Verification of clock constraints: CCSL Observers in Esterel by André, Charles
Verification of clock constraints: CCSL Observers in
Esterel
Charles Andre´
To cite this version:
Charles Andre´. Verification of clock constraints: CCSL Observers in Esterel. [Research Report]
RR-7211, INRIA. 2010, pp.59. <inria-00458847>
HAL Id: inria-00458847
https://hal.inria.fr/inria-00458847
Submitted on 22 Feb 2010
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
appor t  

de  r ech er ch e
IS
S
N
02
49
-6
39
9
IS
R
N
IN
R
IA
/R
R
--
72
11
--
FR
+E
N
G
Thème COM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Verification of clock constraints:
CCSL Observers in Esterel
Charles André
N° 7211
February 2010

Unité de recherche INRIA Sophia Antipolis
2004, route des Lucioles, BP 93, 06902 Sophia Antipolis Cedex (France)
Téléphone : +33 4 92 38 77 77 — Télécopie : +33 4 92 38 77 65
Veriﬁcation of clock constraints:
CCSL Observers in Esterel
Charles André∗
Thème COM  Systèmes communicants
Projet Aoste
Rapport de recherche n° 7211  February 2010  59 pages
Abstract: The Clock Constraint Speciﬁcation Language (ccsl) has been informally intro-
duced in the speciﬁcations of the uml Proﬁle for Modeling and Analysis of Real-Time and
Embedded systems (MARTE). In a previous report entitled Syntax and Semantics of the
Clock Constraint Speciﬁcation Language, we equipped a kernel of ccsl with an operational
semantics. In the present report we pursue this clariﬁcation eﬀort by giving a mathematical
characterization to each ccsl constructs. We also propose a systematic approach to the
formal veriﬁcation of ccsl constraints with dedicated Observers. A comprehensive library
of Esterel modules, which supports this approach, is provided.
Key-words: CCSL, UML, time constraints, veriﬁcation, observer, Esterel
∗ Université de Nice Sophia Antipolis
Vériﬁcation de contraintes d'horloges :
Observateurs CCSL en Estérel
Résumé : Le langage de Spéciﬁcation de Contraintes d'Horloges (connu sous le nom
de Clock Constraint Speciﬁcation Language ou sous l'acronyme ccsl) a été introduit de
façon informelle dans le document de spéciﬁcation du proﬁl uml pour la modélisation et
l'analyse des systèmes temps réel et embarqués (marte). Dans un précédent rapport intitulé
Syntax and Semantics of the Clock Constraint Speciﬁcation Language nous avons déﬁni
une sémantique opérationnelle pour un noyau de ccsl. Le présent rapport poursuit cet eﬀort
de formalisation en donnant une caractérisation mathématique précise à chaque élément du
langage ccsl. Nous proposons également une approche systématique pour la vériﬁcation
formelle de contraintes ccsl s'appuyant sur le concept d'Observateur. Une bibliothèque
complète de modules Esterel est fournie pour la mise en ÷uvre de cette approche.
Mots-clés : CCSL, UML, contraintes temporelles, vériﬁcation, observateurs, Esterel
CCSL Observers 3
1 Introduction
Modeling of distributed systems, as well as electronic systems with multi-cores or multi-
clock domains, needs multiple time bases. The uml proﬁle for Modeling and Analysis of
Real-Time and Embedded systems [1] (marte) addresses this modeling issue through its
rich model of Time. marte also introduces the concept of clock constraints and proposes
the non-normative language ccsl (short for Clock Constraint Speciﬁcation Language) for
specifying such constraints.
The marte time model has been ﬁrst presented at the 10th international conference on
Model Driven Engineering Languages and Systems [2]. This paper introduced the concepts of
time bases, clocks and clock constraints. ccsl appeared only in a few illustrative examples.
On the other hand, the omg speciﬁcation of marte contains neither a precise syntax nor
a formal semantics for ccsl; only an informal (English) semantics is given. This lack of
formal description of ccsl has been partially ﬁlled in our research report entitled Syntax
and Semantics of the Clock Constraint Speciﬁcation Language [3], which described a kernel
of ccsl and provided a structural operational semantics for this kernel. The present report
contributes further to the semantics of ccsl by giving full mathematical characterization of
the clock relations and clock expressions of ccsl.
ccsl has also been used in veriﬁcation of time requirements [4, 5]. The ﬁrst reference
proposed simulation of ccsl speciﬁcations to ﬁnd constraint violations. The second one dealt
with formal veriﬁcation: we ﬁrst speciﬁed time constraints of a simpliﬁed signal processing
application with ccsl, and we then used model checking techniques to verify that an Esterel
program eﬀectively met these speciﬁcations. Esterel [6, 7] is an imperative synchronous
language, well-suited to control-dominated system programming. As usual with synchronous
languages [8,9], we applied an observer -based approach [10] for safety property veriﬁcation.
The second contribution of the present report is to propose a general approach to ccsl
constraint checking with ccsl-observers.
The report consists of three main sections. The ﬁrst section introduces the multiform
logical time, the clocks, and the clock constraints. A clock constraint is a clock relation that
applies to two clock expressions. In this section, all the clock relations from the kernel ccsl,
and two often used derived relations (alternation and synchronization), are mathematically
deﬁned. The primitive clock expressions of the kernel ccsl, and some derived expressions
are characterized in the same way.
The second section ﬁrst explains the concept of observer. Then, a general approach is
proposed for the implementation of (ccsl) observers, generators, and adaptors, which are
modules that implement clock relations, clock expressions, and ccsl clocks, respectively.
The behavior of each module is dictated by the operational semantics given in the previous
report on ccsl [3]. For each relation, the condition under which the relation is violated is
clearly stated.
The third section describes, in details, an Esterel module library library that implements
the proposed veriﬁcation approach.
RR n° 7211
4 C. André
2 Clock Constraint Speciﬁcation Language
2.1 Multiform logical time
marte Time model deals with both discrete and dense time. In marte, a clock gives
access to a time structure made of time bases, which are themselves ordered sets of instants.
A clock can be either chronometric or logical. The former is related to physical time
while the latter is not. This report focuses on the structural relations between clocks and
these relations do not diﬀerentiate between chronometric and logical clocks. However, some
relations only apply to discrete clocks (logical or chronometric) and others apply to both
discrete and dense clocks. Dense clocks considered in marte are necessarily chronometric.
Logical clocks refer to discrete-time logical clocks and represent logical time.
Leslie Lamport [11] introduced logical clocks in the late 70's. The logical clocks associate
numbers (logical timestamps) with events in a distributed system, such that there exists a
consistent total ordering of all the events of the system. These clocks can be implemented
by counters with no actual timing mechanisms. In the 80's, the synchronous languages [12]
introduced their own concept of logical time. This logical time shares with Lamport's time
the fact that they need not actually refer to physical time. Logical time only relies on
(partial or total) ordering of instants. In what follows, we consider logical time in the sense
of synchronous languages. In the synchronous language Signal, a signal s is an inﬁnite
totally ordered sequence (st)t∈N of typed elements. Index t denotes a logical instant. At
each logical instant of its clock, a signal is present and carries a unique value. Signal is a
multi-clock (or polychronous) language: it does not assume the existence of a global clock.
Instead, it allows multiple logical clocks. Signal composition is ruled by operators which
are either mono-clock operators (composing signals deﬁned on a same clock) or multi-clock
operators (allowing composition of signals having diﬀerent clocks).
Indeed, a logical clock can be associated with any event. This point of view has been
adopted in the marte time model [1, Chap. 10]. A logical clock ticks with each new
occurrence of its associated event. Synchronous languages like Esterel exploit this property.
In an Esterel program, time may be counted in seconds, meters, laps. . . (see the Berry's
RUNNER program [7] which describes the training of a runner). This variety of events
supporting time leads to the concept of multiform time. More technical examples can be
found in automotive applications. For instance, the electronic ignition is driven by the
angular position of the crankshaft rather than by a chronometric time (see our study of a
knock controller in a 4-stroke engine [13]).
In this report, we consider only (discrete) logical clocks and their relationships through
clock constraints. Many aspects are extendable to dense clocks, but these are not addressed
in this report.
2.2 Clocks
In the marte time model, a clock is a model element giving access to the time structure
underlying the application. A clock refers to a time base. In this report, we adopt a simpliﬁed
INRIA
CCSL Observers 5
model, already used in our papers (see for instance [14]). This model hides the concept of
time base and considers that a clock directly owns an ordered set of instants.
A Clock is a 5-tuple 〈I,≺,D, λ, u〉 where I is a set of instants, ≺ is a quasi-order relation
on I, named strict precedence, D is a set of labels, λ : I → D is a labeling function, u is a
symbol, standing for a unit. For logical clocks, u is often called tick, it can be processorCycle
as well or any other logical activation of a behavior. The ordered set 〈I,≺〉 is the temporal
structure associated with the clock.≺ is a total, irreﬂexive, and transitive binary relation on
I.
A discrete-time clock is a clock with a discrete set of instants I. Since I is discrete, it can
be indexed by natural numbers in a fashion that respects the ordering on I: let N? = N\{0},
idx : I → N?, ∀i ∈ I, idx(i) = k if and only if i is the kth instant in I.
For any discrete time clock c = 〈Ic,≺c,Dc, λc, uc〉, c[k] denotes the kth instant in Ic (i.e.,
k = idxc (c[k])). For any instant i ∈ Ic of a discrete time clock, °i is the unique immediate
predecessor of i in Ic. For simplicity, we assume a virtual instant the index of which is 0, and
which is the (virtual) immediate predecessor of the ﬁrst instant. i° is the unique immediate
successor of i in Ic, if any.
2.2.1 Time structure
A Time Structure is a pair 〈C,4〉 where C is a set of clocks, 4 is a binary relation on⋃c∈C Ic,
named precedence. 4 is reﬂexive and transitive. From 4 we derive four new relations:
 Coincidence (≡ , 4 ∩4−1),
 Strict precedence (≺ , 4 \ ≡),
 Independence (‖ , 4 ∪ 4−1), and
 Exclusion (# , ≺ ∪≺−1).
The graphical representation of instant relations is given in Table 1.
instant relation symbol graphical representation
strict precedence ≺
(non strict) precedence 4
coincidence ≡
exclusion # #
Table 1: Instant relations
Let I =
(⋃
c∈C Ic
)
/ ≡ (the set of instants quotiented by the equivalence relation ≡).
The Time Structure T = 〈C,4〉 is well-structured if 〈I,4〉 is a partially ordered set (POset).
RR n° 7211
6 C. André
2.3 Clock constraints
Specifying a full time structure using only instant relations is not realistic. Moreover a
set of instants is usually inﬁnite, thus forbidding an enumerative speciﬁcation of instant
relations. Hence the idea to extend relations to clocks. We have introduced the concept
of clock constraints in the marte speciﬁcation (chapter 10) and also a dedicated language
for expressing such constraints: ccsl [1, Annex C.3]. This language is non normative (the
marte proﬁle implementors are not obliged to support it). The semantics of ccsl given in
the speciﬁcation is informal. A ﬁrst formal semantics, based on mathematical expressions
has been proposed in a paper [14] and a research report [15], which is an extended version
of the paper. A precise deﬁnition of the syntax of a kernel of ccsl along with a structural
operational semantics is now available [3, 16]. This semantics is the golden reference for
the ccsl constraint solver implemented in TimeSquare1, the software environment that
supports ccsl and the marte time proﬁle.
