Compositionality in dataflow synchronous languages: specification & distributed code generation
Albert Benveniste, Benoit Caillaud, Paul Le Guernic

To cite this version:
Albert Benveniste, Benoit Caillaud, Paul Le Guernic. Compositionality in dataflow synchronous languages: specification & distributed code generation. Information and Computation, Elsevier, 2000, 163 (1), pp. 125-171. <10.1006/inco.2000.9999>. <hal-00543297>
HAL Id: hal-00543297
https://hal.archives-ouvertes.fr/hal-00543297
Submitted on 6 Dec 2010
Compositionality in dataflow synchronous languages: specification & distributed code generation [*][†][‡]
Albert Benveniste, Benoit Caillaud, Paul Le Guernic [§]
October 16, 2001

[*] This paper is a significantly revised version of a preliminary report which appeared under the same title in the Proceedings of the 1997 Malente Workshop on Compositionality, organized by W.P. de Roever and H. Langmaack; these proceedings will be published in the LNCS, Springer Verlag.
[†] This work is or has been supported in part by the following projects: Eureka-SYNCHRON, Esprit R&D-SACRES (Esprit project EP 20897), Esprit LTR-SYRF (Esprit project EP 22703).
[‡] In addition to the listed authors, the following people have indirectly, but strongly, contributed to this work: the sts formalism has been shamelessly borrowed from Amir Pnueli, the background on labelled partial orders is mostly acknowledged to Paul Caspi.
[§] Irisa/Inria, Campus de Beaulieu, 35042 Rennes cedex, France; email: firstname.lastname@irisa.fr
Abstract

Modularity is advocated as a solution for the design of large systems; the mathematical translation of this concept is often that of compositionality. This paper is devoted to the issues of compositionality for modular code generation, in dataflow synchronous languages. As careless reuse of object code in new or evolving system designs fails to work, we first concentrate on what are the additional features needed to abstract programs for the purpose of code generation: we show that a central notion is that of scheduling specification as resulting from a causality analysis of the given program. Using this notion, we study separate compilation for synchronous programs. An entire section is devoted to the formal study of causality and scheduling specifications.

Then we discuss the issue of distributed implementation using an asynchronous medium of communication. Our main results are that it is possible to characterize those synchronous programs which can be distributed on an asynchronous architecture without losing semantic properties. Two new notions of endochrony and isochrony are introduced for this purpose. As a result, we derive a theory for synthesizing additional schedulers and protocols needed to guarantee the correctness of distributed code generation.

Corresponding algorithms are implemented in the framework of the DC+ common format for synchronous languages, and the V4-release of the Signal language.

Keywords: synchronous languages, modularity, distributed code generation, separate compilation, desynchronization.
Contents
1 Rationale
2 Specification
  2.1 The essentials of the synchronous paradigm
  2.2 Synchronous Transition Systems (sts)
3 Compositionality in code generation: informal analysis
  3.1 What is the problem?
  3.2 Scheduling specifications
  3.3 Causality analysis: examples
  3.4 Generating scheduling for separate modules
  3.5 Relaxing synchrony
  3.6 Modular design, gals architectures
4 Formal study of desynchronization
  4.1 Desynchronizing sts, and two fundamental problems
  4.2 Endochrony and re-synchronization
    4.2.1 Formal results
    4.2.2 Practical consequences
  4.3 Isochrony, and synchronous and asynchronous compositions
  4.4 Getting gals architectures
  4.5 Handling endo/isochrony in practice
    4.5.1 Checking endo/isochrony
    4.5.2 Enforcing endo/isochrony
5 Formal study of causality
  5.1 Encoding scheduling specifications using an algebraic domain
  5.2 Circuitfree schedulings
  5.3 Deriving scheduling specifications as causality constraints
  5.4 Correct programs
6 Conclusion
1 Rationale

Modularity is advocated as the ultimate solution for the design of large systems, and this holds in particular for embedded systems, for both software and architecture. Modularity allows the designer to scale down design problems, and facilitates the reuse of pre-existing modules.

The mathematical translation of the concept of modularity is often that of compositionality. Paying attention to the composition of specifications [Manna and Pnueli 1992] is central to any system model involving concurrency or parallelism. More recently, significant effort has been devoted toward the introduction of compositionality in verification, which aims at deriving proofs of large programs from partial proofs involving (abstractions of) components [Manna and Pnueli 1995]. See also the whole volume [de Roever et al., Eds, 1998] where a number of papers are devoted to this topic.

Compilation and code generation have been given less attention from this very same point of view. This is unfortunate, as it is critical for the designer to scale down the design of large systems by 1/ storing modules like black-box "procedures" or "processes" with minimal interface description, and 2/ generating code which uses these modules only on the basis of their interface description, while preserving in any case the correctness of the design. This paper is devoted to the issues of compositionality of dataflow synchronous languages, aimed at modular code generation.

Dataflow synchrony is a paradigm rather than a set of concrete languages or visual formalisms [Benveniste and Berry, 1991], hence it is desirable to abstract from any particular language. Thus we have chosen to work with Synchronous Transition Systems (sts), a lightweight formalism proposed by Amir Pnueli, general enough to capture the essence of the synchronous paradigm. This is the topic of section 2. Using this formalism, we study in section 2 the composition of specifications.

Most of our effort is then devoted to issues of compositionality that are critical to code generation. Section 3 contains an informal discussion of this problem. It is known that careless storing of object code for further reuse in systems design fails to work. Hence we first concentrate on the additional features that are required to abstract programs for the purpose of code generation and reuse: we show that a central notion is that of scheduling specification as resulting from a causality analysis of the given program. Related issues of compositionality are investigated. Then we show that there is some appropriate level of "intermediate code", which at the same time allows us to scale down code generation for large systems, and still maintains correctness at the system integration phase. Finally we discuss the side issue of distributed implementation using an asynchronous medium of communication.
In section 4 we formally study desynchronization. We first formalize what we mean by desynchronization. Our theory requires that the communication medium or operating system: 1/ shall not lose messages, and 2/ shall preserve the total ordering of messages, for each flow individually (but, of course, not globally). These assumptions are typically satisfied by services offered by reliable communication media or operating systems. Our main result is that it is possible to check, directly on the original synchronous specification, whether semantic properties will or will not be preserved after desynchronization. The two fundamental notions are endochrony, which guarantees that, for a single sts, desynchronization is a "revertible" transformation, and isochrony, which guarantees that, for a pair of sts, desynchronizing communications is also a "revertible" transformation. In some sense formalized in section 4, semantics is preserved by desynchronization when these conditions are satisfied.

Then section 5 is devoted to a formal study of causality. In many respects, this formal study is important. First, it is instrumental in getting executable, deterministic code from a given sts specification. Then, it is a cornerstone of proper abstractions for separate compilation and reuse. We pay strong attention to this study, using a technique not unlike the one used for analyzing causality in Esterel [Berry, 1995]. Our analysis encompasses the case of arbitrary data types, and suitable abstractions are used for this purpose.

In the conclusion we discuss how our views on compositionality are modified by this study. We sketch the resulting system design methodology, and we briefly mention the implementation resulting from this theory, mostly developed in the framework of the Esprit-SACRES project.
2 Specification

This section discusses compositionality aspects of specifications, first informally, and then formally.
2.1 The essentials of the synchronous paradigm

There have been several attempts to characterize the essentials of the synchronous paradigm [Berry, 1989] [Benveniste and Berry, 1991] [Halbwachs, 1993]. With some experience, we feel that the following features are indeed essential and sufficient for characterizing this paradigm:

1. Programs progress via an infinite sequence of reactions, informally written:
\[ P = R^{\omega} \]
where $R$ denotes the set of legal reactions [1].

2. Within a reaction, decisions can be taken on the basis of the absence of some events, as exemplified by the following typical statements, taken from Esterel, Lustre, and Signal respectively:
present S else `stat'
y = current x
y := u default v
The first statement is self-explanatory. The "current" operator delivers the most recent value of x at the clock of the considered node; it thus has to test for absence of x before producing y. The "default" operator delivers its first argument when it is present, and otherwise its second argument.

3. Communication is performed via instantaneous broadcast. In other words, when it is defined, parallel composition is always given by the conjunction of associated reactions:
\[ P_1 \parallel P_2 = (R_1 \wedge R_2)^{\omega} \]
The above formula is a perfect definition of parallel composition when the intention is specifying. In contrast, if producing executable code is the intention, then this definition has to be compatible with an operational semantics. This very much complicates the "when it is defined" prerequisite [2].

[1] In fact, "reaction" is a slightly restrictive term, as we shall see in the sequel that "reacting to the environment" is not the only possible kind of interaction a synchronous system may have with its environment.
[2] For instance, most of the effort related to the semantics of Esterel has been directed toward solving this issue satisfactorily [Berry, 1995].

Of course, such a characterization of the synchronous paradigm makes the class of "synchrony-compliant" formalisms much larger than usually considered. However it has been our experience that these were the key features of the techniques we have developed so far.

Clearly, this calls for the simplest possible formalism comprising the above features, and on which fundamental questions should be investigated. This is one of the objectives of the sts formalism described next.
2.2 Synchronous Transition Systems (sts)

Synchronous Transition Systems (sts).
We assume a vocabulary $\mathcal{V}$ which is a set of typed variables. All types are implicitly extended with a special element $\bot$ to be interpreted as "absent". Some of the types we consider are the type of pure signals with domain $\{t\}$, and booleans with domain $\{t, f\}$ (recall both types are extended with the distinguished element $\bot$).

We define a state $s$ to be a type-consistent interpretation of $\mathcal{V}$, assigning to each variable $v$ a value $s[v]$ over its domain. We denote by $S$ the set of all states. For a subset of variables $V \subseteq \mathcal{V}$, we define a $V$-state to be a type-consistent interpretation of $V$.

We define a Synchronous Transition System (sts) to be a triple
\[ \Phi = \langle V, \Theta, \rho \rangle \]
consisting of the following components:
- $V$ is a finite set of typed variables,
- $\Theta$ is an assertion characterizing the set of initial states: $\{ s \mid s \models \Theta \}$.
- $\rho \subseteq S \times S$ is the transition relation relating past and current states, denoted by $s^-$ and $s$ respectively [3]. For example the assertion $x = x^- + 1$ states that the value of $x$ in $s$ is greater by 1 than its value in $s^-$. If $(s^-, s) \models \rho$, we say that state $s^-$ is a $\rho$-predecessor of state $s$.

[3] Usually, states and primed states are used to refer to current and next states. This is equivalent to our present notation. We have preferred to consider $s^-$ and $s$, just because the formulas we shall write mostly involve current variables, rather than past ones. Using the standard notation would have resulted in a burden of primed variables in the formulas.
Runs.
A run $\sigma : s_0, s_1, s_2, \ldots$ is a sequence of states such that
\[ s_0 \models \Theta \;\wedge\; \forall i > 0,\ (s_{i-1}, s_i) \models \rho \tag{1} \]

Composition.
The composition of two sts $\Phi = \Phi_1 \parallel \Phi_2$ is defined as follows:
\[ V = V_1 \cup V_2, \qquad \Theta = \Theta_1 \wedge \Theta_2, \qquad \rho = \rho_1 \wedge \rho_2 ; \]
the composition is thus the pairwise conjunction (denoted by $\wedge$) of initial and transition relations. Composition is thus commutative and associative. Note that, in sts composition, interaction occurs through common variables only.
Notations for sts.
For the convenience of specification, sts have a set of declared variables, written $V_d$, implicitly augmented with associated auxiliary variables: the whole constitutes the set $V$ of variables. We shall use the following generic notations in the sequel:
- $b, c, v, w, \ldots$ denote sts declared variables, and $b, c$ are used to refer to variables of boolean type.
- for $v$ a declared variable, $h_v \in \{t, \bot\}$ denotes its clock:
\[ [h_v \neq \bot] \;\Leftrightarrow\; [v \neq \bot] \]
- for $v$ a declared variable, $\xi_v$ denotes its associated state-variable, defined by:
\[ \text{if } h_v \text{ then } \xi_v = v \text{ else } \xi_v = \xi_v^- \tag{2} \]
Values can be given to $s_0[\xi_v]$ as part of the initial condition. Then, $\xi_v$ is always present after the 1st occurrence of $v$. Note that $\xi_{\xi_v} = \xi_v$, thus only state variables of declared variables have to be considered.
Stuttering.
As modularity is desirable, an sts should be permitted to do nothing while its environment is possibly working. This feature has already been identified in the literature and is known as stuttering invariance or robustness [Lamport, 1983a, Lamport, 1983b]. Stuttering invariance of an sts $\Phi$ is defined as follows: if
\[ \sigma : s_0, s_1, s_2, \ldots \]
is a run of $\Phi$, so is
\[ \sigma' : s_0, \underbrace{\bot_{s_0}, \ldots, \bot_{s_0}}_{0 \le \#\{\bot_{s_0}\} < \infty}, s_1, \bot_{s_1}, \ldots, \bot_{s_1}, s_2, \bot_{s_2}, \ldots, \bot_{s_2}, \ldots \tag{3} \]
where, for every state $s$, symbol $\bot_s$ denotes the silent state associated with $s$, defined by:
\[ \forall v \in V_d : \begin{cases} \bot_s[v] = \bot \\ \bot_s[\xi_v] = s[\xi_v] \end{cases} \]
This means that state variables are kept unchanged, whenever their associated declared variables are absent. Note that stuttering invariance allows for runs possessing only a finite number of present states.

We require in the sequel that all sts we consider are stuttering invariant. They should indeed satisfy:
\[ \big[ (s^-, s) \models \rho \big] \;\Rightarrow\; \big[ (s^-, \bot_{s^-}) \models \rho \big] \wedge \big[ (\bot_{s^-}, s) \models \rho \big] \tag{4} \]
By convention, we shall simply write $\bot$ when mentioning a particular state $s$ is not required.
Examples of Transition Relations:
- A selector:
\[ \text{if } b \text{ then } z = u \text{ else } z = v . \tag{5} \]
Note that the "else" part corresponds to the property "$[b = f] \vee [b = \bot]$".
- A register:
\[ \text{if } h_z \text{ then } v = \xi_z^- \text{ else } v = \bot . \tag{6} \]
where $\xi_z$ is the state variable associated with $z$ as in (2), and $\xi_z^-$ denotes its past value. The more intuitive interpretation of this statement is: $v_n = z_{n-1}$, where index "$n$" denotes the instants at which both $v$ and $z$ are present (their clocks are specified to be equal). Decrementing a register would simply be specified by:
\[ \text{if } h_z \text{ then } v = \xi_z^- - 1 \text{ else } v = \bot ; \tag{7} \]
where $z$ is of integer type. Note that both statements (6,7) imply the equality of clocks: $h_z = h_v$.
- Testing for a property:
\[ \text{if } h_v \text{ then } b = (v \le 0) \text{ else } b = \bot . \tag{8} \]
Note that a consequence of this definition is, again, $h_v = h_b$.
- A synchronization constraint:
\[ (b = t) = (h_u = t) ; \tag{9} \]
meaning that the clock of $u$ is the set of instants where the boolean variable $b$ is true.

Putting (5,7,8,9) together yields the sts:
\[ \begin{array}{l}
\text{if } b \text{ then } z = u \text{ else } z = v \\
\wedge\ \text{if } h_z \text{ then } v = \xi_z^- - 1 \text{ else } v = \bot \\
\wedge\ \text{if } h_v \text{ then } b = (v \le 0) \text{ else } b = \bot \\
\wedge\ h_v = h_z = h_b \\
\wedge\ (b = t) = (h_u = t)
\end{array} \]
[Figure: a run of this sts, plotting the value of z against time; the instants at which u is received and the decrements by 1 are marked.]

A run of this sts for the variable $z$ is depicted in the figure above. Each time $u$ is received, $z$ is set to the value of $u$. Then $z$ is decremented by one at each activation cycle of the sts, until it reaches the value 0. Immediately after this, a fresh $u$ can be read, and so on. Note the schizophrenic nature of the "inputs" of this sts. While the value carried by $u$ is an input, the instant at which $u$ is read is not: reading of the input is in demand-driven mode. This is reflected by the fact that the inputs of this sts are the pair {activation clock $h$, value of $u$ when it is present}.

Using the primitives (5,6,8,9), dataflow synchronous languages such as Lustre [Halbwachs, 1993] and Signal [LeGuernic et al., 1991] are easily encoded. Note that primitives (5,6,8,9) and their composition are stuttering invariant sts, i.e., they satisfy condition (4).
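To make the behaviour of this sts concrete, here is an added example (Python, not code from the paper) that executes the conjunction of (5), (7), (8), (9) and $h_v = h_z = h_b$ reaction by reaction. It assumes an initial value $\xi_z = 0$ for the state variable, encodes absence $\bot$ as None, and reads the test (8) as $b = (v \le 0)$; the values of $u$ are supplied from a queue that is consumed only at instants where $b$ is true, which is exactly the demand-driven reading described above. The function names and the sample activation sequences are this example's own.

```python
# Added example, not code from the paper: executing the sts of section 2.2
# (conjunction of (5),(7),(8),(9) and h_v = h_z = h_b) reaction by reaction.
BOT = None          # the distinguished element "absent" (bottom in the paper)


def reaction(xi_z_prev, h, u_supply):
    """One reaction. xi_z_prev is the past state variable xi_z^-; h is the
    activation clock (True = present); u_supply is an iterator from which a
    value of u is taken only when b is true, i.e. reading on demand, (9).
    Returns (current state, new xi_z)."""
    if not h:
        # silent state: declared variables absent, state variable kept
        return {"v": BOT, "b": BOT, "u": BOT, "z": BOT}, xi_z_prev
    v = xi_z_prev - 1                    # (7): v = xi_z^- - 1
    b = v <= 0                           # (8): b = (v <= 0), as reconstructed
    u = next(u_supply) if b else BOT     # (9): h_u = t exactly when b = t
    z = u if b else v                    # (5): if b then z = u else z = v
    return {"v": v, "b": b, "u": u, "z": z}, z   # (2): xi_z = z since h_z = t


def run(activations, u_values, xi_z0=0):
    """Run over a list of activation-clock values; u_values is the queue of
    input values consumed on demand. The inputs are thus the pair
    {activation clock, value of u when present}, as the text notes."""
    supply = iter(u_values)
    xi_z, states = xi_z0, []
    for h in activations:
        s, xi_z = reaction(xi_z, h, supply)
        states.append(s)
    return states


def present_values(states, name):
    """The sequence of present (non-absent) values of a variable along a run."""
    return [s[name] for s in states if s[name] is not BOT]


def clocks_consistent(states):
    """Check h_v = h_z = h_b and (b = t) = (h_u = t) at every instant."""
    for s in states:
        present = {k: s[k] is not BOT for k in s}
        if not (present["v"] == present["z"] == present["b"]):
            return False
        if present["u"] != (s["b"] is True):
            return False
    return True


if __name__ == "__main__":
    # constructed input: seven activations, values 3 and 5 waiting to be read
    trace = run([True] * 7, [3, 5])
    print(present_values(trace, "z"))        # z counts 3, 2, 1 then reloads 5
    print(clocks_consistent(trace))
```

With $u = 3$ supplied first, $z$ takes the values 3, 2, 1; at the next activation the decremented value $v$ reaches 0, so $b$ is true and the fresh value 5 is read. Inserting absent instants (activation clock false) into the activation sequence leaves the sequence of present values of $z$ unchanged, which is the stuttering invariance of condition (4) observed on this run.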
3 Compositionality in code generation: informal analysis

In this section, we informally discuss issues of compositionality aiming at code generation. After a brief review of the problems, we acknowledge the importance of extending our basic sts model with preorders; preorders are useful to capture causality, to specify schedulings, and to model communications in a distributed environment. Also, preorders are instrumental in handling abstractions. Then we discuss causality analysis and we analyse a few simple examples. Separate compilation is discussed, using preorders: we show that separate compilation requires a new level of intermediate code which allows us to store and reuse modules in a correct way. Finally we discuss the issue of distributed code generation on an asynchronous architecture.

3.1 What is the problem?

Basically, the problem is twofold: 1/ brute-force separate compilation can be the source of deadlock, and 2/ generating distributed code is generally not compatible with maintaining strict compliance with the synchronous model of computation. We illustrate briefly these two issues next.

Naive separate compilation may be dangerous. This is illustrated in the following picture:
[Figure: four diagrams, described in the next paragraph.]

The first diagram depicts the "dependencies" associated with some sts specification: the 1st output needs the 1st input for its computation, and the 2nd output needs the 2nd input for its computation. The second diagram shows a possible scheduling, corresponding to the standard scheduling: 1/ read inputs, 2/ compute reaction, 3/ emit outputs. This gives a correct sequential execution of the sts. In the third diagram, an additional dependency is enforced by setting the considered sts in some environment which reacts with no delay to its inputs: a deadlock is created. In the last diagram, however, it is revealed that this additional dependency caused by the environment was indeed compatible with the original specification, and no deadlock resulted from applying it. Here, deadlock was caused by the actual implementation of the specification, not by the specification itself.

The traditional answer to this problem by the synchronous programming school has been to refuse considering separate compilation: modules for further reuse should be stored as source code, and combined as such before code generation. We shall later see that this does not need to be the case, however.

Desynchronization. This is illustrated in the following picture:
[Figure: two processors exchanging messages over an asynchronous medium.]

This figure depicts a communication scenario: two processors, modelled as sequential machines, exchange messages using an asynchronous medium for their communications. The natural structure of time is that of a partial order, as derived from the directed graph composed of 1/ linear time on each processor, and 2/ communications. This structure for time does not match the linear time corresponding to the infinite sequence of reactions which is the very basis of the synchronous paradigm.

The need for reasoning about causality, schedulings, and communications. This need emerges from the above discussion. In the next subsection, we shall introduce a unique framework to handle these diverse aspects: the formalism of scheduling specifications.
3.2 Scheduling specifications

Causality relations have been investigated for several years in the area of models of distributed systems and computations. The classical approach considers a classical automaton, in which concurrency is modelled via an "independence" equivalence relation among the labels of the transitions. Since independence is generally not a symmetric relation (actions of writing and reading are not symmetric), the theory of traces [Aalbersberg and Rozenberg, 1988] has been extended to so-called "semi-commutations" [Clerbout and Latteux, 1987], and this technique has been recently applied to the implementation of reactive automata on distributed architectures [Caillaud et al., 1997]. Causality preorder relations have also been used in a different way in [LeGuernic and Gautier, 1991], and also in [Benveniste Caspi et al., 1994], from which we borrow the essentials of the present technique. In addition to modelling causality relations, preorders can be used to specify scheduling requirements; they can also be used to model send/receive types of communication.
sts with scheduling specifications

We consider a set $V$ of variables. A preorder on the set $V$ is a relation (generically denoted by $\preceq$) which is reflexive ($x \preceq x$) and transitive ($x \preceq y$ and $y \preceq z$ imply $x \preceq z$). To $\preceq$ we associate the equivalence relation $\simeq$, defined by $x \simeq y$ iff $x \preceq y$ and $y \preceq x$. If the equivalence classes of $\simeq$ are singletons, then $\preceq$ is a partial order. Preorders are naturally specified via (possibly cyclic) directed graphs, denoted:
\[ x \rightarrow y \quad \text{for } x, y \in V ; \tag{10} \]
by defining $x \preceq z$ iff there is a path originating from $x$ and terminating in $z$. The supremum of two preorders, written
\[ \preceq_1 \vee \preceq_2 ; \tag{11} \]
is the least preorder which is an extension of $\preceq_1$ and $\preceq_2$. The set of all preorders on $V$ is denoted $\Omega_V$.

A labelled preorder on $V$ is a preorder on $V$, together with a value $s[v]$ for each $v \in V$ over its domain. A state $\tilde{s}$ is a labelled preorder. The set of all states is denoted $\tilde{S}$. As before for sts, we denote by $S$ the set of all type consistent interpretations of $V$. Thus $\tilde{S} = S \times \Omega_V$, and a state $\tilde{s}$ decomposes as
\[ \tilde{s} = (s, \preceq_V) . \tag{12} \]
An sts with scheduling specifications is a triple $\tilde{\Phi} = \langle V, \Theta, \tilde{\rho} \rangle$, where $V, \Theta$ are as before, and
\[ \tilde{\rho} \subseteq S \times \tilde{S} = S \times S \times \Omega_V ; \tag{13} \]
i.e., $\tilde{\rho}$ relates the value of the tuple of previous variables to the current state. By convention, transition relation $\tilde{\rho}$ is trivially extended to a transition on $\tilde{S}$, i.e., a subset of $\tilde{S} \times \tilde{S}$, and runs are sequences $s_0, s_1, s_2, \ldots$ that are consistent with transition relation (13).

We shall denote by $\rho$ the transition relation on $S$ obtained by projecting $\tilde{\rho}$ on $S \times S$, i.e., by ignoring the preorder component. Note that $\Phi = \langle V, \Theta, \rho \rangle$ is an ordinary sts. The composition of two sts with scheduling specifications
\[ \tilde{\Phi} = \tilde{\Phi}_1 \parallel \tilde{\Phi}_2 , \tag{14} \]
is defined as follows:

1. Associated underlying sts (without scheduling specifications) are simply composed:
\[ \Phi = \Phi_1 \parallel \Phi_2 . \tag{15} \]
Then we need to define how preorders are combined.

2. For $s$ a state for $\Phi$, for $i = 1, 2$ let $s_i$ be the restriction of $s$ to $V_i$; we know that $s_i$ is a state for $\Phi_i$. Let $\tilde{s}_i = (s_i, \preceq_{V_i})$ be the corresponding state for $\tilde{\Phi}_i$, cf. (12). Define
\[ \preceq_V \;=_{\mathrm{def}}\; \preceq_{V_1} \vee \preceq_{V_2} \quad \text{(cf. (11))}, \tag{16} \]
\[ \tilde{s} \;=_{\mathrm{def}}\; (s, \preceq_V) . \tag{17} \]
Thus (15,16,17) define how states of the components $\tilde{\Phi}_i$ are combined together, building up the states and runs of $\tilde{\Phi} = \tilde{\Phi}_1 \parallel \tilde{\Phi}_2$. Again, composition $\parallel$ as extended to sts with scheduling specifications is commutative and associative.
Notations for scheduling specifications

We now introduce convenient notations for the graphs generating the above introduced preorders. The notation $u \rightarrow v$ corresponds to the edge (10). For $b$ a variable of type $\mathrm{bool} \cup \{\bot\}$, and $u, v$ variables of any type, the following generic conjunct will be used to specify preorders:
\[ \text{if } b \text{ then } u \rightarrow v , \quad \text{resp.} \quad \text{if } b \text{ else } u \rightarrow v \]
also written:
\[ u \xrightarrow{\;b\;} v \quad \text{resp.} \quad u \xrightarrow{\;\bar{b}\;} v \]
In subsection 5.1, it is shown that scheduling specifications have the following properties:
\[ x \xrightarrow{\;b\;} y \;\parallel\; y \xrightarrow{\;c\;} z \;\Rightarrow\; x \xrightarrow{\;b \wedge c\;} z \tag{18} \]
\[ x \xrightarrow{\;b\;} y \;\parallel\; x \xrightarrow{\;c\;} y \;\Rightarrow\; x \xrightarrow{\;b \vee c\;} y \tag{19} \]
Properties (18,19) can be used to compute input/output abstractions of scheduling specifications:
[Figure: on the left, a scheduling specification over variables a, b, c, h, k and a local variable l; on the right, the same specification with l hidden, the edges through l replaced by edges carrying composite labels built from a, b and c.]
In this figure, the diagram on the left depicts a scheduling specification involving local variables. These are hidden in the diagram on the right, using rules (18,19).
Inferring scheduling specifications from causality analysis

We now provide a technique for inferring schedulings from causality analysis for sts specified as conjunctions of the particular set of generic conjuncts we have introduced so far. Considering this restricted set of generic conjuncts is justified by the fact that 1/ all known synchronous languages can be encoded using this set of basic conjuncts, and even more, 2/ these primitives allow one to express the most general synchronization mechanisms that are compatible with the paradigm of perfect synchrony [Benveniste et al., 1992]. We recall next this set of basic conjuncts for the sake of clarity:
\[ \begin{array}{l}
\text{if } b \text{ then } w = u \text{ else } w = v \\[4pt]
u \xrightarrow{\;b\;} w \\[4pt]
w = f(u_1, \ldots, u_k) \;\wedge\; h_w = h_{u_1} = \ldots = h_{u_k}
\end{array} \tag{20} \]
In addition to the set (20) of primitives, the state-variable $\xi_v$ associated to variable $v$ can be used on the right hand side of each of the above primitive statements. The third primitive involves a conjunction of statements that are considered jointly. Later on, in the examples, we shall freely use nested expressions such as "if b then w = expr", where "expr" denotes an expression built on the same set of primitives. It is understood that such expressions need to be expanded prior to applying the rules of formulas (21) given next.

In formulas (21), each primitive statement has a scheduling specification associated with it, given on the corresponding right hand side of the table. Given an sts specified as the conjunction of a set of such statements, for each conjunct we add the corresponding scheduling specification to the considered sts. Since, in turn, scheduling specifications themselves have scheduling specifications associated with them, this mechanism of adding scheduling specifications must be applied until a fixpoint is reached. Note that applying these rules until a fixpoint is reached takes at most two successive passes. In formulas (21), labels of schedulings are expressions involving variables in the domain $\{\bot, f, t\}$ ordered by $\{\bot < f < t\}$; with this in mind, expressions involving the symbols "$\wedge$" (min) and "$\vee$" (max) have a clear meaning.
\[ \begin{array}{ll}
(\text{R-1}) & \forall u :\; h_u \rightarrow u \\[8pt]
(\text{R-2}) & \text{if } b \text{ then } w = u \text{ else } w = v \;\Rightarrow\;
\left\{ \begin{array}{l}
b \xrightarrow{\;h_b \wedge (h_u \vee h_v)\;} h_w \\
h_u \xrightarrow{\;b \wedge h_u\;} h_w \\
h_v \xrightarrow{\;\bar{b} \wedge h_v\;} h_w \\
u \xrightarrow{\;b \wedge h_u\;} w \\
v \xrightarrow{\;\bar{b} \wedge h_v\;} w
\end{array} \right. \\[8pt]
(\text{R-3}) & u \xrightarrow{\;b\;} w \;\Rightarrow\; b \rightarrow h_w \\[8pt]
(\text{R-4}) & w = f(u_1, \ldots, u_k) \;\wedge\; h_w = h_{u_1} = \ldots = h_{u_k} \;\Rightarrow\; u_i \xrightarrow{\;h_w\;} w
\end{array} \tag{21} \]

Note that there is no rule involving variables of the form $\xi_z^-$, as previous state variables are available prior to starting the current reaction and thus do not participate in the causality calculus. Rules (R-1,...,R-4) are formally justified in section 5. We briefly report the corresponding results. For $P$ an sts, first apply Rules (R-1,...,R-4) until a fixpoint is reached: this yields an sts we call sched($P$). Then, a sufficient condition for $P$ to have a unique deterministic run is:

1. sched($P$) is circuitfree at each instant, meaning that it is never true that
\[ x_1 \xrightarrow{\;b_1\;} x_2 \xrightarrow{\;b_2\;} x_1 \quad \text{and} \quad (b_1 \wedge b_2 = t) \]
where $x_1$ and $x_2$ are distinct variables.

2. sched($P$) has no multiple definition of variables at any instant, meaning that, whenever
\[ \text{if } b_1 \text{ then } x = \mathit{exp}_1 \;\wedge\; \text{if } b_2 \text{ then } x = \mathit{exp}_2 \]
holds in $P$ and $\mathit{exp}_1$ and $\mathit{exp}_2$ are different expressions, then
\[ b_1 \wedge b_2 = t \]
never holds in $P$.

Then $P$ is said to be executable, and sched($P$) provides (dynamic) scheduling specifications for this run. Note that proof obligations resulting from the above two conditions are generally not automatically provable, therefore abstractions may have to be considered.
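The following added example (Python, not code from the paper) implements rules (R-1)...(R-4) of (21) over the three primitive conjuncts of (20), iterates them to a fixpoint, checks condition 1 (circuit-freeness at a given instant) on the ordered label domain $\{\bot < f < t\}$ with $\wedge$ as min and $\vee$ as max, and also performs the input/output abstraction of rules (18,19) above by hiding local variables. The encoding of conjuncts as Python tuples, the function names, and the three sample specifications (a lone selector, two mutually dependent selectors, and a specification with a local variable l) are assumptions of this example; unlabelled edges such as those of (R-1) and (R-3) are given the constant label t, and (R-3) is applied to edges whose label is a single boolean variable, as in its statement.

```python
# Added example, not code from the paper: scheduling specifications as
# labelled graphs, rules (R-1)-(R-4) of (21) iterated to a fixpoint, the
# circuit check of condition 1, and the abstraction of rules (18),(19).
BOT, F, T = 0, 1, 2          # the ordered label domain {bot < f < t}

def ev(label, env):
    """Value of a label at instant env (variable -> BOT/F/T); and = min, or = max."""
    k = label[0]
    if k == 'const': return label[1]
    if k == 'var':   return env.get(label[1], BOT)    # unmentioned variables: absent
    if k == 'not':
        x = ev(label[1], env)
        return BOT if x == BOT else (T if x == F else F)
    a, b = ev(label[1], env), ev(label[2], env)
    return min(a, b) if k == 'and' else max(a, b)

def var(x): return ('var', x)
def AND(a, b): return ('and', a, b)
def OR(a, b): return ('or', a, b)
def NOT(a): return ('not', a)

# A scheduling specification is a dict (x, y) -> set of labels; the set is
# read as the disjunction of its members, which is rule (19) for parallel edges.
def add(g, x, y, label=('const', T)):
    """Add an edge; returns True if the specification grew (self-loops order nothing)."""
    if x == y:
        return False
    labels = g.setdefault((x, y), set())
    grew = label not in labels
    labels.add(label)
    return grew

def value(g, x, y, env):
    return max((ev(l, env) for l in g.get((x, y), ())), default=BOT)

def sched(conjuncts):
    """Apply (R-1)-(R-4) until a fixpoint. Conjunct encodings (assumed here):
      ('select', b, w, u, v)   : if b then w = u else w = v
      ('dep', b, u, w)         : u --b--> w
      ('func', w, [u1,...,uk]) : w = f(u1,...,uk) with h_w = h_u1 = ... = h_uk"""
    # clock equalities of 'func': each u_i takes the clock of w (one level)
    clocks = {u: 'h_' + c[1] for c in conjuncts if c[0] == 'func' for u in c[2]}
    h = lambda x: x if x.startswith('h_') else clocks.get(x, 'h_' + x)
    names = {x for c in conjuncts for x in (c[1:] if c[0] != 'func' else [c[1], *c[2]])}
    g = {}
    for x in names:                               # (R-1): h_u --> u
        add(g, h(x), x)
    for c in conjuncts:
        if c[0] == 'select':                      # (R-2)
            _, b, w, u, v = c
            add(g, b, h(w), AND(var(h(b)), OR(var(h(u)), var(h(v)))))
            add(g, h(u), h(w), AND(var(b), var(h(u))))
            add(g, h(v), h(w), AND(NOT(var(b)), var(h(v))))
            add(g, u, w, AND(var(b), var(h(u))))
            add(g, v, w, AND(NOT(var(b)), var(h(v))))
        elif c[0] == 'dep':                       # the scheduling primitive itself
            add(g, c[2], c[3], var(c[1]))
        else:                                     # (R-4): u_i --h_w--> w
            for u in c[2]:
                add(g, u, c[1], var(h(c[1])))
    changed = True
    while changed:                                # (R-3): u --b--> w  =>  b --> h_w
        changed = False
        for (u, w), labels in list(g.items()):
            for lab in list(labels):
                if lab[0] == 'var':
                    changed |= add(g, lab[1], h(w))
    return g

def has_circuit(g, env):
    """Condition 1: a cycle whose edge labels are all true at instant env."""
    succ = {}
    for (x, y) in g:
        if value(g, x, y, env) == T:
            succ.setdefault(x, []).append(y)
    state = {}                                    # 1 = on the DFS stack, 2 = done
    def dfs(n):
        state[n] = 1
        if any(state.get(m) == 1 or (m not in state and dfs(m)) for m in succ.get(n, ())):
            return True
        state[n] = 2
        return False
    return any(n not in state and dfs(n) for n in list(succ))

def hide(g, hidden):
    """Rules (18),(19): drop hidden l, replacing x --a--> l --c--> y by x --a and c--> y."""
    out = {k: set(v) for k, v in g.items()}
    for l in hidden:
        ins = [(x, a) for (x, y), labs in out.items() if y == l for a in labs]
        outs = [(y, c) for (x, y), labs in out.items() if x == l for c in labs]
        for (x, a), (y, c) in ((i, o) for i in ins for o in outs):
            add(out, x, y, AND(a, c))
        out = {k: v for k, v in out.items() if l not in k}
    return out

# Constructed sample specifications: a lone selector (reactive), two mutually
# dependent selectors (a circuit when b and c are both true), and a local l.
SELECTOR = [('select', 'b', 'z', 'u', 'v')]
CYCLIC = [('select', 'b', 'x', 'y', 'k'), ('select', 'c', 'y', 'x', 'm')]
LOCAL = [('dep', 'a', 'h', 'l'), ('dep', 'b', 'l', 'k'), ('dep', 'c', 'l', 'k')]
```

For the lone selector, sched(SELECTOR) orders each input datum only after its own clock, which is the data-driven reading of a reactive sts. For the two mutually dependent selectors, has_circuit reports a circuit exactly at instants where b, c and the clocks of x and y are all true, and no circuit when c is false, which is condition 1 evaluated instant by instant. Hiding l and its clock from sched(LOCAL) leaves an edge from h to k whose label is the disjunction of a ∧ b and a ∧ c, as rules (18) and (19) prescribe.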
Summary. What do we have at this stage?
1. sts composition is just the conjunction of constraints.
2. Scheduling specifications do compose as well.
3. Since causality analysis is based on an abstraction, the rules (R-1,...,R-4) for inferring scheduling from causality are bound to the syntax of the sts conjuncts. Hence, in order to maximize the chance of effectively recognizing that an sts $P$ is executable, $P$ is generally rewritten in a different but semantically equivalent syntax (runs remain the same) while causality analysis is performed [4]. But this latter operation is global and not compositional: here we reach the limits of ideal compositionality.

[4] This is part of the job performed by the Signal compiler's "clock calculus".

3.3 Causality analysis: examples

We show here some sts statements and their associated scheduling as derived from causality analysis. In the following figures, vertices in boldface denote input clocks, vertices in bold-italic denote input data, and vertices in courier denote other variables. It is of interest to distinguish between these two different types of inputs, as input reading for an sts can occur with any combination of data- and demand-driven mode. Note that, for each vertex of the graph, the labels sitting on the incoming branches are evaluated prior to the considered vertex. Thus, when this vertex is to be evaluated, the other variables needed for its evaluation are already known. The resulting directed graphs (which are labelled with booleans) specify the set of all legal schedulings for the execution of the considered sts; this is formalized in section 5.
A reactive sts:
\[ \text{if } b \text{ then } z = u \text{ else } z = v \]
[Figure: the scheduling graph of this statement. Legend: (input clock), (input data), (other). Vertices $h_u$, $h_v$, $h_b$ are input clocks, $u$, $v$, $b$ are input data, $h_z$ and $z$ are other variables; the edge labels are the combinations of $b$, $h_u$, $h_v$ given by rule (R-2).]

In the above example, input data are associated with their corresponding input clocks: this sts reads its inputs in a purely data-driven mode, input patterns $(u, v, b)$ are free to be present or absent, and, when they are present, their value is free also. We call it a "reactive" sts.
The full example, a proactive sts:

[Timing diagram, not recoverable from the extraction: the values of $u$ and $z$ against time, $z$ decreasing by 1 at each step.]

\[
\begin{array}{l}
\text{if } b \text{ then } z = u \text{ else } z = v \\
\wedge\ \text{if } h_z \text{ then } v = \xi_z - 1 \text{ else } v = \bot \\
\wedge\ \text{if } h_v \text{ then } b = (v \le 0) \text{ else } b = \bot \\
\wedge\ h_v = h_z = h_b \\
\wedge\ (b = t) = (h_u = t)
\end{array}
\]
Applying scheduling rules (R-1,...,R-4) and then performing some straightforward simplifications, we get the result shown in figure 1. Note the change in control: {input clock, input data} have been drastically modified from the "if b then z = u else z = v" statement to the complete sts: inputs now consist of the pair $\{h, v_u\}$, where $v_u$ refers to the value carried by $u$ when present. Reading of $u$ occurs on demand, when condition $b$ is true. We propose to call such an sts "proactive".

[Figure 1 (scheduling graph, not recoverable from the extraction): the activation clock $h$ is the only source vertex; the other vertices are $b$, $v$, $z$ and $u$, and the branches are labelled by $b$. The sts shown in the figure is]

\[
\begin{array}{l}
\text{if } b \text{ then } z = u \text{ else } z = v \\
\wedge\ \text{if } h_z \text{ then } v = \xi_z - 1 \text{ else } v = \bot \\
\wedge\ \text{if } h_v \text{ then } b = (v \le 0) \text{ else } b = \bot \\
\wedge\ h_v = h_z = h_b \stackrel{\text{def}}{=} h \\
\wedge\ (b = t) = (h_u = t)
\end{array}
\]

Figure 1: Scheduling from causality analysis for the example.
3.4 Generating scheduling for separate modules

Relevant target architectures for embedded applications are typically 1/ purely sequential code (such as C code), 2/ code using a threading or tasking mechanism provided by some kind of real-time OS (here the threading mechanism offers some degree of concurrency), or 3/ DSP-type multiprocessor architectures with associated communication media.
On the other hand, the scheduling specifications we derive from causality rules (R-1,...,R-4) still exhibit maximal concurrency. Actual implementations will have to conform to these scheduling specifications. In general, they will exhibit less (and sometimes even no) concurrency, meaning that further sequentialization has been performed to generate code.

Of course, this additional sequentialization can be the source of potential, otherwise unjustified, deadlock when the considered module is reused in the form of object code in some environment; this was illustrated in subsection 3.1. The traditional answer to this problem by the synchronous programming school has been to refuse separate compilation: modules for further reuse should be stored as source code, and combined as such before code generation.

We shall see, however, that this does not need to be the case. Instead, a careful use of the scheduling specifications of an sts will allow us to decompose it into modules that can be stored as object code for further reuse, whatever the actual environment and implementation architecture will be.

For the sake of clarity, we restrict our discussion to the case of single-clocked sts, i.e., an sts in which all declared variables have the same clock.
The issue is illustrated in the following picture, in which the directed graph defining the circuit-free scheduling specification of some single-clocked sts is depicted:

[Figure (not recoverable from the extraction): legend (input clock), (input data), (other); gray zones group the vertices that all depend on the same inputs.]
In the above picture, the gray zones group all variables which depend on the same subset of inputs; let us call them "tasks". Tasks are not subject to the risk of creating fake deadlocks from implementation, unlike the example from subsection 3.1. In fact, as all variables belonging to the same task depend on the same inputs, each task can be executed safely according to the following scheme: 1/ collect inputs, 2/ execute task.

In the next picture, we show how the actual implementation is prepared:

[Figure (not recoverable from the extraction): on the left, the abstract scheduler; on the right, a task prepared for reuse.]
The thick arrows inside the task depicted on the right show one possible fully sequential scheduling of this task. Then, what should really be stored as source code for further reuse is only the abstraction consisting of the tasks viewed as black boxes, together with their associated interface scheduling specifications. In particular, if the supporting execution architecture involves a real-time tasking system implementing some preemption mechanism in order to dynamically optimize scheduling for best response time, tasks can be freely suspended/resumed by the real-time kernel, without impairing conformity of the object code to its specification. Using our notion of scheduling specification, the above approach easily extends to general sts, in which several different clocks are involved.
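To make the task construction of this subsection concrete, here is an added example (it is not code from the paper, nor from the Signal compiler) that groups the vertices of a circuit-free, single-clocked scheduling graph into tasks by the exact subset of inputs they depend on, derives one fully sequential schedule per task (the thick arrows), and lists the inter-task edges that survive as the interface scheduling specification once tasks are black boxes. The graph, the variable names and the helper names are constructed for this illustration.

```python
"""Added example, not from the paper: tasks of a single-clocked scheduling
graph and a sequential schedule per task.  The graph and names below are
constructed for the illustration."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Graph = Dict[str, Set[str]]   # vertex -> set of direct predecessors


def input_closure(deps: Graph, inputs: Set[str]) -> Dict[str, FrozenSet[str]]:
    """Subset of the inputs each vertex transitively depends on.

    Rejects circuits: a scheduling specification must be circuit-free,
    otherwise no schedule exists at all.
    """
    memo: Dict[str, FrozenSet[str]] = {}
    on_stack: Set[str] = set()

    def visit(v: str) -> FrozenSet[str]:
        if v in memo:
            return memo[v]
        if v in on_stack:
            raise ValueError(f"scheduling graph has a circuit through {v!r}")
        on_stack.add(v)
        acc: Set[str] = {v} if v in inputs else set()
        for p in deps.get(v, ()):
            acc |= visit(p)
        on_stack.discard(v)
        memo[v] = frozenset(acc)
        return memo[v]

    for v in set(deps) | set(inputs):
        visit(v)
    return memo


def tasks(deps: Graph, inputs: Set[str]) -> Dict[FrozenSet[str], Set[str]]:
    """The gray zones of the figure: non-input vertices grouped by the
    exact subset of inputs they depend on."""
    groups: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for v, ins in input_closure(deps, inputs).items():
        if v not in inputs:
            groups[ins].add(v)
    return dict(groups)


def sequential_schedule(deps: Graph, task: Set[str]) -> List[str]:
    """One fully sequential ordering of a task: a topological sort of the
    edges internal to the task, ties broken by name.  Edges entering from
    outside are the task's inputs, collected before the task runs
    ("1/ collect inputs, 2/ execute task")."""
    indeg = {v: sum(1 for p in deps.get(v, ()) if p in task) for v in task}
    ready = sorted(v for v, d in indeg.items() if d == 0)
    order: List[str] = []
    while ready:
        v = ready.pop(0)
        order.append(v)
        for w in task:
            if v in deps.get(w, ()):
                indeg[w] -= 1
                if indeg[w] == 0:
                    ready.append(w)
        ready.sort()
    if len(order) != len(task):
        raise ValueError("task contains a circuit")
    return order


def interface_edges(deps: Graph, inputs: Set[str]) -> Set[Tuple[Tuple[str, ...], Tuple[str, ...]]]:
    """Dependencies crossing task boundaries, keyed by the tasks' input
    sets: the interface scheduling specification the abstract scheduler
    keeps once the tasks themselves are black boxes."""
    owner = {v: ins for ins, members in tasks(deps, inputs).items() for v in members}
    edges = set()
    for v, preds in deps.items():
        if v in inputs:
            continue
        for p in preds:
            if p not in inputs and owner[p] != owner[v]:
                edges.add((tuple(sorted(owner[p])), tuple(sorted(owner[v]))))
    return edges


# Constructed single-clocked example: inputs a, b, c; x and y depend on {a}
# only, p and q on {a, b}, r on {c}.  y -> p is the only inter-task edge.
EXAMPLE_INPUTS = {"a", "b", "c"}
EXAMPLE_DEPS: Graph = {"x": {"a"}, "y": {"x"}, "p": {"y", "b"}, "q": {"p"}, "r": {"c"}}


def example_schedules() -> Dict[Tuple[str, ...], List[str]]:
    """Schedule of every task of the example, keyed by the task's inputs."""
    return {tuple(sorted(ins)): sequential_schedule(EXAMPLE_DEPS, members)
            for ins, members in tasks(EXAMPLE_DEPS, EXAMPLE_INPUTS).items()}


if __name__ == "__main__":
    for ins, order in sorted(example_schedules().items()):
        print("task on inputs", list(ins), "->", order)
    print("interface edges:", sorted(interface_edges(EXAMPLE_DEPS, EXAMPLE_INPUTS)))
```

Run stand-alone, the example yields three tasks ({x, y} on input a, {p, q} on inputs a and b, {r} on input c), each with a sequential order, and a single interface edge from the first task to the second; the real-time kernel may interleave or preempt the three tasks in any way that respects that edge.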
3.5 Relaxing synchrony

Loosening synchrony. The major problem is that of testing for absence in an asynchronous environment. This is illustrated in the following picture, in which the information about the presence of variables in the considered instant is lost when passing from the left-hand side to the right-hand side, since an explicit definition of the "instant" is no longer available:

[Figure (not recoverable from the extraction): a "test for absence" on the synchronous side (left) becomes a question mark on the asynchronous side (right).]

The question mark indicates that it is generally not possible, in an asynchronous environment, to decide upon presence/absence of a signal relative to another one. While testing for absence is perfectly sound in a synchronous paradigm, it is meaningless in an asynchronous one.
The solution consists in restricting ourselves to so-called endochronous sts. Endochronous sts are those for which the control depends only on 1/ the past state, and 2/ the values possibly carried by environment signals, but not on the presence/absence status of these signals. For an endochronous sts, losing the synchronization barriers that define the successive reactions will not result in changing its semantics; this is formalized in subsection 4.2.

An example of an sts which is "exochronous" is the "reactive" sts given on the left-hand side of the following picture, whereas the "proactive" sts shown on the right-hand side is endochronous:

[Figure (not recoverable from the extraction): on the left, the scheduling graph of the reactive sts of subsection 3.3, with source vertices $h_u$, $h_v$, $h_b$; on the right, the scheduling graph of figure 1, with the activation clock $h$ as its only source vertex.]

In the diagram on the left-hand side, three different clocks are source nodes of the directed graph. This means that the first decision in executing a reaction consists in deciding upon relative presence/absence of these clocks. In contrast, in the diagram on the right-hand side, only one clock, the activation clock $h$, is a source node of the graph. Hence no test for relative presence/absence is needed, and the control only depends on the value of the internally computed boolean variable $b$.
How endochrony allows us to desynchronize an sts is illustrated in an intuitive way by the following diagram, which depicts the scheduling specification associated with the (endochronous) pseudo-statement "if b then get u":

[Figure (not recoverable from the extraction): two rows labelled $b$ and $u$; $b$ carries a sequence of T and F values, and $u$ is present exactly under the instants where $b$ is T. On the left the instants are separated by thick dashed lines; on the right these separators are removed.]

In the diagram on the left, a history of this statement is depicted, showing the successive instants (or reactions) separated by thick dashed lines. In the right-hand side diagram, the thick dashed lines have been removed. Clearly, no information has been lost: we know that $u$ should happen exactly when $b = t$, and thus waiting for the value of $b$ is enough for deciding whether $u$ is to be waited for. A formal study of desynchronization and endochrony is presented in section 4.
Moving from exochronous programs to endochronous programs can be performed; we only show one typical but simple example:

[Figure (not recoverable from the extraction): on the left, the two input clocks $k$, $k'$; on the right, the same inputs preceded by a monitor with activation clock $h$ and boolean variables $b$, $b'$.]

The idea is to add to the considered sts a monitor which delivers the presence/absence information via two boolean variables $b, b'$ with identical clocks $h$, and such that $[k = t] = [b = t]$, and similarly for $k', b'$. The resulting sts is endochronous, since the boolean variables $b, b'$ are scrutinized at the pace of the activation clock $h$. Other schemes are also possible; this is discussed in subsection 4.5.
Loosening synchronous composition. The second question is that of preserving the semantics of synchronous composition when an asynchronous communication medium is used. In the synchronous programming paradigm, communication occurs via instantaneous broadcast, meaning that all components must agree on 1/ which variables are present/absent in the considered reaction, and then 2/ what value is carried by each present variable. Again, this protocol is meaningless in an asynchronous communication medium. In subsection 4.3, it is shown that the condition for semantics-preserving desynchronization of the communication is that the considered pair of sts should be isochronous.

Isochrony is a property of the synchronous composition $P \| Q$ of two sts. Roughly speaking, a pair of sts is isochronous if every pair of reactions, of $P$ and $Q$ respectively, which agree on present common variables, also agree on all common variables. Thus, again, common agreement for composition of reactions can disregard absence.

Endochrony and isochrony are the basic concepts for our theory of desynchronization. For this theory to hold, the requirements on the communication medium are: 1/ it should not lose messages, and 2/ it should not change the order of messages associated with each given variable.
3.6 Modular design, gals architectures

From the theory informally presented in the previous subsections, the following approach results for modular design and distributed implementations of reactive systems. The target architecture is Globally Asynchronous, Locally Synchronous (gals) by nature. The whole approach is summarized in the diagram of figure 2, where the considered sts is assumed to possess a unique, deterministic execution, i.e., it satisfies the correctness criteria stated in section 3.2. In this diagram, gray rectangles denote three modules $P_1, P_2, P_3$ of the source sts specification, hence given by $P = P_1 \| P_2 \| P_3$. We assume here that this partitioning has been given by the designer, based on functional and architectural considerations.

White bubbles inside the gray rectangles depict the structuring into tasks as discussed in subsection 3.4. The black half-ellipses denote the monitors. Monitors are in charge of 1/ providing the additional protocols if asynchronous communication media are to be used, and 2/ specifying the scheduling of the abstract tasks.

[Figure 2 (not recoverable from the extraction): each original module is shown with its tasks and a monitor labelled "protocols + scheduling".]

Figure 2: Implementation architecture.
In principle, communication media and real-time kernels do not need
to be specied here, as they can be used freely provided they respect the
send-receive abstract communication model and conform to the scheduling
constraints set by the monitors.
4 Formal study of desynchronization

How far/close synchrony is from asynchrony has already been discussed in the literature, thus questioning the oversimplified vision of "zero time" computation and instantaneous broadcast communication. The early paper [Benveniste and Berry, 1991] informally discussed the link between perfect synchrony and token-based asynchronous dataflow networks, see in particular section V therein. The first formal and deep study is [Caspi 1992]: a precise relation is established between so-called well-clocked synchronous functional programs and the subset of Kahn networks amenable to "bufferless" evaluation.

Distributed code generation from synchronous programs requires addressing the issue of the relationship between synchrony and asynchrony in some way or another. Mapping synchronous programs to a network of automata, communicating asynchronously via unbounded fifos, has been proposed in [Caillaud et al., 1997]. Mapping Signal programs to distributed architectures was proposed in [Maffeis and LeGuernic, 1994, Aubry 1997], based on an early version of the theory we present in this paper. The SynDEx tool [Sorel and Lavarenne, Sorel 1996] also implements a similar approach. Recent work [Berry and Sentovich 1998] on the Polis system proposes to reuse the "constructive semantics" approach for the Esterel synchronous language, with CFSM (Codesign Finite State Machines) as a model of synchronous machines which can be desynchronized.

Independently, another route to relate synchrony and asynchrony has been followed. In [Benveniste and LeGuernic 1990, LeGuernic et al., 1991] it was shown how nondeterministic Signal programs can be used to model asynchronous communication media such as queues, buffers, etc. Reactive Modules were proposed [Alur and Henzinger 1996] as a synchronous language for hardware modelling, in which asynchrony is emulated by way of nondeterminism. Although this is of interest, we believe this approach is not suited to analyze true asynchrony, in which no notion of a global state is available, unlike for synchrony.

We first informally discuss the essentials of asynchrony. Synchronous Transition Systems were defined in section 2.2, and their asynchronous counterpart is defined in subsection 4.1, where desynchronization is also formally defined. The rest of this section is devoted to the analysis of desynchronization and its inverse, namely resynchronization.
4.1 Desynchronizing sts, and two fundamental problems

We first start with an informal discussion, following the discussion of subsection 2.1. Keeping in mind the essentials of the synchronous paradigm, we are now ready to discuss informally how asynchrony relates to synchrony. Referring to points 1, 2, and 3 of the discussion of subsection 2.1, the following can be stated about asynchrony:

1. Reactions cannot be observed any more: as no global clock exists, the global synchronization barriers which indicate the transition from one reaction to the next one are no longer available. Instead, we only assume a reliable distributed communication medium, in which messages are not lost, and messages within each individual channel are sent and delivered in the same order. We call such a totally ordered sequence of messages a flow.

2. Absence cannot be sensed, and thus cannot be used to exercise control.

3. Composition occurs by means of separately unifying each common flow of the two components. This models in particular communications via asynchronous unbounded fifos, such as used, say, in Kahn networks. Rendez-vous types of communication can also be abstracted in this way.

From the definition (1) of a run of an sts, we can say that a run is a sequence of tuples of values in domains extended with the extra symbol $\bot$. Desynchronizing a run amounts to discarding the synchronization barriers defining the successive reactions. Hence, for each variable $v \in V$, we only know the ordered sequence of present values. Thus desynchronizing a run amounts to mapping a sequence of tuples of values in domains extended with the extra symbol $\bot$ into a tuple of sequences of present values, one sequence per variable. This is formalized next.
For $\sigma : s_0, s_1, s_2, \ldots$ a run for $\Phi$, we decompose state $s_k$ as
\[ s_k = (s_k[v])_{v \in V} . \]
Thus we can rewrite run $\sigma$ as follows:
\[ \sigma = (\sigma[v])_{v \in V}, \quad \text{where } \sigma[v] = s_0[v],\ s_1[v],\ \ldots,\ s_k[v],\ \ldots \]
Now, compress each $\sigma[v]$ by deleting those $s_k[v]$ that are equal to $\bot$. Formally, we denote by $k_0, k_1, k_2, \ldots$ the subsequence of $k = 0, 1, 2, \ldots$ such that $s_k[v] \neq \bot$. Then we set
\[ \sigma^a = (\sigma^a[v])_{v \in V}, \quad \text{where } \sigma^a[v] = s_{k_0}[v],\ s_{k_1}[v],\ s_{k_2}[v],\ \ldots \]
This defines the desynchronization mapping
\[ \sigma \mapsto \sigma^a , \tag{22} \]
where each $\sigma^a[v] = s_{k_0}[v], s_{k_1}[v], s_{k_2}[v], \ldots$ is called a flow in the sequel.

For $\Phi = \langle V, \Theta, \rho \rangle$ an sts, we define
\[ \Phi^a \stackrel{\text{def}}{=} \langle V, \Sigma^a \rangle , \tag{23} \]
where $\Sigma^a$ is the family of all $\sigma^a$, for $\sigma$ ranging over the set of runs of $\Phi$. For $\Phi_i = \langle V_i, \Theta_i, \rho_i \rangle$, $i = 1, 2$, we define
\[ \Phi_1^a \,\|^a\, \Phi_2^a \stackrel{\text{def}}{=} \langle V, \Sigma^a \rangle , \quad \text{where } \left\{ \begin{array}{l} V = V_1 \cup V_2 \\ \Sigma^a = \Sigma_1^a \wedge^a \Sigma_2^a \end{array} \right. \tag{24} \]
and $\wedge^a$ denotes the conjunction of sets of asynchronous runs, which we define now. For $\sigma_i^a \in \Sigma_i^a$, $i = 1, 2$, we say that $\sigma_1^a$ and $\sigma_2^a$ are unifiable, written
\[ \sigma_1^a \bowtie^a \sigma_2^a , \tag{25} \]
if the following condition holds:
\[ \forall v \in V_1 \cap V_2 : \ \sigma_1^a[v] = \sigma_2^a[v] . \]
If condition (25) holds, then we define $\sigma^a \stackrel{\text{def}}{=} \sigma_1^a \wedge^a \sigma_2^a$ as
\[ \begin{array}{ll} \forall v \in V_1 \cap V_2 : & \sigma^a[v] = \sigma_1^a[v] = \sigma_2^a[v] \\ \forall v \in V_1 \setminus V_2 : & \sigma^a[v] = \sigma_1^a[v] \\ \forall v \in V_2 \setminus V_1 : & \sigma^a[v] = \sigma_2^a[v] \end{array} \]
Finally, $\Sigma^a$ is the set of the so defined $\sigma^a$. Thus asynchronous composition proceeds via unification of shared flows.
Synchrony vs. Asynchrony? At this point two natural questions arise, namely:

Question 1 (desynchronizing a single sts) Is resynchronization feasible and uniquely defined? More precisely, is it possible to uniquely reconstruct the original run $\sigma$ for our sts from its desynchronized version $\sigma^a$ as defined in (22)?

Question 2 (desynchronizing a communication) Does communication behave equivalently for both the synchronous and asynchronous compositions? More precisely, does the following property hold:
\[ \Phi_1^a \,\|^a\, \Phi_2^a = (\Phi_1 \| \Phi_2)^a \ ? \tag{26} \]

If question 1 had a positive answer, then we could desynchronize a run of the considered sts, and then still recover the original synchronous run. Thus a positive answer to question 1 would guarantee the preservation of the synchronous semantics when performing desynchronization, for a single sts. On the other hand, if question 2, i.e. property (26), had a positive answer, then we could interpret our sts composition equivalently as synchronous or asynchronous.

Unfortunately, neither 1 nor 2 have positive answers in general, due to the possibility to exercise control by way of absence in synchronous composition $\|$. In the following section, we show that questions 1 and 2 have positive answers under certain sufficient conditions, in which the two notions of endochrony (for point 1) and isochrony (for point 2) play a central role. (Endochronous, from ancient Greek "endon", inside, and "chronos", time; isochronous, from ancient Greek "isos", identical, and "chronos", time. It is sometimes nice to remember that the ancient Greeks used to be great scientists, and thus to honor them by reusing their words in our context.)
4.2 Endochrony and re-synchronization

4.2.1 Formal results

In this section, we use notations from section 2.2. For $\Phi = \langle V, \Theta, \rho \rangle$ an sts, and $s$ a reachable state of $\Phi$, we denote by $s^h$ the clock-abstraction of $s$, defined by
\[ \forall v \in V : \ s^h[v] \in \{\bot, \top\}, \ \text{and} \ s^h[v] = \bot \Leftrightarrow s[v] = \bot . \tag{27} \]
For $\Phi = \langle V, \Theta, \rho \rangle$ an sts, $s^-$ a reachable previous state for $\Phi$, and $W' \subseteq W \subseteq V$, we say that $W'$ is a clock inference of $W$ given $s^-$, written
\[ W' \hookrightarrow_{s^-} W , \tag{28} \]
if, for each state $s$ reachable from $s^-$ for $\Phi$, knowing the presence/absence and actual value carried by each variable belonging to $W'$ allows us to determine exactly the presence/absence for each variable belonging to $W$. In other words,
\[ s[W'] \ \text{determines} \ s^h[W] . \tag{29} \]
If $W' \hookrightarrow_{s^-} W_1$ and $W' \hookrightarrow_{s^-} W_2$ hold, then $W' \hookrightarrow_{s^-} (W_1 \cup W_2)$ follows, thus there exists a greatest $W$ such that $W' \hookrightarrow_{s^-} W$ holds. Hence we can consider the unique increasing chain, for $s^-$ given,
\[ \emptyset = V(0) \hookrightarrow_{s^-} V(1) \hookrightarrow_{s^-} V(2) \hookrightarrow_{s^-} \ldots \tag{30} \]
of subsets of $V$ such that, for each $k$, $V(k)$ is the greatest set of variables such that $V(k-1) \hookrightarrow_{s^-} V(k)$ holds. As $\emptyset = V(0)$, $V(1)$ consists of the subset of variables that are present as soon as the considered sts gets activated (we assume here, of course, that no variable is absent in every reachable state). Of course chain (30) must become stationary at some finite $k_{\max}$: $V(k_{\max}+1) = V(k_{\max})$. In general, we only know that $V(k_{\max}) \subseteq V$. Chain (30) is called the synchronization chain of $\Phi$.

Definition 1 (endochrony) sts $\Phi$ is said to be endochronous if, for each state $s^-$ reachable for $\Phi$, $V(k_{\max}) = V$, i.e., if the following condition is satisfied: the synchronization chain
\[ \text{(E)} \quad \emptyset = V(0) \hookrightarrow_{s^-} V(1) \hookrightarrow_{s^-} V(2) \hookrightarrow_{s^-} \ldots \ \text{converges to } V . \tag{31} \]
Condition (31) expresses that presence/absence of all variables can be inferred incrementally from already known values carried by present variables and state variables of the sts in consideration. Hence no test for presence/absence on the environment is needed. The following theorem justifies our approach:

Theorem 1 Consider an sts $\Phi = \langle V, \Theta, \rho \rangle$.

1. Conditions (a) and (b) are equivalent, where:
(a) $\Phi$ is endochronous.
(b) For each $\delta \in \Sigma^a$, we can reconstruct the corresponding synchronous run $\sigma$ such that $\sigma^a = \delta$, in a unique way up to silent reactions.

2. Assume $\Phi$ is endochronous and stuttering invariant. If $\Phi' = \langle V, \Theta, \rho' \rangle$ is another endochronous and stuttering invariant sts, then
\[ (\Phi')^a = \Phi^a \ \Rightarrow \ \Phi' = \Phi . \tag{32} \]
Proof: We prove successively points 1 and 2.

1. We fix the previous state $s^-$ and prove the result by induction. Pick a $\delta \in \Sigma^a$, and assume for the moment that we were able to decompose it as:
\[ \underbrace{s_1, s_2, \ldots, s_n}_{n \text{ initial segment of } \sigma} \ ; \ \delta_n \tag{33} \]
i.e., into a finite sequence of length $n$ composed of non-silent states $s_i$ (the head of the synchronous run $\sigma$ we wish to reconstruct), followed by the tail of the asynchronous run $\delta$, which we denote by $\delta_n$, and we assume that such a decomposition is unique. Then we claim that
\[ \text{(33) is also valid with } n \text{ substituted by } n+1 . \tag{34} \]
To prove (34), we note that, when sts $\Phi$ gets activated, then we know that variables belonging to $V(1)$ will be present in the considered state. By assumption, the clock-abstracted state $s^h_{n+1}[V(1)]$, having $V(1)$ as variables, is uniquely determined. In the sequel we write $s^h_{n+1}(1)$ for short instead of $s^h_{n+1}[V(1)]$. Thus, presence/absence of variables for state $s_{n+1}(1)$ is known; it remains to determine the values carried by present variables.

For $v \in V(1)$, we simply pick the value carried by the minimal element of the sequence associated with variable $v$ in $\delta_n$. Values carried by corresponding state variables are updated accordingly. Thus we know all of $s_{n+1}(1)$.

Next we move on to constructing $s_{n+1}(2)$. From $s_{n+1}(1)$ we know $s^h_{n+1}(2)$. Thus we know how to split $V(2)$ into present and absent variables for the considered state. Pick the present ones, and repeat the same argument as before to get $s_{n+1}(2)$.

Repeat this argument until $V(k) = V$ for some finite $k$ (by the endochrony assumption). This proves claim (34).

Given the initial condition for $\Phi$, we get from (34), by induction, the desired proof that (a) $\Rightarrow$ (b).

Next, we prove (b) $\Rightarrow$ (a). We assume that $\Phi$ is not endochronous, and show that condition (b) cannot be satisfied. If $\Phi$ is not endochronous, there must be some reachable state $s^-$ for which chain (31) does not converge to $V$. Thus again we pick a $\delta \in \Sigma^a$, decomposed as for case 1, cf. formula (33):
\[ \underbrace{s_1, s_2, \ldots, s_n}_{n \text{ initial segment of } \sigma} \ ; \ \delta_n \]
and we assume in addition that $s_n = s^-$, the given state for which endochrony is violated. We now show that (34) is disproved. Let $k^* \geq 0$ be the smallest index such that $V(k^*) = V(k^*+1)$; we know $V(k^*) \neq V$. Thus we can apply the algorithm of case 1 for reconstructing the reaction, until the variables of $V(k^*)$. Then presence/absence for variables belonging to $V \setminus V(k^*)$ cannot be determined based on the knowledge of variables belonging to $V(k^*)$. Thus there are several possible extensions for $s^h_{n+1}(k^*+1)$ and thus the $(n+1)$-st reaction is not determined in a unique way. Hence condition (b) is falsified.

2. Assume $\Phi$ is endochronous, and consider $\Phi'$ as in point 2 of the theorem. As both $\Phi$ and $\Phi'$ are stuttering invariant, point 2 is an immediate consequence of point 1. $\square$
Comments.

1. For an sts, endochrony is not decidable in general. It is decidable for sts involving, say, only finite domains for their variables, and model checking can be used for that. For general sts, model checking can be used in combination with abstraction techniques. The case of interest is when the chain $V(0), V(1), \ldots$ does not depend upon the particular state $s^-$, and we write simply $V(k) \hookrightarrow V(k+1)$ in this case.

2. The proof of this theorem in fact provides an effective algorithm for the on-the-fly reconstruction of the successive reactions, for a desynchronized run of an endochronous program.

(Counter)examples.

examples:
- a single-clocked sts.
- sts "if b = t then get u", where $b, u$ are the two inputs, and $b$ is boolean. The clock of $b$ coincides with the activation clock for this sts, and thus $V(1) = \{b\}$. Then, knowing the value of $b$ indicates whether or not $u$ is present, thus $V(2) = \{b, u\} = V$.

counterexample: sts "if ([present a] $\|$ [present b]) then ..." is not endochronous, as the environment is free to offer any combination of presence/absence for the two inputs $a, b$. Thus $\emptyset = V(0) = V(1) = V(2) = \ldots \neq V$, and endochrony does not hold.
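The definitions of subsection 4.1 and the (counter)examples above can be exercised mechanically. The following is an added example (not code from the paper) implementing the desynchronization mapping (22), the synchronization chain (30), the endochrony test of Definition 1, and the reaction-by-reaction reconstruction used in the proof of Theorem 1, for stateless sts (no memory, so the chain does not depend on $s^-$) given as finite sets of reactions. The two sts IF_B_GET_U and PRESENT_A_OR_B are the example and the counterexample above, with the value domain of $u$ cut down to {0, 1}; the reactions, the sample run and all names are constructed for this illustration.

```python
"""Added example, not from the paper: desynchronization (22), the
synchronization chain (30), the endochrony test of Definition 1 and the
reaction-by-reaction reconstruction from the proof of Theorem 1, for
stateless sts given as finite sets of reactions.  Reactions, domains and
names are constructed for the illustration."""
from typing import Dict, FrozenSet, List, Optional

BOT = None                      # the absence symbol
Reaction = Dict[str, Optional[object]]
Sts = List[Reaction]            # stateless sts: the set of its reactions


def desynchronize(run: List[Reaction]) -> Dict[str, list]:
    """sigma -> sigma^a: one flow per variable, keeping the present values
    in order and forgetting the reaction boundaries."""
    variables = set().union(*(set(s) for s in run))
    return {v: [s[v] for s in run if s.get(v) is not BOT] for v in sorted(variables)}


def clock_inference(sts: Sts, w_prime: FrozenSet[str]) -> FrozenSet[str]:
    """Greatest W with W' -> W (28): variables whose presence/absence is the
    same in any two reactions that agree, value and presence, on W'."""
    def same_on_w_prime(r1: Reaction, r2: Reaction) -> bool:
        return all(r1[x] == r2[x] for x in w_prime)

    determined = set()
    for v in sts[0]:
        if all((r1[v] is BOT) == (r2[v] is BOT)
               for r1 in sts for r2 in sts if same_on_w_prime(r1, r2)):
            determined.add(v)
    return frozenset(determined)


def synchronization_chain(sts: Sts) -> List[FrozenSet[str]]:
    """V(0) = empty set, then V(k) -> V(k+1) until stationary (30)."""
    chain = [frozenset()]
    while True:
        nxt = clock_inference(sts, chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def is_endochronous(sts: Sts) -> bool:
    """Definition 1: the chain converges to the whole set of variables."""
    return synchronization_chain(sts)[-1] == frozenset(sts[0])


def resynchronize(sts: Sts, flows: Dict[str, list]) -> List[Reaction]:
    """Rebuild the synchronous run from its flows, following the chain:
    V(1) is read first, its values fix presence on V(2) minus V(1), etc."""
    chain = synchronization_chain(sts)
    if chain[-1] != frozenset(sts[0]):
        raise ValueError("not endochronous: reconstruction is not unique")
    pending = {v: list(f) for v, f in flows.items()}
    run: List[Reaction] = []
    while any(pending[v] for v in chain[1]):        # V(1) is present in every reaction
        state: Reaction = {}
        for k in range(1, len(chain)):
            known = chain[k - 1]
            # any reaction agreeing with the state on V(k-1) has the right
            # presence pattern on V(k) minus V(k-1), by construction of the chain
            witness = next((r for r in sts if all(r[x] == state[x] for x in known)), None)
            if witness is None:
                raise ValueError(f"flows are not a desynchronized run: {state}")
            for v in sorted(chain[k] - known):
                if witness[v] is BOT:
                    state[v] = BOT
                elif pending[v]:
                    state[v] = pending[v].pop(0)
                else:
                    raise ValueError(f"flow of {v!r} ended too early")
        run.append(state)
    if any(pending.values()):
        raise ValueError("unconsumed values left in the flows")
    return run


# Constructed sts.  "if b then get u", with u over the finite domain {0, 1}:
IF_B_GET_U: Sts = [{"b": True, "u": 0}, {"b": True, "u": 1}, {"b": False, "u": BOT}]
# "if ([present a] || [present b]) then ...": any combination is allowed.
PRESENT_A_OR_B: Sts = [{"a": 1, "b": BOT}, {"a": BOT, "b": 1}, {"a": 1, "b": 1}]


def round_trip(sts: Sts, run: List[Reaction]) -> bool:
    """Does desynchronizing and then resynchronizing give the run back?"""
    return resynchronize(sts, desynchronize(run)) == run


if __name__ == "__main__":
    print(synchronization_chain(IF_B_GET_U))      # [empty, {b}, {b, u}]
    print(synchronization_chain(PRESENT_A_OR_B))  # [empty]: not endochronous
    sample = [{"b": True, "u": 0}, {"b": False, "u": BOT}, {"b": True, "u": 1}]
    print(round_trip(IF_B_GET_U, sample))
```

For the counterexample, the two runs "a present alone, then b present alone" and "a and b present together" desynchronize to the same flows, which is exactly the non-uniqueness that Theorem 1 rules out for endochronous sts; resynchronize refuses that sts rather than guessing one of the runs.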
4.2.2 Practical consequences

A first use of endochrony is shown in the following figure:

[Figure (not recoverable from the extraction): $\Phi_1$ and $\Phi_2$ communicating through $\Psi_{1,2}$.]

In this figure, a pair $(\Phi_1, \Phi_2)$ of sts is depicted, with $W$ as the set of shared variables. Rewrite their composition as follows:
\[ \Phi_1 \| \Phi_2 = \Phi_1 \| \Psi_{1,2} \| \Phi_2 \]
where $\Psi_{1,2}$ is the restriction of $\Phi_1 \| \Phi_2$ to $W$, hence $\Psi_{1,2}$ models the synchronous communication channel. Using the property $\Phi \| \Phi = \Phi$ for every sts $\Phi$, we get
\[ \Phi_1 \| \Phi_2 = \underbrace{(\Phi_1 \| \Psi_{1,2})}_{\tilde{\Phi}_1} \| \underbrace{(\Psi_{1,2} \| \Phi_2)}_{\tilde{\Phi}_2} = \tilde{\Phi}_1 \| \tilde{\Phi}_2 \tag{35} \]
Assume now that the channel model $\Psi_{1,2}$ is endochronous, and that the composition $\Phi_1 \| \Phi_2$ is implemented as the (equivalent) composition $\tilde{\Phi}_1 \| \tilde{\Phi}_2$. Then, as $\tilde{\Phi}_1$ knows channel $\Psi_{1,2}$ and the latter is endochronous, communication can be equivalently implemented according to perfect synchrony or full asynchrony.

This is fine, but it does not extend to networks of sts involving more than two nodes. The following figure shows an example:

[Figure (not recoverable from the extraction): $\Phi_1$ connected to $\Phi$ through $\Psi_1$, and $\Phi$ connected to $\Phi_2$ through $\Psi_2$.]

Assume $\Psi_1, \Psi_2$ are both endochronous. Then communication between $\Phi_1$ and $\Phi$ on the one hand, and between $\Phi$ and $\Phi_2$ on the other hand, can be desynchronized. Unfortunately, communication between $\Phi_1$ and $\Phi_2$ via $\Phi$ cannot, as it is not true in general that $\Psi_1 \| \Phi \| \Psi_2$ is endochronous. The problem is that endochrony is not compositional, hence even ensuring in addition that $\Phi$ itself is endochronous would not do. Thus we would need to ensure that $\Psi_1, \Psi_2$ as well as $\Psi_1 \| \Phi \| \Psi_2$ are all endochronous, not an elegant solution when networks are considered! Thus we move on to introducing the alternative notion of isochrony, which focuses on communication, and is compositional.
4.3 Isochrony, and synchronous and asynchronous compositions

The next result addresses the question of when property (26) holds true. We are given two sts $\Phi_i = \langle V_i, \Theta_i, \rho_i \rangle$, $i = 1, 2$. Denote by $W = V_1 \cap V_2$ the set of their common variables, and by $\Phi = \Phi_1 \| \Phi_2$ their synchronous composition. For $s$ a reachable state in $\Phi$, we denote by $s_1 \stackrel{\text{def}}{=} s[V_1]$ and $s_2 \stackrel{\text{def}}{=} s[V_2]$ the restrictions of state $s$ to $\Phi_1$ and $\Phi_2$, respectively. Note that, for $i = 1, 2$, $s_i$ is a reachable state for $\Phi_i$. Corresponding notations $s^-, s^-_1, s^-_2$ for past states will be used accordingly.
Definition 2 (isochrony) Consider a pair $(\Phi_1, \Phi_2)$ of sts. Transitions of $\Phi_i$, $i = 1, 2$, are written $(s^-_i, s_i)$. Consider the following conditions on pairs $((s^-_1, s_1), (s^-_2, s_2))$ of transitions for $(\Phi_1, \Phi_2)$:

(i) 1. $s^-_1 = s^-[V_1]$ and $s^-_2 = s^-[V_2]$ hold for some reachable state $s^-$ for $\Phi$; in particular $s^-_1$ and $s^-_2$ are unifiable;
2. none of the states $s_i$, $i = 1, 2$, is silent on the common variables, i.e., it is not the case that, for some $i = 1, 2$: $s_i[v] = \bot$ holds $\forall v \in W$;
3. $s_1$ and $s_2$ coincide over the set of present common variables (by convention this is satisfied if the set of present common variables is empty), i.e.:
\[ \forall v \in W : \ ( s_1[v] \neq \bot \ \text{and} \ s_2[v] \neq \bot ) \ \Rightarrow \ s_1[v] = s_2[v] ; \]

(ii) States $s_1$ and $s_2$ coincide over the whole set of common variables, i.e., states $s_1$ and $s_2$ are unifiable:
\[ s_1 = s[V_1] \ \text{and} \ s_2 = s[V_2] \ \text{hold for some state } s \text{ for } \Phi . \]

The pair $(\Phi_1, \Phi_2)$ is called isochronous if condition (i) implies condition (ii), for each pair $((s^-_1, s_1), (s^-_2, s_2))$ of transitions for $(\Phi_1, \Phi_2)$.
Comment. Roughly speaking, the condition of isochrony expresses that unifying over present common variables is enough to guarantee the unification of the two considered states $s_1$ and $s_2$. The condition of isochrony is illustrated in the following figure:

[Figure (not recoverable from the extraction): three circles, showing $s_1[W]$ on the left, $s_2[W]$ on the right, and their superposition in the middle.]

The figure depicts, for unifiable previous states $s^-_1, s^-_2$, corresponding states $s_1, s_2$ where $(s^-_i, s_i)$ is a valid transition for $\Phi_i$. It shows the interpretation of $s_1$ (circle on the left) and $s_2$ (circle on the right) over the shared variables $W$. White and dashed areas represent absent and present values, respectively. The two left and right circles are superimposed in the middle circle. In general, vertically and horizontally dashed areas do not coincide, even if $s_1$ and $s_2$ unify over the subset of shared variables that are present for both transitions (double-dashed area). Pictorially, unification over the double-dashed area does not imply in general that the dashed areas coincide. Isochrony indeed requires that unification over the double-dashed area does imply that the dashed areas coincide, hence unification of $s_1$ and $s_2$ follows. It is interesting to reformulate isochrony in a different way.
Dene the desynchronized conjunction of two transition relations 
1
^
a

2
as follows. For t
1
and t
2
two transitions, we dene asynchronous uniability
t
1
./
a
t
2
by :
t
1
./
a
t
2
i
 
v 2 V
1
\ V
2
; and
t
1
[v] 6= ? and t
2
[v] 6= ?
!
) ( t
1
[v] = t
2
[v] ) (36)
Note that t
1
./
a
t
2
means that transitions t
1
and t
2
are uniable on their
common present ports, regardless of absence (this is just the restriction to
transitions of the denition of ./
a
which was formulated for ows). Denition
(36) is in contrast to synchronous uniability, or uniability for short, t
1
./ t
2
dened by :
t
1
./ t
2
i ( v 2 V
1
\ V
2
)) ( t
1
[v] = t
2
[v] ) (37)
35
which means that transitions t
1
and t
2
are uniable on their common ports,
including presence/absence. Condition (37) corresponds to the conjunction
of transition relations introduced in the denition of sts composition. If
t
1
./
a
t
2
, we can dene t
1
t
a
t
2
by
(t
1
t
a
t
2
)[v]
=
def
if 9i = 1; 2 : ( v 2 V
i
and t
i
[v] 6= ? ) then t
i
[v] else ?
With this in mind, we dene 
1
^
a

2
as follows :

1
^
a

2
= ft
1
t
a
t
2
: t
i
j= 
i
8i = 1; 2 ^ t
1
./
a
t
2
g ;
and isochrony is equivalently reformulated as follows :
Denition 3 (Isochrony, reformulation) Let (
1
;
2
) be a pair of sts
and  = 
1
k 
2
be their parallel composition. The pair (
1
;
2
) is called
isochronous if

1
^ 
2
= 
1
^
a

2
(38)
holds, restricted to the set of reachable states for .
The following theorem justifies introducing this notion of isochrony.

Theorem 2
1. If the pair $(\Phi_1, \Phi_2)$ is isochronous, then it satisfies property (26).
2. Conversely, assume in addition that $\Phi_1$ and $\Phi_2$ are both endochronous. If the pair $(\Phi_1, \Phi_2)$ satisfies property (26), then it is isochronous.

Thus, isochrony is sufficient for (26) to hold, and it is also in fact necessary when the components are endochronous.

Comments:
1. We already discussed the importance of guaranteeing property (26). Now, why is this theorem interesting? Mainly because it replaces condition (26), which involves infinite runs, by condition (I) of isochrony, which only involves a single reaction for the considered pair of sts.
2. Comment 1 for endochrony also applies here.
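Because isochrony is a condition on single reactions, it can be checked by enumeration on finite sts. The following is an added example (not code from the paper) that tests Definition 2 for a pair of stateless sts given as finite sets of reactions, and computes the two conjunctions of Definition 3 so that the reader can see where they diverge. Since the sts have no memory, the previous-state condition (i).1 holds trivially, and condition (i).2 is enforced by skipping reactions that are silent on $W$. The pairs SYNC1/SYNC2 (single-clocked, sharing $x$) and EXCLUSIVE/SIMULTANEOUS (one sts makes $a$ and $b$ mutually exclusive, the other makes them simultaneous) and all names are constructed for this illustration.

```python
"""Added example, not from the paper: Definition 2 (isochrony) checked on
stateless sts given as finite sets of reactions, plus the synchronous and
desynchronized conjunctions of Definition 3.  All sts and names are
constructed for the illustration."""
from typing import Callable, Dict, List, Optional, Set, Tuple

BOT = None                      # the absence symbol
Reaction = Dict[str, Optional[object]]
Sts = List[Reaction]


def shared(s1: Sts, s2: Sts) -> Set[str]:
    """W = V1 intersected with V2."""
    return set(s1[0]) & set(s2[0])


def silent_on(t: Reaction, w: Set[str]) -> bool:
    return all(t[v] is BOT for v in w)


def async_unifiable(t1: Reaction, t2: Reaction, w: Set[str]) -> bool:
    """(36): agreement on the common variables present on both sides."""
    return all(t1[v] == t2[v] for v in w if t1[v] is not BOT and t2[v] is not BOT)


def sync_unifiable(t1: Reaction, t2: Reaction, w: Set[str]) -> bool:
    """(37): agreement on all common variables, absence included."""
    return all(t1[v] == t2[v] for v in w)


def join_async(t1: Reaction, t2: Reaction) -> Reaction:
    """t1 joined with t2 (the square-cup operator): the present value where
    either side has one, absence otherwise."""
    return {v: t1.get(v) if t1.get(v) is not BOT else t2.get(v)
            for v in set(t1) | set(t2)}


def _conjunction(s1: Sts, s2: Sts,
                 unifiable: Callable[[Reaction, Reaction, Set[str]], bool]) -> List[Reaction]:
    # reactions silent on W are left out, as in condition (i).2 of Definition 2
    w = shared(s1, s2)
    return [join_async(t1, t2) for t1 in s1 for t2 in s2
            if not silent_on(t1, w) and not silent_on(t2, w) and unifiable(t1, t2, w)]


def sync_conjunction(s1: Sts, s2: Sts) -> List[Reaction]:
    """rho1 and rho2: pairs unifiable on W including presence/absence."""
    return _conjunction(s1, s2, sync_unifiable)


def async_conjunction(s1: Sts, s2: Sts) -> List[Reaction]:
    """rho1 and^a rho2: pairs unifiable on present common variables only."""
    return _conjunction(s1, s2, async_unifiable)


def isochrony_violations(s1: Sts, s2: Sts) -> List[Tuple[Reaction, Reaction]]:
    """Pairs satisfying condition (i) of Definition 2 but not (ii)."""
    w = shared(s1, s2)
    return [(t1, t2) for t1 in s1 for t2 in s2
            if not silent_on(t1, w) and not silent_on(t2, w)
            and async_unifiable(t1, t2, w) and not sync_unifiable(t1, t2, w)]


def is_isochronous(s1: Sts, s2: Sts) -> bool:
    return not isochrony_violations(s1, s2)


def same_reactions(a: List[Reaction], b: List[Reaction]) -> bool:
    """Equality of two conjunctions as sets of reactions, i.e. (38)."""
    return {frozenset(r.items()) for r in a} == {frozenset(r.items()) for r in b}


# Constructed pairs.  Single-clocked: y and z share the clock of x.
SYNC1: Sts = [{"x": BOT, "y": BOT}, {"x": 1, "y": 2}, {"x": 2, "y": 3}]
SYNC2: Sts = [{"x": BOT, "z": BOT}, {"x": 1, "z": 2}, {"x": 2, "z": 4}]
# Exclusive vs simultaneous presence of a and b: the two sts only ever
# agree by absence, which the asynchronous side cannot observe.
EXCLUSIVE: Sts = [{"a": 1, "b": BOT}, {"a": BOT, "b": 1}]
SIMULTANEOUS: Sts = [{"a": 1, "b": 1}, {"a": BOT, "b": BOT}]


if __name__ == "__main__":
    print(is_isochronous(SYNC1, SYNC2), is_isochronous(EXCLUSIVE, SIMULTANEOUS))
    print(sync_conjunction(EXCLUSIVE, SIMULTANEOUS))    # []: synchronous deadlock
    print(async_conjunction(EXCLUSIVE, SIMULTANEOUS))   # what an asynchronous medium would accept
```

For the single-clocked pair the two conjunctions coincide and no violation is found. For the exclusive/simultaneous pair the synchronous conjunction is empty (no pair of reactions unifies once absence counts, so the synchronous composition deadlocks) whereas the desynchronized conjunction accepts the reaction with $a = 1$ and $b = 1$; this is precisely the absence-based control that an asynchronous medium cannot see, and the pair is not isochronous.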
Proof: We successively prove points 1 and 2.

1. Isochrony implies property (26). We proceed in two steps.

1. The desynchronization of $\Phi$, defined by (23), is denoted by $\Phi^a$, and we denote by $\delta$ a run of $\Phi^a$. For each $\delta \in \Sigma^a$, there is at least one corresponding synchronous run $\sigma$ for $\Phi$ such that $\delta = \sigma^a$. Any such $\sigma$ is clearly the synchronous composition of two unifiable runs $\sigma_1$ and $\sigma_2$ for $\Phi_1$ and $\Phi_2$, respectively. Hence the associated asynchronous runs $\sigma_1^a$ and $\sigma_2^a$ are also unifiable, and their asynchronous composition $\sigma_1^a \wedge^a \sigma_2^a$ belongs to $\Sigma_1^a \wedge^a \Sigma_2^a$. Thus we always have the inclusion
\[ \Phi_1^a \,\|^a\, \Phi_2^a \ \supseteq \ (\Phi_1 \| \Phi_2)^a , \tag{39} \]
which proves the first part of (26). So far we have only used the definition of desynchronization and asynchronous composition; isochrony has not yet been used.
2. To prove the opposite inclusion, we need to prove that, when moving from asynchronous composition to the synchronous one, the additional need for a reaction-per-reaction matching of unifiable runs will not result in rejecting pairs of runs that otherwise would be unifiable in the asynchronous sense. This is where condition (I) of isochrony enters the game.

Pick a pair $(\varsigma_1, \varsigma_2)$ such that $\varsigma_1 \bowtie_a \varsigma_2$ (cf. (25)): they can be combined while performing the asynchronous composition $\Phi^a_1 \parallel_a \Phi^a_2$ to form some $\varsigma$ (cf. (24)); this is denoted by $\varsigma_1 \wedge_a \varsigma_2 = \varsigma$. By definition of desynchronization (cf. subsection 4.1), there exist a (synchronous) run $\sigma_1$ for $\Phi_1$, and a (synchronous) run $\sigma_2$ for $\Phi_2$, such that $\varsigma_i$ is obtained by desynchronizing $\sigma_i$, $i = 1, 2$ (as we do not assume endochrony at this point, run $\sigma_i$ is not uniquely determined). Thus each run $\sigma_i$ is a succession of states. Clearly, inserting finitely many silent states between successive states of $\sigma_i$ would also provide valid candidates for recovering $\varsigma_i$ after desynchronization. We shall show, by induction over successive states, that:

properly inserting such a silent state in the appropriate component will provide two runs which are unifiable in the synchronous sense. (40)
This will show that, from a pair $(\varsigma_1, \varsigma_2)$ such that $\varsigma_1 \bowtie_a \varsigma_2$, we can reconstruct (at least) one pair $(\sigma_1, \sigma_2)$ of runs for $\Phi_1$ and $\Phi_2$ that are unifiable in the synchronous sense, and thus will prove the alternative inclusion
$$\Phi^a_1 \parallel_a \Phi^a_2 \;\subseteq\; (\Phi_1 \parallel \Phi_2)^a. \tag{41}$$
From (39) and (41) we then deduce property (26). We prove (40) now, by induction over successive states.
We are given a pair $(\varsigma_1, \varsigma_2)$ such that $\varsigma_1 \bowtie_a \varsigma_2$. Pick a $\sigma_1$ such that $\sigma^a_1 = \varsigma_1$, and similarly for $\sigma_2$. For $s_1, s_2, \ldots, s_n$ a finite run, we say that another run $s'_1, s'_2, \ldots, s'_m$ is a stretching of $s_1, s_2, \ldots, s_n$, written
$$s'_1, s'_2, \ldots, s'_m \;=\; (s_1, s_2, \ldots, s_n)^{\uparrow} \tag{42}$$
if there is a strictly increasing subsequence $k_1, \ldots, k_n$ of $1, \ldots, m$ such that $s'_{k_j} = s_j$, $j = 1, \ldots, n$, and $s'_k = \bot$ for $k \neq k_1, \ldots, k_n$. Note that (42) implies $m \geq n$. Using notation (42) we introduce the following hypothesis, for use in our inductive reasoning: for $i = 1, 2$, run $\sigma_i$ decomposes as
$$\sigma_i \;=\; \underbrace{s_{i,1}, s_{i,2}, \ldots, s_{i,n_i}}_{\text{initial segment of length } n_i},\; \sigma_{i,n_i} \tag{43}$$
and there are stretchings such that
$$\begin{aligned} s'_{i,1}, s'_{i,2}, \ldots, s'_{i,n} &= (s_{i,1}, s_{i,2}, \ldots, s_{i,n_i})^{\uparrow} \quad \text{for } i = 1, 2 \\ s'_{1,m} &\bowtie s'_{2,m} \quad \text{for } m = 1, \ldots, n \end{aligned} \tag{44}$$
Note that (44) implies $\sigma^a_{1,n_1} \bowtie_a \sigma^a_{2,n_2}$. Define the index
$$\mathit{index}(n) = \min\{n_1, n_2\}$$
where $n_i$ is defined in (43). To perform the proof by induction, we need to extend (43, 44) in such a way that $\mathit{index}(n)$ grows to infinity. To this end, decompose the tail $\sigma_{i,n_i}$ into
$$\sigma_{i,n_i} \;=\; s_{i,n_i+1},\; \sigma_{i,n_i+1}.$$
The following cases can occur:
case 1: none of the two states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ is silent over the common $W$ variables. Concentrate on those $v \in W$ variables that are present in both states $s_{1,n_1+1}$ and $s_{2,n_2+1}$. As $\varsigma_1 \bowtie_a \varsigma_2$ holds, we must have $s_{1,n_1+1}[v] = s_{2,n_2+1}[v]$ for any such $v$. Thus points 1, 2, 3 of condition (I) of isochrony are satisfied. Hence $s_{1,n_1+1}$ and $s_{2,n_2+1}$ are indeed unifiable in this case, by isochrony. Therefore, in this case, hypothesis (43, 44) extends in such a way that $\mathit{index}(n+1) = \min\{n_1+1, n_2+1\} = \mathit{index}(n) + 1$ holds.

case 2: both states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ are silent over the common $W$ variables. They are unifiable. Again, hypothesis (43, 44) extends in such a way that $\mathit{index}(n+1) = \mathit{index}(n) + 1$ holds.

case 3: one and only one of the two states $s_{1,n_1+1}$ and $s_{2,n_2+1}$ is silent over the common $W$ variables, say $\forall v \in W : s_{1,n_1+1}[v] = \bot$. In this case we unify state $s_{1,n_1+1}$ with the silent state $\bot$ for $\Phi_2$. Thus the matching hypothesis (44) is extended as:
$$\begin{aligned} s'_{1,1}, s'_{1,2}, \ldots, s'_{1,n}, s'_{1,n+1} &= (s_{1,1}, s_{1,2}, \ldots, s_{1,n_1}, s_{1,n_1+1})^{\uparrow} \\ s'_{2,1}, s'_{2,2}, \ldots, s'_{2,n}, \underbrace{\bot}_{s'_{2,n+1}} &= (s_{2,1}, s_{2,2}, \ldots, s_{2,n_2})^{\uparrow} \\ s'_{1,m} &\bowtie s'_{2,m} \quad \text{for } m = 1, \ldots, n+1. \end{aligned} \tag{45}$$
Therefore $\mathit{index}(n+1) = \min\{n_1+1, n_2\}$ and we cannot infer that $\mathit{index}(n+1) > \mathit{index}(n)$ holds in this case.

Given the analysis above, we only need to show that

case 3 cannot occur for infinitely many successive induction steps. (46)

Assume (46) does not hold. Then this implies that the whole tail $\sigma_{1,n_1}$ is silent over the common $W$ variables, while $\sigma_{2,n_2}$ is not. But on the other hand we should have $\sigma^a_{1,n_1} \bowtie_a \sigma^a_{2,n_2}$, see (44), whence a contradiction. This finishes the induction proof, hence (41) follows.
2. Under endochrony of the components, property (26) implies isochrony. This is easy. From Theorem 1 we know that, in our argument for proving point 1 of Theorem 2, the synchronous runs $\sigma_i$ are uniquely defined, up to silent states, from their desynchronized respective versions $\sigma^a_i$. Now, focus on case 1 of this argument. If isochrony is not satisfied, then, for some pair $\sigma^a_1 \bowtie_a \sigma^a_2$ of unifiable asynchronous runs, and some decomposition (43) of them, it follows that points 1, 2, 3 of condition (I) of isochrony are satisfied, but states $s_{1,n+1}$ and $s_{2,n+1}$ are not unifiable. As our only possibility is to try to insert silent states for one of the two components (not feasible in case 1), our process of incremental unification on a per reaction basis fails. Thus (41) is violated, and so is property (26). This finishes the proof of the theorem. $\square$
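The reaction-per-reaction matching that the induction above constructs (cases 1, 2 and 3, preceded by the asynchronous unifiability check $\bowtie_a$), as an added runnable illustration; this is example code written for this edit, not code from the paper. States are Python dicts, absence $\bot$ is modelled by None, the common variable set $W$ is passed explicitly, and the sample runs are constructed here.

```python
"""Reconstructing reaction-per-reaction matched runs from asynchronously
unifiable ones, following cases 1, 2 and 3 of the proof of Theorem 2.
Illustration written for this edit, not the paper's code.  A state is a
dict {variable: value}; None plays the role of the silent/absent value."""

ABSENT = None


def flow(run, var):
    """Flow of `var` along a run: its present values, in order."""
    return [s[var] for s in run if s.get(var, ABSENT) is not ABSENT]


def async_unifiable(run1, run2, common):
    """sigma_1^a bowtie_a sigma_2^a: identical flows on every common variable."""
    return all(flow(run1, v) == flow(run2, v) for v in common)


def silent_over(state, common):
    """True when the state is silent (absent) over all common variables W."""
    return all(state.get(v, ABSENT) is ABSENT for v in common)


def sync_unifiable(s1, s2, common):
    """s1 bowtie s2: the states coincide, absence included, over W."""
    return all(s1.get(v, ABSENT) == s2.get(v, ABSENT) for v in common)


def stretch_and_match(run1, run2, common):
    """Return stretchings (42) of run1 and run2 matched reaction by reaction
    (hypothesis (44)), or None when the incremental unification fails, which
    for endochronous components is the non-isochronous situation of point 2."""
    if not async_unifiable(run1, run2, common):
        return None
    silent1 = {v: ABSENT for s in run1 for v in s}  # silent state of component 1
    silent2 = {v: ABSENT for s in run2 for v in s}  # silent state of component 2
    out1, out2 = [], []
    i = j = 0
    while i < len(run1) or j < len(run2):
        # a finite run is padded with silent states once it is exhausted
        s1 = run1[i] if i < len(run1) else silent1
        s2 = run2[j] if j < len(run2) else silent2
        sil1, sil2 = silent_over(s1, common), silent_over(s2, common)
        if not sil1 and not sil2:
            # case 1: both non-silent over W.  Present common variables agree
            # by bowtie_a; isochrony is what makes the states unifiable.  If
            # they are not, no silent state may be inserted and matching fails.
            if not sync_unifiable(s1, s2, common):
                return None
            out1.append(s1); out2.append(s2)
            i += 1; j += 1
        elif sil1 and sil2:
            # case 2: both silent over W, trivially unifiable
            out1.append(s1); out2.append(s2)
            i += 1; j += 1
        elif sil1:
            # case 3: pair the silent state of run 1 with an inserted silent
            # state for component 2; run 2 does not advance
            if i >= len(run1):
                return None  # cannot happen when the flows agree
            out1.append(s1); out2.append(silent2)
            i += 1
        else:
            # case 3, symmetric
            if j >= len(run2):
                return None
            out1.append(silent1); out2.append(s2)
            j += 1
    return out1, out2


def compose(out1, out2):
    """Synchronous composition of matched runs: unify the states pairwise."""
    return [{**a, **b} for a, b in zip(out1, out2)]


# Constructed sample runs (not taken from the paper).  Component 1 owns
# {x, y}, component 2 owns {y, z}; the common variable set W is {y}.
RUN_1 = [{"x": 1, "y": 1}, {"x": 2, "y": ABSENT}, {"x": 3, "y": 2}]
RUN_2 = [{"y": 1, "z": 0}, {"y": 2, "z": 5}, {"y": ABSENT, "z": 7}]
COMMON = {"y"}

# Asynchronously unifiable (same flows for y and w), yet the first states are
# both non-silent over W, agree on the present variable y and disagree on the
# presence of w: case 1 fails, as in a non-isochronous pair.
BAD_1 = [{"y": 1, "w": ABSENT}, {"y": ABSENT, "w": 2}]
BAD_2 = [{"y": 1, "w": 2}]
BAD_COMMON = {"y", "w"}

if __name__ == "__main__":
    matched = stretch_and_match(RUN_1, RUN_2, COMMON)
    for a, b in zip(*matched):
        print(a, "|", b)
    print(compose(*matched))
    print(stretch_and_match(BAD_1, BAD_2, BAD_COMMON))
```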
The following result is instrumental in proving compositionality of isochrony.

Lemma 1 If the pairs $(\Psi, \Phi_1)$ and $(\Psi, \Phi_2)$ are isochronous, then so is the pair $(\Psi, \Phi_1 \parallel \Phi_2)$.
Proof: Let $(s^{-}, s)$ and $(t^{-}, t)$ be pairs of successive states, for $\Psi$ and $\Phi_1 \parallel \Phi_2$ respectively, satisfying condition (I) for isochrony, see Definition 2 or 3. Let $t$ be the unification of the two states $s_1$ and $s_2$ for $\Phi_1$ and $\Phi_2$, respectively. By point 2 of (I), at least one of these two states is not silent; assume $s_1$ is not silent. From point 3 of (I), $s$ and $s_1$ coincide over the set of present common variables, and thus, since the pair $(\Psi, \Phi_1)$ is isochronous, states $s$ and $s_1$ coincide over the whole set of common variables for $\Psi$ and $\Phi_1$. Thus $s$ and $s_1$ are unifiable. But, on the other hand, $s_1$ and $s_2$ are also unifiable since they are just restrictions of the same global state $t$ for $\Phi_1 \parallel \Phi_2$. Thus states $s$ and $t$ are unifiable, and thus the pair $(\Psi, \Phi_1 \parallel \Phi_2)$ is isochronous. This proves Lemma 1. $\square$
An interesting immediate byproduct is the extension of the results on desynchronization to networks of communicating synchronous components:

Corollary 1 (desynchronizing a network of components) We are given a finite family $(\Phi_k)_{k = 1, \ldots, K}$ of sts. Assume that each pair $(\Phi_k, \Phi_{k'})$ is isochronous. Then

1. For each pair of disjoint subsets $I$ and $J$ of the set $\{1, \ldots, K\}$, the pair
$$\Bigl(\; \big\|_{k \in I}\, \Phi_k \;,\; \big\|_{k' \in J}\, \Phi_{k'} \;\Bigr) \tag{47}$$
is isochronous. Thus isochrony is compositional.

2. Also, desynchronization extends to the network:
$$(\Phi_1 \parallel \cdots \parallel \Phi_K)^a \;=\; \Phi^a_1 \parallel_a \cdots \parallel_a \Phi^a_K. \tag{48}$$
Proof:
1. Property (47) follows from Lemma 1 via an obvious induction on the cardinality of the sets $I, J$.
2. The second statement is proved via induction on the number of components:
$$(\Phi_1 \parallel \cdots \parallel \Phi_K)^a \;=\; \bigl( (\Phi_1 \parallel \cdots \parallel \Phi_{K-1}) \parallel \Phi_K \bigr)^a \;=\; (\Phi_1 \parallel \cdots \parallel \Phi_{K-1})^a \parallel_a \Phi^a_K,$$
and the induction step follows from (47). $\square$
The next corollary expresses that isochrony is a "local" property.

Corollary 2 (locality of isochrony) Assume the pair $(\Phi_1, \Phi_2)$ is isochronous, and the pair $(\Psi_1, \Psi_2)$ is such that $\Psi_1$ has no common variable with $\Phi_2 \parallel \Psi_2$ and $\Psi_2$ has no common variable with $\Phi_1 \parallel \Psi_1$. Then the pair $(\Psi_1 \parallel \Phi_1,\; \Phi_2 \parallel \Psi_2)$ is also isochronous.

Proof: This follows directly from Lemma 1. $\square$
This is a useful result: it says that, in order for a pair $(\, \big\|_{k \in I} \Phi_k \;,\; \big\|_{k' \in J} \Phi_{k'} \,)$ to be isochronous, it is enough to check isochrony for the pairs $(\Phi_k, \Phi_{k'})$ of interacting components.

Note however that, in order for a pair $(\Psi_1 \parallel \Phi_1,\; \Phi_2 \parallel \Psi_2)$ to be isochronous, it is not necessary, but only sufficient, that the pair $(\Phi_1, \Phi_2)$ is isochronous.
(Counter)examples.

examples:
• a single-clocked communication between two sts.
• the pair $(\tilde\Phi_1, \tilde\Phi_2)$ of formula (35).

counterexample: assume an sts communicates with another one according to the synchronous protocol "await x $\parallel$ await y"; the resulting pair of sts is not isochronous.
4.4 Getting gals architectures

In practice, only partial desynchronization of networks of communicating sts may be considered. This means that we really want to have locally synchronous components communicating via a globally asynchronous communication medium; this is referred to as gals architectures.

In fact, Theorems 1 and 2 provide the adequate solution. Let us assume we have a finite collection $\Phi_i$ of sts such that:
1. each $\Phi_i$ is endochronous, and
2. each pair $(\Phi_i, \Phi_j)$ is isochronous.

Then, from Corollary 1 and Theorem 1, we know that
$$(\Phi_1 \parallel \cdots \parallel \Phi_K)^a \;=\; \Phi^a_1 \parallel_a \cdots \parallel_a \Phi^a_K$$
and each $\Phi^a_k$ is in one-to-one correspondence with its synchronous counterpart $\Phi_k$. Here is the resulting running mode for this gals architecture:
• For communications involving a pair $(\Phi_i, \Phi_j)$ of sts, each flow is preserved individually, but global synchronization is lost.
• Each sts $\Phi_i$ reconstructs its own successive reactions by just observing its (desynchronized) environment, and then locally behaves as a synchronous sts.
• Note that it is allowed, for each $\Phi_i$, to have an internal activation clock which is faster than the communication clocks. The resulting local activation clocks evolve asynchronously from one another.
4.5 Handling endo/isochrony in practice

While we have given criteria for endochrony and isochrony, we did not propose a practical algorithm for checking these criteria. We do this now. Our aim is to prepare for gals architectures such as discussed in subsection 4.4. In particular, throughout this subsection, a network of sts satisfying conditions 1 and 2 of subsection 4.4 will be called endo/isoch­ronous.

In this subsection, we shall indicate 1/ how a (tight) sufficient condition for endo/isochrony can be actually tested, and 2/ how making an sts endo/isochronous can be performed. As both the Dc$^+$ format and the Signal language can be considered as concrete instances of our sts model, we shall rely for our explanation on tools and algorithms already developed in these environments.

[Figure 3: The clock hierarchy computed by the Dc$^+$ or Signal compiler. The figure shows the roots $h_0$ and $k_0$, booleans $b_1, b_2, \ldots$ with their clocks $[b_1], [b_2], \ldots$ under $h_0$, and booleans $c_1, c_2, \ldots$ with their clocks $[c_1], [c_2], \ldots$ under $k_0$.]
4.5.1 Checking endo/isochrony

As one of the modules of the existing Dc$^+$ or Signal compiler, the data structure shown in Figure 3 is computed, for a given program $P$. In this figure, $b, c$ denote boolean variables, and $[b], [c]$ denote the clocks composed of the instants at which $b = \mathbf{t}$ (resp. $c = \mathbf{t}$) holds. Finally, $h, k$ are also clocks. The down-arrows $h_0 \to b_1$, $[b_1] \to b_2$, $[b_2] \to b_3$, etc., indicate that boolean variable $b_1$ has a clock equal to $h_0$ and only needs variables with clock $h_0$ for its evaluation, and so on. Roots of the trees are related by clock equations, depicted for instance by the bidirectional arrow relating $h_0$ and $k_0$. This defines a tree under each clock $h_0, k_0, \ldots$, and yields the so-called clock hierarchy in the form of a "forest", i.e., a collection of trees related by clock equations. This structure is detailed in [Amagbegnon et al., 1994] [Amagbegnon et al., 1995], where it is shown to be a canonical representation of the combination of clock equations and scheduling specifications of a program. Now, considering this clock hierarchy, one easily proves the following:
Theorem 3 Assume program $P$ has a clock hierarchy consisting of a single tree. Also assume it is decomposed as $P = P_1 \parallel \cdots \parallel P_K$, and, for each $k$, the clock hierarchy of component $P_k$ is a subtree of the clock tree of $P$. Then the corresponding network of sts is endo/isochronous.

Theorem 3 is an immediate corollary of Theorem 1 of section 4; it only states a sufficient condition. In computing a clock hierarchy, the abstractions performed are twofold: 1/ inferring dependencies from causality analysis, and 2/ abstracting boolean variables which result from the evaluation of a predicate involving a non-boolean expression. In practice, we shall use the clock hierarchy as the practical criterion for checking endo/isochrony.
4.5.2 Enforcing endo/isochrony

Assume we have an sts $P$ having a clock hierarchy which is not a tree, and we still want it to be a tree. What can we do? As revealed by inspecting the previous figure, it is sufficient to make the roots $h_0, k_0, \ldots$ of the clock hierarchy belong to some single clock tree. In other words, we can concentrate on the roots of the clock hierarchy. Thus the problem can be restated as follows:

We are given a set $h_1, \ldots, h_k$ of clocks, which are related by a set of clock equations of the form:
$$\begin{aligned} p_1(h_1, \ldots, h_k) &\neq \mathbf{f} \\ &\ldots \\ p_q(h_1, \ldots, h_k) &\neq \mathbf{f} \end{aligned} \tag{49}$$
This corresponds to having a collection $p_1, \ldots, p_q$ of predicates on clocks, which are boolean-valued expressions that are either true or absent. Note that being always true is the case for predicates in classical boolean logic, while in our case, due to the requirement for stuttering robustness, we must accept the possibility for a "clock predicate" to be absent. Systems of equations of the form (49) can be solved for their variables $h_1, \ldots, h_k$, meaning that we can find a set $h^o_1, \ldots, h^o_l$ of clocks, and a set $p^o_1, \ldots, p^o_k$ of clock expressions, such that the equation system
$$\begin{aligned} h_1 &= p^o_1(h^o_1, \ldots, h^o_l) \\ &\ldots \\ h_k &= p^o_k(h^o_1, \ldots, h^o_l) \end{aligned} \tag{50}$$
has the same set of solutions for $h_1, \ldots, h_k$ as the original system (49), and the new clocks $h^o_1, \ldots, h^o_l$ are free, i.e., unconstrained by the system of equations (50). Finally, we introduce boolean variables $b^o_1, \ldots, b^o_l$, and a "master clock" $h^o$, such that
$$\begin{aligned} h^o_1 &= [b^o_1],\; \ldots,\; h^o_l = [b^o_l] \\ h_{b^o_1} &= \cdots = h_{b^o_l} = h \end{aligned} \tag{51}$$
The bottom line is:
1. The system of clock equations (49) is equivalent to (50, 51) after hiding the auxiliary variables $h, b^o_1, \ldots, b^o_l$.
2. System (50, 51) is a clock tree.

Discussion. Basically, building (51, 50) from (49) intuitively corresponds to equipping the original program $P$ with a suitable communication protocol $Q$ in such a way that the compound program $P \parallel Q$ is endo/isochronous. This is not surprising indeed, for it is known in the area of distributed systems that components in a distributed system must be equipped with suitable protocols for their communications.

Finally, the way we moved from (49) to (50) reveals one unpleasant feature of this technique, namely: this part of the process is not unique, and thus there are possibly many different correct protocols.
5 Formal study of causality

In this section we develop a formal theory of causality for sts. Our basic tool is that of scheduling specifications and labelled preorders. We first formalize this, by adding the value unknown to our domains, like in the Constructive Boolean logic used in [Berry and Sentovich 1998]. Using this extended domain, we are able to formally state and prove our criterion that circuit-freedom implies executability. Then we formalize the rules (R-1,2,3,4) of (21), and we finally show how correct deterministic execution results from a successful causality analysis.
5.1 Encoding scheduling specifications using an algebraic domain

In this section, we consider the following domain $D$ and its two orderings $\sqsubseteq$ and $<$ as an abstraction of arbitrary domains of values:
$$D \;=\; \{\; ?\;;\; \overbrace{\bot\;;\; \underbrace{\mathbf{f}, \mathbf{t}}_{\top}}^{\top} \;\} \tag{52}$$
$$? \sqsubseteq \bot, \mathbf{f}, \mathbf{t} \qquad\qquad \bot < \mathbf{f} < \mathbf{t} \tag{53}$$
In these formulas, the symbols $?$ (resp. $\top$) indicate that the value is "unknown" (resp. "known"). The "unknown" status should not be confused with absence ($\bot$): absence is a perfectly known status, while "unknown" is intended to model that a variable has not been produced yet in the current reaction. Non-boolean types are abstracted as the single distinguished element $\top$; hence, for booleans, the pair $\{\mathbf{f}, \mathbf{t}\}$ can be seen as a refinement of the symbol $\top$, as shown by the underbrace. And $\{\bot, \top\}$ is a refinement of $\top$, as shown by the overbrace. Ordering $<$ has already been introduced, and the additional partial order $\sqsubseteq$ is the Scott information ordering: $? \sqsubseteq \bot, \mathbf{f}, \mathbf{t}$, the three values $\bot, \mathbf{f}, \mathbf{t}$ being incomparable with respect to $\sqsubseteq$.

Definition: Relation $x \xrightarrow{b} y$ is defined in Table 1, where it is specified in the form of a multivalued function. Its main feature is that it forbids, whenever $b = \mathbf{t}$, that $y$ gets known while $x$ is not.
Properties of scheduling specifications. The following properties hold: if $b, c \neq ?$, then:
$$\begin{aligned} x \xrightarrow{b} y \;\wedge\; y \xrightarrow{c} z \;&\Rightarrow\; x \xrightarrow{b \wedge c} z \\ x \xrightarrow{b} y \;\wedge\; x \xrightarrow{c} y \;&\Rightarrow\; x \xrightarrow{b \vee c} y \end{aligned} \tag{54}$$
In these equations, $b \wedge c$ and $b \vee c$ are respectively defined as the infimum (resp. supremum) w.r.t. the relation "$<$" defined in (53) when both values belong to the subdomain $\{\bot, \mathbf{t}, \mathbf{f}\}$. In fact, we do not need formulas (54) in case $b$ or $c$ are unknown, because the label of a branch is known prior to its extremity, in executable programs equipped with their scheduling specifications as inferred from rules (R-1, ..., R-4).
  b \ x |  ?  |  ⊥  |  ⊤
  ------+-----+-----+-----
    ?   |  ?  |  ?  |  ?
    ⊥   |     |     |
    f   |     |     |
    t   |  ?  |     |

Table 1: Definition of the dependency $x \xrightarrow{b} y$. This table gives the result of this multivalued function for its output $y$ (rows: values of $b$; columns: values of $x$). When nothing is written, this means that any value is accepted. If $x$ is boolean, then $\top$ is to be refined as any of the two values $\{\mathbf{f}, \mathbf{t}\}$.
5.2 Circuitfree schedulings

We are given a set of variables $x_1, \ldots, x_n$. Some of them are boolean; for the sake of readability, boolean variables used as labels in scheduling specifications will be generically denoted by $b_1, b_2, \ldots$ Then we are given 1/ a set of constraints of the form $C(b_1, \ldots, b_k)$ on boolean variables restricted to the subdomain $\{\bot, \mathbf{t}, \mathbf{f}\}$ of known values; and 2/ a set of scheduling specifications defined on $x_1, \ldots, x_n$. Constraints $C(b_1, \ldots, b_k)$ are extended to the "unknown" value by simply assuming $C(b_1, \ldots, b_k)$ is satisfied as soon as at least one of the variables $b_1, \ldots, b_k$ is "unknown".

Each dependency is interpreted as specified in Table 1. Thus, together with the boolean constraints of the form $C(b_1, \ldots, b_k)$, they specify a subdomain of the product domain $D^n$ of all possible states. The set of states satisfying these constraints is denoted by $S$, and we call it a scheduling of $x_1, \ldots, x_n$. States in $S$ are written $s, t, \ldots$ and the corresponding interpretations are denoted by $s_1, \ldots, s_n$ for short instead of $s[x_1], \ldots, s[x_n]$, and similarly for $t$. The "totally unknown state":
$$\forall i,\; s_i = ?, \quad \text{is denoted by } s_{?}. \tag{55}$$
Two states of $S$ are said to be neighbours if they differ exactly in one variable; we call it their discriminating variable. We call a path in $S$ any finite sequence $s(1), s(2), \ldots, s(K)$ of neighbouring states belonging to $S$.

For $s$ and $t$ two neighbouring states of $S$, we write $s \sqsubseteq t$ if their respective values for their discriminating variable $x_i$ satisfy the relation $s_i \sqsubseteq t_i$ defined in (52). A path $s(1), s(2), \ldots, s(K)$ such that $s(k) \sqsubseteq s(k+1)$ is called increasing.

A scheduling $S$ is called circuitfree if it is never true in $S$ that
$$x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \;\cdots\; x_{i_p} \xrightarrow{b_p} x_{i_1} \quad \text{and} \quad (b_1 \wedge \cdots \wedge b_p = \mathbf{t}) \tag{56}$$

Theorem 4 (circuitfree schedulings) A scheduling is circuitfree iff, for every state $s \in S$ satisfying $\forall i : s_i \neq ?$, there is an increasing path linking $s_{?}$ to $s$.

The intuitive interpretation of this theorem is that, for an sts with a circuitfree scheduling, it is possible to compute sequentially without deadlock all variables, starting from the inputs. Each increasing path mentioned in Theorem 4 corresponds to one possible sequential execution.
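The domain $D$ of (52), the dependency $x \xrightarrow{b} y$ of Table 1, and the criterion of Theorem 4 (every fully known state of $S$ reachable from $s_{?}$ by an increasing path) as an added runnable illustration; this is example code written for this edit, not code from the paper. The three schedulings at the end are constructed here: one with a circuit $x \xrightarrow{b} y \xrightarrow{b} x$, one where a boolean constraint prevents the circuit condition (56), and one acyclic chain.

```python
"""A scheduling S over the abstract domain D (Section 5.1), the dependency
x -b-> y of Table 1 and the circuit-freedom test of Theorem 4: S is circuit-
free iff every fully known state of S is linked to s_? by an increasing path.
Illustration written for this edit, not the paper's code."""
from itertools import product

UNKNOWN, ABSENT, TOP = "?", "bot", "top"
BOOL_DOMAIN = (UNKNOWN, ABSENT, "f", "t")  # D for boolean variables
VALUE_DOMAIN = (UNKNOWN, ABSENT, TOP)      # non-booleans abstracted by (P-1)


def dependency_holds(x, b, y):
    """Table 1 for x -b-> y: y must stay unknown when b is unknown, or when
    b = t while x is unknown; any other configuration leaves y unconstrained."""
    if b == UNKNOWN or (b == "t" and x == UNKNOWN):
        return y == UNKNOWN
    return True


class Scheduling:
    def __init__(self, variables, booleans, deps, constraints=()):
        """variables: ordered names; booleans: those with the boolean domain;
        deps: triples (x, b, y) standing for x -b-> y; constraints: pairs
        (names, predicate), satisfied by convention when an argument is unknown."""
        self.vars = list(variables)
        self.index = {v: i for i, v in enumerate(self.vars)}
        self.domains = [BOOL_DOMAIN if v in booleans else VALUE_DOMAIN
                        for v in self.vars]
        self.deps = list(deps)
        self.constraints = list(constraints)

    def admits(self, state):
        """Membership in S: every dependency and every boolean constraint holds."""
        val = {v: state[i] for v, i in self.index.items()}
        if not all(dependency_holds(val[x], val[b], val[y])
                   for x, b, y in self.deps):
            return False
        for names, pred in self.constraints:
            args = [val[v] for v in names]
            if UNKNOWN not in args and not pred(*args):
                return False
        return True

    def states(self):
        """Enumerate S inside the product domain D^n."""
        return [s for s in product(*self.domains) if self.admits(s)]

    def increasing_neighbours(self, state):
        """Neighbours t in S with state ⊑ t: exactly one unknown variable (the
        discriminating one) is replaced by a known value."""
        for i, v in enumerate(state):
            if v != UNKNOWN:
                continue
            for known in self.domains[i][1:]:
                t = state[:i] + (known,) + state[i + 1:]
                if self.admits(t):
                    yield t

    def reachable_from_unknown(self):
        """States of S reached from s_? by an increasing path (graph search)."""
        start = tuple(UNKNOWN for _ in self.vars)
        seen, stack = {start}, [start]
        while stack:
            s = stack.pop()
            for t in self.increasing_neighbours(s):
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

    def is_circuit_free(self):
        """Theorem 4: circuit-free iff each fully known state of S is reachable."""
        reachable = self.reachable_from_unknown()
        return all(s in reachable for s in self.states() if UNKNOWN not in s)


# Constructed examples (not from the paper).
# x -b-> y -b-> x with b unconstrained: b = t is possible, so (56) is violated;
# e.g. the fully known state (top, top, t) lies in S but cannot be reached.
CIRCUIT = Scheduling(["x", "y", "b"], {"b"}, [("x", "b", "y"), ("y", "b", "x")])

# The same circuit with labels b and c and the constraint "b and c = t never
# holds": condition (56) cannot be met, hence the scheduling is circuit-free.
GUARDED = Scheduling(["x", "y", "b", "c"], {"b", "c"},
                     [("x", "b", "y"), ("y", "c", "x")],
                     [(("b", "c"), lambda b, c: not (b == "t" and c == "t"))])

# A chain x -b-> y -c-> z contains no circuit at all.
CHAIN = Scheduling(["x", "y", "z", "b", "c"], {"b", "c"},
                   [("x", "b", "y"), ("y", "c", "z")])

if __name__ == "__main__":
    for name, sched in [("circuit", CIRCUIT), ("guarded", GUARDED), ("chain", CHAIN)]:
        print(name, "circuit-free:", sched.is_circuit_free())
```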
Proof: We first prove the "if" part by contradiction. Assume (56) is violated for some circuit $x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \cdots x_{i_p} \xrightarrow{b_p} x_{i_1}$, i.e., $b_1 \wedge \cdots \wedge b_p = \mathbf{t}$ is possible for this circuit in $S$. We want to deduce from this assumption that there are states for which all variables are known, but there is no increasing path originating from $s_{?}$ and terminating at the states in consideration. Without loss of generality, we can restrict $S$ to those states for which
$$\forall i = 1, \ldots, p : [\, b_i = ? \ \text{or}\ b_i = \mathbf{t} \,] \ \text{holds};\quad \text{the set of such states is called } S_{(b_1 \wedge \cdots \wedge b_p = \mathbf{t})}. \tag{57}$$
By Table 1, the condition $x_{i_1} \xrightarrow{b_1} x_{i_2} \xrightarrow{b_2} x_{i_3} \cdots x_{i_p} \xrightarrow{b_p} x_{i_1}$ implies that, on $S_{(b_1 \wedge \cdots \wedge b_p = \mathbf{t})}$, the following holds:
$$x_{i_1} \sqsubseteq x_{i_2} \sqsubseteq \cdots \sqsubseteq x_{i_p} \sqsubseteq x_{i_1},$$
and thus the $x_{i_j}$'s are either all unknown, or alternatively all known. Thus there is no increasing path originating from $s_{?}$ and leading to any known state belonging to $S_{(b_1 \wedge \cdots \wedge b_p = \mathbf{t})}$. This proves the "if" part.
Next, we prove the "only if" part, also by contradiction. Beforehand, we need a lemma. Two states $s$ and $s'$ are said to be complementary if, for each variable $x$,
$$\text{either } s[x] = ? \ \text{ or } \ s'[x] = ?.$$
Two states $s$ and $s'$ are said to be compatible if, for each variable $x$,
$$\text{either } s[x] = ? \ \text{ or } \ s'[x] = ? \ \text{ or } \ s'[x] = s[x].$$
Complementary states are also compatible. For two compatible states $s$ and $s'$, we define their sum $s \uplus s'$ by:
$$(s \uplus s')[x] \;=\; \text{if } s[x] \neq ? \text{ then } s[x] \text{ else } s'[x]$$

Lemma 2 (monotonicity) Let $t_0$ and $t_1$ be two neighbouring states belonging to $S$, such that $t_0 \sqsubseteq t_1$. Let $t$ be a state such that
1. $t_1$ and $t$ are complementary,
2. $t_0 \uplus t \in S$,
3. there is an increasing path contained in $S$ originating from $t_0$ and terminating in $t_0 \uplus t$, and
4. $t_1 \uplus t$ satisfies the boolean constraints $C(b_1, \ldots, b_k)$ which contribute to the definition of $S$.

Then, $t_1 \uplus t \in S$ and there is an increasing path contained in $S$ originating from $t_1$ and terminating in $t_1 \uplus t$.
Proof: Note that $t_0 \uplus t$ is well defined, since $t_0$ and $t$ are also complementary. Let $t_0 \to t_0 \uplus t$ denote the path referred to in item 3. Denote by $\tilde t$ the state such that 1/ $\tilde t$ and $t_0$ are complementary, and 2/ $t_1 = t_0 \uplus \tilde t$; such a state exists and is unique. Denote by $t_0 \uplus \tilde t \to t_0 \uplus t \uplus \tilde t$ the increasing path obtained by complementing each state belonging to the path $t_0 \to t_0 \uplus t$ by $\tilde t$. This is possible since each intermediate state of the path $t_0 \to t_0 \uplus t$ and $\tilde t$ are complementary. We claim that
$$\text{the path } t_0 \uplus \tilde t \to t_0 \uplus t \uplus \tilde t \text{ is contained in } S. \tag{58}$$
Clearly, claim (58) is equivalent to the conclusion of the lemma. To prove (58), using item 4, we first note that each state belonging to the path $t_0 \uplus \tilde t \to t_0 \uplus t \uplus \tilde t$ satisfies the boolean constraints $C(b_1, \ldots, b_k)$ which contribute to the definition of $S$. We thus only need to check that they also satisfy the dependencies contributing to the definition of $S$; but the latter results from an inspection of Table 1. This proves the lemma. $\square$
We now return to the proof of Theorem 4 and proceed by steps.

1. Assume $\exists\, s^{\star} \in S$ satisfying $\forall i : s^{\star}_i \neq ?$, such that there is no increasing path linking $s_{?}$ to $s^{\star}$. Denote by $b_1, \ldots, b_p$ the boolean variables such that $b_1 \wedge \cdots \wedge b_p = \mathbf{t}$ holds at state $s^{\star}$. Denote by $\bar S$ the set of states $s \in S$ such that $s \sqsubseteq s^{\star}$. We have $s_{?} \in \bar S$ and $s^{\star} \in \bar S$. States belonging to $\bar S$ are all compatible.

2. Let $s, s' \in \bar S$ be two states such that the increasing paths $s_{?} \to s$ and $s_{?} \to s'$ are both contained in $\bar S$. Then we claim that
$$s'' = s \uplus s' \in \bar S, \ \text{and there exists an increasing path contained in } \bar S, \text{ originating from } s_{?} \text{ and terminating in } s''. \tag{59}$$
As all $s \in \bar S$ satisfy $s \sqsubseteq s^{\star}$, they satisfy in particular the boolean constraints $b_1 \wedge \cdots \wedge b_p = \mathbf{t}$. Thus we only need to verify the dependencies. There is a unique state $s_0 \in \bar S$ such that 1/ $s_0 \in [s_{?} \to s] \cap [s_{?} \to s']$, and 2/ $[s_0 \to s] \cap [s_0 \to s'] = \{s_0\}$, meaning that $s_0$ is the latest point at which the two considered paths deviate from each other. Let $s_1$ be the neighbour state of $s_0$ belonging to the path $[s_0 \to s']$. Apply Lemma 2 with the following substitutions: $t_0 = s_0$, $t_1 = s_1$, $t = \tilde s$ such that $s = s_0 \uplus \tilde s$. We deduce that the path $[s_{?} \to s \uplus s_1] \subseteq \bar S$. Then, let $s_2$ be the neighbour state of $s_1$ belonging to the path $[s_1 \to s']$; we can repeat the same argument. And we proceed repeatedly in the same way until we prove the claim (59).

3. Consider the set of $s \in \bar S$ for which there exists an increasing path $[s_{?} \to s] \subseteq \bar S$. From (59) we know that this set has a unique maximal element $s_{\max}$ for the partial order $\sqsubseteq$. By hypothesis we have $s_{\max} \sqsubseteq s^{\star}$, $s_{\max} \neq s^{\star}$. Thus there are at least two variables, denote them by $x$ and $x'$, such that $s_{\max}[x] = s_{\max}[x'] = ?$, but $s[x] = s[x'] \neq ?$ for every $s \in \bar S \setminus [s_{?} \to s_{\max}]$. Hence, the following holds at each state belonging to $\bar S$:
$$x \xrightarrow{b} x' \xrightarrow{b} x \quad \text{where } b = b_1 \wedge \cdots \wedge b_p = \mathbf{t}$$
Hence the condition of circuit freedom is violated on $\bar S$, and thus it can be violated on $S$. This finishes the proof of Theorem 4. $\square$
In the sequel, for $\Phi$ an sts with scheduling specifications, we shall consider its associated scheduling
$$S_{\Phi} \tag{60}$$
which is obtained by keeping, from the set of predicates defining the transition relation of $\Phi$,
1. the scheduling specifications, and
2. the assertions involving only boolean variables and clocks,
and discarding the other ones.
5.3 Deriving scheduling specifications as causality constraints

In this section, we formally justify rules (21). The principles we follow for our abstraction mechanism are given next:

(P-1) For $x$ not a boolean variable, we abstract its domain $D_x$ as the singleton $\{\top\}$, and then extend $\{\top\}$ with the additional values $\{?, \bot\}$.

(P-2) Within equations of the form "$y = \mathit{exp}$" or "if $b$ then $y = \mathit{exp}_1$ else $y = \mathit{exp}_2$" we shall further abstract $y$ by mapping the set $\{\bot, \mathbf{f}, \mathbf{t}\}$ to the single value $\top$ (known). Note the asymmetry of this abstraction principle: for the statement "if $b$ then $y = x$" where $x, y$ are booleans, we abstract $y$ but not $x$.

(P-3) Since we are interested in causality constraints, we only need to keep track of configurations for which $y$ cannot be known, i.e., $y = ?$ is the only allowed possibility. For other configurations, we weaken the constraint on $y$ to "$y$ unconstrained", which is depicted in the tables by an empty box.

We now proceed on deriving the scheduling associated to each primitive statement, using (P-1,2,3). We use the notation $?, \bot$ to indicate that, for the considered configuration, either $y = ?$ or $y = \bot$ holds, and similarly for other cases.
Lemma 3 The following holds:
$$x \xrightarrow{b} y \;\Rightarrow\; b \longrightarrow h_y$$
Proof: by inspection of Table 1.

Lemma 4 The following holds:
$$h_x \longrightarrow x$$
Proof: by inspection of the following tables (the first table relates $x$ to $h_x$, as extended to unknown values):

  h_x |  ?  |  ⊥   |  t
  x   |  ?  | ?,⊥  | ?,⊤

abstracted as (using P-2):

  h_x |  ?  |  ⊥   |  t
  x   |  ?  | ?,⊤  | ?,⊤

which is equal to:

  h_x |  ?  |  ⊥   |  t
  x   |  ?  |      |

which turns out to be equivalent to $h_x \longrightarrow x$ by Table 1.
Lemma 5 The following holds:
$$(f):\ \begin{cases} y = f(u, v) \\ h_u = h_v = h_y \end{cases} \;\Rightarrow\; (u, v) \xrightarrow{h_y} y$$
Proof: by inspection of Table 1 and of the following tables (# denotes a prohibited value; rows: values of $v$; columns: values of $u$):

abstraction of (f), using (P-1):

  v \ u |  ?   |  ⊥   |  ⊤
    ?   |  ?   | ?,⊥  |  ?
    ⊥   | ?,⊥  |  ⊥   |  #
    ⊤   |  ?   |  #   |  ⊤

using (P-2):

  v \ u |  ?   |  ⊥   |  ⊤
    ?   |  ?   | ?,⊤  |  ?
    ⊥   | ?,⊤  |  ⊤   |  #
    ⊤   |  ?   |  #   |  ⊤

using (P-3):

  v \ u |  ?   |  ⊥   |  ⊤
    ?   |  ?   |      |  ?
    ⊥   |      |      |
    ⊤   |  ?   |      |

which is equivalent to the formulas of the conclusion of the rule of Lemma 5.
Lemma 6 The following holds:
$$[\,\text{if } b \text{ then } x = u\,] \;\wedge\; [\,\text{if } b \text{ then } h_x = h_u\,] \;\Rightarrow\; \begin{cases} u \xrightarrow{b \wedge h_u} x \\[2pt] b \xrightarrow{h_b \wedge h_u} h_x \\[2pt] h_u \xrightarrow{b \wedge h_u} h_x \end{cases}$$
Proof: by inspection of Table 1 and of the following two tables. These tables define the possible values of $x$ and $h_x$ respectively, for $[\,\text{if } b \text{ then } x = u\,] \wedge [\,\text{if } b \text{ then } h_x = h_u\,]$ (rows: values of $b$):

  b \ u |  ?   |  ⊥   |  ⊤
    ?   |  ?   | ?,⊥  |  ?
    ⊥   | ?,⊥  | ?,⊥  | ?,⊥
    t   |  ?   | ?,⊥  | ?,⊤
    f   | ?,⊥  | ?,⊥  | ?,⊥

  b \ h_u |  ?   |  ⊥   |  t
    ?     |  ?   | ?,⊥  |  ?
    ⊥     | ?,⊥  | ?,⊥  | ?,⊥
    t     |  ?   | ?,⊥  | ?,⊤
    f     | ?,⊥  | ?,⊥  | ?,⊥

Applying principles (P-2, 3) then yields the formulas corresponding to the conclusion of the rule of Lemma 6. Note the asymmetry between $x$ and $u$, while the statements $x = u$ and $u = x$ are clearly identical. This asymmetry is due to principle (P-2) for sts abstraction.
5.4 Correct programs

In this subsection, we formally state and prove the result establishing the link between circuit freedom and executable sts.

Theorem 5 (correct programs) Let $P$ be an sts satisfying the following conditions:
1. For each statement of $P$, the scheduling specifications derived from applying the rules of Lemmas 3, 4, 5, 6 are also statements of $P$.
2. The scheduling $S_P$ (cf. (60)) defined by $P$ is circuitfree.
3. There is no multiple definition of a variable, meaning that, whenever
$$\text{if } b_1 \text{ then } x = \mathit{exp}_1 \;\wedge\; \text{if } b_2 \text{ then } x = \mathit{exp}_2$$
is part of $P$, then $b_1 \wedge b_2 = \mathbf{t}$ never holds.

Then:
1. As far as control is concerned, the inputs of $P$ are the source nodes of the dependency graph.
2. Input values are those variables which never occur on the left-hand side of statements of the form "$x = \mathit{exp}$".
3. For each given input control history of $P$ and compatible input value history, there is exactly one run of $P$, i.e., $P$ is deterministic.

Nota: Clearly, Theorem 5 provides us with a sufficient condition; this condition is not necessary. Furthermore, the rules for inferring scheduling specifications as causality constraints are bound to the syntax, not to the semantics, of the program. In particular, from the statement "if $b$ then $x = u$", we choose to infer the dependency $u \xrightarrow{b \wedge h_u} x$ but not the symmetric one in which $x$ and $u$ are exchanged. This means that, while $P$ may not satisfy the assumptions of Theorem 5 for a given syntactic form of $P$, it may satisfy them after a proper rewriting into a semantically equivalent form. Here, semantic equivalence means identical runs when scheduling specifications are discarded.
Proof: It is organized into several steps.

1. With the formula $x \xrightarrow{b} y$ we associate the following automaton:

[Figure: execution automaton for $x \xrightarrow{b} y$. States are labelled by the variables not yet set (x,b,y; x,y; b,x; x; y) and transitions by the actions set x, set b, set y; the branch labelled b = T constrains the order of set x and set y.]

Transitions are labelled with actions. The label "set x" indicates that variable $x$ is set to an arbitrary value of its (extended) domain $D_x \cup \{\bot\}$. States are labelled with those variables that are $?$, i.e., have not been set. This automaton is the most permissive one with the following properties:
(a) states are valued with configurations of the triple $(x, b, y)$ that are compatible with the scheduling constraint $x \xrightarrow{b} y$.
(b) Variables are set sequentially.
(c) All variables are eventually set.

Thus each path of this automaton specifies an evaluation scheme for the triple $(x, b, y)$ which is compatible with the considered scheduling specification. Conversely, any correct evaluation scheme for the triple $(x, b, y)$ can be specified in this way. We call this automaton the execution automaton associated to the scheduling specification $x \xrightarrow{b} y$.
2. To each primitive statement we associate the conjunction of its causality constraints and possible constraints involving clocks and boolean variables, and we take the product of the associated execution automata. The paths of the resulting automaton specify all correct schedulings to evaluate the involved variables. We call the resulting product automaton the execution automaton associated to the considered primitive.
3. Then we take the product of the execution automata associated to each statement. By theorem 4 we know that, for each tuple of variables which satisfies the specification, there is a path of the product automaton which originates from its initial state and terminates at the final state in which all variables are set, meaning that all variables of the considered tuple are sequentially set.
4. Finally, we refine the transition labels of the form "set x" etc., by assigning to x etc. the value specified by the program. As source nodes of the dependency graph are set first, they appear as inputs of P for its control. Also, variables u that are set and do not occur on the left-hand side of any statement u = expression must be read from the environment: their values are inputs of the considered program P. Finally, thanks to condition 3 of theorem 5, actions of the form "set x" etc. are refined into single writings. This finishes the proof of the theorem. ∎
We illustrate this technique on the following simple sts:
$$y = f(u, v) \;\wedge\; h_u = h_v = h_y \stackrel{\text{def}}{=} h.$$
The causality constraint and associated execution automaton are:
$$h \longrightarrow (u, v, y) \;\wedge\; (u, v) \xrightarrow{h} y \;\wedge\; h_u = h_v = h_y \stackrel{\text{def}}{=} h.$$
[Figure: the execution automaton. States are labelled by the variables still to be set: {h, u, v, y} initially; {u, v, y} after h = T; then {v, y} or {u, y} after set u or set v (in either order); then {y} after the remaining one of set u / set v; and the final state after set y.]
Clock h is the activation clock. The refined execution automaton is obtained by replacing set u and set v by read u and read v, and set y by the assignment y := f(u, v).
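To make the construction above concrete, here is an added Python example (not code from the paper, nor from the Signal or DC+ tools) that builds the product execution automaton for a set of scheduling constraints, enumerates its paths, and applies the refinement step to the paper's y = f(u, v) example. The names Constraint, can_set, execution_paths and refine are the example's own. It also makes two modelling assumptions for the sake of enumeration: the value of each guard variable such as h is fixed in advance, so one run corresponds to one value of h (the figure above shows only h = T), and a constraint whose guard has been set to false is simply inactive.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Constraint:
    """Scheduling constraint src --guard--> dst (example's own encoding):
    src must be set before dst whenever boolean variable `guard` is true;
    guard=None means the constraint always applies."""
    src: str
    dst: str
    guard: Optional[str] = None


def can_set(var: str, done: Set[str], guards: Dict[str, bool],
            constraints: Sequence[Constraint]) -> bool:
    """Property (a): `var` may be set next only if every constraint targeting
    it is satisfied by the current configuration, i.e. its source is already
    set, or its guard is already set and false (constraint inactive)."""
    if var in done:
        return False  # property (b): each variable is set exactly once
    for c in constraints:
        if c.dst != var:
            continue
        if c.src in done:
            continue
        if c.guard is not None and c.guard in done and not guards[c.guard]:
            continue
        return False
    return True


def execution_paths(variables: Sequence[str], constraints: Sequence[Constraint],
                    guards: Dict[str, bool]) -> List[List[str]]:
    """Paths of the product execution automaton for a fixed valuation of the
    guard variables: every order in which all variables can be sequentially
    set (property (c)) without violating any constraint. Checking all
    constraints at once is the product of the per-constraint automata."""
    paths: List[List[str]] = []

    def walk(done: tuple) -> None:
        if len(done) == len(variables):
            paths.append(list(done))  # final state: everything is set
            return
        for v in sorted(variables):
            if can_set(v, set(done), guards, constraints):
                walk(done + (v,))

    walk(())
    return paths


def refine(path: Sequence[str], definitions: Dict[str, str]) -> List[str]:
    """Step 4 of the construction: 'set x' becomes 'read x' for variables that
    no statement defines (inputs from the environment) and 'x := expr' for
    variables defined by a statement."""
    return [f"{x} := {definitions[x]}" if x in definitions else f"read {x}"
            for x in path]


# The paper's example: y = f(u, v) with h_u = h_v = h_y = h (constructed data).
EXAMPLE_VARS = ["h", "u", "v", "y"]
EXAMPLE_CONSTRAINTS = [
    Constraint("h", "u"), Constraint("h", "v"), Constraint("h", "y"),  # h --> (u, v, y)
    Constraint("u", "y", guard="h"), Constraint("v", "y", guard="h"),  # (u, v) --h--> y
]
EXAMPLE_DEFINITIONS = {"y": "f(u, v)"}


def example_schedules(h: bool) -> List[List[str]]:
    """Refined execution paths of the example for the given value of clock h."""
    return [refine(p, EXAMPLE_DEFINITIONS)
            for p in execution_paths(EXAMPLE_VARS, EXAMPLE_CONSTRAINTS, {"h": h})]


if __name__ == "__main__":
    for h in (True, False):
        print(f"h = {h}:")
        for sched in example_schedules(h):
            print("   ", " ; ".join(sched))
```

For h = T the enumeration yields exactly the two paths of the figure (read h, then read u and read v in either order, then y := f(u, v)); for h = F the guarded constraints are inactive and the three remaining variables may be set in any of the six orders, which is the freedom the scheduling specification deliberately leaves to the code generator.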
6 Conclusion
Our contribution can be summarized as follows:
• We have proposed sts with scheduling specifications as a paradigm for causality analysis, sts abstraction, separate compilation and reuse.
• We have characterized those sts for which asynchronous and synchronous semantics are equivalent, in a precise sense.
We advocate a system design methodology based on the synchronous paradigm, possibly followed by a provably correct desynchronization. The advantages of this approach are numerous; they are listed below according to the different phases of the design:
Specification: designing within the synchronous paradigm allows the designer to exploit the simplicity and elegance of compositionality of synchronous specifications. In addition, specification can be performed independently from the execution architecture; therefore, upgrading an execution architecture does not require redesigning the specifications.
Verification:
• In the synchronous paradigm, composition of specifications and composition of properties are both performed by using the composition "$\|$" of sts. This facilitates reasoning in general, and compositional reasoning in particular.
• For endo/isochronous sts, proofs based on the synchronous semantics carry over without modification to asynchrony. For such systems, verification can be performed within the synchronous framework, which avoids the state explosion resulting from the use of the asynchronous interleaving semantics.
Abstraction, modularity, and reuse:
• Scheduling specifications provide the adequate notion of abstraction for separate compilation. They allow the designer to check the correctness of component encapsulation at the system integration phase.
• sts with scheduling specifications can be composed using a proper generalization of the composition "$\|$" of sts. Thus the advantages of compositionality naturally extend to sts with scheduling specifications.
• The structuring of specifications into scheduler and tasks allows us to define proper reusable modules. Of course, if assumptions are available on the possible behaviours of the environment, then larger modules can be stored as object code for further reuse.
gals networks: the elegant feature is that isochrony is a local property within a network of components. As isochrony is compositional, adding a new component $\Phi_{new}$ to a pre-existing gals network $(\Phi_i)_{i=1,\dots,n}$ while preserving its gals nature only requires checking whether the pairs $(\Phi_{new}, \Phi_i)$ are isochronous, for each $\Phi_i$ having direct communication with $\Phi_{new}$ in the extended network. Thus gals designs can be built compositionally; it is not necessary to desynchronize the whole synchronous design at once.
Thanks to the outcomes of the SACRES project, the above approach is supported by the Signal-V4 language (footnote 8) and by the DC+ common format for synchronous languages [DC+ Sacres 1996]. Signal-V4 and the DC+ format are both concrete implementations of our sts model. This includes scheduling specifications, which are available as primitive statements in both formalisms.
In particular, the 1999 release of Sildex [Sildex] (footnote 9) implements distributed code generation based on the approach presented in this paper. The target architectures are, above all else, POSIX compliant real-time OS.
The new Signal-V4 compiler developed at Inria implements the whole methodology, including separate compilation. Services for architecture generation are also provided, using our notion of abstraction.
Footnote 8: Loic Besnard and other members of the "EpAtr" team at IRISA are gratefully acknowledged for the development of this environment.
Footnote 9: the Sildex tool is a commercial tool for reactive systems design based on the Signal language. It is marketed by TNI, Brest, France.
Research perspectives. Further work is needed to show that the above principles are viable for generating architectures built up from pre-existing C/C++/Java/... modules. Moreover, not all communication media or operating systems provide services satisfying the requirements of our theory of desynchronization, namely: no loss of messages, and first-in/first-out semantics for each individual channel. Additional work is needed to get a full implementation on each different type of distributed architecture; this can be very easy (writing a few generic drivers, e.g., for POSIX), or can be more demanding when adequate services are not provided by the architecture and thus need to be emulated.
Acknowledgement. The authors are gratefully indebted to Michael Siegel for a thorough reading and detailed comments, and in particular for the discovery of several inconsistencies in an earlier version of this manuscript in the formal study of causality.
References
[Aalbersberg and Rozenberg, 1988] I.J. Aalbersberg and G. Rozenberg, "Theory of traces", Theoretical Computer Science, 60, 1-82, 1988.
[Alur and Henzinger 1996] R. Alur and T. A. Henzinger, "Reactive Modules", Proceedings of the 11th IEEE Symposium on Logic in Computer Science (LICS), 207-218, 1996, extended version submitted for publication.
[Amagbegnon et al., 1994] T.P. Amagbegnon, L. Besnard and P. Le Guernic, "Arborescent canonical form of boolean expressions", Inria Research Report no. 2290, June 1994.
[Amagbegnon et al., 1995] T.P. Amagbegnon, L. Besnard and P. Le Guernic, "Implementation of the dataflow language Signal", in Programming Languages Design and Implementation, ACM, 163-173, 1995.
[Aubry 1997] P. Aubry, "Mises en œuvre distribuées de programmes synchrones", PhD Thesis, Univ. Rennes I, 1997.
[Benveniste and LeGuernic 1990] A. Benveniste and P. Le Guernic, "Hybrid dynamical systems theory and the Signal language", IEEE Transactions on Autom. Control, 35 No 5, 535-546, May 1990.
[Benveniste and Berry, 1991] A. Benveniste and G. Berry, "Real-Time systems design and programming", Another look at real-time programming, special section of Proc. of the IEEE, vol. 9 no. 9, September 1991, 1270-1282.
[Benveniste LeGuernic and Jacquemot, 1991] A. Benveniste, P. Le Guernic, and C. Jacquemot, "Synchronous programming with events and relations: the SIGNAL language and its semantics", Sci. Comp. Prog., 16:103-149, 1991.
[Benveniste et al., 1992] A. Benveniste, P. Le Guernic, Y. Sorel, and M. Sorine, "A denotational theory of synchronous communicating systems", Information and Computation, Vol. 99 No 2, 192-230, August 1992.
[Benveniste Caspi et al., 1994] A. Benveniste, P. Caspi, N. Halbwachs, and P. Le Guernic, "Data-flow synchronous languages", in A Decade of Concurrency, reflexions and perspectives, REX School/Symposium, pages 1-45, LNCS Vol. 803, Springer Verlag, 1994.
[Berry, 1989] G. Berry, "Real time programming: Special purpose or general purpose languages", in IFIP World Computer Congress, San Francisco, 1989.
[Berry, 1995] G. Berry, The Constructive Semantics of Esterel, Draft book, http://www.inria.fr/meije/esterel, December 1995.
[Berry and Sentovich 1998] G. Berry and E.M. Sentovich, "An implementation of constructive synchronous programs in POLIS", manuscript, November 1998.
[Caillaud et al., 1997] B. Caillaud, P. Caspi, A. Giraud, and C. Jard, "Distributing automata for asynchronous networks of processors", European Journal on Automated Systems (JESA), Hermes, 31(3), 503-524, May 1997.
[Caspi 1992] P. Caspi, "Clocks in Dataflow languages", Theoretical Computer Science, vol. 94:125-140, 1992.
[Clerbout and Latteux, 1987] M. Clerbout and M. Latteux, "Semi-commutations", Information and Computation, 73, 59-74, 1987.
[de Roever et al., Eds, 1998] W-P. de Roever, H. Langmaack, and A. Pnueli, Eds., Compositionality: the significant difference, Proc. of the International Symposium COMPOS'97, Bad Malente, Germany, Sept. 1997, LNCS vol 1536, Springer Verlag, 1998.
[DC+ Sacres 1996] Sacres consortium, The Declarative Code DC+, Version 1.2, May 1996; Esprit project EP 20897: Sacres, see http://www.tni.fr/sacres/
[LeGuernic and Gautier, 1991] P. Le Guernic and T. Gautier, "Dataflow to von Neumann: the Signal approach", in Advanced topics in dataflow computing, L. Bic and J-L. Gaudiot Eds., Prentice Hall, 413-438, 1991.
[Halbwachs, 1993] N. Halbwachs, Synchronous programming of reactive systems, Kluwer Academic Pub., 1993.
[Lamport, 1983a] L. Lamport, "Specifying concurrent program modules", ACM Trans. on Prog. Lang. and Sys., 5(2):190-222, 1983.
[Lamport, 1983b] L. Lamport, "What good is temporal logic?", in Proc. IFIP 9th World Congress, R.E.A. Mason (Ed.), North Holland, 657-668, 1983.
[LeGuernic et al., 1991] P. Le Guernic, T. Gautier, M. Le Borgne, C. Le Maire, "Programming real-time applications with Signal", Another look at real-time programming, special section of Proc. of the IEEE, vol. 9 no. 9, September 1991, 1321-1336.
[Maffeis and LeGuernic, 1994] O. Maffeis and P. Le Guernic, "Distributed implementation of Signal: scheduling and graph clustering", in: 3rd International School and Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science 863, Springer Verlag, 149-169, Sept. 1994.
[Manna and Pnueli 1992] Z. Manna and A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, New York, 1992.
[Manna and Pnueli 1995] Z. Manna and A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems: Safety. Springer-Verlag, New York, 1995.
[Sorel and Lavarenne] Y. Sorel and C. Lavarenne, "SynDEx v4.2 User Guide", http://www-rocq.inria.fr/syndex/.articles/doc/doc/SynDEx42.html
[Sorel 1996] Y. Sorel, "Sorel: Real-time embedded image processing applications using the A3 methodology", Proc. IEEE International Conf. on Image Processing, (Lausanne, September 1996).
[Sildex] TNI, Sildex tool, see http://www.tni.fr/indexgb.html