Distributed, modular HTL by Henzinger, Thomas A et al.
1Distributed, Modular HTL∗
Thomas A. Henzinger Christoph M. Kirsch
EPFL and IST Austria University of Salzburg
tah@ist.ac.at ck@cs.uni-salzburg.at
Eduardo R. B. Marques Ana Sokolova
University of Porto University of Salzburg
edrdo@dcc.fc.up.pt anas@cs.uni-salzburg.at
Abstract—The Hierarchical Timing Language (HTL) is a real-
time coordination language for distributed control systems. HTL
programs must be checked for well-formedness, race freedom,
transmission safety (schedulability of inter-host communication),
and time safety (schedulability of host computation). We present
a modular abstract syntax and semantics for HTL, modular
checks of well-formedness, race freedom, and transmission safety,
and modular code distribution. Our contributions here com-
plement previous results on HTL time safety and modular
code generation. Modularity in HTL can be utilized in easy
program composition as well as fast program analysis and
code generation, but also in so-called runtime patching, where
program components may be modified at runtime.
I. INTRODUCTION
The Hierarchical Timing Language (HTL) [1] is a real-time
coordination language for distributed control systems.
HTL essentially consists of four building blocks called
program, module, mode, and task. An HTL program is a
hierarchical, tree-like structure whose root node must be a
program block. The immediate successors of a program block
can be any number of module blocks, which are executed in
parallel. The immediate successors of a module block can be
any number of mode blocks, with one mode identified as start
mode and some mode switching logic. During execution only
one mode per module can be active at any time. The immediate
successors of a mode block can be a (refinement) program
block and any number of task blocks, which are executed
periodically in parallel. Non-concurrent, concrete tasks (with
implementations) in a refinement program refine a single
abstract task (without implementation) which is to be under-
stood as a placeholder for schedulability. Upon invocation, the
implementation of a concrete task, which is written in some
language other than HTL, such as C, for example, computes
new output from its input. Task input may come from output
of other tasks running either in the same mode, implicitly
creating a task precedence relation, or in other modules,
with possibly different periods, but only through so-called
∗Supported by the EU ArtistDesign Network of Excellence on Embedded
Systems Design, the EU project COMBEST, the Austrian Science Funds
P18913-N15 and V00125, and Fundac¸a˜o para a Cieˆncia e Tecnologia funds
SFRH/BD/29461/2006 and PTDC/EIA/71462/2006.
communicators, which are periodically updated program-wide
variables with their own periods independent of any task
periods. The execution of HTL programs on multiple hosts
may be distributed at the level of modules with all inter-
host communication done through communicators. Duplicates
of the same module may execute on multiple hosts for fault
tolerance [2].
HTL programs must be checked for well-formedness (of
syntax), race freedom (of communicator updates), transmis-
sion safety (schedulability of inter-host communication), and
time safety (schedulability of host computation). An optional
check of reliability of communicator updates on unreliable
hardware [2] may also be performed but is not considered here.
The key feature of HTL is that the race-free, transmission-
safe, and time-safe execution of well-formed programs is
time-deterministic, that is, the computed values and update
times of communicators are input-determined and therefore
predictable [1].
In this paper, we present (1) a modular abstract syntax and
semantics for HTL, (2) modular checks of well-formedness,
race freedom, and transmission safety, and (3) modular code
distribution. The key to (3) is the modular transmission
safety check, ensuring that each communicator value can
be communicated within a single communicator period. The
original definition of HTL does not provide (1)–(3). Only time
safety checking of refinement programs [1] and HTL code
generation [3] has already been done modularly. The key result
of refinement in HTL is that well-formed concrete programs
that refine time-safe abstract programs are also time-safe [1].
Our contributions here complete the distributed and modular
design of HTL, except for time safety checking of top-level
programs (for which there are no abstractions), which remains
non-modular.
Modularity in HTL is important for design scalability (pro-
gram composition, analysis, and code generation) but also
enables efficient program modifications at runtime, called
runtime patching, while maintaining predictable behavior [4].
Runtime patching is a semantically well-defined method to
modify program components at runtime, and may eventually
be used as software foundation for addressing uncertainty in
control systems.
2We first introduce HTL informally by example in Section II.
We then discuss HTL compilation and runtime patching in
Section III. The modular abstract syntax and semantics for
HTL are defined in Section IV, followed by a detailed discus-
sion of modularity in HTL in Section V. Some related work
is pointed out in Section VI. The conclusion is in Section VII.
II. OVERVIEW OF HTL
A. An HTL example application
Figure 1 illustrates a three-tank system (3TS) [5] consisting
of three tanks, Tank1, Tank2, and Tank3, with respective evac-
uation taps Tap1, Tap2, and Tap3, and tank inter-connecting
taps Tap1,3 and Tap2,3. Two pumps Pump1 and Pump2 actuate
on the system by controlling the flow of water into Tank1
and Tank2. The aim is to maintain the water level in the
tanks both in the normal case with no perturbations (no water
leaves the tanks through the tanks’ taps) and in the case of
perturbations (water leaks). To control the pumps, a propor-
tional (P) controller is used in the absence of perturbations,
and two proportional-integrative (PI) controllers are used when
there are perturbations, one with slow integration speed for an
estimated low control error, the other with faster integration
speed. All the controllers work with a frequency of 2Hz.
Fig. 1. Three-tank system [5]
Fig. 2. HTL 3TS controller [3]
To control this system, an HTL program has been im-
plemented [3] running on three hosts with its high-level
structure shown in Figure 2. Two hosts have direct access
to the two pumps, respectively. The remaining host serves
as a monitoring interface to an operator. The HTL top-
level program 3TSController consists of three concurrently
running modules Pump1, Monitor, and Pump2, each mapped
to one of the mentioned hosts. Each module is organized in
modes, which describe switchable configurations of operation
in the module, with each mode defining the invocation of a
set of real-time task invocations over a time period, some of
which can be abstract placeholders for hierarchical refinement.
In the example, the pump control modules Pump1 and Pump2
are symmetrical in structure. Each has a single mode that is
further refined into a program with a single module, switching
between modes of P-control and PI-control according to tap
perturbations. The PI mode is further refined by a program
that defines the “slow”-PI and “fast”-PI control modes.
Figure 3 illustrates a possible execution of 3TSController.