Clock constraints are classiﬁed into four categories:
1. coincidence-based constraints (also known as synchronous constraints),
2. precedence-based constraints (also known as asynchronous constraints),
3. mixed constraints, which combine synchronous and asynchronous aspects,
4. NFP chronometric constraints (NFP stands for Non Functional Property).
The last category, which is pertinent for chronometric clocks only, is not considered in this
report.
A ccsl speciﬁcation S consists of clock declarations and a set of binary clock relations.
These relations apply to clocks or clock expressions. A run (execution sequence) represents
a legal evolution. Each step of the run consists of a set of clocks that are ﬁred2. Of course,
all the clocks ﬁred during a step must respect S. For each clock, at any step of a run, the
operational semantics of ccsl [3] allows the computation of an enabling condition (necessary
condition for the clock to ﬁre) and the change in state induced by its possible ﬁring.
The basic (i.e., part of the kernel) clock relations, some usual derived clock relations,
and a set of clock expressions are presented in the next subsections. Most of these deﬁnitions
are borrowed from the previously mentioned papers on ccsl.
2.4 Clock relations
2.4.1 Primitive clock relations
Let a and b two discrete time clocks. Five primitive relations on clocks are deﬁned:
1http://www-sop.inria.fr/aoste/dev/time_square
2A clock ﬁres or a clock ticks are two equivalent expressions equally used in this report.
INRIA
CCSL Observers 7
 Subclocking: a ⊂ b is a synchronous clock relation. There exists a mapping h from
Ia to Ib which is injective and order preserving. a is said to be a sub-clock of b, and
b a super-clock of a.
a ⊂ b⇔((∀k ∈ N?, a[k] ∈ Ia)(∃l ∈ N?, b[l] ∈ Ib)(a[k] ≡ b[l] = h(a[k]))) ∧((∀k1, k2 ∈ N?, a[k1], a[k2] ∈ Ia)(a[k1] ≺ a[k2]⇒ h(a[k1]) ≺ h(a[k2])))
(1)
1 2 3
b
a
4 5 6
a b⊂
Figure 1: Exemple of subclocking.
 Tight Subclocking: a D b is a subclocking relation in which the image of Ia by h is
an interval of Ib. In a formal way:
a D b⇔(
(∃j ∈ N)(∀k ∈ N?, a[k] ∈ Ia)((b[j + k] ∈ Ib) ∧ (a[k] ≡ b[j + k]))) ∧((∀k1, k2 ∈ N?, a[k1], a[k2] ∈ Ia)(a[k1] ≺ a[k2]⇒ h(a[k1]) ≺ h(a[k2])))
(2)
1
1
2
2
3
3
b
a
4 5 6
a b⊂+
Figure 2: Exemple of tight subclocking.
In this example clock a is ﬁnite (|Ia| = 3) and j = 1.
 Strict precedence: a ≺ b is an asynchronous clock relation. a is said to be strictly
faster than b, and b strictly slower than a.
a ≺ b⇔ (∀k ∈ N?, b[k] ∈ Ib)((a[k] ∈ Ia) ∧ (a[k] ≺ b[k])) (3)
RR n° 7211
8 C. André
1
1
2
2
3
3
a
b
4 5 6
a b≺
Figure 3: Exemple of strict precedence.
 Precedence: a 4 b is similar to the previous one but considering the non strict
precedence instead. a is said to be faster than b, and b slower than a.
a 4 b⇔ (∀k ∈ N?, b[k] ∈ Ib)((a[k] ∈ Ia) ∧ (a[k] 4 b[k])) (4)
1
1
2
2
3
3
a
b
4 5 6
a b?
4
Figure 4: Exemple of non strict precedence.
In this example, note that a[3] and b[3] are coincident.
 Exclusion: a # b means that a and b have no coincident instants.
a # b⇔ (∀j ∈ N?, a[j] ∈ Ia)(∀k ∈ N?, b[k] ∈ Ib)(¬(a[j] ≡ b[k])) (5)
2.4.2 Derived clock relations
We mention three often used derived clock relations: Equality, Alternation, Synchronization.
Equality a = b is a typical synchronous clock relation derived from tight subclocking.
a = b⇔ (a D b) ∧ (b D a) (6)
Hence, there is a bijection between instants of a and b. This bijection is order preserving and
the instants are point-wise coincident: ∀k ∈ N?, a[k] ≡ b[k]. Hence another characterization
of the clock equality relation is given in equation 7.
a = b⇔((∀k ∈ N?, a[k] ∈ Ia)(b[k] ∈ Ib) ∧ (a[k] ≡ b[k])) ∧((∀k ∈ N?, b[k] ∈ Ib)(a[k] ∈ Ia) ∧ (a[k] ≡ b[k]))
(7)
INRIA
CCSL Observers 9
For inﬁnite sets, the speciﬁcation simpliﬁes to equation 8:
a = b⇔ ((∀k ∈ N?)(a[k] ≡ b[k])) (8)
1
1
2
2
3
3
a
b
4
4
a b=
Figure 5: Exemple of clock equality.
The next two relations are asynchronous. They involve precedence relations and auxiliary
clocks. Given a clock c, we denote c$1 the tight sub-clock of c such that(∀k ∈ N?, c[k + 1] ∈ Ic)(c$1[k] ∈ Ic$1) ∧ (c$1[k] ≡ c[k + 1]) (9)
In other words, c$1 is c deprived of its ﬁrst instant. We will see later on page 18, how this
can be easily deﬁned with clock expressions.
Alternation a ∼ b. The strict form of alternation can be speciﬁed as
a ∼ b⇔ (a ≺ b) | (b ≺ a$1) (10)
The composition of clock relation (operator |) imposes the conjunction of the relations.
So, the alternation can be also deﬁned as
a ∼ b⇔ (∀k ∈ N?, a[k + 1] ∈ Ia)((b[k] ∈ Ib) ∧ (a[k] ≺ b[k] ≺ a[k + 1])) (11)
1
1
2
2
3
3
a
b
4 5
4
a b∼
Figure 6: Exemple of strict alternation.
This deﬁnition is far simpler when only inﬁnite sets are considered:
a ∼ b⇔ (∀k ∈ N?)(a[k] ≺ b[k] ≺ a[k + 1]) (12)
For the sake of simplicity, from now on, we give only deﬁnitions for inﬁnite sets. Since
there exists a non strict form of precedence
(
4
)
, three other variants of alternation can
be deﬁned.
RR n° 7211
10 C. André
 RNS-alternation (right non-strict alternation)
a ∼= b⇔
(∀k ∈ N?)(a[k] 4 b[k] ≺ a[k + 1]) (13)
 LNS-alternation (left non-strict alternation)
a =∼ b⇔
(∀k ∈ N?)(a[k] ≺ b[k] 4 a[k + 1]) (14)
 NS-alternation (non-strict alternation, which is both right and left non-strict)
a =∼= b⇔
(∀k ∈ N?)(a[k] 4 b[k] 4 a[k + 1]) (15)
a[k]
b[k]
a[k+1] a[k]
b[k]
a[k+1] a[k]
b[k]
a[k+1] a[k]
b[k]
a[k+1]
strict right non strict
left non 
strict non strict
Figure 7: Various forms of alternation.
Synchronization This relation, unlike the alternation, does not impose a strict ordering
on instants of a and b. Instead, the kth instants of a and b are not ordered, but they both
precede the k+1th instants of a and b. Figure 8 shows an example of strict synchronization.
This relation is borrowed from the General Net Theory and stands for a synchronic distance
of 2 (see Reisig's book [17], chapter 4).
1
1
2
2
3
3
a
b
4
4
a b
Figure 8: Exemple of strict synchronization.
Like the alternation, synchronization has four variants:
INRIA
CCSL Observers 11
a ./ b⇔
((
a ≺ b$1) | (b ≺ a$1)) (16)
a ./= b⇔
((
a 4 b$1
) | (b ≺ a$1)) (17)
a =./ b⇔
((
a ≺ b$1) | (b 4 a$1)) (18)
a =./= b⇔
((
a 4 b$1
) | (b 4 a$1)) (19)
Using quantiﬁers, the inﬁnite forms can be redeﬁned as follows:
 synchronization (strict synchronization)
a ./ b⇔ (∀k ∈ N?)((a[k] ≺ b[k + 1]) ∧ (b[k] ≺ a[k + 1])) (20)
 RNS-synchronization (right non-strict synchronization)
a ./= b⇔
(∀k ∈ N?)((a[k] 4 b[k + 1]) ∧ (b[k] ≺ a[k + 1])) (21)
 LNS-synchronization (left non-strict synchronization)
a =./ b⇔
(∀k ∈ N?)((a[k] ≺ b[k + 1]) ∧ (b[k] 4 a[k + 1])) (22)
 NS-synchronization (non-strict synchronization, which is both right and left non-strict)
a =./= b⇔
(∀k ∈ N?)((a[k] 4 b[k + 1]) ∧ (b[k] 4 a[k + 1])) (23)
a[k] a[k+1]
b[k] b[k+1]
a[k] a[k+1]
b[k] b[k+1]
a[k] a[k+1]
b[k] b[k+1]
a[k] a[k+1]
b[k] b[k+1]
strict right non strict
left non 
strict non strict
Figure 9: Various forms of synchronization.
2.5 Clock expressions
A clock expression deﬁnes a new implicit clock. In this subsection we name this implicit
clock c.
RR n° 7211
12 C. André
2.5.1 Index independent clock expressions
Clock union a + b deﬁnes a clock that ticks whenever a or b ticks.
Let c = a + b the following properties hold:
1)
(
a ⊂ c) ∧
2)
(
b ⊂ c) ∧
3)
((∀i ∈ Ic)(∃j ∈ Ia ∪ Ib)i ≡ j)
(24)
Equations 24-1 and 24-2 state that c is a super-clock of both a and b. Equation 24-3 makes
c minimal with respect to the subclocking relation.
Clock intersection a ∗ b deﬁnes a clock that ticks whenever both a or b tick.
Let c = a ∗ b the following properties hold:
1)
(
c ⊂ a) ∧
2)
(
c ⊂ b) ∧
3)
((∀i ∈ Ia)(∀j ∈ Ib)(∃k ∈ Ic)(i ≡ j)⇒ (i ≡ k))
(25)
Equations 25-1 and 25-2 state that c is a sub-clock of both a and b. Equation 25-3 makes c
maximal with respect to the subclocking relation.
Clock diﬀerence a − b deﬁnes a clock that ticks whenever a ticks but b does not.
Let c = a − b the following properties hold:
1)
(
c ⊂ a) ∧
2)
((∀i ∈ Ia,@j ∈ Ib, i ≡ j)(∃k ∈ Ic)i ≡ k) (26)
Equation 26-1 states that c is a sub-clock of a. Equation 26-2 makes c maximal with respect
to the subclocking relation by ensuring that all the instants of a not coincident with an
instant of b have a coinciding instant in c.
Figure 10 illustrates the three clock expressions just deﬁned.
INRIA
CCSL Observers 13
a
b
1 2 3 4 5 6
1 2 3 4 5 6 7
a b 1 2 4 5 8 10
1
1
a b
3
1
6 7 9
2
a b 1 2 3 4
Figure 10: Exemples of clock expressions union, intersection, and diﬀerence.
2.5.2 Index dependent clock expressions
As from a  k, where k is a natural number, deﬁnes a clock that is a tight sub-clock of a
starting after index k.
c = a  k ⇔ (c D a) ∧ (c[1] ≡ a[k + 1]) (27)
This clock expression is illustrated in ﬁgure 11. The virtual intial instant of a  k, indicates
that the birth of this clock is between instant k and k + 1 of clock a.
a k+1
1
1 k
0
k+2
2
k+3
3↗a k
Figure 11: Exemples of clock expression `as from'.
