_i$ reconstructs its own successive reactions by just observing its
(desynchronized) environment, and then locally behaves as a synchronous sts.
• Note that it is allowed, for each $\Phi_i$, to have an internal activation clock
which is faster than the communication clocks. The resulting local activation clocks evolve
asynchronously from one another.
4.5. Handling Endo/Isochrony in Practice
While we have given criteria for endochrony and isochrony, we did not propose
a practical algorithm for checking these criteria. We do this now. Our aim is to
prepare for gals architectures such as discussed in Subsection 4.4. In particular, through-
out this subsection, a network of sts satisfying conditions 1 and 2 of Subsection 4.4
will be called endo/isochronous.
In this subsection, we shall indicate (1) how a (tight) sufficient condition for endo/
isochrony can actually be tested, and (2) how an sts can be made endo/isochronous.
As both the DC+ format and the Signal language can be considered
concrete instances of our sts model, we shall rely for our explanation on tools and
algorithms already developed in these environments.
4.5.1. Checking Endo/Isochrony
As one of the modules of the existing DC+ or Signal compiler, the data structure
shown in Fig. 3 is computed, for a given program P. In this figure, $b, c$ denote
Boolean variables, and $[b], [c]$ denote the clocks composed of the instants at which
$b = t$ and $c = t$ hold, respectively. Finally, $h, k$ are also clocks. The down arrows $h_0 \to b_1$,
$[b_1] \to b_2$, $[b_2] \to b_3$, etc., indicate that Boolean variable $b_1$ has a clock equal to $h_0$
and only needs variables with clock $h_0$ for its evaluation, and so on. Roots of the
trees are related by clock equations, depicted, for instance, by the bidirectional
arrow relating $h_0$ and $k_0$. This defines a tree under each clock $h_0, k_0, \ldots$, and yields
the so-called clock hierarchy in the form of a "forest," i.e., a collection of trees
related by clock equations. This structure is detailed in Amagbegnon et al. (1994,
1995), where it is shown to be a canonical representation of the combination of
clock equations and scheduling specifications of a program. Now, considering this
clock hierarchy, one easily proves the following:
FIG. 3. The clock hierarchy computed by the DC+ or Signal compiler.
Theorem 3. Assume that program P has a clock hierarchy consisting of a single
tree. Also assume that it is decomposed as $P = P_1 \| \cdots \| P_K$ and, for each $k$, the
clock hierarchy of component $P_k$ is a subtree of the clock tree of P. Then the corresponding
network of sts is endo/isochronous.
Theorem 3 is an immediate corollary of Theorem 1 of Section 4; it only states a
sufficient condition. In computing a clock hierarchy, the abstractions performed are
twofold: (1) inferring dependencies from causality analysis, and (2) abstracting
Boolean variables which result from the evaluation of a predicate involving a non-
Boolean expression. In practice, we shall use the clock hierarchy as the practical
criterion for checking endo/isochrony.
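The running mode of Subsection 4.4 and the clock-tree criterion of Theorem 3 can be made concrete as follows. The Python program below is an added illustration written for this edition; it is not code from the article, from the DC+ or Signal compilers, or from the SACRES project. It assumes a simplified representation of a clock hierarchy (a nested dictionary standing in for the structure of Fig. 3), a per-variable FIFO channel with no message loss (the medium the desynchronization theory requires), and an absent variable represented by its absence from a reaction's dictionary; the runs are constructed for the example. The reader of a single-tree hierarchy walks the tree: it reads the variables carried at the root clock, and descends into a sub-clock $[b]$ only when the Boolean $b$ it has just read is true, which is exactly how an endochronous component rebuilds its reactions from its desynchronized environment. With two unrelated roots, two distinct synchronous runs have the same desynchronized flows, so no such reader exists.

```python
from collections import deque

# Constructed example: a clock hierarchy that is a single tree.  Each node lists
# the variables present at every tick of its clock and the sub-clocks [b] spawned
# by the Boolean variables b it carries.
CLOCK_TREE = {
    "clock": "h0",
    "vars": ["b1", "x"],
    "children": {
        "b1": {"clock": "[b1]", "vars": ["b2", "y"],
               "children": {"b2": {"clock": "[b2]", "vars": ["z"], "children": {}}}},
    },
}

def desynchronize(run):
    """Phi -> Phi^a: keep each flow individually, drop all synchronization.
    A run is a list of reactions; a reaction maps each present variable to its
    value (absent variables are simply missing)."""
    flows = {}
    for reaction in run:
        for var, val in reaction.items():
            flows.setdefault(var, []).append(val)
    return flows

def _read_node(node, fifos, reaction):
    """One tick of node's clock: take one value of each variable present at that
    clock, then descend into the sub-clocks whose guard Boolean is true."""
    for var in node["vars"]:
        if not fifos.get(var):
            raise ValueError(f"flow of {var} ended in the middle of a reaction")
        reaction[var] = fifos[var].popleft()
    for guard, child in node["children"].items():
        if reaction[guard]:
            _read_node(child, fifos, reaction)

def resynchronize(tree, flows):
    """Phi^a -> Phi for an endochronous component: read the root variables, then
    only the flows that the Booleans already read call for, one reaction at a time."""
    fifos = {var: deque(vals) for var, vals in flows.items()}
    run = []
    while any(fifos.get(var) for var in tree["vars"]):
        reaction = {}
        _read_node(tree, fifos, reaction)
        run.append(reaction)
    leftover = [var for var, q in fifos.items() if q]
    if leftover:
        raise ValueError(f"values left unconsumed on {leftover}: flows inconsistent")
    return run

# Constructed synchronous run of the component above (y and z are absent when
# their guards are false).
RUN = [
    {"b1": True, "x": 1, "b2": False, "y": 10},
    {"b1": False, "x": 2},
    {"b1": True, "x": 3, "b2": True, "y": 30, "z": 300},
]

def tree_roundtrip():
    """The run is recovered exactly from its desynchronized flows."""
    return resynchronize(CLOCK_TREE, desynchronize(RUN)) == RUN

# A hierarchy with two unrelated roots h0 (carrying x) and k0 (carrying y) is a
# forest, not a tree: two different synchronous runs desynchronize to the same
# flows, so the reactions cannot be recovered from the asynchronous medium.
FOREST_RUN_A = [{"x": 1, "y": 10}, {"x": 2}]
FOREST_RUN_B = [{"x": 1}, {"x": 2, "y": 10}]

def forest_is_ambiguous():
    return (FOREST_RUN_A != FOREST_RUN_B
            and desynchronize(FOREST_RUN_A) == desynchronize(FOREST_RUN_B))

if __name__ == "__main__":
    print("single tree, round trip exact:", tree_roundtrip())
    print("two roots, reactions ambiguous:", forest_is_ambiguous())
```

The round trip holds because every variable's presence is decided by a value read earlier in the same reaction, from the root downwards; the error paths in `_read_node` and `resynchronize` are the situations an implementation must treat as a protocol violation rather than guess at.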
4.5.2. Enforcing Endo/Isochrony
Assume that we have an sts P having a clock hierarchy which is not a tree, and
we still want it to be a tree. What can we do? As revealed by inspecting the previous
figure, it is sufficient to make the roots $h_0, k_0, \ldots$ of the clock hierarchy belong
to some single clock tree. In other words, we can concentrate on the roots of the
clock hierarchy. Thus the problem can be restated as follows:
We are given a set $h_1, \ldots, h_k$ of clocks, which are related by a set of clock equations
of the form
$$\begin{array}{l} p_1(h_1, \ldots, h_k) \neq f \\ \cdots \\ p_q(h_1, \ldots, h_k) \neq f. \end{array} \tag{46}$$
This corresponds to having a collection $p_1, \ldots, p_q$ of predicates on clocks, which are
Boolean-valued expressions that are either true or absent. Note that being always
true is the case for predicates in classical Boolean logic, while in our case, due to
the requirement for stuttering robustness, we must accept the possibility for a
"clock predicate" to be absent. Systems of equations of the form (46) can be solved
for their variables $h_1, \ldots, h_k$, meaning that we can find a set $h^0_1, \ldots, h^0_l$ of clocks, and
a set $p^0_1, \ldots, p^0_k$ of clock expressions, such that the equation system
$$\begin{array}{l} h_1 = p^0_1(h^0_1, \ldots, h^0_l) \\ \cdots \\ h_k = p^0_k(h^0_1, \ldots, h^0_l) \end{array} \tag{47}$$
has the same set of solutions for $h_1, \ldots, h_k$ as the original system (46), and the new
clocks $h^0_1, \ldots, h^0_l$ are free, i.e., unconstrained by the system of equations (47). Finally,
we introduce Boolean variables $b^0_1, \ldots, b^0_l$ and a "master clock" $h$, such that
$$\begin{array}{l} h^0_1 = [b^0_1], \ \ldots, \ h^0_l = [b^0_l] \\ h_{b^0_1} = \cdots = h_{b^0_l} = h. \end{array} \tag{48}$$
The bottom line is:
1. The system of clock equations (46) is equivalent to (47), (48) after hiding the
auxiliary variables $h, b^0_1, \ldots, b^0_l$.
2. System (47), (48) is a clock tree.
Discussion. Basically, building (48), (47) from (46) intuitively corresponds to
equipping the original program P with a suitable communication protocol Q in such
a way that the compound program $P \| Q$ is endo/isochronous. This is not surprising
indeed, for it is known in the area of distributed systems that components in a distributed
system must be equipped with suitable protocols for their communications.
Finally, the way we moved from (46) to (47) reveals one unpleasant feature of
this technique, namely, that this part of the process is not unique, and thus there
are possibly many different correct protocols.
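For a finite set of clocks, the rewriting of (46) into (47), (48) can be carried out by enumerating presence patterns. The Python program below is an added worked example, not the algorithm of the Signal or DC+ compilers: it represents a clock by its presence or absence in one reaction, takes the predicates $p_j$ of (46) as a Python function that must hold on every non-silent pattern, and encodes the solution set by the valuations of $l$ free Booleans $b^0_1, \ldots, b^0_l$ carried at the master clock $h$, so that each $h_i$ becomes the clock expression $p^0_i$ selecting the codes at which $h_i$ is present. The clock equations used are constructed for the example; the choice of the surjection from codes onto solutions is exactly the non-uniqueness noted above.

```python
from itertools import product
from math import ceil, log2

CLOCKS = ["h1", "h2", "h3"]

def system_46(pattern):
    """Constructed instance of (46): h3 = h1 ^ h2 (h3 ticks exactly when h1 and
    h2 both do) and h1 <= h2 (h1 never ticks without h2).  `pattern` maps each
    clock to True (present) or False (absent) in one reaction."""
    h1, h2, h3 = pattern["h1"], pattern["h2"], pattern["h3"]
    return h3 == (h1 and h2) and (h2 or not h1)

def only_conjunction(pattern):
    """A second constructed instance: h3 = h1 ^ h2 alone (three solutions)."""
    return pattern["h3"] == (pattern["h1"] and pattern["h2"])

def solutions(clocks, holds):
    """Non-silent presence patterns satisfying the clock equations; the
    all-absent pattern is the silent reaction and is never listed."""
    sols = []
    for bits in product([False, True], repeat=len(clocks)):
        pattern = dict(zip(clocks, bits))
        if any(bits) and holds(pattern):
            sols.append(pattern)
    return sols

def tree_form(clocks, holds):
    """(46) -> (47), (48): l free Booleans b0_1..b0_l at a master clock h, and
    for each h_i the set of their valuations (codes) at which h_i is present,
    i.e. the clock expression p0_i.  Codes are mapped onto solutions by index
    modulo N; any other surjection would give another correct protocol."""
    sols = solutions(clocks, holds)
    n = len(sols)
    if n == 0:
        raise ValueError("the clock equations admit no non-silent reaction")
    l = ceil(log2(n)) if n > 1 else 0
    codes = list(product([False, True], repeat=l))
    chosen = {code: sols[i % n] for i, code in enumerate(codes)}
    p0 = {h: frozenset(code for code, sol in chosen.items() if sol[h]) for h in clocks}
    return l, p0

def solutions_of_tree_form(clocks, l, p0):
    """Solutions of (47), (48): the b0_j are free, so every valuation occurs and
    the h_i are read off their clock expressions."""
    pats = []
    for code in product([False, True], repeat=l):
        pat = {h: code in p0[h] for h in clocks}
        if pat not in pats:
            pats.append(pat)
    return pats

def same_solutions(clocks, holds):
    """Bottom line 1: (46) and (47), (48) have the same solutions for the h_i
    once h and the b0_j are hidden."""
    l, p0 = tree_form(clocks, holds)
    original = solutions(clocks, holds)
    rewritten = solutions_of_tree_form(clocks, l, p0)
    return all(p in rewritten for p in original) and all(p in original for p in rewritten)

if __name__ == "__main__":
    l, p0 = tree_form(CLOCKS, system_46)
    print("free Booleans:", l)
    for h in CLOCKS:
        print(h, "present at codes", sorted(p0[h]))
```

For `system_46` one free Boolean suffices: $h_2$ is present at both codes, i.e. $h_2 = h$, while $h_1 = h_3 = [b^0_1]$, which is the clock tree with root $h$ and one sub-clock. For `only_conjunction` three solutions need two free Booleans and one of the four codes is mapped twice, which is where a different encoding would yield a different but equally correct protocol.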
5. FORMAL STUDY OF CAUSALITY
In this section we develop a formal theory of causality for sts. Our basic tool is
that of scheduling specifications and labelled preorders. We first formalize this, by
adding the value unknown to our domains, as in the Constructive Boolean logic
used in Berry and Sentovich (1998). Using this extended domain, we are able to
formally state and prove our criterion that circuit-freeness implies executability.
Then we formalize Rules (R-1) to (R-4) of (21), and we finally show how correct
deterministic execution results from a successful causality analysis.
5.1. Encoding Scheduling Specifications Using an Algebraic Domain
In this section, we consider the following domain $D$ and its two orderings $\sqsubseteq$ and
$<$ as an abstraction of arbitrary domains of values:
$$D = \{\,?,\ \overbrace{\bot,\ \underbrace{f,\ t}_{\top}}^{\mathsf{p}}\,\} \tag{49}$$
$$? \sqsubseteq \bot, f, t, \qquad \bot < f < t. \tag{50}$$
In these formulas, the symbol $?$ (resp. $\mathsf{p}$) indicates that the value is "unknown"
(resp. "known"). The "unknown" status should not be confused with absence ($\bot$):
absence is a perfectly known status, while "unknown" is intended to model that a
variable has not been produced yet in the current reaction. Non-Boolean types are
abstracted as the single distinguished element $\top$; hence, for Booleans, the pair
$\{f, t\}$ can be seen as a refinement of the symbol $\top$: this is shown by the under-
bracket. And $\{\bot, \top\}$ is a refinement of $\mathsf{p}$; this is shown by the overbracket.
Ordering $<$ has already been introduced, and the additional partial order $\sqsubseteq$ is the
Scott information ordering: $? \sqsubseteq \bot, f, t$, the three values $\bot, f, t$ being incomparable
with respect to $\sqsubseteq$.
Definition. Relation $x \xrightarrow{b} y$ is defined in Table 1, where it is specified in the
form of a multivalued function. Its main feature is that it forbids, whenever $b = t$,
that $y$ becomes known while $x$ is not.
Properties of Scheduling Specifications. The following properties hold:
if $b, c \neq ?$, then
$$\begin{array}{l}
x \xrightarrow{b} y \ \wedge\ y \xrightarrow{c} z \ \Rightarrow\ x \xrightarrow{b \wedge c} z \\
x \xrightarrow{b} y \ \wedge\ x \xrightarrow{c} y \ \Rightarrow\ x \xrightarrow{b \vee c} y.
\end{array} \tag{51}$$
TABLE 1
Definition of the Dependency $x \xrightarrow{b} y$

           x:    ?       ⊥       ⊤
    b = ?        ?       ?       ?
    b = ⊥
    b = f
    b = t        ?

Note. This table gives the result of this multivalued function for its output $y$.
When nothing is written, this means that any value is accepted. If $x$ is Boolean,
then $\top$ is to be refined as any of the two values $\{f, t\}$.
In these equations, $b \wedge c$ and $b \vee c$ are respectively defined as the infimum (resp.
supremum) w.r.t. the relation "$<$" defined in (50) when both values belong to the sub-
domain $\{\bot, t, f\}$. In fact, we do not need formulas (51) in case $b$ or $c$ is unknown,
because the label of a branch is known prior to its extremity, in executable programs
equipped with their scheduling specifications as inferred from rules (R-1) to (R-4).
5.2. Circuit-Free Schedulings
We are given a set of variables $x_1, \ldots, x_n$. Some of them are Boolean; for the sake
of readability, Boolean variables used as labels in scheduling specifications will be
generically denoted by $b_1, b_2, \ldots$. Then we are given (1) a set of constraints of the
form $C(b_1, \ldots, b_k)$ on Boolean variables restricted to the subdomain $\{\bot, t, f\}$ of known
values, and (2) a set of scheduling specifications defined on $x_1, \ldots, x_n$. Constraints
$C(b_1, \ldots, b_k)$ are extended to the "unknown" value by simply assuming that
$C(b_1, \ldots, b_k)$ is satisfied as soon as at least one of the variables $b_1, \ldots, b_k$ is "unknown."
Each dependency is interpreted as specified in Table 1. Thus, together with the
Boolean constraints of the form $C(b_1, \ldots, b_k)$, they specify a subdomain of the
product domain $D^n$ of all possible states. The set of states satisfying these constraints
is denoted by $S$, and we call it a scheduling of $x_1, \ldots, x_n$. States in $S$ are written
$s, t, \ldots$ and the corresponding interpretations are denoted by $s_1, \ldots, s_n$ for short instead
of $s[x_1], \ldots, s[x_n]$, and similarly for $t$. The "totally unknown state,"
$$\forall i,\ s_i = ?, \tag{52}$$
is denoted by $s_?$.
Two states of $S$ are said to be neighbours if they differ in exactly one variable;
we call it their discriminating variable. We call a path in $S$ any finite sequence
$s(1), s(2), \ldots, s(K)$ of neighbouring states belonging to $S$.
For $s$ and $t$ two neighbouring states of $S$, we write $s \sqsubseteq t$ if their respective values
for their discriminating variable $x_i$ satisfy the relation $s_i \sqsubseteq t_i$ defined in (50). A path
$s(1), s(2), \ldots, s(K)$ such that $s(k) \sqsubseteq s(k+1)$ is called increasing.
A scheduling $S$ is called circuit-free if it is never true in $S$ that
$$x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \cdots x_{i_p} \xrightarrow{b_p} x_{i_1} \quad \text{and} \quad (b_1 \wedge \cdots \wedge b_p = t). \tag{53}$$
Theorem 4 (Circuit-Free Schedulings). A scheduling is circuit-free iff, for every
state $s \in S$ satisfying $\forall i : s_i \neq ?$, there is an increasing path linking $s_?$ to $s$.
The intuitive interpretation of this theorem is that, for an sts with a circuit-free
scheduling, it is possible to compute sequentially without deadlock all variables,
starting from the inputs. Each increasing path mentioned in Theorem 4 corresponds
to one possible sequential execution.
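To make condition (53) and Theorem 4 concrete, the following Python program, added here and not part of the article, encodes the domain $D$ of (49), the multivalued function of Table 1, the set $S$ of a scheduling and the increasing paths of Theorem 4, and then compares the two sides of the theorem on constructed schedulings. Assumptions of this illustration: a label is a single Boolean variable, or None for an unconditional dependency (labels such as $b \wedge h_u$ are left aside); following Lemmas 3 and 4, every labelled dependency $x \xrightarrow{b} y$ is completed by the unconditional dependency $b \to y$, as executable programs carry; Boolean constraints are given as a predicate together with the variables it involves, so that the "unknown" extension of the text can be applied; the values $\bot$ and $\top$ are spelled bot and top.

```python
from itertools import product

UNKNOWN, ABSENT, F, T, TOP = "?", "bot", "f", "t", "top"
BOOL_VALUES, OTHER_VALUES = (ABSENT, F, T), (ABSENT, TOP)

def table1_ok(x, b, y):
    """Table 1 for x --b--> y: with b unknown, y must be unknown; with b = t, y may
    not be known while x is; with b absent or false, y is unconstrained."""
    if b == UNKNOWN:
        return y == UNKNOWN
    if b == T:
        return not (x == UNKNOWN and y != UNKNOWN)
    return True

class Scheduling:
    """A scheduling S: Boolean and non-Boolean variables, labelled dependencies
    (x, b, y) with b a Boolean variable or None (unconditional), and constraints
    (variables, predicate) satisfied as soon as one of their variables is unknown."""
    def __init__(self, booleans, others, deps, constraints=()):
        self.booleans, self.others = list(booleans), list(others)
        self.vars = self.booleans + self.others
        # Lemmas 3 and 4 combined: the label of a branch precedes its extremity.
        self.deps = list(deps) + [(b, None, y) for (_, b, y) in deps if b is not None]
        self.constraints = list(constraints)

    def label(self, state, b):
        return T if b is None else state[b]

    def in_S(self, state):
        if not all(table1_ok(state[x], self.label(state, b), state[y])
                   for x, b, y in self.deps):
            return False
        return all(any(state[v] == UNKNOWN for v in vs) or pred(state)
                   for vs, pred in self.constraints)

    def known_states(self):
        """States of S in which every variable is known (s_i != ? for all i)."""
        domains = [BOOL_VALUES] * len(self.booleans) + [OTHER_VALUES] * len(self.others)
        for vals in product(*domains):
            s = dict(zip(self.vars, vals))
            if self.in_S(s):
                yield s

    def reachable(self, target):
        """Is there an increasing path from s_? to target inside S?  Every step
        sets exactly one unknown variable to its value in target."""
        start = {v: UNKNOWN for v in self.vars}
        seen, stack = {frozenset()}, [start]
        while stack:
            s = stack.pop()
            if s == target:
                return True
            for v in self.vars:
                if s[v] == UNKNOWN:
                    nxt = dict(s)
                    nxt[v] = target[v]
                    key = frozenset(k for k in self.vars if nxt[k] != UNKNOWN)
                    if key not in seen and self.in_S(nxt):
                        seen.add(key)
                        stack.append(nxt)
        return False

    def has_circuit(self, state):
        """(53) at a known state: a cycle of dependencies whose labels are all t."""
        edges = {v: set() for v in self.vars}
        for x, b, y in self.deps:
            if self.label(state, b) == T:
                edges[x].add(y)
        color = {v: 0 for v in self.vars}          # 0 unvisited, 1 on stack, 2 done
        def dfs(v):
            color[v] = 1
            for w in edges[v]:
                if color[w] == 1 or (color[w] == 0 and dfs(w)):
                    return True
            color[v] = 2
            return False
        return any(color[v] == 0 and dfs(v) for v in self.vars)

    def circuit_free(self):
        return not any(self.has_circuit(s) for s in self.known_states())

    def theorem4_agrees(self):
        """Theorem 4: circuit-free iff every known state of S is reachable from s_?."""
        all_reachable = all(self.reachable(s) for s in self.known_states())
        return self.circuit_free() == all_reachable

# Constructed: y = f(u, v) at clock h, i.e. (u, v) --h--> y with h a Boolean
# standing for the clock.  Circuit-free: h, then u and v, then y.
CHAIN = Scheduling(["h"], ["u", "v", "y"], deps=[("u", "h", "y"), ("v", "h", "y")])

# Constructed: mutual dependencies guarded by b and c.  Without a constraint the
# state b = c = t closes the circuit; with the constraint "b and c never both
# true" the scheduling is circuit-free although the dependency graph is cyclic.
def never_both(state):
    return not (state["b"] == T and state["c"] == T)

CYCLE_DEPS = [("x", "b", "y"), ("y", "c", "x")]
GUARDED_CYCLE = Scheduling(["b", "c"], ["x", "y"], deps=CYCLE_DEPS)
GUARDED_CYCLE_OK = Scheduling(["b", "c"], ["x", "y"], deps=CYCLE_DEPS,
                              constraints=[(("b", "c"), never_both)])
```

`reachable` follows the definition literally, exploring increasing paths inside $S$, while `has_circuit` tests (53) at a known state; `theorem4_agrees` checks that the two verdicts coincide on each constructed scheduling, including the guarded cycle, whose executability hinges on the Boolean constraint rather than on the shape of the graph.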
Proof. We first prove the "if" part by contradiction. Assume that (53) is violated
for some circuit $x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \cdots x_{i_p} \xrightarrow{b_p} x_{i_1}$; i.e., $b_1 \wedge \cdots \wedge b_p = t$ is possible
for this circuit in $S$. We want to deduce from this assumption that there are states
for which all variables are known, but there is no increasing path originating from
$s_?$ and terminating at the states in consideration. Without loss of generality, we can
restrict $S$ to those states for which
$$\forall i = 1, \ldots, p : [\,b_i = ?\ \text{or}\ b_i = t\,] \text{ holds;}\quad
\text{the set of such states is called } S_{(b_1 \wedge \cdots \wedge b_p = t)}. \tag{54}$$
By Table 1, condition $x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \cdots x_{i_p} \xrightarrow{b_p} x_{i_1}$ implies that, on
$S_{(b_1 \wedge \cdots \wedge b_p = t)}$, the following holds,
$$x_{i_1} \succcurlyeq x_{i_2} \succcurlyeq \cdots \succcurlyeq x_{i_p} \succcurlyeq x_{i_1},$$
where $x \succcurlyeq y$ means that $y$ is known only if $x$ is; thus the $x_{i_j}$'s are either all unknown,
or alternatively all known. Thus there is
no increasing path originating from $s_?$ and leading to any known state belonging
to $S_{(b_1 \wedge \cdots \wedge b_p = t)}$. This proves the "if" part.
Next, we prove the "only if" part, also by contradiction. Beforehand, we need a
lemma. Two states $s$ and $s'$ are said to be complementary if, for each variable $x$,
$$\text{either } s[x] = ? \text{ or } s'[x] = ?.$$
Two states $s$ and $s'$ are said to be compatible if, for each variable $x$,
$$\text{either } s[x] = ? \text{ or } s'[x] = ? \text{ or } s'[x] = s[x].$$
Complementary states are also compatible. For two compatible states $s$ and $s'$, we
define their sum $s \oplus s'$ by
$$(s \oplus s')[x] = \text{if } s[x] \neq ? \text{ then } s[x] \text{ else } s'[x].$$
Lemma 2 (Monotonicity). Let $t_0$ and $t_1$ be two neighbouring states belonging
to $S$, such that $t_0 \sqsubseteq t_1$. Let $t$ be a state such that
1. $t_1$ and $t$ are complementary,
2. $t_0 \oplus t \in S$,
3. there is an increasing path contained in $S$ originating from $t_0$ and terminating
in $t_0 \oplus t$, and
4. $t_1 \oplus t$ satisfies the Boolean constraints $C(b_1, \ldots, b_k)$ which contribute to the
definition of $S$.
Then $t_1 \oplus t \in S$ and there is an increasing path contained in $S$ originating from $t_1$
and terminating in $t_1 \oplus t$.
Proof. Note that $t_0 \oplus t$ is well defined, since $t_0$ and $t$ are also complementary.
Let $t_0 \to t_0 \oplus t$ denote the path referred to in item 3. Denote by $\tilde t$ the state such that
(1) $\tilde t$ and $t_0$ are complementary and (2) $t_1 = t_0 \oplus \tilde t$; such a state exists and is unique.
Denote by $t_0 \oplus \tilde t \to t_0 \oplus t \oplus \tilde t$ the increasing path obtained by complementing each
state belonging to path $t_0 \to t_0 \oplus t$ by $\tilde t$. This is possible since each intermediate
state of path $t_0 \to t_0 \oplus t$ and $\tilde t$ are complementary. We claim that
$$\text{path } t_0 \oplus \tilde t \to t_0 \oplus t \oplus \tilde t \text{ is contained in } S. \tag{55}$$
Clearly, claim (55) is equivalent to the conclusion of the lemma. To prove (55),
using item 4, we first note that each state belonging to path $t_0 \oplus \tilde t \to t_0 \oplus t \oplus \tilde t$
satisfies the Boolean constraints $C(b_1, \ldots, b_k)$ which contribute to the definition of
$S$. We thus only need to check that they also satisfy the dependencies contributing
to the definition of $S$, but the latter results from an inspection of Table 1. This
proves the lemma. ∎
We now return to the proof of Theorem 4 and proceed by steps.
1. Assume $\exists s^* \in S$ satisfying $\forall i : s^*_i \neq ?$, such that there is no increasing path
linking $s_?$ to $s^*$. Denote by $b_1, \ldots, b_p$ the Boolean variables such that $b_1 \wedge \cdots \wedge b_p =
t$ holds at state $s^*$. Denote by $\bar S$ the set of states $s \in S$ such that $s \sqsubseteq s^*$. We have
$s_? \in \bar S$ and $s^* \in \bar S$. States belonging to $\bar S$ are all compatible.
2. Let $s, s' \in \bar S$ be two states such that the increasing paths $s_? \to s$ and $s_? \to s'$ are
both contained in $\bar S$. Then we claim that
$$s'' = s \oplus s' \in \bar S, \text{ and there exists an increasing path contained in } \bar S,
\text{ originating from } s_? \text{ and terminating in } s''. \tag{56}$$
As all $s \in \bar S$ satisfy $s \sqsubseteq s^*$, they satisfy in particular the Boolean constraints
$b_1 \wedge \cdots \wedge b_p = t$. Thus we only need to verify the dependencies. There is a unique
state $s_0 \in \bar S$ such that (1) $s_0 \in [s_? \to s] \cap [s_? \to s']$, and (2) $[s_0 \to s] \cap [s_0 \to s'] =
\{s_0\}$, meaning that $s_0$ is the latest point at which the two considered paths deviate
from each other. Let $s_1$ be the neighbour state of $s_0$ belonging to path $[s_0 \to s']$.
Apply Lemma 2 with the following substitutions: $t_0 \leftarrow s_0$, $t_1 \leftarrow s_1$, $t \leftarrow \tilde s$ such that $s =
s_0 \oplus \tilde s$. We deduce that path $[s_? \to s \oplus s_1] \subseteq \bar S$. Then, let $s_2$ be the neighbour state
of $s_1$ belonging to path $[s_1 \to s']$; we can repeat the same argument. And we
proceed repeatedly in the same way until we prove the claim (56).
3. Consider the set of $s \in \bar S$ for which there exists an increasing path $[s_? \to s]
\subseteq \bar S$. From (56) we know that this set has a unique maximal element $s_{\max}$ for the partial
order $\sqsubseteq$. By hypothesis we have $s_{\max} \sqsubseteq s^*$, $s_{\max} \neq s^*$. Thus there are at least two
variables, denote them by $x$ and $x'$, such that $s_{\max}[x] = s_{\max}[x'] = ?$, but
$s[x] = s[x'] \neq ?$ for every $s \in \bar S \setminus [s_? \to s_{\max}]$. Hence, the following holds at each
state belonging to $\bar S$:
$$x \xrightarrow{b} x' \xrightarrow{b} x, \quad \text{where } b = b_1 \wedge \cdots \wedge b_p = t.$$
Hence the condition of circuit-freeness is violated on $\bar S$, and thus it can be
violated on $S$. This finishes the proof of Theorem 4. ∎
In the following, for $\Phi$ an sts with scheduling specifications, we shall consider
its associated scheduling
$$S_\Phi \tag{57}$$
which is obtained by keeping, from the set of predicates defining the transition
relation of $\Phi$,
1. the scheduling specifications, and
2. the assertions involving only Boolean variables and clocks,
and discarding the other ones.
5.3. Deriving Scheduling Specifications as Causality Constraints
In this subsection, we formally justify rules (21). The principles we follow for our
abstraction mechanism are given next:
(P-1) For $x$ not a Boolean variable, we abstract its domain $D_x$ as the
singleton $\{\top\}$, and then extend $\{\top\}$ with the additional values $\{?, \bot\}$.
(P-2) Within equations of the form "$y = \mathit{exp}$" or "if $b$ then $y = \mathit{exp}_1$ else
$y = \mathit{exp}_2$" we shall further abstract $y$ by mapping the set $\{\bot, f, t\}$ to the single
value $\mathsf{p}$ (known). Note the asymmetry of this abstraction principle: for the state-
ment "if $b$ then $y = x$," where $x, y$ are Booleans, we abstract $y$ but not $x$.
(P-3) Since we are interested in causality constraints, we only need to keep
track of configurations for which $y$ cannot be known; i.e., $y = ?$ is the only allowed
possibility. For other configurations, we weaken the constraint on $y$ to "$y$
unconstrained," which is depicted in the tables by an empty box.
We now proceed in deriving the scheduling associated to each primitive statement,
using (P-1) to (P-3). We use the notation $?, \bot$ to indicate that, for the considered
configuration, either $y = ?$ or $y = \bot$ holds, and similarly for other cases.
Lemma 3. The following holds:
$$x \xrightarrow{b} y \ \Rightarrow\ b \to h_y.$$
Proof. By inspection of Table 1.
Lemma 4. The following holds:
$$h_x \to x.$$
Proof. By inspection of the following tables (the first table relates $x$ to $h_x$, as
extended to unknown values):

    h_x :   ?       ⊥        t
    x   :   ?       ?, ⊥     ?, ⊤

abstracted as (using (P-2)):

    h_x :   ?       ⊥        t
    x   :   ?       ?, p     ?, p

which is equal to:

    h_x :   ?       ⊥        t
    x   :   ?

which turns out to be equivalent to $h_x \to x$ by Table 1.
Lemma 5. The following holds:
$$(f): \ \left\{ \begin{array}{l} y = f(u, v) \\ h_u = h_v = h_y \end{array} \right. \ \Rightarrow\ (u, v) \xrightarrow{h_y} y.$$
Proof. By inspection of Table 1 and of the following tables (* denotes a
prohibited value; rows are indexed by $v$, columns by $u$, and each entry gives the
possible values of $y$):

abstraction of (f), using (P-1):

    v \ u :   ?        ⊥        ⊤
      ?   :   ?        ?, ⊥     ?
      ⊥   :   ?, ⊥     ⊥        *
      ⊤   :   ?        *        ⊤

using (P-2):

    v \ u :   ?        ⊥        ⊤
      ?   :   ?        ?, p     ?
      ⊥   :   ?, p     p        *
      ⊤   :   ?        *        p

using (P-3):

    v \ u :   ?        ⊥        ⊤
      ?   :   ?                 ?
      ⊥   :
      ⊤   :   ?

which is equivalent to the formulas of the conclusion of the rule of Lemma 5.
Lemma 6. The following holds:
$$[\text{if } b \text{ then } x = u] \wedge [\text{if } b \text{ then } h_x = h_u] \ \Rightarrow\
\left\{ \begin{array}{l} u \xrightarrow{b \wedge h_u} x \\ b \xrightarrow{h_b \wedge h_u} h_x \\ h_u \xrightarrow{b \wedge h_u} h_x. \end{array} \right.$$
Proof. By inspection of Table 1 and of the following two tables. These tables
define the possible values of $x$ and $h_x$, respectively, for $[\text{if } b \text{ then } x = u] \wedge [\text{if } b
\text{ then } h_x = h_u]$ (rows are indexed by $b$):

    b \ u :   ?        ⊥        ⊤             b \ h_u :   ?        ⊥        t
      ?   :   ?        ?, ⊥     ?               ?     :   ?        ?, ⊥     ?
      ⊥   :   ?, ⊥     ?, ⊥     ?, ⊥            ⊥     :   ?, ⊥     ?, ⊥     ?, ⊥
      t   :   ?        ?, ⊥     ?, ⊤            t     :   ?        ?, ⊥     ?, t
      f   :   ?, ⊥     ?, ⊥     ?, ⊥            f     :   ?, ⊥     ?, ⊥     ?, ⊥

Applying Principles (P-2) and (P-3) then yields the formulas corresponding to the
conclusion of the rule of Lemma 6. Note the asymmetry between $x$ and $u$, while
statements $x = u$ and $u = x$ are clearly identical. This asymmetry is due to Principle
(P-2) for sts abstraction.
5.4. Correct Programs
In this subsection, we formally state and prove the result establishing the link
between circuit-freeness and executable sts.
Theorem 5 (Correct Programs). Let P be an sts satisfying the following
conditions:
1. For each statement of P, the scheduling specifications derived from applying
the rules of Lemmas 3, 4, 5, and 6 are also statements of P.
2. The scheduling $S_P$ (cf. (57)) defined by P is circuit-free.
3. There is no multiple definition of a variable, meaning that, whenever
$$\text{if } b_1 \text{ then } x = \mathit{exp}_1 \ \wedge\ \text{if } b_2 \text{ then } x = \mathit{exp}_2$$
is part of P, then $b_1 \wedge b_2 = t$ never holds.
Then:
1. As far as control is concerned, the inputs of P are the source nodes of the
dependency graph.
2. Input values are those variables which never occur on the left-hand side of
statements of the form "$x = \mathit{exp}$."
3. For each given input control history of P and compatible input value history,
there is exactly one run of P; i.e., P is deterministic.
Note. Clearly, Theorem 5 provides us with a sufficient condition; this condition
is not necessary. Furthermore, the rules for inferring scheduling specifications as
causality constraints are bound to the syntax, not to the semantics, of the program.
In particular, from the statement "if $b$ then $x = u$," we choose to infer the dependency
$u \xrightarrow{b \wedge h_u} x$ but not the symmetric one in which $x$ and $u$ are exchanged. This means
that, while P may not satisfy the assumptions of Theorem 5 for a given syntactic
form of P, it may satisfy them after a proper rewriting into a semantically equivalent
form. Here, semantic equivalence means identical runs when scheduling specifications
are discarded.
Proof. It is organized into several steps.
1. With the formula $x \xrightarrow{b} y$ we associate the following automaton:
Transitions are labelled with actions. Label "set $x$" indicates that variable $x$ is set
to an arbitrary value of its (extended) domain $D_x \cup \{\bot\}$. States are labelled with
those variables that are $?$, i.e., have not been set. This automaton is the most
permissive one with the following properties:
(a) states are valued with configurations of the triple $(x, b, y)$ that are
compatible with the scheduling constraint $x \xrightarrow{b} y$.
(b) Variables are set sequentially.
(c) All variables are eventually set.
Thus each path of this automaton specifies an evaluation scheme for the triple
$(x, b, y)$ which is compatible with the considered scheduling specification. Conversely,
any correct evaluation scheme for the triple $(x, b, y)$ can be specified in this way. We call
this automaton the execution automaton associated with scheduling specification
$x \xrightarrow{b} y$.
2. To each primitive statement we associate the conjunction of its causality
constraints and possible constraints involving clocks and Boolean variables, and we
take the product of the associated execution automata. The paths of the resulting
automaton specify all correct schedulings to evaluate the involved variables. We call
the resulting product automaton the execution automaton associated with the
considered primitive.
3. Then we take the product of the execution automata associated with each
statement. By Theorem 4 we know that, for each tuple of variables which satisfies
the specification, there is a path of the product automaton which originates from
its initial state and terminates at the final state in which all variables are set,
meaning that all variables of the considered tuple are sequentially set.
4. Finally, we refine the transition labels of the form "set $x$," etc., by assigning
to $x$, etc., the value specified by the program. As source nodes of the dependency
graph are set first, they appear as inputs of P for its control. Also, variables $u$ that
are set and do not occur on the left-hand side of any statement $u = \mathit{expression}$ must
be read from the environment: their values are inputs of the considered program P.
Finally, thanks to condition 3 of Theorem 5, actions of the form "set $x$," etc., are
refined into single writings. This finishes the proof of the theorem. ∎
We illustrate this technique on the following simple sts:
$$y = f(u, v) \ \wedge\ h_u = h_v = h_y =_{\mathrm{def}} h.$$
The causality constraint and the associated execution automaton are shown in the
corresponding figure (not reproduced here).
Clock $h$ is the activation clock. The refined execution automaton is obtained by
replacing set $u$ and set $v$ by read $u$ and read $v$, and set $y$ by the assignment $y := f(u, v)$.
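The refined execution automaton of this example can be run as a program. The Python code below is an added illustration, not code from the article or from the Signal-V4 compiler: it takes the dependencies that Lemmas 3 to 6 derive for the sts $y = f(u, v) \wedge h_u = h_v = h_y = h$, extended with one statement "if $b$ then $x = u$" of Lemma 6, applies Table 1 to decide which variable may be set next, and checks point 3 of Theorem 5 by following several paths of the automaton and comparing the runs. Assumptions of the illustration: a clock is represented by a Boolean (present = True), an absent value by None, $b$ has clock $h$ so that $h_b = h$ and $h_x = [b]$, and $f(u, v) = u + v$; the input history is constructed.

```python
import random

ABSENT = None   # an absent variable in a reaction (written "bot" in the text)

def conj(*names):
    """Label b1 ^ ... ^ bn of a dependency: unknown (None) until every bi has
    been set, then true iff every bi is true (a clock counts as true when present)."""
    def label(values):
        if any(n not in values for n in names):
            return None
        return all(values[n] is True for n in names)
    return label

class Program:
    """variables: name -> (clock or None, evaluator or None).  An evaluator of
    None means the value is read from the environment (an input); a clock of
    None means a master clock.  deps: (src, label, dst) for src --label--> dst."""
    def __init__(self, variables, deps):
        self.variables = dict(variables)
        self.deps = list(deps)

    def ready(self, y, values):
        """Row b = ? of Table 1 forbids setting y before its labels are known;
        row b = t forbids setting y before x."""
        for src, label, dst in self.deps:
            if dst != y:
                continue
            lbl = label(values)
            if lbl is None or (lbl and src not in values):
                return False
        return True

    def run_reaction(self, inputs, order=None):
        """One path of the refined execution automaton: set variables one at a
        time, choosing among the eligible ones by `order`."""
        order = order or list(self.variables)
        values = {}
        while len(values) < len(self.variables):
            eligible = [v for v in order if v not in values and self.ready(v, values)]
            if not eligible:
                raise RuntimeError("causality circuit: no variable can be set")
            y = eligible[0]
            clock, evaluator = self.variables[y]
            if clock is not None and values[clock] is not True:
                values[y] = ABSENT                  # clock absent: y is absent
            elif evaluator is None:
                values[y] = inputs[y]               # "read y" from the environment
            else:
                values[y] = evaluator(values)       # "y := expression"
        return values

# Constructed program: y = f(u, v) with h_u = h_v = h_y = h, and "if b then x = u"
# with b at clock h, so that h_b = h and h_x = [b].
EXAMPLE = Program(
    variables={
        "h": (None, None),                                   # activation clock, read from the environment
        "u": ("h", None), "v": ("h", None), "b": ("h", None),  # inputs at clock h
        "h_x": (None, lambda vals: vals["b"] is True),       # if b then h_x = h_u
        "y": ("h", lambda vals: vals["u"] + vals["v"]),       # f(u, v) := u + v
        "x": ("h_x", lambda vals: vals["u"]),                 # if b then x = u
    },
    deps=[
        # Lemma 4: the clock of a variable is set before the variable
        ("h", conj(), "u"), ("h", conj(), "v"), ("h", conj(), "b"), ("h", conj(), "y"),
        ("h_x", conj(), "x"),
        # Lemma 5: (u, v) --h_y--> y
        ("u", conj("h"), "y"), ("v", conj("h"), "y"),
        # Lemma 6: u --b^h_u--> x, b --h_b^h_u--> h_x, h_u --b^h_u--> h_x
        ("u", conj("b", "h"), "x"), ("b", conj("h"), "h_x"), ("h", conj("b", "h"), "h_x"),
        # Lemma 3: the label of a branch precedes the clock of its extremity
        ("b", conj(), "h_x"), ("h", conj(), "h_x"),
    ],
)

# Constructed input history: two activation instants, then a silent reaction.
HISTORY = [
    {"h": True, "u": 2, "v": 3, "b": True},
    {"h": True, "u": 5, "v": 1, "b": False},
    {"h": False},
]

def run(program, history):
    return [program.run_reaction(inputs) for inputs in history]

def deterministic(program, history, trials=20, seed=0):
    """Theorem 5, point 3: every path of the execution automaton (every way of
    picking among eligible variables) yields the same run."""
    rng = random.Random(seed)
    reference = run(program, history)
    names = list(program.variables)
    for _ in range(trials):
        order = names[:]
        rng.shuffle(order)
        if [program.run_reaction(i, order) for i in history] != reference:
            return False
    return True

if __name__ == "__main__":
    for reaction in run(EXAMPLE, HISTORY):
        print(reaction)
    print("deterministic:", deterministic(EXAMPLE, HISTORY))
```

Only `h`, `u`, `v` and `b` are ever read from the environment: `h` because it is a source node of the dependency graph, the other three because they occur on no left-hand side, which is points 1 and 2 of Theorem 5. A dependency cycle with all labels true would leave `eligible` empty and raise, which is the deadlock that circuit-freeness rules out.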
6. CONCLUSION
Our contribution can be summarized as follows:
• We have proposed sts with scheduling specifications as a paradigm for
causality analysis, sts abstraction, separate compilation, and reuse.
• We have characterized those sts for which asynchronous and synchronous
semantics are equivalent in some precise meaning.
We advocate system design methodology based on the synchronous paradigm,
possibly followed by a provably correct desynchronization. Advantages of this
approach are numerous, and they are listed below according to the different phases
of the design:
Specification. Designing within the synchronous paradigm allows the designer
to exploit the simplicity and elegance of compositionality of synchronous specifica-
tions. In addition, specification can be performed independently from the execution
architecture; therefore, upgrading an execution architecture does not require
redesigning the specifications.
Verification.
• In the synchronous paradigm, composition of specifications and composition
of properties are both performed by using the composition "‖" of sts. This
facilitates reasoning in general, and in particular compositional reasoning.
• For endo/isochronous sts, proofs based on the synchronous semantics carry
over without modification to asynchrony. For such systems, verifications can be
performed within the synchronous framework. This allows one to avoid the state explosion
resulting from the use of the asynchronous interleaving semantics.
Abstraction, Modularity, and Reuse.
• Scheduling specifications provide the adequate notion of abstraction for
separate compilation. They allow the designer to check the correctness of component
encapsulation at the system integration phase.
• sts with scheduling specifications can be composed using a proper generalization
of the composition "‖" of sts. Thus the advantages of compositionality naturally
extend to sts with scheduling specifications.
• The structuring of specifications into scheduler and tasks allows us to
define proper reusable modules. Of course, if assumptions are available on the
possible behaviours of the environment, then larger modules can be stored as object
code for further reuse.
gals Network. The elegant feature is that isochrony is a local property within
a network of components. As isochrony is compositional, adding a new component
$\Phi_{\mathrm{new}}$ to a preexisting gals network $(\Phi_i)_{i=1,\ldots,n}$ while preserving its gals nature
only requires one to check whether the pairs $(\Phi_{\mathrm{new}}, \Phi_i)$ are isochronous, for each $\Phi_i$
having direct communication with $\Phi_{\mathrm{new}}$ in the extended network. Thus gals
designs can be built compositionally, and it is not necessary to desynchronize at
once the whole synchronous design.
Thanks to the outcomes of the SACRES project, the above approach is supported
by the Signal-V4 language [11] and by the DC+ common format for synchronous
languages (Sacres Consortium, 1996). Signal-V4 and the DC+ format are both
concrete implementations of our sts model; this includes scheduling specifications,
which are available as primitive statements in both formalisms.
In particular, the 1999 release of Sildex (TNI, 1999) [12] implements distributed
code generation based on the approach presented in this paper. The primary target
architectures are POSIX-compliant real-time operating systems.
The new Signal-V4 compiler developed at Inria implements the whole methodology,
including separate compilation. Services for architecture generation are also provided,
using our notion of abstraction.
Research perspectives. Further work is needed to show that the above principles
are viable for generating architectures built up from preexisting C/C++/Java/...
modules. Then, not all communication media or operating systems provide services
satisfying the requirements of our theory of desynchronization, namely, no loss of
messages and first-in/first-out semantics for each individual channel. Additional
work is needed for getting a full implementation on each different type of distributed
architecture; this can be very easy (writing a few generic drivers, e.g., for
POSIX), or can be more demanding when adequate services are not provided by
the architecture, and thus need to be emulated.
ACKNOWLEDGMENTS
The authors are gratefully indebted to Michael Siegel for a thorough reading and detailed comments,
and in particular the discovery of several inconsistencies in an earlier version of this manuscript in the
formal study of causality.
Received November 28, 1997; final manuscript received August 31, 1999; published online October 20, 2000
REFERENCES
Aalbersberg, IJ. J., and Rozenberg, G. (1988), Theory of traces, Theoret. Comput. Sci. 60, 1–82.
Alur, R., and Henzinger, T. A. (1996), Reactive modules, in "Proceedings 11th IEEE Symposium on Logic in Computer Science (LICS)," pp. 207–218, extended version submitted for publication.
¹¹ Loïc Besnard and other members of the EP-ATR team at IRISA are gratefully acknowledged for the development of this environment.
¹² The Sildex tool is a commercial tool for reactive systems design based on the Signal language. It is marketed by TNI, Brest, France.
Amagbegnon, T. P., Besnard, L., and Le Guernic, P. (June 1994), "Arborescent Canonical Form of Boolean Expressions," Inria Research Report 2290.
Amagbegnon, T. P., Besnard, L., and Le Guernic, P. (1995), Implementation of the dataflow language Signal, in "Programming Languages Design and Implementation," pp. 163–173, Assoc. Comput. Mach., New York.
Aubry, P. (1997), "Mises en œuvre distribuées de programmes synchrones" [Distributed implementations of synchronous programs], Ph.D. thesis, Univ. Rennes I.
Benveniste, A., and Le Guernic, P. (1990), Hybrid dynamical systems theory and the Signal language, IEEE Trans. Automat. Control 35, No. 5, 535–546.
Benveniste, A., and Berry, G. (1991), Real-time systems design and programming, in "Another Look at Real-Time Programming," special section of Proceedings of the IEEE, Vol. 79, No. 9, pp. 1270–1282, IEEE, New York.
Benveniste, A., Le Guernic, P., and Jacquemot, C. (1991), Synchronous programming with events and relations: The SIGNAL language and its semantics, Sci. Comput. Programming 16, 103–149.
Benveniste, A., Le Guernic, P., Sorel, Y., and Sorine, M. (1992), A denotational theory of synchronous communicating systems, Inform. and Comput. 99, 192–230.
Benveniste, A., Caspi, P., Halbwachs, N., and Le Guernic, P. (1994), Data-flow synchronous languages, in "A Decade of Concurrency, Reflexions and Perspectives, REX School/Symposium," Lecture Notes in Computer Science, Vol. 803, pp. 1–45, Springer-Verlag, Berlin/New York.
Berry, G. (1989), Real time programming: Special purpose or general purpose languages, in "IFIP World Computer Congress, San Francisco."
Berry, G. (Dec. 1995), "The Constructive Semantics of Esterel," draft book, http://www.inria.fr/meije/esterel.
Berry, G., and Sentovich, E. M. (Nov. 1998), An implementation of constructive synchronous programs in POLIS, manuscript.
Caillaud, B., Caspi, P., Giraud, A., and Jard, C. (1997), Distributing automata for asynchronous networks of processors, Eur. J. Automat. Systems (JESA) 31, No. 3, 503–524.
Caspi, P. (1992), Clocks in dataflow languages, Theoret. Comput. Sci. 94, 125–140.
Clerbout, M., and Latteux, M. (1987), Semicommutations, Inform. and Comput. 73, 59–74.
de Roever, W.-P., Langmaack, H., and Pnueli, A. (1998), Compositionality: The significant difference, in "Proceedings International Symposium COMPOS'97, Bad Malente, Germany," Lecture Notes in Computer Science, Vol. 1536, Springer-Verlag, Berlin/New York.
Le Guernic, P., and Gautier, T. (1991), Dataflow to von Neumann: The Signal approach, in "Advanced Topics in Dataflow Computing" (L. Bic and J.-L. Gaudiot, Eds.), pp. 413–438, Prentice-Hall, New York.
Halbwachs, N. (1993), "Synchronous Programming of Reactive Systems," Kluwer Academic, Dordrecht/Norwell, MA.
Lamport, L. (1983), Specifying concurrent program modules, ACM Trans. Programm. Languages Systems 5, No. 2, 190–222.
Lamport, L. (1983), What good is temporal logic?, in "Proceedings, IFIP 9th World Congress" (R. E. A. Mason, Ed.), pp. 657–668, North-Holland, Amsterdam.
Le Guernic, P., Gautier, T., Le Borgne, M., and Le Maire, C. (1991), Programming real-time applications with Signal, in "Another Look at Real-Time Programming," special section of Proceedings of the IEEE, Vol. 79, No. 9, pp. 1321–1336, IEEE, New York.
Maffeis, O., and Le Guernic, P. (1994), Distributed implementation of Signal: Scheduling and graph clustering, in "3rd International School and Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems," Lecture Notes in Computer Science, Vol. 863, pp. 149–169, Springer-Verlag, Berlin/New York.
Manna, Z., and Pnueli, A. (1992), "The Temporal Logic of Reactive and Concurrent Systems: Specification," Springer-Verlag, New York.
Manna, Z., and Pnueli, A. (1995), "The Temporal Logic of Reactive and Concurrent Systems: Safety," Springer-Verlag, New York.
Sacres Consortium (May 1996), "The Declarative Code DC+, Version 1.2," Esprit project EP 20897: Sacres, see http://www.tni.fr/sacres.
Sorel, Y., and Lavarenne, C., "SynDEx v4.2 User Guide," http://www-rocq.inria.fr/syndex.articles/doc/docSynDEx42.html.
Sorel, Y. (Sept. 1996), Real-time embedded image processing applications using the A3 methodology, in "Proceedings IEEE International Conference on Image Processing, Lausanne."
TNI (1999), Sildex tool; see http://www.tni.fr/indexgb.htm.