The control starts without water-level perturbations in the
system, and modes P1 and P2 remain active for some time.
Due to a perturbation in the water level of the first tank, there
is a mode switch to mode PI1 within Ref11 at time 1, and,
by refinement, program Ref12 and mode Slow1 within Ref12
become active. Later, at time 2, due to a high control error,
there is a mode switch from Slow1 to Fast1 within Ref12.
A similar behavior of the controller of the second tank can
be observed, with perturbations making Ref21/PI2 become
active at time 1.5, and Slow2 switching to Fast2 within
Ref22 at time 3. As perturbations in the first tank decrease,
there is a mode switch from Fast1 to Slow1 at time 3.5, and
at higher level, from mode PI1 to P1 at time 4.5.
Fig. 3. Sample 3TSController execution
B. HTL programs, components, and blocks
An HTL program is a tree-like structure of HTL blocks
(program, module, mode, task), where the root node is a
program block. A component of an HTL program is a subtree
of the program. We now describe in more detail the four HTL
blocks, and in addition, explain the hierarchical refinement
relation, discuss the advantage of hierarchical programs over
flat programs, and present the definition of a platform on which
an HTL program executes.
Task. A task T in HTL, depicted in Figure 4, is defined by
a sequential code procedure f without internal synchronization
and with isolated memory space, and sets In, Out, and Priv
of input, output, and private persistent variables called ports.
Each port p is characterized by a set Type(p), defining the
domain of p, and an initial value init(p) ∈ Type(p) that is
undefined (equals⊥) for non-private ports. The code procedure
f is implemented in an external language (e.g. C or Java), and
its flow of execution comprises an assignment of the task’s
input ports (In) and the actual execution of the procedure code
that, upon completion, produces values written to the task’s
output ports (Out) and updates the task’s private ports (Priv).
The private ports enable storing state across task invocations.
This task scheme resembles port-based objects [6].
3Fig. 4. An HTL task
The HTL task model is a generalization of the Giotto task
model [7], based on the notion of logical execution time (LET)
of tasks, which is defined by release and termination events.
The release time is the latest of logical times for task inputs
to become available and the termination time is the earliest
of logical times when task outputs may be made available.
The LET of a task defines a logical, platform-independent
interval for execution of the task’s code procedure. All task
inputs and outputs can be understood as logically available
at the release and termination time, respectively. In an actual
execution on a concrete platform, the task procedure may start
later than the release event, or complete before the termination
event, and be preempted any number of times (if preemption is
supported by the platform), as illustrated in Figure 5. The key
property of the LET model is that the functional aspects and
some key non-functional aspects of programs such as I/O and
memory management are preserved across different platforms
and workloads as long as there are sufficient computational
resources [8], [7], [9].
Fig. 5. Logical and physical execution of a task in HTL [1]
A task in HTL is invoked periodically on the timeline. It
gets its inputs (resp. produces outputs) from (for) other tasks
ports that run in the same period, or from (to) variables called
communicators. Figure 6 illustrates the invocation of a task
that interfaces with three communicators and other tasks. The
inputs and outputs fed from and to other tasks ports define task
precedences. A communicator c is specified by a period Π(c),
a set Type(c) that defines the domain of c, and an initial value
init(c) ∈ Type(c). Communicators can be read or written
periodically according to their own periods, and provide means
for tasks invoked with different periods to communicate, or
an interface with the external runtime environment. A task
invocation can read or write a communicator at logical times
that fall within the task’s invocation period, and match (are
divisible by) the communicator’s own period. Communicators
and ports are not detailed in Figure 2 for the 3TS example,
but also there they provide the communication mechanism for
task interaction and interaction with the external environment
(eg. water-level sensor readings or pump actuation are defined
through communicators).
Mode. A mode m in HTL specifies the invocation of
a set of tasks, Tasks, in a period of time ∆, the mode
period. The invocation of each task in a mode is completely
defined by acyclic task precedences and read/write access to
Fig. 6. A task invocation
communicators. The task invocations are established by the
mode task invocation relation Inv composed of elements of
the form (p, p′) defining a dependency between an output port
p of a task T in Tasks and an input port p′ of a task T ′ also in
Tasks, and of elements (p, c, t) defining a communicator read
(resp. write) from (to) communicator c to input (from output)
port p at time t ∈ [0,∆] which is a factor of the communicator
period. A mode can additionally be refined by a program, as
we have already mentioned and will discuss in more detail
below.
Figure 7 depicts an example mode with period ∆ = 10 and
task set Tasks = {T1, T2, T3, T4}. We present some details on
the task invocation relation for T1 and T2 involving the ports
p1 to p7 and communicators c1, c2, and c3 with periods 1, 2,
and 5, respectively. This example also illustrates that the LET
of a task is affected both by communicator access and task
dependencies: the logical termination time of T1 is no later
than the logical termination of T2 since there is a dependency
from T1 to T2, and for the same reason, the logical release
time of T4 is not earlier than the release time of T3.
Fig. 7. Mode example
Module. A module M in HTL consists of a set of modes,
Modes, a starting mode start in Modes, a mode switching
function switch, and a set of ports, Ports, defining the
scope for the ports of tasks in Modes. The execution of M
corresponds to an execution of its modes in a sequence,
starting with start, with mode switching taking place at
the end of the active mode’s period by the evaluation of
switch. The mode switching function decides the next mode
to execute, considering the last active mode and the current
values of ports and communicators accessed by tasks in the
scope of the module. Modules declared at the top level can
have modes with distinct periods that are harmonic with the
communicator periods accessed by any mode in the module.
4Figure 8 illustrates the structure and a possible execution of
an example module M , with 3 modes, m1, m2, and m3 with
periods 2, 4, and 3, respectively, with m1 being the starting
mode of M .
Fig. 8. A module with different mode periods
Program. A program P in HTL consists of a set of
modules, Modules. If a program P is a top-level program, then
it also has a set of communicators, Comms. The modules in a
program execute concurrently, as illustrated in Figure 3 for the
3TS system, interacting through the program’s communicators.