A variant of this expression is a  ∗. It is dynamically evaluated during a run and takes
χ(a) as its parameter.
Sup a ∨ b deﬁnes a clock that is the fastest among all the clocks slower than a and b
(equation 28).
Let C4a,b =
{
d ∈ C | (a 4 d) ∧ (b 4 d)} , (∀c′ ∈ C4a,b)((a ∨ b) 4 c′) (28)
RR n° 7211
14 C. André
This ﬁxpoint relation can be also expressed using instants:
Let c = a ∨ b the following properties hold:(∀k ∈ N?, c[k] ∈ Ic)
1)
(
a[k] ∈ Ia
) ∧
2)
(
b[k] ∈ Ib
) ∧
3)
(
c[k] ≡
{
a[k] if b[k] 4 a[k]
b[k] if a[k] 4 b[k]
) (29)
Equations 29-1 and 29-2 state that for any instant c[k] of c, there exist instants with the
same index in both a and b. Equation 29-3 imposes that c[k] is coincident with the later
of a[k] and b[k]. Note that the two branches of the case-statement (equation 29-3) are not
exclusive. There may be the case that c[k] ≡ a[k] ≡ b[k].
Inf a ∧ b deﬁnes a clock that is the slowest among all the clocks faster than a and b
(equation 30).
Let C<a,b =
{
d ∈ C | (d 4 a) ∧ (d 4 b)} , (∀c′ ∈ C<a,b)(c′ 4 (a ∧ b)) (30)
This ﬁxpoint relation can be also expressed using instants:
Let c = a ∧ b the following properties hold:(∀k ∈ N?, c[k] ∈ Ic)
1)
(
(a[k] ∈ Ia) ∧ (b[k] ∈ Ib ⇒ a[k] 4 b[k]) ∧ (c[k] ≡ a[k])
) ∨
2)
(
(b[k] ∈ Ib) ∧ (a[k] ∈ Ia ⇒ b[k] 4 a[k]) ∧ (c[k] ≡ b[k])
) (31)
Equation 31-1 imposes that any instant c[k] of c coincides with instant a[k] when a[k]
precedes b[k] or b[k] does not exist. Equation 31-2 imposes that c[k] coincides with instant
b[k] when b[k] precedes a[k] or a[k] does not exist. Note that if a[k] ≡ b[k], the two equa-
tions 31-1 and 31-2 are not exclusive. In this case, c[k] ≡ a[k] ≡ b[k]. Figure 12 shows the
sup and inf of two clocks.
a
b
1 2 3 4 5 6 7
1 2 3 4 5 6 7 8
a b 1 2 3 4 5 6 7 8
a b 1 2 3 4 5 6 7
Figure 12: Exemples of clock expressions sup and inf.
INRIA
CCSL Observers 15
2.5.3 Clock expressions with clock death
Upto a  b deﬁnes a clock c that ticks whenever a ticks upto the ﬁrst tick of b. As of this
tick, c dies (can not tick any more).
Let c = a  b the following properties hold:
1)
(
c ⊂ a) ∧
2)
(
(∀k ∈ N?, a[k] ∈ Ia)(a[k] ≺ b[1])⇒ (c[k] ≡ a[k])
) (32)
Equation 32-1 imposes c to be a sub-clock of a. Equation 32-2 speciﬁes that any instant of
a that strictly precedes the ﬁrst instant of b, is coincident with an instant of c. Figure 13 is
an illustration where |Ia| = 3.
a
b
1 2 3 4
1 2
a b 31 2
Figure 13: Exemples of clock expression upto.
The clock expression awaiting, which also dies, is deﬁned on page 15.
2.5.4 Clock expressions with schedule
Here, schedule has the meaning of a plan that gives a list of events or tasks and the times
at which each one should happen or be done. More precisely, the schedule associated with
an expression contains the future times at which the clock should tick in coincidence with
a given clock. Clock expressions like sampling have a very short schedule that contains at
most one future coincidence. Others, like defer or ﬁltering may be arbitrary large.
Awaiting aˆn, where n ∈ N?, is a synchronous clock expression. This expression waits
for the nth strictly future tick of a. On this occurrence, a ticks once and dies.
Let c = aˆn the following properties hold:
1)
(|Ic| = 1) ∧
2)
(
(∃a[n] ∈ Ia)(c[1] ≡ a[n])
) (33)
Note that aˆn ticks once and dies (see ﬁgure 14).
RR n° 7211
16 C. André
a
a ^ n 1
n1 2 n+1
Figure 14: Exemple of clock awaiting.
Strict sampling a D b is a mixed clock expression (i.e., based on both precedence and
coincidence). It deﬁnes a subclock of b that ticks whenever clock a has ticked at least once
since the previous tick of b. Figure 15 shows the corresponding instant ordering.
a
b
i
j
a  b k
°j
Figure 15: Strict sampling instant ordering.
Let c = a D b the following properties hold:
1)
(
c ⊂ b) ∧
2)
(
(∀i ∈ Ia)(∃j ∈ Ib, °j 4 i ≺ j)⇒ (∃k ∈ Ic, j ≡ k)
) (34)
Equation 34-1 says that c is a subclock of b. Equation 34-2 speciﬁes the ordering relations
given in ﬁgure 15.
Non strict sampling a C b is also a mixed clock expression, similar to the previous one,
just changing the precedence relations. Figure 16 shows the corresponding instant ordering.
INRIA
CCSL Observers 17
a
b
i
j
k
°j
a  b
Figure 16: Non strict sampling instant ordering.
Let c = a C b the following properties hold:
1)
(
c ⊂ b) ∧
2)
(
(∀i ∈ Ia)(∃j ∈ Ib, °j ≺ i 4 j)⇒ (∃k ∈ Ic, j ≡ k)
) (35)
Figure 17 highlights the diﬀerent behaviors of the strict and non strict clock expression
samplings.
a
b
1 2 3 4
2 3 4 5 6
a b 2 3
a b
1
2 3
1
1
Figure 17: Exemple of clock sampling.
Defer a ( n ) b is also a mixed clock expression that deals with multiple future scheduled
ticks. Figure 18 shows the corresponding instant ordering.
a
b j-n+1j-n
i
j
k( )a n b?
Figure 18: Defer instant ordering.
RR n° 7211
18 C. André
Let c = a ( n ) b the following properties hold:
1)
(
c ⊂ b) ∧
2)
(
(∀i ∈ N?, a[i] ∈ Ia)(∃ni ∈ N?)
(∃j ∈ N?, j > ni, b[j] ∈ Ib, b[j − ni] 4 a[i] ≺ b[j − ni + 1])
(∃k ∈ N?, c[k] ∈ Ic, c[k] ≡ b[j])
)
(36)
Figure 19 shows clock expression `defer' when n is a constant. In this case, the clock
expression is also known as clock expression `delayedFor'.
( )?a 2 b
a
b
1 32
3 4 5 6 7
2 31
21 8
2 b 2 b
2 b
Figure 19: Exemple of clock expression `defer'.
Filtering a H w, where w is a binary word is a often used synchronous clock expression.
Binary words are described in Annex A.
a H w ⇔ ((∀k ∈ N?, c[k] ∈ Ic)(c[k] ≡ a[w ↑ k])) (37)
w ↑ k denotes the index of the kth `1' in the binary word w. So, c is a sub-clock of a. Example
in ﬁgure 20 considers a periodic binary word (transient part `01', periodic part `100'). Note
that the operation $1 deﬁned in equation 9 might have been deﬁned by ﬁltering, using the
periodic binary word 0 (1)
ω
.
= ▼c a w
01(100) 01100100...100...ω= =w
1 2 3 4 5 6 7 8 9a
1 2 3 4
Figure 20: Exemple of ﬁltering by a binary word.
INRIA
CCSL Observers 19
2.5.5 Clock expression concatenation
Concat a • b deﬁnes a clock c that ticks whenever a ticks upto the death of a. As of this
tick, c ticks whenever b ticks.
Let c = a • b the following properties hold:
Let l = |Ia|,
(∀k ∈ N?, c[k] ∈ Ic)
1)
(
(k 6 l) ∧ (c[k] ≡ a[k])) ∨
2)
(
(k > l) ∧ (∃m ∈ N?, b[m] 4 a[l] ≺ b[m+ 1]) ∧ (b[k +m− l] ∈ Ib)
∧ (c[k] ≡ b[m+ k − l]))
(38)
Equation 38-1 deals with the case when a is alive, whereas equation 38-2 addresses the case
when a is dead. Figure 21 is an illustration where l = |Ia| = 5 and m = 3.
a
b
1 2 3 4 5
1 2 3 4 5 6 7
a b 1 2 3 4 7 8 95 6
Figure 21: Exemples of clock expression concat.
3 Observers
3.1 Veriﬁcation by observers
Veriﬁcation by observers is a technique widely applied to synchronous languages [10]. The
principle is given in ﬁgure 22. An observer (right-hand box in the ﬁgure) is a reactive
program expressing a safety property P that has to be veriﬁed for a program (middle box).
In synchronous language, the observer is put in (synchronous) parallel with the program.
The observer has a unique output that signals possible violations of P . The observer receives
the same input signals as the program. It also receives its output signals. Thus, the observer
is purely passive: it only listen to the program without interfering with it. Often, a property
holds only under some contexts. The assumptions made on the system environment are
represented by another reactive program called Environment (left box in the ﬁgure). The
Environment only generates useful input sequences.
The veriﬁcation consists of checking that the synchronous parallel composition of the
three reactive programs Environment, Program, and Observer never emits a violation for
any input sequence provided by the Environment. The analysis can be done by standard
reachability analysis techniques. If the property is false, an input sequence leading to the
violation can be generated. This is called a counter-example.
RR n° 7211
20 C. André
Program Observer
Violation
Environment
Inputs Outputs
Figure 22: Property checking of reactive programs.
With the synchronous languages, the observers can be written in the very same language
as the program to verify. This is illustrated with the language Esterel. Before, we give a
guide-line for implementing ccsl observers.
3.2 Principle of the implementation
Adaptor
ClockSpec
Generator
violation:Boolean
Observer
1 leftright 1
ClockRelation
ClockSpecification
ClockRef
ClockConstraint
Specification
*
Event
0..1
definingEvent
CCSLTarget Language
CCObservation
*
ClockExpression
Clock
ref1
coperands
*
right11left
1
implicitClock
C_Clock
1
c_clock
coperands*
Parameters
*
Parameter
*
1
TimeRelated
Element
TimeRelated
Observation
obs1
elems 1..*
Figure 23: Metamodel for property observation.
We are interested in temporal property checking. These properties are expressed in ccsl
and rely on the concept of logical clocks. On its left side, ﬁgure 23 contains a metamodel
for temporal property observations. The simpliﬁed metamodel of ccsl has been put on
INRIA
CCSL Observers 21
the right-hand side. The correspondance between the metamodel elements is summarized
in table 2. In our approach, we adopt a uniform naming convention for the identiﬁers of
programming elements related to time property observations. The third column gives these
preﬁxes.
Table 2: Metamodel element correspondances.
CCSL Target Language Preﬁx
ClockConstraintSpeciﬁcation CCObservation
ClockRelation Observer Ccsl_R_
ClockExpression Generator Ccsl_E_
Adaptor Ccsl_A_
Clock C_Clock c_
Conceptually, a logical clock may represent an event whose occurrences are represented
by the instants of the clock. An adaptor yields a C_Clock, representation of a ccsl clock
in the target language. To determine whether a c_clock has to tick or not, the adoptor
observes the state of one or several objects3 of the program (property elems in the meta-
model). For instance, in vhdl, a rising edge of a signal a, while a signal b is set to `1'
(statement a'event and a='1' and b='1') may represent an event and thus be associated
with a c_clock. A generator represents a ccsl clock expression. Like an adaptor, a gener-
ator has a c_clock as output. Finally, an observer represents a ccsl clock relation. In the
target language implementation an observer provides a Boolean called violation.
