Component refinement and CSC solving for STG decomposition by Schaefer, Mark & Vogler, Walter (Prof. Dr.)
Universität Augsburg
Component Refinement and CSC
Solving for STG Decomposition
Mark Schäfer and Walter Vogler
Report 2004-13 October 2004
Institut für Informatik
D-86135 Augsburg
Copyright © Mark Schäfer and Walter Vogler
Institut für Informatik
Universität Augsburg
D–86135 Augsburg, Germany
http://www.Informatik.Uni-Augsburg.DE
— all rights reserved —
Component Refinement and CSC Solving for STG Decomposition*
Mark Schäfer and Walter Vogler
University of Augsburg, Germany
{schaefer,vogler}@informatik.uni-augsburg.de
Abstract. STGs give a formalism for the description of asynchronous circuits based on Petri
nets. To overcome the state explosion problem one may encounter during circuit synthesis, a
nondeterministic algorithm for decomposing STGs was suggested by Chu and improved by one
of the present authors.
In this paper it is studied how CSC solving (which is essential for circuit synthesis) can be
combined with decomposition. For this purpose the correctness definition for decomposition is
enhanced with internal signals and it is shown that speed-independent CSC solving preserves
correctness. The latter uses a more general result about correctness of top-down decomposition.
Furthermore, we apply our definition to give the first correctness proof for the decomposition
method of Carmona and Cortadella [CC03].
Keywords: STG, system decomposition, CSC, implementation relation, speed-independent
1 Introduction
Signal Transition Graphs (STG) are a formalism for the description of asynchronous
circuit behaviour. An STG is a labelled Petri net where the labels denote signal
changes between logical high and logical low. The synthesis of circuits from STGs is
supported by several tools, e.g. Petrify [CKK+97], and it often involves the gener-
ation of the reachability graph, which may have a size exponential in the size of the
STG (state explosion). To cope with this problem, Chu suggested a nondeterminis-
tic method for decomposing an STG (without internal signals) into several smaller
ones [Chu87], see also [KKT93]. While there are strong restrictions on the structure
and labelling of STGs in [Chu87], the improved decomposition algorithm of Vogler,
Wollowski and Kangsah [VW02,VK04] works under – comparatively moderate – re-
strictions on the labelling only.
Roughly, this decomposition algorithm works as follows. Initially, a partition of
the output signals has to be chosen, and for each set in this partition a component
producing the respective output signals will be constructed as follows.
For each component, our algorithm finds a set of signals that (at least initially)
can be regarded as irrelevant for the output signals under consideration; then, it takes
a copy of the original STG and turns each transition corresponding to an irrelevant
signal into a dummy (λ-labelled) transition; finally, it tries to remove all dummy
transitions by so-called secure transition contractions and deletions of (structurally)
redundant places or redundant transitions.
In general, our algorithm might find during this process that additional signals are
relevant; then, it has to start anew from a suitably modified copy of the original STG
– which eventually gives a correct component as proven in [VW02,VK04].
* This work was partially supported by the DFG project 'STG-Dekomposition' Vo615/7-1.
Complete state coding (CSC) is an important property for STGs and must be
achieved before an asynchronous circuit can be synthesised; e.g. Petrify can solve
CSC, i.e. modify an STG on the basis of its reachability graph such that CSC holds.
While some decomposition methods [CC03,YOM04] have to assume that the original
STG satisfies CSC, our decomposition algorithm is more general since it does not pre-
suppose this; on the other hand, the methods in [CC03,YOM04] construct components
with CSC, while our components might not have CSC. For each such component one
can solve CSC and synthesise a separate circuit e.g. by using Petrify; compared to
solving CSC for the original STG (with its potentially huge reachability graph) and
synthesising one circuit, this can be much faster [VK04].
One would expect that the components generated by our decomposition algorithm
are still correct when they have been modified to achieve CSC, and in fact it would also
be very interesting in what sense CSC-solving with Petrify is correct – independently
of the issue of decomposition; it seems that no correctness for this has been proven so
far. For such correctness results, one needs a correctness definition that takes internal
signals into account.
The purpose of this paper is to enhance the correctness definition of [VW02,VK04]
appropriately, to study its properties and give applications in the area of decomposi-
tion and CSC-solving.
As the main property of the new correctness notion, we show that it is preserved
when decomposition is performed stepwise. While this correctness of top-down decom-
position is of interest in itself, it can in particular be used to improve the efficiency of
our decomposition algorithm. Then we prove that CSC-solving for speed-independent
circuits as performed by Petrify is correct in our sense. With our result on the cor-
rectness of top-down decomposition, we then conclude that speed-independent CSC-
solving can indeed be combined with the decomposition algorithm of [VW02,VK04].
As another contribution, we prove that the decomposition method in [CC03] is cor-
rect in the sense of our enhanced correctness definition; in [CC03] itself, no correctness
proof is given.
The paper is organized as follows. In the next section, Petri nets, STGs and their
basic notions are introduced, and the correctness definition is enhanced with
internal signals. In Section 3, we prove top-down decomposition correct in terms of our
enhanced correctness definition; Section 4 studies correctness of speed-independent
CSC solving on its own and in combination with decomposition. Section 5
shows the correctness for the approach of [CC03]. We conclude with Section 6.
2 Basic Definitions
This section provides the basic notions for Petri nets and STGs, for a more detailed
explanation confer e.g. [Pet81,CKK+02].
A Petri net is a 4-tuple N = (P, T, W, MN) where P is a finite set of places and
T a finite set of transitions with P ∩ T = ∅. W : P × T ∪ T × P → N0 is the weight
function and MN the initial marking, where a marking is a function P → N0. A node
is a place or a transition and a Petri net can be considered as a bipartite graph with
weighted and directed edges between its nodes. A marking is a function which assigns
a number of tokens to each place. Whenever a Petri net N, N′, N₁, etc. is introduced,
the corresponding tuples (P, T, W, M_N), (P′, T′, W′, M_{N′}), (P₁, T₁, W₁, M_{N₁}) etc. are
introduced implicitly and the same applies to STGs later on.
The preset of a node x is denoted as •x and defined by •x = {y ∈ P∪T |W (y, x) >
0}, the postset of a node x is denoted as x• and defined by x• = {y ∈ P∪T |W (x, y) >
0}. We write •x• as shorthand for •x ∪ x•. All these notions are extended to sets as
usual. We say that there is an arc from each y ∈ •x to x.
In a graphical representation of a Petri net places are drawn as circles, transi-
tions as rectangles, the weight function as directed arcs xy (labelled with W (x, y) if
W (x, y) > 1) and a marking of a place as a number or as a set of small dots drawn in
the interior of the corresponding circle.
Given a sequence x ∈ X∗, and a set X ′ ⊆ X, x↓X′ denotes the projection of x onto
X ′ and is obtained from x by omitting all elements not in X ′. This is extended to sets
of sequences as usual, i.e. element-wise.
A transition t is enabled under a marking M if ∀p ∈ •t : M(p) ≥ W (p, t), which
is denoted by M [t〉. An enabled transition can fire or occur yielding a new marking
M ′, written as M [t〉M ′, if M [t〉 and M ′(p) = M(p)−W (p, t) + W (t, p) for all p ∈ P .
A transition sequence $v = t_0 t_1 \ldots t_n$ is enabled under a marking $M$ (yielding $M'$)
if $M[t_0\rangle M_0[t_1\rangle M_1 \ldots M_{n-1}[t_n\rangle M_n = M'$, and we write $M[v\rangle$, $M[v\rangle M'$ resp.; $v$ is called a
firing sequence if $M_N[v\rangle$. The empty transition sequence $\lambda$ is enabled under every
marking.
M ′ is called reachable from M if a transition sequence v with M [v〉M ′ exists. The
set of all markings reachable from M is denoted by [M〉. [MN 〉 is the set of reachable
markings (of N), and we only deal with N where this set is finite (i.e. N is bounded).
An STG is a tuple N = (P, T, W, MN , In, Out, Int, l) where (P, T, W, MN) is a
Petri net and In, Out and Int are disjoint sets of input, output and internal signals.
We define the set of all signals Sig := In ∪ Out ∪ Int, the set of locally controlled or
just local signals Loc := Out∪ Int and the set of all external signals Ext := In∪Out.
l : T → Sig×{+,−} is the labelling function. In this paper we do not have to consider
λ-labelled dummy transitions, which play an important role in the decomposition
algorithm of [VW02,VK04].
An STG can be taken as a formalism for asynchronous circuits. Such a circuit has
input signals, which are under the control of its environment, and local signals, whose
values are changed by the circuit. The STG describes which output and internal
signals should be performed; at the same time, it describes assumptions about the
environment, which should perform input signals only if this is specified by the STG.
Sig × {+,−} or short Sig± is the set of signal changes or signal transitions; its
elements are denoted shortly as a+, a− resp. instead of (a, +), (a,−) resp. A plus
sign denotes that a signal value changes from logical low (written as 0) to logical high
(written as 1), and a minus sign denotes the other direction. We write a± if it is not
important or unknown which direction takes place. If such a term appears more than
once in the same context, it always denotes the same direction.
Some of the results of this paper do not depend on the fact that transition labels
are of the form a+ or a−, i.e. they can be applied in any setting where actions can
be regarded as inputs, outputs or internal.
We lift the notion of enabledness to transition labels: We write M [a±〉〉M ′ if
M [t〉M ′ and l(t) = a±. This is extended to sequences as usual. A sequence v ∈ (Sig±)∗
is called a trace of a marking M if M [v〉〉, and a trace of N if M = MN . The language
of N is the set of all traces of N and denoted by L(N).
The reachability graph $RG_N$ of an STG $N$ is an edge-labelled directed graph on
the reachable markings with $M_N$ as root; there is an edge from $M$ to $M'$ labelled
$s^\pm$ whenever $M[s^\pm\rangle\rangle M'$. $RG_N$ can be seen as a finite automaton (where all states
are final), and L(N) is the language of this automaton. N is deterministic if its
reachability graph is a deterministic automaton, i.e. if for each reachable marking M
and each signal transition s± there is at most one M ′ with M [s±〉〉M ′.
The identity of the transitions or places of an STG, as well as the names of the
internal signals are not relevant for us; hence, we regard STGs N and N ′ as equal if
they are externally isomorphic, i.e. if they have the same input and output signals,
and we can rename the internal signals of N and then map the transitions (places
resp.) of the resulting STG bijectively onto the transitions (places resp.) of N ′ such
that the weight function, the marking and the labelling are preserved. (Altogether,
the external signals are preserved while the internal signals might be renamed.)
For the modular construction of STGs, the operations hiding, relabelling and par-
allel composition are of interest.
Given an STG N and a set H of signals with H ∩ In = ∅, the hiding of H results
in the STG N/H = (P, T, W, MN , In, Out \H, Int ∪H, l).
Given a bijection φ defined for all external signals of N, the relabelling of N is
φ(N) = (P, T, W, M_N, φ(In), φ(Out), Int, φ ∘ l); this assumes that, if necessary, the
internal signals of N are renamed such that Int ∩ (φ(In) ∪ φ(Out)) = ∅ and φ is
extended to be the identity on the internal signals.
Observe that hiding and relabelling preserve determinism as defined above, and
the same will apply to parallel composition. In particular, hiding neither changes the
identity of signals nor removes them completely from the STG, as is done in other
settings.
In the following definition of parallel composition ‖, we will have to consider the
distinction between input, output and internal signals. The idea of parallel composi-
tion is that the composed systems run in parallel synchronising on common signals.
Since a system controls its outputs, we cannot allow a signal to be an output of more
than one component; input signals, on the other hand, can be shared. An output
signal of one component can be an input of one or several others, and in any case it is
an output of the composition. Internal signals of one component are not shared with
other components (this can be achieved with a suitable renaming) and they become
internal signals of the composition.
A composition can also be ill-defined due to what e.g. Ebergen [Ebe92] calls com-
putation interference; this is a semantic problem, and we will not consider it here, but
later in the definition of correctness.
The parallel composition of STGs N1 and N2 is defined if Loc1 ∩ Loc2 = ∅ and
Int1 ∩ In2 = Int2 ∩ In1 = ∅. Then, let A = Sig1 ∩ Sig2 be the set of common signals;
observe that A contains no internal signals. If e.g. s is an output of N1 and an input
of N2, then an occurrence of s in N1 is ‘seen’ by N2, i.e. it must be accompanied by
an occurrence of s in N2. Since we do not know a priori which s±-labelled transition
of N2 will occur together with some s±-labelled transition of N1, we have to allow
for each possible pairing. Thus, the parallel composition N = N1 ‖ N2 is obtained
from the disjoint union of N1 and N2 by combining each s±-labelled transition t1 of
N1 with each s±-labelled transition t2 from N2 if s ∈ A. In the formal definition of
parallel composition, ∗ is used as a dummy element, which is formally combined e.g.
with those transitions that do not have their label in the synchronisation set A. (We
assume that ∗ is not a transition or a place of any net.) Thus, N is defined by
$$P = P_1 \times \{*\} \;\cup\; \{*\} \times P_2$$
$$T = \{(t_1, t_2) \mid t_1 \in T_1,\, t_2 \in T_2,\, l_1(t_1) = l_2(t_2) \in A^\pm\} \;\cup\; \{(t_1, *) \mid t_1 \in T_1,\, l_1(t_1) \notin A^\pm\} \;\cup\; \{(*, t_2) \mid t_2 \in T_2,\, l_2(t_2) \notin A^\pm\}$$
$$W((p_1, p_2), (t_1, t_2)) = \begin{cases} W_1(p_1, t_1) & \text{if } p_1 \in P_1,\ t_1 \in T_1 \\ W_2(p_2, t_2) & \text{if } p_2 \in P_2,\ t_2 \in T_2 \\ 0 & \text{otherwise} \end{cases}$$
$$W((t_1, t_2), (p_1, p_2)) = \begin{cases} W_1(t_1, p_1) & \text{if } p_1 \in P_1,\ t_1 \in T_1 \\ W_2(t_2, p_2) & \text{if } p_2 \in P_2,\ t_2 \in T_2 \\ 0 & \text{otherwise} \end{cases}$$
$$l((t_1, t_2)) = \begin{cases} l_1(t_1) & \text{if } t_1 \in T_1 \\ l_2(t_2) & \text{if } t_2 \in T_2 \end{cases}$$
$$M_N = M_{N_1} \,\dot\cup\, M_{N_2}, \quad\text{i.e.}\quad M_N((p_1, p_2)) = \begin{cases} M_{N_1}(p_1) & \text{if } p_1 \in P_1 \\ M_{N_2}(p_2) & \text{if } p_2 \in P_2 \end{cases}$$
$$Int = Int_1 \cup Int_2 \qquad Out = Out_1 \cup Out_2 \qquad In = (In_1 \cup In_2) \setminus (Out_1 \cup Out_2)$$
(The weight between a place of one component and a transition that does not involve that component is 0, since $W$ is a total function into $\mathbb{N}_0$.)
It is not hard to see that parallel composition is associative and commutative up
to external isomorphism, and $\|_{i \in I} N_i$ is defined if each $N_i \| N_j$ is defined. Furthermore,
one can consider the place set of the composition as the disjoint union of the place sets
of the components; therefore, we can consider markings of the composition (regarded
as multisets) as the disjoint union of markings of the components; the latter makes
clear what we mean by the restriction $M|_{P_i}$ for a marking $M$ of the composition.
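The construction above, carried out in Python as an added example (not code from the paper): `compose` builds N1 ‖ N2 literally from the definition, with the dummy element `*` and one synchronised transition for every pairing of equally labelled transitions on a common signal, and `restrict` is the restriction M↾P_i. The components N1 and N2 are constructed for this example; N2 deliberately has two x+-labelled transitions so that the pairing rule is visible in the result.

```python
"""Parallel composition N1 || N2 of two STGs as defined in Section 2 (added example).
An STG is a dict with keys P, T (transition -> (signal, '+'/'-')), W ((x, y) -> weight),
M0 (place -> tokens), In, Out, Int.  '*' is the dummy element of the definition; it is
assumed (as in the paper) not to be the name of any place or transition."""

STAR = "*"


def compose(n1, n2):
    """N1 || N2; raises ValueError when the composition is undefined."""
    loc1, loc2 = n1["Out"] | n1["Int"], n2["Out"] | n2["Int"]
    if loc1 & loc2:
        raise ValueError(f"Loc1 and Loc2 must be disjoint, but share {loc1 & loc2}")
    if n1["Int"] & n2["In"] or n2["Int"] & n1["In"]:
        raise ValueError("an internal signal of one component is an input of the other")
    common = (n1["In"] | loc1) & (n2["In"] | loc2)        # A = Sig1 ∩ Sig2 (no internals)
    # P = P1 x {*}  ∪  {*} x P2
    places = [(p, STAR) for p in n1["P"]] + [(STAR, p) for p in n2["P"]]
    # T: every pairing of equally labelled transitions for labels in A±, dummy pairs otherwise
    trans = {}
    for t1, l1 in n1["T"].items():
        if l1[0] in common:
            trans.update({(t1, t2): l1 for t2, l2 in n2["T"].items() if l2 == l1})
        else:
            trans[(t1, STAR)] = l1
    trans.update({(STAR, t2): l2 for t2, l2 in n2["T"].items() if l2[0] not in common})
    # W: the weight of the component owning the place; 0 (absent) across components
    w = {}
    for p1, p2 in places:
        for t1, t2 in trans:
            if p1 != STAR and t1 != STAR:
                src, p, t = n1["W"], p1, t1
            elif p2 != STAR and t2 != STAR:
                src, p, t = n2["W"], p2, t2
            else:
                continue
            if src.get((p, t), 0):
                w[((p1, p2), (t1, t2))] = src[(p, t)]
            if src.get((t, p), 0):
                w[((t1, t2), (p1, p2))] = src[(t, p)]
    m0 = {(p, STAR): n1["M0"].get(p, 0) for p in n1["P"]}          # M_N = M_N1 ∪ M_N2
    m0.update({(STAR, p): n2["M0"].get(p, 0) for p in n2["P"]})
    out = n1["Out"] | n2["Out"]
    return {"P": places, "T": trans, "W": w, "M0": m0,
            "In": (n1["In"] | n2["In"]) - out, "Out": out, "Int": n1["Int"] | n2["Int"]}


def restrict(m, i):
    """M restricted to P_i: the part of a composed marking belonging to component i in {1, 2}."""
    return {pair[i - 1]: k for pair, k in m.items() if pair[i - 1] != STAR}


def arcs(*pairs):
    """Weight-1 arcs for the given (source, target) pairs."""
    return dict.fromkeys(pairs, 1)


# Constructed component N1: input a, output x, behaviour a+ x+ a- x- repeated.
N1 = {"P": ["p0", "p1", "p2", "p3"],
      "T": {"t0": ("a", "+"), "t1": ("x", "+"), "t2": ("a", "-"), "t3": ("x", "-")},
      "W": arcs(("p0", "t0"), ("t0", "p1"), ("p1", "t1"), ("t1", "p2"),
                ("p2", "t2"), ("t2", "p3"), ("p3", "t3"), ("t3", "p0")),
      "M0": {"p0": 1}, "In": {"a"}, "Out": {"x"}, "Int": set()}

# Constructed component N2: input x (N1's output), output y.  The two x+-labelled
# transitions u0 and u1 show that N1's x+ is paired with each of them.
N2 = {"P": ["q0", "q1", "q2", "q3"],
      "T": {"u0": ("x", "+"), "u1": ("x", "+"), "u2": ("y", "+"), "u3": ("x", "-"), "u4": ("y", "-")},
      "W": arcs(("q0", "u0"), ("u0", "q1"), ("q0", "u1"), ("u1", "q1"), ("q1", "u2"), ("u2", "q2"),
                ("q2", "u3"), ("u3", "q3"), ("q3", "u4"), ("u4", "q0")),
      "M0": {"q0": 1}, "In": {"x"}, "Out": {"y"}, "Int": set()}

if __name__ == "__main__":
    n = compose(N1, N2)
    print(sorted(n["T"]), n["In"], n["Out"], n["Int"])
```

Composing N1 with itself raises, since x would be an output of both components; the composed net has seven transitions, the two a± transitions and the two y± transitions paired with `*`, x+ paired twice and x- once.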
STGs together with the three operations defined above form a circuit algebra as
defined in Dill’s PhD thesis [Dil88], when regarding externally isomorphic STGs as
equal. For our further considerations we will use the properties
(C6) : (N/H1)/H2 = N/(H1 ∪H2) and
(C8) : N1/H1||N2/H2 = (N1||N2)/(H1 ∪H2) if Hi ∩ Sig3−i = ∅, i = 1, 2
satisfied by a circuit algebra.1
Let RG be the reachability graph of an STG N . A state vector is a function
sv : Sig → {0, 1} where ’0’ means logical low and ’1’ logical high. A state assignment
assigns a state vector to each marking M of RG denoted by svM .
A state assignment must satisfy for every signal $x \in Sig$ and every pair of markings
$M, M' \in [M_N\rangle$:
$M[x^+\rangle\rangle M'$ implies $sv_M(x) = 0$, $sv_{M'}(x) = 1$
¹ There are 7 additional laws a circuit algebra must fulfil (in our setting): (C1) $(N_1\|N_2)\|N_3 = N_1\|(N_2\|N_3) = N_1\|N_2\|N_3$, (C2) $N_1\|N_2 = N_2\|N_1$, (C3) $\phi_2(\phi_1(N)) = (\phi_2 \circ \phi_1)(N)$, (C4) $\phi(N_1\|N_2) = \phi(N_1)\|\phi(N_2)$, (C5) $id(N) = N$, (C7) $N/\emptyset = N$, (C9) $\phi(N/H) = \phi'(N)/\phi'(H)$.
It is clear that these properties are satisfied for our definitions, where (C4) and (C9) only have to hold if both sides are defined.
$M[x^-\rangle\rangle M'$ implies $sv_M(x) = 1$, $sv_{M'}(x) = 0$
$M[y^\pm\rangle\rangle M'$ for $y \neq x$ implies $sv_M(x) = sv_{M'}(x)$
If such an assignment exists, it is uniquely defined by these properties, and the
reachability graph (and also the underlying STG) is called consistent. From an incon-
sistent STG, one cannot synthesise a circuit.
Another necessary condition for synthesis is complete state coding (CSC). We say
that a consistent $RG$ (and $N$) has CSC if:
$$\forall x \in Loc,\; M, M' \in [M_N\rangle:\quad sv_M = sv_{M'} \;\Rightarrow\; (M[x^\pm\rangle\rangle \Leftrightarrow M'[x^\pm\rangle\rangle)$$
If RG violates CSC, no circuit can be synthesised because a circuit determines the
next local signal changes only from the current state of its signals (the state vector);
hence, the circuit cannot distinguish the two markings with the same state vector and
the same local signals must be enabled. It is possible that different input signals are
enabled in M and M ′ because these are not controlled by the circuit.
As mentioned in the introduction, Petrify can modify an STG such that CSC
is satisfied. If one is interested in speed-independent circuits, as we are in this paper,
one can require that Petrify preserves the following important property.
Definition 1 (Input Properness). An STG is input proper if no input signal becomes
enabled by the occurrence of an internal signal, i.e. $M_1[t\rangle M_2$ with $M_1$ a reachable
marking, $\neg M_1[a\rangle\rangle$ and $M_2[a\rangle\rangle$, $a \in In$, implies $l(t) \notin Int$. □
Recall that an STG also specifies which inputs the environment may perform; if
the environment performs an input that is not enabled in the current marking of the
STG, then such an unexpected input may lead to a malfunction of the circuit. To meet
this assumption, the environment must ”know” whether an input is expected or not.
But if input properness is violated, the environment cannot see whether the respective
input is already allowed, since internal signal transitions cannot be observed from the
outside.
Actually, the implementation of non-input-proper STGs is still possible, but one
has to make timing assumptions about the relative order of signal transitions, e.g. one
might assume that an input signal transition is slower than an internal signal transition
if both are triggered by the same output. Such assumptions are not necessary for input
proper STGs, and speed-independent implementations are possible.
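The checks introduced above (reachability graph, state assignment and consistency, CSC, and input properness from Definition 1), implemented in Python as an added example; this is not code from the paper or from Petrify. The two nets SPEC and SOLVED are constructed for this example. The insertion of the internal signal c in SOLVED is a hand-made attempt rather than what a CSC solver would choose: the checks report that it restores CSC but violates input properness, which is exactly the kind of result the discussion above rules out for a speed-independent implementation.

```python
"""Reachability graph, consistency, CSC and input-properness checks for an STG, following
the definitions of Section 2.  Added example; markings are tuples indexed like `places`."""
from collections import deque, namedtuple

# P, T with labelling l (name -> (signal, '+'/'-')), W ((x, y) -> weight, absent = 0),
# M_N (place -> tokens), In, Out, Int
STG = namedtuple("STG", "places trans w m0 inputs outputs internals")

def enabled(stg, m, t):          # M[t>:  M(p) >= W(p, t) for every place p
    return all(m[i] >= stg.w.get((p, t), 0) for i, p in enumerate(stg.places))

def fire(stg, m, t):             # M[t>M':  M'(p) = M(p) - W(p, t) + W(t, p)
    return tuple(m[i] - stg.w.get((p, t), 0) + stg.w.get((t, p), 0) for i, p in enumerate(stg.places))

def reachability_graph(stg, bound=10_000):
    """RG_N by breadth-first search: reachable markings and edges (M, s±, M'); `bound` stops unbounded nets."""
    m0 = tuple(stg.m0.get(p, 0) for p in stg.places)
    seen, edges, queue = {m0}, [], deque([m0])
    while queue:
        m = queue.popleft()
        for t, label in stg.trans.items():
            if enabled(stg, m, t):
                m2 = fire(stg, m, t)
                edges.append((m, label, m2))
                if m2 not in seen:
                    if len(seen) >= bound:
                        raise RuntimeError("too many markings: net may be unbounded")
                    seen.add(m2)
                    queue.append(m2)
    return seen, edges

def cycle(sequence, inputs, outputs, internals=()):
    """Constructed helper: the STG of one cyclic sequence of signal changes, with one place
    between consecutive transitions and the first place marked."""
    n, trans, w = len(sequence), {}, {}
    for i, label in enumerate(sequence):
        trans[f"t{i}"] = label
        w[(f"p{i}", f"t{i}")] = w[(f"t{i}", f"p{(i + 1) % n}")] = 1
    return STG([f"p{i}" for i in range(n)], trans, w, {"p0": 1}, set(inputs), set(outputs), set(internals))

def state_assignment(stg, markings, edges):
    """Propagate the three state-assignment rules to a fixpoint.  Returns {marking: {signal: 0/1}}
    or None if two rules conflict (inconsistent STG).  A signal that never changes is set to 0 (assumption)."""
    sig_all = stg.inputs | stg.outputs | stg.internals
    sv = {m: {} for m in markings}
    pending = True
    while pending:
        pending = False
        for m, (sig, d), m2 in edges:
            # M[x+>>M' forces sv_M(x) = 0 and sv_M'(x) = 1 (mirrored for x-); every other
            # signal keeps its value across the edge, propagated in both directions
            reqs = [(m, sig, 0 if d == "+" else 1), (m2, sig, 1 if d == "+" else 0)]
            for s in sig_all - {sig}:
                reqs += [(m2, s, sv[m][s])] if s in sv[m] else []
                reqs += [(m, s, sv[m2][s])] if s in sv[m2] else []
            for mk, s, v in reqs:
                if sv[mk].get(s, v) != v:
                    return None
                if s not in sv[mk]:
                    sv[mk][s], pending = v, True
    return {m: {s: vec.get(s, 0) for s in sig_all} for m, vec in sv.items()}

def csc_violations(stg, markings, edges, sv):
    """Pairs of markings with the same state vector but different enabled local signal changes."""
    local = {m: set() for m in markings}
    for m, (sig, d), _ in edges:
        if sig in stg.outputs | stg.internals:      # Loc = Out ∪ Int
            local[m].add((sig, d))
    by_vec = {}
    for m in markings:
        by_vec.setdefault(tuple(sorted(sv[m].items())), []).append(m)
    return [(m, m2) for g in by_vec.values() for m in g for m2 in g if m < m2 and local[m] != local[m2]]

def input_proper(stg, markings, edges):
    """Definition 1: no input signal becomes enabled by the occurrence of an internal signal."""
    ins = {m: {sig for m1, (sig, _), _ in edges if m1 == m and sig in stg.inputs} for m in markings}
    return not any(sig in stg.internals and ins[m2] - ins[m] for m, (sig, _), m2 in edges)

def analyse(stg):
    markings, edges = reachability_graph(stg)
    succ = {}
    for m, label, m2 in edges:
        succ.setdefault((m, label), set()).add(m2)
    sv = state_assignment(stg, markings, edges)
    return {"markings": len(markings),
            "deterministic": all(len(s) == 1 for s in succ.values()),   # one M' per (M, s±)
            "consistent": sv is not None,
            "csc": sv is not None and not csc_violations(stg, markings, edges, sv),
            "input_proper": input_proper(stg, markings, edges)}

# Constructed specification: input a, output x, behaviour a+ x+ x- a- repeated.  The markings
# after a+ and after x- share the state vector (a=1, x=0) but only the first enables x+: no CSC.
SPEC = cycle([("a", "+"), ("x", "+"), ("x", "-"), ("a", "-")], inputs={"a"}, outputs={"x"})

# Constructed attempt to solve CSC with an internal signal c: a+ x+ c+ x- a- c-.  All six state
# vectors are now distinct, but c- enables the input a+, so the result is not input proper.
SOLVED = cycle([("a", "+"), ("x", "+"), ("c", "+"), ("x", "-"), ("a", "-"), ("c", "-")],
               inputs={"a"}, outputs={"x"}, internals={"c"})

RESULTS = {"SPEC": analyse(SPEC), "SOLVED": analyse(SOLVED)}   # computed at import time
```

Running the module and printing RESULTS shows SPEC with four markings, consistent and deterministic but without CSC, and SOLVED with six markings and CSC but input_proper False; a net whose labelling is inconsistent (for instance a+ followed by a+ in a cycle) makes state_assignment return None, and the bound on the reachability search is the only protection against an unbounded net, so keep it when experimenting with arbitrary nets.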
Now we are ready to give our improved correctness definition; afterwards, we will
explain its specific properties and why they are sound.
Definition 2 (Correct Decomposition). A collection of deterministic components
$(C_i)_{i \in I}$ is a correct decomposition of (or simply correct w.r.t.) a deterministic STG $N$
(also called specification) when hiding $H$, if the parallel composition $C' = \|_{i \in I} C_i$ is
defined, $C = C'/H$, $In_C \subseteq In_N$, $Out_C \subseteq Out_N$ and there is an STG-bisimulation $B$
between the markings of $N$ and those of $C$ with the following properties:
1. $(M_N, M_C) \in B$
2. For all $(M, M') \in B$, we have:
(N1) If $a \in In_N$ and $M[a^\pm\rangle\rangle M_1$, then either $a \in In_C$, $M'[a^\pm\rangle\rangle M'_1$ and $(M_1, M'_1) \in B$
for some $M'_1$, or $a \notin In_C$ and $(M_1, M') \in B$.
(N2) If $x \in Out_N$ and $M[x^\pm\rangle\rangle M_1$, then $M'[v x^\pm\rangle\rangle M'_1$ and $(M_1, M'_1) \in B$ for some
$M'_1$ with $v \in (Int_C^\pm)^*$.
(N3) If $u \in Int_N$ and $M[u^\pm\rangle\rangle M_1$, then $M'[v\rangle\rangle M'_1$ and $(M_1, M'_1) \in B$ for some $M'_1$
and $v \in (Int_{C'}^\pm)^*$.
(C1) If $x \in Out_C$ and $M'[x^\pm\rangle\rangle M'_1$, then $M[v x^\pm\rangle\rangle M_1$ and $(M_1, M'_1) \in B$ for some
$M_1$ with $v \in (Int_N^\pm)^*$.
(C2) If $x \in Out_i$ for some $i \in I$ and $M'|_{P_i}[x^\pm\rangle\rangle$, then $M'[x^\pm\rangle\rangle$. (no computation
interference)
(C3) If $u \in Int_C$ and $M'[u^\pm\rangle\rangle M'_1$, then $M[v\rangle\rangle M_1$ and $(M_1, M'_1) \in B$ for some $M_1$
and $v \in (Int_N^\pm)^*$.
Here, and whenever we have a collection $(C_i)_{i \in I}$ in the following, $P_i$ stands for $P_{C_i}$,
$Out_i$ for $Out_{C_i}$ etc.
In the most simple case, $(C_i)_{i \in I}$ consists of just one component $C_1$ and $H$ is empty;
in this case we say that $C_1$ is a (correct) implementation of $N$, and (C2) is always
trivially true. □
B describes how behaviour of N and C closely match each other, similar to ordinary
bisimulation. As in [VW02,VK04], we allow OutC to be a proper subset of OutN
for the case that there are output signals, which are in fact never produced by the
specification. Our decomposition algorithm actually only produces components Ci
where OutC = OutN ; in any case, if equality is desired, it can be achieved by formally
adding the missing output signals OutN \OutC to some set Outi.
For a different reason we allow InC to be a proper subset of InN ; there are cases
where some inputs are just irrelevant for the behaviour of a circuit, but they were
possibly included by some design error. The decomposition algorithm might detect
such signals, since they are not needed for any component. Because of this possibility,
in (N1) an input signal transition of the specification does not have to be matched by
the implementation.
(C2) ensures that no computation interference (mentioned before the definition
of parallel composition) occurs; i.e. if a component produces an output (which is
under the control of this component), then the other components expect this signal
if it belongs to their inputs, and no malfunction of these other components must
be feared. (C2) is actually also satisfied for x ∈ Inti, since internal signals of one
component are by definition unknown to the other components.
Remarkably, there is no condition that requires a matching for an input occurring
in the implementation. On the one hand, if also the specification allows such an
input in a matching marking, then the markings after the input must match again by
(N1) due to determinism. On the other hand, there are very natural decompositions
which allow additional inputs compared to the specification, and it does no harm to
include these decompositions in our definition: since the specification also describes
which inputs are or are not allowed for the environment, the additional inputs will
actually never occur if the decomposition runs in an environment it is meant for. (The
additional input leads to a marking which in a way corresponds to a don’t-care entry
in a Karnaugh-diagram.)
As a consequence, the components might have behaviour and markings that never
turn up if the components run in an appropriate environment; also, these markings
do not appear in B. A subtle property of our correctness definition is that it allows
e.g. computation interference for such markings, which is perfectly reasonable since
such an interference will not occur in practical use.
The features discussed so far are taken from [VW02], where some more expla-
nations can be found. The new features deal with internal signals; they extend the
definition of [VW02] conservatively: for STGs without internal signals, the two cor-
rectness notions coincide. The consequence will be that the result about top-down
decomposition in the next section also applies in the setting of our decomposition
algorithm, where we have not considered internal signals so far.
First of all, we allow the hiding of some output signals in the parallel composition
of the components; this concerns additional signals to enable communication between
the components. It is no problem that we allow hiding at the ”top-level” only: by
way of an example, assume that the components C1 and C2 communicate via a signal
x which should not be visible to the other components; this would be modelled by
$\big(((C_1 \| C_2)/\{x\}) \,\|\, (\|_{i \in I \setminus \{1,2\}} C_i)\big)/H$. Now this equals $\|_{i \in I} C_i/(H \cup \{x\})$ by the
properties (C8) and (C6) of a circuit algebra, where (C8) is applicable since $x$ is internal
to $(C_1 \| C_2)/\{x\}$ and hence not a signal of $\|_{i \in I \setminus \{1,2\}} C_i$. We will use similar reasoning
in Section 3 where a component will be replaced by a decomposition of its own.
In (N2) and (C1) output signal transitions do not have to be matched directly;
(N2) allows the components to prepare the production of this output by some internal
signals, e.g. to achieve CSC or to inform other components about this event; (C1)
allows the specification to perform superfluous internal signals. In any case, from an
external point of view each output is matched by the same output.
In contrast, input signals must be matched directly; if the implementation could
precede the input by some internal signals, the environment could produce the input as
specified in N at a stage where the implementation is not ready yet to receive it, which
could lead to malfunction as discussed above in connection with input properness.
As for computation interference, the absence of this malfunction is only checked for
markings appearing in B, since only for these the problem is practically relevant.
In fact, the direct matching of inputs implies that the implementation is in a sense
input proper, at least in its “reachable behaviour”: assume that M1[t〉M2 with M1 a
reachable marking of C, and M2[a〉〉 for some a ∈ InC ; then either there is no pair
(M, M1) in the STG-bisimulation (hence, M1 will not be reached if C works in a
proper environment) or ¬M [a〉〉 (a proper environment will not produce a) or M1[a〉〉
by (N1).
Finally, (N3) and (C3) prescribe the matching of an internal signal by a sequence
of internal signals – just as in ordinary weak bisimulation. Note that we have several
internal signals, since these have to be implemented physically; but regarding external
behaviour, the identity of an internal signal does not matter. In principle, performing
an internal signal could make a choice, e.g. by disabling an output; according to these
clauses, this choice has to be matched.
Translating the treatment of internal signals in the definition of the somewhat
related notion of I/O-compatibility [CC02] to our setting, one would require that e.g.
in (N3) $(M_1, M') \in B$ without involving any $u$ – and analogously in (C3); the idea is
that internal signals cannot make decisions in digital circuits. There are several reasons
not to follow this idea. First of all, this concerns a property one might like all STGs
to have and it is not related to comparing STGs or to the communication between
circuits – in contrast to e.g. computation interference; if one wants this property to
ensure physical implementability, it has to hold also for markings not appearing in B.
Therefore, this property has no adequate place in a correctness definition and should
be required separately. Secondly, one might want to use ME-elements [YKK+96],
which can make decisions; the respective signals could be internal to the parallel
composition. We see it as an advantage that we can cover such cases. Finally, the
alternative definition turned out to be technically inconvenient.
Observe that the alternative definition coincides with ours if the specification does
not have internal signals; then, (N3) is never applicable, and in (C3) we have v = λ
and M = M1.
There is another important comment. Our correctness definition concerns the cor-
rectness of a decomposition, but it also covers the question whether one STG is an
implementation of another. With this notion, we will prove in Section 4 that speed-
independent CSC-solving with Petrify produces a correct implementation.
One would like this implementation relation to be a preorder. Reflexivity is obvious
(choose B as the identity), and transitivity will follow from our first main result in the
next section. One would also like it to be a precongruence for the operations of interest.
This is obvious for relabelling and easy for hiding (use the same STG-bisimulation).
The much more important case of parallel composition will be discussed in the next
section.
Actually, one can see a more general result for hiding just as easily: (∗) if $(C_i)_{i \in I}$ is
correct w.r.t. $N$ when hiding $H$, then $(C_i)_{i \in I}$ is also correct w.r.t. $N/H'$ when hiding
$H \cup H'$. As a consequence, we can apply our decomposition algorithm [VW02,VK04]
also to an STG N1 with internal signals as follows. Since the algorithm can only
decompose STGs without internal signals, we change the internal signals of N1 to
outputs obtaining an STG N2 with N1 = N2/H for a suitable set H. Then we de-
compose N2, obtaining a correct decomposition (Ci)i∈I of N2. After that, the formerly
internal signals are hidden in N2 and in ||i∈ICi and from (∗) we get that (Ci)i∈I is a
correct decomposition of N1 = N2/H when hiding H.
3 Decomposition of Subcomponents
In this section we will show that correctness is preserved when we decompose a com-
ponent of an STG decomposition into subcomponents. This result makes it possible
to design and implement STGs in a top-down fashion.
In particular, such top-down decomposition can be useful for efficiency of our
decomposition algorithm. For example, consider a case where only one component Ci
of a decomposition needs a specific input signal a, which therefore will be removed
from every other one by the decomposition algorithm (cf. Section 1). Alternatively, the
algorithm could first construct a component Cj which generates every output signal
that is not produced by Ci, and afterwards decompose it into smaller components.
This way, the signal a will only be removed from one component (Cj), which can
improve performance.
Stepwise decomposition is possible under two minor conditions stated in the fol-
lowing theorem: the composition of the subcomponents must have all output signals
of the decomposed component and its internal signals must be unknown to the other
components. The first condition is often automatically true or can be achieved easily
as mentioned after the definition of correctness, the latter one is an obvious restric-
tion required by our definition of parallel composition and can trivially be fulfilled
renaming internal signals. The proof of this theorem requires a careful and detailed
case analysis.
Theorem 3 (Correctness of top-down decomposition).
1. Let $N$ be an STG and $(C_i)_{i \in I}$ a correct decomposition of $N$ when hiding $H_C$.
Furthermore let $(C_k)_{k \in K}$ be a correct decomposition of some $C_j$ when hiding $H_K$
($j \in I$, $I \cap K = \emptyset$). Then $(C_i)_{i \in I'}$ with $I' := I \cup K \setminus \{j\}$ is a correct decomposition
of $N$ when hiding $H_C \cup H_K$ if
$$\bigcup_{k \in K} Out_{C_k} \setminus H_K = Out_{C_j} \quad\text{and}\quad \Big(\bigcup_{k \in K} Int_{C_k} \cup H_K\Big) \cap \bigcup_{i \in I \setminus \{j\}} Sig_{C_i} = \emptyset.$$
2. The implementation relation is a preorder.
Remark: One might expect that refining a component $C_j$ of $(\|_{i \in I} C_i)/H_C$ with
$(\|_{k \in K} C_k)/H_K$ would give the STG $\big(\|_{i \in I \setminus \{j\}} C_i \,\|\, (\|_{k \in K} C_k/H_K)\big)/H_C$, where there is
not just one hiding on the top level as in the theorem. But with the same reasoning
already used in the discussion of Definition 2, we can derive from the properties
(C8) (use the second assumption on $H_K$) and (C6) of a circuit algebra that for $H =
H_C \cup H_K$:
$$\big(\|_{i \in I \setminus \{j\}} C_i \,\|\, (\|_{k \in K} C_k/H_K)\big)/H_C = ((\|_{i \in I'} C_i)/H_K)/H_C = \|_{i \in I'} C_i/H$$
Proof. We define $C = (\|_{i \in I} C_i)/H_C$, $C_K = (\|_{k \in K} C_k)/H_K$ and $C' = (\|_{i \in I'} C_i)/H$,
where $H := H_C \cup H_K$. Without loss of generality let $I = \{1, 2, \ldots, |I|\}$, $j = |I|$ and
$K = \{|I|+1, |I|+2, \ldots, |I|+|K|\}$. We will write $Out_i$ for $Out_{C_i}$ etc.
Regarding (2), we already know that the implementation relation is reflexive; tran-
sitivity is just a special case of (1), where both hiding sets are empty and the decom-
positions have just one component each. So (1) tells us that, if C is an implementation
of N and C ′ an implementation of C, then C ′ is an implementation of N – except
that we do not have the two extra conditions required in (1). But observe that the
second condition is trivially true since $\bigcup_{i \in I \setminus \{j\}} Sig_{C_i}$ is empty. The first condition is
only needed to prove claims that are obvious for this restricted case, namely that
the parallel composition C ′ (which has only one component here) is defined and that
InC′ ⊆ InN . Thus, it suffices to prove (1).
First, we show that the parallel composition of $(C_i)_{i\in I'}$ is defined.
Obviously, $Loc_i\cap Loc_{i'} = \emptyset$ for different $i, i'$ with either $i, i'\in I\setminus\{j\}$ or $i, i'\in K$, because $\|(C_i)_{i\in I}$ and $\|(C_k)_{k\in K}$ are defined. Therefore let $k\in K$, $i\in I\setminus\{j\}$; then $Loc_k\cap Loc_i = (Int_k\cup Out_k)\cap Loc_i = Int_k\cap Loc_i\cup Out_k\cap Loc_i = \emptyset\cup Out_k\cap Loc_i$, by assumption about $Int_k$. $Out_k\cap Loc_i\subseteq (Out_j\cup H_K)\cap Loc_i = (Out_j\cap Loc_i)\cup(H_K\cap Loc_i)\subseteq (Loc_j\cap Loc_i)\cup(H_K\cap Loc_i) = \emptyset$ by the assumption about $H_K$ and because $\|_{i\in I} C_i$ is defined.
For $i, i'$ as above, $Int_i\cap In_{i'} = \emptyset$. Let therefore $i, k$ be as above; then $In_k\cap Int_i\subseteq In_j\cap Int_i = \emptyset$ and $Int_k\cap In_i = \emptyset$ by the assumptions.
Next, we show the requirements for the sets of output and input signals.
$$Out_{C'} = \bigcup_{i\in I'} Out_i\setminus H = \Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup\bigcup_{k\in K} Out_k\Big)\setminus H = \Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup\big(\bigcup_{k\in K} Out_k\setminus H_K\big)\Big)\setminus H_C = \Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup Out_j\Big)\setminus H_C = \bigcup_{i\in I} Out_i\setminus H_C\subseteq Out_N$$
where the third equality holds by the second assumption on $H_K$.
For the input signals, we have
$$In_C = \bigcup_{i\in I} In_i\setminus\bigcup_{i\in I} Out_i\subseteq In_N \quad\text{and}\quad \bigcup_{k\in K} In_k\setminus\bigcup_{k\in K} Out_k\subseteq In_j$$
It follows that
$$In_{C'} = \bigcup_{i\in I'} In_i\setminus\bigcup_{i\in I'} Out_i = \Big(\bigcup_{i\in I\setminus\{j\}} In_i\cup\bigcup_{k\in K} In_k\Big)\setminus\Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup\bigcup_{k\in K} Out_k\Big)$$
$$\subseteq \Big(\bigcup_{i\in I\setminus\{j\}} In_i\cup In_j\Big)\setminus\Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup\bigcup_{k\in K} Out_k\Big) \overset{(*)}{\subseteq} \bigcup_{i\in I} In_i\setminus\Big(\bigcup_{i\in I\setminus\{j\}} Out_i\cup Out_j\Big) = In_C\subseteq In_N$$
The inclusion $(*)$ might fail if we had only $(\bigcup_{k\in K} Out_k)\setminus H_K\subseteq Out_j$. Observe that we do not need to consider hiding here.
We proceed with the main part of this proof: the requirements for an STG-bisimulation between the markings of $N$ and $C'$.
Let $B_1$ be the STG-bisimulation between the markings of $N$ and $C$ and $B_2$ the one between the markings of $C_j$ and $C_K$. We define a relation $B$ between the markings of $N$ and $C'$ as follows:
$$(M_1, M_2, M_3)\in B \Leftrightarrow (M_1, M_2, M_j)\in B_1 \text{ and } (M_j, M_3)\in B_2 \text{ for some } M_j$$
where $M_1$ denotes a marking of $N$, $M_2$ a marking of $C_1\|\dots\|C_{|I|-1}$, $M_j$ one of $C_j$ and $M_3$ a marking of $C_{|I|+1}\|\dots\|C_{|I|+|K|}$; thus $(M_2, M_j)$ can be regarded as marking of $C$ and $(M_2, M_3)$ as one of $C'$. We will show that $(C_i)_{i\in I'}$ is a correct decomposition of $N$ when hiding $H$ due to STG-bisimulation $B$.
(1): Obviously fulfilled by definition of $B$.
(2): Let $(M_1, M_2, M_3)\in B$ due to $(M_1, M_2, M_j)\in B_1$ and $(M_j, M_3)\in B_2$ for some marking $M_j$ of $C_j$.
(N1): $a\in In_N$ and $M_1[a\pm\rangle\rangle\hat M_1$.
1. Let $a\in In_{C'}\subseteq In_C$ (see above) and therefore (B1) $(M_2, M_j)[a\pm\rangle\rangle(\hat M_2, \hat M_j)$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ for some $(\hat M_2, \hat M_j)$.
(a) If $a\notin In_j$ we get $M_j = \hat M_j$ and immediately $(M_2, M_3)[a\pm\rangle\rangle(\hat M_2, M_3)$ with $(\hat M_1, \hat M_2, M_3)\in B$.
(b) $a\in In_j$ with $M_j[a\pm\rangle\rangle\hat M_j$ implies (B2) either $a\in In_K$ and $M_3[a\pm\rangle\rangle\hat M_3$, $(\hat M_j, \hat M_3)\in B_2$ for some $\hat M_3$ or $a\notin In_K$ and $(\hat M_j, M_3)\in B_2$.
In the first case, we get $(M_2, M_3)[a\pm\rangle\rangle(\hat M_2, \hat M_3)$ with $(\hat M_1, \hat M_2, \hat M_3)\in B$.
In the latter one we get $(M_2, M_3)[a\pm\rangle\rangle(\hat M_2, M_3)$ with $(\hat M_1, \hat M_2, M_3)\in B$.
2. Let $a\notin In_{C'}$. There are two reasons for this:
(a) $a\notin In_C$. Then, $(\hat M_1, M_2, M_j)\in B_1$ and by definition $(\hat M_1, M_2, M_3)\in B$.
(b) $a\in In_j$, but $a\notin In_i$ for $i\neq j$ and $a\notin In_K$ ($a$ only element of $C_j$). Therefore, $a\in In_C$ and $(M_2, M_j)[a\pm\rangle\rangle(M_2, \hat M_j)$ with $(\hat M_1, M_2, \hat M_j)\in B_1$, since $a$ cannot be a signal of any other component. $a\notin In_K$ implies $(\hat M_j, M_3)\in B_2$ and by definition $(\hat M_1, M_2, M_3)\in B$.
(N2): Let $x\in Out_N$ and $M_1[x\pm\rangle\rangle\hat M_1$.
Then (B1) $(M_2, M_j)[vx\pm\rangle\rangle(\hat M_2, \hat M_j)$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ for some $(\hat M_2, \hat M_j)$ and $v\in(Int_C\pm)^*$. Let $v' = vx\pm = v_1 v_2\dots v_n$ with $v_i\in Sig_C\pm$ for $i = 1, \dots, n$ and
$$(M_2, M_j) = (M_2^0, M_j^0)[v_1\rangle\rangle(M_2^1, M_j^1)[v_2\rangle\rangle(M_2^2, M_j^2)\dots(M_2^{n-2}, M_j^{n-2})[v_{n-1}\rangle\rangle(M_2^{n-1}, M_j^{n-1})[v_n\rangle\rangle(M_2^n, M_j^n) = (\hat M_2, \hat M_j)$$
We will show by induction over $m\in\{0, \dots, n\}$ that
$$\exists w_m\in(Int_{C'}\pm)^*\{x\pm, \lambda\},\ M_3^m:\ (M_2, M_3)[w_m\rangle\rangle(M_2^m, M_3^m)\ \wedge\ w_m{\downarrow}Ext_{C'} = (v_1\dots v_m){\downarrow}Ext_C\ \wedge\ (M_j^m, M_3^m)\in B_2$$
Observe that the case $m = n$ proves our claim.
For $m = 0$ let $M_3^0 = M_3$ and $w_0 = \lambda$. By assumption $(M_j^0, M_3^0)\in B_2$.
Let now $m < n$ and $(M_2, M_3)[w_m\rangle\rangle(M_2^m, M_3^m)$, $w_m{\downarrow}Ext_{C'} = (v_1\dots v_m){\downarrow}Ext_C$, $(M_j^m, M_3^m)\in B_2$ and $(M_2^m, M_j^m)[v_{m+1}\rangle\rangle(M_2^{m+1}, M_j^{m+1})$. We distinguish several cases, where in items (3) - (5) we have either $v_{m+1}\in H_C$ or $v_{m+1} = v_n = x\pm$:
1. $v_{m+1}\in Int_i$ for $i\in I\setminus\{j\}$ $\Rightarrow$ $M_j^{m+1} = M_j^m$, $M_3^{m+1} = M_3^m$, $w_{m+1} = w_m v_{m+1}$ and $(M_j^{m+1}, M_3^{m+1})\in B_2$.
2. $v_{m+1}\in Int_j$ $\Rightarrow$ $M_2^{m+1} = M_2^m$, $M_3^m[w'_m\rangle\rangle M_3^{m+1}$, $w'_m\in(Int_K\pm)^*$, $w_{m+1} = w_m w'_m$ and $(M_j^{m+1}, M_3^{m+1})\in B_2$.
3. $v_{m+1}\in Out_i$ for $i\in I\setminus\{j\}$ and $v_{m+1}\notin In_j$: ref. item (1).
4. $v_{m+1}\in Out_i$ for $i\in I\setminus\{j\}$ and $v_{m+1}\in In_j$: (N1) implies
(a) $v_{m+1}\in In_K$ $\Rightarrow$ $M_3^m[v_{m+1}\rangle\rangle M_3^{m+1}$ with $(M_j^{m+1}, M_3^{m+1})\in B_2$ and $w_{m+1} = w_m v_{m+1}$.
(b) $v_{m+1}\notin In_K$ $\Rightarrow$ $M_3^{m+1} = M_3^m$ with $(M_j^{m+1}, M_3^{m+1})\in B_2$ and $w_{m+1} = w_m v_{m+1}$.
5. $v_{m+1}\in Out_j$ $\Rightarrow$ $M_3^m[w'_{m+1} v_{m+1}\rangle\rangle M_3^{m+1}$ with $w'_{m+1}\in(Int_K\pm)^*$, $(M_j^{m+1}, M_3^{m+1})\in B_2$ and $w_{m+1} = w_m w'_{m+1} v_{m+1}$.
(N3): Let $u\in Int_N$ and $M_1[u\pm\rangle\rangle\hat M_1$. Therefore $(M_2, M_j)[v\rangle\rangle(\hat M_2, \hat M_j)$ with $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ and $v\in(Int_C\pm)^*$ for some $(\hat M_2, \hat M_j)$. At this point the proof can be continued analogously to the previous item.
(C1): Let $x\in Out_{C'}$ and $(M_2, M_3)[x\pm\rangle\rangle(\hat M_2, \hat M_3)$.
1. If $x\in Out_K\setminus H_K = Out_j$ it follows that $M_j[vx\pm\rangle\rangle\hat M_j$, $(\hat M_j, \hat M_3)\in B_2$ for some $\hat M_j$ and $v\in(Int_j\pm)^*$. Let $M_j[v\rangle\rangle M'_j[x\pm\rangle\rangle\hat M_j$; then $(M_2, M_j)[v\rangle\rangle(M_2, M'_j)$ and by (C3) $M_1[w_1\rangle\rangle M'_1$ with $w_1\in(Int_N\pm)^*$ and $(M'_1, M_2, M'_j)\in B_1$ for some $M'_1$. Since $(M_2, M'_j)[x\pm\rangle\rangle(\hat M_2, \hat M_j)$ (where $M_2[x\pm\rangle\rangle\hat M_2$ or $\hat M_2 = M_2$), we get by (C1) for $B_1$ that $M'_1[w_2 x\pm\rangle\rangle\hat M_1$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ for some $\hat M_1$ and $w_2\in(Int_N\pm)^*$. Altogether, we get that $M_1[w_1 w_2 x\pm\rangle\rangle\hat M_1$ with $w_1 w_2\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, \hat M_3)\in B$.
2. If $x\notin Out_K\setminus H_K = Out_j$, there exists an $m\in I\setminus\{j\}$ such that $x\in Out_m\subseteq Out_C$.
(a) $x\notin In_j$ implies that neither $M_3$ nor $M_j$ are changed when firing $x\pm$: $\hat M_3 = M_3$ and $(M_2, M_j)[x\pm\rangle\rangle(\hat M_2, M_j)$; we get directly (B1) $M_1[wx\pm\rangle\rangle\hat M_1$, $(\hat M_1, \hat M_2, M_j)\in B_1$ for some $\hat M_1$ and $w\in(Int_N\pm)^*$, and by definition of $B$: $(\hat M_1, \hat M_2, \hat M_3)\in B$.
(b) If $x\in In_j$ then $M_j[x\pm\rangle\rangle\hat M_j$ by (C2) for $B_1$ and by (N1)
i. $x\notin In_K$, $\hat M_3 = M_3$ and $(\hat M_j, M_3)\in B_2$.
ii. $x\in In_K$ and $(\hat M_j, \hat M_3)\in B_2$.
In both cases $(M_2, M_j)[x\pm\rangle\rangle(\hat M_2, \hat M_j)$, $M_1[wx\pm\rangle\rangle\hat M_1$ with $w\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$, hence $(\hat M_1, \hat M_2, \hat M_3)\in B$.
(C2): Let $x\in Out_m$, $m\in I'$ and $(M_2, M_3)|_{P_m}[x\pm\rangle\rangle$.
1. $x\in Out_m$ for some $m\in I\setminus\{j\}$ and $M_2|_{P_m}[x\pm\rangle\rangle$. Then (B1) $(M_2, M_j)[x\pm\rangle\rangle$ and therefore $(M_2, M_3)[x\pm\rangle\rangle$, because either $x\notin In_j$ and $x\notin Sig_k$ for $k\in K$ or $x\in In_j$, and by (N1) for $B_2$ either $M_3[x\pm\rangle\rangle$ or $x\notin Sig_k$, $k\in K$.
2. $x\in Out_m$ for some $m\in K$ and $M_3|_{P_m}[x\pm\rangle\rangle$. Hence, $M_3[x\pm\rangle\rangle$ by (C2) for $B_2$.
(a) If $x\in Out_K$, then $M_j[v\rangle\rangle M'_j[x\pm\rangle\rangle$ by (C1) for $B_2$ for some $v\in(Int_j\pm)^*$ and $M'_j$. Since $C_j$ can fire its internal signals without changing the state of the other components, we get $(M_2, M_j)[v\rangle\rangle(M_2, M'_j)$ and $(M'_1, M_2, M'_j)\in B_1$ for some $M'_1$. Applying (C2) for $B_1$ we get $(M_2, M'_j)[x\pm\rangle\rangle$ and therefore $(M_2, M_3)[x\pm\rangle\rangle$, too.
(b) If $x\in Int_K$, i.e. $x\in H_K$, then $M_3[x\pm\rangle\rangle$ gives immediately that $(M_2, M_3)[x\pm\rangle\rangle$.
(C3): Let $u\in Int_{C'}$ and $(M_2, M_3)[u\pm\rangle\rangle(\hat M_2, \hat M_3)$.
1. If $u\in Int_i$ for $i\in I\setminus\{j\}$, then $\hat M_3 = M_3$, $(M_2, M_j)[u\pm\rangle\rangle(\hat M_2, M_j)$ and by (C3) for $B_1$: $M_1[w\rangle\rangle\hat M_1$, $w\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, M_j)\in B_1$ for some $\hat M_1$ and therefore $(\hat M_1, \hat M_2, \hat M_3)\in B$.
2. If $u\in Int_k$ for $k\in K$, then $\hat M_2 = M_2$ and by (C3) for $B_2$: $M_j[v\rangle\rangle\hat M_j$, $v\in(Int_j\pm)^*$ and $(\hat M_j, \hat M_3)\in B_2$ for some $\hat M_j$. Let $v = v_1 v_2\dots v_n$, $v_i\in Int_j\pm$ and $M_j = M_j^0[v_1\rangle\rangle M_j^1\dots M_j^{n-1}[v_n\rangle\rangle M_j^n = \hat M_j$. By (C3) for $B_1$ we get that $M_1 = M_1^0[w_1\rangle\rangle M_1^1[w_2\rangle\rangle\dots M_1^{n-1}[w_n\rangle\rangle M_1^n = \hat M_1$ with $w_i\in(Int_N\pm)^*$ and $(M_1^m, \hat M_2, M_j^m)\in B_1$ for every $m = 0, \dots, n$. In particular, $M_1[w_1\dots w_n\rangle\rangle\hat M_1$, $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ and therefore $(\hat M_1, \hat M_2, \hat M_3)\in B$.
3. If $u\in Out_i\cap H_C$ for $i\in I\setminus\{j\}$.
(a) $u\in In_j$. Then $(M_2, M_j)[u\pm\rangle\rangle(\hat M_2, \hat M_j)$ and by (C3) for $B_1$: $M_1[v\rangle\rangle\hat M_1$, $v\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$; by (N1) for $B_2$ either $M_3[u\pm\rangle\rangle\hat M_3$ or $u\notin In_K$ and $\hat M_3 = M_3$; in both cases $(\hat M_j, \hat M_3)\in B_2$ and it follows that $(\hat M_1, \hat M_2, \hat M_3)\in B$.
(b) $u\notin In_j$. Analogous to item (1).
4. If $u\in Out_k\cap H_C$ for $k\in K$. Then, $M_3[u\pm\rangle\rangle\hat M_3$ and by (C1) for $B_2$ $M_j[vu\pm\rangle\rangle\hat M_j$ and $(\hat M_j, \hat M_3)\in B_2$ for $v\in(Int_j\pm)^*$. Furthermore, $(M_2, M_j)[vu\pm\rangle\rangle(\hat M_2, \hat M_j)$ and by (C3) for $B_1$ we get $M_1[w\rangle\rangle\hat M_1$, $w\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$ (with $\hat M_2 = M_2$ if $u\notin In_m$ for $m\in I\setminus\{j\}$). It follows that $(\hat M_1, \hat M_2, \hat M_3)\in B$.
5. If $u\in Out_k\cap H_K$ for $k\in K$. Then, by (C3) for $B_2$: $M_j[v\rangle\rangle\hat M_j$, $v\in(Int_j\pm)^*$ and $(\hat M_j, \hat M_3)\in B_2$ and $\hat M_2 = M_2$. Thus, $(M_2, M_j)[v\rangle\rangle(\hat M_2, \hat M_j)$ and by (C3) for $B_1$: $M_1[w\rangle\rangle\hat M_1$, $w\in(Int_N\pm)^*$ and $(\hat M_1, \hat M_2, \hat M_j)\in B_1$. Therefore by definition of $B$, $(\hat M_1, \hat M_2, \hat M_3)\in B$. □
As explained after Definition 2, our correctness definition coincides with the one
of [VW02,VK04] if we restrict ourselves to STGs without internal signals; hence, the
above theorem also holds in this setting (where of course no hiding is applied, i.e.
the hiding sets are taken to be empty). Therefore, the theorem can indeed be used
to improve the decomposition of [VW02,VK04] as explained at the beginning of this
section. It is an open problem how to group the output signals for optimal efficiency.
Surprisingly, the theorem also has an impact on the question whether the implementation relation between STGs is a precongruence for parallel composition, which we will now show under some mild restrictions. Recall that, for some $N_1\|N_2$ to be defined, we only had some syntactic requirements regarding the signal sets; but the composition only makes sense in the area of circuits if we also ensure absence of computation interference; for the following definition cf. the discussion on condition (C2) of Definition 2.
Definition 4. A parallel composition $N_1\|N_2$ is interference-free if, for all its reachable markings $(M_1, M_2)$, $i\in\{1, 2\}$ and $x\in Out_i$, $M_i[x\pm\rangle\rangle$ implies $(M_1, M_2)[x\pm\rangle\rangle$. □
Corollary 5. If $N_2$ is a correct implementation of $N_1$, $N_1$ and $N_2$ have the same output signals, and $N_1\|N$ is a well-defined and interference-free parallel composition, then $N_2\|N$ is a correct implementation of $N_1\|N$.
Proof. Since the composition is interference-free, the identity is an STG-bisimulation showing that the family $(N_1, N)$ is a correct decomposition of $N_1\|N$; note that in this setting all conditions for an STG-bisimulation are trivially fulfilled except for (C2). With this observation, the claim follows from our theorem. □
Note that each of our operations hiding, renaming and parallel composition with
another STG changes the set of output signals in the same way, such that equality of
these sets is preserved.
Corollary 6 (Implementation relation as precongruence). The implementa-
tion relation is a precongruence for hiding, relabelling and parallel composition when
restricted to STGs with the same output signals.
We will see another application of the theorem in the next section.
4 CSC-Solving for Components of a Decomposition
In this section we will prove that CSC-solving fits into our correctness definition, i.e.
that it leads to a correct implementation. Theorem 3 then implies that CSC-solving
can be combined with our decomposition algorithm. The latter could be shown directly
without this theorem, but its use makes the following proof much easier, because we
have to consider only one component. First, we will introduce an operation that the
tool Petrify uses to achieve CSC.
Given an STG without CSC, Petrify can (in many cases) insert internal signals
into the STG such that their values distinguish between the markings with equal state
vectors and different outputs. This insertion takes place on the level of reachability
graphs (as most of our considerations in this paper do). Petrify can also derive an
STG for the modified reachability graph, and although this is not important for the
synthesis of a circuit, it fits our manner-of-speaking well. We take the following defi-
nition of event insertion from [CKK+02]. Run with an appropriate option, Petrify
performs a number of input proper event insertions arriving at an STG with CSC,
and this we call speed-independent CSC-solving.
Definition 7 (Event insertion). Let $N$ be a deterministic STG, $u\pm$ a signal transition not appearing in $N$ for a (possibly new) internal signal $u$ and $R\subseteq[M_N\rangle$. The event insertion of $u\pm$ at region $R$ into $N$ modifies the reachability graph $RG$ as follows (and results in a corresponding STG $N'$):
1. For every marking $M\in R$ add a duplicate $M'$ and add the transition $M[u\pm\rangle\rangle M'$.
2. If $M_1, M_2\in R$ and $M_1[s\pm\rangle\rangle M_2$, add the transition $M'_1[s\pm\rangle\rangle M'_2$.
3. If $M_1\in R$, $M_2\notin R$ and $M_1[s\pm\rangle\rangle M_2$, remove this transition and add $M'_1[s\pm\rangle\rangle M_2$.
4. The initial marking of $N'$ is the same as that of $N$. Add $u$ to $Int$.
The insertion is called input proper, if there is no $M_1[a\pm\rangle\rangle M_2$ in $RG$ with $a\in In$, $M_1\in R$ and $M_2\notin R$.
We define the marking relation $\mathcal M$ between the markings of $N$ and of $N'$ such that $(M_1, M_2)\in\mathcal M$ if $M_2 = M_1$ or $M_2 = M'_1$. □
An example for this definition can be found in Figure 1.
[Figure 1 (image not reproduced): (a) a Petri net over the signals a, b, c, d; (b) its reachability graph with states 1–6; (c) the reachability graph after inserting u, with the duplicated states 2' and 4'.]
Fig. 1. Example for an event insertion. (a) A Petri net and its reachability graph in (b). The two marked states are the region $R$ where the new event written $u$ will be inserted. (c) The reachability graph with the inserted event $u$. Transitions entering $R$ (e.g. $1\xrightarrow{c}2$) are not duplicated, transitions within $R$ ($2\xrightarrow{a}4$) are duplicated and transitions leaving $R$ ($4'\xrightarrow{b}6$) only leave duplicated states. The marking relation is $\mathcal M = \{(1, 1), (2, 2), (2, 2'), (3, 3), (4, 4), (4, 4'), \dots\}$.
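As an added example (not code from the paper), the event insertion of Definition 7 carried out on an explicit reachability graph, together with the input-proper test, the marking relation $\mathcal M$ and a check of Lemma 8 on the result. The graph is a constructed one in the spirit of Fig. 1 (states 1–6, region $R = \{2, 4\}$, transitions $1\xrightarrow{c}2$, $2\xrightarrow{a}4$, $4\xrightarrow{b}6$), not the paper's exact net.

```python
# Constructed reachability graph in the spirit of Fig. 1 (not the paper's exact
# net): markings 1..6, edges labelled with signal names, region R = {2, 4}.
# Polarity (+/-) plays no role in the insertion itself and is left out.
EXAMPLE_RG = {
    1: [("c", 2), ("a", 3)],
    2: [("a", 4), ("b", 5)],
    3: [("c", 4)],
    4: [("b", 6)],
    5: [("a", 6)],
    6: [("d", 1)],
}
EXAMPLE_REGION = {2, 4}


def dup(m):
    """Name of the duplicate M' of marking M (Definition 7.1)."""
    return (m, "'")


def is_input_proper_insertion(rg, region, inputs):
    """Definition 7: the insertion is input proper iff no transition labelled
    with an input signal leaves the region R."""
    return not any(
        lbl in inputs and n not in region
        for m in region for lbl, n in rg.get(m, [])
    )


def insert_event(rg, region, u):
    """Event insertion of u at region R (Definition 7, steps 1-3).

    Returns the new reachability graph and the marking relation
    M = {(M, M)} united with {(M, M') | M in R}."""
    new_rg = {m: [] for m in rg}
    new_rg.update({dup(m): [] for m in region})
    relation = set()
    for m in rg:
        relation.add((m, m))
        if m in region:
            new_rg[m].append((u, dup(m)))              # step 1: M [u> M'
            relation.add((m, dup(m)))
        for lbl, n in rg[m]:
            if m in region and n in region:
                new_rg[m].append((lbl, n))            # step 2: keep M [s> M2
                new_rg[dup(m)].append((lbl, dup(n)))  #         add M' [s> M2'
            elif m in region:
                new_rg[dup(m)].append((lbl, n))       # step 3: only M' [s> M2
            else:
                new_rg[m].append((lbl, n))            # entering R / outside R
    return new_rg, relation


def is_deterministic(rg):
    """No marking has two outgoing edges with the same label."""
    return all(len({l for l, _ in es}) == len(es) for es in rg.values())


def lemma8_holds(rg, new_rg, relation, u):
    """Lemma 8 on the concrete graphs: (2) every step of N' other than u is
    matched by a step of N with related targets, and (1) a duplicate M'
    matches every step of M in N."""
    for m1, m2 in relation:
        for lbl, n2 in new_rg[m2]:                      # item 2
            if lbl != u and not any(
                    l == lbl and (n1, n2) in relation for l, n1 in rg[m1]):
                return False
        if m2 != m1:                                    # item 1 (M2 = M1')
            for lbl, n1 in rg[m1]:
                if not any(l == lbl and (n1, n2) in relation
                           for l, n2 in new_rg[m2]):
                    return False
    return True


if __name__ == "__main__":
    new_rg, rel = insert_event(EXAMPLE_RG, EXAMPLE_REGION, "u")
    print("input proper with In={a,c,d}:",
          is_input_proper_insertion(EXAMPLE_RG, EXAMPLE_REGION, {"a", "c", "d"}))
    print("input proper with In={b}:",
          is_input_proper_insertion(EXAMPLE_RG, EXAMPLE_REGION, {"b"}))
    print("N' deterministic:", is_deterministic(new_rg))
    print("Lemma 8 holds:", lemma8_holds(EXAMPLE_RG, new_rg, rel, "u"))
```

With $b$ as an input signal the insertion is not input proper, because $2\xrightarrow{b}5$ and $4\xrightarrow{b}6$ leave $R$; with inputs $a, c, d$ it is.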
It is not hard to see that $N'$ as above is deterministic again. We first note some properties.
Lemma 8. Let $N$ be an STG and $N'$ be obtained from $N$ by event insertion of $u\pm$ at region $R$. Let $(M_1, M_2)\in\mathcal M$ and $a\in Sig_N$.
1. If $M_2 = M'_1$, then $M_1[a\pm\rangle\rangle\hat M_1$ in $N$ implies $M_2[a\pm\rangle\rangle\hat M_2$ in $N'$ with $(\hat M_1, \hat M_2)\in\mathcal M$.
2. $M_2[a\pm\rangle\rangle\hat M_2$ in $N'$ implies $M_1[a\pm\rangle\rangle\hat M_1$ in $N$ with $(\hat M_1, \hat M_2)\in\mathcal M$.
Proof. 1. $M_2 = M'_1$ implies $M_1\in R$ and by Definition 7.2,3 $M_2[a\pm\rangle\rangle\hat M_2$ in $N'$ with $(\hat M_1, \hat M_2)\in\mathcal M$, where we have $\hat M_2 = \hat M'_1$ if case 2 is applicable and $\hat M_2 = \hat M_1$ if case 3 is applicable.
2. The reasoning is similar. □
The following result explains the definition of an input-proper event insertion and
why we speak of speed-independent CSC-solving.
Proposition 9. Let $N$ be an input proper STG and let $N'$ be obtained by the insertion of $u\pm$ at $R$. Then $N'$ is input proper if and only if the insertion is.
Proof. Assume the insertion is not input proper because of $M_1[a\pm\rangle\rangle M_2$; then we have in $N'$: $M_1[u\pm\rangle\rangle M'_1$ due to Definition 7.1 and $\neg M_1[a\pm\rangle\rangle$ and $M'_1[a\pm\rangle\rangle M_2$ due to 3.
Vice versa, assume that $N'$ is not input proper because of $M_1[v\pm\rangle\rangle M_2$, $\neg M_1[a\pm\rangle\rangle$ and $M_2[a\pm\rangle\rangle M_3$ for some $a\in In$. If $v\pm$ is the newly inserted $u\pm$, then $M_2 = M'_1$; we cannot have $M_2[a\pm\rangle\rangle M_3$ due to Definition 7.2 because then $M_1[a\pm\rangle\rangle$, and thus we must have $M_2[a\pm\rangle\rangle M_3$ due to Definition 7.3, i.e. the insertion is not input proper because of $M_1[a\pm\rangle\rangle M_3$ in $N$.
Otherwise, there are $\hat M_1$ and $\hat M_2$ with $(\hat M_1, M_1)\in\mathcal M$, $(\hat M_2, M_2)\in\mathcal M$, $\hat M_1[v\pm\rangle\rangle\hat M_2$ in $N$ and $\hat M_2[a\pm\rangle\rangle$ in $N$ by Lemma 8.2. Since $N$ is input proper, this implies $\hat M_1[a\pm\rangle\rangle$; since $\neg M_1[a\pm\rangle\rangle$ in $N'$, this in turn implies $\hat M_1 = M_1$ by Lemma 8.1. Thus, $\hat M_1$ has "lost" an $a\pm$-transition during the event insertion; this can only be due to Definition 7.3, and also in this case, the insertion is not input proper. □
We come to the main result of this section.
Theorem 10 (Correctness of CSC solving). Let $N$ be an STG and $N'$ be obtained from $N$ by speed-independent CSC-solving; then $N'$ is a correct implementation of $N$.
Proof. $N'$ is obtained from $N$ by a sequence of input proper event insertions. It suffices to show the claim for one such insertion, and then the theorem follows from Theorem 3.2. Thus, assume that $N'$ is obtained from $N$ by the input-proper insertion of $u\pm$ at $R$, with $\mathcal M$ being the corresponding marking relation.
We obviously have $In_N = In_{N'}$, $Out_N = Out_{N'}$. We will show that $\mathcal M$ is an STG-bisimulation for $N$ and $N'$.
(1): Fulfilled by definition of event insertion.
(2): For this part observe that (C2) is trivially fulfilled, because we consider only one component. Let now $(M_1, M_2)\in\mathcal M$.
For (N1)–(N3), we only have to consider $M_2 = M_1$ due to Lemma 8.1. If $a\in In_N$ and $M_1[a\pm\rangle\rangle\hat M_1$ in $N$, then Definition 7.3 cannot be applicable since the insertion is input proper, hence $M_1[a\pm\rangle\rangle\hat M_1$ in $N'$ as well with $(\hat M_1, \hat M_1)\in\mathcal M$ and (N1) follows.
Now let $x\in Loc_N$ and $M_1[x\pm\rangle\rangle\hat M_1$ in $N$. Then we have in $N'$ that $M_1[x\pm\rangle\rangle\hat M_1$ if $M_1\notin R$ or $\hat M_1\in R$, and $M_1[u\pm x\pm\rangle\rangle\hat M_1$ otherwise; obviously $(\hat M_1, \hat M_1)\in\mathcal M$ and (N2) and (N3) follow.
(C1/C3): Let $x\in Loc_{N'}$ and $M_2[x\pm\rangle\rangle\hat M_2$ in $N'$. If $x\pm$ is not the inserted $u\pm$, Lemma 8.2 implies $M_1[x\pm\rangle\rangle\hat M_1$ and $(\hat M_1, \hat M_2)\in\mathcal M$. Otherwise, we have $M_2 = M_1$, $\hat M_2 = M'_1$ and $(M_1, \hat M_2)\in\mathcal M$. □
Now we can conclude that speed-independent CSC-solving can be combined with decomposition. For this, we have to apply Theorems 3.1 and 10 to each component; observe that the crucial first condition on $H_K$ in 3.1 is satisfied since $H_K = \emptyset$ and event insertion does not change the sets of output and of input signals.
Corollary 11. Let $(C_i)_{i\in I}$ be a correct decomposition of $N$ when hiding $H$, and let $C'_i$ be obtained from $C_i$ by speed-independent CSC-solving for all $i\in I$. Then $(C'_i)_{i\in I}$ is a correct decomposition of $N$ when hiding $H$.
5 Correctness of an ILP Approach to Decomposition
In this section we will show that the decomposition method of Carmona and Cortadella
[Car03,CC03], which has not been proven correct so far, yields components which are
a correct decomposition according to our definition. For this method, it is assumed
that an STG with CSC is given, where CSC can also be achieved by modifications on
the STG-level, i.e. without considering the reachability graph. (It can also be given
due to a suitable translation from a description in a high-level language to STGs as
in [YOM04]). As explained at the end of Section 2, we can assume that there are no
internal signals.
The method of [Car03,CC03] works roughly as follows. Starting with a deter-
ministic STG N that already has CSC, for every output signal x a CSC support is
determined; this is a set of signals, which guarantees CSC for x. Here is the formal
definition:
Definition 12 (CSC Support). Let $N$ be an STG and $S\subseteq Sig_N$.
1. Let $v\in(Sig_N\pm)^*$. $code\_change(S, v)$ is defined as the vector over $S$, which maps every $s\in S$ to the difference between the numbers of $s+$ and of $s-$ in $v$.
2. $S$ is called CSC support for the output signal $x$ if, for all reachable markings $M_1$, $M_2$ with $M_1[v\rangle\rangle M_2$ and $code\_change(S, v) = 0$ for some $v\in(Sig_N\pm)^*$, $M_1$ enables $x$ iff $M_2$ does. □
A sufficient condition for being a CSC support used in the algorithm is that some
integer linear programming (ILP) problem is infeasible. The algorithm starts for every
output x with the set including the so-called syntactical triggers of x and x itself, and
iteratively improves it – mostly by adding additional signals – until it is a CSC support
for x; since the original STG has CSC, this algorithm is always successful.
After that, for every output signal the original STG is projected onto the cor-
responding CSC support: the other signals are considered as dummies, and these
dummies and redundant places are removed as far as possible much as in our de-
composition algorithm. If the resulting component still contains dummies, then [priv.
comm.]: the reachability graph is generated and viewed as a finite automaton with
dummies regarded as the empty word. Now the automaton is made deterministic with
well-known methods, which in particular remove all λ-labelled edges. Finally, we can
regard this automaton as an STG again, which e.g. has the edges of the automaton
as transitions.
The projection part is similar to our algorithm, the difference is where backtrack-
ing is performed: the method of [Car03,CC03] uses some form of backtracking when
determining the CSC support as described above — our algorithm uses backtracking
when the contraction of a dummy signal is not possible.
An advantage of the method of [Car03,CC03] is that the components have CSC. Actually, the defining condition for a CSC support is slightly too weak to guarantee CSC in all cases (see footnote 2), but in most practical cases CSC holds, the condition and the corresponding ILP problem could easily be corrected, and most of all the given condition is sufficient for the proof of Theorem 13.
2 The condition should consider all markings with the same state vector for signals in S, and not only those
where one is reachable from the other.
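As an added example, not code from the paper or from the method of [Car03,CC03], the code change vector of Definition 12.1 and the CSC-support condition of Definition 12.2 checked on a small constructed reachability graph; the stricter all-pairs variant from footnote 2 is included to show where the two conditions differ. Assumed: a consistent STG (all signals initially 0, + and − alternating), so that $code\_change(S, v) = 0$ along a path is the same as equal state vectors on $S$ at both ends.

```python
from collections import deque

# Constructed example (not from the paper): a consistent, deterministic
# reachability graph. Inputs a, b; output x; initial marking s0. Edge labels
# are (signal, polarity) pairs. Branch 1: a+ triggers x+. Branch 2: b+ then
# a+, and x stays low, so s1 and s4 agree on a and x but only s1 enables x.
EXAMPLE_RG = {
    "s0": [(("a", "+"), "s1"), (("b", "+"), "s3")],
    "s1": [(("x", "+"), "s2")],
    "s2": [],
    "s3": [(("a", "+"), "s4")],
    "s4": [],
}
EXAMPLE_INIT = "s0"
EXAMPLE_SIGNALS = {"a", "b", "x"}


def code_change(S, v):
    """Definition 12.1: maps every s in S to (#s+) - (#s-) in the sequence v."""
    vec = {s: 0 for s in S}
    for sig, pol in v:
        if sig in vec:
            vec[sig] += 1 if pol == "+" else -1
    return vec


def state_vectors(rg, init, signals):
    """Binary state vector of every reachable marking. Assumes a consistent
    STG (all signals 0 initially, + and - alternate on every path), so the
    vector is well defined per marking; merging paths are cross-checked."""
    codes = {init: {s: 0 for s in signals}}
    queue = deque([init])
    while queue:
        m = queue.popleft()
        for (sig, pol), n in rg[m]:
            new = dict(codes[m])
            new[sig] = 1 if pol == "+" else 0
            if n in codes:
                assert codes[n] == new, "STG is not consistent"
            else:
                codes[n] = new
                queue.append(n)
    return codes


def reachable_from(rg, m):
    """Markings reachable from m, m itself included (v may be empty)."""
    seen, queue = {m}, deque([m])
    while queue:
        for _, n in rg[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def enables(rg, m, x):
    return any(sig == x for (sig, _), _ in rg[m])


def is_csc_support(rg, init, signals, S, x, only_reachable_pairs=True):
    """Definition 12.2 on a finite reachability graph. For a consistent STG,
    code_change(S, v) = 0 along M1 [v>> M2 holds exactly when the state
    vectors of M1 and M2 restricted to S agree, so the quantification over
    all v collapses to: M2 reachable from M1 and equal S-codes. With
    only_reachable_pairs=False the stricter variant of footnote 2 is used,
    which compares every pair of reachable markings with equal S-codes."""
    codes = state_vectors(rg, init, signals)

    def code(m):
        return tuple(codes[m][s] for s in sorted(S))

    for m1 in codes:
        partners = reachable_from(rg, m1) if only_reachable_pairs else codes
        for m2 in partners:
            if code(m1) == code(m2) and enables(rg, m1, x) != enables(rg, m2, x):
                return False
    return True


if __name__ == "__main__":
    for S in ({"a"}, {"a", "x"}, {"a", "b", "x"}):
        print(sorted(S),
              is_csc_support(EXAMPLE_RG, EXAMPLE_INIT, EXAMPLE_SIGNALS, S, "x"),
              is_csc_support(EXAMPLE_RG, EXAMPLE_INIT, EXAMPLE_SIGNALS, S, "x",
                             only_reachable_pairs=False))
```

On this graph $\{a, x\}$ passes the reachability-based condition of Definition 12 but fails the all-pairs variant (s1 and s4 have the same code on $\{a, x\}$ and only s1 enables $x$), while $\{a, b, x\}$, the output together with its triggers, passes both.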
For this proof, we need the following properties of the components $(C_i)_{i\in I}$ produced by the CSC-support algorithm:
1. Every component is deterministic.
2. The signals of every $C_i$ are a CSC support of the only output signal.
3. $\forall i\in I: L(C_i) = L(N){\downarrow}i$
In the last item, $L(N){\downarrow}i$ denotes the projection of $L(N)$ onto the signals of $C_i$; note that this item is not equivalent to $L(\|_{i\in I} C_i) = L(N)$, see e.g. Figure 2 taken from [VW02]. We can now prove that $(C_i)_{i\in I}$ is a correct decomposition by our definition.
[Figure 2 (image not reproduced): (a) the original STG N with transitions a+, b+, x+, y+; (b) its decomposition into two components, one over b+ and y+ and one over a+ and x+.]
Fig. 2. (a) Original STG N (b) Decomposition into two components. In the second component and also
in the parallel composition – but not in N – the input signal b+ can occur at the initial marking yielding
a marking M . But this is not a problem since no environment suitable for N will fire b+. Correspondingly,
the marking M will not appear in the STG-bisimulation corresponding to this decomposition.
Theorem 13 (Correctness of the CSC-support algorithm). Let $N$ be an STG and $(C_i)_{i\in I}$ be given as above. Then, $(C_i)_{i\in I}$ is correct w.r.t. $N$.
Proof. Let $C = \|_{i\in I} C_i$. We define a relation $B$ between the markings of $N$ and $C$ by
$$(M, (M_i)_{i\in I})\in B \Leftrightarrow \exists w: M_N[w\rangle\rangle M \wedge \forall i\in I: M_{C_i}[w{\downarrow}i\rangle\rangle M_i$$
We will show that $B$ is an STG-bisimulation.
(1): Obviously fulfilled for $w = \lambda$.
(2): Let $(M, (M_i)_{i\in I})\in B$. Therefore $\exists w: M_N[w\rangle\rangle M \wedge \forall i\in I: M_{C_i}[w{\downarrow}i\rangle\rangle M_i$.
(N1): Let $a\in In_N$ and $M[a\pm\rangle\rangle\hat M$. This implies $wa\pm\in L(N)$ and therefore $\forall i\in I: (wa\pm){\downarrow}i\in L(C_i)$. If $a\notin In_C$ we are done, otherwise it follows from the determinism of the components that every $C_i$ with $a\in In_i$ can fire $a\pm$: there is only one transition sequence $v$ with $l(v) = w{\downarrow}i$ and one sequence $v'$ with $l(v') = w{\downarrow}i\,a\pm$, obviously $v$ is a prefix of $v'$ and reaches $M_i$, and therefore $M_i[a\pm\rangle\rangle\hat M_i$.
This holds for every component with $a\in In_i$ and therefore $(M_i)_{i\in I}[a\pm\rangle\rangle(\hat M_i)_{i\in I}$ where $\hat M_i = M_i$ if $a\notin In_i$, and by definition of $B$ we get $(\hat M, (\hat M_i)_{i\in I})\in B$.
(N2): Analogous to (N1).
(C2): Let $x\in Out_j$ and $M_j[x\pm\rangle\rangle$. Therefore, $w{\downarrow}j\,x\pm\in L(C_j) = L(N){\downarrow}j$ which implies that $M[vx\pm\rangle\rangle$ for some $v\in((Sig_N\setminus Sig_j)\pm)^*$ by determinism of $N$. Obviously, $code\_change(Sig_j, v) = 0$ and since $Sig_j$ is a CSC support for $x$, we get $M[x\pm\rangle\rangle$. Applying (N2) yields the desired result: $(M_i)_{i\in I}[x\pm\rangle\rangle$.
(C1): Let $x\in Out_C$ and $(M_i)_{i\in I}[x\pm\rangle\rangle(\hat M_i)_{i\in I}$. If $x\pm$ is produced by component $j$, we get $M_j[x\pm\rangle\rangle$; then our considerations for (C2) imply $M[x\pm\rangle\rangle\hat M$. By definition of $B$: $(\hat M, (\hat M_i)_{i\in I})\in B$.
(N3,C3): Not relevant. □
6 Conclusion
We have generalised the correctness definition for decompositions from [VW02,VK04]
to STGs with internal signals and proven that speed-independent CSC-solving as
performed by Petrify is correct. We have shown that the new correctness is preserved
in a top-down decomposition, and this result has a number of consequences: now
we can use step-wise decomposition in the algorithm of [VW02,VK04] to improve
efficiency, and we know that this algorithm in combination with speed-independent
CSC-solving gives correct results. Applying the correctness definition to compare two
STGs, we get an implementation relation, and consequences of our result are that this
is a preorder and, with a small restriction, a precongruence for parallel composition,
relabelling and hiding.
As another application of the correctness definition, we have shown that a decom-
position method based on integer linear programming [CC03] is correct. It remains
an open problem whether a related method in [YOM04] is correct: while the first
method checks on the original STG to be decomposed whether a set of signals is a
CSC-support and in the positive case removes the other signals, the related method
removes some signals and checks CSC on the remaining STG; this is in general not
sufficient, but it might be sufficient under the specific circumstances of the algorithm
in [YOM04].
For a further validation of our correctness definition, it would be interesting to
compare the respective implementation relation with another one derived from the notion
of I/O-compatibility in [CC02]. We think that the derived implementation relation
holds whenever our implementation relation holds, but the reverse direction can only
be true under suitable restrictions; the latter still have to be identified, but we expect
that they will shed some light on the conceptual ideas behind I/O-compatibility and
our correctness.
References
[Car03] Josep Carmona. Structural Methods for the Synthesis of Well-Formed Concurrent Specifications.
PhD thesis, Universitat Politècnica de Catalunya, 2003.
[CC02] J. Carmona and J. Cortadella. Input/output compatibility of reactive systems. In Formal Methods
in Computer-Aided Design, FMCAD 2002, Portland, USA, Lect. Notes Comp. Sci. 2517, pages
360–377. Springer, 2002.
[CC03] J. Carmona and J. Cortadella. ILP models for the synthesis of asynchronous control circuits. In
Proc. of the IEEE/ACM International Conference on Computer Aided Design, pages 818–825,
2003.
[Chu87] T.-A. Chu. Synthesis of Self-Timed VLSI Circuits from Graph-Theoretic Specifications. PhD
thesis, MIT, 1987.
[CKK+97] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, and A. Yakovlev. Petrify: a tool for
manipulating concurrent specifications and synthesis of asynchronous controllers. IEICE Trans.
Information and Systems, E80-D, 3:315–325, 1997.
[CKK+02] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, and A. Yakovlev. Logic Synthesis of
Asynchronous Controllers and Interfaces. Springer, 2002.
[Dil88] D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent circuits. MIT
Press, Cambridge, 1988.
[Ebe92] J. Ebergen. Arbiters: an exercise in specifying and decomposing asynchronously communicating
components. Sci. of Computer Programming, 18:223–245, 1992.
[KKT93] A. Kondratyev, M. Kishinevsky, and A. Taubin. Synthesis method in self-timed design. Decom-
positional approach. In IEEE Int. Conf. VLSI and CAD, pages 324–327, 1993.
[Pet81] J.L. Peterson. Petri Net Theory. Prentice-Hall, 1981.
[VK04] W. Vogler and B. Kangsah. Improved decomposition of signal transition graphs. Technical Report
2004-8, University of Augsburg, http://www.Informatik.Uni-Augsburg.DE/skripts/techreports/,
2004.
[VW02] W. Vogler and R. Wollowski. Decomposition in asynchronous circuit design. In J. Cortadella et al.,
editors, Concurrency and Hardware Design, Lect. Notes Comp. Sci. 2549, 152 – 190. Springer,
2002.
[YKK+96] A. Yakovlev, M. Kishinevsky, A. Kondratyev, L. Lavagno, and M. Pietkiewicz-Koutny. On the
models for asynchronous circuit behaviour with or causality. Formal Methods in System Design,
9:189–233, 1996.
[YOM04] T. Yoneda, H. Onda, and C. Myers. Synthesis of speed independent circuits based on decompo-
sition. In ASYNC 2004, pages 135–145. IEEE, 2004.