Hierarchical refinement. Hierarchical refinement is en-
abled if a subset of the tasks of a mode are declared as
abstract. Abstract tasks in a mode have no associated code
procedure, but are instantiated by other (concrete or abstract)
refinement tasks in the mode’s refinement program. A mode m
with abstract task set ATasks must have a defined refinement
program RefP such that the implementation of tasks in ATasks
is partitioned across the modules of RefP. The other basic
syntactic constraints in task refinement require that the LET
of a refinement task R must be larger than that of the abstract
task A it refines, as illustrated by Figure 9. This means that the
refinement task is less constrained in its execution, and in that
sense the abstract task is a convenient conservative abstraction
for the refinement task.
Fig. 9. LET refinement constraint
Hierarchical vs. flat programs. Hierarchical refinement
does not add expressiveness to HTL, as it is possible to “flat-
ten” any hierarchical program into a “flat” program without
refinement. Hierarchical refinement does however offer the
flexibility of hierarchical encapsulation, which in turn can
leverage the effort in compiling a program. In general, even
beyond HTL, the flat version of a hierarchical program is
typically larger and takes more effort to analyze, eventually
leading to state-space explosion during compilation. Also, in
general, flattening a program may be an unfeasible option if
components are “black boxes” with only known “public inter-
face” (see e.g. [10]), or the internal behavior of components is
too heterogeneous, requiring an agreed interface to compose
them together (see e.g. [11]).
In Figure 10 we depict the structure of a flat HTL program
equivalent to the hierarchical 3TS controller of Figure 2,
illustrating some issues concerning flat vs. hierarchical pro-
grams. The flat program contains “flat modes”, accounting
Fig. 10. Flat 3TS controller
for all possible combinations of modes in the refinement
level. Furthermore, “flatness” may turn into “fatness” for
each flattened component: an abstract mode like Mode1 in
Figure 2 contains abstract tasks but also concrete tasks, so
in that case its concrete functionality needs to be repeated
three times in the flat program. Finally, and crucially, the
program becomes harder to check at the top level, as the
number of possible combinations of concurrent top-level mode
invocations grows exponentially. We have only one possi-
ble top-level combination in the hierarchical 3TS controller
(Mode1/Mode2/Monitor), in contrast to nine combinations in
the flat program.
C. HTL platform characterization
An HTL program, by definition, does not include a descrip-
tion of the platform on which it executes. The platform defini-
tion is encoded separately, or conveyed through programmer
annotations.
A platform for the execution of an HTL program P is
defined by: (1) A set of hosts, Hosts, each with a uniprocessor
maintaining a mirror image of the values of all communicators,
employing a preemptive EDF scheduling policy, and commu-
nicating over a reliable, time-synchronized broadcast network.
(2) A distribution dmap : Modules(P ) → Hosts mapping
modules of P to hosts in the platform. Each concrete task
T , declared in some module M ∈ Modules(P ), runs on host
dmap(M). (3) A WCET mapping wcet : Tasks(P ) → Q>0
indicating the WCET estimate for all abstract or concrete tasks
declared in P . The WCET is a bound on the execution of a task
procedure in the absence of any concurrency. If T is an abstract
task, then wcet(T ) should be understood as an abstract anno-
tation for the upper bound on the WCET for any refinements of
T . (4) A WCTT mapping wctt : Comms(P )→ Q>0. For each
communicator c, wctt(c) is a bound on the worst-case time
the network needs to transmit a single communicator datum,
in the absence of concurrency.
This characterization of platform differs in the formulation
of the WCTTs from the original characterization [1]. The
difference is that WCTTs are characterized here as raw time
needed to transmit a datum, in the absence of concurrency,
rather than in the presence of worst-case concurrency. Instead
of abstracting the complete network with a worst-case charac-
terization, we consider it here in a form that allows modular
transmission safety checking and modular code distribution.
5III. COMPILATION AND RUNTIME PATCHING
The desired key property of HTL programs is time-
determinism, meaning that their functional and temporal be-
havior is repeatable, i.e., for every timed sequence of inputs
there is a unique timed sequence of outputs. HTL compilation
is the process of checking whether an HTL program is time-
deterministic on a given, possibly distributed target platform,
and of generating code that runs on that platform. HTL
runtime patching is the process of modifying components of an
HTL program at runtime using HTL compilation to re-check
correctness and re-generate code.
A. HTL compilation
Fig. 11. HTL compilation stages
HTL compilation can be seen as proceeding in stages
to check if a program is time-deterministic, as illustrated
in Figure 11, before generating code. First, any program
specification needs to be checked for well-formedness with
respect to the syntactic constraints of the language. Then, race
freedom must be established, meaning that no communicator
is assigned different values at the same time. The existence
of a race clearly leads to non-determinism. Along with race
freedom, time safety must also be checked, in the traditional
sense of real-time systems, meaning that the computation of
a program on each host of the platform is schedulable, taking
into account the mapping of modules to hosts and the WCET
of tasks. For distributed platforms, a transmission safety check
is also necessary, verifying that there exists a schedule for the
networked communication between different hosts, based on
the WCTT of communicators. In particular, the check verifies
that race-free communicator updates can be broadcast during
the respective communicators’ periods before the update. Time
and transmission safety are checked independently, in contrast
to [1], by requiring tasks to complete so that their outputs are
available at least one communicator period early.
Well-formed, race-free, time-safe, and transmission-safe
programs are time-deterministic [1]. Code generation starts
after checking these properties. There is a non-modular, flat-
tening HTL compiler generating code that may be expo-
nentially larger than the input program [1], and a modular,
hierarchy-preserving HTL compiler [3] generating code that is
linear in the size of the input program. The modular compiler
can also compile HTL programs on the level of individual
components. Below top level, the modular compiler can even
check time-determinism and generate code incrementally by
only considering a limited context of the component or even no
context at all. Section V introduces a framework to quantify
the degree of compositionality in modular compilation and
applies the framework to HTL.
B. HTL runtime patching
Modular and incremental compilation in particular is not
just a prerequisite for scalable software development but may
also lead to interesting applications at runtime. Uncertainty
in control systems, for example, makes it difficult if not
impossible to design control software at compile time that is
able to address infinitely many environment states at runtime.
Run-time code modifications provide a way to accomplish
this. However, semantics and efficiency of code modifications
at runtime requires a robust foundation. Runtime patching is
the process of modifying code incrementally (for efficiency)
at runtime such that the resulting system behavior could be
reproduced (for semantics) by a program containing complete
copies of the unpatched and the patched program, switching
from the unpatched to the patched copy at the time of the
patch [4]. Therefore, the semantics of the language in which
the patched programs are written also defines the semantics of
code modifications through runtime patching.