We propose a modular approach. For a given target language (Esterel in this report), we
provides a library of modules for observers, generators, and adaptors. Figure 24 illustrates
the use of such a library for property veriﬁcation. The next three sub-sections describe what
should be the behavior of the various observers, generators, and adaptors, independently of
any target language. The behavior results from the operational semantics of ccsl described
in the report on the kernel ccsl [3]. This semantics transforms any ccsl speciﬁcation S
into a Boolean expression JSK. These Boolean expressions use extended logical operators
deﬁned in table 3.
Operator Meaning Equivalent expression
i⇒ j implication ¬i ∨ j
i = j equality (i ∧ j) ∨ (¬i ∧ ¬j)
i # j exclusion ¬(i ∧ j)
i ⊕ j exclusive disjunction (¬i ∧ j) ∨ (i ∧ ¬j)
Table 3: Extended logical operators
3Here, object has not the restrictive meaning given by object languages. An object can be a variable
(e.g., in C), a signal (e.g., Esterel, vhdl), etc.
RR n° 7211
22 C. André
Written in the same language
Property Observer
Adaptors Tree of CCSL generators
/ CCSL observer
G
G G
G
O
A
A
Violation
Automated 
generation from 
CCSL specification
Chosen by the 
verifier
Legend:
ACCSL adaptor GCCSL generator OCCSL observer
Program
T
T
TimeRelatedElement TIn the program:
In the observer:
Figure 24: Use of CCSL observer libraries.
For each clock c, χ(c) is the index of its current instant in a run, and JcK is a Boolean
variable associated with c. When this variable is true, the associated clock can be ﬁred at
the current step.
3.3 Observers of clock relations
3.3.1 Observers for primitive clock relations
Table 4 groups together semantic information relative to the primitive clock relations. The
ﬁrst column indicates the relation, the second column the enabling condition, the third
column the possible changes in state induced by clock ﬁrings. The last column gives the
logical expression for the violation of the clock relation. This expression is the logical
negation of the condition contained in the second column. An observer must evaluate the
violation condition and update an internal state, if needed.
Table 4: Violations of primitive clock relations
Relation Enabling Changes Violation
a ⊂ b JaK⇒ JbK JaK ∧ ¬ JbK
Continued on next page
INRIA
CCSL Observers 23
Relation Enabling Changes Violation
a D b JaK = JbK JaK ⊕ JbK
a # b JaK # JbK JaK ∧ JbK
a ≺ b (δ = 0)⇒ ¬ JbK δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
(δ = 0) ∧ JbK
a 4 b (δ = 0)⇒ (JbK⇒ JaK) δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
(δ = 0) ∧ JbK ∧ ¬ JaK
where δ , χ(a)− χ(b)
3.3.2 Observers for derived clock relations
Equality At any step of a run, for any existing clocks a and b, the clock relation a = b
is the same as the tight subclocking relation. The condition and the validation are the same
as those of the tight subclocking (see table 5).
Alternation This relation is not primitive. Its enabling and violation conditions result
from a composition of the enabling and violation conditions of the composed relations.
Starting with the deﬁnition a ∼ b⇔ (a ≺ b) | (b ≺ a$1), we apply the transforma-
tions rules to each precedence. This yields the enabling condition((
χ(a) = χ(b)
)⇒ ¬ JbK) ∧ ((χ(a)− 1 = χ(b))⇒ ¬ JaK) (39)
Introducing δ , χ(a)− χ(b), condition 39 becomes((
δ = 0
)⇒ ¬ JbK) ∧ ((δ = 1)⇒ ¬ JaK) (40)
The changes in state for the two precedence relations are the same, and therefore apply
to the alternation relation as well.
δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
(41)
Starting with the initial condition δ = 0, from equations 40 and 41 we deduce that only
two values δ = 0 and δ = 1 are possible. Therefore, alternation can be be speciﬁed by the
fsm shown in ﬁgure 25, where S0 corresponds to the enabling condition δ = 0, whereas state
RR n° 7211
24 C. André
S1 corresponds to δ = 1. While the state machine associated with a precedence observer is
inﬁnite, the composition of the two precedence relations involved in an alternation results
in a 2-state machine. This graphical speciﬁcation of clock relations is exploited in Annex B.
S0 S1
a
b
Figure 25: fsm of the strict alternation relation.
The violation condition for the alternation is the negation of the enabling condition 40:((
δ = 0
) ∧ JbK) ∨ ((δ = 1) ∧ JaK) (42)
The fsm of the alternation observer (ﬁgure 26) is obtained by adding a sink state (SV),
and violation transitions, shown as red arcs. V is the violation signal. The original speciﬁ-
cation of the alternation observer (table 5) a priori needs integers for encoding δ. The fsm
(ﬁgure 26) can be preferred for the observer implementation because it can be encoded with
simple Boolean variables. Table 5 groups together the results in equational forms.
a / Vb / V
S0 S1
a.b’
a'.b
SV
Figure 26: fsm detecting the violation of the strict alternation relation.
Synchronization a ./ b, which deﬁned as
(
a ≺ b$1) | (b ≺ a$1), can be transformed
similarily. The details are skipped and gathered in table 5. There exist only three values for
δ: 0, 1, and −1. States S0, SA, and SB correspond to conditions δ = 0, δ = 1, and δ = −1
respectively. Here again, a fsm can be used to specify the behavior of the synchronization
(ﬁgure 27). Note that in this fsm, when a and b tick simultaneously in state S0, the state
is unchanged. This is why the transition has not been explicitly drawn.
INRIA
CCSL Observers 25
SA SB
b.a’
S0
a.b’
ab
Figure 27: fsm of the strict synchronization relation.
Table 5: Violations of derived clock relations
Relation Enabling Changes Violation
a = b JaK = JbK JaK ⊕ JbK
a ∼ b
(
(δ = 0)⇒ ¬ JbK )
∧(
(δ = 1)⇒ ¬ JaK ) δ ←

1 if JaK ∧ ¬ JbK
0 if ¬ JaK ∧ JbK
δ otherwise.
(
(δ = 0) ∧ JbK )
∨(
(δ = 1) ∧ JaK )
a ./ b
(
(δ = 1)⇒ ¬ JaK )
∧(
(δ = −1)⇒ ¬ JbK ) δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
(
(δ = 1) ∧ JaK )
∨(
(δ = −1) ∧ JbK )
where δ , χ(a)− χ(b)
The observers for the various forms of alternation and synchronization are given in An-
nex B as fsm.
3.4 Generators for clock expressions
With each clock expression, we associate a generator. It generates clock ticks and maintains
an internal state according to the presence or absence of ticks of its operand clocks. In
this sub-section, generators are grouped according to the kind of their internal state. The
results are presented in a tabular form: the expression in the ﬁrst column, the condition to
generate a tick in the second column, the possible changes in state in the third column, and
the initial state in the last column. The last three columns reﬂect the operational semantics
of ccsl [3].
3.4.1 Combinatorial generators
For these generators, emitting a tick results only from the presence/absence of incoming
clock ticks. This group concerns the clock expressions union, intersection, and diﬀerence.
No internal state is needed.
RR n° 7211
26 C. André
Table 6: Combinatorial generators
Expression Ticks when Changes Initial
a + b JaK ∨ JbK
a ∗ b JaK ∧ JbK
a − b JaK ∧ ¬ JbK
3.4.2 Clock index dependent generators
The clock expressions sup and inf depends on the diﬀerence (δ) between the indexes of the
two clock operands. The integer δ is the internal state. It keeps track of the incoming ticks.
Table 7: Clock index dependent generators
Expression Ticks when Changes Initial
a  k JaK χ← {χ+ 1 if JaK
χ otherwise.
χ = 0
a ∨ b
(
(δ < 0) ∧ JaK ) ∨(
(δ = 0) ∧ (JaK ∧ JbK)) ∨(
(δ > 0) ∧ JbK ) δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
δ = 0
a ∧ b
(
(δ < 0) ∧ JbK ) ∨(
(δ = 0) ∧ (JaK ∨ JbK)) ∨(
(δ > 0) ∧ JaK ) δ ←

δ + 1 if JaK ∧ ¬ JbK
δ − 1 if ¬ JaK ∧ JbK
δ otherwise.
δ = 0
where δ , χ(a)− χ(b)
3.4.3 Generators for clocks with death
The clock expression a  b dies on the ﬁrst tick of b. The internal state is a Boolean isDead.
Boolean values are denoted as 0 and 1, for false and true, respectively.
Table 8: Generators for clocks with death
Expression Ticks when Changes Initial
a  b ¬isDead ∧
(JaK ∧ ¬ JbK) isDead←
{
1 if JbK
isDead otherwise.
isDead = 0
3.4.4 Generators for clocks with schedule
INRIA
CCSL Observers 27
Table 9: Generators for clocks with schedule
Expression Ticks when Changes Initial
aˆn
JaK ∧
(bw = 1)
bw ←

v if JaK ∧ (bw = 0.v)
0 if JaK ∧ (bw = 1)
bw otherwise.
bw = 0JnK−1.1
a D b
JbK ∧
(bw = 1)
bw ←

1 if JaK
0 if JbK ∧ ¬ JaK
bw otherwise.
bw = 0
a C b
JbK ∧(
(bw = 1)
∨ JaK ) bw ←

1 if JaK ∧ ¬ JbK
0 if JbK
bw otherwise.
bw = 0
a H w JaK ∧
(bw = 1.v)
bw ←
{
v if JaK ∧ (bw = b.v)
bw otherwise.
bw = w
a ( n ) b JbK ∧
(bw = 1.v)
bw ←

v if JbK ∧ ¬ JaK ∧ (bw = b.v)
v + 0JnK−1.1 if JbK ∧ JaK ∧ (bw = b.v)
bw + 0JnK−1.1 if JaK ∧ ¬ JbK
bw otherwise.
bw = 0
where v is a binary word
3.4.5 Generators for clock concatenation
The concatenation a • b is rewritten into b when a dies.
Table 10: Generators for clock concatenation
Expression Ticks when Changes Initial
a • expr2 JaK expr ← {expr2 if a.isDead
expr otherwise.
expr = a • expr2
3.5 Adaptors
An adaptor has to generate ticks of a c_clock according to the state of one or several objects
of the program. Collectively, the states of these objects characterize an event of interest for
the system. Such events are greatly dependent on the application, and the way to detect
their occurrences is language speciﬁc. So, there is little to say about adaptors in general.
RR n° 7211
28 C. André
4 Esterel implementation
In this section we propose a library of Esterel modules that implement the general concepts
of adaptors, observers, and generators introduced in the previous chapter. The code is
written in Esterel v7, version v7_60 for Esterel Studio 6.1.
4.1 Data and interface units
Esterel allows separate programming of data, interface, and module units. Genericity is also
supported. Existence of various units and genericity are exploited in our implementation of
ccsl observers in Esterel.
C_clocks
To implement ccsl observers in Esterel, we have ﬁrst to decide how to represent a ccsl
clock. We have chosen a pair of pure signals. The presence of the signal `presence' represents
a tick of the associated clock. The second signal `alive' reﬂects the status of the clock: the
clock is alive when the signal is present, whereas the clock is not existing (not yet created
or dead) when the signal is absent. The two signals are grouped together in a port, and a
c_clock is a port typed by C_Clock_Intf.
interface C_Clock_Intf :
output presence ;
output a l i v e ;
end interface
Other data and interface units will be deﬁned in the following sub-sections.
