Denotational Fixed Point Semantics for Constructive Scheduling of Synchronous Concurrency by Aguado, Joaquín et al.
BAMBERGER BEITRÄGE ZUR
WIRTSCHAFTSINFORMATIK UND ANGEWANDTEN INFORMATIK
ISSN 0937-3349
Nr. 96/April 2015
Denotational Fixed Point Semantics for
Constructive Scheduling of
Synchronous Concurrency
Joaquín Aguado, Michael Mendler,
Reinhard von Hanxleden, Insa Fuhrmann
FAKULTÄT FÜR
WIRTSCHAFTSINFORMATIK UND ANGEWANDTE INFORMATIK
OTTO-FRIEDRICH-UNIVERSITÄT BAMBERG
Joaquín Aguado∗, Michael Mendler∗,
Reinhard von Hanxleden†, Insa Fuhrmann†
∗Faculty of Information Systems and Applied Computer Sciences,
Bamberg University, Germany;
E-mail: {michael.mendler, joaquin.aguado}@uni-bamberg.de
†Department of Computer Science,
Kiel University, Germany;
E-mail: {rvh, ima}@informatik.uni-kiel.de
Abstract
The synchronous model of concurrent computation (SMoCC) is well established for
programming languages in the domain of safety-critical reactive and embedded systems.
Translated into mainstream C/Java programming, the SMoCC corresponds to a cyclic
execution model in which concurrent threads are synchronised on a logical clock that
cuts system computation into a sequence of macro-steps. A causality analysis verifies the
existence of a schedule on memory accesses to ensure each macro-step is deadlock-free
and determinate.
We introduce an abstract semantic domain I(D,P) and an associated denotational
fixed point semantics for reasoning about concurrent and sequential variable accesses
within a synchronous cycle-based model of computation. We use this domain for a
new and extended behavioural definition of Berry’s causality analysis in terms of
approximation intervals. The domain I(D,P) extends the domain I(D) from our previous
work and fixes a mistake in the treatment of initialisations.
Based on this fixed point semantics the notion of Input Berry-constructiveness
(IBC) for synchronous programs is proposed. This new IBC class lies properly between
strong (SBC) and normal Berry-constructiveness (BC) defined in previous work. SBC
and BC are two ways to interpret the standard constructive semantics of synchronous
programming, as exemplified by imperative SMoCC languages such as Esterel or Quartz.
SBC is often too restrictive as it requires all variables to be initialised by the program.
BC can be too permissive because it initialises all variables to a fixed value, by default.
Where the initialisation happens through the memory, e.g., when carrying values from
one synchronous tick to the next, then IBC is more appropriate.
IBC links two levels of execution, the macro-step level and the micro-step level. We
prove that the denotational fixed point analysis for IBC, and hence Berry’s causality analysis,
is sound with respect to operational micro-level scheduling. The denotational model
can thus be viewed as a compositional presentation of a synchronous scheduling strategy
that ensures reactiveness and determinacy for imperative concurrent programming.
Keywords: Denotational semantics, concurrency, determinism, constructiveness,
Mealy reactive systems, synchronous programming, Esterel
This work has been conducted as part of the PRETSY project and was supported by the German
National Research Council DFG (HA 4407/6-1, ME 1427/6-1). An abridged version will appear in: U. Goltz,
R.J. van Glabbeek, E.-R. Olderog (eds.), Acta Informatica, Special Issue on Combining Compositionality
and Concurrency (2015).
I. Introduction
A. Motivation
Arguably the mathematically most satisfactory way to define a compositional
programming language semantics is the denotational approach, which defines the
semantics of a program through a system of structurally-recursive equations involving
continuous functions on abstract semantic domains. Compositionality is built into
a denotational model at the outset, in the sense that the functional definition of
the fixed-point semantics of a composite program entirely depends on the abstract
functional denotation of its components rather than their syntax. As a consequence,
algebraic axiomatisations for program verification and program transformations can
be derived from the properties of these functions in the abstract domains.
Unfortunately, denotational fixed point models for computationally rich programming
languages are notoriously hard to come by. A famous case in point is
the long search for a fully-abstract denotational model of the functional language
PCF [10], [1], [43]. It is the tight interaction of program components, in particular for
non-deterministic concurrent systems, that makes it hard to decouple a composite
program into a system of continuous functions in a simple way. It is often easier
to understand the interaction behaviour of a concurrent program operationally in
terms of inductive relations rather than recursive functions. Hence, many concurrent
programming models or process algebras, for that matter, are based on Plotkin-style
structural operational semantics. Such models are then turned into an algebra
through notions of behavioural congruences and pre-congruences. Thereby abstracting
from behaviourally unobservable information carried by the operational rule system
one achieves the desired algebraic compositionality, see, e.g., [64], [9]. However,
denotational semantics generated in this fashion are essentially syntactic. Recursion
is not explained by denotational fixed points but by syntactic unfolding.
One can do better if the inductive operational rules satisfy certain structural
constraints, such as the GSOS or tyft/tyxt format [32]. In these cases, general
techniques are known to derive independent denotational semantics based on the
approximation of a process by finite synchronization trees, see e.g. [2], [44], [29] for
full-abstraction results for bisimulation-style semantics. Still, these approximation-based
denotational models have their own problems. They are algebraically rather
involved and depend on infinitary proof rules which fall outside the scope of normal
(Horn-style) equational reasoning. One classical instance of this problem is the
observation that, e.g., bisimulation equivalence for process algebras with the empty
process 0, non-deterministic choice p+ q, action prefix a.p and recursion µx.p(x)
does not admit a finitary denotational semantics based on complete partial orderings.
Specifically, the Park induction principle, p(y) = y ⇒ µx.p(x) ≤ y, expressing that
µx.p(x) is the least fixed point, is inconsistent with monotonicity of the choice
operator +. It is unclear if bisimulation-style semantics can be finitely axiomatised
in equational Horn logic, see e.g. [62]. Denotational fixed point semantics with
Park induction seem to exist only in special cases, such as acceptance testing, trace
equivalence or simulation preorder [39], [48], [28].
While it is now clear that complex algebraic machinery is needed to reconcile
genuinely independent denotational and operational semantics for general non-deterministic
process calculi, attention should turn once again to more special
concurrent programming models. An early and successful starting point is the data-flow
semantics of Kahn networks [45], which is fully-abstract for coroutine-style
operational execution [46]. Kahn process nodes are sequential and deterministic
and thus fairly restricted in modelling distributed systems. Yet, as discovered by
Kok [47], non-determinism can be added to the Kahn model without losing full-abstraction
using (local) clocks for the synchronisation of streams. This remarkable
result brings into view an important special class of concurrent programming
languages where denotational and operational approaches may go well together,
known as the synchronous programming paradigm [34], [8].
The Synchronous Model of Concurrent Computation (SMoCC) started in the
1980s with languages such as Statecharts [38], [68], Lustre [18], [35], Signal [33],
Esterel [13], [11] and Argos [61], [60]. Developing concurrently with the emerging
theory of process algebras, the SMoCC, from its beginning, has taken a practical
programming perspective and targeted embedded and safety-critical systems in the
automotive and avionics industries. The SMoCC languages have been very successful
in these highly-demanding and complex domains. Part of this is due to their solid
mathematical underpinning which inherits its robust logic from the design of digital
synchronous circuits. Over the years, the quality-software assurance of the SMoCC
paradigm has received attention in a wider range of applications. These include
Stateflow [36], web-orchestration [14], and music accompaniment [6] to mention a
few. The SMoCC approach also has spread into functional programming [58] and
mainstream imperative languages like C [15], [50], [82] or Java [65].
The SMoCC paradigm is based on a globally synchronous, locally asynchronous
model of concurrent computation1, which employs logical clocks to force asynchronous
processes into a globally deterministic sequence of execution steps, called macro steps
or logical instants. The SMoCC computations relate to classical automata in the sense
that macro-steps correspond to automata transitions and configurations are discrete
time points (automata states) on which system and environment can communicate
(synchronise) with each other. At this level of modelling—under the Synchrony
Hypothesis [8]—macro-steps appear as deterministic and functional input/output
interactions. If this were all, synchronous programs could be analysed by the standard
compositional techniques of the theory of synchronous automata, which fits both
the denotational and the operational viewpoint equally well. Not much concurrency
theory is needed for that.
However, there is a catch: The soundness of the automata model depends on
the compiler verifying that the Synchrony Hypothesis is valid. Yet, the Synchrony
Hypothesis is not compositional. The difficulty is that the SMoCC programs exhibit
Mealy as opposed to Moore-style interaction. Since Mealy outputs depend instantaneously
on the inputs and (in a typical SMoCC language) are also broadcast, the
atomicity assumption creates a tangled causality cycle when the SMoCC automata
are composed. Since each program acts as the environment of the other, the Synchrony
Hypothesis expects each system to react faster than the other, and hence faster than
itself! This is aggravated by the fact that in some SMoCC languages, such as Esterel or
some version of Statecharts, the reaction of one component can depend on the absence
of a reaction from another component. To resolve the paradoxes, i.e., to prevent
deadlock and non-determinism, the synchronous interaction must satisfy stringent
causality requirements. Consequently, causality analyses have been a key component
in the SMoCC compilers. Typically, these analyses correspond to the derivation
of clock schedules (“clock calculus”) for the activation of program statements [19],
[7], [21], [77] or 3-valued circuit simulation (“ternary analysis”) [12], [26], [72].
Edwards [25] and Potop-Butucaru et al. [69] provide good overviews of compilation
challenges and approaches for concurrent languages, including synchronous languages.
In this report we focus on causality in control-flow oriented SMoCCs such as Esterel
or Quartz rather than data-flow oriented SMoCCs such as Lustre or Signal.
1This is sometimes referred to as the ‘LAGS’ model and not to be confused with the well-known but
orthogonal ‘GALS’ model which features globally asynchronous and locally synchronous computations.
The techniques for causality analysis range from checking simple static criteria on
control-dependencies to full-fledged data-dependent control-flow analysis. Proving
the soundness of causality analyses necessarily requires maintaining some form of
refinement (“constructiveness” or “dependency”) information about a lower-level
asynchronous micro-step semantics. The first to observe this were Huizing, Gerth
and de Roever [42] who showed that combining compositionality, causality and
the Synchrony Hypothesis cannot be done within a single-levelled semantics (see
also [23]). In other words, causality analysis establishes consistency of a synchronous
macro-step with respect to an asynchronous micro-step execution model. This makes
causality analyses and their soundness properties interesting from a concurrency
theoretical point of view.
Different distributed execution platforms and memory models induce different
degrees of uncontrollable non-determinism. They give thus rise to different notions
of causality. A conservative, and thus robust, notion of causality among all the
SMoCCs is the so-called constructive semantics of Esterel [13], [11] introduced by
Berry in [12]. This is a pure macro-step semantics combining a structural operational
semantics for macro-state transitions with a denotational fixed-point construction,
also known as the “must-cannot” analysis, for computing causal reactions from
every state. However, there do not seem to be soundness proofs for the causality
analyses of Esterel relative to a micro-level scheduling in normal, i.e., unsynchronised
memory.2 The only available result on the lower-level operational soundness of the
fixed-point construction is indirect, has never formally been proven and applies
to the hardware translation given in [12]. At the hardware level it is known that
constructiveness implies delay-insensitivity under non-inertial delays [57], [75], [63].
While this highlights the universal nature of the constructive semantics, it does not
provide insights into the nature of constructiveness for software implementations of
SMoCC languages. This question is now starting to be addressed in the literature. An
interesting example is the more recent SMoCC language Quartz [73]. It has been given
both macro-step operational semantics and a fixed-point semantics implementing an
Esterel-style causality analysis [73], [31]. Talpin et al. in [76] consider a combination
of Signal and Quartz and prove that the constructive fixed-point semantics is sound
for an operational micro-step semantics. In this report we proceed along similar
ideas as [76] for Esterel-style imperative languages.
B. Contributions
In this report we prove the soundness of the denotational fixed point semantics
for imperative SMoCC programs, commonly termed “constructive”, with respect to
their micro-step operational behaviour when compiled into multi-threaded shared
memory code. To the best of our knowledge this is the first result of its kind for
Esterel-style imperative programming.
2There is an informal sketch of a micro-step semantics in [12, Sec. 4.3] which is not developed further or
formally related with the fixed point semantics for macro-steps.
The recent constructive semantics that integrates Quartz and Signal [76] is based
on a similar approach to the one proposed here in the sense that both are developed
around similar mathematical structures, i.e., fixed point on a lattice for representing
signal statuses and Boolean values. The semantics framework of [76] unifies the
behaviour of polychronous multi-clocked Signal networks and synchronous Quartz
modules where synchronous Boolean variables are always present. In contrast, our
approach significantly extends the standard 3-valued “must-cannot” semantics [12],
[26], [72] with the effect that (i) it is able to handle explicit initialisation of signals,
and (ii) it operates in a more structured domain of information intervals rather
than flat ternary Kleene algebra. In the enriched domain we prove soundness of the
fixed-point with respect to the micro-step operational execution. By “micro-step
operational semantics” we mean a small-step semantics in which the reaction of
a parallel composition for a single clock tick (rather than sequences of clocks) is
(1) implemented by thread interleaving and (2) the execution does not use the
must/cannot enriched statuses. E.g., the SOS reaction rules for Quartz [73], [31] do
not satisfy criterion (1). They give big-step semantics for full reaction instants. On
the other hand, the operational semantics sketched by Berry [12, Chap. 4.3] or by
Talpin et al. [76] do not satisfy criterion (2).
Our main Theorem 1 strengthens the results presented in [4], where a similar fixed
point semantics was introduced to prove that the sequentially constructive model
of synchronous concurrent computation [84], [86] conservatively extends Berry’s
notion of constructiveness for Esterel. Specifically, we extend the work of [4] in three
ways: Firstly, we correct a mistake preventing the denotational semantics of [4] from
detecting deadlocks that can arise from concurrent initialisations (see our Ex. 19).
Secondly, the results presented here imply that the fixed point analysis is not only
sound for sequential constructiveness targeted in [4] but also for Esterel’s more
restrictive operational model of causality, characterised by B-reactiveness (Def. 4)
and SC-read-determinacy (Def. 5). The combination of these two properties is a
proper strengthening of the notion of ∆∗-constructiveness in the sense of [4], which
corresponds to the notion of sequential constructiveness introduced in [84]. Thirdly,
we introduce a new definition of constructiveness, called IB-constructiveness (Def. 9),
to permit implicit initialisations through memory. It is more generous than the
notions of constructiveness considered in [4] where all variables must be reinitialised,
by the program or the environment, at every macro step. In other words, compared
to [4] our semantics guarantees a stronger form of operational robustness for a wider
class of programs.
C. Overview
Section II gives an abstract account of the SMoCC principle for imperative
programs based on the consolidated language model pSCL and the operational
notion of free scheduling. It also offers the definitions of important terms that will be
used in the following sections, particularly of B-Admissibility and SC-Admissibility,
which are both scheduling protocols restricting the free scheduling with different
degrees of strength. The related terms of B-Reactiveness and SC-Reactiveness are
also defined as well as the notion of X-Determinacy, parametric in X-Admissibility
and its special case X-read-determinacy.
Section III is dedicated to the definition of the abstract domains and environments
on which our denotational fixed point semantics is based. This includes the definition
of the domain D, whose four elements represent possible signal statuses and comprise
representations needed for the handling of explicit initialization of signals. The
semantics operates on closed intervals over D which represent predictions of variable
statuses combined with a domain P that is capturing initialization statuses, yielding
I(D,P) as working domain. Finally, the section introduces a domain I(C) of program
completion statuses.
Section IV is the core of this work, where we put the introduced technical apparatus
to form our denotational fixed point semantics for pSCL. The semantics induces
three notions of constructiveness increasing in strength, Berry-constructive (BC),
Input Berry-constructive (IBC) and Strong Berry constructive (SBC). This section
finally contains our main Soundness Theorem 1 that states that IBC programs are
B-reactive and SC-read-determinate.
Section V positions our work in reference to related work and Section VI offers
concluding remarks and mentions open problems.
II. Operational Semantics of Synchronous Programs
A. Language Model
For our elaborations, we employ a language that focuses on the micro-step
computations of a system. This language, referred to as pSCL3, contains the necessary
control structures for capturing multiple variable accesses as they occur inside macro-
steps. pSCL abstracts syntactic and control particularities of existing synchronous
languages not directly related to our analysis. This not only provides generality to
the results but also avoids over-complicating our formal treatment. pSCL is pure
in the sense that it manipulates Boolean variables from a finite set V, which carry
information over time by changing value in B = {0,1}. A variable s ∈ V with value
γ ∈ B is denoted by sγ. Here, 0,1 are used to code, respectively, the logical statuses
False (absent, initialised) and True (present, updated) of a synchronous signal. The
syntax of pSCL is given by the following BNF of operators:
P :=  (empty statement)    nothing
  | π                      pause
  | ¡s                     s = false (implicit unemit s in Esterel)
  | !s                     s = true (emit s in Esterel)
  | s ? P : P              if s then P else P (present s then P else P in Esterel)
  | P ‖ P                  fork P par P join
  | P ; P
  | rec p. P               p : P, declare program label (implicit Esterel loop)
  | p                      goto p, jump to label (generalises Esterel iteration)
Since our syntax is abstract in the style of process algebras we also indicate the
more concrete syntax as used in control-flow languages SCL [84] and Esterel on the
right of each operator.
Intuitively, the empty statement  indicates that a given program has been
completed. That is,  corresponds to the termination situation in which there
are no further tasks to be performed in this or any subsequent macro-step. The pause
control π forces a program to yield and wait for a global tick. This means that the
execution cannot proceed any further during the current macro-step but it will
be resumed in the next. The reset (init) ¡s and set (update) !s constructs modify the
value of s ∈ V to s0 or s1, respectively. The conditional control s ? P : Q has the usual
interpretation in the sense that depending on the status 1 or 0 of the guard variable
s either P or Q is executed accordingly. Parallel composition P ‖ Q forks P and Q,
so the statements of both are executed concurrently. This composition terminates
(joins) when both components terminate, i.e., both are completed in the sense of ,
not waiting in a pause π. When just one of the two components in P ‖ Q terminates
while the other pauses, then P ‖ Q pauses. Otherwise, if one component terminates
and the other does not pause or terminate then the computation continues from
the statements of the other component until it terminates, too, or pauses. In the
sequential composition P ; Q, the statements of P are first completely executed.
Then, the control is transferred to Q which, in turn, determines the behaviour of the
composition thereafter. The operator rec p.P introduces a recursion label or process
name p that can be used in its body P to reiterate the process using p as a jump
label. The semantics is so that rec p.P is equivalent to its unfolding P{rec p.P/p},
where P{Q/p} denotes syntactic substitution. As done in process algebras we can use
rec to fold up recursive equation systems modelling arbitrary forward and backward
jumps in control-flow graphs.
3This stands here for “pure Synchronous Constructive Language”, indicating not only that signal variables
in pSCL carry Boolean status but also that pSCL is a minimalistic version of control-flow synchronous
languages in an abstract algebraic syntax.
By default, a conditional binds tighter than sequential composition, which in turn
binds tighter than parallel composition; the loop prefix rec p has weakest binding
power. As usual, brackets can be used for grouping statements to override the
default associations. For instance, in the expression rec p.x ?  : p; !y the scope of
the loop extends to the end of the expression as in rec p.((x ?  : p); !y), whereas
(rec p.x ?  : p); !y limits the scope and leaves !y outside the loop. Similarly, brackets are
needed, as in rec p.x ?  : (p; !y), to include !y in the else branch of the conditional.
Recursion without restrictions is too powerful for our purposes. We impose the
following three well-formedness conditions on pSCL expressions, which suffice to
model the static structure of many standard synchronous programming languages:
• No jumps out of an enclosing parallel composition. This does not limit the
power of the language, as for example aborts, traps and general gotos as
proposed for/provided by Esterel or SHIM [78], [79] can still be implemented
by “chaining” jumps up the thread hierarchy, but has the advantage of a simple
parallel/sequential control flow structure. Formally, in every loop rec p.P the
label p must not lie within the scope of a parallel operator ‖. For instance,
rec q. P ||q is not permitted while P ||(rec q.q) is accepted. This makes sure that
the static control structure of a program is a series-parallel graph (see [24]) and
the number of concurrently running threads is statically bounded by this graph.
In particular, any given static thread cannot be concurrently instantiated more
than once; a fresh thread instance only runs sequentially after all previous
instances of the same static thread.
• Every loop rec p.P is clock guarded, i.e., every free occurrence of label p in
P lies within the sequential scope of a pause π. For instance, rec p.π ; p is
clock guarded whereas rec p.p is not. Clock guarded processes are guaranteed
to generate finite, terminating macro-steps. This corresponds to the standard
requirement in Esterel to not have instantaneous loops.
• No loop label occurs both free and bound in an expression, where the notion of a
free and bound label is as usual. This is a standard restriction in process calculi, see
e.g., [9]. For instance, rec p. rec q. p ; q ; q is not allowed, whereas rec p. (rec r. p ;
r) ; q is accepted. This restriction avoids capturing of any free variable of rec p.P
by a loop recursion in P in the syntactic unfolding P{rec p.P/p}.
Henceforth, programs are assumed to be expressions satisfying these conditions.
Programs without the rec construct will be called finite programs, or fprogs for
short.
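The three well-formedness conditions above, as an added Python checker that is not code from the report. The tuple encoding of the abstract syntax, the statement names and the conservative reading of clock guarding across a sequential composition are my own assumptions.

```python
# Well-formedness checker for the three conditions of Sec. II-A, as an added
# example that is not code from the report.  pSCL expressions are nested
# tuples (my encoding of the abstract syntax):
#   ("nothing",)      empty statement     ("pause",)       pi
#   ("reset", s)      ¡s                   ("set", s)       !s
#   ("if", s, P, Q)   s ? P : Q            ("par", P, Q)    P || Q
#   ("seq", P, Q)     P ; Q                ("rec", p, P)    rec p. P
#   ("jump", p)       p
# Assumption (mine): in P ; Q a free label in Q counts as clock guarded only
# when P pauses on every control path, a conservative reading of "within the
# sequential scope of a pause".

def children(P):
    """Immediate sub-expressions of P in program order."""
    tag = P[0]
    if tag == "if":
        return [P[2], P[3]]
    if tag in ("par", "seq"):
        return [P[1], P[2]]
    if tag == "rec":
        return [P[2]]
    return []

def free_labels(P):
    """Labels jumped to without a binding rec around them."""
    if P[0] == "jump":
        return {P[1]}
    if P[0] == "rec":
        return free_labels(P[2]) - {P[1]}
    return set().union(*[free_labels(Q) for Q in children(P)])

def bound_labels(P):
    """Labels bound by a rec somewhere inside P."""
    own = {P[1]} if P[0] == "rec" else set()
    return own.union(*[bound_labels(Q) for Q in children(P)])

def loops(P):
    """All (label, body) pairs of rec constructs in P."""
    own = [(P[1], P[2])] if P[0] == "rec" else []
    return own + [lp for Q in children(P) for lp in loops(Q)]

def must_pause(P):
    """True if every control path through P reaches a pause."""
    tag = P[0]
    if tag == "pause":
        return True
    if tag in ("seq", "par"):            # P || Q pauses as soon as one side does
        return must_pause(P[1]) or must_pause(P[2])
    if tag == "if":
        return must_pause(P[2]) and must_pause(P[3])
    if tag == "rec":
        return must_pause(P[2])
    return False

def jumps_under_par(P, p, inside_par=False):
    """Condition 1 is violated if a free occurrence of p lies below a parallel."""
    if P[0] == "jump":
        return P[1] == p and inside_par
    if P[0] == "rec" and P[1] == p:      # an inner rec p rebinds the label
        return False
    below = inside_par or P[0] == "par"
    return any(jumps_under_par(Q, p, below) for Q in children(P))

def guarded(P, p, after_pause=False):
    """Condition 2: every free occurrence of p is sequentially behind a pause."""
    if P[0] == "jump":
        return P[1] != p or after_pause
    if P[0] == "rec" and P[1] == p:
        return True
    if P[0] == "seq":
        return (guarded(P[1], p, after_pause)
                and guarded(P[2], p, after_pause or must_pause(P[1])))
    return all(guarded(Q, p, after_pause) for Q in children(P))

def check(P):
    """Evaluate the three well-formedness conditions separately."""
    return {
        "no_jump_out_of_par": all(not jumps_under_par(B, p) for p, B in loops(P)),
        "clock_guarded": all(guarded(B, p) for p, B in loops(P)),
        "no_label_free_and_bound": not (free_labels(P) & bound_labels(P)),
    }

def well_formed(P):
    return all(check(P).values())

# Constructed test expressions mirroring the report's discussion.
GUARDED_LOOP = ("rec", "p", ("seq", ("pause",), ("jump", "p")))      # rec p. pi ; p
INSTANT_LOOP = ("rec", "p", ("jump", "p"))                            # rec p. p
JUMP_OUT = ("rec", "q", ("par", ("set", "x"), ("jump", "q")))         # rec q. (!x || q)
LOOP_IN_BRANCH = ("par", ("set", "x"), GUARDED_LOOP)                  # !x || rec p. pi ; p
CAPTURE = ("seq", GUARDED_LOOP, ("jump", "p"))                        # (rec p. pi ; p) ; p
LOOP_THEN_SET = ("rec", "p", ("seq", ("if", "x", ("nothing",), ("jump", "p")),
                              ("set", "y")))                          # rec p.((x ? nothing : p); !y)
```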
The imperative statements of a pSCL program describe discrete changes of state at
the level of micro-steps. The computation of a concurrent program gets described by a
collection of threads (concurrent program fragments), each one performing micro-steps
independently and interacting with each other through shared memory. Generally, a
computation depends on a distinction of micro-steps happening sequentially after
each other or concurrently. The sequential order is instantiated from sequential
composition P ;Q. Parallel composition P ‖ Q is the construct that provides the
thread topology for achieving concurrency. The resulting tree-like structure of the
parallel construct determines statically which statements belong to which individual
thread. At run-time, these static threads get instantiated and executed. Every one of
such instantiations must have its own local control-state and, therefore, is considered
a process. From this perspective, the configuration capturing the global state of a
concurrent program at any given moment is determined by the local state of all its
processes together with a shared global memory.
As in synchronous programming, a micro-step can take place when at least one
process is active, i.e., when it is able to execute a statement other than π. In this
manner, a micro-step produces a change in the configuration resulting from a process
modifying its own local state and possibly the global memory. Active processes
induce micro-steps until every process either terminates or reaches a pause, thereby
completing a macro-step. Then, from the resulting configuration, the environment
can provide a fresh stimulus for continuing the computation with a new macro-step.
The interaction between processes at the micro-step level must be controlled
according to some pre-established rules of admissible scheduling in order to enforce
the Synchrony Hypothesis abstraction. For instance, suppose in P ‖ Q, program
P performs a write to a variable x and Q concurrently reads x. Then, under
the Synchrony Hypothesis the producer P (system) is faster than the consumer
(environment) Q, or, equivalently, Q waits for P . A canonical notion of admissibility
that enforces such causalities is the “init;update;read” protocol [84], which is referred
to as the “iur” protocol in the following. It decrees that all initialisations ¡s must
take place before any update !s which in turn must both be scheduled before any
read, i.e., any conditional test s ? P :Q on s.
In the next section we define the notion of a free unconstrained execution for pSCL
programs and then in Sec. II-C introduce the restriction imposed by the iur protocol.
This defines the operational semantics of the class of causal pSCL programs for
which we shall later, in Secs. III and IV, provide a suitable notion of constructive
macro-step responses in terms of a denotational fixed-point analysis.
B. Micro-step Free Scheduling
In our operational model, a process T is defined by its own current control-state,
or state for short, which contains: (i) information about the precise position of T in
the tree structure of forked processes and (ii) control-flow references to specific parts
of the code. Formally, T is given by a triplet 〈id,prog,next〉 where we write T.id,
T.prog or T.next for referring to the individual elements of T which are called,
respectively, identifier, current-program and next-control. Concretely,
[Fig. 1 is an image not reproduced here: a serial-parallel graph of the thread identifiers 0, 1, 2, 1.l.0, 1.l.1, 1.r.0, 1.r.1, 1.r.2, 1.r.3, 1.r.2.l.0, 1.r.2.l.1, 1.r.2.l.2 and 1.r.2.r.0, grouped into the static threads l, r, r.l and r.r.]
Fig. 1. A sequential-parallel program structure of thread identifiers.
• T.id is a non-empty sequence containing an alternation of natural numbers and
the symbols l, r that always starts and ends with a number. For instance, 0.l.5
and 1.r.3.l.7 are identifiers but 0.r and r.1.r.2 are not. Meta-variables to range
over identifiers are ι, κ, possibly with indices.
• T.prog is the pSCL expression that is currently scheduled to generate T ’s micro-
steps. Since these are pSCL expressions we use the meta-variables P , Q, etc.,
to range over these.
• T.next is a list of future program fragments that can be converted into micro-
steps sequentially after T.prog has terminated. This list is extended when a
sequential composition is executed in T.prog. We use the meta-variable Ks to
range over next-controls.
The identifier T.id localises process T uniquely in the sequential-parallel control
flow of the program context which has generated T . The intuition is that the numbers
in the identifier are counting the sequential steps taken by the program context.
The symbols (l for left and r for right) recall the path of previous parallel forks
from which the process has emerged. Where we are only interested in the depth of a
process in the thread hierarchy, we use a thread projection function th(ι) ∈ {l, r}∗
which drops from ι all sequencing numbers. The sequence th(T.id) can be interpreted
as the static thread identifier of process T .
Example 1. The serial-parallel graph in Fig. 1 gives an example of the thread
identifiers generated by the fprog P = a0 ; (Pl ‖ Pr) ; a2 with
Pl = a1.l.0 ; a1.l.1, Pr = a1.r.0 ; a1.r.1 ; (Pr.l ‖ Pr.r) ; a1.r.3,
Pr.l = a1.r.2.l.0 ; a1.r.2.l.1 ; a1.r.2.l.2, Pr.r = a1.r.2.r.0,
where all aι are primitive statements {, !s, ¡s}. The subscripts ι indicate the thread
identifier associated with the statement aι when it is executed. In Fig. 1 these primitive
statements are shown as rectangular boxes with their identifier written inside it. Notice
how the letters l and r (displayed in red colour) identify the static thread in which the
statement is executed. For instance the statement a0.r.2.l.1 is executed in the static
thread r.l, which is the left child of the right child of the main thread. This is the
projection th(0.r.2.l.1) = r.l. The first top level statement a0 is in the root thread ε,
i.e., th(0) = ε, where ε denotes the empty sequence. The hierarchical thread structure
is visualised by the dotted gray background boxes.
Definition 1. To compare the sequential depth of processes, we use the (partial)
lexicographic order ≺ on path identifiers. The natural numbers are ordered in the
usual way, i.e., 0 < 1 < 2 …, while the symbols l, r are considered incomparable. Thus,
for identifiers $\iota = d_1 \ldots d_n$ and $\iota' = d'_1 \ldots d'_m$ we have that ι ≺ ι′ iff ι is a proper prefix
of ι′ or ι is lexically below ι′. Formally, ι ≺ ι′ iff
• $n < m$ and $\forall 1 \le j \le n.\ d_j = d'_j$, or
• there is $0 \le i < n$ such that $d_{i+1} < d'_{i+1}$ and $\forall 1 \le j \le i$ we have $d_j = d'_j$.
We write ⪯ for the reflexive closure of ≺, i.e., ι ⪯ ι′ iff ι ≺ ι′ or ι = ι′.
The order ⪯ contains both the thread hierarchy and sequencing. If ι ⪯ ι′ then ι′
is a sequential successor of ι in program order. If ι ⋠ ι′ and also ι′ ⋠ ι then both
ι and ι′ are concurrent. Note that there is no relationship between ι ≺ ι′ and the
prefix order on th(ι) and th(ι′). The sequential successor ι′, in general, can be both
a descendant or an ancestor of ι in the thread hierarchy.
Example 2. For instance, in our example of Fig. 1, we have 1.r.2 ≺ 1.r.2.l.1 ≺ 1.r.3
following the sequential program order but 1.l.0 ⊀ 1.r.2.l.1 and 1.r.2.l.1 ⊀ 1.l.0, because
the labels l and r are incomparable. The micro-steps with thread identifiers 1.l.0 and
1.r.2.l.1 are not sequentially ordered. They are executed in the concurrent threads
th(1.r.2.l.1) = r.l and th(1.l.0) = l. Observe that 1.r.2.l.1 ⪯ 1.r.3 but th(1.r.2.l.1) = r.l
is not a prefix of r = th(1.r.3). In the other direction, the fork node 1.r.2 is a sequential
predecessor of 1.r.2.l.1 and r = th(1.r.2) is an ancestor of r.l = th(1.r.2.l.1).
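As an added illustration of Def. 1 (example code written for this report, not code from the paper), the following Python encodes path identifiers as tuples such as (1, 'r', 2, 'l', 1) for 1.r.2.l.1, together with the thread projection th and the order ≺ with its reflexive closure ⪯. The dotted-string parser and all function names are this example's own conventions; the comparisons it reproduces are the ones stated in Ex. 2.

```python
# Added example (constructed for this report, not the authors' code): path
# identifiers of Def. 1 as Python tuples, e.g. (1, 'r', 2, 'l', 1) for 1.r.2.l.1,
# the thread projection th, and the order ≺ with its reflexive closure ⪯.

def parse_id(text):
    """'1.r.2.l.1' -> (1, 'r', 2, 'l', 1): sequence numbers become ints, l/r stay."""
    return tuple(d if d in ('l', 'r') else int(d) for d in text.split('.'))

def show_id(ident):
    return '.'.join(str(d) for d in ident)

def th(ident):
    """Thread projection: drop every sequencing number and keep the l/r path."""
    return tuple(d for d in ident if d in ('l', 'r'))

def is_ancestor(t1, t2):
    """Thread t1 is a (not necessarily proper) prefix of thread t2."""
    return t2[:len(t1)] == t1

def prec(i, j):
    """i ≺ j (Def. 1): i is a proper prefix of j, or at the first position where
    the two differ both digits are numbers and i's is the smaller one. The
    letters l and r are incomparable, so a mismatch on a letter gives False."""
    for a, b in zip(i, j):
        if a != b:
            return isinstance(a, int) and isinstance(b, int) and a < b
    return len(i) < len(j)

def preceq(i, j):
    """i ⪯ j: the reflexive closure of ≺."""
    return i == j or prec(i, j)

def relation(a, b):
    """How two dotted identifiers relate: 'before' (a ≺ b), 'after' (b ≺ a),
    'equal', or 'concurrent' when neither is a sequential successor of the other."""
    i, j = parse_id(a), parse_id(b)
    if i == j:
        return 'equal'
    if prec(i, j):
        return 'before'
    if prec(j, i):
        return 'after'
    return 'concurrent'

if __name__ == '__main__':
    # The pairs discussed in Ex. 2
    for a, b in [('1.r.2', '1.r.2.l.1'), ('1.r.2.l.1', '1.r.3'), ('1.l.0', '1.r.2.l.1')]:
        print(a, relation(a, b), b, '  threads:', show_id(th(parse_id(a))) or 'ε',
              show_id(th(parse_id(b))) or 'ε')
```

Note that preceq((1,'r',2,'l',1), (1,'r',3)) holds although th gives r.l and r, which are not prefix-related, which is exactly the point made at the end of Ex. 2: the identifier order and the thread hierarchy are independent outside a well-formed configuration.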
Formally, the global memory is a Boolean valuation function ρ : V → B which
indicates the current value for each variable s ∈ V . Any micro-step of a process T
(relative to a given memory ρ) produces a new memory ρ′ and a set of successor
processes T ′. Thus, any micro-step is completely specified by the memory function
ρ′ := mem(T,ρ) and the succession function T ′ := nxt(T,ρ). For any s ∈ V , the
memory function is defined by:
mem(T,ρ)(s) :=  0      if T.prog = ¡s
                1      if T.prog = !s
                ρ(s)   otherwise.
This says that for a given variable s ∈ V , if T performs a reset ¡s then s is
changed to 0, if T performs a set !s then s is changed to 1, otherwise, s keeps its
value from the previous memory. We define the succession nxt(T,ρ) by case analysis
on T.prog, where the sequential enumeration for identifier ι is computed by an
increment function inc(ι) which increases by 1 the last number of the identifier ι,
e.g., inc(1.r.6) = 1.r.7:
nxt(〈ι,P,[ ]〉,ρ)        := ∅                                  if P ≡ ε, P ≡ ¡s or P ≡ !s   (1)
nxt(〈ι,P,Q::Ks〉,ρ)     := {〈inc(ι),Q,Ks〉}                    if P ≡ ε, P ≡ ¡s or P ≡ !s   (2)
nxt(〈ι,P ; Q,Ks〉,ρ)     := {〈ι,P,Q::Ks〉}                                                  (3)
nxt(〈ι,rec p.P,Ks〉,ρ)   := {〈ι,P{rec p.P/p},Ks〉}                                          (4)
nxt(〈ι,s ? P : Q,Ks〉,ρ) := {〈inc(ι),P,Ks〉} if ρ(s) = 1, and {〈inc(ι),Q,Ks〉} otherwise      (5)
nxt(〈ι,P ‖ Q,Ks〉,ρ)     := {〈ι,ε,Ks〉, 〈ι.l.0,P,[ ]〉, 〈ι.r.0,Q,[ ]〉}.                        (6)
Let us explain the different cases one by one:
(1) If the program T.prog is one of the basic statements (i.e., the empty statement ε, set !s or
reset ¡s) and the list of continuation processes in the next-control T.next is
empty [ ], then the process (after execution) is terminated and disappears from
the configuration. This is achieved by setting the succession to be the empty
set.
(2) If T.prog is one of the basic statements and the list of continuation processes
in T.next is a non-empty list Q::Ks, then we start Q in a new process with
next-control Ks and a sequentially incremented index inc(ι).
(3) If T.prog is a sequential composition P ;Q then we start P in a new process with
the same identifier and add Q to the front of the next-control list. The identifier
does not increment since we do not consider the new process 〈ι,P,Q::Ks〉 a
sequential successor but only a structural replacement.
(4) A loop T.prog = rec p.P behaves like its unfolding P{rec p.P/p}, without
modification to the identifier and next-controls.
(5) Next consider a process with conditional program T.prog = s ? P :Q in memory
ρ. Depending on whether the memory value for the variable s is 1 or 0 we
install the P or the Q branch, respectively, with an incremented identifier and
the same next-control. The identifier is incremented because the branches are
considered as being executed strictly after the conditional test, in sequential
program order.
(6) Finally, executing a parallel program T.prog = P ‖ Q instantiates the two
sub-threads P and Q in their own processes 〈ι.l.0,P,[ ]〉 and 〈ι.r.0,Q,[ ]〉, respectively,
with a fresh and empty next-control but extended identifiers. The process P is the
initial sequential statement of the left child of the parent process 〈ι,P ‖ Q,Ks〉.
Therefore, we add the suffix l.0 to the parent’s identifier, and analogously r.0
for the right child Q. At the same time that the parent process forks its two
children, it transforms itself into a join process 〈ι,ε,Ks〉. Since ι ≺ ι.l.0 and
ι≺ ι.r.0 both children have strictly larger identifiers. Since only processes with
maximal identifiers are executable (details below), the join process must wait for
the children to terminate before it can release the next-controls Ks, or terminate
itself in case Ks = [].
Note that there is no clause for the succession of a pausing process or a process
label, i.e., nxt(〈ι,π,Ks〉,ρ) and nxt(〈ι,p,Ks〉,ρ) are undefined. This is no problem
since (i) program π is never executed in a micro-step but only by the next global
clock tick (see below), and (ii) we are only interested in the behaviour of closed
pSCL expressions which do not have any free process labels.
Example 3. Consider the process T0 = 〈0, ¡x ; y ? π : !x, [ ]〉. This process resets
variable x and then either pauses or sets variable x depending on the value of
variable y. Let us derive its behaviour in the formal semantics.
Starting from some initial memory ρ0, executing T0 yields a new memory ρ1 =
mem(T0,ρ0) and a set of successors S1 = nxt(T0,ρ0). This first micro-step breaks up the
sequential composition operator ; according to rule (3). This results in S1 = {T1} where
T1 = 〈0, ¡x, [y ? pi : !x]〉. The micro-step does not modify the memory, i.e., ρ1 = ρ0.
Proceeding with T1 from ρ1, we come to execute the reset ¡x following rule (2),
obtaining ρ2 = mem(T1,ρ1) and successors S2 = nxt(T1,ρ1). Memory ρ2 now assigns
0 to variable x, while y retains its initial value from ρ0. The succession is S2 = {T2}
with T2 = 〈1,y ? pi : !x, [ ]〉. Notice the increment of the identifier T2.id= 1 = inc(0) =
inc(T1.id) which reflects the fact that execution has passed a sequential composition
operator. The conditional T2 now reads the value of y in memory ρ2 and passes
control to the ‘then’ or ‘else’ branch:
• If ρ2(y) = ρ0(y) = 1 then the conditional executes the ‘then’ branch. We get
ρ3 = mem(T2,ρ2) = ρ2 and S3 = nxt(T2,ρ2) = {T3} with T3 = 〈2,π,[ ]〉 by rule (5).
There are no micro-step rules for π, which is forced to pause during the current
macro-step. T3 makes progress only at the next global clock tick where it transforms
into T′3 = 〈0,ε,[ ]〉 as described later.
• If ρ2(y) = ρ0(y) = 0 then ρ3 = mem(T2,ρ2) = ρ2 and S3 = nxt(T2,ρ2) = {T3}
with T3 = 〈2, !x, [ ]〉 by rule (5). From here, the execution of !x sets variable x
and yields the new memory ρ4 = mem(T3,ρ3) with ρ4(x) = 1 and ρ4(y) = ρ2(y).
Since S4 = nxt(T3,ρ3) = ∅ by rule (1), there are no more processes from which we
can continue. The execution of T0 has terminated instantaneously in the current
macro-step.
Let us combine the memory and succession functions for a single process to define
the micro-steps of an arbitrary set of processes running concurrently. This requires
the notion of a configuration, defined next:
Definition 2. A configuration is given by a pair (Σ,ρ), where ρ is the global memory
and Σ, called the process pool, is a finite set of (closed) processes such that
• all identifiers are distinct, i.e., for all T1,T2 ∈ Σ, if T1.id= T2.id then T1 = T2;
• the sequential ordering of identifiers coincides with the thread hierarchy, i.e., for
all T1,T2 ∈ Σ, we have T1.id ⪯ T2.id iff th(T1.id) is a (not necessarily proper)
prefix of th(T2.id);
• the identifiers form a full thread tree, i.e., for each T ∈ Σ and every proper prefix
(ancestor) t ∈ {r, l}∗ of th(T.id), there is a process T′ ∈ Σ with th(T′.id) = t.
A configuration (Σ,ρ) is empty if Σ = ∅. We call a process T ∈ Σ
• pausing when T.prog = π;
• active if it is not pausing and T.id is ⪯-maximal (in the identifier order) in Σ;
• waiting if it is neither pausing nor active.
A configuration with memory ρ in which all the processes in Σ are waiting or pausing
is called quiescent.
a) Micro-sequences: From a given configuration (Σ,ρ) and a selection T ∈ Σ
of an active process, we can let T execute a micro-step to produce a micro-step
(Σ,ρ) →T (Σ′,ρ′), (7)
where in the free scheduling there is no constraint on the selection of T other than
it being active. The resulting memory ρ′ = mem(T,ρ) is computed directly from
the mem function. The new process pool Σ′ is obtained by removing T from Σ and
replacing it by the set of successors generated by nxt, i.e., Σ′ = Σ\{T} ∪ nxt(T,ρ).
Note that in the free schedule both the next process pool Σ′ and the new memory ρ′
only depend on the active process T that is executed and the current memory ρ.
They do not depend on the other processes in Σ. Since the successor configuration
is uniquely determined by (Σ,ρ) and T, we may write (Σ′,ρ′) = T(Σ,ρ). In a
micro-sequence the scheduler runs through a succession
(Σ0,ρ0) →T1 (Σ1,ρ1) →T2 ··· →Tk (Σk,ρk) (8)
of micro-steps obtained from the interleaving of process executions. We let ↠ be
the reflexive and transitive closure of →. That is, we write
R : (Σ0,ρ0) ↠ (Σk,ρk)
to express that there exists a micro-sequence R, not necessarily maximal, from
configuration (Σ0,ρ0) to (Σk,ρk). The sequence R is a function mapping each index
1 ≤ j ≤ k to the process R(j) = Tj executed at micro-step j, and len(R) = k is the
length of the micro-sequence executed so far. We call any pair (i,R(i)) consisting of a
micro-step index 1 ≤ i ≤ len(R) together with the process R(i) executed at position
i a process instance of R. Further, it will be necessary to restrict a micro-sequence
R : (Σ0,ρ0) ↠ (Σn,ρn) to its prefixes R@i : (Σ0,ρ0) ↠ (Σi,ρi) for i ≤ n = len(R).
b) Macro-steps: A macro-step, also called a synchronous instant, or instant for
short, abbreviated
R : (Σ0,ρ0) ⟹ (Σk,ρk) (9)
is a maximal micro-sequence R that reaches a final quiescent configuration. Note
that for any memory ρ, a configuration (∅,ρ) is trivially quiescent. For the sake of
simplicity, we sometimes drop the micro-sequence R from our relations ↠ and ⟹. When
(Σk,ρk) is quiescent but non-empty then no further micro-step is possible (which
explains the term ‘quiescent’) since all processes are waiting for the clock to tick.
Such a clock tick
(Σk,ρk) ⟹tick (Σ′,ρ′) (10)
consists of eliminating every pausing process with empty continuation 〈ι.d,π,[ ]〉 ∈ Σk
and replacing every pausing process 〈ι.d,π,Q::Ks〉 ∈ Σk with a non-empty continuation
by a new process 〈ι.0,Q,Ks〉 ∈ Σ′ preserving the sequential identifier of all
ancestors but restarting the current thread at sequence number 0. The new memory
ρ′ preserves all internal and output variables but permits the environment to change
any input variables for the next macro-step. For the investigations in this report,
however, we are only interested in single macro-steps generated by the behaviour
of pSCL expressions. Therefore, we will not be concerned with the modelling of
successions of clock ticks.
Example 4. Let (Σ1,ρ0) be a configuration where ρ0 gives value 0 to every variable
and Σ1 = {T1} consists of the root process T1 = 〈0, (!s ; !t ‖ ¡s ; t ? ε : π), [ ]〉. The
complete computation graph for the free scheduling from (Σ1,ρ0) is depicted in Fig. 2.
The processes are abbreviated as follows:
T1 = 〈0, !s ; !t ‖ ¡s ; t ? ε : π, [ ]〉
T20 = 〈0, ε, [ ]〉
T21 = 〈0.l.0, !s ; !t, [ ]〉
T22 = 〈0.r.0, ¡s ; t ? ε : π, [ ]〉
T31 = 〈0.l.0, !s, [!t]〉
T32 = 〈0.r.0, ¡s, [t ? ε : π]〉
T41 = 〈0.l.1, !t, [ ]〉
T42 = 〈0.r.1, t ? ε : π, [ ]〉
T521 = 〈0.r.2, ε, [ ]〉
T522 = 〈0.r.2, π, [ ]〉
[Fig. 2 (graph not reproduced in this text version): the free scheduling graph of process T1 from (Σ1,ρ0). Nodes are configurations (Σ,ρ); edges are micro-steps labelled with the executed operator: fork, ;, !s, ¡s, !t, t?, ε and join. The quiescent leaves are ({T20,T522},ρ21) and ({T20,T522},ρ22), marked ‘pausing’, and ({ },ρ21) and ({ },ρ22), marked ‘instantaneous termination’. The shaded regions A and B are explained in the text below.]
Fig. 2. The free scheduling graph of process T1 of Ex. 4
Each edge in Fig. 2 is a single micro-step. For ease of explanation we do not use the
selected process Ti as the label like in (7) but instead the primitive operator executed
in the micro-step, i.e., a sequential composition ; (rule (3)), an atomic set, reset or
empty statement !s, !t, ¡s, ε (rules (1) and (2)) or a parallel composition ‖ (rule (6)).
The shaded regions named A and B will be explained later.
Since T1 is active it can induce the micro-step (Σ1,ρ0) → (Σ2,ρ0) with the
succession Σ2 = {T20,T21,T22} of three processes as a result of executing the parallel
fork: the parent T20 and its two children T21 and T22. Observe that in Σ2 the two
children are active but the parent with identifier 0 is waiting, because 0 ≺ 0.l.0 and
0 ≺ 0.r.0. The parent T20 now plays the role of a ‘join’ in the sense that it cannot
execute any micro-step until the two children terminate and its own identifier becomes
maximal again. Let us suppose that T21 and T22 are scheduled in that order to
get (Σ2,ρ0) ↠ (Σ4,ρ0) with Σ4 = {T20,T31,T32}, where T31 and T32 are both active.
The configuration (Σ4,ρ0) is underlined in Fig. 2. Notice that we reach exactly the same
configuration if we first schedule T22 and then T21. The concurrent execution of the
sequential compositions in T21 and T22 is confluent, because there are no read or write
accesses to variables. However, in (Σ4,ρ0) things become interesting since the chosen
scheduling order will result in different configurations. If (Σ4,ρ0) ↠ (Σ6,ρ11), with
Σ6 = {T20,T41,T42}, results from scheduling T32 followed by T31, then first the reset
¡s is performed and thereafter the set !s, so that ρ11(s) = 1. On the other hand, if first
T31 is picked and then T32 does its initial micro-step, then (Σ4,ρ0) ↠ (Σ6,ρ12) with
ρ12(s) = 0. Although the resulting process pool Σ6 is the same in both configurations,
the global memory is not.
Continuing the schedule from configuration (Σ6,ρ11), also underlined in Fig. 2, we
see that there is a race between the reading of variable t by T42 and the writing to t by
T41. If we first execute T41, then the conditional T42 will activate its ‘then’-branch ε.
Therefore, we eventually reach the configuration (Σ9,ρ21) with Σ9 = {T20} where the
memory satisfies ρ21(s) = ρ21(t) = 1. Now the ‘join’ process T20 becomes active, which
instantaneously terminates, reaching the quiescent configuration ({},ρ21). On the
other hand, if in (Σ6,ρ11) the process T42 first gets to test the value of t, which is
0, before T41 sets it to 1, then the ‘else’-branch is selected and we end up in the
configuration (Σ8,ρ21) where Σ8 = {T20,T522}. This configuration is also quiescent as
it contains no active processes. Here, the ‘join’ process T20 is still waiting since it has
a strictly smaller sequence number than process T522 which is pausing. No progress
can be made until the next clock tick makes T522 disappear from the configuration,
thereby activating T20 which then terminates instantaneously. Note that the conflict
between T41 and T42 in (Σ6,ρ11) results in a non-determinism of control, viz. between
terminating in the same instant or the next.
Clearly, as demonstrated in Ex. 4, the selection strategy applied in the free
scheduling of a program determines the final memory content and the termination
behaviour of a program in a macro-step. If we considered pSCL as just another
clocked process algebra such as [40], [20], [55] or a model of general statecharts,
e.g., [68], [81], [37] (or in fact Java threads, for that matter) the non-determinism
would not worry us. It is a natural consequence of the asynchrony of parallel execution.
We could leave it to the versed programmer to harness her or his programs by explicit
synchronisation through shared-memory mutual exclusion algorithms (see [56]) in order
to get rid of non-determinacy. Yet, this is not the right approach for synchronous
programming where every program, by compilation, is required to code a deterministic
Mealy machine. In synchronous programming it is the compiler which has to achieve
determinate tick responses under pessimistic assumptions about the varying degree of
perturbation arising from the non-determinism of the target run-time system.
In synchronous programming the programmer is supported by static schedulability
and causality analyses. Often non-determinism can be eliminated by restricting the
free scheduling to so-called admissible schedules that are natural for, or intended by,
the programmer and at the same time reliably implemented on the chosen run-time
platform by a trusted compiler.
Example 5. Consider Example 4 in which the non-determinacy of the tick response
is due to races between the setting and resetting of variable s and the reading and
writing of variable t. Suppose we compile the root process T1 as a data-flow network
in which the non-determinism maps to the concurrent execution of function blocks.
Then it is easy to ensure that the data-flow always executes the reset of a variable (value
initialisation) before any set (value update) and all write accesses before the reads.
This natural ordering prohibits the execution of the transitions shown in Fig. 2 as
dashed arrows. It eliminates the paths in region A with the resets ¡s occurring after
the sets !s and the path in region B in which the set !t happens after the reads
t?. The remaining admissible scheduling paths then all lead, deterministically, to
instantaneous termination in configuration ({},ρ21).
A canonical notion of admissibility to avoid causality locks is the “init;update;read”
(iur) protocol, which forces the accesses of every variable to undergo strict cycles of
first initialisations (¡s), then updates (!s) and finally reads (s?). Moreover, the iur
protocol can be refined by limiting the number of initialisations that are permitted during
a single macro-step on any variable. Liberal notions of sequential constructiveness
permitting more than one init;update;read cycle have recently been proposed [84], [86].
In the traditional model of synchronous programming—paradigmatically represented
by Esterel—only one iur cycle is permitted. This leads to a more conservative notion
of constructiveness which is the subject of this report and formalised in the next
section.
Since well-formed pSCL programs are clock-guarded, we can unfold all loops
and extract finite rec-free expressions that fully describe the program’s macro step
reactions. Therefore, as the main results in this report concern the scheduling
of micro-steps inside a single finite macro-step, it suffices to consider only finite,
recursion-free pSCL programs, i.e., fprogs.
C. Reactiveness and Determinacy
All non-determinism of concurrent execution arises from two types of data races:
write-write conflicts and write-read conflicts. To remove these races, the iur scheduling
protocol enforces precedence of resets over sets and of writes over reads. The strict
ordering can be broken only if the variable accesses are confluent. A suitable notion
of confluence has been introduced in [84], [86].
Definition 3 (Confluence of Processes). Let T1 and T2 be two arbitrary processes
and (Σ,ρ) a configuration. Then,
1) T1,T2 are called conflicting in (Σ,ρ) if both T1 and T2 are active in Σ and
T1(T2(Σ,ρ)) ≠ T2(T1(Σ,ρ));
2) T1,T2 are confluent in (Σ,ρ), written T1 ∼(Σ,ρ) T2, if there is no
micro-sequence (Σ,ρ) ↠ (Σ′,ρ′) such that T1 and T2 are conflicting in (Σ′,ρ′).
Example 6. As an illustration consider once more Example 4. Processes T31 and T32
are conflicting in configuration (Σ4,ρ0) = ({T20,T31,T32},ρ0) because, as we have seen,
both are active in this configuration and, moreover, different execution orders lead to
different results. Since the first micro-step of T31 is !s (update) and the first micro-step
of T32 is the reset ¡s (init), the scheduling protocol gives precedence to T32. Similarly,
T41 and T42 are in conflict in configuration (Σ6,ρ12) with Σ6 = {T20,T41,T42} as
can be seen from Fig. 2. For their part, processes T21 and T22 are independent or
confluent in (Σ2,ρ0) with Σ2 = {T20,T21,T22}. This is so because in every
micro-sequence (Σ2,ρ0) ↠ (Σ′,ρ′) the only configuration in which both T21 and T22 are active
is precisely (Σ2,ρ0). Furthermore, as can be seen from Fig. 2, the order of execution
is unimportant in this case, namely T21(T22(Σ2,ρ0)) = T22(T21(Σ2,ρ0)) = (Σ4,ρ0),
where Σ4 = {T20,T31,T32}. Note that since the initial micro-step of both T21 and T22
is the breaking up of the sequential composition, and thus not a variable access, their
ordering is unconstrained by the “init;update;read” scheduling protocol.
In this report we introduce a fairly stringent interpretation of the iur protocol
derived from conservative SMoCCs such as Esterel or Quartz, which we term Berry
admissibility (Def. 4 below). It uses confluence to permit “ineffective” sets after
reads but is stronger than SC-admissibility [84], as it enforces the iur protocol on all
accesses, not just the concurrent ones as in [84]. Whatever synchronisation protocol X we
use (there may be many other interesting ones still to be discovered), the restriction
to X-admissible executions does not only reduce non-determinacy. Such synchronisation
constraints may also lead to deadlock, i.e., configurations in which no micro-step is
possible without violating X-admissibility. Thus we must care about X-reactiveness,
i.e., the property that a program does not get stuck when executed in an X-admissible
fashion.
1) B-Admissibility and B-Reactiveness: The tighter the underlying notion of
X-admissibility the more information we have from knowing that a program is X-
reactive. If all X-admissible schedules are also Y-admissible then a program without
deadlocks under X is also deadlock-free under Y. Here we introduce a suitable
notion of admissibility that captures the essence of Esterel which is tighter than
SC-admissibility introduced in [84], [86].
Definition 4 (Berry Admissibility and Reactiveness). A micro-sequence R : (Σ0,ρ0) ↠
(Σn,ρn) is Berry admissible (B-admissible) iff
(1) R does not reset any variable that has been set before.
Formally, if R(i) for 0< i≤ n executes a set !s for some s ∈V , then no R(j)
for i < j ≤ n executes a reset ¡s.
(2) R does not write any variable which has been read before, unless this late write
is ineffective in the sense that the write is confluent with the read and the very
same value has been written already before the read.
Formally, if R(j) for 0< j ≤ n executes a conditional test s ? P : Q for some
P,Q, and R(k) for j < k ≤ n performs a set !s (reset ¡s), then there exists an
index i < j before the read where R(i) already executed a set !s (reset ¡s) and
R(j)∼(Σj ,ρj) R(k).
An fprog P is called Berry reactive (B-reactive) if from every initial configuration
({〈0,P,[ ]〉},ρ0) there is at least one B-admissible instant.
Example 7. If a reset happens sequentially after a set (violating Def. 4(1)), as
in P1 := !s ; ¡s, then this violates the monotonicity of signal stabilisation. In the
conservative delay-insensitive model of Esterel this is a hazard, since a concurrent
environment could read either the first output value s = 1 (which is interpreted as
an emit) or the second s = 0 (which is an initialisation). This creates a write-write
race, thus jeopardising determinism. P1 does not have a B-admissible execution. The
opposite ordering P2 := ¡s ; !s of a reset followed by a set is B-admissible, since it
adheres to the monotonic stabilisation protocol.
A read-write race (violating Def. 4(2)) occurs in the sequential programs P3 := s ? !s : ε
and P4 := s ? ¡s : ε. The write accesses !s and ¡s, respectively, may effectively
overwrite the externally controlled value of s which is tested in the conditionals. If
we consider P3 and P4 to be environments of themselves then we run into a causality
loop: the test s? must wait until the program has set or reset its value, which however
can only happen after the test has been executed. If R is the micro-sequence generated
from P3 with initial memory ρ0(s) = 1 then it executes the set !s after the read s?
without any set having happened before the read. Similarly, we get a reset ¡s after the
read s? in P4, but this reset value has not been established before the read. Therefore,
neither P3 nor P4 is B-reactive. In the hardware translation of Esterel, P3 would be
a delay loop s = s which has two stable solutions s = 0 and s = 1, while P4 generates
essentially the feedback system s = s · ¬s which may produce glitches before it settles
at s = 0, if it stabilises at all.
P3 and P4 would be acceptable if the status of s was already decided before the test s?.
For instance, in !s ; P3 the second !s in P3 is ineffective from the point of view of
the read access because the status 1 on s is determined by the first !s which occurs
sequentially before the read. Thus, executing !s ; P3 is B-admissible. P4 can be executed
admissibly in the form ¡s ; P4 which then bypasses the reset ¡s in P4. On the other
hand, !s ; P4 would not be B-reactive because it generates a reset ¡s after a set !s. We
note that all programs P1–P4 are sequentially admissible [84] (called ∆∗-admissibility
in [4]) because under sequential admissibility glitches can only be generated from
concurrent accesses, not sequential ones as in P1 and P2.
Example 8. Although each fprog P := x ? !y : ε and Q := y ? !x : ε is B-reactive,
their concurrent composition fprog P ‖ Q is not. There is only one initial memory
ρ0 from which this has any B-admissible instants, viz. ρ0(x) = ρ0(y) = 0. Suppose
initially ρ0(x) = 1 or ρ0(y) = 1. Then either the write statement !y in P is executed
after y has been read by Q, or !x in Q is executed after x is read by P. Both violate
Def. 4(2) because there are no other writes before the read which would make the
“late” write ineffective.
Example 9. All the scheduling sequences R : ({T1},ρ0) ↠ ({},ρ21) of Ex. 4 following
the transitions coloured green in Fig. 2 are B-admissible. None of the scheduling
sequences going through a red transition, entering region A or B, is B-admissible. The
sequences entering region A are violating Def. 4(1) by resetting variable s (dashed red
arrows labelled ¡s) after s has been set (solid red arrows labelled !s). The sequences
entering region B are breaking the constraint Def. 4(2) because variable t is set (solid
red arrow labelled !t) after it has been read (dashed red arrows labelled t?), without
any setting of variable t before the read. However, since at least one B-admissible
scheduling sequence leads to completion, the program !s ; !t ‖ ¡s ; t ? ε : π of Ex. 4 is
B-reactive.
2) SC-Admissibility and SC-Read-Determinacy: When it comes to the question of
determinacy then we want the underlying notion of X-admissibility to be as weak as
possible. If a program analysis detects determinacy under all X-admissible executions,
then the implied level of robustness depends on how much non-determinism is
still permitted by X-admissible executions. For instance, if X-admissibility limits
execution to a single micro-sequence, e.g. through a global linear priority ordering
on all statements, then determinacy is trivial. On the other hand, knowing that
a program is determinate under all free schedules, is a very strong (and rare)
property for a program to have. To get more headroom for our main result we use
SC-admissibility. In contrast to B-admissibility this admits writes-after-reads and
resets-after-sets, if these are sequential successors in program order or confluent.
The following definition is rephrased from [84], [86].
Definition 5 (SC-Admissibility and Reactiveness). A micro-sequence R : (Σ0,ρ0) ↠
(Σn,ρn) is SC-admissible if for every two processes R(i), R(j) such that 0 < i < j ≤ n
and either
(i) R(i) reads (tests) a variable s, on which R(j) subsequently performs a reset ¡s
or set !s, or
(ii) R(i) performs a set !s on a variable s, on which R(j) subsequently performs a
reset ¡s,
the first R(i) is sequentially before R(j) in program order or both are confluent, i.e.,
we have R(i).id ⪯ R(j).id or R(i) ∼(Σi,ρi) R(j).
An fprog P is SC-reactive if from every initial configuration ({〈0,P,[ ]〉},ρ0) there
is at least one SC-admissible instant for P.
One can show that B-admissibility is more restrictive than SC-admissibility.
Proposition 1. Every B-admissible micro-sequence is also SC-admissible.
Proof: Let R : (Σ0,ρ0) ↠ (Σn,ρn) be a B-admissible micro-sequence, with
process instances R(i) and R(j) such that 0 < i < j ≤ n. First note that by
condition (1) of B-admissibility (Def. 4), the situation (ii) of Def. 5 cannot occur. We
only need to care about the situation (i), where R(i) is a read and R(j) a write
of the same variable s. But then condition (2) of B-admissibility implies both are
confluent, i.e., R(i) ∼(Σi,ρi) R(j). This was to be shown.
Example 10. The program of Ex. 4 is B-reactive and thus also SC-reactive. However, it does
not have any SC-admissible scheduling sequences which are not B-admissible at the
same time. None of the scheduling sequences entering regions A or B in Fig. 2
are SC-admissible. Let us look at what happens in region A. For instance, take the
scheduling
R = T1,T21,T31,T41,T22,T32,T42,T521,T20 : ({T1},ρ0) ↠ ({},ρ22)
in which R(3) = T31 performs a set !s and later R(6) = T32 performs a reset ¡s.
This violation of resets-before-sets is permitted under SC-admissibility only if the
micro-steps are sequentially ordered or confluent. The former is not the case, T31.id =
0.l.0 ⋠ 0.r.0 = T32.id, because both processes are from concurrent threads. The latter
is not the case either, because T31 ≁({T20,T31,T22},ρ0) T32. In fact, there is the (free)
schedule T22 : ({T20,T31,T22},ρ0) → ({T20,T31,T32},ρ0) (underlined in Fig. 2) which
reaches the configuration ({T20,T31,T32},ρ0) in which both T31 and T32 are active and
conflicting (see Def. 3). Executing T31,T32 from here leads to ({T20,T41,T42},ρ12) while
the swapped ordering T32,T31 ends up in ({T20,T41,T42},ρ11), which have different
memories.
Similarly, one can show that the two concurrent processes T42 and T41 which read
and set variable t are in conflict on every schedule that runs through region B. The
critical configuration for region B is ({T20,T41,T42},ρ11) (underlined in Fig. 2) in
which processes T42 and T41 are in conflict with each other.
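The following is an added example, written for this report and not part of the authors' pSCL implementation, that turns the micro-step semantics of this section (the mem and nxt rules (1)–(6) and Ex. 3), the free scheduling of Def. 2 and Ex. 4, confluence (Def. 3), B-admissibility (Def. 4, Ex. 7–9) and SC-admissibility (Def. 5, Ex. 10, Prop. 1) into runnable Python. The tuple encoding of programs, the representation of identifiers as tuples such as (0, 'r', 2) for 0.r.2, and all function names are assumptions of this example; the rec operator is left out because only fprogs are needed.

```python
# Added example (constructed for this report, not the authors' code): mem/nxt with
# rules (1)-(6), active processes (Def. 2), micro-steps (7), free scheduling (9),
# confluence (Def. 3), B-admissibility (Def. 4) and SC-admissibility (Def. 5).
# Assumed encoding: programs are nested tuples (rec omitted, fprogs suffice), ids are
# tuples like (0, 'r', 2) for 0.r.2, memories dicts, pools frozensets of (id, P, Ks).
EPS, PAUSE = ('eps',), ('pause',)                     # ε and π
def SET(s): return ('set', s)                         # !s
def RESET(s): return ('reset', s)                     # ¡s
def SEQ(p, q): return ('seq', p, q)                   # p ; q
def PAR(p, q): return ('par', p, q)                   # p || q
def IF(s, p, q): return ('if', s, p, q)               # s ? p : q
def pool(P): return frozenset({((0,), P, ())})        # Σ of the initial configuration
def inc(i): return i[:-1] + (i[-1] + 1,)              # inc(1.r.6) = 1.r.7

def prec(i, j):                                       # i ≺ j of Def. 1
    for a, b in zip(i, j):
        if a != b:
            return isinstance(a, int) and isinstance(b, int) and a < b
    return len(i) < len(j)

def mem(T, rho):                                      # only !s (s := 1) and ¡s (s := 0) write
    P, new = T[1], dict(rho)
    if P[0] in ('set', 'reset'):
        new[P[1]] = 1 if P[0] == 'set' else 0
    return new

def nxt(T, rho):                                      # successors of T = (ι, P, Ks), rules (1)-(6)
    i, P, Ks = T
    if P[0] in ('eps', 'set', 'reset'):               # (1), (2)
        return set() if not Ks else {(inc(i), Ks[0], Ks[1:])}
    if P[0] == 'seq':                                 # (3): structural, no increment
        return {(i, P[1], (P[2],) + Ks)}
    if P[0] == 'if':                                  # (5): branch is a sequential successor
        return {(inc(i), P[2] if rho[P[1]] == 1 else P[3], Ks)}
    if P[0] == 'par':                                 # (6): join plus the l.0 / r.0 children
        return {(i, EPS, Ks), (i + ('l', 0), P[1], ()), (i + ('r', 0), P[2], ())}
    raise ValueError('a pausing process only moves at the clock tick')

def active(Sigma):                                    # Def. 2: not pausing, ⪯-maximal identifier
    return [T for T in Sigma if T[1] != PAUSE and not any(prec(T[0], U[0]) for U in Sigma)]

def step(T, Sigma, rho):                              # micro-step (7): (Σ', ρ') = T(Σ, ρ)
    return (Sigma - {T}) | frozenset(nxt(T, rho)), mem(T, rho)

def instants(Sigma, rho):
    """Every maximal micro-sequence (instant) under free scheduling, returned as
    (R, Σk, ρk) with R = [(Σj, ρj, Tj), ...], Tj being executed in (Σj, ρj)."""
    out = []
    def go(S, r, R):
        act = active(S)
        if not act:                                   # quiescent configuration
            out.append((R, S, r)); return
        for T in act:
            go(*step(T, S, r), R + [(S, r, T)])
    go(Sigma, rho, [])
    return out

def access(T):                                        # ('read'|'set'|'reset', s) or None
    P = T[1]
    return ('read', P[1]) if P[0] == 'if' else (P if P[0] in ('set', 'reset') else None)

def confluent(T1, T2, S, r):
    """T1 ~(Σ,ρ) T2 (Def. 3): no configuration reachable from (Σ,ρ) has both
    active with the two execution orders giving different results."""
    seen, todo = set(), [(S, r)]
    while todo:
        S, r = todo.pop()
        if (S, frozenset(r.items())) in seen: continue
        seen.add((S, frozenset(r.items())))
        act = active(S)
        if T1 in act and T2 in act and step(T1, *step(T2, S, r)) != step(T2, *step(T1, S, r)):
            return False
        todo += [step(T, S, r) for T in act]
    return True

def races(R):                                         # i < j accessing the same variable
    acc = [access(T) for _, _, T in R]
    return [(i, j, acc[i], acc[j]) for i in range(len(acc)) for j in range(i + 1, len(acc))
            if acc[i] and acc[j] and acc[i][1] == acc[j][1]]

def b_admissible(R):
    """Def. 4: no reset after a set; a write after a read only if the same write
    already happened before the read and read and write are confluent."""
    for j, k, a, b in races(R):
        if a[0] == 'set' and b[0] == 'reset':                              # (1)
            return False
        if a[0] == 'read' and b[0] != 'read':                              # (2)
            S, r, Tj = R[j]
            if not (any(access(T) == b for _, _, T in R[:j]) and confluent(Tj, R[k][2], S, r)):
                return False
    return True

def sc_admissible(R):
    """Def. 5: read-then-write and set-then-reset pairs must be in program order
    (R(i).id ⪯ R(j).id) or confluent in (Σi, ρi)."""
    for i, j, a, b in races(R):
        if (a[0] == 'read' and b[0] != 'read') or (a[0] == 'set' and b[0] == 'reset'):
            (S, r, Ti), Tj = R[i], R[j][2]
            if not (Ti[0] == Tj[0] or prec(Ti[0], Tj[0]) or confluent(Ti, Tj, S, r)):
                return False
    return True

def b_reactive_from(P, rho):                          # some instant from ({<0,P,[]>}, ρ) is B-admissible
    return any(b_admissible(R) for R, _, _ in instants(pool(P), rho))

# Root program of Ex. 4: (!s ; !t) || (¡s ; t ? ε : π)
EX4 = PAR(SEQ(SET('s'), SET('t')), SEQ(RESET('s'), IF('t', EPS, PAUSE)))
```

Calling instants(pool(EX4), {'s': 0, 't': 0}) enumerates the free scheduling graph of Fig. 2 from its root: this model finds 20 instants whose quiescent configurations are exactly the four shown in Fig. 2 (the empty pool or {T20,T522}, each with ρ21 or ρ22), of which exactly three are B-admissible, all terminating instantaneously in ({},ρ21) as Ex. 9 states; filtering the same 20 instants with sc_admissible yields the same three, which is the observation of Ex. 10. The schedule T1,T21,T31,T41,T22,T32,T42,T521,T20 of Ex. 10 is among the 20 and ends in ({},ρ22) with s = 0; b_admissible rejects it by Def. 4(1), and sc_admissible rejects it because confluent discovers the conflicting configuration ({T20,T31,T32},ρ0). B-reactiveness is checked per initial memory with b_reactive_from, so Def. 4's quantification over every ρ0 is a loop over the memories of interest.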
Clearly, by Prop. 1, every B-reactive program is also SC-reactive. An X-reactive
program is guaranteed not to deadlock under X-admissible execution. However, it
may be non-determinate, i.e., generate different final memory states. In defining
determinacy precisely we meet another degree of freedom, depending on whether or
not we permit the outcome at the end of an instant to be functionally dependent on
the memory configuration at the beginning of the instant. For instance, we might
distinguish, as done in Esterel V7, between temporary and registered variables. The
value of a temporary variable is ephemeral and must be recomputed by the program
at every instant. The value of a registered variable is provided by the environment in
memory at the beginning of each instant. Hence, the final response may depend on
the initial value of registered variables but not on the initial value of the temporary
variables. This gives rise to the following definition, parametric in X-admissibility,
where the notations ↠X and ⟹X are used to indicate that the corresponding
micro-sequence complies with a particular notion X of admissibility. E.g. ↠B refers
to a B-admissible micro-sequence and ⟹SC indicates an SC-admissible instant.
Definition 6 (X-Determinacy). For a given set of temporary variables W ⊆ V, an
fprog P is X-determinate for W (XW-determinate) iff the following two conditions
hold:
1) For every fixed initial memory, P computes the same final memory in all
X-admissible instants.
Formally, if (⟨ι,P⟩,ρ0) ⟹X (Σ0,γ0) and (⟨ι,P⟩,ρ0) ⟹X (Σ1,γ1) then γ0 = γ1.
2) For every temporary variable in W, P either (i) computes the very same final
value in all X-admissible instants, or (ii) it does not modify the initial memory
value of this variable in any X-admissible instant. In other words, if P changes
the value of a variable x ∈ W in any X-admissible instant then this must be
the final value for x in all X-admissible instants.
Formally, for all x ∈ W and γ0, ρ0, Σ0: if (⟨ι,P⟩,ρ0) ⟹X (Σ0,γ0) and γ0(x) ≠
ρ0(x), then for all γ1, ρ1, Σ1 such that (⟨ι,P⟩,ρ1) ⟹X (Σ1,γ1), we have
γ1(x) = γ0(x).
In this report we will treat two special cases: When W is the empty set, W = ∅,
then XW-determinacy is simply called X-determinacy. When W = rd(P) is the set
of read variables of P, defined by
rd(P) := rd(P1) ∪ rd(P2)            if P = P1 || P2 or P = P1 ; P2
         {s} ∪ rd(P1) ∪ rd(P2)      if P = s ? P1 : P2
         ∅                          otherwise
then XW-determinacy is referred to as X-read-determinacy. The following proposition
is obvious, with Prop. 1:
Proposition 2. Every X-read-determinate fprog is also X-determinate and every
SC-determinate program is B-determinate.
Note that purely sequential programs, i.e., those without the concurrency operator
‖, are trivially deterministic and hence SC-read-determinate. Sequential programs
are also always SC-reactive. They can however fail B-reactiveness, namely if their
execution is not B-admissible because it generates a causal hazard in the access to
a variable (see Ex. 7). This models the stronger interpretation of reactiveness in
the more conservative SMoCCs like Esterel and Quartz which we deal with here.
Also, SC-read-determinacy is trivial for pure input variables which are never written
by a program, because their final value will always be the same as the initial value.
Hence, all programs, including those containing the ‖ operator, with disjoint input
and output variables, are SC-read-determinate but possibly not B-reactive.
The following Ex. 11 brings home the problems causality poses for compositionality.
Example 11. All P1, P3, P4 from Ex. 7 are purely sequential programs which are
not B-reactive but SC-read-determinate. An fprog which is B-reactive but not SC-
determinate is the parallel composition P ||Q, where P := x ?  : !y and Q := y ?  : !x.
The left component P sets y to 1 if x is 0 and the right sub-expression Q sets x to 1
if y is 0. Indeed, if both variables x,y ∈ rd(P ‖Q) are initially ρ0(x) = ρ0(y) = 0, the
response of P ||Q is non-determinate (under B-admissible scheduling). If P is first
executed to termination and then Q, we get the final memory γ0(x) = 0,γ0(y) = 1;
otherwise, if we first execute Q and then P , the result will be γ0(x) = 1,γ0(y) = 0.
This is an internal non-determinism observable from a single fixed initial memory.
P ||Q is B-reactive but not B-determinate and thus neither SC-determinate.
That a program is non-determinate does not mean all its sub-programs must be
non-determinate, too. E.g., both fprogs P and Q in this example are SC-read-determinate.
For instance, the only read variable x ∈ rd(P) is not touched by P and thus left to be
controlled by the environment. This satisfies condition (2) of Def. 6. Note that the
value of y is changed in the SC-admissible execution of P starting from ρ0(x) = 0 and
ρ0(y) = 0 and its final value γ0(y) = 1 is not the final value for all SC-admissible
instants, e.g., if ρ0(x) = 1 and ρ0(y) = 0 then we get γ0(y) = 0. However, this is not
a violation of Def. 6(2) because y ∉ rd(P).
Finally note that non-determinate programs can become determinate in context.
E.g., the SC-admissibility rules make sure that in P ||Q || !x the set !x is executed
before the test x? in P, which means that P does not write !y which prevents Q
from writing !x, thereby avoiding an admissibility hazard with any earlier read of
y by Q. Moreover, since the set !x is executed before the read x? by P , the set !x
by Q is confluent with the read. As a consequence, for any given initial memory ρ0,
all SC-admissible executions of P ||Q || !x produce the same determinate response γ0
with γ0(x) = 1 and γ0(y) = ρ0(y) is the initial value. Thus, the fprog P ||Q || !x is
SC-read-determinate.
In Sec. IV below we shall give a sound denotational fixed point analysis to check
whether a program is B-reactive and SC-read-determinate. Our fixed point
characterisation defines the class of input Berry constructive (IBC) programs which includes
more programs than the strong Berry constructive (SBC) programs introduced
in [4]. The result established in [4], that every SBC program is SC-reactive and
SC-determinate, is a corollary of the main Thm. 1 in this report which says that
every IBC program is B-reactive and SC-read-determinate.
We first need to introduce the appropriate abstract semantical domains. This is
done in the following Sec. III.
III. Abstract Domains and Environments
The constructiveness analysis on finite pSCL programs (fprogs) takes place in an
abstract domain of information values which describe the sequential and concurrent
interaction of signals. It accounts for data dependencies and can deal with the
difference of a variable retaining its original initial value from the initial memory
(pristine), being initialised to 0 and then either remaining 0 (signal absence) or
being set to 1 (signal presence). This includes monotonic value changes from 0 to 1
and, essentially, corresponds to Berry’s notion of constructiveness in Esterel [12],
yet is able to deal with explicit initialisations which requires the ability to cope
with prescriptive sequencing. This section introduces this abstract domain and its
natural extension to environments, namely discrete structures able to maintain the
information of a number of signal variables.
A. Value Domain I(D) of Value Status
Instead of distinguishing just two signal statuses “absent” and “present” as in
traditional SMoCC, we consider the sequential behaviour of a variable (during each
instant) as taking place in a linearly ordered 4-valued domain D = {⊥ ≤ 0 ≤ 1 ≤ ⊤}.
This requires us to consider two additional logical memory values, namely ⊥ and ⊤. The
former indicates that the corresponding variable contains its initial memory value,
i.e., a pristine 0 or 1. The latter tells us that the variable value has passed from 1 to 0
at some point, independently of what the final memory result is. The linear ordering
≤ captures a trajectory through a single instance of the iur protocol. Observe the
difference between the variable values B = {0,1}, which appear at “run-time” as
defined in the operational semantics, and the signal statuses D, which are the basis
of constructiveness analysis. The latter lifts our description to a higher level in which
the semantics of variables is enriched to reflect the fact that they are controlled by
an implicit synchronisation protocol. Observe that the ordering ≤ in D is transitive
which permits monotonic status changes from ⊥ directly to 1, without first passing
through 0. This means a program can set a variable (emit a signal in Esterel) which
has not been explicitly reset. This matches the iur protocol, from which the notions
of B/SC-admissibility are derived, which does not require an update to be preceded
by an init operation. However, our fixed point semantics can be easily modified,
without changing the domain D, for the stronger requirement if needed.
We now go one step further in the abstraction. In the analysis we operate on
predictions of variable statuses. Possible statuses of variables are approximated by
closed intervals I(D) = {[a,b] | a,b ∈ D, a ≤ b} over D. An interval [a,b] ∈ I(D) in this
10-valued domain corresponds to the set of statuses set([a,b]) = {x | a ≤ x ≤ b} ⊆ D.
Intervals [a,b] such that a < b denote uncertain information, i.e., a potential
non-deterministic response. Such a general interval represents an approximation to the
final (stable) state of a variable from its two ends, the lower bound a and the upper
bound b. An interval [a,b] associated with a variable x ∈ V can thus be read as
follows: “the executions of the statements so far ensure that x has currently status a,
yet it cannot be excluded that some statements might be executed which could change
(increase) the status of x up to b”. In this vein, the intervals [a,a] correspond to
decided, or crisp, statuses which are naturally identified with the values ⊥ = [⊥,⊥],
0 = [0,0], 1 = [1,1] and ⊤ = [⊤,⊤] of D, respectively, i.e., D ⊂ I(D). A variable s ∈ V
with status γ ∈ I(D) is denoted by sγ.
Example 12. When computing the reaction of fprog ¡s ; x ? !s : , the interval for s
will be [0,1], assuming the status of x is not decided yet, say, x[⊥,⊤]. The status s[0,1]
for variable s indicates that a reset ¡s must definitively be executed, but there is at
least one set !s that can potentially be executed, which is why the status of s ranges
between 0 and 1.
On the domain I(D) we can define two natural orderings:
• The point-wise ordering [a1,b1] ⪯ [a2,b2] iff a1 ≤ a2 and b1 ≤ b2, and
• the (inverse) inclusion ordering [a1,b1] ⊑ [a2,b2] iff set([a2,b2]) ⊆ set([a1,b1]),
which endow I(D) with a full lattice structure for ⪯ and a lower semi-lattice structure
for ⊑. The point-wise lattice ⟨I(D),⪯⟩ has minimum element [⊥,⊥] and the minimum
for the inclusion semi-lattice ⟨I(D),⊑⟩ is [⊥,⊤]. The element [⊤,⊤] is a maximal
element for both orderings but it is the maximum only for ⪯. For ⊑ all singleton
intervals [a,a] are maximal. Join ∨ and meet ∧ for the ⪯-lattice are obtained in the
point-wise manner:
[a1,b1] ∨ [a2,b2] = [max(a1,a2), max(b1,b2)]
[a1,b1] ∧ [a2,b2] = [min(a1,a2), min(b1,b2)].
In the inclusion ⊑-lattice the meet ⊓ is
[a1,b1] ⊓ [a2,b2] = [min(a1,a2), max(b1,b2)].
The semi-lattice ⟨I(D),⊑⟩ does not possess joins, but it is consistent complete, i.e.,
whenever in a nonempty subset ∅ ≠ X ⊆ D any two elements x1,x2 ∈ X have an
upper bound y ∈ D, i.e., x1 ⊑ y and x2 ⊑ y, then there exists the least upper bound
⊔X = ⊓{y | ∀x ∈ X. x ⊑ y}. This will give us least fixed points.
Fig. 3 illustrates the two-dimensional lattice structure of I(D). The vertical
direction (upwards, green arrows) corresponds to ⪯ and captures the sequential
dimension of the statuses. The horizontal direction (left-to-right, blue arrows) is
the inclusion ordering ⊑ and expresses the degree of precision of the approximation.
The most precise status description is given by the crisp values on the right side,
which are ⊑-maximal and are order-isomorphic to the embedded domain D. The
least precise information value is the interval [⊥,⊤] on the left. The following Ex. 13
illustrates how we can use the domain I(D) in the fixed point analysis to navigate in
both dimensions ⪯ and ⊑ for determining the instantaneous response of a program.
[Fig. 3. Domain I(D) for Approximating Signal Variable Statuses. The figure arranges
the ten intervals [⊥,⊥], [0,0], [1,1], [⊤,⊤] (crisp values, right), [⊥,0], [0,1], [1,⊤],
[⊥,1], [0,⊤] and [⊥,⊤] (left) along the vertical (⪯,∨) and horizontal (⊑,⊓) directions;
Kleene's ternary domain (Esterel) is the inner part, the rest is the extension for
initialisation and crash.]
Example 13. Consider the fprog P := (x ?  : (!y ‖ !z)) ‖ (y ?  : !x). Suppose that
we execute P in a sequential thread in which all three variables are initially pristine,
i.e., with status x⊥, y⊥ and z⊥. What are the final values of the variables when
P is completed? Since we do not know what the memory values of x and y are, we
do not know how the branches are decided, i.e., whether the first concurrent thread
x ?  : (!y ‖ !z) will execute  or set both variables y and z in !y ‖ !z. Similarly, we
cannot decide if the second thread y ?  : !x sets x or not. Yet, what we do know is
that the variables x, y or z may be set but cannot crash because there is no reset on
any of them. So, the best approximation for the response of P , in terms of intervals
I(D), is the final status x[⊥,1], y[⊥,1], and z[⊥,1].
Now put P in parallel with the program Q := ¡x ‖ !y. Since Q certainly executes the
reset ¡x and no other write accesses to x, this produces the response x0. Combining
this with the status obtained from P gives the joint response x0∨[⊥,1] = x[0,1]. This
tells us that x must certainly be reset (viz. by Q) and then might be set (viz. by P ).
Notice how the interval [⊥,1] has shrunk to [0,1], which provides tighter information.
What about variable y? It is set by Q and never reset, which means its status, after
executing Q, is at least 1. By the iur protocol the set !y must wait for any potential
reset on y to have happened in the environment. In this case, P does not have a reset
on y, so the set !y of Q must go ahead, giving y1 for the response of Q. This merges
with the information from P to the joint response y1∨[⊥,1] = y1.
But now we have narrowed down the status of y to a crisp 1, which implies that
the conditional test y ?  : !x in the second thread of P is decided. So we conclude
that the set !x must definitely be executed. Therefore, the status of x from P in our
first approximation can now be tightened from x[⊥,⊤] to x1. Once we have that, the
conditional x ?  : (!y ‖ !z) in the first thread of P is decided, too, implying that the
set !z must be executed by P implying 1 as a lower bound for the status of z and an
increase of information from z[⊥,1] to z1. Since all three variables are now fixed to
have crisp statuses x1, y1, z1, the program P ‖Q is called strongly Berry constructive.
From [4] this implies that P ‖Q is sequentially constructive, i.e., SC-reactive and
SC-determinate. From the results reported here it will follow that it is also B-reactive
and SC-read-determinate.
[Fig. 4. The domain P coding the initialisation status. Its elements 0, 1 and 2 are
arranged along the orderings (⪯,∨) and (⊒,⊓).]
Observe that the well-known ternary domain (Kleene) for the fixed-point analysis
of Pure Esterel [12] or constructive Boolean circuits [63] is captured, as indicated
in Fig. 3, by the inner part with values [0,0] (“absent”), [1,1] (“present”) and
[0,1] (“undefined”). In ternary analysis all signal variables are implicitly assumed
initialised, hence no need for ⊥. Moreover, since there is no reset operator and thus
programs cannot fail the monotonic single-change requirement, there is no need for ⊤
either, in languages such as Esterel, as long as initialisation of signals is implemented
by the run-time rather than the program. This ternary fragment of I(D) corresponds
to three-valued Kleene logic with ∨ disjunction and ∧ logical conjunction. Fig. 3
visualises clearly how the 10-valued domain I(D) offers an extended playground to
represent the logic of explicit initialisation.
Interestingly, another recent approach to enrich the standard ternary domain
is the constructive semantics by Talpin et al. [76] for a multi-clocked synchronous
(polysynchronous) data-flow language which integrates Quartz and Signal. This
extension is based on a lattice D which extends {[0,0], [1,1], [0,1]} by elements ? for
representing unknown and  for inconsistent signal statuses similar to our ⊥ and
>. It also contains Boolean values for “true” and “false” (embedded as refinements
of the present status) which our domain I(D) does not model. On the other hand,
the partial order D of [76] does not have an interval structure like I(D), which is
the key to modelling Esterel-style reaction to absence. This is not needed in the
data-flow semantics of [76].
B. Semantic Domain I(D,P) of Signal Status
There is one logical refinement to the domain I(D) that we need to make in
order to keep proper track of the completion of the initialisation phase on each
variable. According to the synchronous protocol a set !s contained in a program
can only go ahead if it is guaranteed that no reset ¡s on this variable is possibly
outstanding. There is no information in the intervals of I(D) to express that no
reset is outstanding. For instance, the status s[0,1] specifies that the initialisation of
s has been started and that there is a waiting update access on s, but it does not
tell if there are any other resets ¡s still pending. However, this is important in the
constructive scheduling, because only if the initialisation phase has been completed,
the waiting update !s is permitted to proceed changing the status to s[1,1].
To capture the termination of the initialisation phase of the “init;update;read”
protocol, we enrich the interval domain by an additional token r ∈ P = {0,1,2},
called the init status. The status 2 expresses that the “init” phase is ongoing and
a reset is still predicted. The status 1 means that no more resets are outstanding,
i.e., the init phase is completed, but the protocol is still running. Finally, if the
“init;update” is finished, and thus the value of the variable determined, the init status
0 is obtained.
As for I(D) there are natural sequential and information-theoretic orderings on P
as seen in Fig. 4. The sequential ordering ⪯ is given by 0 ⪯ 1 ⪯ 2 which reflects the
fact that in sequential order a finished computation (0) must first become blocked
at a set or a conditional test (1) to start a running protocol, before it reaches
a predicted reset ¡s which witnesses an incomplete initialisation (2) for the reset
variable s. In contrast, the information ordering on P is the opposite, 2 ⊑ 1 ⊑ 0,
which models the narrowing of behaviour that occurs when the status of variables
becomes more and more decided. The init status 2 is least informative. It says that
the protocol is contingent and that there may still be potential resets outstanding.
With the value 1 the protocol is still contingent but the init phase is finished, i.e.,
no resets are possible any more. Finally, 0 is the tightest status for it says that the
protocol is finished and that no resets are possible.
The domain (P,⪯,⊑) is a lattice for both ⪯ and ⊑ in which only the semi-lattice
structure will be relevant, induced by the join operations r1 ∨ r2 = r1 ⊓ r2 = max(r1,r2).
Our definition of constructive behaviours will be based on a fixed point analysis in
the product domain
I(D,P) = {([l,u], r) | [l,u] ∈ D, r ∈ P} = I(D)×P.
We will write a typical element ([l,u], r) ∈ I(D,P) more compactly as [l,u]:r and
refer to the interval [l,u] as the value status to separate it from the init status r.
If r = 0 we simply write [l,u] instead of [l,u]:0 or even a instead of [a,a]:0. In this
fashion we naturally consider D as a subset of I(D,P). Generally, as before, when
an interval is a singleton we write it as an element in D, even if its init status is not
0. For instance, 0:1 is the same as [0,0]:1 or ⊥:2 stands for [⊥,⊥]:2. These singleton
intervals are contained within the dotted regions in Fig. 5.
The orderings ⊑ and ⪯ on I(D,P) are inherited component-wise from the
corresponding orderings in the domains I(D) and P, respectively. The init status
is logically part of the upper bound and so we define the upper projection on
I(D,P) by stipulating upp([l,u]:r) = [⊥,u]:r, and for the lower projection we set
low([l,u]:r) = [l,⊤]:2. The same is obtained if we define the upper projection
separately on P as the identity, i.e., upp(r) = r for all r ∈ P and the lower projection
as the constant function low(r) = 2 for all r ∈ P. Then, upp and low on I(D,P) are
obtained component-wise from upp and low on I(D) and P, respectively.
Note that I(D,P) is essentially a tripling of I(D), extending the domain I(D) by
the information contained in P.⁴ This is illustrated in Fig. 5.
Example 14. Consider the fprog P := ¡s ; x ? !s : ¡s. Suppose we do not know anything
about the status of x in the current environment. This is captured by the status x[⊥,⊤]:2
which is the ⊑-minimal element in I(D,P). It not only leaves open the full range
[⊥,⊤] for the value status of x; the init status 2 also models an unfinished “init” and a
possible outstanding reset on x. Now, if the status of x is so maximally undetermined,
the conditional x ? !s : ¡s is undecided. We cannot say if the initial reset ¡s in P is
followed by the set !s or the reset ¡s. Consequently, the response of P for s will be
[0,1]:2. The init status 2 indicates that the protocol execution of P on s is speculative
and that there is a possible reset on s which may become active. The response of P
on variable x, on the other hand, yields x⊥:1 because the value status is guaranteed
to remain pristine but the computation is nevertheless speculative (because of the
blocked conditional test on x).
When the state of x becomes decided with a crisp x0 = x[0,0]:0, then the conditional
is switched through into the left branch containing the reset ¡s and the response of P
for s refines into 0 = [0,0]:0, too. When x is decided present x1 then the conditional
is unblocked and the set !s is executed. Hence, the response for s becomes 1 = [1,1]:0.
Both responses for s have init status 0 stating that the “init;update;read” protocol on
s is completed.
⁴ This extra bit for indicating predicted resets has been missing in our publication [4] where this fixed
point analysis was introduced for the first time.
[Fig. 5. The extended interval domain I(D,P) including the init status P = {0,1,2}: the
three copies I(D):0, I(D):1 and I(D):2 of I(D), with the crisp values ⊥, 0, 1, ⊤ marked.]
Example 15. Consider a reset followed by a set, i.e., the cprog P := ¡x ; !x. Let
us schedule the micro-steps of P starting from the sequential status S0 = x⊥, or
equivalently, S0 = x[⊥,⊥]:0. This represents a fully determined initial memory of
unknown value. The reset ¡x is the first micro-step of P to be scheduled, raising
the status of x to S1 = x0. The init status is still 0 because the reset terminates
instantaneously. Thus, we reach the set P ′ := !x as the continuation program. To be
scheduled the set must wait for the completion of the init phase which depends on
the concurrent environment. In the environment C0 := x[⊥,⊤]:2 our sequential thread
is blocked at the set. However, what we can conclude about the sequential response
of P is that x undergoes a reset and then possibly a set, yielding the final status
S2 := x[0,1]:1. We cannot put the lower bound to 1 because we have no guarantee that
the set is actually executed. Also, the init status 1 informs the environment that the
“init;update” in P is blocked but P does not produce any further resets, if it ever were
to be continued. Assuming that P is running alone by itself we can strengthen the
initial approximation C0 of the environment by C1 := S2 and reanalyse P , again from
the sequential status S0. Now as we reach the set !x, the refined environment C1 with
init status 1 unblocks the set !x and we obtain the final sequential status S3 := x1.
The status of variables and their evolutions over time are kept in discrete structures,
called environments E : V → I(D,P) mapping each variable x ∈ V to a status
E(x) ∈ I(D,P). The orderings and (semi-)lattice operations are lifted to environments
by stipulating
E1 ⊴ E2 iff E1(x) ⊴ E2(x) for all x ∈ V, for ⊴ ∈ {⪯,⊑}, and
(E1 ⊙ E2)(x) = E1(x) ⊙ E2(x) for ⊙ ∈ {∨,∧,⊓}.
If E(x) = [a,b]:r then we will also write x[a,b]:r ∈ E and further xa ∈ E when E(x) =
[a,a]:0. Using this notation we can view environments as sets of variable statuses
E = {x[a,b]:r | E(x) = [a,b]:r} with the property that if x[a,b]:r ∈ E and x[a′,b′]:r′ ∈ E,
then a = a′ and b = b′ and r = r′.
It is natural to identify the values [a,b]:r ∈ I(D) with constant environments such
that ([a,b]:r)(x) = [a,b]:r for all x ∈ V. An environment E is called decided if for all
variables x ∈ V there exists b ∈ D with b:1 ⊑ E(x); crisp if for all variables x ∈ V
there exists b ∈ D such that b ⊑ E(x); ternary if E(x) ∈ {0,1,[0,1]} for all variables
x ∈ V; crash-free if E(x) ⪯ 1:2 for all x ∈ V. An environment E in which all entries
are one-sided lower (upper) intervals, i.e., in which x[a,b]:r ∈ E implies b = ⊤ and
r = 2 (a = ⊥), is called a lower (upper) environment. Every environment can be
separated into its lower and upper projections
low(E) := {x[a,⊤]:2 | x[a,b]:r ∈ E}      upp(E) := {x[⊥,b]:r | x[a,b]:r ∈ E}
so that
E = low(E) ⊔ upp(E) = ⊓{X | low(E) ⊑ X and upp(E) ⊑ X},
where the join exists since low(E) ⊑ E and upp(E) ⊑ E, i.e., low(E) and upp(E)
are always consistent. Observe further that low(E) = E ∨ [⊥,⊤]:2 = E ⊓ ⊤:2 and
upp(E) = E ⊓ ⊥:0.
We use the set-like notation {⟨x1^γ1, x2^γ2, …, xn^γn⟩} to specify a finite environment
that explicitly sets the status for the listed variables xi and implicitly defines the
status ⊥ for all other variables z ∈ V \ {x1,x2,…,xn}. Then, the empty environment
{⟨⟩} = ⊥ = [⊥,⊥]:0 is the neutral element for ∨ which acts as the operator for set
union.
Example 16. Let S1 = {⟨x0, y[0,⊤]:2⟩} and S2 = {⟨x[⊥,1]:1, z[0,1]⟩}. Then, S1 = {⟨x0⟩} ∨
{⟨y[0,⊤]:2⟩}, S2 = {⟨x[⊥,1]:1⟩} ∨ {⟨z[0,1]⟩} and
S1 ∨ S2 = {⟨x0∨[⊥,1]:1, y[0,⊤]:2∨⊥, z⊥∨[0,1]⟩} = {⟨x[0,1]:1, y[0,⊤]:2, z[0,1]⟩}
S1 ⊓ S2 = {⟨x0⊓[⊥,1]:1, y[0,⊤]:2⊓⊥, z⊥⊓[0,1]⟩} = {⟨x[⊥,1]:1, y[⊥,⊤]:2, z[⊥,1]⟩}.
C. Some Useful Properties of the Interval Domain I(D,P)
The following results all express inherent properties of the domain (I(D,P),
⪯, ∨, ⊑, ⊓) but are phrased here in more general form for environments.
Lemma 1.
1) low(E) = E ∨ [⊥,⊤]:2 = E ⊓ ⊤:2
2) upp(E) = E ∧ [⊥,⊤]:2 = E ⊓ ⊥:0 = E ⊓ ⊥.
Proof: Trivial from the definitions of low and upp.
Proposition 3. Both projection operators are idempotent, monotonic with respect
to both orderings ⊴ ∈ {⪯,⊑} and can be separated into upper and lower projections.
Formally,
1) low(low(E)) = low(E), upp(upp(E)) = upp(E).
2) If E ⊴ E′ then low(E) ⊴ low(E′) and upp(E) ⊴ upp(E′).
3) If low(E) ⊴ low(E′) and upp(E) ⊴ upp(E′) then E ⊴ E′.
Proof: The first part (1) is obvious from the definition of low and upp. For the
second (2) and third part (3) regarding ordering ⪯ observe that [a,b]:r ⪯ [a′,b′]:r′
iff a ≤ a′, b ≤ b′ and r ⪯ r′, which holds exactly in case that [a,⊤]:2 ⪯ [a′,⊤]:2 and
[⊥,b]:r ⪯ [⊥,b′]:r′. For ordering ⊑ we note that [a,b]:r ⊑ [a′,b′]:r′ iff a ≤ a′, b′ ≤ b
and r′ ⪯ r, which is the same as [a,⊤]:2 ⊑ [a′,⊤]:2 and [⊥,b]:r ⊑ [⊥,b′]:r′.
Both orderings ⪯ and ⊑ are linked up in tight reciprocity connections mediated
by the projections. The connection is summed up in the next Prop. 4:
Proposition 4.
1) low(E1) ⊑ E2 iff E1 ⪯ low(E2)
2) upp(E2) ⊑ E1 iff E2 ⪯ upp(E1)
3) low(E1) ⪯ E2 iff E1 ⪯ low(E2) ⪯ E2
4) E1 ⊑ upp(E2) iff E1 ⊑ upp(E1) ⊑ E2.
Proof: For (1) we calculate [a,⊤]:2 ⊑ [a′,b′]:r′ iff a ≤ a′ iff [a,b]:r ⪯ [a′,⊤]:2;
(2) holds since [⊥,b′]:r′ ⊑ [a,b]:r iff b ≤ b′ and r ⪯ r′ iff [⊥,b]:r ⪯ [a′,b′]:r′; (3) is
obtained from observing that [a,⊤]:2 ⪯ [a′,b′]:r′ iff a ≤ a′, b′ = ⊤ and r′ = 2, which is
equivalent to [a,b]:r ⪯ [a′,⊤]:2 and [a′,⊤]:2 ⪯ [a′,b′]:r′. Finally, (4) is true because
[a,b]:r ⊑ [⊥,b′]:r′ iff a = ⊥, b′ ≤ b and r′ ⪯ r, which is the same as [⊥,b]:r ⊑ [a′,b′]:r′
and [a,b]:r ⊑ [⊥,b]:r.
Proposition 5. In the ⪯-lattice, low is inflationary and upp is deflationary. In the
⊑-lattice, both projection operators are deflationary. Formally,
1) E ⪯ low(E), upp(E) ⪯ E.
2) low(E) ⊑ E, upp(E) ⊑ E.
Proof: Statement (1) follows from the observation that ⊥ and ⊤ are the minimum
and the maximum, respectively, in the ≤-ordering of D and that 2 is ⪯-maximum
in P. Statement (2) follows from (1) and the connections from Prop. 4(1,2).
With the previous observations we can use the projection operations to define
each ordering  and v in terms of the other. Both orderings together express the
same information as each of the orderings by itself does in combination with the
projections:
Lemma 2. For environments E1, E2 we have
1) E1 ⊑ E2 iff low(E1) ⪯ low(E2) and upp(E2) ⪯ upp(E1);
2) E1 ⪯ E2 iff low(E1) ⊑ low(E2) and upp(E2) ⊑ upp(E1).
Proof: Both statements are easy to establish directly from the definitions.
Alternatively, they can be obtained by abstract reasoning from the previous
propositions. For instance, suppose E1 ⊑ E2. Then, by Prop. 3(2,3) this is the same as
low(E1) ⊑ low(E2) and upp(E1) ⊑ upp(E2). But by Prop. 4 and Prop. 3(1) these
are equivalent to E1 ⪯ low(E2) and upp(E2) ⪯ E1, which in turn are equivalent to
low(E1) ⪯ low(E2) and upp(E2) ⪯ upp(E1), by Prop. 3(1,2) and Prop. 5(1). In a
similar fashion we obtain statement (2) from Props. 3, 4 and 5(2).
We have seen in Prop. 4 that lower and upper projections connect the two ordering
structures ⪯ and ⊑. They are in fact algebraic homomorphisms:
Proposition 6. The lower and upper projections distribute over ∨, ∧ and ⊓.
Formally,
1) low(E1 ⊙ E2) = low(E1) ⊙ low(E2)
2) upp(E1 ⊙ E2) = upp(E1) ⊙ upp(E2)
for ⊙ ∈ {∨,∧,⊓}.
Proof: Trivial from the definitions.
Another obvious but key result is the monotonicity and distributivity of the
(semi-)lattice operations:
Proposition 7. All the operators ∨, ∧ and ⊓ are monotonic in both the ⪯-lattice
and the ⊑-semi-lattice. Furthermore, all three operators distribute over each other,
i.e., E1 ⊙1 (E2 ⊙2 E3) = (E1 ⊙1 E2) ⊙2 (E1 ⊙1 E3) for ⊙1, ⊙2 ∈ {∨,∧,⊓}.
Proof: Since ∨ and ∧ are join and meet for ⪯ they must be monotonic for ⪯.
Similarly, ⊓ is the meet for ⊑, whence it is monotonic for ⊑. What is not obvious is
that ∨ and ∧ are monotonic for ⊑, and ⊓ is monotonic for ⪯, too. This is seen as
follows:
Suppose E1 ⊑ E1′ and E2 ⊑ E2′. Then, both low(Ei) ⪯ low(Ei′) and upp(Ei′) ⪯
upp(Ei) by Lem. 2. Now, on the one hand, low(E1 ∨ E2) = low(E1) ∨ low(E2) ⪯
low(E1′) ∨ low(E2′) = low(E1′ ∨ E2′) and upp(E1′ ∨ E2′) = upp(E1′) ∨ upp(E2′) ⪯ upp(E1) ∨
upp(E2) = upp(E1 ∨ E2), by assumption, Prop. 6 and monotonicity of ∨ for ⪯. Hence,
E1 ∨ E2 ⊑ E1′ ∨ E2′ as claimed, again using Lem. 2. The same reasoning works to
show that ∧ is monotonic for ⊑ and that ⊓ is monotonic for ⪯. Distributivity of all
operators follows from the distributive laws
max(a1, min(a2,a3)) = min(max(a1,a2), max(a1,a3))
min(a1, max(a2,a3)) = max(min(a1,a2), min(a1,a3))
max(a1, max(a2,a3)) = max(max(a1,a2), max(a1,a3)).
The following final Lem. 3 collects some specific consequences of the universal
properties of the domain (I(D,P), ⪯, ∨, ⊑, ⊓) which will be used in our later
development.
Lemma 3.
1) low(upp(E)) = low(⊥) = [⊥,⊤]:2 = upp(⊤:2) = upp(low(E))
2) E1 ∨ low(upp(E2)) = low(E1)
3) E1 ∨ upp(E2) ⊑ E1
4) If low(E1) ⊑ low(E2), then E1 ∨ upp(E2) ⊑ E2
Proof: (1) and (2) are obvious from the definitions. Concerning (3) first observe
that E1 ⪯ E1 ∨ upp(E2) as ∨ is the join with respect to ⪯. By Lem. 2(2) this implies
upp(E1 ∨ upp(E2)) ⊑ upp(E1). (11)
We can also show
low(E1 ∨ upp(E2)) = low(E1) (12)
for the lower projections. First, by statement (2) of the Lemma, Props. 6(1) and
3(1) we compute
low(E1 ∨ upp(E2)) = low(E1) ∨ low(upp(E2)) = low(low(E1)) = low(E1)
which proves (12) as claimed. Prop. 3(3) permits us to combine (11) and (12) to
obtain E1 ∨ upp(E2) ⊑ E1 as claimed in statement (3) of the Lemma. Suppose
low(E1) ⊑ low(E2). Then, E1 ⪯ low(E2) by Prop. 3(1) and Prop. 4(1), whence (12)
implies
low(E1 ∨ upp(E2)) = low(E1) ⪯ low(low(E2)) = low(E2) (13)
using Prop. 3(1,2). Next, we have E1 ⪯ E1 ∨ upp(E2) ⪯ E1 ∨ E2 by the properties of
the join ∨. Also, the inclusion upp(E2) ⪯ E1 ∨ upp(E2) implies
upp(E2) = upp(upp(E2)) ⪯ upp(E1 ∨ upp(E2)) (14)
again using Prop. 3(1,2). Another application of Lem. 2, combining the inequations
(13) and (14) for lower and upper projections, proves E1 ∨ upp(E2) ⊑ E2, which is
statement (4) of the Lemma, as desired.
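As an added executable illustration, not taken from the paper, the following Python model encodes I(D,P) with the orderings ⪯ and ⊑, the operations ∨, ∧, ⊓ and the consistent join ⊔, and the projections low and upp as defined in Sec. III.B; it recomputes Ex. 16 and checks Lemma 1, Lemma 2, Prop. 5 and Lemma 3 by enumerating all 30 elements of I(D,P). The encoding of D and P by integer ranks and the names Status, imeet, info_le and so on are this example's own choices, not the paper's notation.

```python
# Added example (not the paper's code): an executable model of the domain I(D,P).
from itertools import product

# D = {⊥ ≤ 0 ≤ 1 ≤ ⊤}, encoded by rank; P = {0,1,2} with sequential order 0 ⪯ 1 ⪯ 2
BOT, ZERO, ONE, TOP = 0, 1, 2, 3
D = (BOT, ZERO, ONE, TOP)
P = (0, 1, 2)
DNAME = {BOT: "⊥", ZERO: "0", ONE: "1", TOP: "⊤"}


class Status(tuple):
    """An element [l,u]:r of I(D,P), stored as the triple (l, u, r)."""
    __slots__ = ()

    def __new__(cls, l, u, r):
        if not (l in D and u in D and l <= u and r in P):
            raise ValueError(f"not an element of I(D,P): ({l},{u},{r})")
        return tuple.__new__(cls, (l, u, r))

    def __repr__(self):
        l, u, r = self
        return f"[{DNAME[l]},{DNAME[u]}]:{r}"


BOTTOM = Status(BOT, BOT, 0)   # ⊥ = [⊥,⊥]:0, the neutral element of ∨
UNKNOWN = Status(BOT, TOP, 2)  # [⊥,⊤]:2, the ⊑-least (least informative) element


def join(a, b):    # a ∨ b: point-wise max on the interval, max on P
    return Status(max(a[0], b[0]), max(a[1], b[1]), max(a[2], b[2]))


def meet(a, b):    # a ∧ b: point-wise min on the interval; on P the ⪯-meet min,
    return Status(min(a[0], b[0]), min(a[1], b[1]), min(a[2], b[2]))  # as Lemma 1(2) needs


def imeet(a, b):   # a ⊓ b: smallest interval covering both; max on P since 2 ⊑ 1 ⊑ 0
    return Status(min(a[0], b[0]), max(a[1], b[1]), max(a[2], b[2]))


def ijoin(a, b):   # a ⊔ b: least upper bound for ⊑, exists only if a and b are consistent
    l, u, r = max(a[0], b[0]), min(a[1], b[1]), min(a[2], b[2])
    if l > u:
        raise ValueError(f"{a!r} and {b!r} have no common refinement")
    return Status(l, u, r)


def seq_le(a, b):   # a ⪯ b: the sequential ordering, component-wise
    return a[0] <= b[0] and a[1] <= b[1] and a[2] <= b[2]


def info_le(a, b):  # a ⊑ b: b at least as precise as a (inverse inclusion; 2 ⊑ 1 ⊑ 0 on P)
    return a[0] <= b[0] and b[1] <= a[1] and b[2] <= a[2]


def low(a):   # lower projection [l,⊤]:2 keeps only the guaranteed lower bound
    return Status(a[0], TOP, 2)


def upp(a):   # upper projection [⊥,u]:r keeps the upper bound and the init status
    return Status(BOT, a[1], a[2])


def all_statuses():
    return [Status(l, u, r) for l, u, r in product(D, D, P) if l <= u]


# Environments are dicts from variable names to statuses; unlisted variables are ⊥.
def lift(op, e1, e2):
    return {x: op(e1.get(x, BOTTOM), e2.get(x, BOTTOM)) for x in sorted(set(e1) | set(e2))}


def example_16():
    """S1 ∨ S2 and S1 ⊓ S2 for the two environments of Ex. 16."""
    s1 = {"x": Status(ZERO, ZERO, 0), "y": Status(ZERO, TOP, 2)}
    s2 = {"x": Status(BOT, ONE, 1), "z": Status(ZERO, ONE, 0)}
    return lift(join, s1, s2), lift(imeet, s1, s2)


def check_domain_laws():
    """Check Lemma 1, Lemma 2, Prop. 5 and Lemma 3 over all 30 elements of I(D,P)."""
    S = all_statuses()
    assert len(S) == 30
    for e in S:
        assert low(e) == join(e, UNKNOWN) == imeet(e, Status(TOP, TOP, 2))   # Lemma 1(1)
        assert upp(e) == meet(e, UNKNOWN) == imeet(e, BOTTOM)                # Lemma 1(2)
        assert seq_le(e, low(e)) and seq_le(upp(e), e)                       # Prop. 5(1)
        assert info_le(low(e), e) and info_le(upp(e), e)                     # Prop. 5(2)
        assert ijoin(low(e), upp(e)) == e                                    # E = low(E) ⊔ upp(E)
        assert low(upp(e)) == UNKNOWN == upp(low(e))                         # Lemma 3(1)
    for e1, e2 in product(S, S):
        assert info_le(e1, e2) == (seq_le(low(e1), low(e2)) and seq_le(upp(e2), upp(e1)))   # Lem. 2(1)
        assert seq_le(e1, e2) == (info_le(low(e1), low(e2)) and info_le(upp(e2), upp(e1)))  # Lem. 2(2)
        assert join(e1, low(upp(e2))) == low(e1)                             # Lemma 3(2)
        assert info_le(join(e1, upp(e2)), e1)                                # Lemma 3(3)
        if info_le(low(e1), low(e2)):
            assert info_le(join(e1, upp(e2)), e2)                            # Lemma 3(4)
    return True


if __name__ == "__main__":
    print(example_16())
    print(check_domain_laws())
```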
D. Domain I(C) of Completion Status
The completion status for an fprog P in concurrent environment C is given by
a set of completion codes cmpl 〈P,C〉 ⊆ C := {⊥,0,1} which model the uncertainty
about the termination behaviour of P , analogous to the status intervals for signal
variables. The code 0 stands for instantaneous (normal) termination, 1 for pausing
and ⊥ for blocking to model a situation when a program’s control flow is stuck at a
conditional test which cannot be decided. These completion codes C must not be
confused with the signal statuses in D.
What is the information content of a subset $\mathit{cmpl}\langle P,C\rangle \subseteq C$ of completion codes? When $c \in \mathit{cmpl}\langle P,C\rangle$ then $c$ is a possible completion of $P$, but it is not guaranteed unless $\mathit{cmpl}\langle P,C\rangle = \{c\}$ is a singleton, in which case $c$ must be the completion type of $P$. Otherwise, if $c' \neq c$ with $c' \in \mathit{cmpl}\langle P,C\rangle$, then $c'$ is another type of completion that can happen for $P$ in environment $C$. Complementarily, if $c \notin \mathit{cmpl}\langle P,C\rangle$ then $c$ cannot occur. The "must" and "cannot" information, which is the basis for defining the completion semantics of programs in Esterel, is completely captured by the five subsets
$$I(C) := \{\{\bot,0\}, \{\bot,1\}, \{\bot,0,1\}, \{0\}, \{1\}\}.$$
The sets $\{\}$, $\{0,1\}$ and $\{\bot\}$ are missing because every program must at least possibly terminate instantaneously or possibly pause, and if a program possesses both possible codes 0 and 1 then this is so because some conditional test cannot be decided, which means it is blocked. So, $\bot$ must be a possible code for this program, too.[5]
The precise relation between $I(C)$ and the completion codes of Esterel [12] is given by defining the sets
$$\mathit{must}_k(P,C) := \{k \mid k \in \{0,1\},\ \mathit{cmpl}\langle P,C\rangle = \{k\}\},$$
$$\mathit{cannot}_k(P,C) := \{k \mid k \in \{0,1\},\ k \notin \mathit{cmpl}\langle P,C\rangle\},$$
$$\mathit{can}_k(P,C) := \{0,1\} \setminus \mathit{cannot}_k(P,C) = \mathit{cmpl}\langle P,C\rangle \setminus \{\bot\}$$
of codes that must and cannot/can be obtained by program $P$ in environment $C$, respectively. We observe that $\mathit{must}_k(P,C) \cap \mathit{cannot}_k(P,C) = \emptyset$ and that both $\mathit{must}_k(P,C) \neq \{0,1\}$ and $\mathit{cannot}_k(P,C) \neq \{0,1\}$. This makes sense since must and cannot completions are contradictory and there is no program which must terminate and must pause at the same time, or cannot terminate and cannot pause at the same time. Since we do not consider completion codes for traps, every program can at least potentially terminate or pause. More specifically, $\mathit{must}_k(P,C)$ and $\mathit{cannot}_k(P,C)$ are either empty $\emptyset$ or a singleton set $\{0\}$ or $\{1\}$. Also, directly from the definition we find that if $\mathit{must}_k(P,C)$ is a singleton, then $\mathit{cannot}_k(P,C)$ is the complementary singleton set, i.e., $\mathit{must}_k(P,C) = \{0\}$ implies $\mathit{cannot}_k(P,C) = \{1\}$ and $\mathit{must}_k(P,C) = \{1\}$ implies $\mathit{cannot}_k(P,C) = \{0\}$. Finally, $\mathit{must}_k(P,C) = \emptyset$ iff $\bot \in \mathit{cmpl}\langle P,C\rangle$ and $\mathit{cannot}_k(P,C) = \emptyset$ iff $\mathit{cmpl}\langle P,C\rangle = \{\bot,0,1\}$.

Note that (i) every $P$ has at least one possible completion status, i.e., $0 \in \mathit{cmpl}\langle P,C\rangle$ or $1 \in \mathit{cmpl}\langle P,C\rangle$, and (ii) if we cannot decide whether $P$ terminates instantaneously or pauses then this is because we cannot decide if $P$ completes at all, i.e., if $\{0,1\} \subseteq \mathit{cmpl}\langle P,C\rangle$ then $\bot \in \mathit{cmpl}\langle P,C\rangle$. This explains why not all of the eight possible subsets of $C$ can occur as the completion status of a program.

[5] In other words, the free set-theoretic "collection semantics", which defines the completion code of a program as the set of all its possible completions (under a given choice of environments), would produce exactly the sets in $I(C)$. We could have defined $I(C)$ more generously as the set of all subsets of completion codes $\mathcal{P}\{\bot,0,1\}$. However, our explicit description reveals more of the algebraic properties of $I(C)$ than $\mathcal{P}\{\bot,0,1\}$. For instance, it makes clear that the internal logic of $I(C)$ is not a Boolean algebra.
IV. Denotational Semantics of Synchronous Programs

Now that the technical apparatus of status intervals and environments is in place it is time to put it to use. In this section we introduce an extended version of the causality analysis for Esterel which includes initialisation. This analysis defines the class of constructive programs. It performs an abstract program simulation using the interval environments $I(D,P)$ introduced above. To keep matters simple we consider only finite pSCL programs (fprogs), i.e., programs without rec. This is without loss of generality: since well-formed pSCL programs are clock-guarded, we can unfold all loops and extract finite rec-free expressions that fully describe the program's macro-step reactions. We first describe the computation of completion codes in Sec. IV-A and then the computation of program responses in Sec. IV-B.
A. Computing Completion Codes

How are completion codes computed for a program $P$ and environment $C$? As for the response semantics $\langle\!\langle P\rangle\!\rangle$ this is done by structural recursion on $P$. However, while the computation of the sets $\mathit{must}_k(P,C)$ and $\mathit{cannot}_k(P,C)$ in [12] is performed separately through a combinatorial construction, we here give a uniform and algebraic definition of the same information for $\mathit{cmpl}\langle P,C\rangle$. Specifically, we exploit that $I(C)$, like $I(D)$, forms a meet semi-lattice under the (inverse) inclusion ordering $\sqsubseteq$, i.e., $\gamma_1 \sqsubseteq \gamma_2$ iff $\gamma_2 \subseteq \gamma_1$. The completion set $\{\bot,0,1\}$ is the minimal element in $I(C)$ and the meet $\sqcap$ is $\gamma_1 \sqcap \gamma_2 = \gamma_2 \sqcap \gamma_1 = \gamma_1$ if $\gamma_1 \sqsubseteq \gamma_2$ and $\gamma_1 \sqcap \gamma_2 = \{\bot,0,1\}$ if $\gamma_1$ and $\gamma_2$ are $\sqsubseteq$-incomparable. Let $\oplus$ be the strict lifting of Boolean summation to $C$, i.e., $0 \oplus 1 = 1 = 1 \oplus 0 = 1 \oplus 1$ and $0 \oplus 0 = 0$, while $x \oplus y = \bot$ iff $x = \bot$ or $y = \bot$. This can then further be lifted to completion sets, $\gamma_1 \oplus \gamma_2 := \{x \oplus y \mid x \in \gamma_1, y \in \gamma_2\}$. Notice that if we consider the completion codes 0 and 1 as numbers, then $\oplus$ is the same as $\max$. Indeed, $\oplus$ on $I(C)$ is analogous to $\vee$ on $I(D)$. The upper projection is given by $upp(\gamma) := \gamma \cup \{\bot\}$. One shows that $\oplus$ and $upp$ are well-defined on $I(C)$ and monotonic with respect to $\sqsubseteq$.
The function $\mathit{cmpl}\langle P,C\rangle \in I(C)$ is defined in Fig. 6.

$$\begin{array}{rcl}
\mathit{cmpl}\langle P,C\rangle &:=& \{0\} \quad \text{if } P \text{ is one of } \epsilon \text{ or } \text{¡}s \\
\mathit{cmpl}\langle !s,C\rangle &:=& \begin{cases} \{0\} & \text{if } [\bot,\top]{:}1 \sqsubseteq C(s) \\ \{\bot,0\} & \text{otherwise} \end{cases} \\
\mathit{cmpl}\langle \pi,C\rangle &:=& \{1\} \\
\mathit{cmpl}\langle P \parallel Q,C\rangle &:=& \mathit{cmpl}\langle P,C\rangle \oplus \mathit{cmpl}\langle Q,C\rangle \\
\mathit{cmpl}\langle P;Q,C\rangle &:=& \begin{cases} \mathit{cmpl}\langle P,C\rangle & \text{if } 0 \notin \mathit{cmpl}\langle P,C\rangle \\ \mathit{cmpl}\langle P,C\rangle \oplus \mathit{cmpl}\langle Q,C\rangle & \text{otherwise} \end{cases} \\
\mathit{cmpl}\langle s\,?\,P:Q,C\rangle &:=& \begin{cases} \mathit{cmpl}\langle P,C\rangle & \text{if } 1{:}1 \sqsubseteq C(s) \\ \mathit{cmpl}\langle Q,C\rangle & \text{if } 0{:}1 \sqsubseteq C(s) \\ upp(\mathit{cmpl}\langle P,C\rangle) \sqcap upp(\mathit{cmpl}\langle Q,C\rangle) & \text{otherwise} \end{cases}
\end{array}$$
Fig. 6. Denotational analysis of completion codes for fprogs.

One shows by induction on $P$ that if $P$ is purely combinational, i.e., it does not contain the $\pi$ operator, then $\mathit{cmpl}\langle P,C\rangle = \{0\}$ or $\mathit{cmpl}\langle P,C\rangle = \{\bot,0\}$. Furthermore, it is easy to see that the only way in which the status $\bot$ can enter the completion set is through the 'otherwise' case of a set or a conditional. More strictly, we have $\bot \in \mathit{cmpl}\langle P,C\rangle$ iff (i) the control flow reaches some set $!s$ in $P$ which is blocked on the condition $[\bot,\top]{:}1 \not\sqsubseteq C(s)$, or (ii) there is some conditional $s\,?\,P':Q'$ executed in $P$ for which the guard variable $s$ is undecided, i.e., $1{:}1 \not\sqsubseteq C(s)$ and $0{:}1 \not\sqsubseteq C(s)$. The condition $[\bot,\top]{:}1 \sqsubseteq C(s)$ in the definition of $\mathit{cmpl}\langle !s,C\rangle$ requires that the init status of $C(s)$ is at most 1, i.e., that initialisations $\text{¡}s$ are no longer possible. However, this does not constrain the value status. If we wanted to make a set $!s$ wait for at least one initialisation $\text{¡}s$ to take place, we could strengthen the condition $[\bot,\top]{:}1 \sqsubseteq C(s)$ to $[0,\top]{:}1 \sqsubseteq C(s)$.
Example 17. The completion intervals $\{0\}$ and $\{1\}$ are obtained from the pSCL expressions $\epsilon$ and $\pi$, respectively. The intervals $\{\bot,0\}$ and $\{\bot,1\}$ are the completion codes for the expressions $x\,?\,\epsilon:\epsilon$ and $x\,?\,\pi:\pi$ in every concurrent environment $C$ with $0{:}1 \not\sqsubseteq C(x)$ and $1{:}1 \not\sqsubseteq C(x)$. Finally, if $x$ is undecided, we get $\mathit{cmpl}\langle x\,?\,\epsilon:\pi,C\rangle = \{\bot,0,1\}$. The completion statuses $\{\bot,0\}$ and $\{\bot,1\}$ may also be obtained from the programs $!x;\epsilon$ and $!x;\pi$, respectively, in an environment $C$ where $\bot{:}2 \leq C(x)$, i.e., where the init phase on $x$ is still pending.
B. Computing Program Responses

The denotational semantics of an fprog $P$ is given by a function $\langle\!\langle P\rangle\!\rangle^S_C$ that determines constructive information on the instantaneous response of $P$ to an external stimulus consisting of a sequential environment $S$ and a concurrent environment $C$. The sequential context $S$ can be thought of as an initialisation under which $P$ is activated. It represents knowledge about the status of variables sequentially before $P$ is started. In contrast, the parallel environment $C$ contains the external stimulus which is concurrent with $P$. The lower bound $low\langle\!\langle P\rangle\!\rangle^S_C$ of the response tells us what $P$ must write to the variables and the upper bound $upp\langle\!\langle P\rangle\!\rangle^S_C$ is the level that the variables may reach upon execution of $P$.

The function $\langle\!\langle P\rangle\!\rangle^S_C$ is defined by recursion on the structure of the fprog $P$ as seen in Fig. 7.
$$\begin{array}{rcl}
\langle\!\langle \epsilon\rangle\!\rangle^S_C &:=& S \\
\langle\!\langle \pi\rangle\!\rangle^S_C &:=& S \\
\langle\!\langle \text{¡}s\rangle\!\rangle^S_C &:=& \begin{cases}
  S \vee \{\langle s^{\top}\rangle\} & \text{if } 1 \leq S(s) \leq \top \\
  S \vee \{\langle s^{\top:2}\rangle\} & \text{if } 1{:}1 \leq S(s) \\
  S \vee \{\langle s^{0}\rangle\} & \text{if } S(s) \leq 0 \\
  S \vee \{\langle s^{0:2}\rangle\} & \text{if } \bot{:}1 \leq S(s) \leq 0{:}2 \\
  S \vee \{\langle s^{[0,\top]:2}\rangle\} & \text{otherwise}
\end{cases} \\
\langle\!\langle !s\rangle\!\rangle^S_C &:=& \begin{cases}
  S \vee \{\langle s^{1}\rangle\} & \text{if } [\bot,\top]{:}1 \sqsubseteq C(s) \\
  S \vee \{\langle s^{[\bot,1]}\rangle\} \vee \bot{:}1 & \text{otherwise}
\end{cases} \\
\langle\!\langle P \parallel Q\rangle\!\rangle^S_C &:=& \langle\!\langle P\rangle\!\rangle^S_C \vee \langle\!\langle Q\rangle\!\rangle^S_C \\
\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C &:=& \begin{cases}
  \langle\!\langle P\rangle\!\rangle^S_C & \text{if } 1{:}1 \sqsubseteq C(s) \\
  \langle\!\langle Q\rangle\!\rangle^S_C & \text{if } 0{:}1 \sqsubseteq C(s) \\
  S \vee upp\langle\!\langle P\rangle\!\rangle^{S \vee \bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S \vee \bot:1}_C & \text{otherwise}
\end{cases} \\
\langle\!\langle P;Q\rangle\!\rangle^S_C &:=& \begin{cases}
  \langle\!\langle P\rangle\!\rangle^S_C & \text{if } 0 \notin \mathit{cmpl}\langle P,C\rangle \\
  \langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C & \text{if } \mathit{cmpl}\langle P,C\rangle = \{0\} \\
  \langle\!\langle P\rangle\!\rangle^S_C \vee upp\big(\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C\big) & \text{otherwise}
\end{cases}
\end{array}$$
Fig. 7. Denotational response analysis for fprogs (the function $\mathit{cmpl}\langle P,C\rangle$ is defined in Fig. 6).
• The empty fprog $\langle\!\langle \epsilon\rangle\!\rangle^S_C$ passes out its sequential stimulus $S$ and does not add anything to it. The same applies to the pausing program $\pi$.
• The result of resetting a variable $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C$ depends on whether the sequential stimulus $S$ already contains a status 1 for $s$ or not and on the init status for $s$:
  – If $1 \leq S(s) \leq \top$, then the sequential status is $S(s) = [l,u]{:}r$ where the value status $[l,u]$ is one of $\{1, [1,\top], \top\}$ and the init status is $r = 0$. This indicates that $s$ must have been set sequentially before the execution of the reset $\text{¡}s$. Hence, we must crash $s$ since a change from 1 to 0 falls outside of the model. Also, $r = 0$ means that the scheduling control flow has reached the reset $\text{¡}s$ and since it terminates instantaneously the downstream computation continues with the init status 0. All other variables $x \neq s$ retain their status from $S$. This is what $S \vee \{\langle s^{\top}\rangle\}$ achieves, viz. $(S \vee \{\langle s^{\top}\rangle\})(s) = S(s) \vee \{\langle s^{\top}\rangle\}(s) = S(s) \vee \top = \top$ and $(S \vee \{\langle s^{\top}\rangle\})(x) = S(x) \vee \{\langle s^{\top}\rangle\}(x) = S(x) \vee \bot = S(x)$.
  – If $1{:}1 \leq S(s)$ then $S(s) = [l,u]{:}r$ with a value status $[l,u]$ in $\{1, [1,\top], \top\}$ as above, but now the init status is $r \geq 1$. Hence the upstream computation must have set the variable but is still contingent, so that the $\text{¡}s$ is speculative. In this case we crash the value status and raise the init status to 2 since the reset is executed only speculatively. We must consider it as a possibly outstanding reset. The response, therefore, is $S \vee \{\langle s^{\top:2}\rangle\}$.
  – If $S(s) \leq 0$ then the sequential status of $s$ is one of $S(s) \in \{\bot, [\bot,0], 0\}$, again with init status 0. This says that the upstream computation has finished and $s$ cannot have been set before. So we can execute the reset by returning $(S \vee \{\langle s^{0}\rangle\})(s) = 0$. The init status stays 0 because the schedule passes the reset $\text{¡}s$ which terminates instantaneously.
  – If $\bot{:}1 \leq S(s) \leq 0{:}2$ then $S(s) = [l,u]{:}r$ with $u \leq 0$ and $1 \leq r$. The constraint $u \leq 0$ again guarantees that $s$ is not set before, while $1 \leq r$ tells us that the upstream schedule is contingent. Consequently, we must put the init status to 2 to record that the $\text{¡}s$ is only speculative. This gives the response $(S \vee \{\langle s^{0:2}\rangle\})(s) = 0{:}2$.
  – Finally, the remaining cases are $S(s) = [l,u]{:}r$, where $l < 1$, $u \geq 1$ and $1 \leq r$. These cases are subsumed by the constraint $[\bot,1]{:}1 \leq S(s) \leq [0,\top]{:}2$. These statuses say that $s$ may have been set before. We can neither be sure that a set on $s$ must have happened earlier, nor that it cannot have happened. So, the execution of $\text{¡}s$ may crash the model, whence the result $S \vee \{\langle s^{[0,\top]:2}\rangle\}$ forces the value status of $s$ to be $[0,\top]$. The init status must be 2 because the speculative control flow passes a reset.
• Setting a variable $\langle\!\langle !s\rangle\!\rangle^S_C$ updates the sequential environment $S$ with the status $s^1$ for variable $s$. However, the "init;update;read" protocol permits a set $!s$ to be executed only if and when the init phase on $s$ has been completed. This is checked by the condition $[\bot,\top]{:}1 \sqsubseteq C(s)$ on the environment, which is the same as $C(s) \leq \top{:}1$. If $C(s) \leq \top{:}1$ then $C(s) = [l,u]{:}r$ with $r \leq 1$. Thus, there cannot be any contingent reset still outstanding and we can execute the set $!s$ which terminates instantaneously. This gives the response $(S \vee \{\langle s^{1}\rangle\})(s) = S(s) \vee 1$. On the other hand, if $C(s) \not\leq \top{:}1$, then the update $!s$ is blocked and only executed speculatively. In this case, the set $!s$ only forces the status of $s$ to be in the interval $[\bot,1]$. This leaves open whether the set is actually executed or not. Also, the init status of all variables must be set to 1 in order to inform any sequential successor that its execution is only speculative rather than factual. Hence our definition of the response as $S \vee \{\langle s^{[\bot,1]}\rangle\} \vee \bot{:}1$.
• The response of a parallel $\langle\!\langle P \parallel Q\rangle\!\rangle^S_C$ is obtained by letting each of the children $P$, $Q$ react to the $S$ and $C$ environments independently, and then combining their responses using $\vee$. This implements a logical disjunction on Boolean values and captures the idea that in B-admissible executions resets happen before any concurrent sets of a variable. If one of $\langle\!\langle P\rangle\!\rangle^S_C$ or $\langle\!\langle Q\rangle\!\rangle^S_C$ generates a crash, then the composition $\langle\!\langle P \parallel Q\rangle\!\rangle^S_C$ does so, too. The init statuses are also combined with the join operator $\vee$: The schedule of the "init;update" phases on a variable $s$ in the parallel composition is completed, $\langle\!\langle P \parallel Q\rangle\!\rangle^S_C(s) \leq \top{:}0$, if and only if the scheduling of both threads is completed, i.e., if both $\langle\!\langle P\rangle\!\rangle^S_C(s) \leq \top{:}0$ and $\langle\!\langle Q\rangle\!\rangle^S_C(s) \leq \top{:}0$. Further, the schedule of $P \parallel Q$ is blocked and has a speculative reset, $\bot{:}2 \leq \langle\!\langle P \parallel Q\rangle\!\rangle^S_C(s)$, iff in one of the threads a reset is pending, i.e., if $\bot{:}2 \leq \langle\!\langle P\rangle\!\rangle^S_C(s)$ or $\bot{:}2 \leq \langle\!\langle Q\rangle\!\rangle^S_C(s)$.
• In order to derive information about the variables' status under arbitrary SC-admissible scheduling, conditionals need to be evaluated cautiously. The result of a branching test $s\,?\,P:Q$ can only be predicted if and when the value of $s$ has been firmly established as a decided 0 or 1 under all possible SC-admissible schedules. The decision value for $s$ is taken from the concurrent environment $C$. Accordingly, if $1{:}1 \sqsubseteq C(s)$ then $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C$ behaves like $\langle\!\langle P\rangle\!\rangle^S_C$ and if $0{:}1 \sqsubseteq C(s)$ the result of the evaluation is $\langle\!\langle Q\rangle\!\rangle^S_C$. As long as the value of $s$ is still undecided, i.e., if $1{:}1 \not\sqsubseteq C(s)$ and $0{:}1 \not\sqsubseteq C(s)$, we cannot know if branch $P$ or $Q$ will be executed. However, at least the write accesses already recorded in the sequential environment $S$ must become effective. This gives the condition $low\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = low(S)$ for the lower bound. A write access may be produced by $s\,?\,P:Q$ if it may be generated by $S$ or by one of the branches $P$ or $Q$. So, we speculatively compute the response of $P$ and $Q$ in the sequential environment $S \vee \bot{:}1$. This sets the init status of all variables to 1 (at least) in order to mark all write accesses in $P$ and $Q$ as speculative. This implies $upp\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = upp(S) \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C$ for the upper bound. Both can be expressed by the single equation $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = S \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C$, which is seen as follows:
$$\begin{array}{rcl}
low(S \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C)
&=& low(S) \vee low(upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C) \vee low(upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C) \\
&=& low(S) \vee [\bot,\top]{:}2 \vee [\bot,\top]{:}2 \\
&=& low(S) \vee [\bot,\top]{:}2 \\
&=& S \vee [\bot,\top]{:}2 \vee [\bot,\top]{:}2 = S \vee [\bot,\top]{:}2 = low(S)
\end{array}$$
by the properties of $\vee$ and the projections, and similarly
$$\begin{array}{rcl}
upp(S \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C)
&=& upp(S) \vee upp(upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C) \vee upp(upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C) \\
&=& upp(S) \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C.
\end{array}$$
Notice that $upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C$ is the same as $upp(\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \sqcap \langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C)$, the upper projection of the best over-approximation of both environments $\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C$ and $\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C$. It is here that the meet operator $\sqcap$ is hidden in the semantics.
• The response of a sequential composition $P;Q$ depends on the set of possible completion codes $\mathit{cmpl}\langle P,C\rangle \subseteq \{\bot,0,1\}$ from which we can tell whether $P$ is known to terminate or pause or neither. The code 0 stands for instantaneous termination, 1 for pausing and $\bot$ for "unknown" or "blocked", to model the situation when $P$'s control flow is stuck at a conditional test which cannot be decided. If $0 \notin \mathit{cmpl}\langle P,C\rangle$ then $P$ cannot terminate instantaneously. In this case, $Q$ will never be executed in the current instant, so that $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C$. However, if $\mathit{cmpl}\langle P,C\rangle = \{0\}$, then $P$ is guaranteed to terminate instantaneously. Thus, the overall response $\langle\!\langle P;Q\rangle\!\rangle^S_C$ is that of $Q$ reacting to the concurrent stimulus $C$ and using the response $\langle\!\langle P\rangle\!\rangle^S_C$ as the sequential stimulus. Otherwise, if $0 \in \mathit{cmpl}\langle P,C\rangle$ and $\mathit{cmpl}\langle P,C\rangle \neq \{0\}$, then this means that some conditional test on the execution path in $P$ cannot be decided in $C$ (or some set on that path is blocked, cf. the 'otherwise' cases of Fig. 6). Thus, it is not known yet how $P$ will complete and, as a consequence, whether $Q$ will be executed. Therefore, we can only say a variable must be written by $P;Q$ if it must be written by $P$ in the present environments $S$ and $C$. This leads to $low\langle\!\langle P;Q\rangle\!\rangle^S_C = low\langle\!\langle P\rangle\!\rangle^S_C$. As regards upper bounds, a variable may be written if it may be written by $Q$ with the response of $P$ as its sequential stimulus: $upp\langle\!\langle P;Q\rangle\!\rangle^S_C = upp\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C$. One can show, as above in the case of conditionals, that both lower and upper bound equations can be combined into $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C \vee upp\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C$, or equivalently $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C \sqcap \langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C$.
Example 18. Consider the fprog $P := (x\,?\,\epsilon : (!y \parallel !z)) \parallel (y\,?\,\epsilon : !x)$ with the environments $S = \{\langle\ \rangle\} = \bot$ and $C_0 = \{[\ ]\} = [\bot,\top]{:}2$. The response $\langle\!\langle P\rangle\!\rangle^S_{C_0}$ is the information to be got from a single pass through $P$ without letting $P$ communicate with itself. In doing that the sequential environment $S$ sums up the variable status that has been established by the upstream control flow as the execution reaches $P$. The environment $C_0$ accumulates our information about the global status of all variables, including the concurrent environment in which $P$ is running. Considering that neither $x$ nor $y$ is decided in $C_0$, both conditionals block. Since the updates $!x$, $!y$, $!z$ may possibly be executed and there is no later reset, the variables' expected status is at least $\bot$ and at most 1, i.e., $\langle\!\langle P\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\}$. The init status $\bot{:}1$ is imposed to record that the computation for all variables is incomplete, yet there is no contingent reset for any of them. Indeed, this is what the calculation using Fig. 7 obtains: The response of the first thread is
$$\begin{array}{rcl}
\langle\!\langle x\,?\,\epsilon : (!y \parallel !z)\rangle\!\rangle^S_{C_0} &=& S \vee upp\langle\!\langle \epsilon\rangle\!\rangle^{S\vee\bot:1}_{C_0} \vee upp\langle\!\langle !y \parallel !z\rangle\!\rangle^{S\vee\bot:1}_{C_0} \\
&=& S \vee upp(S \vee \bot{:}1) \vee upp(\langle\!\langle !y\rangle\!\rangle^{S\vee\bot:1}_{C_0} \vee \langle\!\langle !z\rangle\!\rangle^{S\vee\bot:1}_{C_0}) \\
&=& S \vee upp(S \vee \bot{:}1) \vee upp(S \vee \bot{:}1 \vee \{\langle y^{[\bot,1]}\rangle\} \vee \bot{:}1 \vee S \vee \bot{:}1 \vee \{\langle z^{[\bot,1]}\rangle\} \vee \bot{:}1) \\
&=& \bot \vee upp(\bot{:}1) \vee upp(\bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\}) \\
&=& \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\},
\end{array}$$
where the third step uses that both sets $!y$ and $!z$ are blocked in $C_0$. Similarly, we obtain $\langle\!\langle y\,?\,\epsilon : !x\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\}$ for the second thread. Joined together, the parallel composition then is
$$\langle\!\langle P\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\} \vee \{\langle x^{[\bot,1]}\rangle\} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\}$$
as claimed.

Without further assumptions on the environment this is the end of the story; none of the variables' value status can be decided beyond $[\bot,1]$. One shows that $\mathit{cmpl}\langle P,C_0\rangle = \{\bot,0\}$, i.e., $P$ is not known to terminate. Now put $P$ in parallel with the fprog $Q := \text{¡}x \parallel !y$, to continue the discussion begun in Ex. 11. Running $Q$ from $S$ and $C_0$ gives $\langle\!\langle Q\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{0}, y^{[\bot,1]}\rangle\}$. The response is contingent because the set $!y$ cannot proceed in $C_0$, which does not exclude further resets on $y$. Therefore,
$$C_1 := \langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\} \vee \bot{:}1 \vee \{\langle x^{0}, y^{[\bot,1]}\rangle\} = \bot{:}1 \vee \{\langle x^{[0,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\}.$$
This says that $x$ must be reset but may be set later (stabilising without crash), while $y$ and $z$ may remain pristine or stabilise at 1. In addition, the init status of all variables is 1, excluding any further possible resets arising from $P \parallel Q$. Notice that $C_1$ is a more precise description of the response compared to $C_0$, i.e., $C_0 \sqsubset C_1$.

The remaining uncertainty arises because the single application of $\langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_0}$ blocks the setting of $y$ in the write access in $Q$. For this, $P \parallel Q$ needs to communicate with itself to find out that the set $!y$ can proceed. This is achieved by running a second pass, now feeding the concurrent environment $C_1$ instead of $C_0$. Since $C_1$ indicates a completed "init" phase for $y$, the set $!y$ in $Q$ is unblocked. We find $\langle\!\langle Q\rangle\!\rangle^S_{C_1} = \{\langle x^{0}, y^{1}\rangle\}$, which is crisp. The two conditionals in $P$, however, are still undecided in $C_1$, because $x$ has the value status $[0,1]$ and $y$ has $[\bot,1]$ there. The sets inside their branches are now unblocked, but their effect is still over-approximated by $upp$, so that $\langle\!\langle P\rangle\!\rangle^S_{C_1} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\}$ as before. Thus, overall, this gives the refined response
$$C_2 := \langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_1} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}, z^{[\bot,1]}\rangle\} \vee \{\langle x^{0}, y^{1}\rangle\} = \bot{:}1 \vee \{\langle x^{[0,1]}, y^{1}, z^{[\bot,1]}\rangle\}$$
which is a more precise status description, i.e., $C_1 \sqsubset C_2$, since $C_2$ now endows variable $y$ with a decided value 1.

In the third pass, since $y$ is a decided 1 in $C_2$, the conditional in the second thread of $P$ is turned off, which makes the set $!x$ non-executable, so variable $x$ cannot be set. The calculation for the second thread now is $\langle\!\langle y\,?\,\epsilon : !x\rangle\!\rangle^S_{C_2} = \langle\!\langle \epsilon\rangle\!\rangle^S_{C_2} = S = \bot$. It terminates, i.e., $\mathit{cmpl}\langle y\,?\,\epsilon : !x, C_2\rangle = \{0\}$, as one shows without difficulty from the definition in Fig. 6. The first thread still does not terminate because $x$ is still undecided in $C_2$ and we have $\langle\!\langle x\,?\,\epsilon : (!y \parallel !z)\rangle\!\rangle^S_{C_2} = \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\}$ as before. This means $\langle\!\langle P\rangle\!\rangle^S_{C_2} = \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\} \vee \bot = \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\}$ and
$$C_3 := \langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_2} = \bot{:}1 \vee \{\langle y^{[\bot,1]}, z^{[\bot,1]}\rangle\} \vee \{\langle x^{0}, y^{1}\rangle\} = \bot{:}1 \vee \{\langle x^{0}, y^{1}, z^{[\bot,1]}\rangle\},$$
with $C_2 \sqsubset C_3$, since $C_3$ now also endows variable $x$ with a decided value 0. As a result, in the fourth pass the conditional in the first thread of $P$ must execute $!y \parallel !z$, which finally resolves the status of $z$: $\langle\!\langle x\,?\,\epsilon : (!y \parallel !z)\rangle\!\rangle^S_{C_3} = \langle\!\langle !y \parallel !z\rangle\!\rangle^S_{C_3} = \{\langle y^{1}, z^{1}\rangle\}$, which means
$$\begin{array}{rcl}
C_4 := \langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_3} &=& \langle\!\langle P\rangle\!\rangle^S_{C_3} \vee \langle\!\langle Q\rangle\!\rangle^S_{C_3} \\
&=& \langle\!\langle x\,?\,\epsilon : (!y \parallel !z)\rangle\!\rangle^S_{C_3} \vee \langle\!\langle y\,?\,\epsilon : !x\rangle\!\rangle^S_{C_3} \vee \langle\!\langle Q\rangle\!\rangle^S_{C_3} \\
&=& \{\langle y^{1}, z^{1}\rangle\} \vee \bot \vee \{\langle x^{0}, y^{1}\rangle\} = \{\langle x^{0}, y^{1}, z^{1}\rangle\}.
\end{array}$$
The environment $C_4$, which satisfies $C_3 \sqsubset C_4$, is a crisp fixed point, $\langle\!\langle P \parallel Q\rangle\!\rangle^S_{C_4} = C_4$, in which the parallel composition $P \parallel Q$ terminates, i.e., $\mathit{cmpl}\langle P \parallel Q, C_4\rangle = \{0\}$.
The program of Ex. 18 is what we shall call a strongly Berry-constructive program (cf. Def. 7): one which generates a crisp fixed point response. This implies (cf. Thm. 1) that the program is B-reactive and SC-read-determinate. There are however programs which cannot be scheduled because they contain a causal cycle which makes the schedule lock up. These deadlocks arise from the "init;update;read" protocol constraint that makes read accesses wait for the prior completion of all possible write accesses and sets wait for the completion of any possible resets. The following examples illustrate the two typical cases of deadlocks.
Example 19. The program $P_1 := !x ; \text{¡}y \parallel !y ; \text{¡}x$ is not constructive. Indeed it does not admit any SC-admissible (and hence neither any B-admissible) schedule because in all its free schedules a reset happens after a concurrent set to the same variable, yet they are not confluent with each other. Hence, each schedule violates SC-admissibility. Also, the final memory is non-deterministic, depending on the schedule. If we choose the sequence $!x ; !y ; \text{¡}x ; \text{¡}y$ the final memory has $y = 0$, whereas if we schedule $!x ; \text{¡}y ; !y ; \text{¡}x$ we get $y = 1$. If we run the fixed point analysis the problem becomes visible as a deadlock: From $S := \bot$ and $C_0 := [\bot,\top]{:}2$ the two concurrent sets $!x$ and $!y$ both block so that $\langle\!\langle !x\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\}$ and $\langle\!\langle !y\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle y^{[\bot,1]}\rangle\}$. Then, because the blocked sets guard the resets $\text{¡}y$ and $\text{¡}x$, respectively, the 'otherwise' case of sequential composition applies and the init status of the reset variables is set to 2:
$$\begin{array}{rcl}
\langle\!\langle P_1\rangle\!\rangle^S_{C_0} &=& \langle\!\langle !x ; \text{¡}y \parallel !y ; \text{¡}x\rangle\!\rangle^S_{C_0} \\
&=& \langle\!\langle !x ; \text{¡}y\rangle\!\rangle^S_{C_0} \vee \langle\!\langle !y ; \text{¡}x\rangle\!\rangle^S_{C_0} \\
&=& \langle\!\langle !x\rangle\!\rangle^S_{C_0} \vee upp\langle\!\langle \text{¡}y\rangle\!\rangle^{\langle\!\langle !x\rangle\!\rangle^S_{C_0}}_{C_0} \vee \langle\!\langle !y\rangle\!\rangle^S_{C_0} \vee upp\langle\!\langle \text{¡}x\rangle\!\rangle^{\langle\!\langle !y\rangle\!\rangle^S_{C_0}}_{C_0} \\
&=& \bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\} \vee upp\langle\!\langle \text{¡}y\rangle\!\rangle^{\bot:1 \vee \{\langle x^{[\bot,1]}\rangle\}}_{C_0} \vee \bot{:}1 \vee \{\langle y^{[\bot,1]}\rangle\} \vee upp\langle\!\langle \text{¡}x\rangle\!\rangle^{\bot:1 \vee \{\langle y^{[\bot,1]}\rangle\}}_{C_0} \\
&=& \bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\} \vee \{\langle y^{[\bot,1]}\rangle\} \vee upp(\bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\} \vee \{\langle y^{0:2}\rangle\}) \vee upp(\bot{:}1 \vee \{\langle y^{[\bot,1]}\rangle\} \vee \{\langle x^{0:2}\rangle\}) \\
&=& \bot{:}1 \vee \{\langle x^{[\bot,1]}\rangle\} \vee \{\langle x^{[\bot,0]:2}\rangle\} \vee \{\langle y^{[\bot,1]}\rangle\} \vee \{\langle y^{[\bot,0]:2}\rangle\} \\
&=& \bot{:}1 \vee \{\langle x^{[\bot,1]:2}\rangle\} \vee \{\langle y^{[\bot,1]:2}\rangle\}.
\end{array}$$
In this updated environment $C_1 := \langle\!\langle P_1\rangle\!\rangle^S_{C_0}$ both variables still indicate contingent resets. As a consequence, in the next iteration the sets $!x$ and $!y$ again block, whence $\langle\!\langle P_1\rangle\!\rangle^S_{C_1} = C_1$. This fixed point $C_1$ is not crisp (not even decided) and constitutes a scheduling deadlock. Observe that the deadlock is detected with the help of the init status not reducing from 2 to 1. In the fixed point semantics of [4], where the init status is missing, $P_1$ would wrongly be classified as SC-constructive. This is a mistake that our extended semantics now fixes.
Example 20. Another unschedulable program is the "arbiter" $P_2 := x\,?\,\epsilon : !y \parallel y\,?\,\epsilon : !x$. It is not constructive because it fails to have any admissible schedules. Every execution order forces a set to happen concurrently after a read and both are not guaranteed to be confluent (this depends on the initial memory). As one can verify, our domain-theoretic analysis of $P_2$ obtains $C_1 := \langle\!\langle P_2\rangle\!\rangle^S_{C_0} = \bot{:}1 \vee \{\langle x^{[\bot,1]}, y^{[\bot,1]}\rangle\}$ and then $\langle\!\langle P_2\rangle\!\rangle^S_{C_1} = C_1$, again choosing $S := \bot$ and $C_0 := [\bot,\top]{:}2$. The fixed point $C_1$ is undecided and therefore $P_2$ is not (strongly) Berry-constructive (Def. 7).
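The following Python program is an added worked example and not code from the paper or its authors. It encodes the status domain $I(D,P)$ and the completion domain $I(C)$ of Sec. III, the $\mathit{must}_k$/$\mathit{cannot}_k$ extraction of Sec. III-D, $\mathit{cmpl}$ from Fig. 6 and the response function $\langle\!\langle P\rangle\!\rangle^S_C$ from Fig. 7, and iterates the response to a fixed point, so that the traces of Exs. 17 to 20 can be recomputed mechanically. The encoding is an assumption of this example: $D$ is represented by the ranks $\bot < 0 < 1 < \top$ (so $\vee$ is $\max$), a status $[l,u]{:}r$ by a triple, the precision order $\sqsubseteq$ by interval inclusion together with "smaller init status is more precise", the blocking completion code $\bot$ by `None`, fprogs by nested tuples, and the variable set $V = \{x, y, z\}$ and the programs are those of the examples.

```python
# Added example (not the paper's code): I(D,P), I(C), cmpl (Fig. 6), <<P>>^S_C (Fig. 7)
# and the fixed point iteration of Exs. 18-20.  Encoding choices are assumptions.
from typing import Dict, FrozenSet, List, Tuple

BOT, ZERO, ONE, TOP = 0, 1, 2, 3          # D = {bot < 0 < 1 < top} as ranks; join = max
Status = Tuple[int, int, int]             # ([l,u]:r): value interval plus init status r
Env = Dict[str, Status]                   # environment E: variable -> status
V = ("x", "y", "z")                       # variables of the examples (constructed input)

def join_s(a: Status, b: Status) -> Status:       # a v b, pointwise join
    return (max(a[0], b[0]), max(a[1], b[1]), max(a[2], b[2]))

def below(a: Status, b: Status) -> bool:          # a ⊑ b: b is at least as precise as a
    return a[0] <= b[0] and b[1] <= a[1] and b[2] <= a[2]

def const(st: Status) -> Env:                     # environment giving every variable st
    return {v: st for v in V}

def point(s: str, st: Status) -> Env:             # {<s^st>}: s gets st, all others bottom
    e = const((BOT, BOT, 0)); e[s] = st; return e

def join(e1: Env, e2: Env) -> Env:
    return {v: join_s(e1[v], e2[v]) for v in V}

def upp(e: Env) -> Env:                           # upper projection: drop lower bounds
    return {v: (BOT, e[v][1], e[v][2]) for v in V}

BOTTOM, BOT1, ANY1 = (BOT, BOT, 0), (BOT, BOT, 1), (BOT, TOP, 1)   # bot, bot:1, [bot,top]:1

Cmpl = FrozenSet                                  # completion sets; None encodes the code bot
def oplus(g1: Cmpl, g2: Cmpl) -> Cmpl:            # strict lifting of max to completion sets
    return frozenset(None if None in (a, b) else max(a, b) for a in g1 for b in g2)

def meet_c(g1: Cmpl, g2: Cmpl) -> Cmpl:           # meet of I(C) under inverse inclusion
    if g2 <= g1: return g1
    if g1 <= g2: return g2
    return frozenset({None, 0, 1})

def upp_c(g: Cmpl) -> Cmpl:
    return g | {None}

def must_k(g: Cmpl) -> set: return {k for k in (0, 1) if g == {k}}        # Sec. III-D
def cannot_k(g: Cmpl) -> set: return {k for k in (0, 1) if k not in g}

# fprogs as tuples: ("eps",) ("pause",) ("set",s) ("reset",s) ("par",P,Q) ("seq",P,Q) ("if",s,P,Q)
def cmpl(P, C: Env) -> Cmpl:                      # Fig. 6
    k = P[0]
    if k in ("eps", "reset"): return frozenset({0})
    if k == "pause": return frozenset({1})
    if k == "set": return frozenset({0}) if below(ANY1, C[P[1]]) else frozenset({None, 0})
    if k == "par": return oplus(cmpl(P[1], C), cmpl(P[2], C))
    if k == "seq":
        g = cmpl(P[1], C)
        return g if 0 not in g else oplus(g, cmpl(P[2], C))
    s, P1, Q1 = P[1:]
    if below((ONE, ONE, 1), C[s]): return cmpl(P1, C)        # guard decided 1
    if below((ZERO, ZERO, 1), C[s]): return cmpl(Q1, C)      # guard decided 0
    return meet_c(upp_c(cmpl(P1, C)), upp_c(cmpl(Q1, C)))    # undecided: both, blocking

def resp(P, S: Env, C: Env) -> Env:               # <<P>>^S_C, Fig. 7
    k = P[0]
    if k in ("eps", "pause"): return S
    if k == "reset":
        s = P[1]; l, u, r = S[s]
        if l >= ONE and r == 0:    st = (TOP, TOP, 0)    # 1 <= S(s) <= top: set before, crash
        elif l >= ONE:             st = (TOP, TOP, 2)    # 1:1 <= S(s): speculative crash
        elif u <= ZERO and r == 0: st = (ZERO, ZERO, 0)  # S(s) <= 0: plain reset
        elif u <= ZERO:            st = (ZERO, ZERO, 2)  # bot:1 <= S(s) <= 0:2: speculative
        else:                      st = (ZERO, TOP, 2)   # s may have been set before
        return join(S, point(s, st))
    if k == "set":
        s = P[1]
        if below(ANY1, C[s]):                            # init phase on s is complete
            return join(S, point(s, (ONE, ONE, 0)))
        return join(join(S, point(s, (BOT, ONE, 0))), const(BOT1))   # blocked set
    if k == "par": return join(resp(P[1], S, C), resp(P[2], S, C))
    if k == "if":
        s, P1, Q1 = P[1:]
        if below((ONE, ONE, 1), C[s]): return resp(P1, S, C)
        if below((ZERO, ZERO, 1), C[s]): return resp(Q1, S, C)
        S1 = join(S, const(BOT1))                        # branches run speculatively
        return join(join(S, upp(resp(P1, S1, C))), upp(resp(Q1, S1, C)))
    P1, Q1 = P[1:]                                       # sequential composition
    g, R = cmpl(P1, C), resp(P1, S, C)
    if 0 not in g: return R                              # P cannot terminate this instant
    if g == {0}: return resp(Q1, R, C)                   # P terminates for sure
    return join(R, upp(resp(Q1, R, C)))                  # Q only speculative

def fixpoint(P, S: Env, C0: Env, limit: int = 20) -> List[Env]:
    """Iterate C_{i+1} = <<P>>^S_{C_i} from C0 and return [C0, ..., C_n] with
    <<P>>^S_{C_n} = C_n; every step is checked to be more precise (⊑)."""
    trace = [C0]
    while len(trace) < limit:
        C = resp(P, S, trace[-1])
        assert all(below(trace[-1][v], C[v]) for v in V), "iteration not monotone"
        if C == trace[-1]: return trace
        trace.append(C)
    raise RuntimeError("no fixed point within the iteration limit")

def is_crisp(E: Env) -> bool:                     # every status is a decided value with r = 0
    return all(l == u and r == 0 for (l, u, r) in E.values())

if __name__ == "__main__":                        # Ex. 18: P || Q from S = bot, C0 = [bot,top]:2
    P = ("par", ("if", "x", ("eps",), ("par", ("set", "y"), ("set", "z"))), ("if", "y", ("eps",), ("set", "x")))
    Q = ("par", ("reset", "x"), ("set", "y"))
    for i, C in enumerate(fixpoint(("par", P, Q), const(BOTTOM), const((BOT, TOP, 2)))):
        print(f"C{i} =", C, "crisp" if is_crisp(C) else "")
```

Running the script prints the chain $C_0 \sqsubset C_1 \sqsubset \dots$ of Ex. 18 up to its crisp fixed point $\{\langle x^{0}, y^{1}, z^{1}\rangle\}$; for the deadlocking $P_1$ of Ex. 19 the same `fixpoint` call stops after one step with both init statuses stuck at 2, and for the arbiter $P_2$ of Ex. 20 with an undecided environment. The monotonicity assertion in `fixpoint` is the practical check that the iteration only ever refines the environment, which is what makes the fixed point a sound verdict rather than an artefact of the iteration order.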
The completion codes $\mathit{cmpl}\langle P,C\rangle$ control the analysis of sequential composition. As long as $P$ is not known to terminate or pause, a sequential successor $Q$ only enters the calculation for $P;Q$ to reduce the "may" (upper bound) information on signal statuses, never the "must" (lower bound) information. This is similar to the treatment of conditionals $s\,?\,P:Q$ in which we block the "must" reaction of $P$ and $Q$ until variable $s$ becomes decided. Until this happens the conditional does not terminate.

One can show that termination and crisp reaction environments are closely related. For this we call an environment $E$ synchronized when (i) $E(x) = [l,u]{:}0$ implies $l = u$, and (ii) $\bot{:}1 \leq E(x)$ implies $\forall y.\ \bot{:}1 \leq E(y)$, for all variables $x \in V$. As we shall see, all our environments will be synchronized. Hence the difference between a completed schedule marked by 0 and a contingent schedule marked by one of $\{1,2\}$ is a feature of the whole environment rather than of an individual variable.
Proposition 8. Let $S$ be synchronized. Then
1) $\langle\!\langle P\rangle\!\rangle^S_C$ is synchronized.
2) If $S$ is a crisp sequential environment, i.e., $S(x) \in D$ for all $x \in V$, then the response of a terminating or pausing fprog starting from $S$ is crisp, too: If $\mathit{cmpl}\langle P,C\rangle = \{0\}$ or $\mathit{cmpl}\langle P,C\rangle = \{1\}$ then $\langle\!\langle P\rangle\!\rangle^S_C(x) \in D$ for all $x \in V$. The converse also holds, i.e., if $\langle\!\langle P\rangle\!\rangle^S_C$ is crisp, then $\bot \notin \mathit{cmpl}\langle P,C\rangle$.
Proof: (1) Suppose $\langle\!\langle P\rangle\!\rangle^S_C(x) = [l,u]{:}0$ for a given variable $x \in V$. One shows $l = u$ without difficulty by induction on $P$. What is important to observe is that the init status 0 right away excludes the contingent (blocking) cases of a variable access when $P$ is a set $!s$, reset $\text{¡}s$, conditional $s\,?\,P':Q'$ or a sequential $P';Q'$. Then, the claim is a matter of straightforward induction on $P'$ and $Q'$. For a reset $\text{¡}s$, either $x \neq s$, where the claim follows from the assumption on $S$, or $x = s$ and only the cases $\langle\!\langle \text{¡}x\rangle\!\rangle^S_C = S \vee \{\langle x^{\top}\rangle\}$ and $\langle\!\langle \text{¡}x\rangle\!\rangle^S_C = S \vee \{\langle x^{0}\rangle\}$ remain. Here, too, we can use the assumption that $S$ is synchronized, as for the inductive case where $P$ is $\epsilon$ or $\pi$. Finally, for parallel composition $P' \parallel Q'$ and generally for all other cases, we exploit that $E_1(x) \vee E_2(x) \leq \top{:}0$ iff both $E_1(x) \leq \top{:}0$ and $E_2(x) \leq \top{:}0$. This implies that $E_1 \vee E_2$ is crisp iff both $E_1$ and $E_2$ are crisp, exploiting that both $E_1$ and $E_2$ are synchronized (which is obtained in each case from the induction hypothesis).

The second property of being synchronized is that if $\bot{:}1 \leq \langle\!\langle P\rangle\!\rangle^S_C(x)$ for one variable $x \in V$, then $\bot{:}1 \leq \langle\!\langle P\rangle\!\rangle^S_C(y)$ for all variables $y$. This is obvious by induction on $P$, considering how the init status is raised to 1 or above in the definition of $\langle\!\langle P\rangle\!\rangle^S_C$ along the different cases. This time we use the fact that $\bot{:}1 \leq E_1(x) \vee E_2(x)$ iff $\bot{:}1 \leq E_1(x)$ or $\bot{:}1 \leq E_2(x)$. For the inductive step of a reset one observes that $\bot{:}1 \leq \langle\!\langle \text{¡}s\rangle\!\rangle^S_C(x)$ iff $\bot{:}1 \leq S(x)$, whether $x = s$ or $x \neq s$.
(2) Note that the claim $\bot \notin \mathit{cmpl}\langle P,C\rangle$ is equivalent to the disjunction of $\mathit{cmpl}\langle P,C\rangle = \{0\}$ or $\mathit{cmpl}\langle P,C\rangle = \{1\}$, which is obvious from the definition of the completion codes. Recall that an environment $E$ is crisp if $E(s) = [a,a]{:}0 = a \in D$ for each $s \in V$. The proof is by induction on the structure of $P$, along the recursive definitions of $\langle\!\langle P\rangle\!\rangle^S_C$ and $\mathit{cmpl}\langle P,C\rangle$. Because of statement (1) of Prop. 8 and the assumption that $S$ is synchronized, all of the environments $\langle\!\langle P'\rangle\!\rangle^S_C$ obtained for the sub-programs $P'$ of $P$ are synchronized, too. A synchronized environment $E$ is crisp iff $E \leq \top{:}0$, and it is not crisp iff there exists a variable $s$ such that $\bot{:}1 \leq E(s)$.
• The cases of $P = \epsilon$ and $P = \pi$ are trivial.
• We have $\mathit{cmpl}\langle \text{¡}s,C\rangle = \{0\}$ so that we must show $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C$ is crisp iff $S$ is crisp. The crucial observation is that for a reset $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C$ in a crisp sequential environment $S$ only the two cases $S \vee \{\langle s^{\top}\rangle\}$ or $S \vee \{\langle s^{0}\rangle\}$ apply, which both preserve crispness. Vice versa, if $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C$ is crisp then the only possible cases are $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C = S \vee \{\langle s^{\top}\rangle\}$ or $\langle\!\langle \text{¡}s\rangle\!\rangle^S_C = S \vee \{\langle s^{0}\rangle\}$. All others generate the init status 2 on variable $s$ which contradicts crispness. But then either $1 \leq S(s) \leq \top$ or $S(s) \leq 0$ which, exploiting the assumption that $S$ is synchronized, implies that $S(s)$ is crisp. For all other variables $x \neq s$ crispness follows from the assumption because $S(x) = S(x) \vee \bot = S(x) \vee \{\langle s^{a}\rangle\}(x) = (S \vee \{\langle s^{a}\rangle\})(x) = \langle\!\langle \text{¡}s\rangle\!\rangle^S_C(x)$ for both $a \in \{0,\top\}$.
• Suppose $[\bot,\top]{:}1 \not\sqsubseteq C(s)$, whence $\mathit{cmpl}\langle !s,C\rangle = \{\bot,0\}$. We must show that $\langle\!\langle !s\rangle\!\rangle^S_C$ is not crisp. But this is obvious since then $\langle\!\langle !s\rangle\!\rangle^S_C = S \vee \{\langle s^{[\bot,1]}\rangle\} \vee \bot{:}1$, which gives variable $s$ the status $S(s) \vee [\bot,1]{:}1$. Now assume $[\bot,\top]{:}1 \sqsubseteq C(s)$, so that $\mathit{cmpl}\langle !s,C\rangle = \{0\}$ and $\langle\!\langle !s\rangle\!\rangle^S_C = S \vee \{\langle s^{1}\rangle\}$. As above we argue that then $\langle\!\langle !s\rangle\!\rangle^S_C$ is crisp iff $S$ is crisp.
• The inductive proof for a parallel composition succeeds because, on the one hand, $\bot \notin \mathit{cmpl}\langle P \parallel Q,C\rangle = \mathit{cmpl}\langle P,C\rangle \oplus \mathit{cmpl}\langle Q,C\rangle$ iff $\bot \notin \mathit{cmpl}\langle P,C\rangle$ and $\bot \notin \mathit{cmpl}\langle Q,C\rangle$. On the other hand, a join $E_1 \vee E_2$ of two synchronized environments is crisp if and only if both $E_1$ and $E_2$ are crisp. Both $\langle\!\langle P\rangle\!\rangle^S_C$ and $\langle\!\langle Q\rangle\!\rangle^S_C$ are synchronized by Prop. 8(1).
• To handle a conditional $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C$ let us look at the undecided case first, i.e., where $1{:}1 \not\sqsubseteq C(s)$ and $0{:}1 \not\sqsubseteq C(s)$. Then, $\bot \in upp(\mathit{cmpl}\langle P,C\rangle) \sqcap upp(\mathit{cmpl}\langle Q,C\rangle) = \mathit{cmpl}\langle s\,?\,P:Q,C\rangle$ by definition of the $upp$ abstraction. We can infer that $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = S \vee upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \vee upp\langle\!\langle Q\rangle\!\rangle^{S\vee\bot:1}_C$ is not crisp, using the inequations $\bot{:}1 = upp(\bot{:}1) \leq upp(S \vee \bot{:}1) \leq upp\langle\!\langle P\rangle\!\rangle^{S\vee\bot:1}_C \leq \langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C$. What if the conditional is decided, $1{:}1 \sqsubseteq C(s)$ or $0{:}1 \sqsubseteq C(s)$? Then $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C$ or $\langle\!\langle s\,?\,P:Q\rangle\!\rangle^S_C = \langle\!\langle Q\rangle\!\rangle^S_C$ and the claim follows directly from the induction hypothesis.
• The last operator is the sequential composition. First observe that if $0 \notin \mathit{cmpl}\langle P,C\rangle$ then $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C$ and $\mathit{cmpl}\langle P;Q,C\rangle = \mathit{cmpl}\langle P,C\rangle$. Then, the claim is obtained from the induction hypothesis without detours. So, assume $0 \in \mathit{cmpl}\langle P,C\rangle$ henceforth. But this means $\mathit{cmpl}\langle P;Q,C\rangle = \mathit{cmpl}\langle P,C\rangle \oplus \mathit{cmpl}\langle Q,C\rangle$, and further that
$$\bot \notin \mathit{cmpl}\langle P;Q,C\rangle \text{ iff } \mathit{cmpl}\langle P,C\rangle = \{0\} \text{ and } \bot \notin \mathit{cmpl}\langle Q,C\rangle. \qquad (15)$$
If in fact $\mathit{cmpl}\langle P,C\rangle = \{0\}$ then (i) by induction hypothesis on $P$ we can conclude that $\langle\!\langle P\rangle\!\rangle^S_C$ is crisp iff $S$ is crisp; further, we have (ii) $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C$ and, due to (15), (iii) $\bot \notin \mathit{cmpl}\langle P;Q,C\rangle$ iff $\bot \notin \mathit{cmpl}\langle Q,C\rangle$. From here the claim follows by induction hypothesis on $Q$, considering that $\langle\!\langle P\rangle\!\rangle^S_C$ is synchronized by Prop. 8(1).
If $\mathit{cmpl}\langle P,C\rangle \neq \{0\}$, i.e., $\bot \in \mathit{cmpl}\langle P,C\rangle$, then by (15) we have $\bot \in \mathit{cmpl}\langle P;Q,C\rangle$. We show that $\langle\!\langle P;Q\rangle\!\rangle^S_C$ is not crisp. This follows because by induction hypothesis on $P$ the environment $\langle\!\langle P\rangle\!\rangle^S_C$ is not crisp. Yet, it is synchronized, which means that $\bot{:}1 \leq \langle\!\langle P\rangle\!\rangle^S_C(x)$ for some $x \in V$. On the other hand, in this case $\langle\!\langle P;Q\rangle\!\rangle^S_C = \langle\!\langle P\rangle\!\rangle^S_C \vee upp\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C$. Thus, $\bot{:}1 \leq \langle\!\langle P\rangle\!\rangle^S_C(x) \leq \langle\!\langle P\rangle\!\rangle^S_C(x) \vee upp\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^S_C}_C(x) = \langle\!\langle P;Q\rangle\!\rangle^S_C(x)$. This shows that $\langle\!\langle P;Q\rangle\!\rangle^S_C$ is not crisp, as required.
Prop. 8 does not hold for decidedness: Although a program does not terminate, it may be possible to constructively prove that its response is decided. E.g., the fprog $s\,?\,\epsilon:\epsilon$ does not complete in a concurrent environment $C$ with $C(s) = [\bot,\top]{:}2$ but still has the decided response $\langle\!\langle s\,?\,\epsilon:\epsilon\rangle\!\rangle^{\bot}_{C} = \bot{:}1$, implying that $s$ remains pristine and environment-controlled.
Proposition 9. For every reset-free fprog $P$, the sets $\mathit{must}_k(P,C)$ and $\mathit{cannot}_k(P,C)$ extracted from $\mathit{cmpl}\langle P,C\rangle$ as defined in Sec. III-D are identical to the completion semantics of Esterel [12].

Proof: To show the connection with [12] let us take a detailed look at the $\mathit{must}_k$ and $\mathit{cannot}_k$ sets and see how they are computed for the different operators of the language. We begin with $\mathit{must}_k$:
• The primitive statements have $\mathit{must}_k(\epsilon,C) = \mathit{must}_k(!s,C) = \{0\}$ and $\mathit{must}_k(\pi,C) = \{1\}$.
• We have $0 \notin \mathit{must}_k(P,C)$ iff $\mathit{cmpl}\langle P,C\rangle \neq \{0\}$. In this case one shows that $0 \notin \mathit{must}_k(P;Q,C)$ and also that $1 \in \mathit{must}_k(P;Q,C)$ iff $1 \in \mathit{must}_k(P,C)$. This is because $\gamma_1 \oplus \gamma_2 = \{0\}$ iff $\gamma_1 = \gamma_2 = \{0\}$. Thus, $\mathit{must}_k(P;Q,C) = \mathit{must}_k(P,C)$ if $0 \notin \mathit{must}_k(P,C)$. On the other hand, if $0 \in \mathit{must}_k(P,C)$, i.e., $\mathit{cmpl}\langle P,C\rangle = \{0\}$, then $\mathit{cmpl}\langle P;Q,C\rangle = \mathit{cmpl}\langle Q,C\rangle$ by definition and thus $\mathit{must}_k(P;Q,C) = \mathit{must}_k(Q,C)$. Overall,
$$\mathit{must}_k(P;Q,C) = \begin{cases} \mathit{must}_k(P,C) & \text{if } 0 \notin \mathit{must}_k(P,C) \\ \mathit{must}_k(Q,C) & \text{otherwise.} \end{cases}$$
• For parallel composition, the following holds:
  – $\mathit{must}_k(P \parallel Q,C) = \emptyset$ iff $\mathit{must}_k(P,C) = \emptyset$ or $\mathit{must}_k(Q,C) = \emptyset$;
  – $\mathit{must}_k(P \parallel Q,C) = \{0\}$ iff $\mathit{must}_k(P,C) = \{0\}$ and $\mathit{must}_k(Q,C) = \{0\}$;
  – $\mathit{must}_k(P \parallel Q,C) = \{1\}$ iff either $\mathit{must}_k(P,C) = \{1\}$ and $\mathit{must}_k(Q,C) \neq \emptyset$, or $\mathit{must}_k(Q,C) = \{1\}$ and $\mathit{must}_k(P,C) \neq \emptyset$.
This can be summarised as
$$\mathit{must}_k(P \parallel Q,C) = \mathit{Max}(\mathit{must}_k(P,C), \mathit{must}_k(Q,C)),$$
where $\mathit{Max}(A,B) = \{a \oplus b \mid a \in A, b \in B\} = \{\max(a,b) \mid a \in A, b \in B\}$ for subsets $A,B \subseteq \{0,1\}$.
• Finally, since always $\bot \in upp(\mathit{cmpl}\langle P,C\rangle) \sqcap upp(\mathit{cmpl}\langle Q,C\rangle)$ we find $\mathit{must}_k(s\,?\,P:Q,C) = \emptyset$ if $1{:}1 \not\sqsubseteq C(s)$ and $0{:}1 \not\sqsubseteq C(s)$, by definition. Hence, for conditionals
$$\mathit{must}_k(s\,?\,P:Q,C) = \begin{cases} \mathit{must}_k(P,C) & \text{if } 1{:}1 \sqsubseteq C(s) \\ \mathit{must}_k(Q,C) & \text{if } 0{:}1 \sqsubseteq C(s) \\ \emptyset & \text{otherwise.} \end{cases}$$
Now we turn to the cannot_k sets:
• For the primitive statements we compute cannot_k(ε,C) = cannot_k(!s,C) = {1} and cannot_k(π,C) = {0}, or in positive terms, can_k(ε,C) = can_k(!s,C) = {0} and can_k(π,C) = {1}.
• The definition for conditional statements directly implies that if 1:1 ⊑ C(s) then cannot_k(s ? P : Q,C) = cannot_k(P,C) and if 0:1 ⊑ C(s) then cannot_k(s ? P : Q,C) = cannot_k(Q,C). If both 1:1 ⋢ C(s) and 0:1 ⋢ C(s) then one can show that cannot_k(s ? P : Q,C) = cannot_k(P,C) ∩ cannot_k(Q,C). This is because, in this case, cmpl⟨s ? P : Q,C⟩ = upp(cmpl⟨P,C⟩) ⊓ upp(cmpl⟨Q,C⟩), and since for Boolean a ∈ {0,1} we have that a ∉ γ1 ⊓ γ2 iff a ∉ γ1 and a ∉ γ2, as well as a ∉ upp γ iff a ∉ γ. In terms of can-sets,
can_k(s ? P : Q,C) = can_k(P,C) if 1:1 ⊑ C(s), can_k(Q,C) if 0:1 ⊑ C(s), and can_k(P,C) ∪ can_k(Q,C) otherwise.
• For the parallel operator observe that 1 ∈ γ1 ⊕ γ2 iff 1 ∈ γ1 or 1 ∈ γ2, i.e., a parallel cannot pause iff both concurrent branches cannot pause. Further, 0 ∈ γ1 ⊕ γ2 iff 0 ∈ γ1 and 0 ∈ γ2, for all γ1,γ2 ∈ I(C). In other words, a parallel cannot terminate if one of its branches cannot terminate. This leads to
can_k(P‖Q,C) = Max(can_k(P,C), can_k(Q,C)).
• For sequential composition we make the following case distinction: First suppose 0 ∈ cannot_k(P,C), or equivalently, 0 ∉ cmpl⟨P,C⟩. Then the definition implies that cannot_k(P;Q,C) = cannot_k(P,C). What if 0 ∈ cmpl⟨P,C⟩? Since then cmpl⟨P;Q,C⟩ = cmpl⟨P,C⟩ ⊕ cmpl⟨Q,C⟩, we get 0 ∈ cmpl⟨P;Q,C⟩ iff 0 ∈ cmpl⟨Q,C⟩. Also, a ∈ cmpl⟨P;Q,C⟩ iff a ∈ cmpl⟨P,C⟩ or a ∈ cmpl⟨Q,C⟩ for all a ∈ {⊥,1}. This can be summed up as
cmpl⟨P;Q,C⟩ = (cmpl⟨P,C⟩ \ {0}) ∪ cmpl⟨Q,C⟩.
Hence,
can_k(P;Q,C) = can_k(P,C) if 0 ∉ can_k(P,C), and (can_k(P,C) \ {0}) ∪ can_k(Q,C) otherwise.
These calculations, extracting recursive definitions for the sets must_k(P,C) and can_k(P,C), show that we have recovered precisely the definition in [12] of the completion codes that must and can be computed for a program P in environment C.
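The recursive equations for must_k and can_k extracted in the proof above can be run directly. The following is an added worked example (not code from the paper or its authors): it implements those equations for reset-free fprogs over a small AST. The concurrent environment C is abstracted, by assumption, to a mapping from variable names to a decided status: "1" when 1:1 ⊑ C(s), "0" when 0:1 ⊑ C(s), and None when s is undecided in C, which is all the conditional clauses of Prop. 9 inspect.

```python
"""must_k / can_k completion-code analysis for reset-free fprogs (Prop. 9).

Added example, not part of the original paper. The environment C is an
assumed abstraction: var -> "1" (decided present), "0" (decided absent)
or None (undecided).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Union


# AST of reset-free fprogs: ε, π, !s, P;Q, P||Q, s ? P : Q
@dataclass(frozen=True)
class Nothing:          # ε, the empty statement
    pass

@dataclass(frozen=True)
class Pause:            # π
    pass

@dataclass(frozen=True)
class SetVar:           # !s
    s: str

@dataclass(frozen=True)
class Seq:              # P ; Q
    p: "Prog"
    q: "Prog"

@dataclass(frozen=True)
class Par:              # P || Q
    p: "Prog"
    q: "Prog"

@dataclass(frozen=True)
class If:               # s ? P : Q
    s: str
    p: "Prog"
    q: "Prog"

Prog = Union[Nothing, Pause, SetVar, Seq, Par, If]
Codes = FrozenSet[int]                 # subsets of the completion codes {0, 1}
Env = Mapping[str, Optional[str]]      # assumed abstraction of C (see docstring)


def max_codes(a: Codes, b: Codes) -> Codes:
    """Max(A,B) = {max(a,b) | a in A, b in B}; empty if either side is empty."""
    return frozenset(max(x, y) for x in a for y in b)


def must_k(p: Prog, c: Env) -> Codes:
    """Codes the program must complete with (Prop. 9, must_k clauses)."""
    if isinstance(p, (Nothing, SetVar)):
        return frozenset({0})
    if isinstance(p, Pause):
        return frozenset({1})
    if isinstance(p, Seq):
        mp = must_k(p.p, c)
        return mp if 0 not in mp else must_k(p.q, c)
    if isinstance(p, Par):
        return max_codes(must_k(p.p, c), must_k(p.q, c))
    if isinstance(p, If):
        status = c.get(p.s)
        if status == "1":
            return must_k(p.p, c)
        if status == "0":
            return must_k(p.q, c)
        return frozenset()             # undecided test: nothing is forced
    raise TypeError(f"unknown fprog node {p!r}")


def can_k(p: Prog, c: Env) -> Codes:
    """Codes the program can complete with (Prop. 9, can_k clauses)."""
    if isinstance(p, (Nothing, SetVar)):
        return frozenset({0})
    if isinstance(p, Pause):
        return frozenset({1})
    if isinstance(p, Seq):
        cp = can_k(p.p, c)
        if 0 not in cp:
            return cp
        return (cp - {0}) | can_k(p.q, c)
    if isinstance(p, Par):
        return max_codes(can_k(p.p, c), can_k(p.q, c))
    if isinstance(p, If):
        status = c.get(p.s)
        if status == "1":
            return can_k(p.p, c)
        if status == "0":
            return can_k(p.q, c)
        return can_k(p.p, c) | can_k(p.q, c)   # undecided: union of branches
    raise TypeError(f"unknown fprog node {p!r}")


def cannot_k(p: Prog, c: Env) -> Codes:
    """Complement of can_k inside {0, 1}."""
    return frozenset({0, 1}) - can_k(p, c)


def is_decided(p: Prog, c: Env) -> bool:
    """Completion is decided iff must and can agree on exactly one code."""
    return must_k(p, c) == can_k(p, c) and len(can_k(p, c)) == 1
```

For the program !x ; (x ? π : ε) the analysis returns must_k = can_k = {1} once x is decided present, but must_k = ∅ and can_k = {0,1} while x is undecided, which is exactly the gap a Berry-style causality analysis has to close by iterating the environment.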
C. The Fixed Point Semantics and Constructivity
While ⟨⟨P⟩⟩^S_C describes the instantaneous behaviour of P in a compositional fashion, the constructive response of P running by itself is obtained by the least fixed point
μC.⟨⟨P⟩⟩^S_C = ⨆_{i≥0} C_i,   (16)
where C_0 := [⊥,⊤]:2 and C_{i+1} := ⟨⟨P⟩⟩^S_{C_i}. Note that the sequential environment S is not updated in the iteration. This reflects the fact that the fixed point approximates the reaction always from the beginning of, and concurrently with, P. In contrast, the environment S is an initialisation which captures the sequential history of the thread P and remains fixed each time the iteration takes place. The fixed point μC.⟨⟨P⟩⟩^S_C closes P off against its concurrent environment C. It lets P communicate with itself by treating P as its own concurrent context.
For the fixed point to exist the termination function cmpl⟨P,C⟩ and the functional ⟨⟨P⟩⟩^S_C must be well-behaved. This is the content of the following Prop. 10. We do not use more than elementary fixed point theory over finite domains here. For a detailed exposition of the technical background the reader is referred to [22].
Proposition 10. Let P be an arbitrary fprog and S, E environments. Then,
1) The functional cmpl⟨P,E⟩ is monotonic with respect to ⊑ in E.
2) The functional ⟨⟨P⟩⟩^S_C is inflationary in the sequential environment S with respect to ≤.
3) The functional ⟨⟨P⟩⟩^S_E is monotonic with respect to ⊑ in both the concurrent environment E and the sequential environment S, and monotonic for ≤ in S.
Proof: (1) Suppose E1 ⊑ E2. We show cmpl⟨P,E1⟩ ⊑ cmpl⟨P,E2⟩ by induction on the structure of P.
• For the base cases P ∈ {ε, ¡s} the statement is trivial since cmpl⟨P,E1⟩ = {0} = cmpl⟨P,E2⟩. For P = π we have cmpl⟨P,E1⟩ = {1} = cmpl⟨P,E2⟩.
• For P = !s we observe that {⊥,0} ⊑ {0} and that if E1(s) = α1:r1 with r1 ≤ 1 is given and E1 ⊑ E2, then we also have E2(s) = α2:r2 with r2 ≤ r1 ≤ 1.
• For parallel composition P‖Q the induction step follows directly from monotonicity of ⊕ and the induction hypothesis.
• The crucial case for sequential composition P;Q is when 0 ∈ cmpl⟨P,E1⟩, for which cmpl⟨P;Q,E1⟩ = cmpl⟨P,E1⟩ ⊕ cmpl⟨Q,E1⟩, yet 0 ∉ cmpl⟨P,E2⟩, when the completion function switches to cmpl⟨P;Q,E2⟩ = cmpl⟨P,E2⟩. We must show that cmpl⟨P,E2⟩ ⊆ cmpl⟨P,E1⟩ ⊕ cmpl⟨Q,E1⟩. By induction hypothesis we have cmpl⟨P,E2⟩ ⊆ cmpl⟨P,E1⟩, and by assumption 0 ∉ cmpl⟨P,E2⟩, so it suffices to show a ∈ cmpl⟨P,E1⟩ ⊕ cmpl⟨Q,E1⟩ for every code a ∈ {⊥,1} with a ∈ cmpl⟨P,E1⟩. But this follows since a ∈ γ1 ⊕ γ2 iff a ∈ γ1 or a ∈ γ2 for a ∈ {⊥,1} and γ1,γ2 ∈ I(C).
• For the conditional s ? P : Q suppose first that 0:1 ⋢ E2(s) and 1:1 ⋢ E2(s), and hence also 0:1 ⋢ E1(s) and 1:1 ⋢ E1(s). For the completion codes we get cmpl⟨s ? P : Q,E2⟩ = upp(cmpl⟨P,E2⟩) ⊓ upp(cmpl⟨Q,E2⟩) ⊆ upp(cmpl⟨P,E1⟩) ⊓ upp(cmpl⟨Q,E1⟩) = cmpl⟨s ? P : Q,E1⟩, using the induction hypothesis and monotonicity of upp and ⊓. If 1:1 ⊑ E2(s) then cmpl⟨s ? P : Q,E2⟩ = cmpl⟨P,E2⟩. Also, we must have 0:1 ⋢ E1(s). Otherwise, if 0:1 ⊑ E1(s), then by E1 ⊑ E2 both 0:1 ⊑ E2(s) and 1:1 ⊑ E2(s), which is impossible. Therefore, cmpl⟨s ? P : Q,E1⟩ is either (i) cmpl⟨P,E1⟩ or (ii) upp(cmpl⟨P,E1⟩) ⊓ upp(cmpl⟨Q,E1⟩). In either case, cmpl⟨P,E1⟩ ⊆ cmpl⟨s ? P : Q,E1⟩ since the operators upp and ⊓ are ⊆-increasing. Overall, cmpl⟨s ? P : Q,E2⟩ = cmpl⟨P,E2⟩ ⊆ cmpl⟨P,E1⟩ ⊆ cmpl⟨s ? P : Q,E1⟩, by induction hypothesis, as desired. For 0:1 ⊑ E2(s) we argue in a similar fashion.
(2) We show that for all S, S ≤ ⟨⟨P⟩⟩^S_C by induction on the structure of P.
• The cases P = ε and P = π are trivial since ⟨⟨P⟩⟩^S_C = S implies S ≤ ⟨⟨P⟩⟩^S_C by reflexivity.
• For !s: Since ∨ is the join in the ≤-lattice we have S ≤ S ∨ {⟨s^1⟩} and S ≤ S ∨ {⟨s^[⊥,1]⟩} ∨ ⊥:1. Hence, S ≤ ⟨⟨!s⟩⟩^S_C whether [⊥,⊤]:1 ⊑ C(s) or not.
• For ¡s: Again, S ≤ S ∨ {⟨s^γ⟩} = ⟨⟨¡s⟩⟩^S_C in all cases of γ ∈ {⊤, 0, 0:2, [0,⊤]:2, ⊤:2}.
• For P‖Q: Assume by induction hypothesis that S ≤ ⟨⟨P⟩⟩^S_C and S ≤ ⟨⟨Q⟩⟩^S_C. Since S = S ∨ S, monotonicity of ∨ gives us S ∨ S ≤ ⟨⟨P⟩⟩^S_C ∨ ⟨⟨Q⟩⟩^S_C, and thus S ≤ ⟨⟨P⟩⟩^S_C ∨ ⟨⟨Q⟩⟩^S_C. The definition ⟨⟨P‖Q⟩⟩^S_C = ⟨⟨P⟩⟩^S_C ∨ ⟨⟨Q⟩⟩^S_C implies S ≤ ⟨⟨P‖Q⟩⟩^S_C.
• For P;Q: The induction hypothesis applied to P and Q yields the inequalities
S ≤ ⟨⟨P⟩⟩^S_C ≤ ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^S_C}_C.   (17)
Since the upper projection is ≤-monotonic, (17) implies upp(S) ≤ upp ⟨⟨P⟩⟩^S_C. Further, using ≤-monotonicity of ∨ and upp, we find
S ≤ S ∨ upp(S) ≤ ⟨⟨P⟩⟩^S_C ∨ upp ⟨⟨P⟩⟩^S_C ≤ ⟨⟨P⟩⟩^S_C ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^S_C}_C.   (18)
Finally, by definition, ⟨⟨P;Q⟩⟩^S_C is one of the three environments ⟨⟨P⟩⟩^S_C, ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^S_C}_C or ⟨⟨P⟩⟩^S_C ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^S_C}_C, depending on cmpl⟨P,C⟩, which results in S ≤ ⟨⟨P;Q⟩⟩^S_C, from (17) or (18) respectively, as desired.
• For the conditionals: By induction hypothesis both S ≤ ⟨⟨P⟩⟩^S_C and S ≤ ⟨⟨Q⟩⟩^S_C. Further, S ≤ S ∨ upp ⟨⟨P⟩⟩^{S∨⊥:1}_C ∨ upp ⟨⟨Q⟩⟩^{S∨⊥:1}_C, exploiting the properties of ∨. The fact that ⟨⟨P⟩⟩^S_C, ⟨⟨Q⟩⟩^S_C and S ∨ upp ⟨⟨P⟩⟩^{S∨⊥:1}_C ∨ upp ⟨⟨Q⟩⟩^{S∨⊥:1}_C are the only possible responses of the conditional implies S ≤ ⟨⟨s ? P : Q⟩⟩^S_C.
(3) First we prove monotonicity with respect to ⊑. Suppose S1 ⊑ S2 and E1 ⊑ E2. We show ⟨⟨P⟩⟩^{S1}_{E1} ⊑ ⟨⟨P⟩⟩^{S2}_{E2} by induction on the structure of P. For notational compactness let us generally abbreviate ⟨⟨P⟩⟩^{Si}_{Ei} as ⟨⟨P⟩⟩^i_i wherever possible. Also, notice that [1,⊤] ⊑ [a,b] is equivalent to 1 ≤ [a,b], and [⊥,0] ⊑ [a,b] is the same as [a,b] ≤ 0.
• For P = ε and P = π the statement is trivial because ⟨⟨P⟩⟩^1_1 = S1 ⊑ S2 = ⟨⟨P⟩⟩^2_2.
• For !s: If E1(s) = α1:r1 with r1 ≤ 1 then also E2(s) = α2:r2 with r2 ≤ r1 ≤ 1. Then, since ∨ is monotonic for ⊑, we have ⟨⟨!s⟩⟩^1_1 = S1 ∨ {⟨s^1⟩} ⊑ S2 ∨ {⟨s^1⟩} = ⟨⟨!s⟩⟩^2_2. Further, note that (S1 ∨ {⟨s^[⊥,1]⟩} ∨ ⊥:1)(s) = S1(s) ∨ [⊥,1] ∨ ⊥:1 = S1(s) ∨ [⊥,1]:1 ⊑ S2(s) ∨ 1, and for x ≠ s we calculate (S1 ∨ {⟨s^[⊥,1]⟩} ∨ ⊥:1)(x) = S1(x) ∨ ⊥:1 ⊑ S2(x) ∨ ⊥ = S2(x). Hence, ⟨⟨!s⟩⟩^1_1 ⊑ ⟨⟨!s⟩⟩^2_2 in all other cases, too.
• For ¡s: First note that [0,⊤]:2 is ⊑-minimal among all statuses γ ∈ {⊤, 0, 0:2, ⊤:2}. Hence, if S1(s) = [a1,b1]:r1 with 1 ≤ r1, a1 ≤ 0 and 1 ≤ b1 we have ⟨⟨¡s⟩⟩^1_1 = S1 ∨ {⟨s^[0,⊤]:2⟩} ⊑ S2 ∨ {⟨s^[0,⊤]:2⟩} ⊑ ⟨⟨¡s⟩⟩^2_2 by monotonicity. If 1 ≤ S1(s) ≤ ⊤ then S1 ⊑ S2 implies 1 ≤ S2(s) ≤ ⊤, too, and if S1(s) ≤ 0 then also S2(s) ≤ 0. Hence, ⟨⟨¡s⟩⟩^1_1 = S1 ∨ {⟨s^γ⟩} ⊑ S2 ∨ {⟨s^γ⟩} = ⟨⟨¡s⟩⟩^2_2 independently of whether γ = 0 or γ = ⊤. The only remaining cases are S1(s) = α1:r1 with 1 ≤ r1 and (i) α1 ≤ 0 or (ii) α1 ≥ 1. From S1 ⊑ S2 it follows that S2(s) = α2:r2 with α2 ≤ 0 in case (i) and α2 ≥ 1 in case (ii). On top of that, in each case either 1 ≤ r2 or r2 = 0. For (i) the result then follows directly since ⟨⟨¡s⟩⟩^1_1 = S1 ∨ {⟨s^0:2⟩} ⊑ S2 ∨ {⟨s^γ⟩} = ⟨⟨¡s⟩⟩^2_2 for both γ = 0:2 and γ = 0. For (ii) we observe that ⟨⟨¡s⟩⟩^1_1 = S1 ∨ {⟨s^⊤:2⟩} ⊑ S2 ∨ {⟨s^γ⟩} = ⟨⟨¡s⟩⟩^2_2 for both γ ∈ {⊤:2, ⊤}.
• Parallel composition P‖Q is handled by induction hypothesis and monotonicity: ⟨⟨P‖Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ∨ ⟨⟨Q⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 ∨ ⟨⟨Q⟩⟩^2_2 = ⟨⟨P‖Q⟩⟩^2_2.
• Sequential composition P;Q needs more effort. Suppose first that 0 ∈ cmpl⟨P,E2⟩ and cmpl⟨P,E2⟩ ≠ {0}. Then, by monotonicity of the completion function, Prop. 10(1), we also have 0 ∈ cmpl⟨P,E1⟩ and cmpl⟨P,E1⟩ ≠ {0}. In this case we get
⟨⟨P;Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨P⟩⟩^2_2 ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^2_2}_2 = ⟨⟨P;Q⟩⟩^2_2
by induction hypothesis and ⊑-monotonicity of ∨ and upp. Similarly, if 0 ∉ cmpl⟨P,E1⟩ then also 0 ∉ cmpl⟨P,E2⟩. We calculate
⟨⟨P;Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 = ⟨⟨P;Q⟩⟩^2_2.
Now consider the case that cmpl⟨P,E1⟩ = {0} and thus also cmpl⟨P,E2⟩ = {0} by monotonicity, Prop. 10(1). Then,
⟨⟨P;Q⟩⟩^1_1 = ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^2_2}_2 = ⟨⟨P;Q⟩⟩^2_2
again exploiting the induction hypothesis and monotonicity of ⟨⟨ ⟩⟩ in the sequential input. If 0 ∉ cmpl⟨P,E1⟩ = {1}, then also 0 ∉ cmpl⟨P,E2⟩ = {1} and thus ⟨⟨P;Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 = ⟨⟨P;Q⟩⟩^2_2 by induction hypothesis.
It remains to treat the cases where 0 ∈ cmpl⟨P,E1⟩ and cmpl⟨P,E1⟩ ≠ {0}, while either (i) cmpl⟨P,E2⟩ = {0} or (ii) 0 ∉ cmpl⟨P,E2⟩. Consider case (i) first: Since upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 by Lem. 3(4) and monotonicity of ∨ for ⊑, the inflationary property Prop. 10(2) gives
⟨⟨P;Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨P⟩⟩^1_1 ∨ ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 = ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^2_2}_2 = ⟨⟨P;Q⟩⟩^2_2
using the induction hypothesis. For (ii) we argue as follows:
⟨⟨P;Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ∨ upp ⟨⟨Q⟩⟩^{⟨⟨P⟩⟩^1_1}_1 ⊑ ⟨⟨P⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 = ⟨⟨P;Q⟩⟩^2_2
by induction hypothesis and Lem. 3(3). This concludes the case of sequential composition.
• Next consider a branching s ? P : Q. The first case we take a look at is when variable s does not have a decided Boolean value in the environment E2, i.e., when 1:1 ⋢ E2(s) and 0:1 ⋢ E2(s). This also means that 1:1 ⋢ E1(s) and 0:1 ⋢ E1(s), because E1 ⊑ E2. Then,
⟨⟨s ? P : Q⟩⟩^1_1 = S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1 ⊑ S2 ∨ upp ⟨⟨P⟩⟩^{S2∨⊥:1}_2 ∨ upp ⟨⟨Q⟩⟩^{S2∨⊥:1}_2 = ⟨⟨s ? P : Q⟩⟩^2_2
by induction hypothesis and monotonicity of ∨ and upp with respect to ⊑. It remains to verify the cases when s is decided in the increased environment E2, i.e., when 1:1 ⊑ E2(s) or 0:1 ⊑ E2(s).
To start with let us assume 0:1 ⊑ E2(s), i.e., ⟨⟨s ? P : Q⟩⟩^2_2 = ⟨⟨Q⟩⟩^2_2. If also 0:1 ⊑ E1(s) we are done immediately, since then ⟨⟨s ? P : Q⟩⟩^1_1 = ⟨⟨Q⟩⟩^1_1 ⊑ ⟨⟨Q⟩⟩^2_2 = ⟨⟨s ? P : Q⟩⟩^2_2 by induction hypothesis. What if 0:1 ⋢ E1(s)? Then certainly we also have 1:1 ⋢ E1(s), because otherwise this would contradict the assumption 0:1 ⊑ E2(s) and the inclusion E1 ⊑ E2. Hence, since then 1:1 ⋢ E1(s), the reaction of s ? P : Q in S1, E1 is determined as ⟨⟨s ? P : Q⟩⟩^1_1 = S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1. By Prop. 6, Prop. 3(1), Prop. 10(2), Lem. 2(2) and Lem. 3(2) we have
low(S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1) = low(S1) ∨ low upp(⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ ⟨⟨Q⟩⟩^{S1∨⊥:1}_1) = low low(S1) = low(S1) ⊑ low ⟨⟨Q⟩⟩^1_1.
The inequation S1 ≤ S1 ∨ ⊥:1 together with monotonicity of ⟨⟨ ⟩⟩^S for ≤ in the sequential environment S (shown at the end of this proof) and monotonicity of upp with respect to ≤ implies
upp ⟨⟨Q⟩⟩^1_1 ≤ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1 ≤ S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1,
and then Lem. 2(2) and Prop. 3(1) give
upp(S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1) ⊑ upp upp ⟨⟨Q⟩⟩^1_1 = upp ⟨⟨Q⟩⟩^1_1.
Now we can invoke Prop. 3(3) to get
⟨⟨s ? P : Q⟩⟩^1_1 = S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1 ⊑ ⟨⟨Q⟩⟩^1_1 ⊑ ⟨⟨Q⟩⟩^2_2 = ⟨⟨s ? P : Q⟩⟩^2_2
by the induction hypothesis.
It remains to treat the case 1:1 ⊑ E2(s), i.e., ⟨⟨s ? P : Q⟩⟩^2_2 = ⟨⟨P⟩⟩^2_2. If also 1:1 ⊑ E1(s) the desired result follows directly from the induction hypothesis, because ⟨⟨s ? P : Q⟩⟩^1_1 = ⟨⟨P⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 = ⟨⟨s ? P : Q⟩⟩^2_2. Otherwise, if 1:1 ⋢ E1(s) then it must also be the case that 0:1 ⋢ E1(s), for otherwise the inclusion E1 ⊑ E2 would imply 0:1 ⊑ E2(s), in contradiction with the assumption 1:1 ⊑ E2(s). Thus,
⟨⟨s ? P : Q⟩⟩^1_1 = S1 ∨ upp ⟨⟨P⟩⟩^{S1∨⊥:1}_1 ∨ upp ⟨⟨Q⟩⟩^{S1∨⊥:1}_1 ⊑ ⟨⟨P⟩⟩^1_1 ⊑ ⟨⟨P⟩⟩^2_2 = ⟨⟨s ? P : Q⟩⟩^2_2
using the same argument as above.
Finally, let us argue monotonicity for ≤ in the sequential environment, i.e., show that S1 ≤ S2 implies ⟨⟨P⟩⟩^{S1}_E ≤ ⟨⟨P⟩⟩^{S2}_E. We proceed essentially as above by induction on P. Most cases follow directly by induction hypothesis and ≤-monotonicity of the operators ∨ and upp used in the definition of ⟨⟨ ⟩⟩^S_E. The only interesting induction step is the one where the sequential environment S is used in a case analysis, viz. in the definition of ⟨⟨¡s⟩⟩^S_E. There, an increase S1 ≤ S2 may result in the following switch-overs:
• We may have 1 ≤ S1(s) ≤ ⊤ and 1:1 ≤ S2(s). This results in an increase ⟨⟨¡s⟩⟩^{S1}_E = S1 ∨ {⟨s^⊤⟩} ≤ S2 ∨ {⟨s^⊤⟩} ≤ S2 ∨ {⟨s^⊤:2⟩} = ⟨⟨¡s⟩⟩^{S2}_E.
• For S1 we may have S1(s) ≤ 0 and for S2 any one of the other conditions in the definition of ⟨⟨¡s⟩⟩^{S2}_E holding true. This is fine since then ⟨⟨¡s⟩⟩^{S1}_E = S1 ∨ {⟨s^0⟩} and 0 ≤ γ for all γ ∈ {⊤, 0:2, [0,⊤]:2, ⊤:2}.
• The environment S1 may satisfy ⊥:1 ≤ S1(s) ≤ 0:2 while for the increased S2 we may find a switch to [⊥,1]:1 ≤ S2(s) ≤ [0,⊤]:2 or 1:1 ≤ S2(s). This is covered by the inequations 0:2 ≤ [0,⊤]:2 and 0:2 ≤ ⊤:2.
• The situation where [⊥,1]:1 ≤ S1(s) ≤ [0,⊤]:2 may change to 1:1 ≤ S2(s), yet we have [0,⊤]:2 ≤ ⊤:2, which produces an increase ⟨⟨¡s⟩⟩^{S1}_E ≤ ⟨⟨¡s⟩⟩^{S2}_E.
No other switch-over is possible. Specifically, if S1 ≤ S2 then 1:1 ≤ S1(s) implies also 1:1 ≤ S2(s).
Corollary 1. The lower projection low ⟨⟨P⟩⟩^S_E is inflationary in the sequential environment S with respect to both ≤ and ⊑.
Proof: First observe that it suffices to show one of low(S) ≤ low(⟨⟨P⟩⟩^S_E) or low(S) ⊑ low(⟨⟨P⟩⟩^S_E), since each implies the other inequation considering Lem. 2 and the fact that low(low(E)) = low(E) (Prop. 3). The former follows directly from Prop. 10(2) and monotonicity of low.
Example 21. Note that ⟨⟨P⟩⟩^S_E is not in general inflationary in S with respect to ⊑. For instance, if [⊥,⊤]:1 ⊑ E(x) then ⟨⟨!x⟩⟩^⊥_E(x) = 1, but ⊥ ⋢ 1. Also, because of the reaction to absence, ⟨⟨P⟩⟩^S_E is not in general monotonic for ≤ in the concurrent environment E.
Monotonicity (Prop. 10) together with finiteness of I(D,P) implies that the least fixed point μC.⟨⟨P⟩⟩^S_C given by (16) is well-defined, for any sequential environment S, if we start from an initial concurrent environment C_0 that is a post-fixed point of ⟨⟨P⟩⟩^S, i.e., if C_0 ⊑ ⟨⟨P⟩⟩^S_{C_0}. The trivial concurrent environment satisfying this is C_0(x) = [⊥,⊤]:2 for all x ∈ V. This is the least element with respect to ⊑, which codes null information about the concurrent environment. With this choice of C_0, the sequential environment S is in fact completely arbitrary. We then have C_i ⊑ C_{i+1}, and (16) is the stationary limit of this monotonically increasing sequence, which must exist because of the finiteness of I(D,P).
On the modelling side, the fixed point semantics, discussed so far, is able to
accommodate different levels of synchronous constructiveness within it, as we will
see next. Different notions of constructiveness are specified by means of certain
properties in the fixed point response. First, the connection with Esterel can be made
through the two versions of constructiveness introduced in [4]. Then, the denotational
companion for the operational notion of IB-causality, namely IB-constructiveness
(IBC), is identified and a soundness result is presented. The relationship between
the various notions of constructiveness is also discussed.
The class of strongly Berry-constructive programs corresponds to the notion of
constructiveness in Esterel, yet is able to manage explicit initialisations. This, as
expected, can deal with a variable being reset to 0 and then either remaining 0 (signal
absence) or being set to 1 (signal presence). Besides, it verifies proper initialisations
as part of the constructiveness analysis. It holds the programmer responsible for
proper initialisation, not the compiler or the run-time system. Thus, it is important
to distinguish whether a variable retains its original value ⊥ from the initial memory
or not.
Definition 7 (Strong Berry-Constructiveness [4] SBC). An fprog P is strongly Berry-constructive, or SBC, iff for all variables x ∈ V we have (μC.⟨⟨P⟩⟩^⊥_C)(x) ∈ {⊥,0,1}.
It is worth observing that in a SBC program the status ⊥ for a variable corresponds to a witness for checking initialisations. It indicates that the variable is neither set nor reset by the program. If such a variable is read and thus used in a branching decision the program would be rejected, except for trivial cases. In other words, the resulting status ⊥ from the fixed point indicates that the variable is indeed never accessed (set, reset or read) by the program.
Example 22. The fprog P := x ? ε : !y is not SBC since variable x (with status ⊥) is not properly initialised in the code and thus it cannot be decided whether variable y is set or not. The fixed point satisfies (μC.⟨⟨P⟩⟩^⊥_C)(y) = [⊥,1]:1. In contrast, for the properly initialised fprog !x ; P the fixed point gives us μC.⟨⟨!x ; P⟩⟩^⊥_C = {⟨x^1, y^⊥⟩}, which is SBC.
On the other hand, the actual Esterel semantics resets all signals to 0 by default at the beginning of every instant. Thus, in this case, we need to look at ternary behaviours, i.e., those which remain inside environments with E(x) ∈ {0, 1, [0,1]} for all x ∈ V. In order to keep the status of variables in the ternary domain, we could initialise with the reset construct and avoid sequentially forced resets from happening after sets. However, in the semantics ⟨⟨ ⟩⟩^S one can emulate initialisation directly by running the fixed point in the sequential environment S = 0 instead of S = ⊥. This gives us the class of Berry-constructive programs:
Definition 8 (Berry-Constructiveness [4] BC). An fprog P is Berry-constructive, or BC, iff for all variables x ∈ V we have (μC.⟨⟨P⟩⟩^0_C)(x) ∈ {0,1}.
Example 23. The fprog P from Ex. 22 is BC because now μC.⟨⟨P⟩⟩^0_C = {⟨x^0, y^1⟩}. In Esterel's hardware translation [12], the corresponding Boolean equations are x = 0 and y = x̄ + 0, which stabilise to x = 0 and y = 1. This depends on the initialisation of x to 0, however. On the other hand, Q := x ? ε : !x, which emits signal x if x is absent and does not emit it if x is present, is not BC: (μC.⟨⟨Q⟩⟩^0_C)(x) = [0,1]:1. Its hardware translation would be an inverter loop, or combinational equation x := x̄ + 0, which may exhibit oscillations. Q is not SBC either, since (μC.⟨⟨Q⟩⟩^⊥_C)(x) = [⊥,1]:1.
Examples 22 and 23 show that SBC is properly more restrictive than BC. The difference between the two forms of Berry-constructiveness is whether we run the simulation with the sequential stimulus ⊥ or 0, respectively.
The above are not sufficient for capturing SC-read-determinacy as given in
Def. 6 which induces an open-world version of constructiveness that takes into
consideration external inputs to the program. SC-read-determinacy is constructed
from any arbitrary initial memory state that is not controlled by the code such as
registered variables. The conditions imposed by this notion can, therefore, be read
as follows. For all external inputs, there is always a schedule that does not lead to >
(reset safe) and for all read variables and all such schedules either: the final memory
value for the variable (temporary variable) is controlled by the program and always
the same (0 or 1) or by the environment (registered variable) in which case it is not
changed at all during the computation (read safe). In short, this specifies that every
variable used for branching of control is either causally justified or never modified in
the code, independently of the initial external input. This leads us to the following
definition:
Definition 9 (IB-Constructiveness IBC). An fprog P is Input Berry-constructive (IB-constructive or IBC), iff its fixed point C* = μC.⟨⟨P⟩⟩^⊥_C is safe for P, that is:
• reset-safe: ∀x ∈ V. C*(x) ≤ 1:1, and
• read-safe: ∀x ∈ rd(P). C*(x) ∈ {⊥,0,1}.
One can show that the class of IBC programs lies between the SBC and the BC
programs and that these inclusions are proper.
Example 24. The BC fprog x ? ε : !y from Ex. 22, which is not SBC, is also IBC. The fixed point result is μC.⟨⟨x ? ε : !y⟩⟩^⊥_C = {⟨x^⊥, y^[⊥,1]:1⟩}. Since x is not properly initialised the status of y cannot be decided. This does not matter for IBC as y is not a read variable. Now take the program Q := x ? (y ? ε : !y) : ε. If we initialise with 0, we get μC.⟨⟨Q⟩⟩^0_C = {⟨x^0, y^0⟩}, so Q is BC. Yet, it is not IBC because (μC.⟨⟨Q⟩⟩^⊥_C)(y) = [⊥,1]:1 and y ∈ rd(Q) is a read variable. The problem is that not every initial memory for Q admits an IB-causal micro-step execution. Specifically, if ρ0(x) = 1, then the sub-program y ? ε : !y is scheduled, which creates a read-write hazard: it reads the initial (environment-controlled) value of y and then, sequentially afterwards, may change it itself.
The result in [4] establishes that for every fprog P , if P is SBC then P is SC-
reactive and SC-determinate. Here, we show the following stronger result:
Theorem 1. For every fprog P , if P is IBC then it is B-reactive and SC-read-
determinate.
Thm. 1 gives a stronger soundness result for the application of the theory compared
to Thm. 1 of [4] because it permits us to prove strictly stronger forms of reactiveness
and determinacy for a strictly wider class of programs, considering that there are
more IBC programs than SBC programs.
D. Soundness of the Denotational Fixed Point Semantics
In this section we prove our main theorem (Thm. 1) stating that every IB-
constructive fprog is B-reactive and SC-read-determinate, and a fortiori also sequen-
tially constructive as introduced in [84], [85], [86].
The key element in the soundness proof is to relate the abstract values in D and P used in the fixed point analysis with the operational behaviour of process executions. These status values are interpreted as abstractions of the write accesses in a finite sequence of micro steps, generating what we call the sequential yield of each thread. More precisely, a sequential yield is a function μ which assigns to each possible thread identifier ι ∈ TI a sequential environment μ(ι) : V → D×P, subject to the condition that ι ≼ ι′ implies μ(ι′) ≤ μ(ι). The idea is that μ(ι) codes the local view of a thread instance ι about the sequential status of the variable values. So, if ι ≺ ι′ then ι′ is a (sequential) descendant of thread ι all of whose memory write accesses are visible to the waiting ancestor thread ι. The fact that the view of the ancestor ι is wider, also encompassing other threads (e.g., siblings of ι′ and their descendants) running concurrently with ι′, is captured by the constraint μ(ι′) ≤ μ(ι). The descendant ι′ is behind the parent since the parent ι sees all variable accesses of all its active children while ι′ only knows about its own.
With the following definition of the sequential yield we interpret the actions of a micro-sequence as an incremental update of a sequential state. The pairs in D×P are treated naturally as elements of I(D,P), viz. (a,r) ∈ D×P is the same as [a,a]:r ∈ I(D,P) and therefore written a:r. In this way, all operations on environments over I(D,P) can be used for the sequential environments, too.
Definition 10 (Sequential Yield). Let R be a finite sequence of micro-steps R : (Σ0,ρ0) →* (Σn,ρn) and C an environment. We define the sequential yield |R|_C : TI → V → D×P of R by iteration through R, as follows: If R = ε, then |R|_C(ι)(x) := ⊥ = ⊥:0 for all ι ∈ TI and x ∈ V. Otherwise, suppose R = R′,Tn consists of a sequence R′ : (Σ0,ρ0) →* (Σn−1,ρn−1) followed by a final action Tn : (Σn−1,ρn−1) → (Σn,ρn). Then, |R|_C is computed from |R′|_C by case analysis on the action Tn.
Generally, the yield does not change for all threads concurrent to Tn.id, i.e., for all κ ∈ TI such that κ ⋠ Tn.id and Tn.id ⋠ κ we have |R|_C(κ) := |R′|_C(κ). Also, if the next control is a non-empty list Tn.next = Q::Ks′ and the program Tn.prog ∈ {ε, !s, ¡s} instantaneously terminates, then the execution of Tn installs the process ⟨inc(ι), Q, Ks′⟩. This incremented thread inherits the sequential state from ι. In this case we put |R|_C(inc(ι)) := |R|_C(ι). Otherwise, if Tn.prog ∈ {ε, !s, ¡s} and Ks = [] is empty, then |R|_C(inc(ι)) := |R′|_C(ι).
In all other cases, for ancestor and descendant threads κ, the new yield |R|_C(κ) is determined according to the following clauses:
1) Executing a sequential composition or the empty statement does not change the yield. Formally, if Tn.prog ∈ {P;Q, ε}, then |R|_C(κ) := |R′|_C(κ);
2) Executing a conditional test which is undecided in environment C raises the init status of the thread and its ancestors to 1; otherwise, if the test is decided in C, the yield is preserved. Formally, if Tn = ⟨ι, s ? P : Q, Ks⟩ and for all b ∈ {⊥,0,1}, b:1 ⋢ C(s), then we put |R|_C(κ) := |R′|_C(κ) ∨ ⊥:1 for all κ ≼ inc(ι); otherwise, for κ ⋠ inc(ι) or if b:1 ⊑ C(s) for some b ∈ {⊥,0,1}, we define |R|_C(κ) := |R′|_C(κ);
3)  Upon forking a parallel process we copy the sequential status of the parent thread to its two children. Formally, if Tn = ⟨ι, P‖Q, Ks⟩, then |R|_C(ι.l.0) = |R|_C(ι.r.0) := |R′|_C(ι), and for all κ ≠ ι.r.0 and κ ≠ ι.l.0 we have |R|_C(κ) := |R′|_C(κ);
4) A set !s increases the sequential yield of s in the executing thread and its ancestors, and also the speculation status (for all variables) if the set is blocked by C due to a potentially pending reset. Formally, suppose Tn = ⟨ι, !s, Ks⟩. Then, for all inc(ι) ≺ κ, |R|_C(κ) := |R′|_C(κ), and for all κ ≼ ι,
• if [⊥,⊤]:1 ⊑ C(s) then |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ 1 and |R|_C(κ)(x) := |R′|_C(κ)(x) for all variables x ≠ s. More compactly, |R|_C(κ) := |R′|_C(κ) ∨ {⟨s^1⟩};
• if [⊥,⊤]:1 ⋢ C(s) then |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ 1:1 and |R|_C(κ)(x) := |R′|_C(κ)(x) ∨ ⊥:1 for x ≠ s. More compactly, |R|_C(κ) := |R′|_C(κ) ∨ {⟨s^1⟩} ∨ ⊥:1.
5) A reset ¡s increases the sequential yield for s to 0 if the status is still smaller than 0, or to ⊤ if the status of s in the thread is already at or above 1. At the same time, if the thread has entered the speculative mode, then the reset ¡s raises the speculation status to 2. Formally, if Tn = ⟨ι, ¡s, Ks⟩, then |R|_C(κ)(x) := |R′|_C(κ)(x) for all inc(ι) ≺ κ or x ≠ s; otherwise, for all κ ≼ ι we put
• |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ ⊤ if 1 ≤ |R′|_C(ι)(s) ≤ ⊤;
• |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ ⊤:2 if 1:1 ≤ |R′|_C(ι)(s);
• |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ 0 if |R′|_C(ι)(s) ≤ 0;
• |R|_C(κ)(s) := |R′|_C(κ)(s) ∨ 0:2 if ⊥:1 ≤ |R′|_C(ι)(s) ≤ 0:2.
Observe that a sequential yield μ assigns a status μ(ι)(x) = a:r ∈ D×P ⊂ I(D,P) to every thread identifier ι ∈ TI and variable x ∈ V. A special case is the totally pristine sequential yield μ_⊥ with μ_⊥(ι) = ⊥ for all ι ∈ TI. This is the yield |ε|_C of the empty micro sequence. Also, if a thread identifier ι does not occur in (any action of) a micro-sequence R, then |R|_C(ι) = ⊥. Moreover, the yield operation is monotonic, i.e., if R is a prefix of R′ then |R|_C(ι) ≤ |R′|_C(ι).
Observe further that if R does not have any write accesses to a variable x then the value status of x in the sequential yield remains ⊥; the init status may rise to 1 but not to 2, i.e., |R|_C(ι)(x) ≤ ⊥:1.
Lemma 4. Let R : (Σ0,ρ0) →* (Σn,ρn) be an SC-admissible micro-step sequence and C an environment. Then, |R|_C is consistent for the final memory ρn in the following sense:
(i) If |R|_C(Root.id)(x) ≤ ⊥:2 then ρ0(x) = ρn(x);
(ii) If |R|_C(Root.id)(x) = b:r with b ∈ {0,1} ⊂ D then ρn(x) = b;
(iii) If |R|_C(Root.id)(x) ≥ 1 then there exists a micro step 1 ≤ i ≤ n such that Ti.prog = !x and for all T ∈ Σn with Ti.id ≼ T.id we have 1 ≤ |R|_C(T.id)(x);
(iv) Whenever in R a thread ι reads a variable x, the value status of x in any other concurrent thread remains constant from this point onwards. In other words, no thread changes the value status of x after it has been read by another thread concurrent to it. Formally, suppose R(i) = ⟨ι, x ? P : Q, Ks⟩ and for some i ≤ j ≤ n and ι′ ∈ TI we have |R@i|_C(ι′)(x) ∧ ⊤ ≠ |R@j|_C(ι′)(x) ∧ ⊤. Then, ι′ ≼ ι or ι ≼ ι′.
Proof: Statement (iv) follows directly from the “no concurrent write after read”
constraint of SC-admissibility. Note that the value status of a variable can only
change, i.e., strictly increase, for a thread ι′ between |R@i|C(ι′)(x) and |R@j|C(ι′)(x)
if ι′ performs a write access !x or ¡x at some intermediate point k with i≤ k ≤ j.
But then ι′ cannot be concurrent to the read R(i), which otherwise would violate
the iur protocol of SC-admissibility. Thus, ι′  ι or ι ι′.
For R= ε the claim (i) is trivial and also (ii) and (iii) by the choice of µ0 = |ε|C =⊥
and Def. 10(1). For the induction step we assume (i)–(iii) for the yield µn = |R|C of
sequence R : (Σ0,ρ0) (Σn,ρn) and consider one additional action Tn+1 : (Σn,ρn)→
(Σn+1,ρn+1) extending R. We show that the yield µn+1 = |R,Tn+1|C also satisfies
(i)–(iii). Now, µn+1 is updated from µn = |R|C according to the rules of Def. 10 by
action Tn+1.
For case (i) we exploit the fact that if µn+1(Root.id)(x)⊥:2 then µn(Root.id)(x)
⊥:2 and ρn+1(x) = ρn(x). The former follows from the inflationary nature of form-
ing the yield. The latter holds because the only way in which we could have
ρn+1(x) 6= ρn(x) is when Tn+1 is a set or a reset access on x which necessarily implies
µn+1(Root.id)(x) 0 in contradiction to the assumption. Hence, µn(Root.id)(x)
⊥:2, so that in combination with the induction hypothesis ρ0(x) = ρn(x), the claim
(i) follows.
Condition (ii) of the Lemma needs more thought and a case analysis. By way
of contradiction suppose that µn+1(Root.id)(x) = 0:r and ρn+1(x) = 1. We can
exclude the case that Tn+1.prog is a reset ¡x, because this cannot result in the
memory value ρn+1(x) = 1. If Tn+1.prog is not a write access (set or reset), then
by Def. 10, µn+1(Root.id)(x) = 0:r implies that also µn(Root.id)(x) = 0:r′ as well
as ρn(x) = ρn+1(x) = 1. However, this contradicts the induction hypothesis which
would enforce ρn(x) = 0. This means that Tn+1.prog must be a write access !x. But
if Tn+1.prog = !x then µn+1(Root.id)(x) = µn(Root.id)(x)∨1 or µn+1(Root.id)(x) =
µn(Root.id)(x)∨1:1, contradicting the assumption, where we observe that Root
Tn+1.id.
Now, suppose µn+1(Root.id)(x) = 1:r and ρn+1(x) = 0. Then, Tn+1.prog must be
a reset ¡x. It has to be a write access for otherwise we would get a contradiction to
the induction hypothesis as above, yet it cannot be a !x because of the final memory
value ρn+1(x) = 0. By definition of µn+1 this means the reset action is executed either
with µn(Tn+1.id)(x)  0 and 1:r = µn+1(Root.id)(x) = µn(Root.id)(x)∨ 0 or with
⊥:1 µn(Tn+1.id)(x) 0:2 and then 1:r = µn+1(Root.id)(x) = µn(Root.id)(x)∨0:2.
Either case can only be true if µn(Root.id)(x) 1. The other situations for executing
a reset on x, viz. 1  µn(Tn+1.id)(x)  > or 1:1  µn(Tn+1.id)(x) would result in
µn+1(Root.id)(x)>.
Now we can use the induction hypothesis (iii) on µn, i.e., conclude that there
exists a micro step 1≤ i≤ n with Ti.prog = !x and Ti.id 6 Tn+1.id (consider that
µn(Tn+1.id)(x)  0:2). The former implies that µi(Ti.id)(x)  1 by Def. 10. But
then, Tn+1.id 6 Ti.id, because otherwise if Tn+1.id  Ti.id, by the monotonicity
of sequential states and the yield function, it would have to be the case that
µi(Ti.id)  µi(Tn+1.id)  µn+1(Tn+1.id)  0:2, contradicting µi(Ti.id)  1. Thus,
both Ti.id 6 Tn+1.id and Tn+1.id 6 Ti.id, i.e., the reset action ¡x with identifier
Tn+1.id and the set !x with identifier Ti.id are concurrent. One can show that by
admissibility all reads between i and n+ 1 must be confluent with the reset Tn+1.
Therefore, there is a configuration reachable from (Σi,ρi) in which Ti and Tn+1
conflict. But then the micro sequence R,Tn+1 would not be ∆∗-admissible, containing
a concurrent reset after a set.
This completes the proof of case (ii) of the Lemma. It remains to argue for (iii).
But this is simple, without explicit induction: The only way in which the initial
state µ0(Root.id) =⊥ can change to µn(Root.id)(x) 1, by construction Def. 10, is
if some action of R is a set !x. But if this set access is executed in a thread identifier
Ti.id, so that µi(Ti.id)(x)  1, then all its descendants Ti.id  ι becoming active
afterwards, at steps j > i, inherit this value and thus satisfy µj(ι)(x) 1.
The strategy for proving Thm. 1, stating that every IB-constructive program is
B-reactive and SC-determinate, is to show that the fixed point µC.〈〈P 〉〉⊥C ∈ I(D,P)
computes sound information about the sequential yield of every SC-admissible micro-
step sequence R of P . More specifically, we show that µC.〈〈P 〉〉⊥C is an abstract
predictor for the SC-admissible behavior of P in the sense that (i) the yield of every
SC-admissible micro-sequence lies within the window specified by µC.〈〈P 〉〉⊥C and
(ii) there exists a B-admissible instant. This is done by induction on the structure
of P . However, since the fixed point of a composite expression cannot be obtained
from the fixed points of its sub-expressions, induction on P for the full fixed point
µC.〈〈P 〉〉⊥C does not work. Instead, we need to break up the fixed point and do an
outer induction along the iteration that obtains the fixed point in the limit. The
idea is to extract the logical meaning of a single iteration step Ci+1 = 〈〈P 〉〉SCi as a
conditional specification of the SC-admissible behavior of P assuming a sequential
environment S and concurrent environment Ci. This can then be proven by induction
on P .
The main observation is that a single application of the response functional 〈〈P 〉〉SCi
covers the behavior of an initial slice of any micro-sequence R generated from P ,
consisting of an atomic “read;update” burst of P . This burst consists of all those
statements of R that can be executed solely based on the concurrent environment
Ci to decide which branch to take in a conditional and whether a set can go ahead
or is blocked because of a pending reset. At such a point, or if a conditional is
undecided, the slice stops. We have reached the stopping index of the slice in R. In
the slice, control branching is decided entirely in terms of the variables whose values
are decided in Ci and not on variables whose value may be changing as a result of
executing P . In particular, the execution in R covered by a slice decided from Ci
does not involve any communication between concurrent processes inside P . Since the
effect of executing the slice is described by the response environment Ci+1 = 〈〈P 〉〉SCi ,
the communication between threads is then handled by feeding back the result Ci+1
as the new concurrent environment in the next iteration Ci+2 = 〈〈P 〉〉SCi+1 of the
response functional.
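The iteration scheme just described, in which each application of the response functional decides branches and set accesses only from statuses already fixed in the previous concurrent environment Ci and then feeds its result back as Ci+1, can be illustrated on a deliberately simplified must/cannot analysis in the style of Berry. The following Python is an added example; it is not the paper's code and does not implement the I(D,P) domain. It uses a three-valued status per variable (None for ⊥/undecided, True for 1, False for 0), treats !x as the only write access (resets, initialisation phases and the interval and step annotations of I(D,P) are left out), and handles a speculative branching conservatively: nothing is forced and either branch may still happen, which plays the role of ⊥ ∈ cmpl for an undecided conditional. The tuple syntax for programs, the sample programs and the helper names analyze, fixpoint, is_constructive and decision_rounds are all constructed for this example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Program syntax (constructed for this example, not the paper's notation):
#   ('nop',)          terminate instantaneously      ('pause',)      pause
#   ('set', x)        the write access !x            ('if', x, P, Q) x ? P : Q
#   ('par', P, Q)     P || Q                         ('seq', P, Q)   P ; Q
Prog = tuple
# Status of a variable in the concurrent environment C_i:
#   None = undecided (bottom), True = 1, False = 0
Env = Dict[str, Optional[bool]]


def variables(p: Prog) -> Set[str]:
    """All variables read or written anywhere in p."""
    tag = p[0]
    if tag in ("nop", "pause"):
        return set()
    if tag == "set":
        return {p[1]}
    if tag == "if":
        return {p[1]} | variables(p[2]) | variables(p[3])
    return variables(p[1]) | variables(p[2])  # par, seq


def analyze(p: Prog, env: Env) -> tuple:
    """One application of the response functional: returns
    (must-set, can-set, must-completion, can-completion), where completion
    code 0 = terminates instantaneously and 1 = pauses. Branches are decided
    only from statuses already fixed in env, never from this round's result."""
    tag = p[0]
    if tag == "nop":
        return frozenset(), frozenset(), {0}, {0}
    if tag == "pause":
        return frozenset(), frozenset(), {1}, {1}
    if tag == "set":
        return frozenset([p[1]]), frozenset([p[1]]), {0}, {0}
    if tag == "if":
        x, then_p, else_p = p[1], p[2], p[3]
        if env.get(x) is True:
            return analyze(then_p, env)
        if env.get(x) is False:
            return analyze(else_p, env)
        # Speculative branching: nothing is forced, but either branch may happen.
        _, can_t, _, kc_t = analyze(then_p, env)
        _, can_e, _, kc_e = analyze(else_p, env)
        return frozenset(), can_t | can_e, set(), kc_t | kc_e
    if tag == "par":
        m1, c1, km1, kc1 = analyze(p[1], env)
        m2, c2, km2, kc2 = analyze(p[2], env)
        # A parallel pauses if any child pauses: max of the completion codes.
        return (m1 | m2, c1 | c2,
                {max(a, b) for a in km1 for b in km2},
                {max(a, b) for a in kc1 for b in kc2})
    if tag == "seq":
        m1, c1, km1, kc1 = analyze(p[1], env)
        must, can = set(m1), set(c1)
        must_k = {k for k in km1 if k != 0}
        can_k = {k for k in kc1 if k != 0}
        # Q contributes only along paths on which P terminates instantaneously.
        if 0 in km1:
            m2, _, km2, _ = analyze(p[2], env)
            must |= m2
            must_k |= km2
        if 0 in kc1:
            _, c2, _, kc2 = analyze(p[2], env)
            can |= c2
            can_k |= kc2
        return frozenset(must), frozenset(can), must_k, can_k
    raise ValueError(f"unknown statement {tag!r}")


def fixpoint(p: Prog, max_rounds: int = 100) -> Tuple[Env, List[Env]]:
    """Iterate C_{i+1} = analyze(p, C_i) from the all-undecided environment.
    Returns the fixed point and the sequence of environments C_1, C_2, ..."""
    env: Env = {x: None for x in variables(p)}
    rounds: List[Env] = []
    for _ in range(max_rounds):
        must, can, _, _ = analyze(p, env)
        new_env: Env = {x: (True if x in must else (False if x not in can else None))
                        for x in env}
        rounds.append(new_env)
        if new_env == env:
            break
        env = new_env
    return env, rounds


def is_constructive(p: Prog) -> bool:
    """Here: every variable has a decided status at the fixed point."""
    return all(v is not None for v in fixpoint(p)[0].values())


def decision_rounds(p: Prog) -> Dict[str, int]:
    """Earliest round (0-based) in which each variable's status became fixed."""
    decided: Dict[str, int] = {}
    for i, env in enumerate(fixpoint(p)[1]):
        for x, v in env.items():
            if v is not None and x not in decided:
                decided[x] = i
    return decided


# Constructed sample programs.
CYCLIC = ("par", ("if", "x", ("set", "y"), ("nop",)),
                 ("if", "y", ("nop",), ("set", "x")))     # x and y depend on each other
CHAIN = ("par", ("set", "x"), ("if", "x", ("set", "y"), ("nop",)))  # y one round after x
DELAYED = ("seq", ("pause",), ("set", "x"))               # !x is not reached this instant

if __name__ == "__main__":
    for name, prog in [("CYCLIC", CYCLIC), ("CHAIN", CHAIN), ("DELAYED", DELAYED)]:
        print(name, fixpoint(prog)[0], "constructive:", is_constructive(prog))
```

Each entry of the returned round list is one environment Ci. In CHAIN the status of x is fixed in the first round and y only in the second, after x has been fed back: the round in which a variable is decided is the point at which a scheduler driven by the iteration can release the corresponding set access, which is the reading of the fixed point as a predictive scheduler used later for Thm. 1. CYCLIC reaches its fixed point after one round with both variables still undecided, the three-valued analogue of a fixed point that is not safe, while DELAYED shows a set that is never reached in the current instant being decided to 0 rather than left open.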
Definition 11 (C-Stopping Index). Let R : (Σ0,ρ0) (Σn,ρn) be a finite micro-
sequence and C an environment. A process Ti ∈ Σi for 0≤ i < n is called C-blocked
if Ti is active in Σi and either
• Ti.prog is a branching x ? Q : R and the status of x is undecided in C, i.e.,
⊥:1 ⋢ C(x), 0:1 ⋢ C(x) and 1:1 ⋢ C(x), or
• Ti.prog is a set !x and the concurrent environment indicates an incomplete
initialization phase, i.e., [⊥,⊤]:1 ⋢ C(x).
In all other cases, the process Ti is called C-enabled. Let 〈ιP ,P,Ks〉 ∈ Σi be active
in Σi. The C-stopping index of program P in R is the earliest step index i≤ t≤ n
such that one of the following holds:
• P pauses
• P has terminated instantaneously and handed over to the first program Q in the
next control Ks =Q :: Ks′
• all remaining active descendants 〈ι′,P ′,Ks〉 ∈ Σt with ι ι′ are C-blocked.
Note that the C-stopping index of a program in a micro-sequence R may not
exist if R is not long enough so that R still has an active process from P in its last
configuration and this process is not C-blocked. Also, if C is safe, i.e., reset-safe
and read-safe then at its C-stop in R the program P must either pause or terminate
instantaneously.
Definition 12 (C-Consistency). Let R : (Σ0,ρ0) (Σn,ρn) be a micro sequence and
C an environment. For any 0 ≤ i < n, abbreviate by ρi(x) ≐ b the condition that
ρi(x) = b if b ∈ {0,1} and ρi(x) = ρ0(x) if b = ⊥. We say a read action R(i).prog =
x ? P :Q with 0 < i ≤ n is C-consistent in R if b:1 ⊑ C(x) for b ∈ {⊥,0,1} implies
ρi−1(x) ≐ b. R is called C-consistent for a thread ι if all read actions performed by
all descendants of ι in R are C-consistent.
Note that if a read action is C′-consistent and C ⊑ C′ then the read is also
C-consistent.
Proposition 11 (Soundness of the Lower/Must Prediction).
Let R : (Σ0,ρ0) (Σn,ρn) be a micro sequence with an active process 〈ιP ,P,Ks〉 in
Σs, 0< s≤ n, and C an environment such that R is C-consistent for ιP and n the
C-stopping index of P in R.
(i) If cmpl 〈P,C〉 = {0} then P instantaneously terminates at step n by executing an
action of the form , ¡s, !s; if cmpl 〈P,C〉 = {1} then P pauses at step n where
the last of its descendants has reached the action π.
(ii) Suppose S  |R@s|C(ιP )  ⊤ for some sequential environment S. Then, for each
variable x ∈ V there exists an index s ≤ i ≤ n and a descendant thread ι  ιP such
that 〈〈P 〉〉SC(x)∧⊤  |R@i|C(ι)(x)∨ [⊥,⊤]  ⊤. Moreover, if ⊥ ∉ cmpl 〈P,C〉 then
i = n and ι = ιP .
(iii) If S  low |R@s|C(ιP ) then 〈〈P 〉〉SC  low |R@n|C(ιP ).
Proof: Both parts (i) and (ii) of the proposition are shown by induction on P .
Regarding part (iii) we observe that under the assumptions of (ii) it follows that
low(〈〈P 〉〉SC(x)∧⊤)  low(|R@i|C(ι)(x)∨ [⊥,⊤]) = low |R@i|C(ι)(x)  low |R@n|C(ιP )(x)
and therefore
〈〈P 〉〉SC  (low 〈〈P 〉〉SC)∧⊤:2 = low 〈〈P 〉〉SC ∧ low(⊤) = low (〈〈P 〉〉SC ∧⊤)  low |R@n|C(ιP ).
One can show that this in-equation for the lower bound does not depend on
the assumption |R@s|C(ιP )  ⊤. We omit the proof. It is the upper bound constraint
upp |R@i|C(ι)(x)  ⊤ implied by Prop. 11(ii) which needs the precondition
|R@s|C(ιP )  ⊤.
For the following note that the assumptions S  ⊤ and |R@s|C(ιP )  ⊤ are
equivalent to S = S∧⊤ and |R@s|C(ιP ) = |R@s|C(ιP )∧⊤, respectively.
• Regarding statement (i) for P =  or P = π note that cmpl 〈,C〉 = {0} and at
the C-stopping index n the program P =  terminates instantaneously, while
cmpl 〈π,C〉 = {1} and at the C-stop, n = s, the program P pauses.
Further, if P =  or P = π then 〈〈P 〉〉SC = S. The micro sequence R contains no
write access or conditional test at all by a descendant of P between s and n.
Therefore, |R@s|C(ιP ) = |R@n|C(ιP ) and thus ⊤ = ⊤∨ [⊥,⊤]  |R@n|C(ιP )∨
[⊥,⊤] = |R@n|C(ιP )∨ [⊥,⊤]  S = 〈〈P 〉〉SC  〈〈P 〉〉SC ∧⊤, by assumption. This
proves (ii) for all variables x with i = n and ι = ιP .
• For P = !x observe that cmpl 〈P,C〉 = {0} implies [⊥,⊤]:1 ⊑ C(x) in which case
P is C-enabled and executed at the C-stopping index n, where P terminates
instantaneously. Since cmpl 〈P,C〉 ≠ {1} statement (i) of the proposition is
proven.
Here the prediction is 〈〈P 〉〉SC = S ∨{〈x1〉} if [⊥,⊤]:1 ⊑ C(x) and 〈〈P 〉〉SC = S ∨
{〈x[⊥,1]〉}∨⊥:1, if [⊥,⊤]:1 ⋢ C(x). The assumption is S  |R@s|C(ιP )  ⊤. If
[⊥,⊤]:1 ⋢ C(x), and thus ⊥ ∈ cmpl 〈P,C〉, then we find
〈〈P 〉〉SC ∧⊤ = (S∨{〈x[⊥,1]〉}∨⊥:1)∧⊤
= (S∧⊤)∨ ({〈x[⊥,1]〉}∧⊤)∨ (⊥:1∧⊤)
= S∨{〈x[⊥,1]〉}∨⊥
 S∨ [⊥,⊤]
 |R@s|C(ιP )∨ [⊥,⊤]
 ⊤∨⊤ = ⊤.
This proves the statement (ii) for i = s and ι = ιP . Hence, it remains to consider
the case that [⊥,⊤]:1 ⊑ C(x) for statement (ii). Then, the set action !x of P is
C-enabled and ⊥ ∉ cmpl 〈P,C〉. So, the C-stop at n occurs because ιP is finally
selected and executed, at which moment P also terminates. By Def. 10(4),
|R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x1〉} = |R@s|C(ιP )∨{〈x1〉} and therefore
〈〈P 〉〉SC ∧⊤ = (S∨{〈x1〉})∧⊤
= (S∧⊤)∨ ({〈x1〉}∧⊤)
= S∨{〈x1〉}
 |R@s|C(ιP )∨{〈x1〉}
= |R@n|C(ιP )
 |R@n|C(ιP )∨ [⊥,⊤]
= |R@s|C(ιP )∨{〈x1〉}∨ [⊥,⊤]
 ⊤∨{〈x1〉}∨ [⊥,⊤]  ⊤,
as desired, taking i = n and ι = ιP .
• Suppose P = ¡x and S  |R@s|C(ιP )  ⊤. This write action is the first and
only one of process P in R. Since a reset is never blocked, by assumption, the
C-stop occurs at the very step n in R when the reset action is executed. At
this point P terminates instantaneously which validates statement (i) in view
of the fact that cmpl 〈P,C〉 = {0}. Moreover, by Def. 10(5),
|R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x⊤〉} if 1  |R@n−1|C(ιP )(x)  ⊤ (19)
|R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x⊤:2〉} if 1:1  |R@n−1|C(ιP )(x) (20)
|R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x0〉} if |R@n−1|C(ιP )(x)  0 (21)
|R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x0:2〉} if ⊥:1  |R@n−1|C(ιP )(x)  0:2. (22)
Since |R@n−1|C(ιP ) = |R@s|C(ιP )  ⊤ this eliminates the cases (20) and (22)
right away. Thus, |R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈xδ〉} = |R@s|C(ιP )∨{〈xδ〉}
for δ ∈ {0,⊤}. We treat both cases separately:
– In the first case (19) 1  |R@n−1|C(ιP )(x)  ⊤ we have |R@n|C(ιP ) =
|R@s|C(ιP )∨{〈x⊤〉}, and thus
〈〈P 〉〉SC ∧⊤  (S∨{〈x⊤:2〉})∧⊤
= (S∧⊤)∨ ({〈x⊤:2〉}∧⊤)
= S∨{〈x⊤〉}
 |R@s|C(ιP )∨{〈x⊤〉}
= |R@n|C(ιP )
 |R@n|C(ιP )∨ [⊥,⊤]
= |R@s|C(ιP )∨{〈x⊤〉}∨ [⊥,⊤]
 ⊤∨{〈x⊤〉}∨ [⊥,⊤]  ⊤.
The first of the above in-equations holds, because ∧ is -monotonic and ⊤:2
is maximal under  and thus γ  ⊤:2 for all γ ∈ {⊤,0,0:2, [0,⊤]:2,⊤:2}.
– Secondly, consider (21) where S(x)  |R@s|C(ιP )(x) = |R@n−1|C(ιP )(x)
 0. This implies S(x) = [l,u]:r with l  0. Hence, 〈〈P 〉〉SC = S∨{〈xγ〉} where
γ ∈ {0,0:2, [0,⊤]:2}. Now we find |R@n|C(ιP ) = |R@n−1|C(ιP )∨{〈x0〉} =
|R@s|C(ιP )∨{〈x0〉}, which goes down a similar route as above:
〈〈P 〉〉SC ∧⊤ = (S∨{〈xγ〉})∧⊤
 S∨{〈x[0,⊤]〉}
 S∨{〈x0〉}∨ [⊥,⊤]
 |R@s|C(ιP )∨{〈x0〉}∨ [⊥,⊤]
= |R@n|C(ιP )∨ [⊥,⊤]
= |R@s|C(ιP )∨{〈x0〉}∨ [⊥,⊤]
 ⊤∨{〈x0〉}∨ [⊥,⊤]  ⊤.
Thus in all cases we proved statement (ii) of the Proposition with i = n and
ι = ιP .
• Let us look at parallel composition P ||Q. For (i) suppose {c} = cmpl 〈P ||
Q,C〉= cmpl 〈P,C〉⊕ cmpl 〈Q,C〉 where c ∈ {0,1}. The definition of ⊕ implies
that cmpl 〈P,C〉 = {cP} and cmpl 〈Q,C〉 = {cQ} with max(cP , cQ) = c. For if
one of these completion sets contains ⊥ then cmpl 〈P ||Q,C〉 would contain ⊥,
too. So, if c= 0 then we must have both cmpl 〈P,C〉= {0} and cmpl 〈Q,C〉=
{0}. By induction hypothesis both P and Q terminate instantaneously at
their C-stop, whence P ||Q terminates at the last of them, i.e., at n. If c= 1
then max(cP , cQ) = 1 and therefore, by induction, both threads P and Q are
terminating instantaneously or pausing at their C-stop, but at least one of them
is pausing. Hence, P ||Q is pausing at the C-stop with index n.
Now assume S  |R@s|C(ιP||Q)  ⊤. As n is the C-stop of ιP||Q there must be
an index s < j ≤ n where the forking of the parallel statement is executed. This
results in a configuration (Σj ,ρj) in which both sub-programs P and Q are
activated as child processes, 〈ιP ,P, [ ]〉 ∈ Σj and 〈ιQ,Q, [ ]〉 ∈ Σj with ιP = ιP||Q.l.0
and ιQ = ιP||Q.r.0. Between steps s and j all actions of R are concurrent to ιP||Q, so
that |R@j|C(ιP||Q) = |R@s|C(ιP||Q). Also, by Def. 10(3) we have |R@j|C(ιP ) =
|R@j|C(ιP||Q) = |R@j|C(ιQ). It follows that both S  |R@j|C(ιP )  ⊤ and
S  |R@j|C(ιQ)  ⊤. Since R is C-consistent for ιP||Q, it is C-consistent for
ιP||Q  ιP and ιP||Q  ιQ, too. We can apply the induction hypothesis on P
and Q from position j in the sequence. To this end let j ≤ tP , tQ ≤ n be the
C-stopping indices for each, which must exist, because otherwise P ||Q would
not have reached its C-stop at n. This implies that for each variable x ∈ V
there exist step indices j ≤ iP ≤ tP and j ≤ iQ ≤ tQ, as well as descendants
ιP  ι′P and ιQ  ι′Q, so that
〈〈P 〉〉SC(x)∧⊤  |R@iP |C(ι′P )(x)∨ [⊥,⊤]  ⊤
〈〈Q〉〉SC(x)∧⊤  |R@iQ|C(ι′Q)(x)∨ [⊥,⊤]  ⊤.
Further, if ⊥ ∉ cmpl 〈P,C〉 then iP = tP and ι′P = ιP , if ⊥ ∉ cmpl 〈Q,C〉 then
iQ = tQ and ι′Q = ιQ. Then, by the properties of ∨, and because of 〈〈P ||Q〉〉SC =
〈〈P 〉〉SC ∨〈〈Q〉〉SC we must have low 〈〈P ||Q〉〉SC(x) = low 〈〈X〉〉SC(x) for X = P or
X = Q. If the former holds, low 〈〈P ||Q〉〉SC(x) = low 〈〈P 〉〉SC(x), we obtain the
following chain
〈〈P ||Q〉〉SC(x)∧⊤  low(〈〈P ||Q〉〉SC)(x)∧⊤
= low 〈〈P 〉〉SC(x)∧⊤
= (〈〈P 〉〉SC(x)∨ [⊥,⊤]:2)∧⊤
= (〈〈P 〉〉SC(x)∧⊤)∨ ([⊥,⊤]:2∧⊤)
= (〈〈P 〉〉SC(x)∧⊤)∨ [⊥,⊤]
 |R@iP |C(ι′P )∨ [⊥,⊤]∨ [⊥,⊤]
= |R@iP |C(ι′P )∨ [⊥,⊤]
 ⊤.
This proves statement (ii) of the Proposition for i = iP and ι = ι′P . The second
case where X = Q and low 〈〈P ||Q〉〉SC(x) = low 〈〈Q〉〉SC(x) is argued analogously,
with i = iQ and ι = ι′Q. Finally, suppose that ⊥ ∉ cmpl 〈P ||Q,C〉, i.e., P ||Q
terminates or pauses. Then both ⊥ ∉ cmpl 〈P,C〉 and ⊥ ∉ cmpl 〈Q,C〉, i.e.,
iP = tP , ι′P = ιP , iQ = tQ and ι′Q = ιQ by the induction hypothesis. The C-
stopping index for ιP||Q is either n = max(tP , tQ) if one of the threads pauses, or,
if both P and Q terminate, the point n ≥ max(tP , tQ) at which the join action
is executed. In the latter case, |R@iX |C(ι′X) = |R@tX |C(ιX) = |R@n|C(ιP||Q)
where X = P or X = Q is the thread which terminates last, i.e., tX = max(tP , tQ).
This implies in all the cases that i = n and ι = ιP||Q.
• Let a conditional test x ? P :Q with identifier ιx?P :Q be active in (Σs,ρs) and
S  |R@s|C(ιx?P :Q)  ⊤. We must show that the prediction 〈〈x ? P :Q〉〉SC(y)∧⊤
for each variable y ∈ V is surpassed by the yield |R@i|C(ι)(y)∨ [⊥,⊤], at some
index s ≤ i ≤ n for some descendant thread ι  ιx?P :Q, where n is the C-
stopping index of program x ? P : Q in R. For this to occur, the branch test
must be executed at some step index j with s < j ≤ i ≤ n. At this point j, the
value of x is determined from the memory ρj−1(x) and control branches into
either P or Q. The successor configuration (Σj ,ρj) contains either 〈ιP ,P,Ks〉
as an active process if ρj−1(x) = 1, or 〈ιQ,Q,Ks〉 if ρj−1(x) = 0. In either case,
ιP = ιQ = inc(ιx?P :Q). If the status of x is boolean decided in C, i.e., if 0:1 ⊑ C(x)
or 1:1 ⊑ C(x), we call the test of x at step j a non-speculative branching,
otherwise a speculative branching step. Since the process 〈ιx?P :Q,x ? P :Q,Ks〉
does not execute any action between s and j, we must have |R@s|C(ιx?P :Q) =
|R@j|C(ιx?P :Q).
The simplest case is the speculative case. From Prop. 6(2) and Lem. 3(1,2),
with S = S∧⊤, we obtain
〈〈x ? P :Q〉〉SC ∧⊤ = (S∨upp 〈〈P 〉〉S∨⊥:1C ∨upp 〈〈Q〉〉S∨⊥:1C )∧⊤
= (S∧⊤)∨ (upp(〈〈P 〉〉S∨⊥:1C ∨〈〈Q〉〉S∨⊥:1C ))∧⊤
= S∨ ((〈〈P 〉〉S∨⊥:1C ∨〈〈Q〉〉S∨⊥:1C )∧ [⊥,⊤]:2∧⊤)
 S∨ [⊥,⊤]
 |R@s|C(ιx?P :Q)∨ [⊥,⊤]
 ⊤∨ [⊥,⊤] = ⊤
which is what we are after for statement (ii) of the proposition taking i = s and
ι = ιx?P :Q.
Regarding the proof of statement (i) consider that cmpl 〈x ? P :Q,C〉 = {c} can
only hold true if 0:1 ⊑ C(x) or 1:1 ⊑ C(x), i.e., if the branching is non-speculative.
Otherwise, cmpl 〈x ? P : Q,C〉 = upp(cmpl 〈P,C〉 ⊓ cmpl 〈Q,C〉) which would
result in ⊥ ∈ cmpl 〈x ? P :Q,C〉.
Now suppose the branching is non-speculative, say 1:1 ⊑ C(x). Then, the fact
that R is C-consistent for ιx?P :Q means that ρj−1(x) = 1 and we know that the
branch P is taken in R. Therefore, the process 〈ιP ,P,Ks〉 is part of the process
pool Σj and |R@j|C(ιP ) = |R@j|C(ιx?P :Q) = |R@s|C(ιx?P :Q) by Def. 10(2).
Then the C-stopping index n of x ? P :Q is at the same time the C-stopping
index of P . Since R is C-consistent for ιx?P :Q it follows that it is C-consistent
for ιP . Also, S  |R@s|C(ιx?P :Q) = |R@j|C(ιP )  ⊤. Therefore, the induction
hypothesis can be invoked for any x ∈ V to give an index j ≤ i ≤ n and a
descendant thread ι  ιP such that
〈〈x ? P :Q〉〉SC(x)∧⊤ = 〈〈P 〉〉SC(x)∧⊤  |R@i|C(ι)(x)∨ [⊥,⊤]  ⊤, (23)
as required because s ≤ i ≤ n and ιx?P :Q  ιP  ι. The same reasoning applies
if 0:1 ⊑ C(x), leading to
〈〈x ? P :Q〉〉SC(x)∧⊤ = 〈〈Q〉〉SC(x)∧⊤  |R@i|C(ι)(x)∨ [⊥,⊤]  ⊤ (24)
for s ≤ i ≤ n and ιx?P :Q  ιQ  ι.
Also, note that statement (i) is obtained trivially by induction hypothesis in
case the branching is decided, ⊥ ∉ cmpl 〈x ? P :Q,C〉, since then cmpl 〈x ? P :
Q,C〉 = cmpl 〈P,C〉 or cmpl 〈x ? P :Q,C〉 = cmpl 〈Q,C〉 and at the C-stop n the
conditional program x ? P :Q completes (terminates or pauses) if P completes
or Q completes, respectively. Let X = P or X = Q be the thread which completes
at n. By induction hypothesis, we know that then i = n and ι = ιX as well as
|R@i|C(ι)(x) = |R@n|C(ιX)(x) = |R@n|C(ιx?P :Q)(x). This means that in either
case (23) or (24) we get 〈〈x ? P :Q〉〉SC(x)∧⊤  |R@n|C(ιx?P :Q)(x)∨ [⊥,⊤]  ⊤.
• Finally, consider a sequential composition P ; Q active in (Σs,ρs) with id
ιP ;Q and S  |R@s|C(ιP ;Q)  ⊤. Before its C-stop at n the thread ιP ;Q must
perform its first “sequentialization” action, say at micro-step s < j ≤ n. Then,
the statement is broken up so that Σj contains the process 〈ιP ,P,Q::Ks〉 and
ιP ;Q = ιP . Since all actions in R between s and j are taken by threads concurrent
to ιP ;Q, we have
|R@j|C(ιP ) = |R@j−1|C(ιP ;Q) = |R@s|C(ιP ;Q)
by Def. 10(1). By assumption, R is C-consistent for ιP . Let j ≤ k ≤ n be the
C-stopping index of P which must exist because n is the C-stop of P ;Q, so we
must pass through the C-stop of P . The induction hypothesis on P then says
that for every variable x ∈ V there is a step index j ≤ i ≤ k and descendant
ι  ιP such that
〈〈P 〉〉SC(x)∧⊤  |R@i|C(ι)(x)∨ [⊥,⊤]  ⊤. (25)
Further, if ⊥ ∉ cmpl 〈P,C〉 then i = k and ι = ιP . Now, if 0 ∈ cmpl 〈P,C〉 and
cmpl 〈P,C〉 ≠ {0} then ⊥ ∈ cmpl 〈P ; Q,C〉 and our claim for statement (ii)
follows:
〈〈P ;Q〉〉SC(x)∧⊤ = (〈〈P 〉〉SC(x)∨upp 〈〈Q〉〉^{〈〈P 〉〉SC}_C)(x)∧⊤
= (〈〈P 〉〉SC(x)∧⊤)∨ (〈〈Q〉〉^{〈〈P 〉〉SC}_C(x)∧ [⊥,⊤]:2∧⊤)
 (〈〈P 〉〉SC(x)∧⊤)∨ [⊥,⊤]
 |R@i|C(ι)(x)∨ [⊥,⊤]  ⊤.
Statement (i) is trivially satisfied since in this situation cmpl 〈P ;Q,C〉 ≠ {0}
and cmpl 〈P ;Q,C〉 ≠ {1}.
The second case is that cmpl 〈P,C〉 = {0}. Then, cmpl 〈P ; Q,C〉 = {c} for
c ∈ {0,1} implies that cmpl 〈Q,C〉 = {c}. Thus, we can regress to the induction
hypothesis on Q to argue that P ;Q completes at the C-stop n which
coincides with the C-stop of Q. This proves statement (i).
Regarding statement (ii) consider that Prop. 8(2) and the assumption S  ⊤
yields 〈〈P 〉〉SC  ⊤, which in turn permits us to derive
〈〈P 〉〉SC(x)  |R@k|C(ιP )(x)  ⊤
from (25) exploiting that ⊥ ∉ cmpl 〈P,C〉. Then, by Prop. 11(i) the stopping
index k of P is actually the termination point so that 〈ιQ,Q,Ks〉 ∈ Σk. The
stopping index of program P ; Q is then also the stopping index of Q. Since
ιP ;Q = ιP  ιQ and R is C-consistent for ιQ, Def. 10(1) gives |R@k|C(ιP ) =
|R@k|C(ιQ). This means 〈〈P 〉〉SC(x)  |R@k|C(ιQ)(x)  ⊤, whence we can use
the induction hypothesis on Q to obtain an index k ≤ i ≤ n and ι  ιQ  ιP ;Q with
〈〈P ;Q〉〉SC ∧⊤ = 〈〈Q〉〉^{〈〈P 〉〉SC}_C ∧⊤  |R@i|C(ι)∨ [⊥,⊤]  ⊤.
In addition if ⊥ ∉ cmpl 〈P ;Q,C〉 we must have ⊥ ∉ cmpl 〈Q,C〉 so that i = n
and ι = ιQ. This settles statement (ii) since then |R@i|C(ι) = |R@n|C(ιQ) =
|R@n|C(ιP ;Q).
The remaining case is when 0 ∉ cmpl 〈P,C〉. But then by Prop. 12(i) P cannot
terminate instantaneously at its C-stopping index k, and thus it cannot pass on
control to Q at step k. This means we have n = k, i.e., the C-stop of P is already
the C-stop of P ;Q. Then, (25) together with the definition of the fixed point
〈〈P ; Q〉〉SC = 〈〈P 〉〉SC and |R@k|C(ιP ) = |R@k|C(ιP ;Q) = |R@n|C(ιP ;Q) obtains
the desired result for statement (ii) of the proposition. Also, cmpl 〈P ;Q,C〉 =
cmpl 〈P,C〉, whence cmpl 〈P ; Q,C〉 = {c} implies c = 1 which tells us that P
must pause at its C-stop, by induction hypothesis. Hence, P ;Q pauses at n.
This deals with statement (i) of the proposition.
Proposition 12 (Soundness of Upper/Cannot Prediction). Let R : (Σ0,ρ0) 
(Σn,ρn) be a finite micro sequence with an active process 〈ιP ,P,Ks〉 ∈ Σs, 0≤ s≤ n,
and C an environment such that R is C-consistent for ιP . Suppose that all actions
executed between s and n are from processes concurrent to ιP or from descendants of
P . In particular, there are no actions from the continuation list Ks. Then,
(i) If 0 ∉ cmpl 〈P,C〉 then at least one descendant of P is active or pausing in Σn
and if 1 ∉ cmpl 〈P,C〉 then not all descendants of P in Σn, if there are any, are
pausing.
(ii) upp |R@s|C(ιP )  S implies upp |R@n|C(ιP )  〈〈P 〉〉SC .
Proof: We proceed by induction on the structure of the program and the length
of the continuation list Ks. Note that the statements (i) and (ii) of the Prop. 12
hold trivially, if program P does not perform any actions between s and n. In this
case, upp |R@n|C(ιP ) = upp |R@s|C(ιP ) S  〈〈P 〉〉SC by the inflationary nature of
the prediction (Prop. 10(2)). Hence, in the following we may assume for (ii) that P
performs at least one action after s. Note that this deals with the case P = π which
cannot perform any actions at all for both (i) and (ii).
• Let P =  and upp |R@s|C(ιP ) S. As there is no write access performed by ιP ,
the sequential yield remains constant, i.e., |R@s|C(ιP ) = |R@n|C(ιP ). Therefore,
upp |R@n|C(ιP ) = upp |R@s|C(ιP ) S = 〈〈P 〉〉SC as desired. This proves (ii).
The case for statement (i) of Prop. 12 is trivial because cmpl 〈P,C〉= {0} and
P cannot pause.
• Let P = !x for which the prediction is 〈〈P 〉〉SC = S ∨{〈x1〉} if [⊥,⊤]:1 ⊑ C(x),
whereas it is 〈〈P 〉〉SC = S∨{〈x[⊥,1]〉}∨⊥:1, otherwise. The only action of ιP after
s is the set !x. Suppose first that [⊥,⊤]:1 ⊑ C(x). By Def. 10(4), |R@n|C(ιP ) =
|R@s|C(ιP )∨{〈x1〉}. From this we obtain
upp |R@n|C(ιP ) = upp(|R@s|C(ιP )∨{〈x1〉})
= upp |R@s|C(ιP )∨upp{〈x1〉}
 S∨{〈x[⊥,1]〉}  S∨{〈x1〉} = 〈〈P 〉〉SC
as required. The last in-equation holds because {〈x[⊥,1]〉}  {〈x1〉}. Second,
consider the case [⊥,⊤]:1 ⋢ C(x). Here, by Def. 10(4), we get
upp |R@n|C(ιP ) = upp(|R@s|C(ιP )∨{〈x1〉}∨⊥:1)
= upp |R@s|C(ιP )∨upp{〈x1〉}∨upp(⊥:1)
= upp upp |R@s|C(ιP )∨upp upp{〈x1〉}∨upp(⊥:1)
 upp(S)∨upp{〈x[⊥,1]〉}∨upp(⊥:1)
= upp(S∨{〈x[⊥,1]〉}∨⊥:1)
= upp 〈〈P 〉〉SC  〈〈P 〉〉SC .
Again, statement (i) of Prop. 12 is trivial in this case because 0 ∈ cmpl 〈P,C〉,
whatever the environment C looks like, and also P cannot pause.
• Suppose P = ¡x and upp |R@s|C(ιP ) S. Suppose that all actions performed by
ιP between s and n are from processes concurrent to ιP or from descendants of P ,
and that the reset is performed at step s < t≤ n. Hence, |R@s|C(ιP ) = |R@t−
1|C(ιP ) and |R@n|C(ιP ) = |R@t|C(ιP ). We must show upp |R@n|C(ιP ) 〈〈P 〉〉SC .
Let us see what we have got on both sides of the desired inequation: On the
left-hand side,
upp |R@n|C(ιP ) = upp |R@t|C(ιP )
= upp(|R@t−1|C(ιP )∨{〈xδ〉})
= upp |R@t−1|C(ιP )∨upp{〈xδ〉}
= upp |R@s|C(ιP )∨upp{〈xδ〉}
 S∨upp{〈xδ〉},
where δ is chosen in accordance with Def. 10(5) so that
d1) δ = ⊤ if 1  |R@s|C(ιP )(x)  ⊤
d2) δ = ⊤:2 if 1:1  |R@s|C(ιP )(x)
d3) δ = 0 if |R@s|C(ιP )(x)  0
d4) δ = 0:2 if ⊥:1  |R@s|C(ιP )(x)  0:2.
On the right-hand side we have 〈〈P 〉〉SC = S∨{〈xγ〉} where γ is determined
from the sequential status S as follows:
g1) γ = ⊤ if 1  S(x)  ⊤
g2) γ = ⊤:2 if 1:1  S(x)
g3) γ = 0 if S(x)  0
g4) γ = 0:2 if ⊥:1  S(x)  0:2
g5) γ = [0,⊤]:2 if [⊥,1]:1  S(x)  [0,⊤]:2.
We now observe that the constraint upp |R@s|C(ιP )(x)  S(x) enforces a logical
coupling between the cases (d1)–(d4) and (g1)–(g5) such that always upp{〈xδ〉}
 {〈xγ〉}. This then proves that upp |R@n|C(ιP )  S ∨ upp{〈xδ〉}  S ∨{〈xγ〉} =
〈〈P 〉〉SC . We proceed by case analysis on S(x) = [l,u]:r:
− If both u ≥ 1 and r  1 then we have the cases (g2) or (g5), i.e., γ ∈
{⊤:2, [0,⊤]:2} and thus upp{〈xδ〉}  {〈xγ〉} is trivially true.
− Next, we may have u ≥ 1 and r = 0 which implies 1  S(x)  ⊤, i.e., we
have case (g1) where γ = ⊤. But also, upp |R@s|C(ιP )(x)  S(x)  ⊤. Hence,
the only possible solution for δ is (d3). Now the argument is completed by the
approximation upp{〈xδ〉} = upp{〈x0〉} = {〈x[⊥,0]〉}  {〈x⊤〉} = {〈xγ〉}.
− If u ≤ 0 and r = 0 then upp |R@s|C(ιP )(x)  S(x)  0 which means we are
looking at case (g3) and (d3) in which case upp{〈xδ〉} = upp{〈x0〉}  {〈x0〉} =
{〈xγ〉}.
− If u ≤ 0 and r 0 then ⊥:1  S(x)  0:2 and upp |R@s|C(ιP )(x)  S(x)  0:2.
This gives case (g4) and either (d3) or (d4), i.e., δ ∈ {0,0:2}. In either case,
γ = 0:2 and upp{〈xδ〉}  {〈xγ〉} as one verifies readily.
Since 0 ∈ cmpl 〈P,C〉 and P cannot pause, the proof of statement (i) of the
proposition is trivial. This completes the case of P = ¡x for Prop. 12.
• Let us look at parallel composition P ||Q. The interval between s and n must
contain the initial forking action 〈ιP||Q,P ||Q,Ks〉 executed at some index s <
t≤ n in R. Remember that we may assume that the program performs at least
one action in R and this action must be the forking. As a result, the processes
〈ιP ,P, [ ]〉 and 〈ιQ,Q, [ ]〉 are activated in Σt. Thereafter, all actions from ιP||Q
are actions of the children ιP or ιQ, in some interleaving, possibly followed by
the execution of the join 〈ιP||Q, ,Ks〉. R must be C-consistent for both ιP  ιP||Q
and ιQ  ιP||Q, because it is C-consistent for ιP||Q by assumption. Therefore, the
induction hypothesis applies to both P and Q, taking t as the point of prediction.
Also, since both children inherit the yield of their parent, |R@s|C(ιP||Q) =
|R@t|C(ιP||Q) = |R@t|C(ιP ) = |R@t|C(ιQ). Therefore, both upp |R@t|C(ιP ) =
upp |R@s|C(ιP||Q) S and upp |R@t|C(ιQ) S, by assumption. The induction
hypothesis obtains
upp |R@n|C(ιP ) 〈〈P 〉〉SC and upp |R@n|C(ιQ) 〈〈Q〉〉SC .
Moreover, since all write actions of ιP||Q between t and n are write actions of
either ιP or of ιQ, we have |R@n|C(ιP||Q) = |R@n|C(ιP )∨|R@n|C(ιQ). Thus,
upp |R@n|C(ιP||Q) = upp(|R@n|C(ιP )∨|R@n|C(ιQ))
= upp |R@n|C(ιP )∨upp |R@n|C(ιQ)
 〈〈P 〉〉SC ∨〈〈Q〉〉SC = 〈〈P ||Q〉〉SC .
Finally, suppose 0 ∉ cmpl 〈P ||Q,C〉 = cmpl 〈P,C〉⊕ cmpl 〈Q,C〉. The definition
of ⊕ implies 0 ∉ cmpl 〈P,C〉 or 0 ∉ cmpl 〈Q,C〉. Hence, by induction hypothesis
the final process pool Σn must contain descendants from P or Q that are active
or pausing. As these are descendants of P ||Q, this means that program P ||Q
must still be active or pausing in Σn. On the other hand, if 1 ∉ cmpl 〈P ||Q,C〉
then by definition of ⊕ we must have both 1 ∉ cmpl 〈P,C〉 and 1 ∉ cmpl 〈Q,C〉.
By induction then none of the parallel threads P or Q is pausing in Σn, so
neither is P ||Q.
• Now we tackle a conditional test x ? P :Q, active in (Σs,ρs). Our assumption
is that upp |R@s|C(ιx?P :Q) S and that all actions in R from ιx?P :Q after s
are either concurrent or from descendants of x ? P :Q.
At some point t in R with s < t ≤ n the read action on variable x installs
one of the branches P or Q into the process pool. So, either 〈ιP ,P,Ks〉 or
〈ιQ,Q,Ks〉 are active in Σt, depending on the value ρt−1(x). If ρt−1(x) = 1,
then 〈ιP ,P,Ks〉 ∈ Σt and if ρt−1(x) = 0, then 〈ιQ,Q,Ks〉 ∈ Σt.
Let us first consider the situation in which the branching variable is undecided
by C, i.e., 0:1 ⋢ C(x) and 1:1 ⋢ C(x). Between s and t all actions are from
processes concurrent to ιx?P :Q and thus, depending on which branch is taken,
by Def. 10(2), either
(i) ιP = inc(ιx?P :Q) and
upp |R@t|C(ιP ) = upp(|R@t−1|C(ιx?P :Q)∨⊥:1)
= upp(|R@s|C(ιx?P :Q)∨⊥:1)
= upp |R@s|C(ιx?P :Q)∨upp(⊥:1)
 S∨⊥:1
(ii) ιQ = inc(ιx?P :Q) and upp |R@t|C(ιQ) S∨⊥:1 using the analogous calcu-
lation.
Since R must be C-consistent for the respective branch ιP or ιQ by assumption,
the induction hypothesis obtains the in-equations
upp |R@n|C(ιx?P :Q) = upp |R@n|C(ιP ) 〈〈P 〉〉S∨⊥:1C
in case (i) or
upp |R@n|C(ιx?P :Q) = upp |R@n|C(ιQ) 〈〈Q〉〉S∨⊥:1C
in case (ii). But this means
upp |R@n|C(ιx?P :Q) 〈〈P 〉〉S∨⊥:1C ∨〈〈Q〉〉S∨⊥:1C
independent of the memory value ρt−1(x). So, if the branching variable x is
undecided under C, i.e., 0:1 ⋢ C(x) and 1:1 ⋢ C(x), then we are done, since
upp |R@n|C(ιx?P :Q) = upp upp |R@n|C(ιx?P :Q)
 upp(〈〈P 〉〉S∨⊥:1C ∨〈〈Q〉〉S∨⊥:1C )
= upp 〈〈P 〉〉S∨⊥:1C ∨upp 〈〈Q〉〉S∨⊥:1C
 S∨upp 〈〈P 〉〉S∨⊥:1C ∨upp 〈〈Q〉〉S∨⊥:1C
= 〈〈x ? P :Q〉〉SC
since E  S ∨E and by Props. 3, 6 as well as -monotonicity of upp. This
establishes (ii) of the proposition.
In order to prove statement (i) of Prop. 12, suppose 0 ∉ cmpl 〈x ? P :Q,C〉 =
upp(cmpl 〈P,C〉 ⊓ cmpl 〈Q,C〉). From this we can infer that 0 ∉ cmpl 〈P,C〉 and
also 0 ∉ cmpl 〈Q,C〉. So, whatever branch is taken by R at micro-step t, the
induction hypothesis guarantees that at least one descendant of x ? P : Q is
active or pausing in Σn. Similarly, 1 ∉ upp(cmpl 〈P,C〉 ⊓ cmpl 〈Q,C〉) means that
1 ∉ cmpl 〈P,C〉 and 1 ∉ cmpl 〈Q,C〉, so that x ? P : Q cannot pause in Σn by
induction hypothesis.
Otherwise, if the branching is decided in C, i.e., the run-time value ρt−1(x)
is predicted by a status 1:1 ⊑ C(x) or 0:1 ⊑ C(x), then the prediction will
include the respective branch and thereby follow the actual run tightly. For
instance, suppose 1:1 ⊑ C(x). The assumption that R is C-consistent for ιx?P :Q
means that the memory value of x is ρt−1(x) = 1. Hence the run R takes
the P branch and considering Def. 10(2) we calculate upp |R@n|C(ιx?P :Q) =
upp |R@n|C(ιP )  〈〈P 〉〉SC = 〈〈x ? P : Q〉〉SC based on the induction hypothesis
and the fact that every variable access in R that is concurrent to ιP is also
concurrent to ιx?P :Q.
Finally, observe that if 1:1 ⊑ C(x) then 0 ∉ cmpl 〈x ? P : Q,C〉 = cmpl 〈P,C〉
permits us to invoke the induction hypothesis on P to conclude that P , and
thus x ? P :Q, cannot be terminated instantaneously in Σn. The same is true
for 1 ∉ cmpl 〈x ? P : Q,C〉 = cmpl 〈P,C〉, showing that P and hence x ? P :Q
cannot pause.
Since the argument for 0:1 ⊑ C(x) is analogous, with P replaced by Q, we have
completed the inductive step of Prop. 12 for conditional expressions.
• Finally, it remains to consider the case of a sequential composition P ;Q active
in (Σs,ρs) such that upp |R@s|C(ιP ;Q) S. The first action of ιP ;Q in R breaks
up the statement, say at index s < t≤ n, and adds 〈ιP ,P,Q::Ks〉 with ιP = ιP ;Q
into the process pool Σt. As there are no actions from ιP ;Q between s and t
we have |R@s|C(ιP ;Q) = |R@t−1|C(ιP ;Q) = |R@t|C(ιP ), by Def. 10(1), and so
upp |R@t|C(ιP ) S.
From step index t the execution of ιP ;Q continues with the execution of ιP
and by assumption only consists of actions from the descendants of P ;Q but
not of the continuation list Ks. There are two cases depending on whether P
terminates instantaneously or not. If P happens to terminate instantaneously in
R, then at this step index, say t < k ≤ n the process 〈ιQ,Q,Ks〉 ∈ Σk is started.
Deriving from the assumption that R is C-consistent for ιP ;Q we infer that R
is C-consistent for both ιP and ιQ.
First, let us assume that P does not terminate instantaneously in R, i.e.,
either it pauses at some step t < k ≤ n or some descendant of P is still active
and non-pausing in Σn. In either case, |R@n|C(ιP ;Q) = |R@n|C(ιP ). Then,
upp |R@n|C(ιP ;Q) = upp |R@n|C(ιP )  〈〈P 〉〉SC by induction hypothesis on P .
Now observe that, independently of the completion cmpl 〈P,C〉, we always have
〈〈P 〉〉SC  〈〈P ; Q〉〉SC , which implies upp |R@n|C(ιP ;Q)  〈〈P ; Q〉〉SC overall, as
desired.
Note that if 1 ∉ cmpl 〈P ;Q,C〉 then also 1 ∉ cmpl 〈P,C〉, regardless of whether cmpl 〈P ;
Q,C〉 = cmpl 〈P,C〉 or cmpl 〈P ; Q,C〉 = cmpl 〈P,C〉 ⊕ cmpl 〈Q,C〉. So, if 1 ∉
cmpl 〈P ;Q,C〉 we can argue by induction that P cannot pause and therefore,
in this case, P must still be active in Σn. Hence, P ;Q does not pause in Σn,
either.
This takes care of (i) of the proposition since if 0 ∉ cmpl 〈P ;Q,C〉 then P ;Q
does not terminate because by assumption in this case P does not terminate in
R.
Second, what if P terminates at some t < k ≤ n instantaneously? Then, we have 〈ιQ,Q,Ks〉 ∈ Σk by Def. 10(1,4,5), and upp |R@k|_C(ιQ) = upp |R@k|_C(ιP) ≼ 〈〈P〉〉^S_C. Moreover, R is C-consistent for ιQ and so the induction hypothesis guarantees

$$\mathrm{upp}\,|R@n|_C(\iota_{P;Q}) \;=\; \mathrm{upp}\,|R@n|_C(\iota_Q) \;\preceq\; \langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^{S}_{C}}_{C}, \qquad (26)$$

where the equation follows from the fact that ι_{P;Q} ≼ ιQ, i.e., all write accesses in R that are concurrent to ιQ are also concurrent to ι_{P;Q}. Now, since P terminates instantaneously, we must have 0 ∈ cmpl〈P,C〉 by Prop. 12(i). If cmpl〈P,C〉 = {0} we directly get

$$\langle\!\langle P;Q\rangle\!\rangle^{S}_{C} \;=\; \langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^{S}_{C}}_{C},$$

from which (26) gives the desired result. If both 0 ∈ cmpl〈P,C〉 and cmpl〈P,C〉 ≠ {0} we can also use (26), together with idempotence and monotonicity of upp, as follows:

$$\mathrm{upp}\,|R@n|_C(\iota_{P;Q}) \;=\; \mathrm{upp}\,\mathrm{upp}\,|R@n|_C(\iota_{P;Q}) \;\preceq\; \mathrm{upp}\,\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^{S}_{C}}_{C} \;\preceq\; \langle\!\langle P\rangle\!\rangle^{S}_{C} \vee \mathrm{upp}\,\langle\!\langle Q\rangle\!\rangle^{\langle\!\langle P\rangle\!\rangle^{S}_{C}}_{C} \;=\; \langle\!\langle P;Q\rangle\!\rangle^{S}_{C}.$$
Let us look at the inductive step for statement (i) of Prop. 12. As 0 ∈ cmpl〈P,C〉 the completion code for the sequential composition is
cmpl〈P;Q,C〉 = cmpl〈P,C〉 ⊕ cmpl〈Q,C〉.
In this situation the assumption 0 ∉ cmpl〈P;Q,C〉 implies that 0 ∉ cmpl〈Q,C〉. So, we can use the induction hypothesis for Q from micro-step k to infer that at least one descendant of P;Q, or more specifically of Q, is still active or pausing in Σn. Finally, the assumption 1 ∉ cmpl〈P,C〉 ⊕ cmpl〈Q,C〉 means 1 ∉ cmpl〈Q,C〉. Hence, Q does not pause and therefore P;Q does not pause in Σn, considering that P terminates instantaneously at k ≤ n.
Thm 1. For every fprog P , if P is IBC then P is both B-reactive and SC-read-
determinate.
Proof: Let P be an IBC program, i.e., C∗ = µC.〈〈P〉〉^⊥_C is safe: for all x ∈ V, C∗(x) ≼ 1:1 and for all x ∈ rd(P), C∗(x) ∈ {⊥,0,1}. Further, let (Σ0,ρ0) be an initial configuration in which program P appears as the sole active process in the pool, i.e., Σ0 = {Root}, where Root = 〈ιP,P,[ ]〉 and ιP = Root.id = 0.
a) B-reactivity: We now show that there must exist at least one B-admissible execution for P from any memory state. This proof demonstrates how the fixed point iteration can be used as a predictive B-admissible scheduler. We are going to build iteratively a contiguous sequence of B-admissible micro-sequences

$$(\Sigma_{n_0},\rho_{n_0}) \xrightarrow{R_0} (\Sigma_{n_1},\rho_{n_1}) \xrightarrow{R_1} (\Sigma_{n_2},\rho_{n_2}) \xrightarrow{R_2} (\Sigma_{n_3},\rho_{n_3}) \;\cdots\; \xrightarrow{R_{i-1}} (\Sigma_{n_i},\rho_{n_i})$$

with n0 = 0 and n_{i−1} ≤ n_i, where in each scheduling round R_{i−1} we are pushing the
execution as far as possible while staying Ci−1-enabled, where Ci−1 is the sequence
of concurrent environments generated by the fixed point iteration. Since the initial
pool is Σ0 = {〈ιP ,P, [ ]〉}, all threads in any of the process pools Σk reached during
R0,R1, . . . ,Ri−1 are descendants of P . By construction, each descendant thread
remaining active in round Ri−1 is Ci−1-stopped in the final configuration Σni .
For the fixed point C∗, which is safe, this means that in the corresponding end
configuration (Σn∗ ,ρn∗) all threads descending from ιP are either instantaneously
terminated or pausing. Recall that in the final configuration (Σn∗ ,ρn∗) no set !x can
be C∗-blocked since C∗ is reset-safe and no read x ? P ′ :Q′ can be blocked because
C∗ is read-safe. Hence, at the fixed point, we have constructed a maximal micro
sequence and thus reached the end of the macro step (instant). Here are the key
invariants of the construction:
(I1) The yield of each partial schedule is in the range predicted by the fixed point approximation, i.e., Ci ⊑ |R0,R1,…,R_{i−1}|_{C_{i−1}}(ιP).
(I2) Each partial schedule R0,R1,…,R_{i−1} is B-admissible.
(I3) For every free schedule R′ starting from (Σ_{ni},ρ_{ni}), the extended schedule R0,R1,R2,…,R_{i−1},R′ is Ci-consistent. Further, if Ci(x) ≼ ⊤:1 then R′ does not contain a reset ¡x.
The invariants (I1)–(I3) tell us that the full sequence R = R0,R1, . . . ,R∗ up to
the fixed point, obtained as the result of our scheduling strategy, is C∗-consistent
and that every conditional test performed in the full schedule R reads exactly the
memory value predicted by the read-safe fixed point environment.
Base Case. Observe that the empty schedule ε is trivially B-admissible and its sequential yield |ε|(ιP) = ⊥ lies in the environment C0 = [⊥,⊤]:2, i.e., C0 ⊑ ⊥. So, both (I1) and (I2) hold for the empty sequences. Regarding (I3) note that every free schedule R′ starting in the configuration (Σ_{n0},ρ_{n0}) is trivially C0-consistent since no variable is decided in C0. Since C0 ⋠ ⊤:1 the schedule R′ is not constrained regarding resets.
This is the base case of our construction. However, for better understanding of the
procedure let us go on into the first round: To create R0 we simply execute every
active process in any order provided the action is C0-enabled. In C0 all conditional
branching and set actions are C0-blocked. The only C0-enabled actions are resets ¡x
and actions such as , sequencing P ′ ;Q′ and the forking and joining of a parallel
P ′ ||Q′. These actions can be executed in any order without violating B-admissibility.
We continue until we reach a configuration (Σn1 ,ρn1) in which all descendants of ιP
have either completed (pausing or terminated) or are C0-blocked. The proof that
R0 satisfies (I1)–(I3) is covered by the step case which is handled next.
Step Case. By way of induction hypothesis (I1)–(I3), suppose we have constructed a B-admissible schedule R0,R1,…,R_{i−1} (I2) such that for every j ≤ i (using course-of-values induction) the yield of R0,R1,…,R_{j−1} with respect to C_{j−1} lies in the range predicted by Cj (I1) and for every free schedule R′ from (Σ_{nj},ρ_{nj}) the extension R0,R1,…,R_{j−1},R′ is Cj-consistent (I3). Moreover, from (I3) we may assume that if Cj(x) ≼ ⊤:1 then R′ is reset-free for x.
From (Σni ,ρni) we now continue to schedule all and only those actions that are
active and Ci-enabled. We do this until ιP stops under Ci, i.e., until it completes or
all remaining active threads are Ci-blocked. This procedure builds a round schedule
Ri and leads to a configuration (Σni+1 ,ρni+1). Then, ni+1 is the Ci-stopping index of
P in R0,R1, . . . ,Ri−1,Ri. If it happens that there is no active process in Σni which
is Ci-enabled, then Σni+1 = Σni and ρni+1 = ρni . In this case, we just move on to
the next iteration round Ci+1 of the fixed point without progressing the schedule.
In the sequel we will argue that (I2) – the schedule R0,R1,…,R_{i−1},Ri is B-admissible, that (I1) – its yield is constrained by C_{i+1} and (I3) – that every freely extended schedule R0,R1,…,R_{i−1},Ri,R′ is C_{i+1}-consistent so that if C_{i+1}(x) ≼ ⊤:1 then R′ is reset-free on x.
(I1) By induction hypothesis (I3) the schedule R0,R1,…,R_{i−1},Ri is Ci-consistent. Consider that C_{i+1} = 〈〈P〉〉^⊥_{Ci}. Then, we apply Prop. 11(ii) to obtain the lower constraint

$$C_{i+1} \;\preceq\; \mathrm{low}\,|R_0,R_1,\ldots,R_{i-1},R_i|_{C_i}(\iota_P)$$

and the upper bound

$$\mathrm{upp}\,|R_0,R_1,\ldots,R_{i-1},R_i|_{C_i}(\iota_P) \;\preceq\; C_{i+1}$$

is provided by Prop. 12(ii). Both together yield C_{i+1} ⊑ |R0,R1,…,R_{i−1},Ri|_{Ci}(ιP), which proves (I1) for the extended sequence.
(I2) In order to show that Ri preserves B-admissibility we argue by induction on the length of Ri. Refer to Def. 4 for the notion of B-admissibility. Suppose that after a partial B-admissible schedule

$$(\Sigma_{n_0},\rho_{n_0}) \xrightarrow{R_0,R_1,\ldots,R_{i-1}} (\Sigma_{n_i},\rho_{n_i}) \xrightarrow{R'_i} (\Sigma_n,\rho_n) \xrightarrow{T} (\Sigma_{n+1},\rho_{n+1}) \qquad (27)$$

of Ci-enabled actions R′i, which are a prefix of Ri, we reach a process pool Σn with n < n_{i+1}, containing an active and Ci-enabled action T ∈ Σn which is now picked to be executed. We show that whatever such T we choose, we preserve B-admissibility.
– “No reset after set.” Suppose some set !x is executed before in round j ≤ i, i.e., in R′i or as part of R0,R1,…,R_{i−1}. Now, since every Cj-enabled action is also Ci-enabled, the fact that !x has been scheduled already, by construction, implies [⊥,⊤]:1 ⊑ Ci(x), which is the same as Ci(x) ≼ ⊤:1. The induction hypothesis (I3) tells us that there cannot be a reset on x in any free schedule extending R0,R1,…,R_{i−1}. Hence, the action T cannot be a reset ¡x in this case.
– “Late writes are ineffective and confluent.” Suppose T is a write access to a variable x ∈ V and some read access x ? P′ : Q′ has been executed before in R0,R1,…,R_{i−1},R′i, say in round j ≤ i at step nj < k ≤ n_{j+1}, where it must be Cj-enabled. Let R0,R1,…,R_{j−1},R′j : (Σ_{n0},ρ_{n0}) ⟶ (Σk,ρk) be the prefix sequence up to the point of the read. From Cj-enabledness of the read we obtain b:1 ⊑ Cj(x) for b ∈ {⊥,0,1}. Also, we must have j > 0 because of the choice of the initial environment C0.
∗ We first show that T must be a set !x and b = 1.
Recall that the inclusion Cj ⊑ Ci means that b:1 ⊑ Ci(x). But then Ci(x) ≼ ⊤:1, so that the induction hypothesis (I3) implies that T cannot be a reset of variable x. Moreover, since the schedule R0,R1,…,R_{i−1},R′i,T is C_{i−1}-consistent by induction hypothesis (I3), applying Prop. 12(ii) implies that

$$\mathrm{upp}\,|R_0,R_1,\ldots,R_{i-1},R'_i,T|_{C_{i-1}}(\iota_P)(x) \;\preceq\; \langle\!\langle P\rangle\!\rangle^{\bot}_{C_{i-1}}(x) \;=\; C_i(x) \;\preceq\; b{:}1. \qquad (28)$$

On the other hand, the last action T is a set !x, so we also have

$$1 \;\preceq\; |R_0,R_1,\ldots,R_{i-1},R'_i,T|_{C_{i-1}}(\iota_P)(x) \qquad (29)$$

by Def. 10(4). But (28) and (29) together imply b = 1.
∗ We next show that T is ineffective.
Exploiting the induction hypothesis (I1), which places the yield of R0,R1,…,R_{j−1} inside the range predicted by Cj, gives

$$1{:}1 \;=\; b{:}1 \;\sqsubseteq\; C_j(x) \;\sqsubseteq\; |R_0,R_1,\ldots,R_{j-1}|_{C_{j-1}}(\iota_P)(x),$$

which can only hold if there is at least one set !x already in the schedule R0,R1,…,R_{j−1}, which is before the read x ? P′ : Q′ at step k in round j. Otherwise, we would have

$$|R_0,R_1,\ldots,R_{j-1}|_{C_{j-1}}(\iota_P)(x) \;\preceq\; 0{:}2$$

(by Def. 10). Hence T is ineffective.
∗ It remains to see that T is confluent with the read.
By Cj-consistency of R0,R1,…,R_{i−1},R′i and 1:1 ⊑ Cj(x), the memory value must be ρ_{k−1}(x) = 1 at the point of the read. Then, a conflict to violate confluence can only occur if there exists a free schedule R″ forward from Σk so that at (i) the end of R0,R1,…,R_{j−1},R′j,R″ both the read and the set are jointly active and (ii) during this free schedule the memory value of x is changed to 0 by a reset action ¡x. However, since any such free schedule extends from (Σ_{nj},ρ_{nj}), this contradicts the induction hypothesis (I3) and Cj(x) ≼ 1:1, which tells us that there cannot be a reset of x in R′j,R″.
(I3) We claim that the extended schedule R0,R1,…,R_{i−1},Ri,R′ is C_{i+1}-consistent for every free schedule R′. Further, if C_{i+1}(x) ≼ ⊤:1 then R′ contains no reset ¡x.
Let us assume a read action T.prog = x ? P : Q is performed for which the environment C_{i+1} is decided, say b:1 ⊑ C_{i+1}(x) for some b ∈ {⊥,0,1}, which implies C_{i+1}(x) ≼ b:1 in particular. We must show that the memory value of x at the point of the read is identical to the prediction b.
– Clearly, the read cannot be in round R0 since all reads are C0-blocked and thus not executable in R0.
– Next, suppose the read on x in question occurs in round Rj for 1 ≤ j ≤ i, say at index n_{j−1} < k ≤ nj. As the read has been performed in round Rj, it is Cj-enabled, and so bj:1 ⊑ Cj(x) for some bj ∈ B. But then Cj ⊑ C_{i+1} implies bj = b. On the other hand, by induction hypothesis, R0,R1,…,R_{i−1},Ri,R′ is Cj-consistent and so in fact ρ_{k−1}(x) ≐ b, as desired.
– The remaining possibility is that the read T occurs in R′. Without loss of generality we can assume that the read is the last action of R′. Using invariant (I1) for the sequence R0,R1,…,Ri which was proven above, we conclude b:1 ⊑ C_{i+1}(x) ⊑ |R0,R1,…,Ri|_{Ci}(ιP)(x). Further, by invariant (I2) proven above, the schedule R0,R1,…,Ri is B-admissible and thus in particular SC-admissible. But then Lem. 4 says that the value of x in memory ρ_{n_{i+1}} is fixed by C_{i+1}. More specifically, ρ_{n_{i+1}}(x) ≐ b. By way of contradiction, suppose that ρ_{k−1}(x) ≐ b fails, i.e., the memory read by T at the end of R′ is different from ρ_{n_{i+1}}(x):
One possibility is that b = 1 and the memory read by T is ρ_{k−1}(x) = 0. As seen above, the value of x in memory ρ_{n_{i+1}} is 1. Hence, the schedule R′ must activate a reset ¡x to bring x's value to 0. Also, the fact that 1:1 ⊑ |R0,R1,…,Ri|_{Ci}(ιP)(x) means there must have been a set !x executed in some round Rj for j ≤ i. This set action !x must be Cj-enabled (otherwise it would have blocked and not been executed), i.e., [⊥,⊤]:1 ⊑ Cj(x) ⊑ Ci(x) or 〈〈P〉〉^⊥_{C_{i−1}}(x) = Ci(x) ≼ ⊤:1. But then the reset in the schedule R′ contradicts the induction hypothesis (I3).
The other possibility for a violation of C_{i+1}-consistency is when b ∈ {⊥,0} and the read T at the end of R′ finds the memory value of x to be 1 when b = 0, or different from ρ_{n_{i+1}}(x) when b = ⊥. In any case, this can only happen if the schedule R′ from (Σ_{n_{i+1}},ρ_{n_{i+1}}) executes a set !x or a reset ¡x to change the memory from ρ_{n_{i+1}}(x) to ρ_{k−1}(x). We exploit that the schedule R0,R1,…,Ri,R′ is Ci-consistent by inductive invariant (I3). So we can use Prop. 12(ii) to conclude that the sequential yield of R0,R1,…,Ri,R′ cannot go above level b. More precisely, since upp |(R0,R1,…,Ri,R′)@0|_{Ci}(ιP)(x) = upp(⊥) ≼ ⊥, Prop. 12(ii) guarantees that

$$\mathrm{upp}\,|R_0,R_1,\ldots,R_i,R'|_{C_i}(\iota_P)(x) \;\preceq\; \langle\!\langle P\rangle\!\rangle^{\bot}_{C_i}(x) \;=\; C_{i+1}(x) \;\preceq\; b{:}1. \qquad (30)$$

Now if R0,R1,…,Ri,R′ is to contain a write access at all then (30) implies b ≠ ⊥. Hence, b = 0 and the read T at the end of R′ finds the memory value of x to be 1. Therefore, the schedule R′ must execute a set !x to change the memory value of x from ρ_{n_{i+1}}(x) = 0 to ρ_{k−1}(x) = 1. This, in turn, implies 1 ≼ |R0,R1,…,Ri,R′|_{Ci}(ιP)(x) by Def. 10(4). However, this contradicts (30) as no status γ satisfies both 1 ≼ γ and upp(γ) ≼ 0:1.
Finally, by way of contradiction, suppose R′ contains a reset ¡x and C_{i+1}(x) ≼ ⊤:1. Let T be the reset action in R′ and R″,T the prefix of R′ up to and including the reset. Then by Ci-consistency of the schedule R0,R1,…,Ri,R″,T, from the induction hypothesis (I3), and Prop. 12(ii) we infer

$$\mathrm{upp}\,|R_0,R_1,\ldots,R_i,R'',T|_{C_i}(\iota_P)(x) \;\preceq\; \langle\!\langle P\rangle\!\rangle^{\bot}_{C_i}(x) \;=\; C_{i+1}(x) \;\preceq\; \top{:}1.$$

Hence, the init status of x is not raised to 2 by the reset T. Now by Def. 10(5) this can only be if

$$\mathrm{upp}\,|R_0,R_1,\ldots,R_i,R''|_{C_i}(\iota_P)(x) \;\preceq\; \top{:}0.$$

But this is a contradiction: By construction Σ_{n_{i+1}} is the Ci-stop of P, so already the first action taken by R″ is Ci-blocked. As a consequence, this action (either a conditional or a set) must raise the speculation status to 1 for all variables, so that in fact

$$\bot{:}1 \;\preceq\; \mathrm{upp}\,|R_0,R_1,\ldots,R_i,R''|_{C_i}(\iota_P)(x).$$

This completes the proof for (I3).
It is important to observe that the inductive step for (I3) depends on the inductive
steps (I1) and (I2). However, the proof of (I1) does not need (I3) at all and the step
for (I2) only requires the induction hypothesis on (I3). Thus, there is no logical cycle
and the induction is well-grounded.
b) SC-Read-Determinacy: To prove the determinacy part, let us fix an SC-admissible instant R : (Σ0,ρ0) ⟶ (Σn,ρn), where n = len(R). Observe that all processes in every pool Σi are descendants of ιP. We are going to cover the micro-sequence R incrementally with the results from the fixed point iteration, showing that R can only ever execute variable read accesses within the corridor predicted by the fixed point responses Ci, where C0 = [⊥,⊤]:2 and C_{i+1} = 〈〈P〉〉^⊥_{Ci}. This exploits the soundness of lower and upper predictions, Props. 11 and 12.
Initially, C0 does not constrain anything, so R may be arbitrary. But as the sequence of Ci narrows down in the fixed point iteration, less and less uncertainty remains for where R is headed. Eventually, at the read-safe fixed point C∗, all read variables of P receive a crisp value from {⊥,0,1} by which we find the final response of R is pinned down exactly. More precisely, at this point we find C∗ ⊑ |R@n|(ιP), thus proving that all read variables eventually receive one of the statuses ⊥ (variable
pristine, retains initial memory value), 0 (variable initialized and never updated
later) or 1 (variable initialized and then updated but never reset again later). In
view of Lem. 4 this ascertains determinacy and coincidence between the fixed point
status and the final memory for all read variables x ∈ rd(P ) in all SC-admissible
executions of P , independent of the initial values in memory ρ0: If C∗(x) =⊥ then
the value of x is not changed in any SC-admissible execution for any initial memory,
i.e. ρ0(x) = ρn(x). If C∗(x) = b∈B, then ρn(x) = b, i.e. the final value of x is constant
b for all initial memories. This verifies condition (2) of Def. 6 for the temporary
variables W = rd(P ). For all other, pure write variables V \ rd(P ) (let us call them
output variables), Def. 6 only requires that the final memory is uniquely determined
for each initial memory. But if we fix the initial memory ρ0 and we know that
all read accesses to variables, by C∗-consistency, see a fixed constant value, then
the only non-determinism left is in the concurrent execution of writes. Yet, since
SC-admissibility prescribes a fixed protocol ordering “resets before sets” on such
concurrent writes to output variables, the final value of the output variables is
uniquely determined. This proves SC-read-determinacy.
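The argument above, and the “No reset after set” and “Late writes are ineffective and confluent” cases of (I2) before it, rest on protocol facts that can be checked operationally on a trace: a reset after a set of the same variable is never admissible (that is the “resets before sets” ordering seen from the scheduler's side), and a write after a read of a variable is tolerable only when it is ineffective, i.e. leaves the stored value unchanged. As an added illustration, not code from the paper or its authors, the following Python replays a micro-step trace of one instant under these two rules and enumerates the free interleavings of concurrent threads to exhibit the determinacy claim. The `Action` record, the trace layout and this two-rule approximation of Def. 4 (which is not reproduced on this page) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Added example, not the paper's code.  Action kinds follow the page's
# vocabulary: a reset '¡x' writes 0, a set '!x' writes 1, a read 'x ? P : Q'
# branches on the stored value (the branches themselves play no role here).
@dataclass(frozen=True)
class Action:
    thread: str   # thread identifier (assumed naming)
    kind: str     # "reset", "set" or "read"
    var: str      # Boolean variable name


def check_instant(trace: List[Action], memory: Dict[str, int]) -> Tuple[List[str], Dict[str, int]]:
    """Replay one instant's micro-step trace on a copy of `memory` and check the
    write protocol the proof relies on (an assumed simplification of Def. 4):
      * a reset of x after a set of x in the same instant is rejected;
      * a write to x after a read of x is rejected only if it is *effective*,
        i.e. if it changes the stored value (an ineffective late write is
        confluent with the read and is tolerated).
    Returns (list of violation messages, final memory)."""
    mem = dict(memory)
    seen_set: Set[str] = set()
    seen_read: Set[str] = set()
    violations: List[str] = []
    for pos, act in enumerate(trace):
        if act.kind == "read":
            seen_read.add(act.var)
            continue
        if act.kind not in ("reset", "set"):
            raise ValueError(f"unknown action kind {act.kind!r}")
        new_value = 0 if act.kind == "reset" else 1
        if act.kind == "reset" and act.var in seen_set:
            violations.append(f"step {pos}: reset of {act.var} after a set")
        if act.var in seen_read and mem.get(act.var, 0) != new_value:
            violations.append(f"step {pos}: effective write to {act.var} after a read")
        mem[act.var] = new_value
        if act.kind == "set":
            seen_set.add(act.var)
    return violations, mem


def interleavings(threads: Dict[str, List[Action]]) -> Iterator[Tuple[Action, ...]]:
    """Enumerate every interleaving of the per-thread action lists, keeping each
    thread's own sequential order (free scheduling of concurrent threads)."""
    def go(remaining: Dict[str, Tuple[Action, ...]]) -> Iterator[Tuple[Action, ...]]:
        if all(len(acts) == 0 for acts in remaining.values()):
            yield ()
            return
        for name, acts in remaining.items():
            if acts:
                rest = dict(remaining)
                rest[name] = acts[1:]
                for tail in go(rest):
                    yield (acts[0],) + tail
    yield from go({name: tuple(acts) for name, acts in threads.items()})


def admissible_outcomes(threads: Dict[str, List[Action]], memory: Dict[str, int]):
    """Final memories reachable by protocol-conforming interleavings, as a set of
    frozensets of (var, value) pairs, plus the count of rejected interleavings.
    Determinacy shows up as this set having exactly one element."""
    outcomes = set()
    rejected = 0
    for trace in interleavings(threads):
        violations, final = check_instant(list(trace), memory)
        if violations:
            rejected += 1
        else:
            outcomes.add(frozenset(final.items()))
    return outcomes, rejected


# Constructed sample: thread A initialises then updates x ("¡x ; !x"), thread B
# reads x concurrently.  Only the interleavings in which the read comes last
# respect the protocol, and all of them leave x = 1 whatever x was initially.
SAMPLE_THREADS = {
    "A": [Action("A", "reset", "x"), Action("A", "set", "x")],
    "B": [Action("B", "read", "x")],
}

if __name__ == "__main__":
    for init in (0, 1):
        outcomes, rejected = admissible_outcomes(SAMPLE_THREADS, {"x": init})
        print(f"x0={init}: outcomes={[dict(o) for o in outcomes]} rejected={rejected}")
    # A sequential "set then reset" violates reset-safety outright.
    print(check_instant([Action("A", "set", "y"), Action("A", "reset", "y")], {"y": 0})[0])
```

Run as a script, the sample reports for both initial memories x0 = 0 and x0 = 1 a single admissible outcome x = 1 and two rejected interleavings (those in which B's read precedes an effective write), which is the shape of the determinacy statement above: the final value of the read variable does not depend on ρ0. The sequential trace !y ; ¡y is rejected with an explicit reason, matching the reset-safety side of the argument.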
In the following we show that every SC-admissible execution R of P is C∗-consistent and C∗ ⊑ |R@n|(ιP). We start with the start index i0 = 0 and initial concurrent environment C0 = [⊥,⊤]:2 which does not impose any constraint on R. Trivially, the execution R is C0-consistent for thread ιP, since no variable is decided in C0. Let i1 be the C0-stopping index of P in R. It must exist because R is an instant and thus a maximal micro-sequence. The first iteration of the response function yields C1 = 〈〈P〉〉^⊥_{C0}. Note that low |R@0|_{C0}(ιP) = low(⊥) ≼ ⊥. Prop. 11(iii) then says that C1 ≼ low |R@i1|_{C0}(ιP) and thus for all i1 ≤ j ≤ n, C1 ≼ low |R@i1|_{C0}(ιP) ≼ low |R@j|_{C0}(ιP). Hence, from micro-step i1 onwards, the sequential yield of the sequence R must stay above the lower bound of the prediction C1. On the other hand, upp |R@0|_{C0}(ιP) = upp(⊥) ≼ ⊥. So, by Prop. 12(ii) we derive upp |R@n|_{C0}(ιP) ≼ C1. But this means that for all i1 ≤ j ≤ n we get upp |R@j|_{C0}(ιP) ≼ upp |R@n|_{C0}(ιP) ≼ C1. In other words, from micro-step i1 onwards, the yield of the sequence R must stay below the upper margin given by the prediction C1. In sum, we find that R is squeezed into the corridor given by C1, i.e.,

$$C_1 \;\sqsubseteq\; |R@j|_{C_0}(\iota_P) \quad \text{for all } i_1 \le j \le n. \qquad (31)$$

Thus, the environment C1 is a sound approximation of the yield from i1 onwards.
We now show that R is also C1-consistent (for ιP). Take any variable x ∈ rd(P) ⊆ V such that b:1 ⊑ C1(x) for some b ∈ B and a read action R(j) = 〈ι, x ? Q1 : Q2, Ks〉 ∈ Σ_{j−1} on x, with ιP ≼ ι, occurring at some step index 0 < j ≤ n. First, suppose the read is after the C0-stop, i.e., i1 < j ≤ n. Then, (31) means |R@j−1|_{C0}(Root.id) = b:r, for r ≼ 1, given that Root.id = ιP. Therefore, by Lem. 4(ii) and SC-admissibility, we conclude that ρ_{j−1}(x) ≐ b as required. What if the read action R(j) on x takes place at some step index 0 < j ≤ i1? If R(j) is C0-enabled then b′:r′ ⊑ C0(x) and thus b′ = b because of C0 ⊑ C1. Then, we have ρ_{j−1}(x) ≐ b immediately because of C0-consistency. So, let us assume R(j) is C0-blocked.
We claim that |R@j−1|_{C0}(ιP)(x) = b:r′, from which the desired result follows by Lem. 4(ii) and SC-admissibility. The upper bound part of |R@j−1|_{C0}(ιP)(x) = b:r′ is already established because upp |R@j−1|_{C0}(ιP)(x) ≼ upp |R@i1|_{C0}(ιP)(x) ≼ C1(x) ≼ b:1 by (31) and the assumption b:1 ⊑ C1(x). Thus, it remains to show that

$$b{:}0 \;\preceq\; |R@j{-}1|_{C_0}(\iota_P)(x). \qquad (32)$$

This is trivially true if b = ⊥. So, suppose b ∈ {0,1} henceforth. By Prop. 11(ii) (Lower Soundness) there exists a descendant ιP ≼ ι′ and index i ≤ i1 such that b:0 = C1(x) ∧ ⊤ ≼ |R@i|_{C0}(ι′)(x) ∨ [⊥,⊤]⊤, which is the same as b:0 = |R@i|_{C0}(ι′)(x). Without loss of generality, let i be the earliest index where this happens. We claim that i ≤ j−1, from which (32) follows directly by monotonicity: b:0 = |R@i|_{C0}(ι′)(x) ≼ |R@j−1|_{C0}(ι′)(x) ≼ |R@j−1|_{C0}(ιP)(x). By way of contradiction, suppose otherwise, i.e., j ≤ i. First, note that since the read R(j) is C0-blocked, the init status of the yield in thread ι is above 1 from index j for all descendants of ι. This implies that ι′ cannot be a descendant of ι. Also, by the construction of the index i we have b:0 ≠ |R@j−1|_{C0}(ι′)(x). So, the status of x in thread ι′, which is concurrent to ι or an ancestor of ι, changes from something different from b (hence strictly below) at index j−1 to status b at index i ≥ j. By Prop. 4(iv) (SC-Admissibility) the thread ι′ cannot be concurrent to ι, whence it must be a proper ancestor of ι, i.e., ι′ ≺ ι. However, this is impossible, too, because no proper ancestor can execute any action (here: between index j and n) while one of its descendants (here ι at index j−1) is still active. This completes the proof that R is C1-consistent for ιP.
We now repeat the argument for ιP and C1. Let 0 ≤ i2 ≤ n be the C1-stopping index of P in R. From C0 ⊑ C1, which implies that every action which is C1-blocked is also C0-blocked, we conclude that i2 ≥ i1. Then, Prop. 11(iii) gives us 〈〈P〉〉^⊥_{C1} = C2 ≼ low |R@i2|_{C1}(ιP). Further, Prop. 12(ii) implies upp |R@n|_{C1}(ιP) ≼ C2. We conclude that from i2 onwards, the sequence R must remain in the corridor given by C2. Formally,

$$C_2 \;\sqsubseteq\; |R@j|_{C_1}(\iota_P) \quad \text{for all } i_2 \le j \le n. \qquad (33)$$

We argue that R is C2-consistent for ιP exactly as above, and continue in the same fashion, inductively, until we reach the fixed point C∗ = µC.〈〈P〉〉^⊥_C ∈ {⊥,0,1}, thus proving that R is C∗-consistent for ιP, i.e., all read accesses to variables in R which receive a crisp boolean value in the read-safe environment C∗ read from memory the value prescribed by C∗. Further, given that n is the C∗-stopping index, a final application of Props. 11 and 12 permits us to conclude that C∗ ⊑ |R@n|(ιP), which was to be shown.
V. Related Work
The usefulness of synchronisation primitives is well-established in main-stream
concurrent programming. E.g., C++ and Java are based on a multi-threaded shared-
memory execution model which provides synchronisation of methods to isolate threads
and to ensure safety properties such as mutual exclusion. The clock synchronisation
(pause) and associated scheduling constraints of our SMoCC approach may also be
seen as a synchronisation pattern to ensure memory safety. It provides global snapshot
barriers and pruning of thread interleaving with the aim of ensuring reactiveness and
memory determinacy. The programmer must decide which synchronisation model is
the right one for a given application context. In reactive and embedded systems the
SMoCC has turned out to be a natural choice.
In terms of programming languages, the work presented here is at the interface
between synchronous concurrent languages and C-like sequential languages, and is
strongly influenced by both worlds. Edwards [25] and Potop-Butucaru et al. [69]
provide good overviews of compilation challenges and approaches for concurrent
languages, including synchronous languages. They discuss efficient mappings from
Esterel to C, thus their work is related to ours in the sense that we present a means
to express Esterel-style signal behavior and deterministic concurrency directly with
variables in a C-like language. However, a key difference is that we do not “compile
away” the concurrency as part of our signal-to-variable mapping, but fully preserve
the original, concurrent semantics with shared variables.
Introducing the constructive causality classes SBC, IBC, BC we redress the
synchronous model of computation, well-known in the embedded systems domain,
for main-stream programming. There are already many proposals that extend C or
Java with synchronous concurrency constructs. Reactive C [15] is an extension of C
that employs the concepts of ticks and preemptions, but does not provide concurrency.
FairThreads [16] are an extension introducing concurrency via native threads. PRET-
C [5] and Synchronous C, a.k.a. SyncCharts in C [82], provide macros for defining
synchronous concurrent threads. SC also permits dynamic thread scheduling, and
thus would be a suitable implementation target for the pSCL language discussed here.
SHIM [78], another C-like language, provides concurrent Kahn process networks
with CCS-like rendezvous communication [41] and exception handling. SHIM has
also been inspired by synchronous languages, but it does not use the synchronous
programming model, instead relying on communication channels for synchronisation.
None of these language proposals claims and proves to embed the concept of Esterel-
style constructiveness into shared variables as we do here. As far as these language
proposals include signals, they come as “closed packages” that do not, for example,
allow to separate initialisations from updates.
As traditional sequential, single-core execution platforms are being replaced by
multi-core/processing architectures, determinism is no longer a trade secret of
synchronous programming but has become an important issue in shared memory
concurrent programming. Powerful techniques have recently been developed to verify
program determinism statically. For Java with structured parallelism, the tool DICE
by Vechev et al. [80] performs static analysis to check that concurrent tasks do
not interfere on shared array accesses. Leung et al. [52] present a test amplification
technique based on a combination of instrumented test execution and static data-flow
analysis to verify that the memory accesses of cyclic, barrier-synchronised, CUDA
C++ threads do not overlap during a clock cycle (barrier interval). For polyhedral
X10 programs with finish/async parallelism and affine loops over array-based data
structures, Yuki et al. [87] describe an exact algorithm for static race detection that
ensures deterministic execution.
These recently published analyses [80], [52], [87] are targeted at data-intensive, array/pointer-based code building on powerful arithmetical models and decision
procedures for memory separation. Yet, they address determinism in more limited
models of communication. SMoCC constructiveness concerns the determinism and
reactivity of “control-parallel” rather than “data-parallel” synchronous programs
and permits instantaneous communication between threads during a single tick.
The challenge is to deal with feedbacks and reaction to absence, as in circuit
design, which is difficult. The causality of the SMoCC memory accesses cannot
necessarily be captured in terms of regular affine arithmetics as done in the polyhedral
model of [80], [87] or reduced to a “small core of configuration inputs” as in [52].
Further, analyses such as [80], [52], [87] verify race-freedom for maximally strong
data conflicts: Within the barrier no write must ever compete with a concurrent read
or another conflicting write. Soundness of the analysis is straightforward under such
full isolation. Full thread isolation is fine for Moore-style communication but does
not hold in the SMoCCs whose hallmark is the Mealy model. Threads do in fact
share variables during a clock phase and multi-emissions are permitted. Analysing
SMoCC determinism, therefore, is tricky and arguing soundness of the constructivity
analysis in the SMoCCs (our Thm. 1) is non-trivial. This is particularly true if
reaction to absence is permitted, as in our work, which introduces non-monotonic
system behaviour on which the standard (naive) fixed-point techniques fail.
For functional programming languages, traditionally abstracting from the impurity
of low-level scheduling, determinism on concurrent platforms also has become an
issue. For instance, Kuper et al. [49] extend the IVar/LVar approach in Haskell to
provide deterministic shared data-structures permitting multiple concurrent reads and
writes. This extension, dubbed LVish, adds asynchronous event handlers and explicit
value freezing to implement negative data queries. Since the negative information
is transient, run-time exceptions are possible due to the race between freezing and
writing. However, all error-free executions produce the same result which is called
quasi-determinism. Because of the instantaneous communication and the negative
information carried by the value status of shared data, the quasi-deterministic model
of [49] is similar in spirit to our approach. However, there are at least two differences:
First, our programming model deals with first-order imperative programs on Boolean
data, while [49] considers higher-order λ-functions on more general “atomistic” data
structures. Second, our 〈〈 〉〉 constructivity includes reactivity, which is a liveness
property, whereas [49] only address the safety property of non-interference. Our two-
dimensional lattice I(D) seems richer than the lifted domain Freeze(D) of [49] which
only distinguishes between the “unfrozen” statuses [⊥,⊤], [0,⊤], [1,⊤], [⊤,⊤] (lower
information) and the “frozen” statuses [⊥,⊥], [0,0], [1,1] (crisp information). There
do not seem to be genuine upper bound approximations expressible in Freeze(D).
It will be interesting to study the exact relationship between the two models on a
common language fragment.
There is also a large body of related work investigating different notions of construc-
tiveness. Causal Esterel programs on pure signals satisfy a strong scheduling invariant:
they can be translated into constructive circuits which are delay-insensitive [17]
under the non-inertial delay model, which can be fully decided using ternary Kleene
algebra [63]. This makes Malik’s work [57] on causality analysis of cyclic circuits
applicable to constructiveness analysis of (instantaneous) Esterel program. This has
been extended by Shiple et al. [75] to state-based systems, as induced by Esterel’s
pause operator, thus handling non-instantaneous programs as well. The algebraic
transformations proposed by Schneider et al. [74] increase the class of programs
considered constructive by permitting different levels of partial evaluation. Pnueli
and Shalev’s non-deterministic model of Statecharts [68] has been studied using an
axiomatic semantics in intuitionistic logic [53], which subsequently has been extended
to Esterel [54]. In [3] a game-theoretic approach is used to define a hierarchy of levels of
constructiveness using maximal post fixed points. However, none of these approaches
considers imperative programming, separates initialisations and updates, or permits
sequential writes within a tick as we do here.
Recently, Mandel et al.'s clock domains [59] and Gemünde et al.'s clock refinement [31] provide sequences of micro-level computations within an outer clock
tick. This also increases sequential expressiveness albeit in an upside-down fashion
compared to our approach. Our work on SC aims to reconstruct the scope of a
synchronous instant on top of the primitive notion of sequential composition. Different
classes of constructiveness are distinguished by how generous they are in bundling
sequences of variable accesses from concurrent threads within a single clock tick. In
the clock domains and clock refinement approach, clocks are the only sequencing
mechanism, so micro-level sequencing is implemented in terms of lower-level clocks.
It should be possible to combine our approach with that of [59], [31] by considering
the sequential composition operator as a local micro-level clock nested inside an
outer, and global, macro-level clock. This might generate a useful theory of causal
clock abstractions.
Our work focuses on imperative, i.e., control-dominated synchronous programs
rather than data flow semantics. Recently, Talpin et al. within the “Polycore” project
have started important work on semantically integrating the control-flow synchronous
language Quartz with the data flow language Signal. In [76] they present the first
micro-step (or “small-step”) operational fixed point semantics that is capable of
executing both Signal code and the guarded actions of Quartz. The operational
semantics models the behaviour of each variable in a 6-valued lattice domain D
coding the signal statuses unknown (?), absent (⊥), present (>), present-and-false (0),
present-and-true (1) as well as inconsistency ( ). Based on the operational execution
model they define the notion of constructive programs and prove a soundness theorem
stating that each constructive program is deterministic.
One difference compared to our work is that the domain I(D,P) supports reaction to absence⁶, which is a hallmark of Esterel-style SMoCCs and motivates its richer interval structure. On the other hand, the polychronous language of [76] is richer than pSCL in that it has preemption and boolean data values, which we do not consider here. However, these concepts can be easily mapped to pSCL, as demonstrated in SCCharts [83]. Finally, note that our definition of constructive programs (e.g., Def. 9) is based on a genuine denotational semantics 〈〈 〉〉, not an operational one as in [76]. E.g., it follows from our results that if two programs P and Q generate the same response function 〈〈P〉〉^S_C = 〈〈Q〉〉^S_C in S and C, then P and Q are behaviourally equivalent in all program contexts. Also, our operational semantics (e.g., Sec. II) uses free multi-threaded scheduling in a memory that is ignorant of the signal statuses. In particular, it does not perform any implicit enabledness, synchronisation or deadlock
6 The oversampling feature of Signal may be seen as an implicit form of reaction to absence in the
asynchronous data-flow part of [76]. Synchronous reaction to absence would map ⊥ to > and > to ⊥ in the
domain D which does not seem to be expressible by the control-flow operators considered in [76].
72
checks like the operational semantics of [76] does, in which execution maintains
scheduling information through variable values in D. Hence, our Soundness Theorem 1
which guarantees B-reactiveness and SC-determinacy makes a stronger soundness
statement which is considerably more difficult to prove. Our result can be applied
directly to standard imperative C/Java code which is not normally executed under
a D-instrumented run-time scheduler. Yet, given the limited language constructs of
pSCL compared to [76], it would be very interesting to combine both approaches.
An acknowledged strength of synchronous languages is their formal foundation [8],
which facilitates formal verification, timing analyses, and inclusion results of the
type presented in this work. This formal foundation has been developed in several
ways in the past; e.g., Berry [12] presents several Plotkin-style structural operational
semantics [67], as well as a definition in terms of circuits for Esterel. Our
functional/algebraic approach based on I(D,P) generalizes the “must-cannot” analysis for
constructiveness [12] and the ternary analysis for synchronous control flow [71] and
circuits [57], [75]. The extension lies in the ability to deal with non-initialization
(⊥) and re-initialization (⊤) in sequential control flow, which the analyses [12], [71],
[57], [75], [76] cannot handle. Due to the two-sided nature of intervals our semantics
permits the modeling of instantaneous reaction to absence, a definitive feature of
Esterel-style synchrony for control-flow languages. In contrast, the balance equations
(see, e.g., [51]) or the clock calculus (see, e.g., [18], [66], [30], [76]) of synchronous
reactive data flow do not handle reaction to absence. These analyses are concerned
with inter-tick causality (i.e., in which ticks a signal is present) rather than intra-tick
causality (i.e., presence or absence in a given tick) which we focus on here. Reflected
into I(D), Lustre clocks collapse the signal status (within a tick) to either ⊥ (value
not initialized or computed) or [0,⊤] (value computed). However, since each program
abstracts to a continuous function on I(D,P)-valued environments, our model fits
naturally into the Kahn-style fixed-point semantics and scheduling analysis for
synchronous block diagrams [27], [70].
VI. Conclusions
In this report we study constructiveness analysis, the centrepiece of the synchronous
model of concurrent computations, from a scheduling perspective. We
advocate the view that constructiveness is the property of a synchronous program
being deadlock-free and determinate with respect to a given scheduling protocol
defining admissible executions. This permits us (i) to apply the concept to (clocked)
multi-threaded shared memory programs and (ii) to obtain different interpretations of
constructiveness by varying the notion of admissibility. The two notions addressed are
Berry-admissibility (Def. 4) introduced here and SC-admissibility (Def. 5) defined
in [86]. Both are instances of the “init-update-read” protocol, which schedules
initialising writes before updating writes, and writes before reads.
For a small imperative synchronous language pSCL we extend the causality analysis
from [4] by initialisation information P and define the class of IBC programs as
those (recursion-free) pSCL programs for which abstract simulation in the extended
domain I(D,P) returns a reset- and read-safe fixed-point (Def. 9). We then prove that
this implies deadlock-freeness under Berry-admissible scheduling (Berry-reactiveness)
and determinacy under SC-admissible scheduling (SC-read-determinacy). This shows
that the denotational fixed-point semantics which associates with every program P
a response behaviour 〈〈P 〉〉 in the domain I(D,P) is sound and compositional for the
operational semantics defined in terms of micro-step scheduling. This strengthens
the results of [4] showing that IBC programs are guaranteed to be deadlock-free and
determinate under scheduling principles more robust than those in [4]: B-reactiveness
does not permit reinitialisations as SC-reactiveness does in [4]. SC-read-determinacy
forces read variables to be stable (any change of a read variable must be constant
across all initial memories), which is not precluded by soundness in [4].
We leave as an open problem the question whether the I(D,P) fixed-point semantics is
also complete for the notions of admissible scheduling discussed here, or whether there are
natural variations of the scheduling principles for which our semantics is complete.
The ideal is a situation like in [63] where it is shown that Berry’s must-cannot
analysis [12] when applied to circuits is (sound and) complete for scheduling under
non-inertial delays. In another direction, it will be interesting to search for suitable,
more expressive, extensions of the domain I(D,P) in which the fixed point analysis
of pSCL is complete for SC-constructiveness as defined in [86]. Our fixed-point
analysis is sound but rejects programs with more than one init-update-read cycle.
This, however, is permitted by SC-constructiveness.
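As an added illustration of the “init-update-read” protocol summarised in the conclusions (initialising writes before updating writes, writes before reads) and of the remark that a second init-update-read cycle is rejected, the following Python checker interleaves the accesses of concurrent threads within one tick under those constraints, reports a causality cycle as a deadlock, and rejects a re-initialisation in program order. It is not the report's I(D,P) analysis; the thread names, the (variable, kind) access encoding and the sample programs are constructed for this example.

```python
"""Added example: a simplified scheduler for one synchronous tick under the
init-update-read protocol.  It is not the report's I(D,P) fixed-point analysis;
the access encoding and the sample programs below are constructed for illustration."""
from typing import Dict, List, Optional, Set, Tuple

INIT, UPDATE, READ = "init", "update", "read"
PHASE = {INIT: 0, UPDATE: 1, READ: 2}   # protocol order: inits, then updates, then reads
Access = Tuple[str, str]               # (variable, kind)


def schedule(threads: Dict[str, List[Access]]) -> Tuple[str, Optional[List[str]]]:
    """Interleave the accesses of all threads within one tick.

    Constraints: program order inside each thread (sequential composition), and,
    per variable, every init before every update and every write before every
    read.  Returns ("ok", order) when such an interleaving exists,
    ("reinit", None) when a thread initialises a variable it already accessed in
    program order (a re-initialisation, which Berry-admissibility does not
    permit), or ("deadlock", None) when the constraints are cyclic.  Conflicting
    writes from different threads (a determinacy question) are not examined here.
    """
    nodes: List[str] = []
    access_of: Dict[str, Access] = {}
    succ: Dict[str, List[str]] = {}
    for tid, accesses in threads.items():
        touched: Set[str] = set()          # variables this thread has accessed so far
        prev: Optional[str] = None
        for i, (var, kind) in enumerate(accesses):
            if kind == INIT and var in touched:
                return "reinit", None
            touched.add(var)
            node = f"{tid}.{i}:{kind} {var}"
            nodes.append(node)
            access_of[node] = (var, kind)
            succ[node] = []
            if prev is not None:
                succ[prev].append(node)    # program order within the thread
            prev = node
    # Protocol edges: an earlier phase on a variable precedes every later phase on it.
    for a in nodes:
        va, ka = access_of[a]
        for b in nodes:
            vb, kb = access_of[b]
            if va == vb and PHASE[ka] < PHASE[kb]:
                succ[a].append(b)
    # Kahn's algorithm; taking the smallest ready node first keeps the output deterministic.
    indeg = {n: 0 for n in nodes}
    for a in nodes:
        for b in succ[a]:
            indeg[b] += 1
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order: List[str] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for b in succ[n]:
            indeg[b] -= 1
            if indeg[b] == 0:
                ready.append(b)
        ready.sort()
    if len(order) != len(nodes):
        return "deadlock", None            # a cycle left some access blocked forever
    return "ok", order


# Constructed sample programs (one tick each, accesses listed in program order).
CROSS_INIT = {"T1": [("x", INIT), ("y", READ)], "T2": [("y", INIT), ("x", READ)]}
CAUSAL_CYCLE = {"T1": [("x", READ), ("y", UPDATE)], "T2": [("y", READ), ("x", UPDATE)]}
TWO_CYCLES = {"T1": [("x", INIT), ("x", UPDATE), ("x", READ), ("x", INIT)]}

if __name__ == "__main__":
    for name, prog in [("CROSS_INIT", CROSS_INIT), ("CAUSAL_CYCLE", CAUSAL_CYCLE),
                       ("TWO_CYCLES", TWO_CYCLES)]:
        print(name, schedule(prog))
```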
References
[1] S. Abramsky, R. Jagadeesan, and P. Malacaria. Full abstraction for PCF. Information and Computation,
163(2):409–470, 2000.
[2] Luca Aceto and Anna Ingolfsdottir. CPO models for compact GSOS languages. Information and
Computation, 129(2):107–141, 1996.
[3] J. Aguado and M. Mendler. Constructive semantics for instantaneous reactions. Theoretical Computer
Science, 241:931–961, 2011.
[4] Joaquín Aguado, Michael Mendler, Reinhard von Hanxleden, and Insa Fuhrmann. Grounding
synchronous deterministic concurrency in sequential programming. In Proceedings of the 23rd European
Symposium on Programming (ESOP’14), LNCS 8410, pages 229–248, Grenoble, France, April 2014.
Springer.
[5] Sidharta Andalam, Partha S. Roop, and Alain Girault. Deterministic, predictable and light-weight
multithreading using PRET-C. In Proceedings of the Conference on Design, Automation and Test in
Europe (DATE’10), pages 1653–1656, Dresden, Germany, 2010.
[6] Guillaume Baudart, Louis Mandel, and Marc Pouzet. Programming mixed music in ReactiveML. In
Proceedings of the First ACM SIGPLAN Workshop on Functional Art, Music, Modeling & Design,
FARM ’13, pages 11–22, New York, NY, USA, 2013. ACM.
[7] A. Benveniste, B. Caillaud, and P. Le Guernic. Compositionality in dataflow synchronous languages:
Specification and distributed code generation 1,2,3. Information and Computation, 163(1):125–171,
November 2000.
[8] Albert Benveniste, Paul Caspi, Stephen A. Edwards, Nicolas Halbwachs, Paul Le Guernic, and Robert
de Simone. The Synchronous Languages Twelve Years Later. In Proc. IEEE, Special Issue on Embedded
Systems, volume 91, pages 64–83, Piscataway, NJ, USA, January 2003. IEEE.
[9] J.A. Bergstra, A. Ponse, and S.A. Smolka, editors. Handbook of Process Algebra. Elsevier, 2001.
[10] G. Berry, P.-L. Curien, and J.-J. Lévy. Full abstraction for sequential languages: the state of the art.
In M. Nivat and J. C. Reynolds, editors, Algebraic Semantics, pages 89–132. Cambridge University
Press, 1985.
[11] Gérard Berry. The foundations of Esterel. In Gordon Plotkin, Colin Stirling, and Mads Tofte, editors,
Proof, Language, and Interaction: Essays in Honour of Robin Milner, pages 425–454, Cambridge, MA,
USA, 2000. MIT Press.
[12] Gérard Berry. The Constructive Semantics of Pure Esterel. Draft Book, Version 3.0, Centre de
Mathématiques Appliquées, Ecole des Mines de Paris and INRIA, 2004 route des Lucioles, 06902
Sophia-Antipolis CDX, France, December 2002.
[13] Gérard Berry and Georges Gonthier. The Esterel synchronous programming language: Design,
semantics, implementation. Science of Computer Programming, 19(2):87–152, 1992.
[14] Gérard Berry, Cyprien Nicolas, and Manuel Serrano. Hiphop: A synchronous reactive extension for
Hop. In Proceedings of the 1st ACM SIGPLAN International Workshop on Programming Language
and Systems Technologies for Internet Clients, PLASTIC ’11, pages 49–56, New York, NY, USA, 2011.
ACM.
[15] Frédéric Boussinot. Reactive C: An extension of C to program reactive systems. Software Practice
and Experience, 21(4):401–428, 1991.
[16] Frédéric Boussinot. Fairthreads: mixing cooperative and preemptive threads in C. Concurrency and
Computation: Practice and Experience, 18(5):445–469, April 2006.
[17] Janusz A. Brzozowski and Carl-Johan H. Seger. Asynchronous Circuits. Springer-Verlag, New York,
1995.
[18] P. Caspi, D. Pilaud, N. Halbwachs, and J. A. Plaice. Lustre: a declarative language for programming
synchronous systems. In Proceedings of the 14th ACM SIGACT-SIGPLAN Symposium on Principles
of Programming Languages (POPL’87), pages 178–188, Munich, Germany, 1987. ACM.
[19] Paul Caspi and Marc Pouzet. A co-iterative characterization of synchronous stream functions. Electronic
Notes in Theoretical Computer Science, 11(0):1–21, 1998. CMCS’98, First Workshop on Coalgebraic
Methods in Computer Science.
[20] R. Cleaveland, G. Lüttgen, and M. Mendler. An algebraic theory of multiple clocks. In CONCUR ’97,
volume 1243 of LNCS, pages 166–180. Springer, 1997.
[21] A. Cohen, M. Duranton, Ch. Eisenbeis, C. Pagetti, F. Plateau, and M. Pouzet. N-synchronous Kahn
networks: A relaxed model of synchrony for real-time systems. In Conference Record of the 33rd ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’06, pages 180–193,
New York, NY, USA, 2006. ACM.
[22] B. A. Davey and H. A. Priestley. Introduction to Lattices and Order. Cambridge University Press,
2002.
[23] W.-P. de Roever, G. Lüttgen, and M. Mendler. What is in a step: New perspectives on a classical
question. In Z. Manna and D. A. Peled, editors, Time for Verification, pages 370–399. Springer LNCS
6200, 2010.
[24] R. J. Duffin. Topology of series-parallel networks. Journal of Mathematical Analysis and Applications,
10(2):303–318, 1965.
[25] Stephen A. Edwards. Tutorial: Compiling concurrent languages for sequential processors. ACM
Transactions on Design Automation of Electronic Systems, 8(2):141–187, April 2003.
[26] Stephen A. Edwards and Edward A. Lee. The semantics and execution of a synchronous block-diagram
language. Science of Computer Programming, 48(1):21–42, July 2003.
[27] Stephen A. Edwards and Edward A. Lee. The Semantics and Execution of a Synchronous Block-
Diagram Language. In Science of Computer Programming, volume 48. Elsevier, July 2003.
[28] Z. Ésik. Axiomatizing the least fixed point operation and binary supremum. In P. Clote and
H. Schwichtenberg, editors, Computer Science Logic (CSL’00), LNCS 1862, pages 302–316. Springer,
2000.
[29] M.P. Fiore, E. Moggi, and D. Sangiorgi. A fully abstract model for the pi-calculus. Information and
Computation, 179(1):76–117, 2002.
[30] Abdoulaye Gamatié and Laure Gonnord. Static analysis of synchronous programs in Signal for efficient
design of multi-clocked embedded systems. ACM Sigplan Notices, 46(5):71–80, 2011.
[31] Mike Gemünde, Jens Brandt, and Klaus Schneider. Clock refinement in imperative synchronous
languages. EURASIP J. Emb. Sys., 2013:3, 2013.
[32] J. F. Groote and F. Vaandrager. Structured operational semantics and bisimulation as a congruence.
Information and Computation, 100:202–260, 1992.
[33] Paul Le Guernic, Thierry Goutier, Michel Le Borgne, and Claude Le Maire. Programming real time
applications with SIGNAL. Proceedings of the IEEE, 79(9):1321–1336, September 1991.
[34] Nicolas Halbwachs. Synchronous Programming of Reactive Systems. Kluwer Academic Publishers,
1993.
[35] Nicolas Halbwachs, Paul Caspi, Pascal Raymond, and Daniel Pilaud. The synchronous data-flow
programming language LUSTRE. Proceedings of the IEEE, 79(9):1305–1320, Sept. 1991.
[36] Grégoire Hamon. A denotational semantics for Stateflow. In EMSOFT’05: Proceedings of the 5th
ACM International Conference on Embedded Software, pages 164–172, New York, NY, USA, 2005.
ACM Press.
[37] D. Harel and A. Naamad. The STATEMATE semantics of Statecharts. ACM Transactions on Software
Engineering, 5(4):293–333, October 1996.
[38] David Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming,
8(3):231–274, June 1987.
[39] M. Hennessy. Acceptance trees. J. ACM, 32(4):896–928, October 1985.
[40] M. Hennessy and T. Regan. A process algebra for timed systems. Information and Computation,
117:221–239, 1995.
[41] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, Upper Saddle River, NJ, 1985.
[42] C. Huizing, R. Gerth, and W.-P. de Roever. Modeling Statecharts behavior in a fully abstract way. In
M. Dauchet and M. Nivat, editors, 13th CAAP (CAAP ’88), volume 299 of Lecture Notes in Computer
Science, pages 271–294, Nancy, France, March 1988. Springer.
[43] M. Hyland and L. Ong. On full abstraction for PCF: I, II and III. Information and Computation,
163(2):285–408, 2000.
[44] A. Ingólfsdóttir and A. Schalk. A fully abstract denotational model for observational precongruence.
Theoretical Computer Science, 254(1–2):35–61, 2001.
[45] Gilles Kahn. The semantics of a simple language for parallel programming. In Jack L. Rosenfeld, editor,
Information Processing 74: Proceedings of the IFIP Congress 74, pages 471–475. IFIP, North-Holland
Publishing Co., August 1974.
[46] Gilles Kahn and David B. MacQueen. Coroutines and networks of parallel processes. In IFIP Congress,
pages 993–998, 1977.
[47] Joost N. Kok. Denotational semantics of nets with nondeterminism. In B. Robinet and R. Wilhelm,
editors, European Symposium on Programming (ESOP), volume 213 of LNCS, pages 237–249. Springer,
1986.
[48] D. Kozen. A completeness theorem for Kleene algebras and the algebra of regular events. Information
and Computation, 110(2):366–390, 1994.
[49] Lindsey Kuper, Aaron Turon, Neelakantan R. Krishnaswami, and Ryan R. Newton. Freeze after
writing: Quasi-deterministic parallel programming with LVars. In Principles of Programming Languages
(POPL’14), pages 257–270, New York, USA, 2014. ACM.
[50] Luciano Lavagno and Ellen Sentovich. ECL: a specification environment for system-level design. In
Proc. 36th ACM/IEEE Conf. on Design Automation (DAC’99), pages 511–516, New York, NY, USA,
1999. ACM Press.
[51] Edward A. Lee and David G. Messerschmitt. Synchronous data flow. In Proceedings of the IEEE,
volume 75, pages 1235–1245. IEEE Computer Society Press, September 1987.
[52] Alan Leung, Manish Gupta, Yuvraj Agarwal, Rajesh Gupta, Ranjit Jhala, and Sorin Lerner. Verifying
GPU kernels by test amplification. In Programming Language Design and Implementation PLDI 2012,
pages 383–394, New York, USA, June 2012. ACM.
[53] G. Luettgen and M. Mendler. The intuitionism behind Statecharts steps. ACM Transactions on
Computational Logic, 3(1):1–41, January 2002.
[54] G. Lüttgen and M. Mendler. Towards a model-theory for Esterel. In F. Maraninchi, A. Girault, and
E. Rutten, editors, SLAP 2002, volume 65,5 of ENTCS. Elsevier Science, 2002.
[55] G. Lüttgen, M. von der Beeck, and R. Cleaveland. Statecharts via process algebra. In Proc. 10th
International Conference on Concurrency Theory CONCUR’99, pages 399–414, 1999.
[56] N. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, 1996.
[57] Sharad Malik. Analysis of cyclic combinational circuits. IEEE Transactions on Computer-Aided Design
of Integrated Circuits and Systems, 13(7):950–956, July 1994.
[58] L. Mandel and M. Pouzet. ReactiveML: a reactive extension to ML. In Proc. 7th ACM SIGPLAN
Int’l Conf. on Principles and Practice of Declarative Programming, pages 82–93, 2005.
[59] Louis Mandel, Cédric Pasteur, and Marc Pouzet. Time refinement in a functional synchronous language.
In ACM SIGPLAN Int. Symp. on Principles and Practice of Declarative Programming (PPDP’13),
pages 169–180, New York, NY, USA, September 2013. ACM.
[60] F. Maraninchi and Y. Rémond. Argos: An automaton-based synchronous language. Computer
Languages, 27(27):61–92, 2001.
[61] Florence Maraninchi. The Argos language: Graphical representation of automata and description of
reactive systems. In IEEE Workshop on Visual Languages, October 1991.
[62] M. Mendler and G. Lüttgen. Is observational congruence axiomatisable in equational Horn logic?
Information and Computation, 208(6):634–651, June 2010.
[63] Michael Mendler, Thomas R. Shiple, and Gérard Berry. Constructive boolean circuits and the exactness
of timed ternary simulation. Formal Methods in System Design, 40(3):283–329, 2012.
[64] R. Milner. Communication and Concurrency. Prentice Hall, 1989.
[65] Christian Motika, Reinhard von Hanxleden, and Mirko Heinold. Programming deterministic reactive
systems with Synchronous Java (invited paper). In Proceedings of the 9th Workshop on Software
Technologies for Future Embedded and Ubiquitous Systems (SEUS 2013), IEEE Proceedings, Paderborn,
Germany, 17/18 June 2013.
[66] Van Chan Ngo, Jean-Pierre Talpin, and Thierry Gautier. Precise deadlock detection for polychronous
data-flow specifications. In Electronic System Level Synthesis Conference (ESLsyn), Proceedings of the
2014, pages 1–6. IEEE, 2014.
[67] Gordon D. Plotkin. A Structural Approach to Operational Semantics. Technical Report DAIMI FN-19,
University of Aarhus, Denmark, 1981. http://homepages.inf.ed.ac.uk/gdp/publications/SOS.ps.
[68] Amir Pnueli and M. Shalev. What is in a step: On the semantics of Statecharts. In Proc. Int. Conf.
on Theoretical Aspects of Computer Software (TACS’91), pages 244–264, London, UK, 1991. Springer.
[69] Dumitru Potop-Butucaru, Stephen A. Edwards, and Gérard Berry. Compiling Esterel. Springer, May
2007.
[70] Marc Pouzet and Pascal Raymond. Modular static scheduling of synchronous data-flow networks - an
efficient symbolic representation. Design Autom. for Emb. Sys., 14(3):165–192, 2010.
[71] K. Schneider, J. Brandt, and T. Schuele. Causality analysis of synchronous programs with delayed
actions. In Conference on Compilers, Architecture, and Synthesis for Embedded Systems (CASES’04),
pages 179–189, Washington D.C., USA, September 2004. ACM.
[72] K. Schneider, J. Brandt, T. Schuele, and T. Tuerk. Maximal causality analysis. In Conference on
Application of Concurrency to System Design (ACSD’05), pages 106–115, St. Malo, France, June 2005.
IEEE Computer Society.
[73] Klaus Schneider. The synchronous programming language Quartz. Internal Report 375, Department
of Computer Science, University of Kaiserslautern, Kaiserslautern, Germany, December 2009.
[74] Klaus Schneider, Jens Brandt, Tobias Schüle, and Thomas Türk. Improving constructiveness in
code generators. In Florence Maraninchi, Marc Pouzet, and Valérie Roy, editors, Int’l Workshop on
Synchronous Languages, Applications, and Programming (SLAP’05), pages 1–19, Edinburgh, Scotland,
UK, April 2005. ENTCS.
[75] Thomas R. Shiple, Gérard Berry, and Hervé Touati. Constructive Analysis of Cyclic Circuits. In
Proc. European Design and Test Conference (ED&TC’96), Paris, France, pages 328–333, Los Alamitos,
California, USA, March 1996. IEEE Computer Society Press.
[76] J.-P. Talpin, J. Brandt, M. Gemünde, K. Schneider, and S.K. Shukla. Constructive polychronous
systems. Science of Computer Programming, 96(3):377–394, December 2014.
[77] J.-P. Talpin, J. Ouy, Th. Gautier, L. Besnard, and P. Le Guernic. Compositional design of isochronous
systems. Science of Computer Programming, 77(2):113–128, February 2012.
[78] Olivier Tardieu and Stephen A. Edwards. Scheduling-independent threads and exceptions in SHIM.
In Proceedings of the International Conference on Embedded Software (EMSOFT’06), pages 142–151,
Seoul, South Korea, October 2006. ACM.
[79] Olivier Tardieu and Stephen A. Edwards. Instantaneous transitions in Esterel. In Proceedings of Model
Driven High-Level Programming of Embedded Systems (SLA++P’07), Braga, Portugal, March 2007.
[80] Martin Vechev, Eran Yahav, Raghavan Raman, and Vivek Sarkar. Automatic verification of
determinism for structured parallel programs. In R. Cousot and M. Martel, editors, Static Analysis
(SAS 2010), volume 6337 of LNCS, pages 455–471. Springer, 2010.
[81] M. von der Beeck. A comparison of Statecharts variants. In H. Langmaack, W.-P. de Roever, and
J. Vytopil, editors, 3rd International School and Symposium on Formal Techniques in Real-time and
Fault-tolerant Systems (FTRTFT ’94), volume 863 of Lecture Notes in Computer Science, pages
128–148, Lübeck, Germany, September 1994. Springer.
[82] Reinhard von Hanxleden. SyncCharts in C—A Proposal for Light-Weight, Deterministic Concurrency.
In Proc. Int’l Conference on Embedded Software (EMSOFT’09), pages 225–234, Grenoble, France,
October 2009. ACM.
[83] Reinhard von Hanxleden, Björn Duderstadt, Christian Motika, Steven Smyth, Michael Mendler, Joaquín
Aguado, Stephen Mercer, and Owen O’Brien. SCCharts: Sequentially Constructive Statecharts for
safety-critical applications. In Proc. ACM SIGPLAN Conference on Programming Language Design
and Implementation (PLDI’14), Edinburgh, UK, June 2014. ACM.
[84] Reinhard von Hanxleden, Michael Mendler, Joaquín Aguado, Björn Duderstadt, Insa Fuhrmann,
Christian Motika, Stephen Mercer, and Owen O’Brien. Sequentially Constructive Concurrency—A
conservative extension of the synchronous model of computation. In Proc. Design, Automation and
Test in Europe Conference (DATE’13), pages 581–586, Grenoble, France, March 2013. IEEE.
[85] Reinhard von Hanxleden, Michael Mendler, Joaquín Aguado, Björn Duderstadt, Insa Fuhrmann,
Christian Motika, Stephen Mercer, Owen O’Brien, and Partha Roop. Sequentially Constructive
Concurrency—A conservative extension of the synchronous model of computation. Technical Report
1308, Christian-Albrechts-Universität zu Kiel, Department of Computer Science, August 2013. ISSN
2192-6247.
[86] Reinhard von Hanxleden, Michael Mendler, Joaquín Aguado, Björn Duderstadt, Insa Fuhrmann,
Christian Motika, Stephen Mercer, Owen O’Brien, and Partha Roop. Sequentially Constructive
Concurrency—A conservative extension of the synchronous model of computation. ACM Transactions
on Embedded Computing Systems, Special Issue on Applications of Concurrency to System Design,
13(4s):144:1–144:26, July 2014.
[87] Tomofumi Yuki, Paul Feautrier, Sanjay Rajopadhye, and Vijay Saraswat. Array dataflow analysis for
polyhedral X10 programs. In Principles and Practice of Parallel Programming (PPoPP 2013), pages
23–34, New York, USA, 2013. ACM.
Bamberger Beiträge zur Wirtschaftsinformatik 
 
 
Nr. 1 (1989) Augsburger W., Bartmann D., Sinz E.J.: Das Bamberger Modell: Der Diplom-Stu-
diengang Wirtschaftsinformatik an der Universität Bamberg (Nachdruck Dez. 
1990) 
Nr. 2 (1990) Esswein W.: Definition, Implementierung und Einsatz einer kompatiblen Daten-
bankschnittstelle für PROLOG 
Nr. 3 (1990) Augsburger W., Rieder H., Schwab J.: Endbenutzerorientierte Informationsgewin-
nung aus numerischen Daten am Beispiel von Unternehmenskennzahlen 
Nr. 4 (1990) Ferstl O.K., Sinz E.J.: Objektmodellierung betrieblicher Informationsmodelle im 
Semantischen Objektmodell (SOM) (Nachdruck Nov. 1990) 
Nr. 5 (1990) Ferstl O.K., Sinz E.J.: Ein Vorgehensmodell zur Objektmodellierung betrieblicher 
Informationssysteme im Semantischen Objektmodell (SOM) 
Nr. 6 (1991) Augsburger W., Rieder H., Schwab J.: Systemtheoretische Repräsentation von 
Strukturen und Bewertungsfunktionen über zeitabhängigen betrieblichen numeri-
schen Daten 
Nr. 7 (1991) Augsburger W., Rieder H., Schwab J.: Wissensbasiertes, inhaltsorientiertes Retrie-
val statistischer Daten mit EISREVU / Ein Verarbeitungsmodell für eine modulare 
Bewertung von Kennzahlenwerten für den Endanwender 
Nr. 8 (1991) Schwab J.: Ein computergestütztes Modellierungssystem zur Kennzahlenbewertung 
Nr. 9 (1992) Gross H.-P.: Eine semantiktreue Transformation vom Entity-Relationship-Modell 
in das Strukturierte Entity-Relationship-Modell 
Nr. 10 (1992) Sinz E.J.: Datenmodellierung im Strukturierten Entity-Relationship-Modell 
(SERM) 
Nr. 11 (1992) Ferstl O.K., Sinz E. J.: Glossar zum Begriffsystem des Semantischen Objektmo-
dells 
Nr. 12 (1992) Sinz E. J., Popp K.M.: Zur Ableitung der Grobstruktur des konzeptuellen Schemas 
aus dem Modell der betrieblichen Diskurswelt 
Nr. 13 (1992) Esswein W., Locarek H.: Objektorientierte Programmierung mit dem Objekt-Rol-
lenmodell 
Nr. 14 (1992) Esswein W.: Das Rollenmodell der Organsiation: Die Berücksichtigung aufbauor-
ganisatorische Regelungen in Unternehmensmodellen 
Nr. 15 (1992) Schwab H. J.: EISREVU-Modellierungssystem. Benutzerhandbuch 
Nr. 16 (1992) Schwab K.: Die Implementierung eines relationalen DBMS nach dem 
Client/Server-Prinzip 
Nr. 17 (1993) Schwab K.: Konzeption, Entwicklung und Implementierung eines computerge-
stützten Bürovorgangssystems zur Modellierung von Vorgangsklassen und Ab-
wicklung und Überwachung von Vorgängen. Dissertation 
Nr. 18 (1993) Ferstl O.K., Sinz E.J.: Der Modellierungsansatz des Semantischen Objektmodells 
Nr. 19 (1994) Ferstl O.K., Sinz E.J., Amberg M., Hagemann U., Malischewski C.: Tool-Based 
Business Process Modeling Using the SOM Approach 
Nr. 20 (1994) Ferstl O.K., Sinz E.J.: From Business Process Modeling to the Specification of 
Distributed Business Application Systems - An Object-Oriented Approach -. 1st 
edition, June 1994 
 Ferstl O.K., Sinz E.J. : Multi-Layered Development of Business Process Models 
and Distributed Business Application Systems - An Object-Oriented Approach -. 
2nd edition, November 1994 
Nr. 21 (1994) Ferstl O.K., Sinz E.J.: Der Ansatz des Semantischen Objektmodells zur Modellie-
rung von Geschäftsprozessen 
Nr. 22 (1994) Augsburger W., Schwab K.: Using Formalism and Semi-Formal Constructs for 
Modeling Information Systems 
Nr. 23 (1994) Ferstl O.K., Hagemann U.: Simulation hierarischer objekt- und transaktionsorien-
tierter Modelle 
Nr. 24 (1994) Sinz E.J.: Das Informationssystem der Universität als Instrument zur zielgerichte-
ten Lenkung von Universitätsprozessen 
Nr. 25 (1994) Wittke M., Mekinic, G.: Kooperierende Informationsräume. Ein Ansatz für ver-
teilte Führungsinformationssysteme 
Nr. 26 (1995) Ferstl O.K., Sinz E.J.: Re-Engineering von Geschäftsprozessen auf der Grundlage 
des SOM-Ansatzes 
Nr. 27 (1995) Ferstl, O.K., Mannmeusel, Th.: Dezentrale Produktionslenkung. Erscheint in CIM-
Management 3/1995 
Nr. 28 (1995) Ludwig, H., Schwab, K.: Integrating cooperation systems: an event-based approach 
Nr. 30 (1995) Augsburger W., Ludwig H., Schwab K.: Koordinationsmethoden und -werkzeuge 
bei der computergestützten kooperativen Arbeit 
Nr. 31 (1995) Ferstl O.K., Mannmeusel T.: Gestaltung industrieller Geschäftsprozesse 
Nr. 32 (1995) Gunzenhäuser R., Duske A., Ferstl O.K., Ludwig H., Mekinic G., Rieder H., 
Schwab H.-J., Schwab K., Sinz E.J., Wittke M: Festschrift zum 60. Geburtstag von 
Walter Augsburger 
Nr. 33 (1995) Sinz, E.J.: Kann das Geschäftsprozeßmodell der Unternehmung das unterneh-
mensweite Datenschema ablösen? 
Nr. 34 (1995) Sinz E.J.: Ansätze zur fachlichen Modellierung betrieblicher Informationssysteme - 
Entwicklung, aktueller Stand und Trends - 
Nr. 35 (1995) Sinz E.J.: Serviceorientierung der Hochschulverwaltung und ihre Unterstützung 
durch workflow-orientierte Anwendungssysteme 
Nr. 36 (1996) Ferstl O.K., Sinz, E.J., Amberg M.: Stichwörter zum Fachgebiet Wirtschaftsinfor-
matik. Erscheint in: Broy M., Spaniol O. (Hrsg.): Lexikon Informatik und Kom-
munikationstechnik, 2. Auflage, VDI-Verlag, Düsseldorf 1996 
Nr. 37 (1996) Ferstl O.K., Sinz E.J.: Flexible Organizations Through Object-oriented and Trans-
action-oriented Information Systems, July 1996 
Nr. 38 (1996) Ferstl O.K., Schäfer R.: Eine Lernumgebung für die betriebliche Aus- und Weiter-
bildung on demand, Juli 1996 
Nr. 39 (1996) Hazebrouck J.-P.: Einsatzpotentiale von Fuzzy-Logic im Strategischen Manage-
ment dargestellt an Fuzzy-System-Konzepten für Portfolio-Ansätze 
Nr. 40 (1997) Sinz E.J.: Architektur betrieblicher Informationssysteme. In: Rechenberg P., Pom-
berger G. (Hrsg.): Handbuch der Informatik, Hanser-Verlag, München 1997 
Nr. 41 (1997) Sinz E.J.: Analyse und Gestaltung universitärer  Geschäftsprozesse und Anwen-
dungssysteme. Angenommen für: Informatik ’97. Informatik als Innovationsmotor. 
27. Jahrestagung der Gesellschaft für Informatik, Aachen 24.-26.9.1997 
Nr. 42 (1997) Ferstl O.K., Sinz E.J., Hammel C., Schlitt M., Wolf S.: Application Objects – 
fachliche Bausteine für die Entwicklung komponentenbasierter Anwendungssy-
steme. Angenommen für: HMD – Theorie und Praxis der Wirtschaftsinformatik. 
Schwerpunkheft ComponentWare, 1997 
Nr. 43 (1997): Ferstl O.K., Sinz E.J.: Modeling of Business Systems Using the Semantic Object 
Model (SOM) – A Methodological Framework - . Accepted for: P. Bernus, K. 
Mertins, and G. Schmidt (ed.): Handbook on Architectures of Information Systems. 
International Handbook on Information Systems, edited by Bernus P., Blazewicz 
J., Schmidt G., and Shaw M., Volume I, Springer 1997 
 Ferstl O.K., Sinz E.J.: Modeling of Business Systems Using  (SOM), 2nd Edition. 
Appears in: P. Bernus, K. Mertins, and G. Schmidt (ed.): Handbook on Architectu-
res of Information Systems. International Handbook on Information Systems, edi-
ted by Bernus P., Blazewicz J., Schmidt G., and Shaw M., Volume I, Springer 
1998 
Nr. 44 (1997) Ferstl O.K., Schmitz K.: Zur Nutzung von Hypertextkonzepten in Lernumgebungen. In: Conradi H., Kreutz R., Spitzer K. (eds.): CBT in der Medizin – Methoden, Techniken, Anwendungen. Proceedings of the workshop in Aachen, 6–7 June 1997. 1st edition, Aachen: Verlag der Augustinus Buchhandlung
Nr. 45 (1998) Ferstl O.K.: Datenkommunikation. In: Schulte Ch. (ed.): Lexikon der Logistik, Oldenbourg-Verlag, München 1998
Nr. 46 (1998) Sinz E.J.: Prozeßgestaltung und Prozeßunterstützung im Prüfungswesen. Published in: Proceedings Workshop „Informationssysteme für das Hochschulmanagement“, Aachen, September 1997
Nr. 47 (1998) Sinz E.J., Wismans B.: Das „Elektronische Prüfungsamt“. To appear in: Wirtschaftswissenschaftliches Studium (WiSt), 1998
Nr. 48 (1998) Haase O., Henrich A.: A Hybrid Representation of Vague Collections for Distributed Object Management Systems. To appear in: IEEE Transactions on Knowledge and Data Engineering
Nr. 49 (1998) Henrich A.: Applying Document Retrieval Techniques in Software Engineering Environments. In: Proc. International Conference on Database and Expert Systems Applications (DEXA 98), Vienna, Austria, August 1998, pp. 240–249, Springer, Lecture Notes in Computer Science, No. 1460
Nr. 50 (1999) Henrich A., Jamin S.: On the Optimization of Queries containing Regular Path Expressions. To appear in: Proceedings of the Fourth Workshop on Next Generation Information Technologies and Systems (NGITS’99), Zikhron-Yaakov, Israel, July 1999 (Springer, Lecture Notes)
Nr. 51 (1999) Haase O., Henrich A.: A Closed Approach to Vague Collections in Partly Inaccessible Distributed Databases. To appear in: Proceedings of the Third East-European Conference on Advances in Databases and Information Systems (ADBIS’99), Maribor, Slovenia, September 1999 (Springer, Lecture Notes in Computer Science)
Nr. 52 (1999) Sinz E.J., Böhnlein M., Ulbrich-vom Ende A.: Konzeption eines Data Warehouse-Systems für Hochschulen. Accepted for: Workshop „Unternehmen Hochschule“ at the 29th Annual Conference of the Gesellschaft für Informatik, Paderborn, 6 October 1999
Nr. 53 (1999) Sinz E.J.: Konstruktion von Informationssystemen. Accepted, in slightly modified form, for: Rechenberg P., Pomberger G. (eds.): Informatik-Handbuch. 2nd, updated and extended edition, Hanser, München 1999
Nr. 54 (1999) Herda N., Janson A., Reif M., Schindler T., Augsburger W.: Entwicklung des Intranets SPICE: Erfahrungsbericht einer Praxiskooperation.
Nr. 55 (2000) Böhnlein M., Ulbrich-vom Ende A.: Grundlagen des Data Warehousing. Modellierung und Architektur
Nr. 56 (2000) Freitag B., Sinz E.J., Wismans B.: Die informationstechnische Infrastruktur der Virtuellen Hochschule Bayern (vhb). Accepted for Workshop "Unternehmen Hochschule 2000" at the Annual Conference of the Gesellschaft für Informatik, Berlin, 19–22 September 2000
Nr. 57 (2000) Böhnlein M., Ulbrich-vom Ende A.: Developing Data Warehouse Structures from Business Process Models.
Nr. 58 (2000) Knobloch B.: Der Data-Mining-Ansatz zur Analyse betriebswirtschaftlicher Daten.
Nr. 59 (2001) Sinz E.J., Böhnlein M., Plaha M., Ulbrich-vom Ende A.: Architekturkonzept eines verteilten Data-Warehouse-Systems für das Hochschulwesen. Accepted for: WI-IF 2001, Augsburg, 19–21 September 2001
Nr. 60 (2001) Sinz E.J., Wismans B.: Anforderungen an die IV-Infrastruktur von Hochschulen. Accepted for: Workshop „Unternehmen Hochschule 2001“ at the Annual Conference of the Gesellschaft für Informatik, Vienna, 25–28 September 2001
Note: The title of our technical report series has been changed from Bamberger Beiträge zur Wirtschaftsinformatik to Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik starting with TR No. 61
 
Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik
Nr. 61 (2002) Goré R., Mendler M., de Paiva V. (eds.): Proceedings of the International Workshop on Intuitionistic Modal Logic and Applications (IMLA 2002), Copenhagen, July 2002.
Nr. 62 (2002) Sinz E.J., Plaha M., Ulbrich-vom Ende A.: Datenschutz und Datensicherheit in einem landesweiten Data-Warehouse-System für das Hochschulwesen. To appear in: Beiträge zur Hochschulforschung, Heft 4-2002, Bayerisches Staatsinstitut für Hochschulforschung und Hochschulplanung, München 2002
Nr. 63 (2005) Aguado, J., Mendler, M.: Constructive Semantics for Instantaneous Reactions
Nr. 64 (2005) Ferstl, O.K.: Lebenslanges Lernen und virtuelle Lehre: globale und lokale Verbesserungspotenziale. Published in: Kerres, Michael; Keil-Slawik, Reinhard (eds.): Hochschulen im digitalen Zeitalter: Innovationspotenziale und Strukturwandel, pp. 247–263; series education quality forum, edited by the Centrum für eCompetence in Hochschulen NRW, vol. 2, Münster/New York/München/Berlin: Waxmann 2005
Nr. 65 (2006) Schönberger, Andreas: Modelling and Validating Business Collaborations: A Case Study on RosettaNet
Nr. 66 (2006) Markus Dorsch, Martin Grote, Knut Hildebrandt, Maximilian Röglinger, Matthias Sehr, Christian Wilms, Karsten Loesing, and Guido Wirtz: Concealing Presence Information in Instant Messaging Systems, April 2006
Nr. 67 (2006) Marco Fischer, Andreas Grünert, Sebastian Hudert, Stefan König, Kira Lenskaya, Gregor Scheithauer, Sven Kaffille, and Guido Wirtz: Decentralized Reputation Management for Cooperating Software Agents in Open Multi-Agent Systems, April 2006
Nr. 68 (2006) Michael Mendler, Thomas R. Shiple, Gérard Berry: Constructive Circuits and the Exactness of Ternary Simulation
Nr. 69 (2007) Sebastian Hudert: A Proposal for a Web Services Agreement Negotiation Protocol Framework. February 2007
Nr. 70 (2007) Thomas Meins: Integration eines allgemeinen Service-Centers für PC- und Medientechnik an der Universität Bamberg – Analyse und Realisierungsszenarien. February 2007 (out of print)
Nr. 71 (2007) Andreas Grünert: Life-cycle assistance capabilities of cooperating Software Agents for Virtual Enterprises. March 2007
Nr. 72 (2007) Michael Mendler, Gerald Lüttgen: Is Observational Congruence on μ-Expressions Axiomatisable in Equational Horn Logic?
Nr. 73 (2007) Martin Schissler: out of print
Nr. 74 (2007) Sven Kaffille, Karsten Loesing: Open chord version 1.0.4 User’s Manual. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 74, Bamberg University, October 2007. ISSN 0937-3349.
Nr. 75 (2008) Karsten Loesing (ed.): Extended Abstracts of the Second Privacy Enhancing Technologies Convention (PET-CON 2008.1). Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 75, Bamberg University, April 2008. ISSN 0937-3349.
Nr. 76 (2008) Gregor Scheithauer, Guido Wirtz: Applying Business Process Management Systems – A Case Study. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 76, Bamberg University, May 2008. ISSN 0937-3349.
Nr. 77 (2008) Michael Mendler, Stephan Scheele: Towards Constructive Description Logics for Abstraction and Refinement. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 77, Bamberg University, September 2008. ISSN 0937-3349.
Nr. 78 (2008) Gregor Scheithauer, Matthias Winkler: A Service Description Framework for Service Ecosystems. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 78, Bamberg University, October 2008. ISSN 0937-3349.
Nr. 79 (2008) Christian Wilms: Improving the Tor Hidden Service Protocol Aiming at Better Performances. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 79, Bamberg University, November 2008. ISSN 0937-3349.
Nr. 80 (2009) Thomas Benker, Stefan Fritzemeier, Matthias Geiger, Simon Harrer, Tristan Kessner, Johannes Schwalb, Andreas Schönberger, Guido Wirtz: QoS Enabled B2B Integration. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 80, Bamberg University, May 2009. ISSN 0937-3349.
Nr. 81 (2009) Ute Schmid, Emanuel Kitzelmann, Rinus Plasmeijer (Eds.): Proceedings of the ACM SIGPLAN Workshop on Approaches and Applications of Inductive Programming (AAIP'09), affiliated with ICFP 2009, Edinburgh, Scotland, September 2009. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 81, Bamberg University, September 2009. ISSN 0937-3349.
Nr. 82 (2009) Ute Schmid, Marco Ragni, Markus Knauff (Eds.): Proceedings of the KI 2009 Workshop Complex Cognition, Paderborn, Germany, September 15, 2009. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 82, Bamberg University, October 2009. ISSN 0937-3349.
Nr. 83 (2009) Andreas Schönberger, Christian Wilms and Guido Wirtz: A Requirements Analysis of Business-to-Business Integration. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 83, Bamberg University, December 2009. ISSN 0937-3349.
Nr. 84 (2010) Werner Zirkel, Guido Wirtz: A Process for Identifying Predictive Correlation Patterns in Service Management Systems. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 84, Bamberg University, February 2010. ISSN 0937-3349.
Nr. 85 (2010) Jan Tobias Mühlberg and Gerald Lüttgen: Symbolic Object Code Analysis. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 85, Bamberg University, February 2010. ISSN 0937-3349.
Nr. 86 (2010) Werner Zirkel, Guido Wirtz: Proaktives Problem Management durch Eventkorrelation – ein Best Practice Ansatz. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 86, Bamberg University, August 2010. ISSN 0937-3349.
Nr. 87 (2010) Johannes Schwalb, Andreas Schönberger: Analyzing the Interoperability of WS-Security and WS-ReliableMessaging Implementations. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 87, Bamberg University, September 2010. ISSN 0937-3349.
Nr. 88 (2011) Jörg Lenhard: A Pattern-based Analysis of WS-BPEL and Windows Workflow. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 88, Bamberg University, March 2011. ISSN 0937-3349.
Nr. 89 (2011) Andreas Henrich, Christoph Schlieder, Ute Schmid (Eds.): Visibility in Information Spaces and in Geographic Environments – Post-Proceedings of the KI’11 Workshop. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 89, Bamberg University, December 2011. ISSN 0937-3349.
Nr. 90 (2012) Simon Harrer, Jörg Lenhard: Betsy - A BPEL Engine Test System. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 90, Bamberg University, July 2012. ISSN 0937-3349.
Nr. 91 (2013) Michael Mendler, Stephan Scheele: On the Computational Interpretation of CKn for Contextual Information Processing - Ancillary Material. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 91, Bamberg University, May 2013. ISSN 0937-3349.
Nr. 92 (2013) Matthias Geiger: BPMN 2.0 Process Model Serialization Constraints. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 92, Bamberg University, May 2013. ISSN 0937-3349.
Nr. 93 (2014) Cedric Röck, Simon Harrer: Literature Survey of Performance Benchmarking Approaches of BPEL Engines. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 93, Bamberg University, May 2014. ISSN 0937-3349.
Nr. 94 (2014) Joaquin Aguado, Michael Mendler, Reinhard von Hanxleden, Insa Fuhrmann: Grounding Synchronous Deterministic Concurrency in Sequential Programming. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 94, Bamberg University, August 2014. ISSN 0937-3349.
Nr. 95 (2014) Michael Mendler, Bruno Bodin, Partha S. Roop, Jia Jie Wang: WCRT for Synchronous Programs: Studying the Tick Alignment Problem. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 95, Bamberg University, August 2014. ISSN 0937-3349.
Nr. 96 (2015) Joaquin Aguado, Michael Mendler, Reinhard von Hanxleden, Insa Fuhrmann: Denotational Fixed Point Semantics for Constructive Scheduling of Synchronous Concurrency. Bamberger Beiträge zur Wirtschaftsinformatik und Angewandten Informatik Nr. 96, Bamberg University, April 2015. ISSN 0937-3349.
 