Runtime patching can be applied to HTL programs using
mode switching as a means to express the switch from un-
patched to patched versions. HTL components can be patched
at runtime as long as there exists a time-deterministic HTL
program that can mimick the patch through mode switch-
ing. Sufficient conditions for runtime patching cold (non-
executing) and even hot (executing) HTL components have
been discussed elsewhere [4]. An implementation of HTL
runtime patching is future work. The modularity framework
and analysis presented in this paper provide a foundation for
it.
IV. MODULAR SYNTAX AND SEMANTICS
〈Top Program〉 → Comms : 〈Communicator〉+ ,
〈Program〉Comms,∅ .
〈Program〉Comms,Ports → P : Name ,
Modules : 〈Module〉+Comms,Ports .
〈Communicator〉 → c : Name ,
Type : Type ,
init : Type,
Π : Q>0 .
〈Module〉Comms,Ports0 → M : Name ,
Ports : 〈Ports〉+ ,
Modes : 〈Mode〉+Comms,Ports0∪Ports ,
start : Modes,
switch : ModesModes×V(Comms∪Ports) .
〈Port〉 → p : Name ,
Type : Type ,
init : Type .
〈Mode〉Comms,Ports → m : Name ,
∆ : Q>0 ,
Tasks : 〈Task〉+Ports ,
Inv ⊆ (Ports× Ports) ∪ (Ports× Comms× Q≥0) ,
RefP : 〈Program〉Comms,Ports | ⊥ .
〈Task〉Ports → T : Name ,
In ⊆ Ports,
Out ⊆ Ports,
Priv ⊆ Ports,
f : V(Out ∪ Priv)V(In∪Priv) | ⊥.
Fig. 12. HTL abstract syntax grammar
A. Syntax
HTL programs are formally defined via an abstract syn-
tax [1], which is implemented by compilers in a textual or
6Top level semantics
s0 = (0, v0(P ), invoke(P, 0))
(INIT)
E = {complete, write, switch, read, time}
s
complete
=⇒• s1
write
=⇒• s2
switch
=⇒• s3
read
=⇒• s4 time=⇒ s′
s −→ s′ (TOP)
e ∈ E \ {time} s e=⇒
l1
s1
e
=⇒
l2
...
e
=⇒
ln
sn
e
6=⇒
·
·
n ≥ 0 ∀i, li = ε ∨ ∀i 6= j, li 6= lj
s
e
=⇒• sn
(MICRO)
Invocation and transitions for program (P, Modules)
invoke(P, t) = {〈M, invoke(M, t)〉 |M ∈ Modules}
e ∈ E \ {time} 〈M,AM 〉 ∈ A (t, v, AM ) e=⇒
l
(t, v′, A′M )
(t, v, A)
e
=⇒
l
(t, v′, (A \ {〈M,AM 〉}) ∪ {〈M,A′M 〉})
(COMP1)
∀〈M,AM 〉 ∈ A, (t, v, AM ) time=⇒ (t′, v, AM )
(t, v, A)
time
=⇒ (t′, v, A)
(TIME1)
Invocation and transitions for a module (M, Ports, Modes, start, switch)
(PrivPorts = {p ∈ Priv(T ) | T ∈ Tasks(m) ∧m ∈ Modes})
invoke(M, t) = 〈start, invoke(start, t)〉
e ∈ E \ {switch} A = 〈m,Am〉 (t, v, Am) e=⇒
l
(t′, v′, Am)
(t, v, A)
e
=⇒
l
(t′, v′, A)
(COMP2)
(t, v, Am)
switch
=⇒ (t, v′, A′m)
mnew = switch(m, v(Comms ∪ Ports))
(mnew = m ∧ Anew = A′m) ∨ Anew = invoke(mnew, t)
(t, v, 〈m,Am〉) switch=⇒ (t, [Ports \ PrivPorts := ⊥] v′, 〈mnew, Anew〉)
(SWITCH1)
Invocation and transitions for a mode (m,∆, Tasks, Inv, RefP)
(CTasks = {T ∈ Tasks | f(T ) 6= ⊥})
invoke(m, t) =
{ 〈t,⊥〉 , RefP = ⊥
〈t, invoke(RefP, t)〉 , RefP 6= ⊥
e ∈ E \ {switch, time} (t, v, Ar) e=⇒
l
(t, v′, Ar)
(t, v, 〈a,Ar〉) e=⇒
l
(t, v′, 〈a,Ar〉)
(REFINE)
(RefP = A′r = ⊥) ∨ (t, v, Ar)
switch
=⇒ (t, v, A′r)
(t, v, 〈t−∆, Ar〉) switch=⇒ (t, v, 〈t, A′r〉)
(SWITCH2)
t < t′ ≤ a+ min>t−a{δ | (p, · , δ) ∈ Inv ∨ δ = ∆}
A = 〈a,Ar〉 RefP = ⊥ ∨ (t, v, Ar) time=⇒ (t′, v, Ar)
(t, v, A)
time
=⇒ (t′, v, A)
(TIME2)
A = (a, · ) ∀p ∈ In(T ), v(p) 6= ⊥
T ∈ CTasks t− a ≤ Termination(T )
v′ = [Out(T ) ∪ Priv(T ) := f(T )(v(Priv(T ) ∪ In(T ))] v
(t, v, A)
complete
=⇒
T
(t, v′, A)
(COMPLETE1)
A = (a, · ) ∀p ∈ In(T ), v(p) 6= ⊥
T ∈ CTasks t− a < Termination(T )
(t, v, A)
complete
=⇒
T
(t, v, A)
(COMPLETE2)
(p, p′) ∈ Inv v(p) 6= ⊥ v(p′) = ⊥
(t, v, A)
read
=⇒ (t, [p′ := v(p)] v,A)
(DEP)
A = (a, · ) (c, p, t− a) ∈ Inv
p ∈ In(T ) v(p) = ⊥ T ∈ CTasks
(t, v, A)
read
=⇒ (t, [p := v(c)] v,A)
(READ)
A = (a, · ) (c, p, t− a) ∈ Inv
p ∈ Out(T ) v(p) 6= ⊥ T ∈ CTasks
(t, v, A)
write
=⇒
p,c
(t, [c := v(p)] v,A)
(WRITE)
Fig. 13. HTL semantics
visual representation [8], [12]. Figure 12 depicts the abstract
syntax in grammar-like notation, defining the various blocks
and the scope of ports and communicators within a program.