4.2 Adaptors
In Esterel a logical clock can be associated with any signal. This clock ticks whenever the
signal is present. Hence, an Esterel adaptor maps an Esterel signal to a c_clock. We have
to distinguish between pure and valued signals.
4.2.1 Pure signal adaptor
For a pure signal A, the adaptor code is obvious:
1 module Ccsl_A_pure :
2 input A;
3 port c_A: C_Clock_Intf ;
4
5 sustain {
6 c_A. a l i v e ,
7 c_A. presence i f A
8 }
INRIA
CCSL Observers 29
9
10 end module
Note that c_A.alive is emitted at each instant (line 6) when this module is active.
4.2.2 Valued signal adaptor
For a valued signal, the adaptor code is also very simple. It is a generic module which
considers only the presence status of the input signal.
1 module Ccsl_A_valued :
2 generic type T;
3 input A: T;
4 port c_A: C_Clock_Intf ;
5
6 sustain {
7 c_A. a l i v e ,
8 c_A. presence i f A
9 }
10
11 end module
In line 2, a generic type is introduced. It types signal A (line 3). The actual type must
be given at the module instantiation. When the module is active, signal c_A.presence is
emitted whenever the input signal A is present (line 8).
4.2.3 Rising-edge signal adaptor
Since the presence status of a signal is not persistent, hand-shake in Esterel is often imple-
mented as
abort
sustain r e s que s t
when re sponse
The actual event in this case is the rising edge of signal request (i.e., a signal present
at the ﬁrst instant of the sustain). The adaptor Ccsl_A_risingEdge represents this behavior
(Synchart in ﬁgure 28).
Note that the ﬁrst two adaptors are so simple that their code is usually in-lined.
4.3 Observers
4.3.1 Observer interface
Each ccsl relation observer has two input c_clocks and one output that signals possible
violations. This ﬁx interface can be speciﬁed by an interface.
RR n° 7211
30 C. André
Ccsl_A_risingEdge
Super and not Level
On Entry:
/ c_Sub.presence
OFF ON
Super and Level
Super and Level
12
   « interface »
input Super, Level;
port c_Sub: C_Clock_Intf
A
/ c_Sub.alive
Figure 28: SyncChart of the Rising Edge adaptor.
1 interface Ccsl_R_Intf :
2 port c_A: mirror C_Clock_Intf ;
3 port c_B: mirror C_Clock_Intf ;
4 output Vio l a t i on ;
5 end interface
Port c_A is typed mirror C_Clock_Intf (line 2). This means that the port consists of
the signals declared in interface C_Clock_Intf but with their direction reverted (imposed
by the keyword `mirror'). It is the same for port c_b, line 3. As for Violation, it is a pure
signal emitted as soon as a violation occurs. Each Observer module includes this interface
in its code (statement extends Ccsl_R_Intf;).
4.3.2 Subclocking
1 module Ccsl_R_subclock :
2 extends Ccsl_R_Intf ;
3 sustain Vio l a t i on i f c_A. presence and not c_B. presence
4 end module
The statement sustain (line 4) emits Violation if c_A ticks while c_B does not. This
condition is directly extracted from table 4, ﬁrst row, last column.
4.3.3 Tight subclocking
This clock relation should be tested when c_a is alive. In Esterel, this is easily done by
waiting for c_a to be born (line 3), and checking the violation (line 5) while c_a is alive
(lines 46).
1 module Ccsl_R_tightsubclock :
2 extends Ccsl_R_Intf ;
3 await immediate c_A. a l i v e ;
4 abort
5 sustain Vio l a t i on i f c_A. presence xor c_B. presence
INRIA
CCSL Observers 31
6 when not c_A. a l i v e
7 end module
Line 5 encodes V =
(
c_a ⊕ ∧c_b) from table 4.
4.3.4 Exclusion
The third clock relation observer emits Violation if both c_A and c_B tick.
module Ccsl_R_exclusive :
extends Ccsl_R_Intf ;
sustain Vio l a t i on i f c_A. presence and c_B. presence
end module
4.3.5 Precedences
The precedence observers are more complex. They have to maintain an internal counter
(delta). The strict and non strict version have common behavior and they diﬀer on their
violation conditions (see table 4). Their code can be combined and the discremination done
by a generic constant set at the observer module instantiation. The discreminant is the
the generic constant KIND, the type of which is a the enumeration Ccsl_Strictness_Kind
deﬁned in a data unit.
data Ccsl_Types :
type Ccsl_Strictness_Kind =
enum {
STRICT=0, NONSTRICT=1, LNS=2, RNS=3
} ;
end data
The precedence observer is a generic module.
1 module Ccsl_R_precedes :
2 extends Ccsl_Types ;
3 extends Ccsl_R_Intf ;
4
5 constant KIND: Ccsl_Strictness_Kind ;
6 generic constant UMAX: unsigned ;
7 type CounterType = unsigned<UMAX>;
8
9 signal Delta : value CounterType in i t 0 in
10 sustain {
11 Vio l a t i on i f
12 (pre (? Delta ) = 0) and c_B. presence and
13 ( (KIND = STRICT) or ( (KIND=NONSTRICT) and not c_A. presence ) ) ,
14 ?Delta <= sat<UMAX>(pre (? Delta ) + 1) i f
15 not Vio l a t i on and c_A. presence and not c_B. presence ,
16 ?Delta <= pre (? Delta ) − 1 i f
RR n° 7211
32 C. André
17 not Vio l a t i on and not c_A. presence and c_B. presence
18 }
19 end signal
20
21 end module
This observer module deserves explanations:
 two constants must be provided at the module instantiation: KIND and UMAX; the latter
is the expected maximal value for Delta;
 CounterType is a generic type which contains natural numbers from 0 to UMAX-1;
 Delta counts the diﬀerence on the numbers of ticks of c_a and c_b (lines 1518);
 at each instant the violation condition is tested (lines 1214);
 the value of Delta is changed only if there is no violation, this ensures that Delta is
never decremented below 0 (line 17).
 since Esterel applies strict arithmetic rules, we have to assert that Delta never exceeds
value UMAX-1, hence the use of the sat<UMAX>() predeﬁned function.
4.3.6 Equality
This clock relation is similar to the tight sub-clocking on page 30, but must be always valid:
there is no longer conditions on the birth and death of clocks.
1 module Ccsl_R_equal :
2 extends Ccsl_R_Intf ;
3 sustain Vio l a t i on i f c_A. presence xor c_B. presence
4 end module
4.3.7 Alternation
The violation conditions for the four variants of alternation are given in annex B.1. They are
speciﬁed as fsms. In Esterel they are better speciﬁed as SyncCharts. The usage of explicit
priority on transition makes the arc labels simpler. For instance, ﬁgure 29) is the syncChart
equivalent to the fsm in ﬁgure 33. Both check the strict alternation.
A generic module speciﬁes the four variants.
1 module Ccsl_R_alternates :
2 extends Ccsl_Types ;
3 extends Ccsl_R_Intf ;
4 constant KIND: Ccsl_Strictness_Kind ;
5
6 signal Turn : value bool in i t '0 in
7 loop
INRIA
CCSL Observers 33
Ccsl_R_alternates
S0 S1
A
B
A / 
Violation
B / 
Violation
1
1
2
2
Figure 29: SyncChart of the alternation observer.
8 i f pre (?Turn ) then
9 // s t a t e S1
10 i f (KIND = STRICT) or (KIND = RNS) then
11 i f
12 case c_A. presence do
13 emit Vio l a t i on
14 case c_B. presence do
15 emit Turn ( '0 )
16 end i f
17 else // (KIND = LNS) or (KIND = NONSTRICT)
18 i f
19 case c_A. presence and not c_B. presence do
20 emit Vio l a t i on
21 case c_A. presence and c_B. presence
22 case c_B. presence do
23 emit Turn ( '0 )
24 end i f
25 end i f
26 else
27 // s t a t e S0
28 i f (KIND = STRICT) or (KIND = LNS) then
29 i f
30 case c_B. presence do
31 emit Vio l a t i on
32 case c_A. presence do
33 emit Turn ( '1 )
34 end i f
35 else // (KIND = RNS) or (KIND = NONSTRICT)
36 i f
37 case not c_A. presence and c_B. presence do
38 emit Vio l a t i on
RR n° 7211
34 C. André
39 case c_A. presence and c_B. presence
40 case c_A. presence do
41 emit Turn ( '1 )
42 end i f
43 end i f
44 end i f //Turn
45 each tick
46
47 end signal
48
49 end module
This is a hand-encoded version of the syncCharts, it is easier to read than the automated
translation. Of course, such a textual version of SyncCharts is not required, the Esterel
compiler directly deals with the graphical speciﬁcation. The above textual version is just
to show how a purely textual speciﬁcation is possible. The two states S0 and S1 have been
encoded as a bool signal `Turn' initialized to '0 (line 6). The conditions are evaluated at
each instant (statement loop ... each tick, in lines 745). For each state, the outgoing
conditions are written in a decreasing order of priority (statement if case ... do end if).
The ﬁrst matching transition is taken. A case ... without a do ... means that nothing has
to be executed so that no violation is emitted and the state is left unchanged. The eﬀective
changes in state are caused by emitting the next state value (i.e., emit Turn('1) on line 41).
4.3.8 Synchronization
The violation conditions for the four variants of synchronization are given as fsms in an-
nex B.2. The following Esterel module encodes the four fsms.
1 module Ccsl_R_synchronizes :
2 extends Ccsl_Types ;
3 extends Ccsl_R_Intf ;
4 constant KIND: Ccsl_Strictness_Kind ;
5 type State = enum {S0=0, SA=1, SB=2};
6
7 signal S : State in i t S0 in
8 loop
9 i f
10 case pre (?S)=S0 do // in S0
11 i f
12 case c_A. presence and not c_B. presence do
13 emit S(SA)
14 case c_B. presence and not c_A. presence do
15 emit S(SB)
16 end i f
17 case pre (?S)=SA do // in SA
18 i f (KIND = STRICT) or (KIND = RNS) then
INRIA
CCSL Observers 35
19 i f
20 case c_A. presence do
21 emit Vio l a t i on
22 case c_B. presence do
23 emit S(S0 )
24 end i f
25 else // (KIND = NONSTRICT) or (KIND = LNS)
26 i f
27 case c_A. presence and not c_B. presence do
28 emit Vio l a t i on
29 case c_B. presence and not c_A. presence do
30 emit S(S0 )
31 end i f
32 end i f
33 case pre (?S)=SB do // in SB
34 i f (KIND = STRICT) or (KIND = LNS) then
35 i f
36 case c_B. presence do
37 emit Vio l a t i on
38 case c_A. presence do
39 emit S(S0 )
40 end i f
41 else // (KIND = NONSTRICT) or (KIND = RNS)
42 i f
43 case c_B. presence and not c_A. presence do
44 emit Vio l a t i on
45 case c_A. presence and not c_B. presence do
46 emit S(S0 )
47 end i f
48 end i f
49 end i f
50 each tick
51 end signal
52 end module
4.4 Generators
4.4.1 CCSL expressions
4.4.2 Union
1 module Ccsl_E_union :
2 port c_A: mirror C_Clock_Intf ;
3 port c_B: mirror C_Clock_Intf ;
4 port c_O: C_Clock_Intf ;
5 abort
RR n° 7211
36 C. André
6 sustain {
7 c_O. a l i v e ,
8 c_O. presence i f
9 c_A. presence or c_B. presence
10 }
11 when not (c_A. a l i v e or c_B. a l i v e )
12 end module
The union expression dies when both input clocks die.
4.4.3 Intersection
1 module Ccsl_E_inter :
2 port c_A: mirror C_Clock_Intf ;
3 port c_B: mirror C_Clock_Intf ;
4 port c_O: C_Clock_Intf ;
5 abort
6 sustain {
7 c_O. a l i v e ,
8 c_O. presence i f
9 c_A. presence and c_B. presence
10 }
11 when not (c_A. a l i v e and c_B. a l i v e )
12 end module
The inter expression dies when any input clock dies.
4.4.4 Diﬀerence
1 module Ccsl_E_minus :
2 port c_A: mirror C_Clock_Intf ;
3 port c_B: mirror C_Clock_Intf ;
4 port c_O: C_Clock_Intf ;
5 abort
6 sustain {
7 c_O. a l i v e ,
8 c_O. presence i f
9 c_A. presence and not c_B. presence
10 }
11 when not c_A. a l i v e
12 end module
The minus expression dies when the ﬁrst input clock dies.
4.4.5 As from
1 module Ccsl_E_asfrom :
2 generic constant UMAX: unsigned ;
INRIA
CCSL Observers 37
3 generic constant K: unsigned ;
4 type Unsigned_t = unsigned<UMAX>;
5 port c_A: mirror C_Clock_Intf ;
6 port c_O: C_Clock_Intf ;
7 signal Chi : value Unsigned_t in i t 0 in
8 abort
9 i f K = 0 else
10 weak abort
11 sustain
12 ?Chi <= assert<UMAX−1>(pre (? Chi ))+1 i f c_A. presence
13 when ?Chi = K
14 end i f ;
15 sustain {
16 c_O. a l i v e ,
17 c_O. presence i f c_A. presence ,
18 ?Chi <= assert<UMAX−1>(pre (? Chi ))+1 i f c_A. presence
19 }
20 when immediate not c_A. a l i v e
21 end signal
22 end module
The asfrom expression dies when the input clock dies.
4.4.6 Sup
1 module Ccsl_E_sup :
2 generic constant SMAX: unsigned ;
3 type Signed_t = unsigned<SMAX>;
4 port c_A: mirror C_Clock_Intf ;
5 port c_B: mirror C_Clock_Intf ;
6 port c_O: C_Clock_Intf ;
7 signal Delta : value Signed_t in i t 0 in
8 abort
9 sustain {
10 // changes in i n t e r n a l s t a t e
11 ?Delta <= sat<SMAX>(pre (? Delta )+1) i f
12 c_A. presence and not c_B. presence ,
13 ?Delta <= sat<SMAX>(pre (? Delta )−1) i f
14 c_B. presence and not c_A. presence ,
15 // t i c k s
16 c_O. a l i v e ,
17 c_O. presence i f (pre (? Delta ) < 0) and c_A. presence ,
18 c_O. presence i f (pre (? Delta ) > 0) and c_B. presence ,
19 c_O. presence i f (pre (? Delta ) = 0) and c_A. presence and c_B. presence
20 }
21 when immediate
22 ( (pre (? Delta < 0) and not c_A. a l i v e ) or
RR n° 7211
38 C. André
23 ( (pre (? Delta > 0) and not c_B. a l i v e )
24 end signal
25 end module
The sup expression dies when the clock with the lower index dies, i.e., a if δ < 0, or b is
δ > 0.
4.4.7 Inf
1 module Ccsl_E_inf :
2 generic constant SMAX: unsigned ;
3 type Signed_t = unsigned<SMAX>;
4 port c_A: mirror C_Clock_Intf ;
5 port c_B: mirror C_Clock_Intf ;
6 port c_O: C_Clock_Intf ;
7 signal Delta : value Signed_t in i t 0 in
8 abort
9 sustain {
10 // changes in i n t e r n a l s t a t e
11 ?Delta <= sat<SMAX>(pre (? Delta )+1) i f
12 c_A. presence and not c_B. presence ,
13 ?Delta <= sat<SMAX>(pre (? Delta )−1) i f
14 c_B. presence and not c_A. presence ,
15 // t i c k s
16 c_O. a l i v e ,
17 c_O. presence i f (pre (? Delta ) > 0) and c_A. presence ,
18 c_O. presence i f (pre (? Delta ) < 0) and c_B. presence ,
19 c_O. presence i f (pre (? Delta ) = 0) and (c_A. presence or c_B. presence )
20 }
21 when immediate not (c_A. a l i v e or c_B. a l i v e )
22 end signal
23 end module
The inf expression dies when both input clocks die.
4.4.8 Upto
1 module Ccsl_E_upto :
2 port c_A: mirror C_Clock_Intf ;
3 port c_B: mirror C_Clock_Intf ;
4 port c_O: C_Clock_Intf ;
5 i f c_A. a l i v e then
6 abort
7 sustain {
8 c_O. a l i v e ,
9 c_O. presence i f c_A. presence
10 }
11 when c_B. presence or not c_A. a l i v e
INRIA
CCSL Observers 39
12 end i f
13 end module
The upto expression dies when b ticks or a dies.
4.4.9 Await
1 module Ccsl_E_await :
2 generic constant N: unsigned ;
3 port c_A: mirror C_Clock_Intf ;
4 port c_B: mirror C_Clock_Intf ;
5 port c_O: C_Clock_Intf ;
6 i f c_A. a l i v e then
7 abort
8 abort
9 sustain c_O. a l i v e
10 when N c_A. presence ;
11 emit c_O. presence
12 // then d i e
13 when not c_A. a l i v e
14 end i f
15 end module
The await expression dies after n ticks of a or when a dies.
4.4.10 Sample
1 module Ccsl_E_sample :
2 extends Ccsl_Types ;
3
4 constant KIND: Ccsl_Strictness_Kind ;
5 port c_A: mirror C_Clock_Intf ;
6 port c_B: mirror C_Clock_Intf ;
7 port c_O: C_Clock_Intf ;
8 i f c_A. a l i v e and c_B. a l i v e then
9 signal Bw: value bool in i t '0 in
10 abort
11 sustain {
12 c_O. a l i v e ,
13 // i n t e r n a l s t a t e management
14 ?Bw <= '1 i f c_A. presence and
15 (
16 (KIND = STRICT) or
17 ( (KIND = NONSTRICT) and not c_B. presence )
18 ) ,
19 ?Bw <= '0 i f c_B. presence and
20 (
21 ( (KIND = STRICT) and not c_A. presence )
RR n° 7211
40 C. André
22 or (KIND = NONSTRICT)
23 ) ,
24 // t i c k
25 c_O. presence i f c_B. presence and
26 (
27 pre (?Bw) or
28 ( (KIND = NONSTRICT) and c_A. presence )
29 )
30 }
31
32 when not (c_B. a l i v e and (pre (?Bw) or c_A. a l i v e ) )
33 end signal
34 end i f
35 end module
The sample expression dies when b dies or when a is dead and the schedule (Bw) is empty.
4.4.11 Defer
1 module Ccsl_E_defer :
2 generic constant DELAYMAX: unsigned ;
3 type T = unsigned<DELAYMAX>;
4 type Bv_t = bool [DELAYMAX] ;
5
6 port c_A: mirror C_Clock_Intf ;
7 port c_B: mirror C_Clock_Intf ;
8 port c_O: C_Clock_Intf ;
9 input N: T;
10 constant Bw0: Bv_t = r e s i z e ( ' b0 ,DELAYMAX) ;
11
12 i f c_A. a l i v e and c_B. a l i v e then
13 signal Bw: value Bv_t in i t '0 , Update : value Bv_t in
14 abort
15 sustain {
16 c_O. a l i v e ,
17 // i n t e r n a l s t a t e management
18 ?Update <= u2onehot (?N−1,DELAYMAX) i f c_A. presence ,
19 ?Bw <= (pre (?Bw) >> 1) i f c_B. presence and
20 not c_A. presence ,
21 ?Bw <= ((pre (?Bw) >> 1) [ or ] ?Update ) i f
22 c_A. presence and c_B. presence ,
23 ?Bw <= (pre (?Bw) [ or ] ?Update ) i f
24 c_A. presence and not c_B. presence ,
25 // t i c k
26 c_O. presence i f c_B. presence and pre (?Bw[ 0 ] )
27 }
28 when not (c_B. a l i v e and ( (pre (?Bw) = Bw0) or c_A. a l i v e ) )
INRIA
CCSL Observers 41
29 end signal
30 end i f
31 end module
4.4.12 Filter
1 interface Ccsl_E_fi lteredBy_Intf :
2 generic constant SIZE : unsigned ;
3 type Bv_t = bool [ SIZE ] ;
4 input Bw: value Bv_t ;
5 port c_Super : mirror C_Clock_Intf ;
6 port c_Sub : C_Clock_Intf ;
7 end interface
1 module Ccsl_E_Pref_fi l ter :
2 generic constant PREF_SIZE: unsigned ;
3 extends Ccsl_E_fi lteredBy_Intf [
4 constant PREF_SIZE/SIZE ;
5 type PREF_Bv_t/Bv_t ] ;
6
7 i f c_Super . a l i v e then
8 abort
9 var SR: PREF_Bv_t := ?Bw in
10 trap T in
11 sustain c_Sub . a l i v e
12 | |
13 repeat PREF_SIZE times
14 await c_Super . pre sence ;
15 emit c_Sub . presence i f SR [ 0 ] ;
16 SR := SR >> 1
17 end repeat ;
18 exit T
19 end trap
20 end var
21 when not c_Super . a l i v e
22 end i f
23
24 end module
1 module Ccsl_E_Per_filter :
2 generic constant PER_SIZE: unsigned ;
3 extends Ccsl_E_fi lteredBy_Intf [
4 constant PER_SIZE/SIZE ;
5 type PER_Bv_t/Bv_t ] ;
6
7 i f c_Super . a l i v e then
8 abort
RR n° 7211
42 C. André
9 var SR: PER_Bv_t := ?Bw, Carry : bool in
10 sustain c_Sub . a l i v e
11 | |
12 loop
13 await c_Super . pre sence ;
14 Carry := SR [ 0 ] ;
15 emit c_Sub . presence i f Carry ;
16 SR := SR >> 1 ;
17 SR[PER_SIZE−1] := Carry
18 end loop
19 end var
20 when not c_Super . a l i v e
21 end i f
22
23 end module
1 module Ccs l_E_fi l ter :
2 generic constant PREF_SIZE: unsigned ;
3 generic constant PER_SIZE: unsigned ;
4 extends data Ccsl_E_fi lteredBy_Intf [
5 constant PREF_SIZE/SIZE ;
6 type Pref_Bv_t/Bv_t ] ;
7 extends data Ccsl_E_fi lteredBy_Intf [
8 constant PER_SIZE/SIZE ;
9 type Per_Bv_t/Bv_t ] ;
10
11
12 input Pref : value Pref_Bv_t ;
13 input Per : value Per_Bv_t ;
14
15 port c_Super : mirror C_Clock_Intf ;
16 port c_Sub : C_Clock_Intf ;
17
18 abort
19 // p r e f i x
20 run Ccsl_E_Pref_fi l ter [ signal Pref /Bw] ;
21 // per iod
22 run Ccsl_E_Per_filter [ signal Per/Bw]
23 when not c_Super . a l i v e
24
25 end module
The ﬁlter expression dies when the super clock dies or if the period is empty when the preﬁx
terminates.