In the syntax presentation we use the symbol + as in regular
expressions, for the set of non-empty sequences of elements in
a given set. In addition to the syntax rules (and simple scope
and naming constraints detailed in [1]), a well-formed HTL
program must conform to a set of constraints regarding the
LET of tasks and hierarchical refinement, discussed below.
LET constraints. In a mode m, with period ∆, a task
invocation may access (read/write) communicators only at
logical times in [0,∆] that are factors of the communicators’
periods. No read may happen at time ∆, and no write at time
0. Also, ∆ must be a factor of every communicator period
referenced by other modes in the same module, in order that
mode switching to any mode induces an aligned time window
for all communicators. In addition, the task precedence relation
≺m for the tasks in m must be acyclic.
Each task T ∈ Tasks(m) must have a well-defined LET
interval LET(T ) = [Release(T ), Termination(T )] such that
Release(T ) is the maximum of times t such that (p, c, t) ∈
Inv(m) for p ∈ In(T ) or such that t = Release(T0) for
T0 ≺m T , and Termination(T ) is the minimum of times
t such that (p, c, t + Π(c)) ∈ Inv(m) for p ∈ Out(T ) or
such that t = Termination(T0) for T ≺m T0. Note that for
communicator writes we take into account the transmission
time, which takes at most one communicator period Π(c).
Hence, if (p, c, t) ∈ Inv(m) for p ∈ Out(T ), then at time
t the corresponding p-output of T is both written to the
communicator c and has already been transmitted via the
network.
Refinement constraints. A mode m is refined if and only
if it contains at least one abstract task, i.e., A ∈ Tasks(m)
with f(A) = ⊥. In that case, each refinement mode m′ within
RefP(m) must have the same period as m, and each of its
tasks must be a proper refinement of a unique abstract task A.
A task T is a proper refinement of A if and only if the
following four conditions are met: (1) The LET of T contains
that of A, LET(T ) ⊇ LET(A); (2) Any precedence of T is a
precedence of A, directly or by refinement: if T0 ≺m T then
T0 is either a refinement of a precedence of A, or a concrete
task in the parent mode that is a precedence of A; (3) T writes
to all of the output ports of A, Out(T ) ⊇ Out(A); and (4) T
only writes to communicators to which A also writes. We
note that condition (4) is not present in [1], but it certainly
characterizes a well-defined refinement and is necessary for
establishing race freedom in the simple way hinted in [1].
Whenever an execution platform is specified for the program,
7the following condition must also be satisfied: (5) The WCET
of T is less than or equal to the WCET of A. Note that
an abstract task is not an interface for communication of
refinement tasks, but merely a placeholder for schedulability
ensuring race freedom.
B. Semantics
An operational semantics was given for HTL in [1], in close
relation to the time-triggered execution of the E machine [9].
Here we briefly present a more abstract modular semantics
defined compositionally in terms of the HTL blocks.
A state of a top program P is a triple s = (t, v, A) where
t ∈ Q≥0 is the current time, v is a valuation of the variables
of P , and A is an activation of P . Activations are defined
compositionally: for a program P , an activation A ∈ Act(P )
is a set
A = {〈M,AM 〉 |M ∈ Modules(M), AM ∈ Act(M)}
where AM = 〈m,Am〉 ∈ Act(M) is an activation for the
module M , with m ∈ Modes(M) being the active mode,
and Am ∈ Act(m) its activation. A mode activation for m
is another pair Am = 〈a,Ar〉, with activation time a ∈ Q+0 ,
and a refinement activation Ar = ⊥ if RefP(m) = ⊥, or
Ar ∈ Act(RefP(m)) otherwise.
A program trace s0 −→ s1 −→ s2 −→ · · · is de-
fined by a two-layer operational semantics shown in Fig-
ure 13. The initial program state of P (INIT rule) is s0 =
(0, v0(P ), invoke(P, 0)) , where v0(P ) assigns the initial
value init(x) to each communicator or port x in P . In
the initial activation invoke(P, 0), the active mode of each
module is set to be the specified start mode. A successor state
s′ of s is reached after a sequence of task completions, writes,
reads, and mode switches, defining “micro”-successors, before
an elapse of time (TOP rule). We write e for any of these events
(comprising the set of events E). Each e-“micro”-successor,
except for the time elapse, comprises a closed sequence of
e-events with distinct labels or no labels at all (MICRO rule).
The labels are a convenience artifact that allows us to model
that any (complete or write) event transition is enabled only
once at a time instant.
The handling of program events is modeled by the second
layer of the semantics, modularly. A program event is either
an independent event in one of its modules (COMP1) or a
synchronized elapse of time in all of its modules (TIME1).
The behavior of a module reduces to the behavior of the
current active mode (COMP2), until mode switching is due
and the active mode may change (SWITCH1). At the level
of modes, the behavior is defined by the concrete tasks of
the mode, and compositionally by the refinement program
(REFINE). Switching is enabled at the end of the mode’s period
(SWITCH1), and time elapses with an offset up to the next
logical event in the mode (TIME2). Both switching and time
elapsing are synchronized events with the mode’s refinement
program. In the lowest level of concrete task invocations in
a mode, each task completion is modeled as completing non-
deterministically at an instant that is within the LET of the
task (COMPLETE1 and COMPLETE2). Other than that, the state
may change by appropriate updates of ports and communi-
cators (DEP, READ, and WRITE) due to task precedences and
communicator reads/writes. Note that the semantics defines
only the time-deterministic behavior of the program and not
an actual execution on a platform. In this respect it qualifies
as “abstract”.
V. MODULARITY
A. Modularity framework
We consider the following framework, illustrated in Fig-
ure 14. Given a top-level program Po for which property or
aspect ϕ holds, and a component Co within Po that is updated
to a component (patch) C yielding top-level program P , we
wish to establish ϕ for P . Let A be the algorithm used for
establishing ϕ. The modularity of ϕ given A, in regard to P
and C, is a pair (DAϕ (C,P ), CAϕ (C,P ))
where DAϕ (C,P ) stands for the part of P that needs to
be re-analyzed in order to establish ϕ, called the modular
dependency context and CAϕ (C,P ) is the complexity function
measuring the effort in doing so in terms of the size of the
dependency context, called the modular complexity.