INRIA
CCSL Observers 43
4.5 Extended observers
This sub-section shows how the library of Esterel modules can be extended. We have chosen
to illustrate this capability with the by-packet-relations. These relations are useful in Digital
Signal Processing applications (e.g., see the signal ﬁltering described in [5]). The principle
is to consider packets of ticks, instead of individual ticks. The size of the packets is a
constant.
Figure 30 represents the strict by-packet alternation where the ticks of a are grouped
together by α = 4, and the ticks of b by β = 3. This is symbolically written a/α ∼ b/β
and read a by α strictly alternates with b by β.
4α =
3β =
4α =
3β =
( ) [ ] ( )( ) [ ] [ ]( )* 4 1 3 1 3 4 1
/ 4 / 3
k A k B k B k A k
A B
∈ − + ∧ +⎡ ⎤⎣ ⎦≺ ≺
∼
N
Figure 30: Example of strict by-packet alternation relation.
To deal with the by-packet relations, we introduce two auxiliary clock expressions: ﬁrstBy
and lastBy. The associated ﬁrstBy generator ticks at the ﬁrst instant of each packet, whereas
the lastBy generator ticks at the last instant of each packet. Equations 43 and 44 specify
these clock expressions.
(∀k ∈ N?)(a. firstBy (α)[k] ≡ a[(k − 1)α+ 1]) (43)
(∀k ∈ N?)(a. lastBy (α)[k] ≡ a[kα]) (44)
They can be seen as special cases of ﬁltering (Eqs 45 and 46):(
a. firstBy (α)
)
=
(
a H
(
1.0α−1
)ω )
(45)(
a. lastBy (α)
)
=
(
a H
(
0α−1.1
)ω )
(46)
The Esterel modules (sub-section 4.5.1) implement these generators.
4.5.1 By-packet generators
1 module Ccsl_E_firstBy :
2 port c_Super : mirror C_Clock_Intf ;
3 port c_Sub : C_Clock_Intf ;
RR n° 7211
44 C. André
4 constant SIZE : unsigned ;
5
6 i f c_Super . a l i v e then
7 // a s s e r t posSIZE = (SIZE > 0) ;
8 abort
9 sustain c_Sub . a l i v e
10 | |
11 i f stat ic SIZE = 1 then
12 sustain c_Sub . presence i f c_Super . pre sence
13 else
14 await immediate c_Super . pre sence ;
15 emit c_Sub . presence ;
16 every SIZE c_Super . pre sence do
17 emit c_Sub . presence
18 end every
19 end i f
20 when not c_Super . a l i v e
21 end i f
22
23 end module
1 module Ccsl_E_lastBy :
2 port c_Super : mirror C_Clock_Intf ;
3 port c_Sub : C_Clock_Intf ;
4 constant SIZE : unsigned ;
5
6 i f c_Super . a l i v e then
7 // a s s e r t posSIZE = (SIZE > 0) ;
8 abort
9 sustain c_Sub . a l i v e
10 | |
11 i f stat ic SIZE = 1 then
12 sustain c_Sub . presence i f c_Super . pre sence
13 else
14 await immediate c_Super . pre sence ;
15 await (SIZE−1) c_Super . pre sence ;
16 loop
17 emit c_Sub . presence
18 each SIZE c_Super . pre sence
19 end i f
20 when not c_Super . a l i v e
21 end i f
22
23 end module
INRIA
CCSL Observers 45
4.5.2 By-packet alternation
...
α
...
β
...
α
al=a.lastBy( )
a
af=a.firstBy( )
b
bl=b.lastBy( )
bf=b.firstBy( )
af[1] af[2]
al[1]
bl[1]
bf[1]
a[1]
b[1]
Figure 31: Strict by-packet alternation instant ordering.
Consider relation a/α ∼ b/β. Let af , a. firstBy (α) and al , a. lastBy (α). bf and bl are
deﬁned in a similar way. Referring to ﬁgure 31, the following relations hold:
af 4 al (47)
al ≺ bf (48)
bf 4 bl (49)
bl ≺ af$1 (50)
Relations 47 and 49 are trivially true because of the total ordering over the instants of a
clock. We used the non strict precedence instead of the strict one to cover the case of a
packet of size 1 (in which case the ﬁrst and last instants of a packet are coincident). From
these relations we deduce that al strictly alternates with bf (equation 51) and af strictly
alternates with bl (equation 52).
(
bf
(49)
4 bl
) (
bl
(50)
≺ af$1) af
(47)
4 al
af$1 4 al$1
bf ≺ al$1
(
al
(48)
≺ bf)
al ∼ bf
(51)
RR n° 7211
46 C. André
(
af
(47)
4 al
) (
al
(48)
≺ bf) (bf (49)4 bl)
af ≺ bl
(
bl
(50)
≺ af$1)
af ∼ bl
(52)
Conversely, assuming af ∼= al, bf ∼= bl, al ∼ bf , and af ∼ bl, we get equa-
tions 4750. So, a / α ∼ b / β is equivalent to the conjunction of the four relations:
af ∼= al, al ∼ bf , bf ∼= bl, and af ∼ bl. The implementation of the corresponding
observer is made by instantiating the previously given Esterel module (Ccsl_R_alternates,
on page 32). For the sake of eﬃciency, the four modules can be combined into one that
implements the synchronous product of the associated fsm. Figure 41 on page 56 in Annex
B.3, is the resulting fsm.
Like alternation, the by-packet alternation has four variants:
a / α ∼ b / β ⇔ (af ∼= al) | (al ∼ bf) | (bf ∼= bl) | (af ∼ bl) (53)
a / α ∼= b / β ⇔
(
af ∼= al
) | (al ∼= bf) | (bf ∼= bl) | (af ∼ bl) (54)
a / α =∼ b / β ⇔
(
af ∼= al
) | (al ∼ bf) | (bf ∼= bl) | (af =∼ bl) (55)
a / α =∼= b / β ⇔
(
af ∼= al
) | (al =∼= bf) | (bf ∼= bl) | (af =∼= bl) (56)
The corresponding fsms are provided in Annex B.3.
4.5.3 By-packet synchronization
The extension of synchronization to by-packet synchronization follows the same approach as
for alternation. We just give an illustration of strict by-packet synchronization (ﬁgure 32).
4α =
3β =
4α =
3β =
( ) [ ] [ ]( ) [ ] [ ]( )* 4 3 1 3 4 1
/ 4 / 3
k A k B k B k A k
A B
∈ + ∧ +≺ ≺N
3β = 3β =
4α = 4α =

Figure 32: Example of strict by-packet synchronization relation.
Consider relation a/α ./ b/β. Let af , a. firstBy (α) and al , a. lastBy (α). bf and bl
are deﬁned in a similar way. The following relations hold:
INRIA
CCSL Observers 47
af 4 al (57)
al ≺ bf$1 (58)
bf 4 bl (59)
bl ≺ af$1 (60)
Remind that a ./ b =
(
a ≺ b$1) | (b ≺ a$1). From equations 57 to 60 we deduce
af ./ bf (Eq 61) and al ./ bl (Eq 62).
(
af
(57)
4 al
) (
al
(58)
≺ bf$1)
af ≺ bf$1
(
bf
(59)
4 bl
) (
bl
(60)
≺ af$1)
bf ≺ af$1
af ./ bf
(61)
(
al
(58)
≺ bf$1) bf (59)4 bl
bf$1 4 bl$1
al ≺ bl$1
(
bl
(60)
≺ af$1) af (57)4 al
af$1 4 al$1
bl ≺ al$1
al ./ bl
(62)
Hence, a / α ./ b / β is the conjunction of four relations: af ∼= al, af ./ bf ,
bf ∼= bl, and al ./ bl. The implementation of the corresponding observer is made by
instantiating the Esterel modules Ccsl_R_alternates and Ccsl_R_synchronizes. The three
other variants of the by-packet synchronization are left as exercises for the reader.
5 Future work
The continuation of this work is twofoldto consolidate the semantics of ccsl, and to apply
the ccsl observer techniques to other languages.
Semantics
In section 2 we have given mathematical characterizations of ccsl relations and expressions.
On the other hand, in section 3, we started with the structural operation semantics of ccsl,
which has been introduced in a previous report [3], to determine the violation conditions of
ccsl constraints. The formal link between the ﬁrst (denotational) semantics and the second
(operational) semantics of ccsl is still to be established.
The concepts of birth and death of a clock have also to be formally introduced in both
semantics. The operational semantics has a form of death through its rewriting rules (when
RR n° 7211
48 C. André
an expression is rewritten as 0). However the propagation of death through constraints,
which is eﬀectively used in several modules of section 4, has not been formally speciﬁed yet.
A third necessary improvement in ccsl is the introduction of local clock constraints.
The relation tight subclocking on page 7 and the expression As from on page 13 were not
deﬁned in the original operational semantics. They have been introduced to open the way
to local clock constraints.
Libraries for observers
Section 3 has explained how to build ccsl observers, generators, and adaptors for any ccsl
constraints. A comprehensive library of Esterel modules has been provided in section 4.
Esterel relies on the perfect synchrony hypothesis. As a consequence, this language has a
well-deﬁned notion of instant, and at each reaction, any signal has a unique status. This is
not the case with non-strictly synchronous languages. Languages with micro-step semantics,
like vhdl or systemC, have a notion of (simulation) instant, but an instant may consist of
several δ-cycles. The status of a signal may diﬀer at two δ-cycles of the same simulation
instant. This may lead to false-violations. So, δ-delay insensitive observers and generators
must be implemented. Such a library for ccsl observers/generators in vhdl will be released
soon.
References
[1] OMG. UML Proﬁle for MARTE, v1.0. Object Management Group, November 2009.
Document number: formal/2009-11-02.
[2] C. André, F. Mallet, and R. de Simone. Modeling time(s). In G. Engels, B. Opdyke, D.
C. Schmidt, and F. Weil, editors, MoDELS, volume 4735 of Lecture Notes in Computer
Science, pages 559573. Springer, 2007.
[3] Charles André. Syntax and semantics of the clock constraint speciﬁcation language
(CCSL). Research Report 6925, INRIA, 05 2009.
[4] Frédéric Mallet, Marie-Agnès Peraldi-Frati, and Charles André. Marte CCSL to execute
East-ADL timing requirements. In ISORC [18], pages 249253.
[5] Charles André and Frédéric Mallet. Speciﬁcation and veriﬁcation of time requirements
with CCSL and esterel. In LCTES, pages 167176. ACM, June 2009.
[6] F. Boussinot and R. De Simone. The esterel language. Proceeding of the IEEE,
79(9):12931304, September 1991.
[7] Gérard Berry. The Esterel Language Primer, version v5_91. Ecole des Mines de Paris,
CMA, INRIA, July 2000.
INRIA
CCSL Observers 49
[8] N. Halbwachs. Synchronous Programming of Reactive Systems. Kluwer Academic Pub-
lishers, Amsterdam, 1993.
[9] A. Benveniste, P. Caspi, S. Edwards, N. Halbwachs, P. Le Guernic, and R. de Simone.
The synchronous languages twelve years later. Proceedings of the IEEE, 91(1):6483,
2003.
[10] Nicolas Halbwachs, Fabienne Lagnier, and Pascal Raymond. Synchronous observers
and the veriﬁcation of reactive systems. In AMAST '93: Proceedings of the Third In-
ternational Conference on Methodology and Software Technology, pages 8396, London,
UK, 1994. Springer-Verlag.
[11] Leslie Lamport. Time, clocks, and the ordering of events in a distributed system.
Commun. ACM, 21(7):558565, 1978.
[12] A. Benveniste and G. Berry. The synchronous approach to reactive and real-time
systems. Proceeding of the IEEE, 79(9):12701282, September 1991.