For comparison, we also denote by CAϕ (P ) the complexity
of the total effort of checking ϕ for P using A. Note that, in
the modularity framework, we exclude the case Co = Po, i.e.,
C = P , since then the modular complexity equals CAϕ (P ).
Hence, our framework is one for incremental compilation,
applicable when a certain component of a program is updated,
and thus the program requires re-compilation. The framework
also subsumes plain incremental compilation, in case when the
old component Co is the “empty component”.
Fig. 14. Modularity
The modular dependency contextDAϕ (C,P ) alone is already
a good measure of modularity, and is in close relation to the
modular complexity. In the best-case scenario, we will have
DAϕ (C,P ) = C, meaning that only C needs to be re-checked.
This is the case when ϕ (and A) is “fully modular” for C
with regard to P , or C can be checked to be a refinement of
Co in regard to ϕ. In the worst-case scenario, we will have
DAϕ (C,P ) = P and CAϕ (C,P ) = C
A
ϕ (P ), meaning that P
needs to be fully re-checked, i.e., ϕ (or A) is “non-modular”
for C in the context of P .
From now on, if ϕ, A, C, and P are fixed and clear, we
write D and C, for the dependency context and the complexity,
respectively. Similarly, we write C for the total complexity.
8B. HTL modularity aspects
We characterize HTL modularity for all cases of interest.
For each property ϕ, from the compilation stages of Figure 11,
we discuss an algorithm A used to validate ϕ on P . Before
presenting the modularity of the property, i.e., D and C for all
possible components, we first discuss C, the total complexity
of checking ϕ by A. Note that in case of a dependency
between properties, i.e., an arrow in Figure 11, we only
consider the effort of checking the property of interest and
assume that the needed predecessor property has already been
checked. For example, in order to establish transmission safety
a program needs to be race free (and in order to be race free, it
must be well-formed). When discussing the complexity of the
transmission-safety check, we assume the program is already
proven race free (and hence also well-formed), and consider
only the complexity that is essential to the transmission safety
check.
Our results are summarized in Table I, showing that top-
level time safety is non-modular, whereas all other proper-
ties are modular. Moreover, refinement-level race freedom,
transmission safety, refinement-level time safety, and code
generation are fully modular properties. In the rest of the paper
we discuss the results presented in Table I. Let us start by
introducing the needed notation.
A program P has a refinement height rP , and the follow-
ing upper bounds on its size: nc communicators, nM top
modules, nm modes per top module, nT tasks per mode,
nw communicator writes per task, na communicator accesses
per task, np ports per task, and periods of modes with
maximum value ∆max. We also use the notation nPm↓ for
the bound on the total number of modes in P calculated as
nPm↓(rP ) = (nM ·nm)rP+1, and nPT↑ for the bound of the total
number of top-level tasks in P calculated as nPT↑ = nMnmnT .
We distinguish between top-level and refinement-level com-
ponents. A top-level component can have a root node module,
mode, or task. A refinement-level component can have a
root node program, module, mode, or task. Similar as for
programs, rC denotes the refinement height of a component
C, nCm↓ an upper bound on the total number of modes in
it, and nCT↑ an upper bound on the number of top-level
tasks. These two notions can be calculated for each type of
a component. For example, if C is a refinement program,
then nCm↓ = (nM · nm)rC+1 and nCT↑ = 0; whereas if
C is a top-level component with root node a module, then
nCm↓ = (nM · nm)rC · nm and nCT↑ = nm nT .
For simplicity, we assume that the mode switching function
of each module induces a fully connected mode-switching
graph. This is not a restriction but actually creates a worst-
case scenario since it subsumes all possible mode-switching
behaviors.
Well-formedness. The verification of well-formedness of a
program P with respect to the LET and refinement constraints
discussed in Section IV is performed inductively on the
structure of the program and it can be achieved in linear time
(one pass) depending on the product of the total number of
modes, number of tasks per mode, and number of ports per
task, i.e. C = O(nPm↓(r) nT np). Checking other syntactic
constraints is performed in less time, and therefore subsumed
by this complexity bound.
For modular compilation, the well-formedness check is also
linear, now in the size of the component. The dependency
context is C itself (although each refinement task needs to be
compared also to its parent task) and the modular complexity
is C = O(nCm↓(rC) nT np).
Race freedom. A race happens in the execution of a
program when two concurrent task invocations write the
same communicator at the same time, compromising time-
determinism.
We consider a simple race-free sufficiency algorithm. It uses
the fact that if no two concurrent tasks write to the same com-
municators, regardless of the time when the communicators
are written, then race freedom is ensured. Moreover, using
condition (4) of the refinement constraints in Section IV-A,
we observe that two concurrent tasks in an HTL program
write to the same communicators if and only if there exist
two top-level concurrent tasks in the program that write the
same communicators. Hence, for race freedom it is sufficient
to check that no two top-level concurrent tasks write to the
same communicators. At top level, concurrent tasks are any
two tasks within the same mode, or any two tasks in different
top-level modules.
More precisely, let write(T ) be the set of communicators
to which task T writes, and let write(M) be the set of
communicators written by any task in any mode of M . We
need to ensure that
1. for all top-level modules M1 and M2 we have
write(M1) ∩ write(M2) = ∅, and
2. for every top level mode m, and each two tasks T1 and
T2 of m, it holds that write(T1) ∩ write(T2) = ∅.
The check of 1. can be done in linear time in the number of
modules and number of communicators, whereas the check of
2. is linear in the total number of writes of all top-level task.
Hence, C = O(nPT↑ nw + nM nc).
As for the modularity cases of interest, if C is a well-formed
refinement-level component, then there is nothing to check:
the dependency context is C, and the complexity is constant
time, actually zero time. If C is a top-level component, then
re-checking race freedom requires checking 2. for the tasks in
C and re-checking 1. Hence, the dependency context is the
whole program P , but not all of P needs to be re-checked.
There is still some modularity involved, the top-level tasks
outside C need not be re-checked. As a result, we get that
C = O(nCT↑ nw + nM nc).
Transmission safety. Transmission safety requires that the
networked communication of a program, i.e., the broadcast
of communicator values, is schedulable, meaning that any
transmission of a value of any communicator fits into the
communicator’s period instance.