[13] C. André, F. Mallet, and M.-A. Peraldi-Frati. A multiform time approach to real-
time system modeling: Application to an automotive system. In Universidade Nova
de Lisboa, editor, Int. Symp. on Industrial Embedded Systems, pages 234241, Lisboa,
Portugal, July 2007. IEEE.
[14] Frédéric Mallet and Charles André. On the semantics of UML/marte clock constraints.
In ISORC [18], pages 305312.
[15] Charles André and Frédéric Mallet. Clock constraint speciﬁcation language in UML/-
MARTE CCSL. Research Report 6540, INRIA, 05 2008.
[16] Charles André and Frédéric Mallet. Modèles de contraintes temporelles pour systèmes
polychrones. JESA, 43(789):725739, 2009.
[17] W. Reisig. Petri nets: an introduction. Monograph on Theoretical Computer Science.
Springer-Verlag, Berlin, 1985.
[18] IEEE. 12th IEEE Int. Symp. on Object-Oriented Real-Time Distributed Computing
(ISORC 2009). IEEE Computer Society, March 2009.
RR n° 7211
50 C. André
A Binary Words
A.1 Finite/inﬁnite binary words
Deﬁnition A.1 (Set of bit values). B = {0, 1}.
Deﬁnition A.2 (Finite binary word). A ﬁnite binary word is a word of (0 + 1)∗.
Deﬁnition A.3 (Inﬁnite binary word). An inﬁnite binary word is a word of (0 + 1)ω.
Deﬁnition A.4 (Periodic binary word). A periodic binary word is an inﬁnite binary word
deﬁned by the following grammar:
w ::= u (v)
ω
u ::= ε | 0 | 1 | 0 • u | 1 • u
v ::= 0 | 1 | 0 • v | 1 • v
(63)
u is called the preﬁx of w, v is the period of w, and (v)
ω
= limn v
n denotes the inﬁnite
repetition of v. ε is the empty binary word. In order to avoid confusion between parentheses
denoting periodic binary words and usual parentheses, the former are colored red. The
associated ω symbol is also red.
For convenience, we adopt a power notion for repeated bits:
bn = b • bn−1 (b ∈ B, n ∈ N?)
b0 , ε
(64)
A periodic binary word with an empty preﬁx is called a strictly periodic binary word
(w = (v)
ω
).
A periodic binary word has inﬁnitely many representations:
Let b ∈ B, u, v ∈ B∗, u • b (v • b)ω = u (b • v)ω (65)
Notation A.1 (Length of a binary word). |w| denotes the length of the binary word w.
Notation A.2. |w|b denotes the number of bits set to b ∈ B in the binary word w.
Notation A.3. w [k] denotes the kth bit of the binary word w.
Notation A.4. w[k..l] denotes the (sub) binary word from w starting at the kth bit upto the
lth bit included.
Notation A.5. w[k..] denotes the (sub) binary word from w starting at the kth bit. Possibly
inﬁnite.
INRIA
CCSL Observers 51
A.2 Operations on binary words
Deﬁnition A.5 (Number of 1 upto k). w ↓ k denotes the number of 1 upto the kth bit
included in the binary word w.
w ↓ k , |w[1..k]|1 (66)
Let k ∈ N?, b ∈ B, w a binary word
w ↓ 0 , 0
b • w ↓ k = b+ (w ↓ (k − 1))
(67)
Deﬁnition A.6 (Index of the kth one). w ↑ k denotes the index of the kth one in the binary
word w.
w ↑ k , j ∈ N? such that w[j] = 1 ∧ (w ↓ j = k) (68)
Let k ∈ N?, w a binary word
w ↑ 0 , 0
w ↑ k , ω if |w|1 < k
(1 • w) ↑ k = 1 + w ↑ (k − 1)
(0 • w) ↑ k = 1 + w ↑ k
(69)
Deﬁnition A.7 (Binary word composition). For any two binary words w1 and w2, the
binary word composition (◦ operator) is deﬁned as follows:
(0 • w1) ◦ w2 = 0 • (w1 ◦ w2)
(1 • w1) ◦ (b • w2) = b • (w1 ◦ w2) (for b ∈ B)
(0 • w1) ◦ ε = 0 • (w1 ◦ ε)
(1 • w1) ◦ ε = ε
ε ◦ w2 = ε
(70)
Properties:
|w1 ◦ w2| = min{|w1| , w1 ↑ (|w2| + 1)− 1} (71)
Deﬁnition A.8 (Binary word union). For any two binary words w1 and w2, the binary
word addition (+ operator) is deﬁned as follows:
(b1 • w1) + (b2 • w2) = (b1 or b2) • (w1 + w2)
ε + w = w
w + ε = w
ε + ε = ε
(72)
RR n° 7211
52 C. André
Deﬁnition A.9 (Binary word shift left). For any binary word w, the binary word shift left
( operator) is deﬁned as follows:
ε 1 = ε
(b.w) 1 = w (73)
B Observer speciﬁcations
The detection of a violation by an observer is considered as an error, and the analysis is
stopped. So, there is no need for the violation state; emitting the output signalV is suﬃcient.
In the fsm given in this annex, the sink state has been removed, and for each violation
transition, its source and target states are the same. A further simpliﬁcation consists in
removing any transition having the same source and target state, but not emitting the
violation signal. For instance in ﬁgure 34, the transition from S0 to itself, and labeled by
a.b has been omitted.

For all state machines contained in this section, all non explicit variable expressions
trigger a loop transition (same source and target state).
B.1 Alternation
Strict alternation
a / Vb / V
S0 S1
( ) [ ] [ ] [ ]* (salt)1k a k b k a k∈ +≺ ≺N
a.b’
a'.b
Figure 33: fsm detecting the violation of the strict alternation relation.
INRIA
CCSL Observers 53
Right non strict alternation
( ) [ ] [ ] [ ]* (rnsalt)1k a k b k a k∈ +≺YN
a / Va’.b / V
S0 S1
a.b’
a'.b
Figure 34: fsm detecting the violation of the right non strict alternation relation.
Left non strict alternation
( ) [ ] [ ] [ ]* (lnsalt)1k a k b k a k∈ +≺ YN
a.b’ / Vb / V
S0 S1
a.b’
a'.b
Figure 35: fsm detecting the violation of the left non strict alternation relation.
RR n° 7211
54 C. André
Non strict alternation
( ) [ ] [ ] [ ]* (nsalt)1k a k b k a k∈ + N
a’.b / V
S0 S1
a.b’ / V
a.b’
a'.b
Figure 36: fsm detecting the violation of the non strict alternation relation.
B.2 Synchronization
Strict synchronization
SA SB
b.a’
S0
a.b’
a / V b / V
( ) [ ] [ ]( ) [ ] [ ]( )* 1 1k a k b k b k a k∈ + ∧ +≺ ≺N
a'.b a.b’
Figure 37: fsm detecting the violation of the strict synchronization relation.
INRIA
CCSL Observers 55
Right non strict synchronization
( ) [ ] [ ]( ) [ ] [ ]( )* 1 1k a k b k b k a k∈ + ∧ +≺YN
SA SB
b.a’
S0
a.b’
a.b’a'.b
a / V a'.b / V
Figure 38: fsm detecting the violation of the right non strict synchronization relation.
Left non strict synchronization
SA SB
b.a’
S0
a.b’
a.b’a'.b
a.b’ / V b / V
( ) [ ] [ ]( ) [ ] [ ]( )* 1 1k a k b k b k a k∈ + ∧ +≺ YN
Figure 39: fsm detecting the violation of the left non strict synchronization relation.
RR n° 7211
56 C. André
Non strict synchronization
( ) [ ] [ ]( ) [ ] [ ]( )* 1 1k a k b k b k a k∈ + ∧ +Y YN
SA SB
b.a’
S0
a.b’
a.b’a'.b
a.b’ / V a'.b / V
Figure 40: fsm detecting the violation of the non strict synchronization relation.
B.3 By-packet Alternation
Strict alternation
S0 S1
af.al’.bf’.bl’
bf+bl+af’.al
/V
S3 S2
af+bf+bl
/V
af’.al.bf’.bl’
a
f’.a
l’.b
f.b
l
af+al+bf’.bl
/V
af’.al’.bf’.bl
af’.al’.bf.bl’
a
f.a
l.b
f’.b
l’
af+al+bf
/V
Figure 41: fsm detecting the violation of the by-packet strict alternation relation.
INRIA
CCSL Observers 57
Right non strict alternation
S0 S1
af.al’.bf’.bl’
bl+al’.bf+af’.al
/V
S3 S2
af+bf’.bl+al’.bf
/V
a
f’.a
l.b
f’.b
l’
a
f’.a
l’.b
f.b
l
af+al+bf’.bl
/V
a
f ’
. a
l ’
. b
f ’
. b
l
af’.al’.bf.bl’
a
f.a
l.b
f’.b
l’
af+al+bf
/V
af'.al.bf.bl
a
f .
a
l .
b
f .
b
l ’
a
f'.
a
l.b
f.
b
l’
Figure 42: fsm detecting the violation of the by-packet right non strict alternation relation.
Left non strict alternation
S0 S1
af.al’.bf’.bl’
bf+bl+af’.al
/V
S3 S2
af+bf+bl
/V
a
f’.a
l.b
f’.b
l’
a
f’.a
l’.b
f.b
l
al+af.bl’+bf’.bl
/V
a
f ’
. a
l ’
. b
f ’
. b
l
af’.al’.bf.bl’
a
f.a
l.b
f’.b
l’
bf+af.bl’+af’.al
/V
af.al.bf’.bl
a
f.a
l’.b
f.b
l
a
f.
a
l’.
b
f’.
b
l
Figure 43: fsm detecting the violation of the by-packet left non strict alternation relation.
RR n° 7211
58 C. André
Non trict alternation
S0 S1
af.al’.bf’.bl’
bf’.bl+al’.bf+af’.al
/V
S3 S2
af+bf’.bl+al’.bf
/V
a
f’.a
l.b
f’.b
l’
a
f’.a
l’.b
f.b
l
af.bl’+af’.al+bf’.bl
/V
a
f ’
. a
l ’
. b
f ’
. b
l
af’.al’.bf.bl’
a
f.a
l.b
f’.b
l’
bf+af.bl’+af’.al
/V
af'.al.bf.bl
af.al.bf’.bl
a
f .
a
l .
b
f .
b
l ’ a
f.a
l’.b
f.b
l
af
.a
l’.b
f’.
bl
af
'.a
l.b
f.b
l’
Figure 44: fsm detecting the violation of the by-packet non strict alternation relation.
INRIA
CCSL Observers 59
Contents
1 Introduction 3
2 Clock Constraint Speciﬁcation Language 4
2.1 Multiform logical time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Clock constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4 Clock relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.5 Clock expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 Observers 19
3.1 Veriﬁcation by observers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2 Principle of the implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.3 Observers of clock relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.4 Generators for clock expressions . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.5 Adaptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4 Esterel implementation 28
4.1 Data and interface units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.2 Adaptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.3 Observers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.4 Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.5 Extended observers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5 Future work 47
A Binary Words 50
A.1 Finite/inﬁnite binary words . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
A.2 Operations on binary words . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
B Observer speciﬁcations 52
B.1 Alternation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
B.2 Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
B.3 By-packet Alternation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
RR n° 7211
Unité de recherche INRIA Sophia Antipolis
2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)
Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes
4, rue Jacques Monod - 91893 ORSAY Cedex (France)
Unité de recherche INRIA Lorraine : LORIA, Technopôle de Nancy-Brabois - Campus scientifique
615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)
Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)
Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)
Unité de recherche INRIA Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr
ISSN 0249-6399