In the worst-case transmission scenario of a race-free pro-
gram, every communicator is updated at every period. Since
transmitting an update takes time at most the WCTT of
the communicator, scheduling the network communication
amounts to scheduling a set of periodic tasks (one per each
9ϕ C DAϕ (C,P ) CAϕ (C,P ) CAϕ (P )
Well-formedness any C nCm↓ nT np n
P
m↓ nT np
Race freedom top P n
C
T↑ nw + nM nc nPT↑ nw + nM nc
ref. C 1
Transmission safety any C 1 nc
Time safety top P (nm ∆max)
nM
(nm ∆max)
nM
ref. C 1
Code generation any C nCm↓ (nT na + nm) n
P
m↓ (nT na + nm)
na number of communicator accesses per task nc number of communicators nM number of modules per program
nm number of modes per module np number of ports per task nT number of tasks per mode
nw number of communicator writes per task nCm↓ total number of modes in C n
P
m↓ total number of modes in P
nCT↑ number of top-level tasks in C n
P
T↑ number of top-level tasks in P ∆max maximal value of mode periods
TABLE I
MODULARITY ASPECTS OF HTL
communicator) with execution times equal to the correspond-
ing communicator WCTTs and periods equal to the corre-
sponding communicator periods.
Hence, for network architectures that are flexible with
respect to the choice of a scheduling algorithm, a simple
utilization based scheduling test and algorithm (e.g. EDF or
rate-monotonic scheduling), linear in the number of communi-
cators in the system, suffices to establish transmission safety,
C = O(nc). An example of such a flexible architecture is an
FFT-CAN bus [13]. Also statically scheduled networks like
the simplest forms of TDMA buses may allow for a simple
utilization-based schedulability check.
Transmission safety is fully modular although the commu-
nicators in a program are global: if the original program Po is
transmission safe, then all communicators have already been
taken into account in Po and a change of a component does
not require any additional check. So, the dependency context
is always C and C = O(1).
Time safety. For time safety, a program needs to be
checked for schedulability of computation, taking into account
the target platform (WCETs) and the program specification
(LETs). Time safety can be checked independently from the
network communication (the transmission-safety check). The
main HTL schedulability result, enabled by the refinement
constraints, is that time safety of any program P is ensured by
schedulability of all (abstract and concrete) top-level tasks. In
such a case, any schedule for the top-level tasks is robust and
sustainable (in the sense of e.g. [14], [15]) to a replacement
of an abstract task by any of its refinements.
For schedulability at the top level, standard periodic-task
scheduling techniques can be used (c.f. [16]). In the absence of
mode switching, with a single mode per module, the top level
of P is a periodic-task system with task precedences and the
complexity of checking top-level schedulability is exponential
in the mode periods: O(∆nMmax) [17]. This can be improved
for special cases, for which there are tractable schedulability
tests and algorithms, e.g. synchronous periodic-task systems
with deadlines equal to or less than periods. In the general
case with mode switching, the top-level schedulability check
must consider in the worst case O(nmnM ) combinations of
concurrent modes at the top level. There is no need to check
anything but well-formedness for refinement programs. Hence,
the total complexity for checking time safety of a program P
is C = O((nm ∆max)nM ).
Let us consider the two cases of interest for modularity anal-
ysis. If C is a well-formed refinement-level component, then
D = C and the modular complexity is C = O(1) since there is
nothing to check. If C is a top-level component, the top-level
time-safety analysis of P must be fully re-checked, i.e., time
safety is non-modular in this case with dependency context
D = P and modular complexity C = O((nm ∆max)nM ).
Code generation. There is a flattening HTL compiler tar-
geting the E machine [1] and a modular, hierarchy-preserving
HTL compiler targeting the HE machine [3]. A detailed com-
parison of both compilers can be found in [5]. We highlight the
differences, and characterize the complexity and modularity
for the HE-compiler.
The more recent HE-compiler allows modular code gen-
eration. The worst-case code size per mode generated by the
HE-compiler depends linearly on the number of communicator
accesses (na) for each task and the number of modes in
the same module (for the evaluation of mode switching),
c.f. [3] for more details. Hence, the size of the generated code
per mode is O(nT na + nm) and the overall complexity of
generating code for P is C = O(nPm↓(rP ) (nT na+nm)). The
code for each component C can be generated independently
from the code for the rest of the program. So, we have that for
any component C, D = C and C = O(nCm↓(rC)(nT na+nm)).
To be precise, this holds for any component that contains at
least one mode. For the corner case of a component with root
node task, the modular complexity simplifies to C = O(na).
Beyond code generation, there is the aspect of code distribu-
tion across multiple hosts. In the HTL characterization in [1]
different modules exchanged values of ports, rather than values
of communicators. As a consequence of exchanging values
of ports, the code for (almost) the entire program had to be
10
executed on all hosts. With the current approach, originating in
the decoupling of task executions from network transmissions,
only the code of modules mapped to a host needs to execute
on that host leading to fully modular code distribution.
VI. RELATED WORK
The foundation for HTL is the LET model, introduced
in previous work on Giotto [7] and the E machine [9].
Modular refinement-level time safety checking was shown in
the original work on HTL [1]. Modular code generation was
described for HTL in [3], [5], and for Giotto in [18]. Mod-
ular code generation is a relevant issue also in synchronous
reactive programming languages, for it allows reusability and
integration of components, but calls for different solutions due
to the zero-time rather than LET semantics [10]. The quest for
verifiable, predictable, and compositional time-determinism of
distributed programs, motivated the work on “network code”
programs [19], distributed synchronous reactive programs on
so-called “loosely”-time-triggered architectures (LTTA) [20],
and further back, work on TTA [21], [22].
Exact schedulability analysis of real-time programs is
a complex problem, which motivated the development of
sustainable [23], compositional [23], [24], and “interface”-
based [25], [26] techniques.
There is significant research interest in component-based
real-time software in general, and its modular compilation.
We highlight some examples of recent work in this area.
BIP components [27] provide a framework where correctness
of components is inferred compositionally by properties of
sub-components. BIP also works as a “verification back-
end” for other component-based systems such as AADL [28]
and synchronous languages such as Lustre [29]. Ptolemy
actors [11] allow for the composition of heterogeneous models
of computation and have been considered in verification [30].
Relational interfaces [31] endow (real-time) interfaces [32]
with synchronous input-output relations and are compositional
with respect to refinement.
VII. CONCLUSION
We have presented a modular abstract syntax and semantics
for HTL, modular checks of well-formedness, race freedom,
and transmission safety, and modular code distribution. Our
contributions here complement previous results on HTL time
safety and modular code generation, and complete the study of
modularity in HTL. Modularity in HTL can be utilized in easy
program composition as well as fast program analysis and code
generation, but also in runtime patching, which may eventually
be used as software foundation for addressing uncertainty in
control systems. While there is already an implementation
of a modular HTL compiler, an implementation of runtime
patching for HTL is still future work.
REFERENCES
[1] A. Ghosal, T. Henzinger, D. Iercan, C. Kirsch, and A. Sangiovanni-
Vincentelli, “A hierarchical coordination language for interacting real-
time tasks,” in Proc. EMSOFT, 2006.
[2] K. Chatterjee, A. Ghosal, D. Iercan, C. Kirsch, T. Henzinger, C. Pinello,
and A. Sangiovanni-Vincentelli, “Logical reliability of interacting real-
time tasks,” in Proc. DATE, 2008.
[3] A. Ghosal, D. Iercan, C. Kirsch, T. Henzinger, and A. Sangiovanni-
Vincentelli, “Separate compilation of hierarchical real-time programs
into linear-bounded embedded machine code,” in Proc. APGES, 2007.
[4] C. Kirsch, L. Lopes, and E. Marques, “Semantics-preserving and in-
cremental runtime patching of real-time programs,” in Proc. APRES,
2008.
[5] D. Iercan, “Contributions to the development of real-time programming
techniques and technologies,” Ph.D. dissertation, Politehnica University
of Timisoara, 2008.
[6] D. Stewart, R. Volpe, and P. Khosla, “Design of dynamically reconfig-
urable real-time software using port-based objects,” IEEE Transactions
on Software Engineering, 1997.
[7] T. Henzinger, B. Horowitz, and C. Kirsch, “Giotto: A time-triggered
language for embedded programming,” Proc. of the IEEE, 2003.
[8] J. Auerbach, D. Bacon, D. Iercan, C. Kirsch, V. Rajan, H. Ro¨ck, and
R. Trummer, “Low-latency time-portable real-time programming with
Exotasks,” ACM TECS, 2009.
[9] T. Henzinger and C. Kirsch, “The Embedded Machine: predictable,
portable real-time code,” in Proc. PLDI, 2002.
[10] R. Lublinerman, C. Szegedy, and S. Tripakis, “Modular code generation
from synchronous block diagrams — modularity vs. code size,” in Proc.
POPL, 2009.
[11] J. Eker, J. Janneck, E. Lee, J. Liu, X. Liu, J. Ludvig, S. Neuendorffer,
S. Sachs, and Y. Xiong, “Taming heterogeneity—the Ptolemy approach,”
Proc. of the IEEE, 2003.
[12] HTL site, http://htl.cs.uni-salzburg.at.
[13] L. Almeida, P. Pedreiras, and J. Fonseca, “The FTT-CAN protocol: Why
and how,” IEEE Trans. on Industrial Electronics, 2002.
[14] M. Anand and I. Lee, “Robust and sustainable schedulability analysis
of embedded software,” in Proc. LCTES, 2008.
[15] S. Baruah and A. Burns, “Sustainable scheduling analysis,” in Proc.
RTSS, 2006.
[16] G. Buttazzo, Hard Real-Time Computing Systems: Predictable Schedul-
ing Algorithms and Applications. Norwell, MA, USA: Kluwer Aca-
demic Publishers, 1997.
[17] J. Leung and M. Merrill, “A note on preemptive scheduling of periodic,
real-time tasks,” Information Processing Letters, 1980.
[18] T. Henzinger, C. Kirsch, and S. Matic, “Composable code generation
for distributed Giotto,” in Proc. LCTES, 2005.
[19] S. Fischmeister, O. Sokolsky, and I. Lee, “A verifiable language for
programming real-time communication schedules,” IEEE Trans. on
Computers, 2007.
[20] S. Tripakis, C. Pinello, A. Benveniste, A. Sangiovanni-Vincent, P. Caspi,
and M. Di Natale, “Implementing synchronous models on loosely time
triggered architectures,” IEEE Trans. on Computers, 2008.
[21] H. Kopetz and G. Bauer, “The Time-Triggered Architecture,” Proc. of
the IEEE, 2003.
[22] P. Caspi, A. Curic, A. Maignan, C. Sofronis, S. Tripakis, and P. Niebert,
“From Simulink to SCADE/Lustre to TTA: a layered approach for
distributed embedded applications,” ACM SIGPLAN Notices, 2003.
[23] A. Easwaran, M. Anand, and I. Lee, “Compositional analysis framework
using EDP resource models,” in Proc. RTSS, 2007.
[24] L. Thiele, E. Wandeler, and N. Stoimenov, “Real-time interfaces for
composing real-time systems,” in Proc. EMSOFT, 2006.
[25] R. Alur and G. Weiss, “RTComposer: a framework for real-time com-
ponents with scheduling interfaces,” in Proc. EMSOFT, 2008.
[26] T. Henzinger and S. Matic, “An interface algebra for real-time compo-
nents,” in Proc. RTAS, 2006.
[27] S. Bensalem, M. Bozga, J. Sifakis, and T. Nguyen, “Compositional
verification for component-based systems and application,” in Proc.
ATVA, 2008.
[28] M. Chkouri, A. Robert, M. Bozga, and J. Sifakis, “Translating AADL
into BIP-application to the verification of real-time systems,” in Proc.
MoDELS Workshops, 2008.
[29] M. Bozga, V. Sfyrla, and J. Sifakis, “Modelling synchronous systems in
BIP,” in Proc. EMSOFT, 2009.
[30] Y. Zhou and E. A. Lee, “Causality interfaces for actor networks,” ACM
TECS, 2008.
[31] S. Tripakis, B. Lickly, T. Henzinger, and E. Lee, “On relational inter-
faces,” in Proc. EMSOFT, 2009.
[32] L. de Alfaro and T. A. Henzinger, “Interface theories for component-
based design,” in Proc. EMSOFT, 2001.
