

# **Delay-insensitive communication**

*Citation for published version (APA):* Schols, H. M. J. L. (1992). *Delay-insensitive communication*. [Phd Thesis 1 (Research TU/e / Graduation TU/e), Mathematics and Computer Science]. Technische Universiteit Eindhoven. https://doi.org/10.6100/IR387170

DOI: 10.6100/IR387170

# Document status and date:

Published: 01/01/1992

#### Document Version:

Publisher's PDF, also known as Version of Record (includes final page, issue and volume numbers)


# Delay-insensitive Communication

Huub Schols

Copyright © Huub M.J.L. Schols, 1992

Copying without fee is permitted provided that the copies are not made or distributed for direct commercial advantage, and credit to the source is given. Abstracting with credit is permitted. To copy otherwise, or republish, requires written authorization by Huub M.J.L. Schols.

# Delay-insensitive Communication

# DISSERTATION

submitted in fulfilment of the requirements for the degree of doctor at the Technische Universiteit Eindhoven, on the authority of the Rector Magnificus, prof. dr. J.H. van Lint, to be defended in public before a committee appointed by the College van Dekanen (Board of Deans) on Wednesday 9 December 1992 at 14.00

BY

Hubert Marie Jean Louis Schols

born in Amby

# This dissertation has been approved by the supervisors

prof. dr. M. Rem

en

prof. C.E. Molnar, Sc. D.

to my friends

If the car industry behaved like the computer industry over the last 30 years, a Rolls-Royce would cost \$5, get 300 miles per gallon, and blow up once a year killing all passengers inside.

origin unknown

# Acknowledgments

The author thanks the members of the Institute for Biomedical Computing of Washington University in St. Louis for their contributions to his understanding of the material in this monograph; in particular the intense and enthusiastic co-operation of Charles E. Molnar has sharpened many ideas and has been very stimulating during the development of the theory presented. Furthermore, the author gratefully acknowledges the discussions with and suggestions from Martin Rem, Ting-Pien Fang, Jan Tijmen Udding, Alain Martin, Jan van de Snepscheut, Jo Ebergen, Wilbert Körver, Tom Verhoeff, Frans Kruseman Aretz, and Cees Jan Koomen. Thanks also go to the members of the Department of Computer Science of Washington University, particularly Jerome R. Cox jr. and Takayuki (Dan) Kimura, to Alain Martin and his graduate students for their helpful criticisms and suggestions at several presentations of parts of this material, to Mohammed Gouda, and to the members of the Eindhoven VLSI club for their criticisms on this material. Furthermore, the author thanks Occo Nolf for pointing out many typographical errors in the final draft of this monograph.


# Contents

- Acknowledgments
- Contents
- 0 Introduction
  - 0.0 Synchronous and asynchronous
    - 0.0.0 Asynchronous communication
    - 0.0.1 Communication Model
    - 0.0.2 Computation interference hazard
  - 0.1 Subsequent chapters
  - 0.2 Denotations in the English language
  - 0.3 Notions related to "asynchronous"
  - 0.4 Delay-insensitivity
  - 0.5 Proofs
- 1 Formalism and notation
  - 1.0 Sets
  - 1.1 Operators
    - 1.1.0 Priority of operators
  - 1.2 Quantification
  - 1.3 Denotation of proofs
  - 1.4 Trace theory
    - 1.4.0 Basic notions of trace theory
    - 1.4.2 State graphs
- 2 Communication Model
  - 2.0 Definition of Communication Model
    - 2.0.0 Commports
    - 2.0.1 Comminsts and commsigs
    - 2.0.2 Comminstorders and commsigorders
    - 2.0.3 Iodirs and modules
    - 2.0.4 Opdirs and interconnections
  - 2.1 Interpretation of Communication Model
    - 2.1.0 Commports
    - 2.1.1 Comminsts
    - 2.1.2 Comminstorders
    - 2.1.3 Modules
      - 2.1.3.0 Connected modules
    - 2.1.4 Commsigs
    - 2.1.5 Commsigorders
    - 2.1.6 Interconnections
      - 2.1.6.0 Interconnection between two modules
    - 2.1.7 Overview of interpretative issues
    - 2.1.8 Notational convention
  - 2.2 Introduction of trace theory in our Communication Model
    - 2.2.0 Commports, comminsts, and comminstorders
    - 2.2.1 Commsigs and commsigorders
    - 2.2.2 Opdirs and iodirs
    - 2.2.3 Components
      - 2.2.3.0 Enabling and disabling
    - 2.2.4 Channels
    - 2.2.5 Comparison with the use of directed trace structures
  - 2.3 Examples of components
  - 2.4 Event-based model
- 3 Computation interference hazard
  - 3.0 Hazards
  - 3.1 Connected components
  - 3.2 Absence of computation interference hazard
    - 3.2.0 Direct connection
    - 3.2.1 Acceptance of commsigs
  - 3.3 Transformation into computation interference hazard
    - 3.3.0 The technique
    - 3.3.1 Example of transformation technique
      - 3.3.1.0 Ambiguous quiescence hazard
      - 3.3.1.1 Transformation of ambiguous quiescence hazard
      - 3.3.1.2 Examples
- 4 Communicating delay-safely
  - 4.0 Composability
    - 4.0.0 Composability diagram
    - 4.0.1 Properties of composability
    - 4.0.2 Composability versus independence of comminsts
  - 4.1 Communication in channels
    - 4.1.0 Delay-safe channels
    - 4.1.1 Delay-safe closure
  - 4.2 Communication behavior of components
    - 4.2.0 Computation interference hazard
    - 4.2.1 Delay-safe enclosure
    - 4.2.2 Properties of delay-safe enclosure
      - 4.2.2.0 Computation interference hazard
      - 4.2.2.1 Trace structure inclusion
      - 4.2.2.2 Regularity and choice
    - 4.2.3 Behavior of delay-safely communicating components
    - 4.2.4 Impact of delay-safe communication on components
    - 4.2.5 'Off-the-shelf' mechanisms
- 5 Communicating delay-insensitively
  - 5.0 Communication in channels
  - 5.1 Communication behavior of components
    - 5.1.0 Transformation into computation interference hazard
      - 5.1.0.0 Initializability
      - 5.1.0.1 Delay-insensitive enclosure
      - 5.1.0.2 Properties of delay-insensitive enclosure
      - 5.1.0.3 Behavior of delay-insensitively communicating components
    - 5.1.1 'Off-the-shelf' mechanisms
- 6 Composition
  - 6.0 Connection of components
    - 6.0.0 External input and output
    - 6.0.1 General composability
      - 6.0.1.0 Relation to composability
      - 6.0.1.1 General composability diagram
  - 6.1 Composition without computation interference hazard
    - 6.1.0 Combining two connected components
    - 6.1.1 Absence of computation interference hazard
    - 6.1.2 Hiding the internal communication
    - 6.1.3 Composite of two components
    - 6.1.4 Examples
    - 6.1.5 Interpretation of the composition method
  - 6.2 Composition without transmission interference hazard
    - 6.2.0 Transformation into computation interference hazard
    - 6.2.1 Condition for composition
    - 6.2.2 Composite of two components
  - 6.3 Decomposition
  - 6.4 Other correctness concerns
- 7 Concluding remarks
  - 7.0 Formal definitions of delay-insensitive
    - 7.0.0 Relation between self-timed and delay-insensitive
    - 7.0.1 Modular approach to delay-insensitivity
    - 7.0.2 Delay-safety and delay-insensitivity
    - 7.0.3 Fairness and delay-insensitivity
    - 7.0.4 Testing for delay-insensitivity
  - 7.1 Topics for further research
- Appendix A Proofs
  - A.3 Computation interference hazard
  - A.4 Communicating delay-safely
  - A.5 Communicating delay-insensitively
- References
- Glossary of symbols and operators
- Subject index
- Summary
- Samenvatting (summary in Dutch)
- Curriculum vitae


# 0 Introduction

In the middle of the 20th century Huffman, cf. [Huffman 54], and Muller and Bartky, cf. [Muller – Bartky 59], started to develop theories for designing asynchronous circuits. Since then, interest in asynchronous design has been confined to just a few places. Only in the last decade has asynchronous design become a topic of general interest, cf. [Barney 85], culminating in Sutherland's Turing Award lecture, see [Sutherland 89], and spreading over many research institutes since then.

# 0.0 Synchronous and asynchronous

In this section we indicate how we interpret the terms "synchronous" and "asynchronous". These interpretations are inspired by [Molnar92].

The terms "synchronous" and "asynchronous" have been used with different meanings in different contexts. As applied to circuits, the terms have generally distinguished those

that employ a "clock signal" that serves as a reference to separate consecutive circuit states from one another

from those

that do not make use of such a signal, but that define states in terms of input values and internal actions that result in changes of circuit conditions.

Some circuits, such as those designed with "fundamental mode" restrictions on the changes of input values, may be interpreted either way. As applied to communications rather than circuits, the term "synchronous" has been used to mean that the sending and the reception of a communication signal are regarded as the same event. In the case of CSP, cf. [Hoare 85], there is an even stronger requirement that both "sender" and "receiver" must agree upon a communication signal, and hence that there is no distinction between sender and receiver. In a more general case, the term "synchronous" has been taken to mean that there is no delay between the sending of a signal and its reception, or, more abstractly, that the actions of sending and receiving a particular signal each stand in precisely the same ordering relation to other signaling actions. In comparison, "asynchronous" communication signals have distinct sending and receiving actions associated with them, which, in general, have different ordering relations to other signaling actions. In other words, there may be a non-zero delay between the sending of an asynchronous communication signal and its arrival at the receiver.

The different usages of the terms "synchronous" and "asynchronous" have arisen in the context of, on the one hand, circuit design and, on the other hand, abstract process communication models. They threaten no confusion when used exclusively within these distinct domains. Opportunities for severe confusion arise when these domains overlap, as they do in the discussion of the design of circuits to implement structures that are defined in the language and formalism of communication models, as in this monograph.

At this point we want to distinguish and discuss three kinds of communication:

- (i) The sending of a communication signal and its arrival are not identified; there is a condition that the arrival of such a signal must not precede the sending of this signal. The sender alone controls if and when a signal is sent.
- (ii) The sending of a communication signal and its arrival are identified; the sending and arrival actions of each communication signal are identically ordered with respect to all other actions. The sender alone controls if and when a signal is sent.
- (iii) The sending of a communication signal and its arrival are identified; the sending and arrival actions of each communication signal are identically ordered with respect to all other actions. Both sender and receiver jointly control if and when such a joint action occurs. As a consequence, there is no difference in the role of "sender" and "receiver".

There may exist general agreement that (i) and (iii) are in the categories "asynchronous communication" and "synchronous communication", respectively; however, (ii) might be classified either way. In this monograph we discuss communication in a physical context. We consider (ii) to be in the category "synchronous communication"; the connection between components that model mechanisms that communicate as described by (ii) is called *direct*. Furthermore, the connection between components that model mechanisms that communicate as described by (i) is called *indirect*. In the kind of communication described by (iii) sender and receiver share the control over whether and, if so, when a joint action occurs; we consider this to constitute a higher-level communication primitive that falls outside the scope of this monograph.

# 0.0.0 Asynchronous communication

There exist various reasons why one may be interested in asynchronous communication. Here, we mention scaling, variable or unknown delays, and metastability.

When integrating circuits at an increasingly larger scale, delays in the interconnections between the switching elements tend to increase relative to the delays in the switching elements, cf. [Seitz 80, van de Snepscheut 85]. In order to obtain considerable freedom for placement and routing, we are interested in separating the functional and geometrical design tasks. This can be established by designing circuits that behave correctly independent of the size of the delays. This goal is pursued in the area "delay-insensitive communication" within the discipline "asynchronous communication design".

Another source of motivation for studying delay-insensitive communication is the occurrence of metastable behavior in digital circuits. We consider a system that has a continuous state space with at least two stable states and at least one unstable state. The system will converge to one of its stable states. Which stable state the system will end up in depends on the initial condition. For such a system and a given finite interval of time, there exists an initial condition such that the system does not reach any stable state within this interval. This phenomenon is called *metastability*. Chaney and Molnar, cf. [Chaney – Molnar 73], presented experimental evidence showing metastable behavior in digital circuits. Hurtado, cf. [Hurtado 75], argued that metastable behavior is an important and intrinsic issue; therefore we mention it next to (other) variable delays, see also [Kleemann – Cantoni 87].
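The claim in the previous paragraph, that for any finite interval there is an initial condition whose trajectory is still undecided at the end of it, can be checked numerically on a toy bistable system. The Python below is an added example written for this page and is not part of the monograph; the equation dx/dt = x - x^3 (stable states +1 and -1, unstable state 0), the forward-Euler integration, the settling tolerance `eps` and the halving search for an unsettled start are all assumptions chosen for illustration, and the model is a caricature rather than a description of the circuits measured by Chaney and Molnar.

```python
"""Settling time of a bistable system as a function of its initial condition.

Assumed toy model: dx/dt = x - x**3.  The fixed points are x = -1 and x = +1
(stable) and x = 0 (unstable).  A trajectory that starts close to 0 lingers
near it before committing to one side; the closer the start, the longer it
lingers.  This is the one-dimensional caricature of a flip-flop caught
between its two stable states.
"""


def settle_time(x0, eps=0.01, dt=1e-3, t_max=20.0):
    """Integrate from x(0) = x0 with forward Euler.

    Returns the first time t at which |x| is within eps of a stable state,
    or None if that has not happened by t_max (i.e. the system is still
    metastable at the end of the interval).
    """
    x, t = float(x0), 0.0
    while t < t_max:
        if abs(abs(x) - 1.0) < eps:
            return t
        x += dt * (x - x ** 3)
        t += dt
    return None


def unsettled_initial_condition(t_max, start=0.5):
    """Find an initial condition that has not settled by t_max.

    Halves x0 (moving it toward the unstable state 0) until the trajectory
    is still undecided at t_max.  That such an x0 always exists is the
    constructive content of the metastability claim; floating point, not the
    mathematics, is what eventually limits the search.
    """
    x0 = start
    while settle_time(x0, t_max=t_max) is not None:
        x0 /= 2.0
        if x0 < 1e-300:
            raise RuntimeError("underflow before an unsettled start was found")
    return x0


if __name__ == "__main__":
    for x0 in (0.5, 0.1, 0.01, 1e-4, 1e-8):
        print(f"x0={x0:<8g} settles after t={settle_time(x0)}")
    for horizon in (5.0, 10.0, 20.0):
        x0 = unsettled_initial_condition(horizon)
        print(f"horizon {horizon:>4}: x0={x0:.3g} is still undecided at t={horizon}")
```

For this model the settling time grows roughly like ln(1/x0), so every factor of ten closer to the unstable state costs a fixed additional wait; no finite timeout can bound it for all starts, which is why a synchronizer that samples an asynchronous input on a clock edge can only make the failure probability small, never zero.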

Furthermore, asynchronous communication can be used as a model for the communication in distributed systems, e.g. transputers, Cosmic Cubes, cf. [Seitz 85, Dally-Seitz 86], or the FFP-machine, cf. [Mago 85]. Asynchronous communication can also be used in an interface between internally synchronous parts.

In this monograph we address communication between mechanisms. Mechanisms communicate by sending and receiving (physical) signals. We treat communication between mechanisms that are modeled to have an indirect connection. This results in the formal definitions of delay-safe and delay-insensitive communication. Our notion of delay-safe (and also delay-insensitive) communication takes the delay between the sending and the reception of each such signal to be unknown and non-negative.

# 0.0.1 Communication Model

We introduce the formal Communication Model. In the Communication Model we use trace theory as a tool. The trace theory formalism has been developed at Eindhoven University of Technology by Rem and others, cf. [Rem 85, Rem – van de Snepscheut – Udding 83, van de Snepscheut 85, Kaldewaij 86]. The interpretation of trace theory in the Communication Model yields a formalization of delay-safe (and delay-insensitive) communication. Our research is concerned with three topics:

- delay-safe communication,
- delay-insensitive communication, and
- absence of computation interference hazard.

We address these topics at three levels:

- the relation between the Communication Model and the underlying physics,
- notions in the Communication Model and the relations between them, and
- the use of the trace theory formalism in the Communication Model.

Although we like to play formal games, the formal game presented in this monograph has been inspired by physical problems. We think that the material presented in this monograph may be a helpful tool for designers who are concerned with asynchronous communication; we show the limitations of delay-safe and delay-insensitive communication. Furthermore, our work provides a starting point for the integration of synchronous communication design and asynchronous communication design.

# 0.0.2 Computation interference hazard

Molnar and Fang pointed out that a specification of the mechanism to be designed should not only be interpreted as a specification for the mechanism itself, but that, in general, such a specification also puts restrictions upon the communication between the mechanism and its environment, see [Molnar – Fang 83]. Our study of asynchronous communication has revealed the need to distinguish between the reception (arrival) of a signal and its acceptance. The arrival of a signal at a moment at which it cannot be accepted by a mechanism is called "computation interference". The danger that this might happen is called computation interference <u>hazard</u>. The correctness concern "absence of computation interference hazard" is the basic correctness concern in this monograph. The distinction between the "reception" and "acceptance" of a signal provides the context that is needed for the discussion of computation interference hazard. Computation interference hazard originally emerged within the context of "asynchronous communication". Separating the correctness concern from this context has enabled us to address synchronous as well as asynchronous communication, using direct and indirect connections respectively, within one formal framework: our Communication Model.

# 0.1 Subsequent chapters

In chapter 1 we present some tools that we use in this monograph. The Communication Model is presented in chapter 2. We use the word "model" to relate notions in our Communication Model to notions in the underlying physics. Our Communication Model provides a clear separation between the interpretation of physical issues and the formalism. We distinguish between the communication behavior of a module and the communication of an interconnection. Furthermore, we introduce abstractions: we define components as equivalence classes of modules and we define channels as equivalence classes of interconnections. We address computation interference hazard in chapter 3. Absence of computation interference hazard being our basic correctness concern, we present a technique to transform other correctness concerns into absence of computation interference hazard. In chapter 4 we are concerned with delay-safe communication; absence of computation interference hazard is the correctness concern. In this chapter we focus on the communication behavior of mechanisms that communicate in a delay-safe way. Within the context of delay-safe communication, we address in chapter 5 an additional correctness concern, viz. absence of transmission interference hazard. Transmission interference hazard models the possibility that some signals interfere with each other. The communication is delay-insensitive if and only if the communication is delay-safe and there is no transmission interference hazard. In chapter 6 we address composition and decomposition. We present necessary and sufficient conditions for composition under some given correctness concerns and a method to calculate the composition under these conditions. In this chapter we are concerned with connections that are partially direct and partially indirect. Within our study at the level of process communication, an indirect connection between components models a connection that allows delays of unknown size in the signals exchanged between mechanisms, whereas a direct connection between components models a connection that allows only zero delays in those signals. Both direct and indirect connections are discussed in chapter 6. We present a relation between our research and the work of others in chapter 7; there, we also give some concluding remarks and we pinpoint some topics for future research.

# 0.2 Denotations in the English language

We use double quotes to indicate that we refer to the enclosed passage as a concept, not as a part of the sentence. Single quotes are used to indicate that we are skeptical about the enclosed passage. We use underlining to stress a part of a sentence. Italics are used to indicate the first appearance and/or definition of a formal notion in this monograph.

We also use italics to distinguish the formal objects from the words in the English language; furthermore, boldface printing is used to indicate formal operators.

# 0.3 Notions related to "asynchronous"

In this section we present terms that have been used in the literature to refer to asynchronous communication design; we have included many references that can serve as a starting point for exploring this area. Readers familiar with the research in this area may want to continue reading in section 0.4. At Eindhoven University of Technology a public bibliography on asynchronous communication has been set up. A compressed version of the bibliography file is available for anonymous ftp on the Internet from <ftp.win.tue.nl> (address: [131.155.70.100]) as file async.bib.Z in directory /pub/tex. All communication concerning this bibliography can be sent to the corresponding e-mail address:

<async-bib@win.tue.nl>

Many people have been concerned with notions that are related to delay-insensitivity. In the literature one encounters a variety of terms: <u>asynchronous</u>, <u>speed-independent</u>, <u>self-timed</u>, <u>delay-safe</u>, <u>delay-insensitive</u>, <u>delay-independent</u>. Although distinct terms are used, people are dealing with related intuitive notions. Attempts have been made to formalize these notions, each stressing distinct characteristics. Furthermore, the same term has been used by different people to indicate different aspects of the intuitive notions.

The term asynchronous arose to distinguish between synchronous, e.g. globally clocked, and not synchronous, e.g. locally clocked or not clocked, systems, cf. [Muller-Bartky 59, Unger 69, Rosenberger 69, Keller 75, Molnar-Fang 81, Dill-Clarke 85, Molnar 86, Brzozowski-Seger 89, Brzozowski-Ebergen 89, Yoeli 87]. In [Josephs-Hoare-Jifeng 89] Josephs, Hoare, and Jifeng have introduced asynchronous processes in CSP, cf. [Hoare 85]. Muller, cf. [Miller 65], Keller, cf. [Keller 74], Fang and Molnar, cf. [Fang-Molnar 83], and Dill, cf. [Dill 88], use the term "speed-independent", and Seitz, among others, is concerned with "self-timed" systems, cf. [Seitz 79, Martin 85b, Yakovlev 85, Greenstreet-Williams-Staunstrup 88]. Van de Snepscheut and Martin both use "delay-insensitive". They stress the internal communication, cf. [van de Snepscheut 85, Martin 86]; the external communication between the mechanisms and an external environment need not be delay-insensitive. Molnar, Fang, and Rosenberger apply delay-insensitivity to the external communication of Macromodules, cf. [Molnar-Fang-Rosenberger 85, Clark-Molnar 74, Molnar-Fang 81, Rosenberger-Molnar-Chaney-Fang 88]. The internal communication is, generally, not delay-insensitive. Based upon the latter approach several formalizations have emerged, cf. [Udding 84, Schols 85, Verhoeff 85, Black 86, Ebergen 87].

Udding was the first to capture delay-insensitivity formally. He has presented a set of rules, i.e. predicates on trace structures, that are necessary and sufficient for delay-insensitivity, cf. [Udding84]. Udding is concerned with the communication behavior of components rather than with the communication in channels. He distinguishes four classes; the largest class he has called the "delay-insensitive class", see also chapter 5 and subsection 7.0.1.

Within the study of asynchronous communication design the multiple use of terms has led to argument and confusion. In this monograph, see chapter 5, we will work within the area "delay-insensitive communication", see [Udding 84].

# 0.4 Delay-insensitivity

Restricting communication to delay-insensitive communication turns out to reduce the class of implementable specifications of circuits. Many questions arise, e.g.:

- what are the limitations of delay-insensitive communication?
- can delay-insensitive communication be integrated with more synchronized forms of communication?
- is any liveness property implementable when using delay-insensitive communication?

In this monograph we address the first two questions extensively. Regarding the third question, it has been argued that liveness properties are not expressible using finite trace theory. We have shown that it is possible to express some liveness properties in finite trace theory, e.g. absence of ambiguous quiescence hazard, cf. "absence of unspecified termination hazard" in [Schols 88]; in this monograph ambiguous quiescence hazard is presented as an example of the transformation technique shown in chapter 3.

Seitz argues that a strict protocol of signaling conventions has to be imposed throughout a system in order to deal with the complexity of the design, cf. [Seitz 80]. We agree with him. On the other hand, confining oneself to such a restriction may make the design problem fundamentally unsolvable or require unacceptable penalties in cost, performance, manufacturability, or testability. We would like to know whether our inability to find an acceptable solution for such a problem is fundamentally due to the problem itself or to a possibly too severe restriction that we imposed and that perhaps should be relaxed. In chapters 4 and 5 we present tools that help to answer this question.

# 0.5 Proofs

Within this monograph we present formal statements in theorems, lemmas, and properties. We present properties without formal proofs, since the proofs of them are either trivial, easy, presented elsewhere, or analogous to other proofs; we do give hints when this is appropriate. The proofs of lemmas and theorems are presented in appendix A; this is done in order not to interrupt the flow of the discourse by the rather technical proofs. Theorems represent the formal conclusions drawn in this monograph; lemmas are intended for local use within the context of this monograph only.

# 1

# Formalism and notation

In this chapter we present some tools and notational conventions that we use in the remainder of this monograph.

# 1.0 Sets

In this monograph a *set* is denoted by a pair of curly brackets. The elements of a set are listed between these brackets. The elements are separated from each other by commas. We also use quantification to denote sets, see section 1.2.

We denote the *empty set* by " $\emptyset$ ". Between an element and a set there exists a binary relation, viz. "*is an element of*"; this relation is denoted by the infix operator " $\in$ ". The negation of this relation, i.e. the binary relation "*is not an element of*", is denoted by the infix operator " $\notin$ ".

### example 1.0

 $\{3, 8\}$  denotes the set that consists of the natural numbers 3 and 8.

 $0 \in \{0, 1, 2\}$ 

4∉{0,1,2}

end of example

The *intersection* of two sets is denoted by the infix operator " $\cap$ ". The *union* of two sets is denoted by the infix operator " $\cup$ ". The binary relation "*subset*" is denoted by the infix operator " $\subseteq$ ".

# example 1.1

$\{2,3\} \cap \{2,4\} = \{2\}$

$\{2,3\} \cup \{2,4\} = \{2,3,4\}$

$\{2,4\} \subseteq \{2,3,4\}$

$\{2,3,4\} \subseteq \{2,3,4\}$

end of example

The binary relation "proper subset" is denoted by the infix operator " $\subset$ ". For sets M and N,  $M \subset N$  is equal to  $(M \subseteq N) \land (M \neq N)$ . For sets M and N, we denote the asymmetric set difference of M and N by  $M \setminus N$ . In definition 1.2 we use quantification to denote the set that is defined as  $M \setminus N$ ; we explain this notation in section 1.2.

definition 1.2 asymmetric set difference

For sets M and N, $M \setminus N \stackrel{\text{def}}{=} \{m : m \in M \land m \notin N : m\}$.

end of definition

For sets M and N, the symmetric set difference of M and N is denoted by  $M \div N$ .

definition 1.3 symmetric set difference

For sets M and N, $M \div N \stackrel{\text{def}}{=} (M \setminus N) \cup (N \setminus M)$.

end of definition

example 1.4

 $\{2,3\}\setminus\{2,4\}=\{3\}$ 

 $\{2,3\} \div \{2,4\} = \{3,4\}$ 

end of example

The set of *natural numbers* is denoted by  $\mathbb{N}$ ; in this monograph, zero is a natural number. The set of all positive natural numbers is denoted by  $\mathbb{N}^+$ .

property 1.5

(i) $0 \in \mathbb{N}$

(ii) $\mathbb{N}^+ = \mathbb{N} \setminus \{0\}$

end of property

# 1.1 Operators

We assume that the reader is familiar with the following operators in propositional calculus: *equality*, denoted by "=", *inequality*, denoted by " $\neq$ ", *negation*, denoted by " $\neg$ ", *conjunction*, denoted by " $\wedge$ ", *disjunction*, denoted by " $\vee$ ", and *implication*, denoted by " $\Rightarrow$ ". The disjunction is <u>inclusive</u>, i.e.  $x \lor y$  does not imply  $x \ne y$ .

# 1.1.0 Priority of operators

We define the *priority* of operators in order to save on parentheses. To do this we have grouped the operators; within each group all operators have equal *binding power*. The groups of operators are listed in table 1.0 in order of increasing binding power.

| operators, grouped by binding power (lowest first) |
|---|
| $=$ , $\neq$ |
| $\wedge$ , $\vee$ , $\Rightarrow$ |
| $\in$ , $\notin$ , $\subseteq$ |
| $\setminus$ , $\div$ , $\cap$ , $\cup$ |
| all other operators that have at least two parameters |
| all unary operators |
| catenation |

table 1.0

Priority of operators in order of increasing binding power.

As a consequence, catenation has the highest binding power; equality and inequality have the lowest binding power.

# **1.2 Quantification**

In order to denote quantification, we need a variable binding construct. For such a construct we use a slightly unconventional notation. For instance, *universal quantification*, i.e. generalized conjunction, is denoted by

 $(\mathbf{A}l: R: E),$ 

where A is the quantifier, l is the list of bound variables, R is the predicate that delineates the range of the variables, and E is the quantified expression. Both R and E will, in general, contain variables from l. Analogously, we denote *existential quantification*, i.e. generalized disjunction, by

 $(\mathbf{E}l: R: E).$ 

Furthermore, we may use quantification to denote sets:

$\{l: R: e\},$

where e denotes an element of the set.

In this monograph, all variables that range over numbers, range over the natural numbers, unless stated otherwise.

# example 1.6

$(\mathbf{A}i: 6 \le i < 9: P_i)$ is equal to $P_6 \land P_7 \land P_8$.

$(\mathbf{E}i, j: (2 \le i \le 5) \land \mathrm{EVEN}(j) \land (i = j): P_i)$ is equal to $P_2 \lor P_4$.

$\{i: 2 \le i \le 4: i^2\}$ is equal to $\{4, 9, 16\}$.

end of example

# 1.3 Denotation of proofs

Proofs are often split into a number of steps. For instance, for expressions E, F, and G, we can prove $E \Rightarrow G$ by arguing that $E = F$ and $F \Rightarrow G$. The sameness of the two occurrences of F is essential for the argument that the total proof is correct. To establish this sameness, a string comparison is needed. To spare the reader such comparisons, we denote proofs like this in the following way:

$$\begin{array}{ll}
& E \\
= & \{\ \text{hint why } E = F\ \} \\
& F \\
\Rightarrow & \{\ \text{hint why } F \Rightarrow G\ \} \\
& G
\end{array}$$

In an analogous way, we denote the proof of  $A \subseteq C$  that consists of the steps A = B and  $B \subseteq C$ . This denotation of proofs is called *hint calculus*. It has been adopted from [Dijkstra-Feijen 88].

# 1.4 Trace theory

When we refer to *trace theory* in this monograph, we mean the trace theory that has been developed at Eindhoven University of Technology by Rem and others, cf. [Rem-van de Snepscheut-Udding 83, van de Snepscheut 85, Kaldewaij 86, Rem 85]. Trace theory is a tool that has been developed to formalize communication. In this section we present the trace theory notions that are used in this monograph. In subsection 1.4.3 we present the notions that we have added to the notions that exist in trace theory. For a detailed overview of trace theory we refer to [Kaldewaij 86]. In subsection 1.4.4 we present a notational convention that may make it easier to appreciate trace theory.

# remark 1.7

Mazurkiewicz, cf. [Mazurkiewicz85], has developed a formalism that is also called trace theory. Mazurkiewicz's trace theory differs from our trace theory. Mazurkiewicz's traces correspond to equivalence classes over our traces.

# end of remark

In our trace theory all traces have finite length. For this reason it is also called finite trace theory. Finite trace theory has been extended by Van Horn, cf. [Van Horn 86], and Black, cf. [Black 86], with infinite traces; this extension is used by them in order to deal with liveness properties. Although liveness properties are not a primary concern in this monograph, we use a liveness property as an example of a correctness concern in section 3.4. From this we conclude that some liveness properties can be expressed in finite trace theory.

# 1.4.0 Basic notions of trace theory

We assume the existence of a finite set  $\Omega$ ;  $\Omega$  is called the *universe*. The elements of  $\Omega$  are called *symbols*. We assume that  $\Omega$  is large enough, i.e. we will not run out of symbols. A subset of  $\Omega$  is called an *alphabet*. A sequence of symbols is called a *trace*. A set of traces is called a *trace set*. The sequence containing no symbols is denoted by  $\varepsilon$ ; trace  $\varepsilon$  is called the *empty trace*. We link sequences by *catenating* them. Catenation is denoted by juxtaposition. In trace theory the noun "concatenation" is sometimes used instead of "catenation", cf. [Kaldewaij 86].

The set of all finite-length sequences of symbols chosen from an alphabet is called the *Kleene-closure* of this alphabet.

#### definition 1.8 Kleene-closure of alphabet

For alphabet A, the trace set that is the Kleene-closure of A is denoted by  $A^*$ ; it is defined recursively by:

- (i)  $\varepsilon \in A^*$
- (ii)  $(\mathbf{A}s, a: s \in A^* \land a \in A: sa \in A^*)$
- (iii) completeness axiom: $A^*$ contains no elements that are not required by (i) or (ii).

# end of definition

Notice that  $\emptyset^* = \{\varepsilon\}$ . Furthermore, traces are elements of  $\Omega^*$ . We extend definition 1.8, "Kleene-closure of alphabet", to trace sets.

#### definition 1.9 Kleene-closure of trace set

For trace set S, the trace set that is the Kleene-closure of S is denoted by  $S^*$ ; it is defined recursively by:

- (i)  $\varepsilon \in S^*$
- (ii)  $(\mathbf{A}s, t: s \in S^* \land t \in S: st \in S^*)$
- (iii) completeness axiom: $S^*$ contains no elements that are not required by (i) or (ii).

#### end of definition


We define the binary operation prefix on traces.

### definition 1.10 prefix

For traces s and t, s is called a prefix of t, denoted by $s\ \mathbf{prefix}\ t$, if and only if

 $(\mathbf{E} u : u \in \Omega^* : su = t)$ 

end of definition

In trace theory the symbol "$\leq$" has been used to denote the operation "prefix", cf. [Kaldewaij 86]; since the operator "$\leq$" has been used in the literature to denote many different operations, we prefer to use $\mathbf{prefix}$ to denote the operation prefix.

For trace sets we define the unary operation prefix-closure.

definition 1.11 prefix-closure of trace set

For trace set S, $\mathbf{pref}\,S$ denotes the trace set that contains all prefixes of traces of S:

$$\mathbf{pref}\,S \stackrel{\text{def}}{=} \{s, t : (s\ \mathbf{prefix}\ t) \land (t \in S) : s\}$$

end of definition

We call a trace set S prefix-closed if and only if S = pref S.

We denote the *length* of trace t by $\mathbf{l}t$.

definition 1.12 *length of trace*

We define the length of a trace recursively by:

(i) $\mathbf{l}\varepsilon \stackrel{\text{def}}{=} 0$

(ii) for trace t and symbol a, $\mathbf{l}ta \stackrel{\text{def}}{=} \mathbf{l}t + 1$

end of definition

For trace t and alphabet A we denote the *projection* of t on A by $t \upharpoonright A$.

definition 1.13 projection of trace

We define projection of a trace on an alphabet A recursively by:

(i) $\varepsilon \upharpoonright A \stackrel{\text{def}}{=} \varepsilon$

(ii) for trace t and symbol a such that $a \in A$, $ta \upharpoonright A \stackrel{\text{def}}{=} (t \upharpoonright A)a$

(iii) for trace t and symbol a such that $a \notin A$, $ta \upharpoonright A \stackrel{\text{def}}{=} t \upharpoonright A$

end of definition

We extend the definition of projection to trace sets.

definition 1.14 projection of trace set

For trace set S and alphabet A,

 $S \upharpoonright A \stackrel{\text{def}}{=} \{t : t \in S : t \upharpoonright A\}$ 

end of definition

In traces, occurrences of symbols are counted from the left to the right. As a consequence, the first occurrence of a symbol in a trace is the left most occurrence of this symbol in this trace. For trace t and symbol a we denote the number of occurrences of a in t by  $\#_a t$ .

definition 1.15 *number of occurrences* 

We define the number of occurrences of a symbol a in a trace t by:

$$\#_a t \stackrel{\text{def}}{=} \mathbf{l}(t \upharpoonright \{a\}).$$

end of definition

We define the notion bag.

definition 1.16 bag

A bag, say B, is a set of pairs such that

 $B = \{a : a \in \Omega : (a, f(a))\}$  for some function  $f : \Omega \to \mathbb{N}$ .

### end of definition

In definition 1.16, "bag", for every symbol a, f(a) is the number of occurrences of a in the bag B. In order to avoid a cumbersome notation, we abbreviate the denotation of a bag, say B, to  $\{a, n : (a, n) \in B \land n > 0 : (a, n)\}$ .

We define the bag of a trace:

definition 1.17 bag of trace

For trace t, $\mathbf{bag}\,t$ denotes the bag of t:

$$\mathbf{bag}\,t \stackrel{\text{def}}{=} \{a : a \in \Omega : (a, \#_a t)\}$$

end of definition

# 1.4.1 Trace structures

A trace structure is an ordered pair  $\langle A, S \rangle$ , in which A denotes an alphabet and S denotes a trace set satisfying  $S \subseteq A^*$ . For trace structure T, aT denotes the alphabet of trace structure T, and tT denotes the trace set of trace structure T.

We define the partial order inclusion on trace structures.

## definition 1.18 trace structure inclusion

For trace structures T and U, we say that T is included in U, denoted by  $T \subseteq U$ , if and only if

 $(\mathbf{a}T = \mathbf{a}U) \land (\mathbf{t}T \subseteq \mathbf{t}U)$ 

# end of definition

Of course, the proper inclusion  $T \subset U$  equals  $(aT = aU) \land (tT \subseteq tU) \land (tT \neq tU)$ . We extend the definition of prefix-closure to trace structures.

### definition 1.19 prefix-closure of trace structure

For trace structure T, pref T denotes the trace structure that is the prefixclosure of T:

$$\mathbf{pref}\,T \stackrel{\text{def}}{=} \langle \mathbf{a}T, \mathbf{pref}(\mathbf{t}T) \rangle$$

# end of definition

We call a trace structure T prefix-closed if and only if T = pref T. We call a trace structure nonempty if and only if its trace set is nonempty.

### property 1.20

For prefix-closed trace structure T,

 $(\varepsilon \in \mathbf{t}T) = (T \text{ is nonempty})$ 

end of property

We often refer to prefix-closed trace structures that contain  $\varepsilon$  in their trace set. Using property 1.20 we call such a trace structure a nonempty and prefix-closed trace structure.

For trace structures with equal alphabets we define their intersection.

definition 1.21 intersection of trace structures

For trace structures T and U such that aT = aU, the intersection of T and U, denoted by  $T \cap U$ , is defined by

 $T \cap U \stackrel{\text{def}}{=} < \mathbf{a} T \cap \mathbf{a} U, \, \mathbf{t} T \cap \mathbf{t} U >$ 

end of definition

Analogously, for trace structures with equal alphabets we define their union.

definition 1.22 union of trace structures

For trace structures T and U such that aT = aU, the union of T and U, denoted by  $T \cup U$ , is defined by

 $T \cup U \stackrel{\text{def}}{=} < \mathbf{a} T \cup \mathbf{a} U, \ \mathbf{t} T \cup \mathbf{t} U >$ 

end of definition

We extend the definition of projection to trace structures.

definition 1.23 projection of trace structure For trace structure T and alphabet A,

$$T \upharpoonright A \stackrel{\text{def}}{=} \langle \mathbf{a}T \cap A, \mathbf{t}T \upharpoonright A \rangle$$

## end of definition

For trace structures T and U we denote their *weave* by $T\mathbf{w}U$. $T\mathbf{w}U$ is a trace structure. We consider traces t, $t \in \mathbf{t}T$, and u, $u \in \mathbf{t}U$, that are equal w.r.t. the common symbols, i.e. $t \upharpoonright (\mathbf{a}T \cap \mathbf{a}U) = u \upharpoonright (\mathbf{a}T \cap \mathbf{a}U)$. Traces t and u are 'merged' into one or more traces of $\mathbf{t}(T\mathbf{w}U)$; the common symbols are not duplicated by this 'merging'. All pairs of traces t and u that satisfy $t \upharpoonright (\mathbf{a}T \cap \mathbf{a}U) = u \upharpoonright (\mathbf{a}T \cap \mathbf{a}U)$ are 'merged' in this way.

definition 1.24 weave

For trace structures T and U,

$$T \mathbf{w} U \stackrel{\text{def}}{=} \langle \mathbf{a}T \cup \mathbf{a}U, \{ s : s \in (\mathbf{a}T \cup \mathbf{a}U)^* \land s \upharpoonright \mathbf{a}T \in \mathbf{t}T \land s \upharpoonright \mathbf{a}U \in \mathbf{t}U : s \} \rangle$$

end of definition

In example 1.25 we give examples of the weave of trace structures.

example 1.25

- (i)  $\langle \{a,b\}, \{\varepsilon,a,ab,aba\} \rangle w \langle \{b,c\}, \{\varepsilon,b,bc\} \rangle$ =  $\langle \{a,b,c\}, \{\varepsilon,a,ab,aba,abc,abac,abca\} \rangle$
- (ii)  $\langle \{a, b, d\}, \{\varepsilon, b, d, ba\} \rangle w \langle \{b, c, d\}, \{\varepsilon, b, d, dc\} \rangle$ =  $\langle \{a, b, c, d\}, \{\varepsilon, b, d, ba, dc\} \rangle$

end of example

property 1.26 weaving is symmetric For trace structures T and U,

 $T\mathbf{w}U = U\mathbf{w}T$ 

end of property

For trace structures T and U such that  $aT \cap aU = \emptyset$ , the trace set of TwU consists of all traces that are interleavings of a trace of tT and a trace of tU. Property 1.27 shows that weaving is equal to intersection if the alphabets of the trace structures are equal.

# property 1.27

For trace structures T and U such that  $\mathbf{a}T = \mathbf{a}U$ ,

 $T \mathbf{w} U = T \cap U$ 

# end of property

The weave of nonempty prefix-closed trace structures is a nonempty prefix-closed trace structure :

## property 1.28

For nonempty prefix-closed trace structures T and U,

 $T \mathbf{w} U$  is nonempty and prefix-closed.

# end of property

For trace structures T and U we denote their *blend* by TbU. TbU is a trace structure, viz. the projection of TwU on the non-common symbols.

definition 1.29 blend

For trace structures T and U,

$$T\mathbf{b}U \stackrel{\text{def}}{=} (T\mathbf{w}U) \upharpoonright (\mathbf{a}T \div \mathbf{a}U)$$

end of definition

In example 1.25 we considered the weave of some trace structures. Examples of the blend of these same trace structures are given in example 1.30.

### example 1.30

end of example
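The weave and blend operators above, implemented as an added example in Python; this code is not part of the monograph. It assumes trace structures represented as a pair (alphabet, finite trace set) with single-character symbols and the empty string for $\varepsilon$. The weave is computed pairwise, by merging a trace of T with a trace of U exactly as described before definition 1.24: symbols private to one structure interleave freely, a common symbol has to be at the head of both traces and is consumed from both at once. Run on the trace structures of example 1.25 it reproduces the weaves given there, computes the blends that example 1.30 refers to, and checks properties 1.26, 1.27 and 1.28 on those inputs.

```python
# Added example, not part of the monograph: finite trace theory operators of
# subsections 1.4.0 and 1.4.1 on trace structures represented as a pair
# (alphabet, trace set); symbols are single characters, epsilon is "".

def project(t, A):
    """t projected on A (definition 1.13): keep the symbols of t that are in A."""
    return "".join(c for c in t if c in A)

def pref(S):
    """pref S (definition 1.11): every prefix of every trace of S, epsilon included."""
    return frozenset(t[:i] for t in S for i in range(len(t) + 1))

def is_prefix_closed(S):
    return pref(S) == frozenset(S)

def weave_traces(t, u, common):
    """Yield every s whose projection on the symbols of t is t and on the
    symbols of u is u. Symbols private to one trace interleave freely; a
    common symbol must head both traces and is consumed from both at once,
    so it is never duplicated. If t and u disagree on the common symbols,
    nothing is yielded."""
    if not t and not u:
        yield ""
        return
    if t and t[0] not in common:
        for s in weave_traces(t[1:], u, common):
            yield t[0] + s
    if u and u[0] not in common:
        for s in weave_traces(t, u[1:], common):
            yield u[0] + s
    if t and u and t[0] == u[0] and t[0] in common:
        for s in weave_traces(t[1:], u[1:], common):
            yield t[0] + s

def weave(T, U):
    """T w U (definition 1.24)."""
    (aT, tT), (aU, tU) = T, U
    common = aT & aU
    traces = {s for t in tT for u in tU for s in weave_traces(t, u, common)}
    return (aT | aU, frozenset(traces))

def blend(T, U):
    """T b U (definition 1.29): the weave projected on aT symmetric-difference aU."""
    noncommon = T[0] ^ U[0]
    aW, tW = weave(T, U)
    return (aW & noncommon, frozenset(project(s, noncommon) for s in tW))

def intersection(T, U):
    """T intersection U (definition 1.21); requires equal alphabets."""
    assert T[0] == U[0], "intersection is only defined for equal alphabets"
    return (T[0], T[1] & U[1])

if __name__ == "__main__":
    # Example 1.25 (i) of the monograph.
    T = (frozenset("ab"), frozenset({"", "a", "ab", "aba"}))
    U = (frozenset("bc"), frozenset({"", "b", "bc"}))
    print(sorted(weave(T, U)[1]))
    print(sorted(blend(T, U)[1]))
```

The pairwise merge never duplicates a common symbol, and a pair (t, u) that is not equal w.r.t. the common symbols simply contributes no traces, so no separate filtering of pairs is needed.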

# 1.4.2 State graphs

We often denote a nonempty prefix-closed trace set by a *state graph* (i.e. a simple, arc-labeled, directed graph) that is deterministic and minimal, cf. [Kaldewaij86]. The nodes of the graph are the *states*; the arcs of the graph are the *transitions*. The state, to which trace *t* corresponds, is denoted by [t]. As a consequence,  $[\varepsilon]$  denotes the *initial state*. Each path starting in  $[\varepsilon]$  yields a trace by catenating the labels of the arcs on that path as they are traversed. If a state graph has a finite number of states, it is called *regular*. In a diagram of a regular state graph the initial state is indicated by a fat dot, see figure 1.1.



figure 1.1 State graph of trace set { $\varepsilon$ , a, b, ab, ba }.

A state graph can also denote a nonempty prefix-closed trace structure, say T, if every symbol of  $\mathbf{a}T$  occurs in at least one of the traces of  $\mathbf{t}T$ . In that case the alphabet of the trace structure consists of all symbols that occur as a label of some arc in the state graph. If the state graph in figure 1.1 is used to denote a trace structure, it denotes  $\langle \{a, b\}, \{\varepsilon, a, b, ab, ba\} \rangle$ .
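The construction of the deterministic, minimal state graph of a finite nonempty prefix-closed trace set, as an added example in Python; this code is not part of the monograph. It identifies state [t] with the set of continuations of t in the trace set, so that two traces label the same state exactly when they allow the same futures; the numbering of states, with [$\varepsilon$] = 0, is a choice of this example. Applied to the trace set of figure 1.1 it yields four states, with [ab] = [ba], and the arcs drawn in that figure; traces_of recovers the trace set by catenating the labels along every path from the initial state.

```python
# Added example, not part of the monograph: the deterministic, minimal state
# graph (subsection 1.4.2) of a finite nonempty prefix-closed trace set.
# State [t] is identified with the set of continuations of t in S, so two
# traces label the same state exactly when they allow the same futures; this
# makes the graph minimal, and deterministic because the continuations of ta
# are determined by those of t.

def pref(S):
    return frozenset(t[:i] for t in S for i in range(len(t) + 1))

def state_graph(S):
    """Return (state_of, arcs): state_of maps each trace t to the number of
    state [t], with [epsilon] = 0; arcs is the set of transitions
    (source state, label, target state)."""
    S = frozenset(S)
    if "" not in S or S != pref(S):
        raise ValueError("S must be nonempty and prefix-closed")

    def continuations(t):
        return frozenset(s[len(t):] for s in S if s.startswith(t))

    state_of, state_id = {}, {}
    for t in sorted(S, key=lambda s: (len(s), s)):     # epsilon first
        c = continuations(t)
        state_id.setdefault(c, len(state_id))
        state_of[t] = state_id[c]
    alphabet = {a for t in S for a in t}
    arcs = {(state_of[t], a, state_of[t + a])
            for t in S for a in alphabet if t + a in S}
    return state_of, arcs

def traces_of(arcs, initial=0):
    """Each path from the initial state yields a trace by catenating the arc
    labels along it; for a finite trace set the graph is acyclic."""
    out, frontier = set(), [("", initial)]
    while frontier:
        t, q = frontier.pop()
        out.add(t)
        frontier.extend((t + a, r) for (p, a, r) in arcs if p == q)
    return frozenset(out)

if __name__ == "__main__":
    state_of, arcs = state_graph({"", "a", "b", "ab", "ba"})   # figure 1.1
    print(state_of)
    print(sorted(arcs))
```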


Often we present state graphs in which two states are connected by two arcs that point in opposite directions and have the same label, see figure 1.2.



figure 1.2 A state graph.

We abbreviate such a pair of arcs by replacing these two arcs by one bidirectional arc with the same label, see figure 1.3.



figure 1.3 Abbreviated diagram of the state graph of figure 1.2.

As a consequence, the diagrams in figure 1.2 and figure 1.3 are diagrams of the same state graph.

# 1.4.3 Extensions of trace theory

In this subsection we introduce two extensions of trace theory that are used in this monograph.

## 1.4.3.0 The bipartitions alphbip and iobip

We introduce the notion *alphbip*. An alphbip is an unordered pair of disjoint sets of symbols. The union of these sets is called the *alphabet of the alphbip*; an alphbip is a bipartition of its alphabet. Given alphbip D, the alphabet of D is denoted by aD. Given two disjoint sets of symbols, say A and B, the alphbip of which A and B are the parts is denoted by  $A \oplus B$ .

property 1.31

For two disjoint sets, A and B, of symbols,

 $A \oplus B = B \oplus A$ 

end of property

definition 1.32 intersection of alphbip and alphabet

For two disjoint sets, A and B, of symbols, and alphabet C, the intersection of alphbip  $A \oplus B$  with C is defined by:

 $(A \oplus B) \cap C \stackrel{\text{def}}{=} (A \cap C) \oplus (B \cap C)$ 

end of definition

For symbol a and alphbip D such that  $a \in aD$ , we denote the alphabet of symbols in aD that are in the same part of alphbip D as a by spa(a, D); we denote the alphabet of symbols in aD that are in the other part of alphbip D than a by opa(a, D).

property 1.33

For alphbip D,

 $(\mathbf{A}a: a \in \mathbf{a}D: D = \mathbf{spa}(a, D) \oplus \mathbf{opa}(a, D)).$ 

## end of property

We also introduce the notion *iobip*. An iobip is a pair of disjoint sets of symbols, viz. the *input alphabet of the iobip* and the *output alphabet of the iobip*. The union of these sets is called the *alphabet of the iobip*; an iobip is an ordered bipartition of its alphabet. Given iobip F, the alphabet of F is denoted by  $\mathbf{a}F$ . The input alphabet of F is denoted by  $\mathbf{i}F$ ; the output alphabet of F is denoted by  $\mathbf{o}F$ . For iobip F we define its *reflection*, which is denoted by  $\overline{F}$ :  $\mathbf{i}\overline{F} \stackrel{\text{def}}{=} \mathbf{o}F$  and  $\mathbf{o}\overline{F} \stackrel{\text{def}}{=} \mathbf{i}F$ . The reflection of an iobip is an iobip.

# 1.4.3.1 Reduction operator

We introduce the function $\mathbf{redts}$; this function reduces the trace set of a trace structure by removing certain traces. The motivation for the introduction of this operator can only be provided in the context of the following chapters. Until then, the reader may not fully appreciate it.

## definition 1.34 redts

For trace structure T, alphabet A, and trace set S, we define trace structure redts(T, A, S) by:

$$\mathbf{redts}(T, A, S) \stackrel{\text{def}}{=} \langle \mathbf{a}T,\ \mathbf{t}T \setminus \{x, y, w : x \in (\mathbf{a}T)^* \land y \in (\mathbf{a}T \setminus A)^* \land xy \in (\mathbf{t}T \cap S) \land w \in (\mathbf{a}T)^* : xw\} \rangle$$

end of definition

In definition 1.34, "redts", not only is every trace xy in $\mathbf{t}T \cap S$ removed from $\mathbf{t}T$, but also every prefix x of such a trace that differs from xy only by a sequence y of symbols that are not in A; to keep $\mathbf{t}(\mathbf{redts}(T, A, S))$ prefix-closed, every trace xw that extends a removed prefix x is removed as well. For the necessity of the intersection with $\mathbf{t}T$ in definition 1.34, "redts", we refer to example 1.43. The role of alphabet A is illuminated by property 1.35: every trace in $\mathbf{t}T \cap S$ causes the elimination from $\mathbf{t}T$ of a trace that contains a symbol in A.

## property 1.35

For prefix-closed trace structure T, alphabet A, and trace set S such that  $\varepsilon \in t(redts(T, A, S))$ ,

$$(\mathbf{A}s : s \in (\mathbf{t}T \cap S) : (\mathbf{E}x, a : x \in (\mathbf{a}T)^* \land a \in A \land xa\ \mathbf{prefix}\ s : x \in \mathbf{t}(\mathbf{redts}(T, A, S)) \land xa \notin \mathbf{t}(\mathbf{redts}(T, A, S))))$$

end of property

In property 1.36 we present a generalization of property 1.35.

## property 1.36

For prefix-closed trace structure T, alphabet A, and trace sets S and R such that $\varepsilon \in \mathbf{t}(\mathbf{redts}(T, A, S))$ and $R = \mathbf{t}T \setminus \mathbf{t}(\mathbf{redts}(T, A, S))$,

$$(\mathbf{A}r : r \in R : (\mathbf{E}x, a : x \in (\mathbf{a}T)^* \land a \in A \land xa\ \mathbf{prefix}\ r : x \in \mathbf{t}(\mathbf{redts}(T, A, S)) \land xa \notin \mathbf{t}(\mathbf{redts}(T, A, S))))$$

end of property

#### remark 1.37

Trace x and symbol a in the existential quantification in properties 1.35 and 1.36 do not only exist: they are also unique.

## end of remark

In order to distinguish between statements about formal objects in definitions, properties, lemmas, and theorems and statements about specific instantiations of such objects in examples, we index the instantiations in examples with natural numbers. We refer to the indexed instantiations locally: in the chapter in which they occur.

#### example 1.38

We consider prefix-closed trace structure  $T_0$ , alphabet  $A_0$ , and trace sets  $R_0$  and  $S_0$ ; they are defined by:

$T_0 \stackrel{\text{def}}{=} \langle \{a, b\}, \{\varepsilon, a, ab\} \rangle$,

$A_0 \stackrel{\text{def}}{=} \{a\}$,

$R_0 \stackrel{\text{def}}{=} \{a\}$,

$S_0 \stackrel{\text{def}}{=} \{ab\}$.

From definition 1.34, "redts", follows redts $(T_0, A_0, R_0) = \langle \{a, b\}, \{\epsilon\} \rangle$ . We also see that redts $(T_0, A_0, S_0) = \langle \{a, b\}, \{\epsilon\} \rangle$ , since trace *a* is eliminated from  $tT_0$  because  $b \in (aT_0 \setminus A_0)^*$  and  $ab \in (tT_0 \cap S_0)$ .

## end of example

The following properties follow from definition 1.34, "redts".

#### property 1.39 redts preserves prefix-closedness

For prefix-closed trace structure T, alphabet A, and trace set S,

redts(T, A, S) is prefix-closed.

#### end of property

#### property 1.40

For nonempty, prefix-closed trace structure T, alphabet A, and trace set S,

 $(\mathbf{A}s: s \in (\mathbf{t}T \cap S): l(s|A) > 0) = (\varepsilon \in \mathbf{t}(\mathbf{redts}(T, A, S)))$ 

end of property

#### property 1.41

For trace structure T, alphabet A, and trace sets R and S,

 $\operatorname{redts}(T, A, R \cup S) = \operatorname{redts}(\operatorname{redts}(T, A, R), A, S)$ 

end of property


## property 1.42

For trace structure T, alphabet A, and trace set S such that  $tT \cap S = \emptyset$ ,

redts(T, A, S) = T

#### end of property

In example 1.43 we illustrate the necessity of the intersection with tT in definition 1.34, "redts".

## example 1.43

We consider prefix-closed trace structure $T_1$, alphabet $A_1$, and trace set $S_1$; they are defined by:

$T_1 \stackrel{\text{def}}{=} \langle \{a, b\}, \{\varepsilon, a\} \rangle$,

$A_1 \stackrel{\text{def}}{=} \{a\}$,

$S_1 \stackrel{\text{def}}{=} \{ab\}$.

We are interested in $\mathbf{redts}(T_1, A_1, S_1)$. If the intersection with $\mathbf{t}T_1$ in definition 1.34, "redts", were not present, then trace a would be removed when reducing the trace set of $T_1$, since $ab \in S_1$ and $b \in (\mathbf{a}T_1 \setminus A_1)^*$. There is, however, no need to remove trace a from $\mathbf{t}T_1$, since $ab \notin \mathbf{t}T_1$ anyway.

end of example
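The following Python is an added example and not code from the thesis. It encodes the reading of "redts" that the example above, example 1.43, and properties 1.39 to 1.42 support; definition 1.34 itself is not reproduced on this page, so that reading is an assumption: a trace $t$ of $\mathbf{t}T$ is removed when some extension $tu$, with $u$ over symbols outside $A$, lies in $\mathbf{t}T \cap S$, and every extension of such a $t$ is removed with it, which is what keeps the result prefix-closed. The keyword argument `intersect_with_tT` switches the intersection off, so the point of example 1.43 can be checked mechanically, and `sweep` checks the four properties exhaustively on small constructed instances. Symbols are single characters and traces are strings; both are representation choices made here.

```python
from itertools import product

# Added example, not code from the thesis: symbols are single characters and a
# trace is a string, so the empty trace epsilon is ''. A trace structure
# <aT, tT> is passed as (alphabet, traces).


def prefixes(trace):
    return {trace[:i] for i in range(len(trace) + 1)}


def is_prefix_closed(traces):
    return all(p in traces for t in traces for p in prefixes(t))


def project(trace, A):
    """s|A: the trace s with all symbols outside A deleted."""
    return "".join(c for c in trace if c in A)


def redts(alphabet, traces, A, S, intersect_with_tT=True):
    """Reading of definition 1.34 used here (an assumption; the definition is not
    on this page): a trace t of tT is removed when t u is in tT ∩ S for some u
    over symbols outside A, and so is every extension of such a t in tT, which
    keeps the result prefix-closed (property 1.39). With intersect_with_tT=False
    the targets are taken from S alone, the variant that example 1.43 rejects."""
    outside_A = set(alphabet) - set(A)
    targets = set(S) & set(traces) if intersect_with_tT else set(S)

    def doomed(t):
        return any(s.startswith(t) and set(s[len(t):]) <= outside_A for s in targets)

    removed = {t for t in traces if doomed(t)}
    kept = {t for t in traces if not any(t.startswith(r) for r in removed)}
    return alphabet, kept


def check_properties(alphabet, traces, A, R, S):
    """Properties 1.39 to 1.42 as stated on the page, for one instance with a
    nonempty prefix-closed trace set."""
    tR = redts(alphabet, traces, A, R)[1]
    tS = redts(alphabet, traces, A, S)[1]
    hit = set(traces) & set(S)
    ok_39 = is_prefix_closed(tS)
    ok_40 = not traces or (all(len(project(s, A)) > 0 for s in hit) == ("" in tS))
    ok_41 = redts(alphabet, traces, A, set(R) | set(S))[1] == redts(alphabet, tR, A, S)[1]
    ok_42 = bool(hit) or tS == set(traces)
    return ok_39 and ok_40 and ok_41 and ok_42


def sweep():
    """Exhaustive check of the four properties over small constructed instances:
    two prefix-closed trace sets over {a, b}, every alphabet A, and every choice
    of R and S drawn from five short traces."""
    pool = ["", "a", "b", "ab", "ba"]
    for traces in ({"", "a", "ab"}, {"", "a", "b", "aa", "ab", "ba", "bb"}):
        for A in ("", "a", "b", "ab"):
            for bits in product((0, 1), repeat=2 * len(pool)):
                R = {t for t, keep in zip(pool, bits[:5]) if keep}
                S = {t for t, keep in zip(pool, bits[5:]) if keep}
                if not check_properties("ab", traces, A, R, S):
                    return False
    return True


if __name__ == "__main__":
    T0, A0 = ("ab", {"", "a", "ab"}), {"a"}
    print(redts(*T0, A0, {"a"}), redts(*T0, A0, {"ab"}))            # both keep only ''
    T1 = ("ab", {"", "a"})
    print(redts(*T1, A0, {"ab"}), redts(*T1, A0, {"ab"}, False))   # {'', 'a'} versus {''}
    print(sweep())
```

The two calls on `T1` reproduce example 1.43: with the intersection the trace set is untouched because $ab \notin \mathbf{t}T_1$, without it the trace $a$ is lost.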

### 1.4.4 Notational convention

Lower case letters near the beginning of the Latin alphabet are symbols; when they are used as variables, they denote symbols. Lower case letters near the end of the Latin alphabet denote traces. Capital letters are used to denote alphabets, alphbips, trace sets, and trace structures.

Boldface lower case operators belong to the trace theory formalism and boldface upper case operators belong to the Communication Model; this typography records the formalism in which an operator is defined and does not prevent the operator from ranging over objects of the other formalism.


# 2 Communication Model

In this chapter we introduce the *Communication Model*. By introducing this model we achieve a separation of concerns between the interpretation of the underlying physics and the use of the trace theory formalism. We do <u>not</u> interpret any notions of trace theory in the underlying physics directly: we interpret them in our Communication Model. The importance of establishing the separation of concerns between the interpretation of the physical model and the formalism has been recognized previously by others. Van de Snepscheut, see [ van de Snepscheut 85 ], and Udding, see [ Udding 84 ], carefully distinguished trace theory from its mechanistic appreciation. We make this separation of concerns even more explicit by the introduction of our Communication Model.

When one addresses communication in a formal way, one introduces an abstraction from the underlying physics; the latter is either some physical model, that is considered to constitute a good model for some physical phenomena, or it is one's private notion of 'physical reality'. In this chapter we will set down the postulates for our Communication Model. These postulates have been chosen so as to be consistent with at least one class of "physical models" that is used for the design of computing machinery. In this monograph we will not present rigorous arguments for this consistency: we rather discuss the 'reasonableness' of the postulates in one interpretational example, which we will address as "the physical model" in the remainder of this monograph.

The Communication Model is introduced formally in section 2.0. We discuss the relation between our Communication Model and the physical model in section 2.1. In section 2.2 we introduce the trace theory formalism. In section 2.3 we present some examples and in section 2.4 we motivate why we have chosen to make our Communication Model an event-based model.

## 2.0 Definition of Communication Model

In this section we present the definitions and postulates that form the foundation of our Communication Model. The motivation for choosing these definitions and postulates is provided in section 2.1.

### 2.0.0 Commports

We assume the existence of a finite set $\Psi$. The elements of $\Psi$ are called *commports*. $\Psi$ is partitioned into two parts: $\Psi^o$, the set of *output commports*, and $\Psi^i$, the set of *input commports*. Of course, the set of commports is disjoint from the set $\Omega$ of symbols, which has been introduced in subsection 1.4.0.

#### postulate 2.0

- (i) $\Psi = \Psi^o \cup \Psi^i$
- (ii) $\Psi^o \cap \Psi^i = \emptyset$
- (iii) $\Psi \cap \Omega = \emptyset$

end of postulate

For output commport $\alpha$ and input commport $\beta$, we introduce the predicate "$\alpha$ matches $\beta$", which is denoted by $\alpha\ \mathbf{MATCH}\ \beta$. We postulate that a commport matches exactly one commport. Matching commports are either "connected directly" or "connected indirectly".

#### postulate 2.1

- (i) for input commport $\gamma$, $(\mathbf{E}\alpha: \alpha \in \Psi^o: \alpha\ \mathbf{MATCH}\ \gamma)$
- (ii) for output commports $\alpha$ and $\beta$, and input commport $\gamma$, $(\alpha\ \mathbf{MATCH}\ \gamma \wedge \beta\ \mathbf{MATCH}\ \gamma) \Rightarrow (\alpha = \beta)$
- (iii) for output commport $\alpha$, $(\mathbf{E}\gamma: \gamma \in \Psi^i: \alpha\ \mathbf{MATCH}\ \gamma)$
- (iv) for output commport $\alpha$, and input commports $\gamma$ and $\delta$, $(\alpha\ \mathbf{MATCH}\ \gamma \wedge \alpha\ \mathbf{MATCH}\ \delta) \Rightarrow (\gamma = \delta)$
- (v) for commports $\alpha$ and $\beta$ such that $\alpha\ \mathbf{MATCH}\ \beta$, either $\alpha$ and $\beta$ are "connected directly" or $\alpha$ and $\beta$ are "connected indirectly".

end of postulate

From postulate 2.1 we infer that  $\Psi^o$  and  $\Psi^i$  have the same number of elements. From the definition of matching commports we infer property 2.2.

#### property 2.2

For commports $\alpha$ and $\beta$,

$\alpha\ \mathbf{MATCH}\ \beta \Rightarrow (\alpha \in \Psi^o \wedge \beta \in \Psi^i)$

end of property

### 2.0.1 Comminsts and commsigs

The elements of the Cartesian product of  $\Psi$  and  $\mathbb{N}^+$  are called *comminsts*. The comminst with commport  $\alpha$  and positive natural number *n* is denoted by  $\alpha_n$ . If  $\alpha$  is an output commport, we call  $\alpha_n$  an *output comminst*; if  $\alpha$  is an input commport, we call  $\alpha_n$  an *input comminst*. A set of comminsts, say  $\Lambda$ , is called an *initial set* of comminsts if, for every comminst in  $\Lambda$ ,  $\Lambda$  contains all comminsts with the same commport and a smaller number, see definition 2.3.

#### definition 2.3 initial set of comminsts

A set of comminsts $\Lambda$ is called an *initial set of comminsts* if and only if

$(\mathbf{A}\alpha, m, n: \alpha_n \in \Lambda \wedge m \in \mathbb{N}^+ \wedge m < n: \alpha_m \in \Lambda)$

end of definition

The elements of the Cartesian product of $\Psi^o$, $\mathbb{N}^+$, and $\Psi^i$, for which the output commport matches the input commport, are called *commsigs*, see definition 2.4:

#### definition 2.4

For $\alpha$, $\beta$, and $n$ such that $\alpha \in \Psi^o$, $\beta \in \Psi^i$, $n \in \mathbb{N}^+$, and $\alpha\ \mathbf{MATCH}\ \beta$, the triple $(\alpha, n, \beta)$ is a commsig.

end of definition

Analogously to "initial set of comminsts", we define the predicate "initial" for sets of commsigs. A set of commsigs, say  $\Lambda$ , is called an *initial set of commsigs* if, for every commsig in  $\Lambda$ ,  $\Lambda$  contains all commsigs with the same pair of matching commports and a smaller number, see definition 2.5.

#### definition 2.5 initial set of commsigs

A set of commsigs $\Lambda$ is called an *initial set of commsigs* if and only if

$(\mathbf{A}\alpha, \beta, m, n: (\alpha, n, \beta) \in \Lambda \wedge m \in \mathbb{N}^+ \wedge m < n: (\alpha, m, \beta) \in \Lambda)$

end of definition

### 2.0.2 Comminstorders and commsigorders

In order to define comminstorders and commsigorders we need the notion *strict partial order*. A strict partial order is an antireflexive and transitive relation; as a consequence, it is asymmetric and hence antisymmetric. It is also referred to as an "antireflexive partial order" in the literature.

A comminstorder is a pair $\langle \Lambda, \sqsubset \rangle$, in which $\Lambda$ denotes a finite <u>initial</u> set of comminsts and "$\sqsubset$" is a strict partial order on $\Lambda$. For comminstorder $\phi$, $\Lambda_\phi$ denotes the set of comminsts of comminstorder $\phi$, and $\sqsubset_\phi$ denotes the strict partial order of comminstorder $\phi$.

In the strict partial order of a comminstorder, a comminst is preceded by every comminst with the same commport and a smaller number.

#### postulate 2.6

For comminstorder $\phi$,

$(\mathbf{A}\alpha, m, n: \alpha_n \in \Lambda_\phi \wedge m \in \mathbb{N}^+ \wedge m < n: \alpha_m \sqsubset_\phi \alpha_n)$

end of postulate

For comminstorders we define the *restriction* to an initial set of comminsts:

definition 2.7 restriction of comminstorder

For comminstorder $\phi$ and initial set of comminsts $\Lambda$, we denote the comminstorder that is *the restriction of* $\phi$ *to* $\Lambda$ by $\phi \uparrow \Lambda$; it is defined by:

$\phi \uparrow \Lambda \stackrel{\text{def}}{=} \langle \Lambda_1, \sqsubset_1 \rangle$

where $\Lambda_1 = \Lambda_\phi \cap \Lambda$ and $\sqsubset_1$ is given by:

$(\mathbf{A}\lambda, \mu :: (\lambda \in \Lambda_1 \wedge \mu \in \Lambda_1 \wedge \lambda \sqsubset_\phi \mu) = (\lambda \sqsubset_1 \mu))$

end of definition

Notice that $\Lambda_1$ in definition 2.7, "restriction of comminstorder", is an <u>initial</u> set of comminsts.

Analogously to comminstorders, we define commsigorders. A commsigorder is a pair $\langle \Lambda, \sqsubset \rangle$, in which $\Lambda$ denotes a finite <u>initial</u> set of commsigs and "$\sqsubset$" is a strict partial order on $\Lambda$. For commsigorder $\phi$, $\Lambda_\phi$ denotes the set of commsigs of commsigorder $\phi$, and $\sqsubset_\phi$ denotes the strict partial order of commsigorder $\phi$.

In the strict partial order of a commsigorder, a commsig is preceded by every commsig with the same output commport and a smaller number; notice that commsigs with the same output commport also have the same input commport.

#### postulate 2.8

For commsigorder  $\phi$ ,

 $(\mathbf{A}\alpha,\beta,m,n:(\alpha,n,\beta)\in\Lambda_{\phi}\wedge m\in\mathbb{N}^{+}\wedge m< n:(\alpha,m,\beta)\sqsubset_{\phi}(\alpha,n,\beta))$ 

end of postulate

For commsigorders we define the restriction to an initial set of commsigs:

#### definition 2.9 restriction of commsigorder

For commsigorder $\phi$ and initial set of commsigs $\Lambda$, we denote the commsigorder that is *the restriction of* $\phi$ *to* $\Lambda$ by $\phi \uparrow \Lambda$; it is defined by:

$\phi \uparrow \Lambda \stackrel{\text{def}}{=} \langle \Lambda_1, \sqsubset_1 \rangle$

where $\Lambda_1 = \Lambda_\phi \cap \Lambda$ and $\sqsubset_1$ is given by:

$(\mathbf{A}\lambda, \mu :: (\lambda \in \Lambda_1 \wedge \mu \in \Lambda_1 \wedge \lambda \sqsubset_\phi \mu) = (\lambda \sqsubset_1 \mu))$

end of definition

Notice that $\Lambda_1$ in definition 2.9, "restriction of commsigorder", is an <u>initial</u> set of commsigs.

### 2.0.3 Iodirs and modules

An *iodir*, say  $\Phi$ , is a pair  $\langle \Phi^o, \Phi^i \rangle$ , in which  $\Phi^o$  is a set of output commports and  $\Phi^i$  is a set of input commports.

#### postulate 2.10

For iodir  $\Phi$ ,

- (i)  $\Phi^o \subseteq \Psi^o$
- (ii)  $\Phi^i \subseteq \Psi^i$

end of postulate

We define the *reflection* of an iodir. The reflection of an iodir is an iodir.

#### definition 2.11 reflection of iodir

For an iodir $\Phi$, the reflection of $\Phi$, which is denoted by $\overline{\Phi}$, is defined by

$\overline{\Phi}^o \stackrel{\text{def}}{=} \Phi^i$, $\overline{\Phi}^i \stackrel{\text{def}}{=} \Phi^o$

end of definition

A module, say $\Delta$, is a pair $\langle \mathbf{IO}\Delta, \mathbf{CB}\Delta \rangle$, in which $\mathbf{IO}\Delta$ is an iodir and $\mathbf{CB}\Delta$ is a set of comminstorders; $\mathbf{IO}\Delta$ is called the *iodir of module* $\Delta$, and $\mathbf{CB}\Delta$ is called the *communication behavior of module* $\Delta$. $\Psi^o_\Delta$ is called the set of output commports of module $\Delta$, $\Psi^i_\Delta$ is called the set of input commports of module $\Delta$. Of course, $\mathbf{IO}\Delta = \langle \Psi^o_\Delta, \Psi^i_\Delta \rangle$. We postulate that no two commports of $\Delta$ match, that the empty comminstorder, i.e. $\langle \emptyset, \emptyset \rangle$, is in $\mathbf{CB}\Delta$, and that $\mathbf{CB}\Delta$ is closed with respect to restriction.

#### postulate 2.12

For module  $\Delta$ ,

- (i) for every output commport $\alpha \in \Psi^o_\Delta$ and input commport $\beta \in \Psi^i_\Delta$, $\neg(\alpha\ \mathbf{MATCH}\ \beta)$
- (ii) for every comminstorder $\phi \in \mathbf{CB}\Delta$, $\Lambda_\phi \subseteq (\Psi^o_\Delta \cup \Psi^i_\Delta) \times \mathbb{N}^+$
- (iii) $\langle \emptyset, \emptyset \rangle \in \mathbf{CB}\Delta$
- (iv) for every comminstorder $\phi \in \mathbf{CB}\Delta$ and comminst $\lambda \in \Lambda_\phi$ such that $(\mathbf{A}\mu: \mu \in \Lambda_\phi: \neg(\lambda \sqsubset_\phi \mu))$, $(\phi \uparrow (\Lambda_\phi \setminus \{\lambda\})) \in \mathbf{CB}\Delta$

end of postulate

### 2.0.4 Opdirs and interconnections

An opdir, say  $\Xi$ , is an unordered pair  $\langle \Xi', \Xi'' \rangle$ , in which  $\Xi'$  and  $\Xi''$  are disjoint sets of input commports. Since an opdir is an unordered pair, the opdirs  $\Xi$ , i.e.  $\langle \Xi', \Xi'' \rangle$ , and  $\langle \Xi'', \Xi' \rangle$  are equal.

#### postulate 2.13

For opdir  $\Xi$ ,

- (i)  $\Xi' \subseteq \Psi^i$
- (ii)  $\Xi'' \subseteq \Psi^i$
- (iii)  $\Xi' \cap \Xi'' = \emptyset$
- (iv) for opdirs $\Xi_1$ and $\Xi_2$ such that $\Xi_1' = \Xi_2''$ and $\Xi_1'' = \Xi_2'$, $\Xi_1 = \Xi_2$

end of postulate

An interconnection, say  $\Pi$ , is a pair  $\langle OP\Pi, CM\Pi \rangle$ , in which  $OP\Pi$  is an opdir and  $CM\Pi$  is a set of commsigorders;  $OP\Pi$  is called the *opdir of interconnection*  $\Pi$  and  $CM\Pi$  is called the *communication of interconnection*  $\Pi$ . We postulate that the *empty commsigorder*, i.e.  $\langle \emptyset, \emptyset \rangle$ , is in  $CM\Pi$ , and that  $CM\Pi$  is closed with respect to restriction.

#### postulate 2.14

For interconnection  $\Pi$ ,

- (i) $(\mathbf{OP}\Pi)' \cap (\mathbf{OP}\Pi)'' = \emptyset$
- (ii) for every commsigorder $\phi \in \mathbf{CM}\Pi$ and commsig $(\alpha, m, \beta) \in \Lambda_\phi$, $\beta \in ((\mathbf{OP}\Pi)' \cup (\mathbf{OP}\Pi)'') \wedge m \in \mathbb{N}^+ \wedge \alpha\ \mathbf{MATCH}\ \beta$
- (iii) $\langle \emptyset, \emptyset \rangle \in \mathbf{CM}\Pi$
- (iv) for every commsigorder $\phi \in \mathbf{CM}\Pi$ and commsig $\lambda \in \Lambda_\phi$ such that $(\mathbf{A}\mu: \mu \in \Lambda_\phi: \neg(\lambda \sqsubset_\phi \mu))$, $(\phi \uparrow (\Lambda_\phi \setminus \{\lambda\})) \in \mathbf{CM}\Pi$

end of postulate

The asymmetry in postulate 2.14(ii) is caused by  $\beta$  being the input commport in  $(\alpha, m, \beta)$  and both (**OP**  $\Pi$ )' and (**OP**  $\Pi$ )'' being sets of input commports.

We say that two commports have the same type with respect to interconnection  $\Pi$  if either both are in (OP  $\Pi$ )' or both are in (OP  $\Pi$ )''.

## 2.1 Interpretation of Communication Model

We interpret our Communication Model in the physical model. In the physical model we refer to "mechanisms", "terminals", "wires", and "signals". Mechanisms convey information to each other by exchanging signals: a mechanism sends a signal at one of its terminals; this signal is received by a mechanism at a terminal. Either these two terminals are connected by a wire or they coincide.

In our Communication Model we abstract from voltage levels, transmission times, and the difference between high-going and low-going transitions. Furthermore, we model the sending and reception of signals as point actions, i.e. they have no duration.

### 2.1.0 Commports

A terminal in the physical model is modeled in our Communication Model by zero or more *commports*. A terminal that can only be used by one mechanism to send signals to one terminal of one other mechanism is modeled by one output commport. Analogously, a terminal that can only be used by one mechanism to receive signals from one terminal of one other mechanism is modeled by one input commport. In general, a terminal, that can be used by a mechanism to send signals to *m* terminals and to receive signals from *n* terminals, is modeled by *m* output commports and *n* input commports. As a consequence, every commport is either an output commport or an input commport, see postulate 2.0(i) and (ii).

Let a mechanism be able to send a signal from a terminal, say terminal I, to one specific terminal, say terminal II, of another mechanism. The output commport that models the sending of such a signal at terminal I is said to *match* the input commport that models the reception of this signal at terminal II. From the way the terminals have been 'split' into commports we infer that every commport matches exactly one other commport, see postulate 2.1. Matching commports that model terminals that coincide are said to be *directly connected*. Matching commports that model terminals that are connected by a wire are said to be *indirectly connected*, see postulate 2.1(v).

#### remark 2.15

Not allowing one-to-many communication from a commport does not exclude broadcasting or buswire communication from the descriptive power of our Communication Model. We deal with these communication forms by introducing modules for them.

end of remark

### 2.1.1 Comminsts

The act of sending a signal by a mechanism is modeled by a *comminst*. Let commport  $\alpha$  model (the part of) the terminal, say terminal *I*, that is used by a mechanism to send signals to one specific terminal, say terminal *II*, of another mechanism. The act of sending the first signal from terminal *I* to terminal *II* is modeled by  $\alpha_1$ , the act of sending the second one by  $\alpha_2$ , and so on. In a similar way we denote the act of receiving a signal. We treat comminsts as point actions, i.e. they have no duration.

No second signal can be sent from one terminal to another before the first one has been sent. The same holds for the reception of signals. For this reason we are often interested in sets of comminsts that are closed with respect to the lower numbered comminsts. Such a set was called an *initial set of comminsts* (see definition 2.3).

### 2.1.2 Comminstorders

An order in which signals are sent and received is modeled by a *comminstorder*. When the sending or reception of a signal causally precedes the sending or reception of another signal, we model this by: a comminst occurs *before* another comminst in a comminstorder. Signals that are sent or received in *parallel* or *concurrently* are modeled in our Communication Model as comminsts that occur *independently* –i.e. there exists no causal relation between the sending or reception (of signals) that they model– in a comminstorder. Notice that in our Communication Model the negation of "before" is "*after* or independently". For this reason, a comminstorder is a strict partial order on a set of comminsts, cf. subsection 2.0.2. Comminsts occur either one before the other or independently; no two comminsts occur together. As a consequence, our Communication Model has an interleaving semantics.

Comminst $\alpha_2$ models the act of sending (or receiving) the second signal at the part of the terminal that is modeled by commport $\alpha$, see subsection 2.1.1. If $\alpha_2$ occurs before $\beta_3$ in comminstorder $\phi$, then, of course, $\alpha_1$ occurs before $\beta_3$ in comminstorder $\phi$. In order not to need to specify this explicitly, we require that $\alpha_1 \sqsubset_\phi \alpha_2$, cf. postulate 2.6. Using postulate 2.6 and the transitivity of strict partial orders, we infer from $\alpha_2 \sqsubset_\phi \beta_3$ that $\alpha_1 \sqsubset_\phi \beta_3$. This motivates why $\Lambda_\phi$ is an *initial* set of comminsts, cf. subsection 2.0.2. We have chosen to introduce postulate 2.6 in order to be able to state $\alpha_i \sqsubset_\phi \beta_i$ instead of $(\mathbf{A}k: 1 \le k \le i: \alpha_k \sqsubset_\phi \beta_i)$.

In our Communication Model we deal with finite behaviors. For this reason, we only consider comminstorders with finite sets of comminsts, cf. subsection 2.0.2.

### 2.1.3 Modules

A mechanism is modeled in our Communication Model by a *module*. The terminals of this mechanism that can be used by this mechanism to send signals to another mechanism are modeled by one or more output commports, cf. subsection 2.1.0. These output commports are the *output commports of the module* that models the mechanism, cf. subsection 2.0.3. Analogously, we define the *input commports of the module* that models the mechanism, cf. subsection 2.0.3. We distinguish output and input commports because we assume that mechanisms actively send signals but passively undergo the reception of signals: a mechanism controls the production of the signals that it sends, but it has no control over the production of the signals that it receives. This distinction is elaborated on in chapter 3. A comminst that models the sending of a signal by a mechanism is called an *output comminst* of the module that models this mechanism; a comminst that models the reception of a signal by a mechanism is called an *input comminst* of that module.

We assume that no mechanism sends a signal to itself, cf. postulate 2.12(i). An order in which a mechanism may send or receive signals is modeled by a *comminstorder of the module*. From this follows postulate 2.12(ii). Initially, no signals have been sent or received. This is modeled by the empty comminstorder being a member of the set of comminstorders of the module, cf. postulate 2.12(iii). A comminstorder models a possible behavior of a mechanism. If we omit from such a behavior a signal that has no successors, we are left with another possible behavior of the mechanism. The latter behavior is also modeled by a comminstorder of the module that models this mechanism, cf. postulate 2.12(iv).

We consider a comminst that models the reception of a signal by a mechanism. The mechanism is modeled by a module. We say that the mechanism *accepts* this signal, if this comminst is in accordance with a comminstorder of the module: in this case there is no instance of computation interference. For a formal definition of computation interference we refer to chapter 3.

#### remark 2.16

We have postulated that the communication behavior of a module is such that the mechanism accepts a signal when the comminst that models this signal is in accordance with a comminstorder of the module. Furthermore, the mechanism may send a signal when the comminst that models this signal is in accordance with a comminstorder of the module. There is no obligation for a mechanism to send a signal, even if it is consistent with a comminstorder of the module.

end of remark

We present some modules in the following examples.

#### example 2.17

We consider a mechanism that can receive one out of two input signals after which it sends an output signal. The module that models this mechanism has one output commport, say  $\gamma$ , and two input commports, say  $\alpha$  and  $\beta$ . This module has five comminstorders, viz.

$$
\begin{aligned}
&\langle \emptyset, \emptyset \rangle \\
&\langle \{\alpha_1\}, \emptyset \rangle \\
&\langle \{\beta_1\}, \emptyset \rangle \\
&\langle \{\alpha_1, \gamma_1\}, \{\alpha_1 \sqsubset \gamma_1\} \rangle \\
&\langle \{\beta_1, \gamma_1\}, \{\beta_1 \sqsubset \gamma_1\} \rangle
\end{aligned}
$$

end of example

#### example 2.18

We consider a mechanism that can receive two input signals independently of each other after which it sends an output signal. The module that models this mechanism has one output commport, say  $\gamma$ , and two input commports, say  $\alpha$  and  $\beta$ . This module has five comminstorders, viz.

$$
\begin{aligned}
&\langle \emptyset, \emptyset \rangle \\
&\langle \{\alpha_1\}, \emptyset \rangle \\
&\langle \{\beta_1\}, \emptyset \rangle \\
&\langle \{\alpha_1, \beta_1\}, \emptyset \rangle \\
&\langle \{\alpha_1, \beta_1, \gamma_1\}, \{\alpha_1 \sqsubset \gamma_1, \beta_1 \sqsubset \gamma_1\} \rangle
\end{aligned}
$$

end of example

#### remark 2.19

It is possible to infer the comminstorders of a module from the <u>causal orderings</u> of signals exchanged by a mechanism: i.e. no <u>temporal</u> ordering of signals has to be taken into account, cf. example 2.20.

end of remark

#### example 2.20 "Pure Delay" element

In the mechanism "Pure Delay" element every output is causally preceded by an input. Let  $\alpha$  denote the input commport and let  $\beta$  denote the output commport. For every pair (m, n) such that  $0 \le n \le m$ , we infer one comminstorder, say  $\phi$ , of the module that models this mechanism:  $\Lambda_{\phi}$  is  $\{i: 0 < i \le m: \alpha_i\} \cup \{j: 0 < j \le n: \beta_j\}$  and the transitive closure of  $\{k: 0 < k \le n: \alpha_k \sqsubset_{\phi} \beta_k\} \cup \{k: 0 < k < m: \alpha_k \sqsubset_{\phi} \alpha_{k+1}\} \cup \{k: 0 < k < n: \beta_k \sqsubset_{\phi} \beta_{k+1}\}$ defines  $\sqsubset_{\phi}$ .

end of example
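As an added example that is not part of the thesis, the following Python represents a comminstorder as a pair of frozensets, checks the requirements of subsection 2.0.2 together with postulate 2.6, implements the restriction of definition 2.7, checks postulate 2.12(ii) to (iv) for a module, and generates the comminstorders of the "Pure Delay" element of example 2.20 with the number of inputs bounded. The dictionary layout of a module, the commport names and the function names are choices made here; postulate 2.12(i) needs the $\mathbf{MATCH}$ relation and is not checked. The last function removes one behavior from the Pure Delay module to show that the closure of postulate 2.12(iv) is then detected as violated.

```python
# Added example, not code from the thesis: a commport is a string, comminst
# alpha_n is the pair (alpha, n), and a comminstorder <Λ, ⊏> is the pair
# (frozenset of comminsts, frozenset of (lam, mu) pairs meaning lam ⊏ mu).
# A module is a dict with keys "outputs", "inputs" and "behavior" (its CB).


def transitive_closure(pairs):
    rel = set(pairs)
    while True:
        new = {(a, d) for (a, b) in rel for (c, d) in rel if b == c} - rel
        if not new:
            return frozenset(rel)
        rel |= new


def is_initial(comminsts):
    """Definition 2.3: alpha_n present implies alpha_m present for 1 <= m < n."""
    return all((port, m) in comminsts for port, n in comminsts for m in range(1, n))


def is_comminstorder(order):
    """Subsection 2.0.2 and postulate 2.6: a finite initial set with a strict partial
    order (irreflexive, transitive) in which alpha_m ⊏ alpha_n whenever m < n."""
    comminsts, before = order
    return (is_initial(comminsts)
            and all(a in comminsts and b in comminsts and a != b for a, b in before)
            and transitive_closure(before) == before
            and all(((p, m), (p, n)) in before for p, n in comminsts for m in range(1, n)))


def restrict(order, subset):
    """Definition 2.7: phi ↑ Λ keeps the comminsts of phi in Λ and the orderings
    of phi between them."""
    comminsts, before = order
    kept = frozenset(comminsts & subset)
    return (kept, frozenset((a, b) for a, b in before if a in kept and b in kept))


def maximal(order):
    """The comminsts lam of the order for which no mu with lam ⊏ mu exists."""
    comminsts, before = order
    return {lam for lam in comminsts if not any(a == lam for a, _ in before)}


def is_module(module):
    """Postulate 2.12(ii) to (iv): every behavior is a comminstorder over the
    module's commports, the empty comminstorder is present, and removing a
    maximal comminst from a behavior yields another behavior. 2.12(i) needs
    the MATCH relation, which this example does not represent."""
    ports = module["outputs"] | module["inputs"]
    cb = module["behavior"]
    return ((frozenset(), frozenset()) in cb
            and all(is_comminstorder(phi) for phi in cb)
            and all(p in ports and n >= 1 for phi in cb for p, n in phi[0])
            and all(restrict(phi, phi[0] - {lam}) in cb for phi in cb for lam in maximal(phi)))


def pure_delay(inp, out, max_m):
    """Example 2.20 with the number of inputs bounded by max_m: one comminstorder
    for every (m, n) with 0 <= n <= m <= max_m, its order being the transitive
    closure of alpha_k ⊏ beta_k, alpha_k ⊏ alpha_(k+1) and beta_k ⊏ beta_(k+1)."""
    behavior = set()
    for m in range(max_m + 1):
        for n in range(m + 1):
            comminsts = {(inp, i) for i in range(1, m + 1)} | {(out, j) for j in range(1, n + 1)}
            generators = ({((inp, k), (out, k)) for k in range(1, n + 1)}
                          | {((inp, k), (inp, k + 1)) for k in range(1, m)}
                          | {((out, k), (out, k + 1)) for k in range(1, n)})
            behavior.add((frozenset(comminsts), transitive_closure(generators)))
    return {"outputs": {out}, "inputs": {inp}, "behavior": behavior}


def drop_behavior(module, comminsts):
    """A copy of module without the behavior on exactly `comminsts`; used to show
    that the closure of postulate 2.12(iv) is then violated."""
    behavior = {phi for phi in module["behavior"] if phi[0] != frozenset(comminsts)}
    return {**module, "behavior": behavior}


if __name__ == "__main__":
    delay = pure_delay("a", "b", 3)
    print(len(delay["behavior"]), is_module(delay))        # 10 True
    print(is_module(drop_behavior(delay, {("a", 1)})))      # False
```

With `max_m = 3` the module has ten comminstorders, one per pair $(m, n)$ with $0 \le n \le m \le 3$; the bound is needed only because the page's set is infinite. Removing the single behavior $\langle \{\alpha_1\}, \emptyset \rangle$ breaks postulate 2.12(iv), since $\alpha_2$ is maximal in $\langle \{\alpha_1, \alpha_2\}, \{\alpha_1 \sqsubset \alpha_2\} \rangle$ and its removal no longer yields a behavior of the module.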

#### 2.1.3.0 Connected modules

We postulate that modules can be connected in different ways: a direct connection and an indirect connection; furthermore, we consider the general case in which both connection ways are combined: a mixed connection.

Two modules have a *direct connection* if all their matching commports are directly connected, see figure 2.0.



figure 2.0 Direct connection of modules  $\Gamma$  and  $\Delta$  .

In figures of modules (and components) we indicate the commports of a module (component) by crosses at the boundary of this module (component).

Two modules have an *indirect connection* if all their matching commports are indirectly connected, see figure 2.1.



figure 2.1 Indirect connection of modules  $\Gamma$  and  $\Delta$  .

In the general case, in which some of the matching commports of two modules are directly connected and the others are indirectly connected, we say that the modules have a *mixed connection*, see figure 2.2.



figure 2.2 Mixed connection of modules  $\Gamma$  and  $\Delta$  .

We discuss directly connected modules in chapter 3; in chapters 4 and 5 we are concerned with indirectly connected modules; we discuss modules that have a mixed connection in chapter 6.

We say that modules have a *closed* connection if every output commport of every module in this connection matches an input commport of another module in this connection, i.e. there is no communication between the connected modules and some environment. Modules that have a connection that is not closed are said to have an *open* connection. We address modules that have a closed connection in chapters 3, 4, and 5. In chapter 6 we deal with modules that either have a closed or an open connection.

### 2.1.4 Commsigs

A signal travels from the terminal at which it has been sent to the terminal at which it is received. This is modeled by a *commsig*. We do not distinguish between two signals that have been sent from one terminal to one other terminal, while they travel between these terminals. As a consequence, "overtaking of <u>such</u> signals" is a meaningless notion in our model. Furthermore, we assume that every signal that is sent also is received. As a consequence, the first signal that is sent from a terminal, say terminal *I*, to another terminal, say terminal *II*, is the first signal that is received by terminal *II* from terminal *I*. This is modeled in definition 2.4: two commports are used to define a commsig, yet only <u>one</u> number is used. Since signals sent from one specific terminal to one other terminal do not overtake one another, we are often interested in *initial sets of commsigs* (see definition 2.5).

We consider a module, which models a mechanism. A commsig that models a signal that is sent by the mechanism is said to be *sent by the module*. A commsig that models a signal that is received by the mechanism is said to be *received by the module*; a commsig that models a signal that is accepted by the mechanism is said to be *accepted by the module*.

### 2.1.5 Commsigorders

An order, in which signals that travel between two mechanisms occur, is modeled by a *commsigorder*. When a mechanism has to receive a signal *I* before it sends signal *II*, we say that signal *I* precedes signal *II*. This causality relation is modeled by: a commsig occurs *before* another commsig in a commsigorder. Again, cf. subsection 2.1.2, the negation of "before" is "*after* or *independently*". For this reason, a commsigorder is a strict partial order on a set of commsigs, cf. subsection 2.0.2. And again, commsigs occur either one before the other or independently; we do not model that commsigs occur together.

We argued in subsection 2.1.4 that overtaking of signals that have been sent from one terminal to one other terminal is a meaningless notion in our Communication Model. This is why we are allowed to introduce postulate 2.8. The reason for introducing it is the same one as the reason for introducing postulate 2.6, cf. subsection 2.1.2. Analogously to subsection 2.1.2, we use postulate 2.8 and the transitivity of strict partial orders to motivate that, for commsigorder  $\phi$ ,  $\Lambda_{\phi}$  is an *initial* set of commsigs, cf. subsection 2.0.2. Furthermore, since we deal with finite behaviors in our Communication Model, we only consider commsigorders with a finite set of commsigs, cf. subsection 2.0.2.

### 2.1.6 Interconnections

We next consider two mechanisms such that the modules that model these mechanisms have a closed connection. The communication between such two mechanisms is modeled in our Communication Model by an *interconnection*. In such a closed connection every output commport of one module matches one input commport of the other module. For this reason, the input commports suffice to identify all commports of the two modules, the communication between which is modeled by the interconnection, cf. subsection 2.0.4. The amount of delay between the sending of a signal by a mechanism and the reception of this signal by another mechanism is nonnegative. Due to this asymmetric delay we distinguish two directions in an interconnection, which are opposite to each other.

#### remark 2.21

Unlike the types of comminsts with respect to modules, which have been classified as either input or output, there is no point in classifying commsigs of an interconnection based upon their direction: they merely are distinct.

end of remark

The sets of input commports of the two modules are disjoint, cf. postulate 2.14(i). An order in which signals that are exchanged by two mechanisms happen is modeled by a *commsigorder* of the interconnection. This is our motivation for postulate 2.14(ii). Initially, no signals have been exchanged. This is modeled by the empty commsigorder being a member of the set of commsigorders of the interconnection, cf. postulate 2.14(iii). A commsigorder models a possible exchange of signals between two mechanisms. If we omit from such an exchange a signal that has no successors, we are left with another possible exchange of signals between the two mechanisms. The latter exchange is also modeled by a commsigorder of the interconnection that models the exchange of signals between these two mechanisms, cf. postulate 2.14(iv).

#### remark 2.22

We do not discuss *observation* nor problems related to observing communication. Although it is possible to discuss some observation issues within our Communication Model, we will not do so in this monograph. As a consequence, our results do not depend upon notions of observation.

end of remark

#### 2.1.6.0 Interconnection between two modules

In this subsection we present a method to *construct the interconnection between two modules that have a closed connection*. This construction method depends on the way in which the commports of these modules are connected. We consider the interconnection, say  $\Pi$ , between two modules, say  $\Gamma$  and  $\Delta$ . In general,  $\Gamma$  and  $\Delta$  have a mixed connection.

First, we define an operator that reduces the amount of ordering in a comminstorder. We only keep orderings of the forms  $\alpha_i \sqsubset \beta_j$  and  $\gamma_m \sqsubset \gamma_n$ , in which commports  $\alpha$ ,  $\beta$ , and  $\gamma$  are such that  $\beta$  is an output commport and that  $\alpha$  is not an indirectly connected output commport. In the remainder of this subsection we denote by  $\Psi_{ic}$  the set of commports that are *connected indirectly* to their matching commport.

#### definition 2.23 REDOC

For comminstorder  $\phi$ , we define comminstorder REDOC  $\phi$ . The set  $\Lambda_{REDOC\phi}$  of comminsts is equal to the set  $\Lambda_{\phi}$  of comminsts. The set of orderings of REDOC  $\phi$  is:

 $\begin{aligned} \{\alpha, \beta, i, j : \alpha_i \sqsubset_{\phi} \beta_j \land \beta \in \Psi^o \land \alpha \notin (\Psi^o \cap \Psi_{ic}) : \alpha_i \sqsubset_{\text{REDOC}\phi} \beta_j \} \\ \cup \{\gamma, m, n : \gamma_m \sqsubset_{\phi} \gamma_n : \gamma_m \sqsubset_{\text{REDOC}\phi} \gamma_n \} \end{aligned}$ 

## end of definition

Notice that in the definition above  $\beta$  is an output commport and that  $\alpha$  is either an input commport or a directly connected output commport. Furthermore, from  $\gamma_m \sqsubset_{\phi} \gamma_n$  it follows that  $m < n$ .

We use the reduction operator **REDOC** to construct the commsigorders of  $\Pi$  out of the comminstorders of  $\Gamma$  and  $\Delta$ .

Let  $\phi_{\Gamma}$  be a comminstorder of  $\Gamma$ , and let  $\phi_{\Delta}$  be a comminstorder of  $\Delta$  such that for every output commport  $\alpha$  and input commport  $\beta$  such that  $\alpha MATCH\beta$ , if  $\beta_j$  is in the set of comminsts of one of these comminstorders then  $\alpha_j$  is in the set of comminsts of the other comminstorder. For every such pair we construct a commsigorder  $\xi_{\Pi}$  in the following way:

- We define  $\phi$  to be the comminstorder on the union of the sets of comminsts of  $\phi_{\Gamma}$  and  $\phi_{\Delta}$  such that the set of orderings of  $\phi$  is the union of the sets of orderings of **REDOC**  $\phi_{\Gamma}$  and **REDOC**  $\phi_{\Delta}$ .

- Now, we transform comminstorder  $\phi$  into commsigorder  $\xi_{\Pi}$  by renaming the comminsts in  $\phi$ . Let  $\alpha$  be an output commport of  $\Gamma$ ; let  $\beta$  be the input commport of  $\Delta$  such that  $\alpha MATCH\beta$ . We rename output comminst  $\alpha_i$  into commsig  $(\alpha, i, \beta)$ . Analogously, let  $\alpha$  be an input commport of  $\Gamma$ ; let  $\beta$  be the output commport of  $\Delta$  such that  $\beta MATCH\alpha$ . We rename input comminst  $\alpha_i$  into commsig  $(\beta, i, \alpha)$ .

In this way, we rename every comminst of  $\phi_{\Gamma}$  into a commsig of  $\xi_{\Pi}$ ; analogously, we rename every comminst of  $\phi_{\Delta}$  into a commsig of  $\xi_{\Pi}$ .

- Commsigorder  $\xi_{\Pi}$  is the result of this renaming in comminstorder  $\phi$ .

We now define interconnection  $\Pi$ . Its opdir OP  $\Pi$  is equal to  $\langle \Psi_{\Gamma}^{i}, \Psi_{\Delta}^{i} \rangle$ ; its communication CM  $\Pi$  is equal to the union of the set of all commsigorders  $\xi_{\Pi}$  that can be constructed in the way described above and the set of all commsigorders that are restrictions of such a  $\xi_{\Pi}$  to an initial set of commsigs. This construction method is demonstrated in example 2.24.

#### example 2.24

We consider modules  $\Delta_0$  and  $\Delta_1$ .  $\Delta_0$  has output commport  $\alpha$  and input commports  $\beta$  and  $\gamma$ .  $\Delta_1$  has output commports  $\zeta$  and  $\eta$  and input commport  $\delta$ . These commports match in the following way:  $\alpha MATCH\delta$ ,  $\zeta MATCH\beta$ , and  $\eta MATCH\gamma$ .  $\alpha$  and  $\delta$  are indirectly connected,  $\zeta$  and  $\beta$  are indirectly connected, but  $\eta$  and  $\gamma$  are directly connected. As a consequence,  $\Delta_0$  and  $\Delta_1$  have a closed mixed connection, see figure 2.3.



figure 2.3 Connected modules  $\Delta_0$  and  $\Delta_1$ .

Module  $\Delta_0$  sends two commsigs at commport  $\alpha$ ; independently, it may receive one commsig at commport  $\beta$  and one commsig at commport  $\gamma$ . Of course, comminst  $\alpha_1$  occurs before comminst  $\alpha_2$ ; this is the only order between comminsts of  $\Delta_0$ . As a consequence,  $\Delta_0$  has twelve comminstorders, say  $\phi_0$  through  $\phi_{11}$ :

$$\begin{split}
\phi_{0} &\stackrel{\text{def}}{=} \langle \emptyset, \emptyset \rangle \\
\phi_{1} &\stackrel{\text{def}}{=} \langle \{\beta_{1}\}, \emptyset \rangle \\
\phi_{2} &\stackrel{\text{def}}{=} \langle \{\gamma_{1}\}, \emptyset \rangle \\
\phi_{3} &\stackrel{\text{def}}{=} \langle \{\beta_{1}, \gamma_{1}\}, \emptyset \rangle \\
\phi_{4} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}\}, \emptyset \rangle \\
\phi_{5} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \beta_{1}\}, \emptyset \rangle \\
\phi_{6} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \gamma_{1}\}, \emptyset \rangle \\
\phi_{7} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \beta_{1}, \gamma_{1}\}, \emptyset \rangle \\
\phi_{8} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \alpha_{2}\}, \{\alpha_{1} \sqsubset_{\phi_{8}} \alpha_{2}\} \rangle \\
\phi_{9} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \alpha_{2}, \beta_{1}\}, \{\alpha_{1} \sqsubset_{\phi_{9}} \alpha_{2}\} \rangle \\
\phi_{10} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \alpha_{2}, \gamma_{1}\}, \{\alpha_{1} \sqsubset_{\phi_{10}} \alpha_{2}\} \rangle \\
\phi_{11} &\stackrel{\text{def}}{=} \langle \{\alpha_{1}, \alpha_{2}, \beta_{1}, \gamma_{1}\}, \{\alpha_{1} \sqsubset_{\phi_{11}} \alpha_{2}\} \rangle
\end{split}$$

Module  $\Delta_1$  may receive two commsigs at commport  $\delta$ ; thereafter it sends one commsig at commport  $\zeta$ , after which it sends one commsig at commport  $\eta$ . Comminst  $\delta_1$  occurs before comminst  $\delta_2$ ;  $\delta_2$  occurs before  $\zeta_1$ ;  $\zeta_1$  occurs before  $\eta_1$ . As a consequence,  $\Delta_1$  has five comminstorders, say  $\phi_{12}$ through  $\phi_{16}$ :

$$\begin{split}
\phi_{12} &\stackrel{\text{def}}{=} \langle \emptyset, \emptyset \rangle \\
\phi_{13} &\stackrel{\text{def}}{=} \langle \{\delta_1\}, \emptyset \rangle \\
\phi_{14} &\stackrel{\text{def}}{=} \langle \{\delta_1, \delta_2\}, \{\delta_1 \sqsubset_{\phi_{14}} \delta_2\} \rangle \\
\phi_{15} &\stackrel{\text{def}}{=} \langle \{\delta_1, \delta_2, \zeta_1\}, \{\delta_1 \sqsubset_{\phi_{15}} \delta_2, \delta_2 \sqsubset_{\phi_{15}} \zeta_1\} \rangle \\
\phi_{16} &\stackrel{\text{def}}{=} \langle \{\delta_1, \delta_2, \zeta_1, \eta_1\}, \{\delta_1 \sqsubset_{\phi_{16}} \delta_2, \delta_2 \sqsubset_{\phi_{16}} \zeta_1, \zeta_1 \sqsubset_{\phi_{16}} \eta_1\} \rangle
\end{split}$$

There are twelve pairs of comminstorders that can be used to construct a commsigorder:  $(\phi_0, \phi_{12})$ ,  $(\phi_4, \phi_{12})$ ,  $(\phi_4, \phi_{13})$ ,  $(\phi_8, \phi_{12})$ ,  $(\phi_8, \phi_{13})$ ,  $(\phi_8, \phi_{14})$ ,  $(\phi_8, \phi_{15})$ ,  $(\phi_8, \phi_{16})$ ,  $(\phi_9, \phi_{15})$ ,  $(\phi_9, \phi_{16})$ ,  $(\phi_{10}, \phi_{16})$ , and  $(\phi_{11}, \phi_{16})$ . There is no partner for comminstorders  $\phi_1$ ,  $\phi_2$ ,  $\phi_3$ ,  $\phi_5$ ,  $\phi_6$ , and  $\phi_7$ , since  $\Delta_1$  will not send any commsig until it has received two commsigs. From definition 2.23, we infer that **REDOC**  $\phi_j = \phi_j$  for  $0 \le j \le 15$ ; furthermore, we infer that:

$$\mathbf{REDOC} \phi_{16} = \langle \{\delta_1, \delta_2, \zeta_1, \eta_1\}, \{\delta_1 \sqsubset_{\phi_{16}} \delta_2, \delta_2 \sqsubset_{\phi_{16}} \zeta_1, \delta_2 \sqsubset_{\phi_{16}} \eta_1\} \rangle$$

After the combining of the comminstorders and the renaming of the comminsts into commsigs, we are left with five commsigorders, say  $\xi_0$  through  $\xi_4$ :

$$\begin{split}
\xi_{0} &= \langle \emptyset, \emptyset \rangle \\
\xi_{1} &= \langle \{(\alpha, 1, \delta)\}, \emptyset \rangle \\
\xi_{2} &= \langle \{(\alpha, 1, \delta), (\alpha, 2, \delta)\}, \{(\alpha, 1, \delta) \sqsubset_{\xi_{2}} (\alpha, 2, \delta)\} \rangle \\
\xi_{3} &= \langle \{(\alpha, 1, \delta), (\alpha, 2, \delta), (\zeta, 1, \beta)\}, \\
&\quad \{(\alpha, 1, \delta) \sqsubset_{\xi_{3}} (\alpha, 2, \delta), (\alpha, 2, \delta) \sqsubset_{\xi_{3}} (\zeta, 1, \beta)\} \rangle \\
\xi_{4} &= \langle \{(\alpha, 1, \delta), (\alpha, 2, \delta), (\zeta, 1, \beta), (\eta, 1, \gamma)\}, \\
&\quad \{(\alpha, 1, \delta) \sqsubset_{\xi_{4}} (\alpha, 2, \delta), (\alpha, 2, \delta) \sqsubset_{\xi_{4}} (\zeta, 1, \beta), (\alpha, 2, \delta) \sqsubset_{\xi_{4}} (\eta, 1, \gamma)\} \rangle
\end{split}$$

The pair of comminstorders  $(\phi_0, \phi_{12})$  yields commsigorder  $\xi_0$ ; the pairs  $(\phi_4, \phi_{12})$  and  $(\phi_4, \phi_{13})$  both yield  $\xi_1$ ; the pairs  $(\phi_8, \phi_{12})$ ,  $(\phi_8, \phi_{13})$ , and  $(\phi_8, \phi_{14})$  all three yield  $\xi_2$ ; the pairs  $(\phi_8, \phi_{15})$  and  $(\phi_9, \phi_{15})$  both yield  $\xi_3$ ; the pairs  $(\phi_8, \phi_{16})$ ,  $(\phi_9, \phi_{16})$ ,  $(\phi_{10}, \phi_{16})$ , and  $(\phi_{11}, \phi_{16})$  all four yield  $\xi_4$ . When we restrict these five commsigorders to all possible initial sets of commsigs, we find one additional commsigorder  $\xi_5$ , viz. the restriction of  $\xi_4$  to the initial set  $\{(\alpha, 1, \delta), (\alpha, 2, \delta), (\eta, 1, \gamma)\}$ :

$$\begin{split}
\xi_{5} &= \langle \{(\alpha, 1, \delta), (\alpha, 2, \delta), (\eta, 1, \gamma)\}, \\
&\quad \{(\alpha, 1, \delta) \sqsubset_{\xi_{5}} (\alpha, 2, \delta), (\alpha, 2, \delta) \sqsubset_{\xi_{5}} (\eta, 1, \gamma)\} \rangle
\end{split}$$

We now have constructed interconnection  $\Pi_0$  between modules  $\Delta_0$  and  $\Delta_1$  that are connected in the way described above: opdir OP  $\Pi_0$  is equal to  $\langle \{\beta, \gamma\}, \{\delta\} \rangle$  and communication CM  $\Pi_0$  is equal to  $\{\xi_0, \xi_1, \xi_2, \xi_3, \xi_4, \xi_5\}$ .

#### end of example
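The construction method of this subsection, carried out on the modules of example 2.24, as an added worked example in Python; it is not code from the thesis. The encoding is ours: a comminst is a pair (commport, index), a commsig a triple (sender, index, receiver), and the orderings of a comminstorder or commsigorder are stored transitively closed, so that the strict partial order is explicit and two orders compare equal exactly when they are equal. The names `redoc`, `admissible`, `interconnection` and the records `DELTA0`, `DELTA1`, `MATCH`, `INDIRECT` are ours as well. Running it reproduces the twelve admissible pairs, the reduction of  $\phi_{16}$ , and the six commsigorders of  $\mathrm{CM}\,\Pi_0$ .

```python
"""Interconnection construction of subsection 2.1.6.0 on example 2.24.
Added worked example, not code from the thesis.  Encoding (ours): comminst
= (commport, index); commsig = (sender, index, receiver); comminstorder or
commsigorder = (frozenset of elements, frozenset of (x, y) pairs with
x ⊏ y), orderings kept transitively closed."""
from itertools import combinations, product


def closure(pairs):
    """Transitive closure of a set of (x, y) pairs meaning x ⊏ y."""
    rel = set(pairs)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return frozenset(rel)


def order(elements, pairs=()):
    """Comminstorder or commsigorder from a generating set of orderings."""
    return (frozenset(elements), closure(pairs))


def redoc(phi, outputs, indirect):
    """REDOC phi (definition 2.23): keep alpha_i ⊏ beta_j only if beta is an
    output commport and alpha is not an indirectly connected output commport;
    orderings between comminsts of one commport are always kept."""
    elements, pairs = phi
    banned = outputs & indirect
    kept = {(x, y) for (x, y) in pairs
            if x[0] == y[0] or (y[0] in outputs and x[0] not in banned)}
    return (elements, frozenset(kept))


def admissible(phi_g, phi_d, inputs_g, inputs_d, sender):
    """Two comminstorders combine only if every received comminst beta_j in
    one has its sent partner alpha_j (alpha MATCH beta) in the other; a sent
    comminst need not have been received yet."""
    for here, there, inputs in ((phi_g[0], phi_d[0], inputs_g),
                                (phi_d[0], phi_g[0], inputs_d)):
        if any(p in inputs and (sender[p], j) not in there for p, j in here):
            return False
    return True


def initial_restrictions(xi):
    """Restrictions of xi to all initial (predecessor-closed) sets of commsigs."""
    sigs, pairs = xi
    result = set()
    for r in range(len(sigs) + 1):
        for chosen in combinations(sorted(sigs), r):
            sub = frozenset(chosen)
            if all(x in sub for (x, y) in pairs if y in sub):
                result.add((sub, frozenset((x, y) for (x, y) in pairs
                                           if x in sub and y in sub)))
    return result


def admissible_pairs(gamma, delta, match):
    """Index pairs (i, j) of admissible comminstorder pairs."""
    sender = {beta: alpha for alpha, beta in match.items()}
    return [(i, j) for i, pg in enumerate(gamma['orders'])
            for j, pd in enumerate(delta['orders'])
            if admissible(pg, pd, gamma['inputs'], delta['inputs'], sender)]


def interconnection(gamma, delta, match, indirect):
    """(OP Pi, CM Pi) for modules gamma and delta; `match` maps each output
    commport to its matching input commport, `indirect` is Psi_ic."""
    sender = {beta: alpha for alpha, beta in match.items()}

    def rename(inst):  # comminst -> commsig (alpha, i, beta), alpha MATCH beta
        port, i = inst
        return (port, i, match[port]) if port in match else (sender[port], i, port)

    cm = set()
    for i, j in admissible_pairs(gamma, delta, match):
        rg = redoc(gamma['orders'][i], gamma['outputs'], indirect)
        rd = redoc(delta['orders'][j], delta['outputs'], indirect)
        xi = order({rename(x) for x in rg[0] | rd[0]},
                   [(rename(x), rename(y)) for (x, y) in rg[1] | rd[1]])
        cm |= initial_restrictions(xi)
    return (frozenset(gamma['inputs']), frozenset(delta['inputs'])), frozenset(cm)


# Modules Delta_0 and Delta_1 of example 2.24; orders listed as phi_0..phi_11
# and phi_12..phi_16.  Commport names are strings (our encoding).
A, B, G, D, Z, H = 'alpha', 'beta', 'gamma', 'delta', 'zeta', 'eta'
a1, a2, b1, g1 = (A, 1), (A, 2), (B, 1), (G, 1)
d1, d2, z1, h1 = (D, 1), (D, 2), (Z, 1), (H, 1)
DELTA0 = {'outputs': {A}, 'inputs': {B, G}, 'orders': [
    order([]), order([b1]), order([g1]), order([b1, g1]),
    order([a1]), order([a1, b1]), order([a1, g1]), order([a1, b1, g1]),
    order([a1, a2], [(a1, a2)]), order([a1, a2, b1], [(a1, a2)]),
    order([a1, a2, g1], [(a1, a2)]), order([a1, a2, b1, g1], [(a1, a2)])]}
DELTA1 = {'outputs': {Z, H}, 'inputs': {D}, 'orders': [
    order([]), order([d1]), order([d1, d2], [(d1, d2)]),
    order([d1, d2, z1], [(d1, d2), (d2, z1)]),
    order([d1, d2, z1, h1], [(d1, d2), (d2, z1), (z1, h1)])]}
MATCH = {A: D, Z: B, H: G}    # alpha MATCH delta, zeta MATCH beta, eta MATCH gamma
INDIRECT = {A, D, Z, B}       # eta and gamma are directly connected


def example_2_24():
    """OP Pi_0 and CM Pi_0 of example 2.24."""
    return interconnection(DELTA0, DELTA1, MATCH, INDIRECT)


if __name__ == '__main__':
    op, cm = example_2_24()
    print('OP Pi_0 =', tuple(sorted(s) for s in op))
    for sigs, pairs in sorted(cm, key=lambda o: (len(o[0]), sorted(o[0]))):
        print(sorted(sigs), sorted(pairs))
```

Because the thesis writes a comminstorder by a generating set of orderings while treating it as a strict partial order, the code closes every generating set transitively before applying **REDOC**; this is what makes **REDOC**  $\phi_{16}$  retain  $\delta_2 \sqsubset \eta_1$  after the dropped  $\zeta_1 \sqsubset \eta_1$ , as in the text.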

When constructing the interconnection between two modules as described in this subsection, we are not concerned with the correctness concerns "absence of computation interference hazard" and "absence of transmission interference hazard". We deal with these when we address composition, see chapter 6.

# 2.1.7 Overview of interpretative issues

In table 2.4 we present the relation between our Communication Model and the underlying physics.

| Communication Model                | the physical model                                                               |
|------------------------------------|----------------------------------------------------------------------------------|
| module                             | mechanism                                                                        |
| one or more commports              | terminal                                                                         |
| directly connected commports       | coinciding terminals                                                             |
| indirectly connected commports     | terminals connected by a wire                                                    |
| comminst                           | individual instance of signal at terminal                                        |
| modules have a direct connection   | mechanisms exchange signals via coinciding terminals                             |
| modules have an indirect connection| mechanisms exchange signals via wires                                            |
| comminstorder of module            | order in which a mechanism may exchange signals                                  |
| interconnection                    | all coinciding terminals of two mechanisms and all wires between these mechanisms |
| commsig                            | individual instance of signal that propagates between two terminals              |
| commsigorder of interconnection    | order in which signals may happen that are exchanged by two mechanisms           |

table 2.4 Modeling communication: relation between Communication Model and underlying physics.

Of course, to our Communication Model one can relate another physical model or some particular notion of 'physical reality' that one considers as the underlying physics; as a consequence, the entries in the right column will vary in accordance with the particular physical model or notion of physical reality that one wants to relate to our Communication Model.

# 2.1.8 Notational convention

When we need variables in our Communication Model we use Greek letters that are not in the Latin alphabet. We do not use  $\varepsilon$  or  $\Omega$ , since we use them for other purposes in trace theory, see subsection 1.4.0; we do not use  $\omega$ , since it has been used in the extension of trace theory with infinite traces.

Lower case letters near the beginning of the Greek alphabet are used to denote commports. Lower case letters near the middle of the Greek alphabet are used to denote comminsts and commsigs. Lower case letters near the end of the Greek alphabet are used to denote comminstorders and commsigorders. Capital Greek letters are used to denote modules, components, interconnections, channels, and sets of commports, comminsts, commsigs, comminstorders, or commsigorders. We will use  $\Gamma$  or  $\Delta$  to denote a module or a component,  $\Pi$  to denote an interconnection, and  $\Theta$  to denote a channel. We use  $\Psi$  to denote a set of commports,  $\Lambda$  to denote a set of commsigs,  $\Phi$  to denote an iodir or a set of comminstorders, and  $\Xi$  to denote an opdir or a set of commsigorders.

When we refer to specific objects, e.g. in examples, we use indexes. We use natural numbers as indexes to refer to specific objects locally, i.e. within one chapter of this monograph. When we want to refer to a specific object throughout the chapters of this monograph we use letters (or short words) as indexes.

As stated in subsection 1.4.4, boldface lower case operators are used in trace theory; boldface upper case operators are used in our Communication Model.

# 2.2 Introduction of trace theory in our Communication Model

In subsection 2.2.0 we associate notions in trace theory with commports, comminsts, and comminstorders; we associate notions in trace theory with commsigs and commsigorders in subsection 2.2.1. In subsection 2.2.2 we introduce the notions opdir and iodir in our Communication Model and we associate notions in trace theory with them. We abstract components from modules in subsection 2.2.3. In subsection 2.2.4 we abstract channels from interconnections. In subsection 2.2.5 we address the difference between our usage of the trace theory formalism and the earlier usage of directed trace structures to model delay-insensitive communication.

# 2.2.0 Commports, comminsts, and comminstorders

With commports and comminsts we associate *symbols*. With a commport  $\alpha$  and each of its comminsts  $\alpha_i$  the same symbol is associated. We associate the same symbol with either of two matching commports. With two commports that do not match, we associate distinct symbols.

With a comminstorder (strict partial order) we associate a *trace set*, viz. the set that consists of every full order (trace) that is consistent with the strict partial order (comminstorder). With every comminst in a comminstorder we associate a distinct symbol in every trace of the trace set that is associated with this comminstorder, see example 2.25.

## example 2.25

Symbols *a* and *b* are associated with commports  $\alpha$  and  $\beta$ , respectively. In trace *aba* we associate the leftmost occurrence of *a* with  $\alpha_1$ , *b* with  $\beta_1$ , and the rightmost occurrence of *a* with  $\alpha_2$ . With the comminstorder  $\phi$ , in which

- comminst  $\alpha_1$  occurs before comminsts  $\alpha_2$  and  $\beta_1$ , and
- $\beta_1$  occurs before  $\alpha_2$ ,

viz.  $\phi = \langle \{\alpha_1, \alpha_2, \beta_1\}, \{\alpha_1 \sqsubset_{\phi} \beta_1, \beta_1 \sqsubset_{\phi} \alpha_2\} \rangle$ , we associate trace set  $\{aba\}$ .

## end of example

A trace is a totally ordered object (full order). Let symbols *a* and *b* be associated with commports  $\alpha$  and  $\beta$ , respectively. The occurrence of comminst  $\alpha_i$  before comminst  $\beta_j$  in a comminstorder is modeled by

in every trace of the trace set that is associated with this comminstorder, the *i*-th occurrence of a is to the left of the *j*-th occurrence of b.

To model that comminsts  $\alpha_i$  and  $\beta_j$  occur independently, we include in the trace set both: traces in which the *i*-th occurrence of *a* is to the left of the *j*-th occurrence of *b* and traces in which the *j*-th occurrence of *b* is to the left of the *i*-th occurrence of *a*.

## example 2.26

Symbols *a* and *b* are associated with commports  $\alpha$  and  $\beta$ , respectively. Trace set  $\{ab\}$  is associated with the comminstorder  $\phi$  in which comminst  $\alpha_1$  occurs before comminst  $\beta_1$ :  $\phi = \langle \{\alpha_1, \beta_1\}, \{\alpha_1 \sqsubset_{\phi} \beta_1\} \rangle$ .

#### end of example

All traces in the trace set that is associated with a comminstorder have the same bag of symbols; as a consequence, they all have the same length. If and only if two comminsts are ordered in a comminstorder, the symbols, that are associated with these two comminsts, occur in this same order in every trace of the trace set. On the other hand, if two comminsts are not ordered in a comminstorder, then there are traces (in the trace set that is associated with this comminstorder) in which the symbols, that are associated with these two comminsts, occur in one order, and there are traces (in this trace set) in which these symbols occur in the other order, see example 2.27.

## example 2.27

Symbols *a*, *b*, and *c* are associated with commports  $\alpha$ ,  $\beta$ , and  $\gamma$ , respectively. With the comminstorder  $\phi$ , in which

- comminst  $\alpha_l$  occurs before comminst  $\beta_l$ , and
- comminst  $\gamma_l$  occurs independently of  $\alpha_l$  and  $\beta_l$ ,

viz.  $\phi = \langle \{\alpha_1, \beta_1, \gamma_1\}, \{\alpha_1 \sqsubset_{\phi} \beta_1\} \rangle$ , we associate trace set  $\{abc, acb, cab\}$ .

## end of example

# 2.2.1 Commsigs and commsigorders

With commsigs we associate symbols. We consider output commport  $\alpha$  and input commport  $\beta$  such that  $\alpha MATCH\beta$ . Let symbol a be associated with  $\alpha$  and  $\beta$ , cf. subsection 2.2.0. We associate symbol a with every commsig  $(\alpha, n, \beta)$ , for  $n \ge 1$ .

Analogously to comminstorders, we associate with a commsigorder a *trace set*, viz. the set that consists of every full order (trace) that is consistent with the strict partial order (commsigorder). With every commsig in a commsigorder we associate a distinct symbol in every trace of the trace set that is associated with this commsigorder.

Again, all traces in the trace set that is associated with a commsigorder have the same bag of symbols; as a consequence, they all have the same length. If and only if two commsigs are ordered in a commsigorder, the symbols, that are associated with these two commsigs, occur in this same order in every trace of the trace set. On the other hand, if two commsigs are not ordered in a commsigorder, then there are traces (in the trace set that is associated with this commsigorder) in which the symbols, that are associated with these two commsigs, occur in one order, and there are traces (in this trace set) in which these symbols occur in the other order.

# 2.2.2 Opdirs and iodirs

An opdir consists of two disjoint sets of commports. In trace theory we associate an *alphbip* with an opdir. With opdir  $\Xi$ , alphbip  $ab\Xi$  is associated. The union of the sets of symbols that are associated with the two sets of commports of  $\Xi$  is called the *alphabet of*  $\Xi$ , which is denoted by  $a\Xi$ . Of course,  $a\Xi = a(ab\Xi)$ .

An *iodir* consists of a set of input commports and a set of output commports. In trace theory we associate an *iobip* with an iodir. With iodir  $\Phi$ , the iobip io $\Phi$  is associated. The set of symbols that are associated with the input commports of  $\Phi$  is denoted by  $i\Phi$ , the *input alphabet*; the set of symbols that are associated with the output commports of  $\Phi$  is denoted by  $o\Phi$ , the *output alphabet*.

## property 2.28

For iodir  $\Phi$ ,

- $a\Phi = o\Phi \cup i\Phi$
- $i(io\Phi) = i\Phi$
- $o(io\Phi) = o\Phi$

## end of property

From definition 2.11, reflection of iodir, we infer property 2.29.

## property 2.29

For iodir  $\Phi$ ,

- $a\overline{\Phi} = a\Phi$
- $o\overline{\Phi} = i\Phi$
- $i\overline{\Phi} = o\Phi$

## end of property

# 2.2.3 Components

In subsection 2.0.3 we have introduced modules. The communication behavior of a module is a set of comminstorders. In subsection 2.2.0 we have associated a trace set with every comminstorder. As a consequence, a set of trace sets is associated with the set of comminstorders of a module. We define components as an abstraction from modules:

## definition 2.30 equivalence class of modules

We call two modules equivalent if and only if they have

- (i) the same iodir,
- (ii) the same union of the trace sets that are associated with the comminstorders in the communication behavior of the module.

The equivalence classes are called components.

## end of definition

Since the abstraction is confined to the communication behavior of modules, we feel free to discuss *commports*, *comminsts*, *sending*, *reception*, *and acceptance of commsigs*, and *open*, *closed*, *direct*, *indirect*, *and mixed connections* with respect to components as we do with respect to modules. Formally, a component  $\Gamma$  is a pair  $\langle io\Gamma, ptr\Gamma \rangle$ . Iobip  $io\Gamma$  is called the *iobip of*  $\Gamma$ , and trace structure  $ptr\Gamma$  is called the *communication behavior of*  $\Gamma$ .

## definition 2.31 component

We consider component  $\Gamma$ . Let  $\Delta$  be a module in the equivalence class component  $\Gamma$ . Now  $\Gamma$  is defined by

- (i) io  $\Gamma \stackrel{\text{def}}{=} io(IO \Delta)$
- (ii)  $\mathbf{a}(\mathbf{ptr}\,\Gamma) \stackrel{\text{def}}{=} \mathbf{a}(\mathbf{IO}\,\Delta)$
- (iii)  $t(ptr\Gamma)$  is defined as the union of all trace sets that are associated with the comminstorders of  $\Delta$ .

## end of definition

The definition of  $t(ptr\Gamma)$  in definition 2.31(iii) is independent of the particular choice of the module in the equivalence class  $\Gamma$ , cf. definition 2.30(ii). Since for component  $\Gamma$ ,  $a(ptr\Gamma)=a(io\Gamma)$ , we could have defined a component as an iobip – "trace set" pair instead of as an iobip – "trace structure" pair. We have chosen not to do so, because on the one hand we like to separate the iobip from the communication behavior, and on the other hand trace sets are not well suited for modeling composition due to the absence of associativity, cf. [Rem 85, Rem - van de Snepscheut – Udding 83].

In remark 3.16 we argue that we may lose some information when abstracting from module to component. In example 2.32 we present two distinct modules that are in one equivalence class. In the examples in this subsection 2.2.3 we use  $\Delta$  to denote a module and  $\Gamma$  to denote a component.

#### example 2.32

A module  $\Delta_2$  has two output commports  $\alpha$  and  $\beta$  and no input commports. Only one comminst of each commport can occur. They occur independently of each other.

$$\begin{aligned} \Psi^{o}_{\Delta_{2}} &= \{\alpha, \beta\} \\ \Psi^{i}_{\Delta_{2}} &= \emptyset \\ \mathbf{CB} \ \Delta_{2} &= \{\langle \emptyset, \emptyset \rangle, \langle \{\alpha_{1}\}, \emptyset \rangle, \langle \{\beta_{1}\}, \emptyset \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \emptyset \rangle \} \end{aligned}$$

Let module  $\Delta_2$  be a member of the equivalence class component  $\Gamma_2$ . Let symbols *a* and *b* be associated with commports  $\alpha$  and  $\beta$ , respectively:

$$\begin{aligned} o(io\Gamma_2) &= \{a, b\} \\ i(io\Gamma_2) &= \emptyset \\ ptr\Gamma_2 &= \langle \{a, b\}, \{\varepsilon, a, b, ab, ba\} \rangle \end{aligned}$$

We consider module  $\Delta_3$ . Module  $\Delta_3$  has two output commports  $\alpha$  and  $\beta$  and no input commports. Only one comminst of each commport can occur. Either  $\alpha_1$  occurs before  $\beta_1$  or  $\beta_1$  occurs before  $\alpha_1$ .

$$\begin{split} \Psi_{\Delta_{3}}^{o} &= \{\alpha, \beta\} \\ \Psi_{\Delta_{3}}^{i} &= \emptyset \\ \mathbf{CB} \ \Delta_{3} &= \{\langle \emptyset, \emptyset \rangle, \langle \{\alpha_{1}\}, \emptyset \rangle, \langle \{\beta_{1}\}, \emptyset \rangle, \\ &\quad \langle \{\alpha_{1}, \beta_{1}\}, \{\alpha_{1} \sqsubset \beta_{1}\} \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \{\beta_{1} \sqsubset \alpha_{1}\} \rangle \} \end{split}$$

Module  $\Delta_3$  also is a member of the equivalence class  $\Gamma_2$ .

#### end of example
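The association of a trace set with a comminstorder (subsection 2.2.0, examples 2.25 and 2.27) and the equivalence of modules of definition 2.30 (example 2.32), as an added worked example in Python; it is not code from the thesis. The trace set is enumerated as the set of all linear extensions of the strict partial order, with each comminst written as the symbol of its commport, and two modules are compared on their iodir and on the union of their trace sets. The names `linear_extensions`, `component_trace_set`, `equivalent_modules` and the records `DELTA2`, `DELTA3`, `SYMBOL` are ours; the empty string stands for  $\varepsilon$ .

```python
"""Trace sets of comminstorders (subsection 2.2.0) and the module-to-
component abstraction (definitions 2.30 and 2.31).  Added worked example,
not code from the thesis.  A comminstorder is (set of comminsts, set of
(x, y) pairs with x ⊏ y); a comminst is a (commport, index) pair; the
symbol of each commport is given by an explicit map (our encoding)."""


def linear_extensions(insts, pairs, symbol):
    """Trace set associated with a comminstorder: every full order (trace)
    consistent with the strict partial order, as a string of symbols."""
    insts = frozenset(insts)
    preds = {x: {p for (p, q) in pairs if q == x} for x in insts}

    def extend(done, remaining):
        if not remaining:
            yield ''
            return
        for x in sorted(remaining):      # only minimal elements may come next
            if preds[x] <= done:
                for rest in extend(done | {x}, remaining - {x}):
                    yield symbol[x[0]] + rest

    return frozenset(extend(frozenset(), insts))


def component_trace_set(comminstorders, symbol):
    """Definition 2.31(iii): union of the trace sets of all comminstorders."""
    traces = set()
    for insts, pairs in comminstorders:
        traces |= linear_extensions(insts, pairs, symbol)
    return frozenset(traces)


def equivalent_modules(mod_x, mod_y, symbol):
    """Definition 2.30: same iodir and the same union of trace sets."""
    same_iodir = (mod_x['inputs'] == mod_y['inputs']
                  and mod_x['outputs'] == mod_y['outputs'])
    return same_iodir and (component_trace_set(mod_x['orders'], symbol)
                           == component_trace_set(mod_y['orders'], symbol))


SYMBOL = {'alpha': 'a', 'beta': 'b', 'gamma': 'c'}
a1, a2, b1, c1 = ('alpha', 1), ('alpha', 2), ('beta', 1), ('gamma', 1)

# example 2.25: alpha_1 before beta_1, beta_1 before alpha_2
PHI_2_25 = ({a1, a2, b1}, {(a1, b1), (b1, a2)})
# example 2.27: alpha_1 before beta_1, gamma_1 independent of both
PHI_2_27 = ({a1, b1, c1}, {(a1, b1)})

# modules Delta_2 and Delta_3 of example 2.32
DELTA2 = {'outputs': {'alpha', 'beta'}, 'inputs': set(), 'orders': [
    (set(), set()), ({a1}, set()), ({b1}, set()), ({a1, b1}, set())]}
DELTA3 = {'outputs': {'alpha', 'beta'}, 'inputs': set(), 'orders': [
    (set(), set()), ({a1}, set()), ({b1}, set()),
    ({a1, b1}, {(a1, b1)}), ({a1, b1}, {(b1, a1)})]}


if __name__ == '__main__':
    print(sorted(linear_extensions(*PHI_2_25, SYMBOL)))
    print(sorted(linear_extensions(*PHI_2_27, SYMBOL)))
    print(sorted(component_trace_set(DELTA2['orders'], SYMBOL)))
    print(equivalent_modules(DELTA2, DELTA3, SYMBOL))
```

The two modules of example 2.32 differ as sets of comminstorders (one leaves  $\alpha_1$  and  $\beta_1$  unordered, the other orders them either way) but yield the same union of trace sets, which is exactly the information the abstraction to components keeps.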

The alphabet of component  $\Gamma$  is the set of symbols that are associated with the commports of  $\Gamma$ ; it is denoted by  $\mathbf{a}\Gamma$ . The set of symbols that are associated with the output commports of component  $\Gamma$  is called the *output alphabet* of  $\Gamma$ , which is denoted by  $\mathbf{o}\Gamma$ . The set of symbols that are associated with the input commports of component  $\Gamma$  is called the *input alphabet* of  $\Gamma$ , which is denoted by  $\mathbf{i}\Gamma$ . We also associate an alphbip with  $\Gamma$ , which is denoted by  $\mathbf{ab}\Gamma$ . Even a symbol that is associated with a commport of a component at which no commsig will be received or sent, is an element of the alphabet of this component: the alphabet of a component is not restricted to symbols that occur in some trace in the trace structure of the component.

#### property 2.33

For component  $\Gamma$ ,

- (i)  $\mathbf{a}\Gamma = \mathbf{a}(\mathbf{ptr}\Gamma)$
- (ii)  $\mathbf{a}\Gamma = \mathbf{o}\Gamma \cup \mathbf{i}\Gamma$
- (iii)  $o\Gamma = o(io\Gamma)$
- (iv)  $i\Gamma = i(io\Gamma)$
- (v)  $ab\Gamma = o\Gamma \oplus i\Gamma$

## end of property

Notice that  $\oplus$  is a symmetric operator, see property 1.31.

Using postulate 2.12 we infer property 2.34.

## property 2.34

For component  $\Gamma$ ,

- (i)  $\varepsilon \in t(ptr \Gamma)$
- (ii) ptr  $\Gamma$  is prefix-closed

## end of property

Of course, the input alphabet and the output alphabet of a component are not interchangeable, cf. example 2.35.

#### example 2.35

We consider components  $\Gamma_4$  and  $\Gamma_5$ . Their output alphabets, input alphabets, and trace structures are defined by:

$$\begin{aligned}
\mathbf{o}\Gamma_4 &\stackrel{\text{def}}{=} \{a\} & \mathbf{i}\Gamma_4 &\stackrel{\text{def}}{=} \{b\} \\
\mathbf{o}\Gamma_5 &\stackrel{\text{def}}{=} \{b\} & \mathbf{i}\Gamma_5 &\stackrel{\text{def}}{=} \{a\} \\
\mathbf{t}(\mathbf{ptr}\Gamma_4) &\stackrel{\text{def}}{=} \{\varepsilon, a, ab\} \\
\mathbf{t}(\mathbf{ptr}\Gamma_5) &\stackrel{\text{def}}{=} \mathbf{t}(\mathbf{ptr}\Gamma_4)
\end{aligned}$$

Components  $\Gamma_4$  and  $\Gamma_5$  differ:  $\Gamma_4$  may initially send a commsig (comminst to which *a* is associated), after which it has to be able to accept a commsig (comminst to which *b* is associated); initially,  $\Gamma_5$  has to be able to accept a commsig (comminst to which *a* is associated), after which it may send a commsig (comminst to which *b* is associated).

## end of example

We extend definition 2.11, reflection of iodir, to components. The reflection of a component is a component.

#### definition 2.36 reflection of component

For component  $\Gamma$ , component  $\overline{\Gamma}$  is the reflection of  $\Gamma$ ; it is defined by

$$\begin{aligned}
\mathbf{o}\,\overline{\Gamma} &\stackrel{\text{def}}{=} \mathbf{i}\,\Gamma \\
\mathbf{i}\,\overline{\Gamma} &\stackrel{\text{def}}{=} \mathbf{o}\,\Gamma \\
\mathbf{ptr}\,\overline{\Gamma} &\stackrel{\text{def}}{=} \mathbf{ptr}\,\Gamma
\end{aligned}$$

#### end of definition

In subsection 1.4.2 we have introduced state graphs to denote trace sets and trace structures. We also use a *state graph* to denote a component, say  $\Gamma$ ; we shall only do this if every symbol of  $a\Gamma$  occurs in at least one trace of  $t(ptr\Gamma)$ . If  $t(ptr\Gamma)$  has a regular state graph, then in the diagram of this state graph we shall postfix the symbols of  $i\Gamma$  with a question mark (?), and we shall postfix the symbols of  $o\Gamma$  with an exclamation mark (!); in figure 2.5 we show such a diagram, see example 2.37.

#### example 2.37

We consider the module that we presented in example 2.18. In this example we call it  $\Delta_6$ . Module  $\Delta_6$  has one output commport  $\gamma$  and two input commports  $\alpha$  and  $\beta$ . Only one comminst of each commport can occur. Comminsts  $\alpha_1$  and  $\beta_1$  occur independently of each other; comminst  $\gamma_1$  occurs after both  $\alpha_1$  and  $\beta_1$  have occurred.

$$\begin{aligned} \Psi^{o}_{\Delta_{6}} &= \{\gamma\} \\ \Psi^{i}_{\Delta_{6}} &= \{\alpha, \beta\} \\ \mathbf{CB} \ \Delta_{6} &= \{\langle \emptyset, \emptyset \rangle, \langle \{\alpha_{1}\}, \emptyset \rangle, \langle \{\beta_{1}\}, \emptyset \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \emptyset \rangle, \\ &\quad \langle \{\alpha_{1}, \beta_{1}, \gamma_{1}\}, \{\alpha_{1} \sqsubset \gamma_{1}, \beta_{1} \sqsubset \gamma_{1}\} \rangle \} \end{aligned}$$

Let module  $\Delta_6$  be a member of the equivalence class component  $\Gamma_6$ . Let symbols *a*, *b*, and *c* be associated with commports  $\alpha$ ,  $\beta$ , and  $\gamma$ , respectively:

$$\begin{aligned} o\Gamma_{6} &= \{c\} \\ i\Gamma_{6} &= \{a, b\} \\ ptr\Gamma_{6} &= \langle \{a, b, c\}, \{\varepsilon, a, b, ab, ba, abc, bac\} \rangle \end{aligned}$$

The state graph of  $\Gamma_6$  is shown in figure 2.5.



figure 2.5 State graph of component  $\Gamma_6$ .

end of example

#### example 2.38

A module  $\Delta_7$  has one output commport  $\alpha$  and one input commport  $\beta$ . Output comminst  $\alpha_1$  occurs before input comminst  $\beta_1$ ; output comminst  $\alpha_2$  occurs after input comminst  $\beta_1$ .

$$\begin{aligned}
\Psi_{\Delta_{7}}^{o} &= \{\alpha\} \\
\Psi_{\Delta_{7}}^{i} &= \{\beta\} \\
\mathbf{CB} \ \Delta_{7} &= \{\langle \emptyset, \emptyset \rangle, \langle \{\alpha_{1}\}, \emptyset \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \{\alpha_{1} \sqsubset \beta_{1}\} \rangle, \\
&\quad \langle \{\alpha_{1}, \beta_{1}, \alpha_{2}\}, \{\alpha_{1} \sqsubset \beta_{1}, \beta_{1} \sqsubset \alpha_{2}\} \rangle \}
\end{aligned}$$

Let module  $\Delta_7$  be a member of the equivalence class component  $\Gamma_7$ . Let symbols *a* and *b* be associated with commports  $\alpha$  and  $\beta$ , respectively:

$$\begin{aligned} \mathbf{o}\Gamma_7 &= \{a\} \\ \mathbf{i}\Gamma_7 &= \{b\} \\ \mathbf{ptr}\Gamma_7 &= \langle \{a, b\}, \{\varepsilon, a, ab, aba\} \rangle \end{aligned}$$

We notice that the two comminsts  $\alpha_1$  and  $\alpha_2$  are explicitly distinguished from each other by their indexes. In the traces of trace set  $\mathbf{t}(\mathbf{ptr}\Gamma_7)$ , however, this explicit distinction is not present.

## end of example

# 2.2.3.0 Enabling and disabling

We consider a component  $\Gamma$ .  $\Gamma$  has two commports:  $\alpha$  and  $\beta$ . With these commports we associate symbols *a* and *b*, respectively. We say that comminst  $\alpha_i$  enables comminst  $\beta_j$  in  $\Gamma$  (for  $i \ge 1$  and  $j \ge 1$ ) if and only if  $(\mathbf{E}t: t \in \Omega^* \land (\#_a t = i - 1) \land (\#_b t = j - 1): tb \notin t(\mathbf{ptr} \Gamma) \land tab \in t(\mathbf{ptr} \Gamma))$ . We give an example of the enable relation in example 2.39.

Analogously, we say that comminst  $\alpha_i$  disables comminst  $\beta_j$  in  $\Gamma$  if and only if  $(\mathbf{E} t: t \in \Omega^* \land (\#_a t = i-1) \land (\#_b t = j-1): tb \in t(\mathbf{ptr} \Gamma) \land tab \notin t(\mathbf{ptr} \Gamma))$ . We notice that every comminst disables itself. In example 2.39 we also give an example of the disable relation.

#### example 2.39

We consider component  $\Gamma_8$ .  $\Gamma_8$  has one input commport  $\alpha$  and two output commports  $\beta$  and  $\gamma$ . With commports  $\alpha$ ,  $\beta$ , and  $\gamma$  we associate symbols a, b, and c, respectively, see figure 2.6.



figure 2.6 State graph of component  $\Gamma_8$ .

In component  $\Gamma_8$  comminst  $\alpha_1$  enables comminst  $\beta_1$ , since  $b \notin t(\operatorname{ptr} \Gamma_8)$  and  $ab \in t(\operatorname{ptr} \Gamma_8)$ . Analogously,  $\alpha_1$  enables  $\gamma_1$  in  $\Gamma_8$ . In general, comminst  $\alpha_k$  enables comminsts  $\beta_j$  and  $\gamma_j$  in component  $\Gamma_8$  and  $\beta_j$  and  $\gamma_j$  both enable  $\alpha_{k+1}$  in  $\Gamma_8$  (for  $1 \le j \le k$ ).

In component  $\Gamma_8$  comminst  $\beta_1$  disables comminst  $\gamma_1$ , since  $ac \in \mathbf{t}(\mathbf{ptr}\,\Gamma_8)$  and  $abc \notin \mathbf{t}(\mathbf{ptr}\,\Gamma_8)$ . Analogously,  $\gamma_1$  disables  $\beta_1$  in  $\Gamma_8$ . In general, comminst  $\beta_j$  disables comminst  $\gamma_k$  in component  $\Gamma_8$  and  $\gamma_k$  disables  $\beta_j$  in  $\Gamma_8$  (for  $j \ge 1$  and  $k \ge 1$ ); furthermore, every comminst disables itself in  $\Gamma_8$ .

#### end of example

We could have defined more sophisticated "enabling" and "disabling" relations, e.g. on triples of two comminsts and a comminstorder. Since we do not need such sophisticated relations, we have chosen not to define them in this monograph.

#### remark 2.40

Notice that the "enabling" and "disabling" relations do not exclude each other: it is possible that comminst  $\alpha_i$  enables and disables comminst  $\beta_j$  in  $\Gamma$  (for  $i \ge 1$  and  $j \ge 1$ ), see example 2.41.

#### end of remark

#### example 2.41

We consider component  $\Gamma_9$ .  $\Gamma_9$  has no input commports and three output commports  $\alpha$ ,  $\beta$ , and  $\gamma$ . With commports  $\alpha$ ,  $\beta$ , and  $\gamma$  we associate symbols *a*, *b*, and *c*, respectively, see figure 2.7.



figure 2.7 State graph of component  $\Gamma_9$ .

In component  $\Gamma_{9}$  comminst  $\alpha_{1}$  enables comminst  $\beta_{1}$ , since  $b \notin t(\text{ptr} \Gamma_{9})$ and  $ab \in t(\text{ptr} \Gamma_{9})$ . Furthermore,  $\alpha_{1}$  disables  $\beta_{1}$ , since  $cb \in t(\text{ptr} \Gamma_{9})$  and  $cab \notin t(\text{ptr} \Gamma_{9})$ .

end of example
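The enable and disable relations of this subsection, checked mechanically over finite trace sets; this is an added example and not code from the thesis. It uses  $\mathbf{t}(\mathbf{ptr}\,\Gamma_7) = \{\varepsilon, a, ab, aba\}$  from the earlier example, and for  $\Gamma_9$  a constructed finite fragment that only reproduces the four membership facts stated in example 2.41 (the state graph itself is not reproduced). Quantifying  $t$  over the trace set instead of over  $\Omega^*$  is sound because trace sets are prefix-closed.

```python
"""Enable and disable relations between comminsts (subsection 2.2.3.0).

Added example, not from the thesis.  A trace set is a finite, prefix-closed
set of strings; comminst alpha_i is the i-th occurrence of symbol a, so the
traces t with #_a t = i-1 and #_b t = j-1 are exactly those after which
alpha_i and beta_j are the next a and the next b to occur.
"""


def prefix_closed(traces):
    """Sanity check: the empty trace is present and every prefix of a trace is a trace."""
    return "" in traces and all(t[:-1] in traces for t in traces if t)


def enables(traces, a, i, b, j):
    """alpha_i enables beta_j: for some t with i-1 a's and j-1 b's, b cannot
    occur after t, but can occur once a has occurred.  Restricting t to the
    trace set is sound: if t is not a trace, prefix-closure implies that tab
    is not a trace either, so the condition fails for that t anyway."""
    return any(
        t.count(a) == i - 1 and t.count(b) == j - 1
        and (t + b) not in traces and (t + a + b) in traces
        for t in traces
    )


def disables(traces, a, i, b, j):
    """alpha_i disables beta_j: for some t with i-1 a's and j-1 b's, b can
    occur after t but no longer once a has occurred."""
    return any(
        t.count(a) == i - 1 and t.count(b) == j - 1
        and (t + b) in traces and (t + a + b) not in traces
        for t in traces
    )


def related_pairs(relation, traces, alphabet, max_index):
    """All pairs (x_i, y_j), with indices up to max_index, such that x_i relation y_j."""
    return {
        (f"{x}_{i}", f"{y}_{j}")
        for x in alphabet for y in alphabet
        for i in range(1, max_index + 1) for j in range(1, max_index + 1)
        if relation(traces, x, i, y, j)
    }


# t(ptr Gamma_7) = {epsilon, a, ab, aba}, exactly as given in the thesis
GAMMA_7 = {"", "a", "ab", "aba"}

# Constructed finite fragment for Gamma_9 (example 2.41): it satisfies the four
# facts the example states (b and cab are not traces, ab and cb are) and nothing more.
GAMMA_9 = {"", "a", "ab", "c", "cb"}

if __name__ == "__main__":
    assert prefix_closed(GAMMA_7) and prefix_closed(GAMMA_9)
    print("Gamma_7 enables :", sorted(related_pairs(enables, GAMMA_7, "ab", 2)))
    print("Gamma_7 disables:", sorted(related_pairs(disables, GAMMA_7, "ab", 2)))
    # remark 2.40: enabling and disabling do not exclude each other
    print("alpha_1 enables  beta_1 in Gamma_9:", enables(GAMMA_9, "a", 1, "b", 1))
    print("alpha_1 disables beta_1 in Gamma_9:", disables(GAMMA_9, "a", 1, "b", 1))
```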

## 2.2.4 Channels

In this subsection we define channels as an abstraction from interconnections. This abstraction is analogous to the abstraction from modules to components in subsection 2.2.3.

#### definition 2.42 equivalence class of interconnections

We call two interconnections equivalent if and only if they have

- (i) the same opdir,
- (ii) the same union of the trace sets that are associated with the commsigorders in the communication of the interconnection.

The equivalence classes are called channels.

#### end of definition

Since the abstraction is confined to the communication of interconnections, we feel free to discuss *commports* and *commsigs* with respect to channels as we do with respect to interconnections. Formally, a channel  $\Theta$  is a pair  $\langle ab\Theta, ptr\Theta \rangle$ . Alphbip  $ab\Theta$  is called the *alphbip of*  $\Theta$ , and trace structure  $ptr\Theta$  is called the *communication of*  $\Theta$ .

#### definition 2.43 channel

We consider channel  $\Theta$ . Let  $\Pi$  be an interconnection in the equivalence class channel  $\Theta$ .

- (i)  $ab(ptr \Theta) \stackrel{def}{=} ab(OP \Pi)$
- (ii)  $\mathbf{a}(\mathbf{ptr}\,\Theta) \stackrel{\text{def}}{=} \mathbf{a}(\mathbf{OP}\,\Pi)$
- (iii)  $t(ptr \Theta)$  is defined as the union of all trace sets that are associated with the commsigorders of  $\Pi$ .

## end of definition

The definition of  $\mathbf{t}(\mathbf{ptr}\,\Theta)$  in definition 2.43(iii) is independent of the particular choice of the interconnection  $\Pi$  in the equivalence class  $\Theta$ , cf. definition 2.42(ii).

The *alphabet of channel*  $\Theta$  is the set of symbols that are associated with the commports of channel  $\Theta$ ; it is denoted by  $a\Theta$ . Of course,  $a\Theta = a(ptr \Theta)$ . Like the alphabet of a component, the alphabet of a channel is not restricted to symbols that occur in some trace in the trace structure of the channel.

## property 2.44

For channel  $\Theta$  and sets of symbols A and B such that  $ab\Theta = A \oplus B$ ,

 $\mathbf{a}\Theta = A \cup B$ 

end of property

From postulate 2.14 we infer property 2.45.

## property 2.45

For channel  $\Theta$ ,

(i)  $\varepsilon \in t(ptr \Theta)$ 

(ii)  $ptr \Theta$  is prefix-closed

## end of property

#### property 2.46 alphbip of channel between two components

For channel  $\Theta$  between components  $\Gamma$  and  $\Delta$ ,

 $ab\Theta = (o\Gamma \cap i\Delta) \oplus (o\Delta \cap i\Gamma).$ 

end of property


## 2.2.5 Comparison with the use of directed trace structures

Until now <u>directed</u> trace structures have been used to model delay-insensitive communication, cf. [van de Snepscheut 85, Udding 84, Schols 85, Verhoeff 85, Black 86, Ebergen 87, Schols 88, Dill 88]. In directed trace structures the alphabet is partitioned into disjoint, possibly empty sets, for example the "input alphabet" and the "output alphabet".

In this monograph we use (undirected) trace structures to model either the communication in an interconnection or the communication behavior of a module.

We consider directions to be issues that are related to the use of an interconnection or to the use of the commports by a module. Hence, directions are interpretative issues. For this reason we use (undirected) trace structures to model the communication of an interconnection (channel) and the communication behavior of a module (component).

The use of (undirected) trace structures in this monograph leads to formally different definitions of properties such as delay-safety, delay-insensitivity, computation interference hazard, and transmission interference hazard. These now appear as properties of channels and/or components, see chapters 4 and 5. The redefinitions given here have equivalent consequences as the definitions given earlier, see [Udding 84, Schols 85, Verhoeff 85, Ebergen 87].

## 2.3 Examples of components

In this section we give some examples of components. These components will be used in the following chapters.

#### example 2.47 "Wire" element

We consider a mechanism that is a "Wire" element. It has one input and one output. Initially the input is low, the output is low, and there are no signals on their way. When the input is high the output may go high; when the input is low the output may go low. No input change is allowed whenever an output change is pending. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_w$ , see figure 2.8.



figure 2.8 State graph of component  $\Gamma_w$ .

Symbol *a* is associated with the input commport of  $\Gamma_w$ ; symbol *b* is associated with the output commport.

We consider the same mechanism with a different initial condition: initially the input is high, the output is low, and there is one signal on its way. We call the mechanism with this initial condition a "Wire with Initial Transition" element. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_{wit}$ , see figure 2.9.



figure 2.9 State graph of component  $\Gamma_{wit}$ .

Symbol *a* is associated with the input commport of  $\Gamma_{wit}$ ; symbol *b* is associated with the output commport.

#### end of example


#### example 2.48 "Muller-C" element

We consider a mechanism that is a "Muller-C" element. The "Muller-C" element is also called a "Rendez Vous" element. It has two inputs and one output. Initially both inputs are low and the output is low. When both inputs are high the output may go high; when both inputs are low the output may go low. No input whose value differs from that of the output (low versus high) is allowed to change. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_c$ , see figure 2.10.



figure 2.10 State graph of component  $\Gamma_c$ .

Symbols *a* and *b* are associated with the input commports of  $\Gamma_c$ ; symbol *c* is associated with the output commport.

#### end of example


#### example 2.49 "Fork" elements

We consider a mechanism that is a "Fork" element. It has one input and two outputs. Initially the input is low, both outputs are low, and there are no signals on their way. When the input is high the outputs may go high; when the input is low the outputs may go low. No input change is allowed whenever an output change is pending. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_f$ , see figure 2.11.



figure 2.11 State graph of component  $\Gamma_{f}$ .

Symbol *a* is associated with the input commport of  $\Gamma_f$ ; symbols *b* and *c* are associated with the output commports.

We consider a mechanism that is an "Asymmetric Fork" element, see the scheme in figure 2.12.



figure 2.12 Scheme of an Asymmetric Fork element.

The delay element has a delay that is large enough to guarantee that, after a signal has happened at the input terminal (I), a signal happens at the lower left output terminal (II) before a signal happens at the upper right output terminal (III). This mechanism is modeled by component  $\Gamma_{af}$ . Component  $\Gamma_{af}$  has input commport  $\alpha$  and output commports  $\beta$  and  $\gamma$ , see figure 2.13.




figure 2.13 Component  $\Gamma_{af}$ .

Output commport  $\gamma$  models the output terminal 'after the delay element'; output commport  $\beta$  models the other output terminal. We associate symbol *a* with input commport  $\alpha$  of  $\Gamma_{af}$ ; symbols *b* and *c* are associated with the output commports  $\beta$  and  $\gamma$  of  $\Gamma_{af}$ , respectively.



figure 2.14 State graph of component  $\Gamma_{af}$ .

The state graph of component  $\Gamma_{af}$  is shown in figure 2.14.

#### end of example

In example 2.50 we illustrate that a given mechanism might be associated with different behavioral abstractions. In our Communication Model this leads to –possibly different– components that model these different behavioral abstractions of a mechanism.

#### example 2.50 wires with bundling constraint

We consider a communication mechanism for which the delay from input to output is less for the data wires than for the control wire. There is one control wire and there are a number of data wires. The control wire is a so-called "data-valid wire". No input change on a wire is allowed whenever an output change on this wire is pending. Initially all inputs are low, all outputs are low, and there are no signals on their way. When a signal at the input of a data wire is received (by the communication mechanism) before a signal at the input of the control wire is received, this communication mechanism behaves such as to produce a signal at the output of the particular data wire before it produces a signal at the output of the control wire. In figure 2.15 we present a scheme of such a mechanism with one data wire.



figure 2.15 Scheme of a mechanism that has a bundling constraint.


The most general use of such a mechanism with one data wire is modeled by component  $\Gamma_{bc}$ . The terminals of the control wire are modeled by input commport  $\alpha$  and output commport  $\beta$  of  $\Gamma_{bc}$ ; the terminals of the data wire are modeled by input commport  $\gamma$  and output commport  $\delta$  of  $\Gamma_{bc}$ , see figure 2.16.



figure 2.16 Component  $\Gamma_{bc}$ .

We associate symbols *a* and *c* with input commports  $\alpha$  and  $\gamma$ , respectively; we associate symbols *b* and *d* with output commports  $\beta$  and  $\delta$ , respectively. The state graph of component  $\Gamma_{bc}$  is presented in figure 2.17.



figure 2.17 State graph of component  $\Gamma_{bc}$ .

A signal at the input of the control wire of this mechanism may be received before a signal at the input of a data wire is received, i.e. the control and data wires can be used as normal wires. Still this communication mechanism differs from two normal wires due to the existing bundling constraint, cf. component  $\Gamma_{2w}$ , see figure 2.18.



figure 2.18 State graph of component  $\Gamma_{2w}$ .

Component  $\Gamma_{bc}$  does not model the typical use of this mechanism. This use is modeled by component  $\Gamma_{ubc}$ , see figure 2.19.



figure 2.19 State graph of component  $\Gamma_{tubc}$ .

The typical use modeled by  $\Gamma_{tubc}$  is a restriction of the general use as modeled by  $\Gamma_{bc}$ ; formally,  $\mathbf{ptr}\,\Gamma_{tubc} \subseteq \mathbf{ptr}\,\Gamma_{bc}$ .

#### end of example

#### example 2.51 "Or" and "And" elements

We consider a mechanism that is an "Or" element. It has two inputs and one output. Initially both inputs are low, the output is low, and there are no signals on their way. When at least one of the inputs is high the output may go high; when both inputs are low the output may go low. There are no restrictions on input changes. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_{or}$ , see figure 2.20.



figure 2.20 State graph of component  $\Gamma_{or}$  .


Symbols a and b are associated with the input commports of  $\Gamma_{or}$ ; symbol c is associated with the output commport.

Since our Communication Model is event-based, the only difference between component  $\Gamma_{or}$  and  $\Gamma_{and}$ , which models the "And" element, is the initial state, see figure 2.21.



figure 2.21 State graph of component  $\Gamma_{and}$ .

end of example

#### example 2.52 "Majority" element

We consider a mechanism that is a "Majority" element. It has three inputs and one output. Initially all inputs are low and there are no signals on their way. When at least two of the inputs are high the output may go high; when at least two of the inputs are low the output may go low. There are no restrictions on input changes. The transitions between low and high (and vice versa) are modeled as the comminsts of component  $\Gamma_{maj}$ , see figure 2.22.



figure 2.22 State graph of component  $\Gamma_{maj}$ .

Symbols *a*, *b*, and *c* are associated with the input commports of  $\Gamma_{maj}$ ; symbol *d* is associated with the output commport.

The diagram of the state graph in figure 2.22 is not minimal. Nevertheless, we have chosen to show this diagram, for the sake of clarity.

#### end of example

## 2.4 Event-based model

We have chosen to make our Communication Model an *event-based* model. In an event-based model the changes of inputs and outputs are modeled. In a state-based model the states of the inputs and outputs, e.g. low or high, are modeled. We prefer an event-based model to a state-based model, see also [Rem91], because we want to model delay-safe and delay-insensitive communication: there are no clocks in our model and there is no sampling of 'states of terminals (or wires)'. Notice that trace theory also is an event-based model, see [Rem - van de Snepscheut - Udding 83].

States and state graphs are derived notions in our Communication Model. A state is an equivalence class of traces; our states do, in general, not correspond to the 'states of wires', cf. example 2.53.

#### example 2.53

Component  $\Gamma_{10}$  is given by the state graph in figure 2.23.



figure 2.23 State graph of component  $\Gamma_{10}$ .

We see that symbol *a* is associated with the output commport of  $\Gamma_{10}$  and symbol *b* is associated with the input commport of  $\Gamma_{10}$ . Let us assume that  $\Gamma_{10}$  models a mechanism of which the terminals are connected to wires; and let us assume that initially these wires are low (i.e. they have a voltage that corresponds to the logical 0), and that transitions change the wires from low to high and vice versa. We see that in the state graph of  $\Gamma_{10}$  in our Communication Model the state that contains trace  $\varepsilon$  differs from the state that contains trace *abab*; the 'state of both wires' in the physical model, however, is equal to low in both cases. This is why in a "four-phase handshake protocol" extra variables are needed, cf. [Martin 85b].

On the other hand we consider component  $\Gamma_w$ , see example 2.47. The initial state in the state graph of  $\Gamma_w$  contains trace *ab*. However, in the mechanism the 'state of the terminals' is initially low, whereas after the comminsts with which *a* and *b* are associated have occurred, the 'state of the terminals' is high.

#### end of example

Notice that we do not assume that the mechanisms, which implement the components in the physical model, are designed event-driven: we have only chosen to model the communication in our Communication Model event-based. For a detailed treatment of the event-driven (transition-signaling) concept we refer to [Seitz80]. For an example of the transition-signaling conceptual framework we refer to the micropipelines in [Sutherland89].

# 3

## **Computation interference hazard**

In this chapter we define the correctness concern *absence of computation interference hazard*. Furthermore, we present a technique to 'transform' other correctness concerns into absence of computation interference hazard. An example of such an other correctness concern is "absence of transmission interference hazard". Josephs and Udding have chosen an opposite approach: they 'transform' absence of computation interference hazard into absence of transmission interference hazard, see [Josephs-Udding90].

In this chapter we study the communication between two components that have a closed direct connection. At some places we refer to one component only; then the environment of this component implicitly plays the role of the other component. In section 3.0 we explain why we often refer to "computation interference hazard" when we discuss the phenomenon "computation interference". Computation interference hazard can arise when we compose components. In order to compose components, we have to connect them in a proper way. This is discussed in section 3.1. In section 3.2 we define computation interference hazard formally. In the next chapters we will transform some phenomenon hazards into computation interference hazard. The general transformation technique is presented in section 3.3.

## 3.0 Hazards

In our Communication Model we shall refer to some (undesired) phenomena, viz. "computation interference", "transmission interference", and "ambiguous quiescence", using the word *hazard* in order to indicate that it is <u>possible</u> for such a phenomenon to occur. The "phenomenon hazard" is a weaker notion than a guaranteed occurrence of the phenomenon. As a consequence, given some phenomenon, "absence of phenomenon hazard" is a stronger notion than "absence of (any guaranteed occurrence of) this phenomenon": when we have proven "absence of phenomenon hazard", we may conclude that the phenomenon is not present. The name hazard originates from switching theory, cf. [Unger69], where it has the same connotation that we attach to it now.

There exists "computation interference" if a mechanism receives a signal that it doesn't accept, cf. subsection 2.1.3. We say that there exists "computation interference <u>hazard</u>" if we cannot guarantee that a mechanism only receives signals that it does accept.

#### example 3.0 computation interference hazard

We consider components  $\Gamma_0$  and  $\Delta_0$ .  $\Gamma_0$  and  $\Delta_0$  have a direct connection.  $\Gamma_0$  has one output commport ( $\alpha$ ) and one input commport ( $\beta$ );  $\Delta_0$  has one output commport ( $\delta$ ) and one input commport ( $\gamma$ ). Commport  $\alpha$  matches commport  $\gamma$  and commport  $\delta$  matches commport  $\beta$ , see figure 3.0.



figure 3.0 Directly connected components  $\Gamma_0$  and  $\Delta_0$  .

We associate symbol *a* with commports  $\alpha$  and  $\gamma$ ; we associate symbol *b* with commports  $\beta$  and  $\delta$ . Components  $\Gamma_0$  and  $\Delta_0$  are defined by:

$$\mathbf{o} \Gamma_0 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{i} \Gamma_0 \stackrel{\text{def}}{=} \{b\} \qquad \mathbf{t} (\mathbf{ptr} \Gamma_0) \stackrel{\text{def}}{=} \{\varepsilon, a, ab\}$$
$$\mathbf{o} \Delta_0 \stackrel{\text{def}}{=} \{b\} \qquad \mathbf{i} \Delta_0 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{t} (\mathbf{ptr} \Delta_0) \stackrel{\text{def}}{=} \{\varepsilon, a, b, ab, ba\}$$

Initially,  $\Delta_0$  may send  $\delta_1$ . In this case  $\Gamma_0$  receives  $\beta_1$  before it has sent  $\alpha_1$ . This is not allowed according to ptr  $\Gamma_0$ :  $\Gamma_0$  does not accept  $\beta_1$  before it has sent  $\alpha_1$ . Thus there is an occurrence of "computation interference". If  $\Delta_0$  sends  $\delta_1$  after it has received  $\gamma_1$ ,  $\Gamma_0$  receives  $\beta_1$  after it has sent  $\alpha_1$ . In this case, there is no occurrence of computation interference.

Since  $\Delta_0$  may send  $\delta_1$  before it has received  $\gamma_1$ , it is possible that  $\beta_1$  is received by  $\Gamma_0$  before  $\Gamma_0$  has sent  $\alpha_1$ . Thus we cannot guarantee that there is no occurrence of computation interference. We say that there exists "computation interference hazard".

#### end of example

There exists "transmission interference" if two signals exchanged by two mechanisms interfere. We say that there exists "transmission interference <u>hazard</u>" if we cannot guarantee that two signals exchanged by two mechanisms do not interfere.

#### example 3.1 transmission interference hazard

We consider indirectly connected components  $\Gamma_1$  and  $\Delta_1$ .  $\Gamma_1$  has one output commport ( $\alpha$ );  $\Delta_1$  has one input commport ( $\beta$ ). Commport  $\alpha$  matches commport  $\beta$ , see figure 3.1.



figure 3.1 Indirectly connected components  $\Gamma_1$  and  $\Delta_1$ .

We associate symbol *a* with both commports. The components  $\Gamma_1$  and  $\Delta_1$  are defined by:

$$\mathbf{o}\Gamma_1 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{i}\Gamma_1 \stackrel{\text{def}}{=} \emptyset \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_1) \stackrel{\text{def}}{=} \{\varepsilon, a, aa\}$$
$$\mathbf{o}\Delta_1 \stackrel{\text{def}}{=} \emptyset \qquad \mathbf{i}\Delta_1 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{t}(\mathbf{ptr}\,\Delta_1) \stackrel{\text{def}}{=} \{\varepsilon, a, aa\}$$

The mechanisms modeled by these components agree about the communication between them: the mechanism modeled by  $\Gamma_1$  sends two signals, which are accepted by the mechanism modeled by  $\Delta_1$ . If the two signals interfere, there is an occurrence of "transmission interference". Since  $\Gamma_1$  may send  $\alpha_2$  before  $\Delta_1$  has received  $\beta_1$ , it is possible that the two signals interfere. We say that there exists "transmission interference hazard".

end of example

## 3.1 Connected components

We associate the same symbol with either of two matching commports. The connection of the components must be such that no input commports are connected to each other and no output commports are connected to each other. This restriction is captured in the definition of "i/o-connectable".

#### definition 3.2 i/o-connectable

Components  $\Gamma$  and  $\Delta$  are i/o-connectable if and only if

 $\mathbf{a}\Gamma \cap \mathbf{a}\Delta = (\mathbf{o}\Gamma \cap \mathbf{i}\Delta) \cup (\mathbf{i}\Gamma \cap \mathbf{o}\Delta)$ 

end of definition

From definition 3.2, "i/o-connectable", we infer that i/o-connectable is a symmetric relation. The following property shows a different characterization of i/o-connectable.

#### property 3.3

Components  $\Gamma$  and  $\Delta$  are i/o-connectable if and only if

 $(i\Gamma \cap i\Delta = \emptyset) \land (o\Gamma \cap o\Delta = \emptyset)$ 

end of property

We notice that definition 3.2, "i/o-connectable", doesn't require that  $\Gamma$  and  $\Delta$  have a closed connection. Nevertheless, in this chapter we are concerned with closed connections only. In chapter 6 we consider open connections.

## 3.2 Absence of computation interference hazard

In subsection 3.2.0 we present the definitions of "absence of computation interference hazard" for two components that have a closed direct connection. In subsection 3.2.1 we relate the acceptance of commsigs by a component to (absence of) computation interference.

#### remark 3.4

Absence of computation interference hazard is the correctness concern that has a central part in this monograph. Whatever we do, we always see to it that there is absence of computation interference hazard. This means that, whatever we do, we always establish that no commsig might be received by any component that is not able to accept this commsig.

#### end of remark

## 3.2.0 Direct connection

In this subsection we will define absence of computation interference hazard for two i/o-connectable components that have a closed direct connection. We first define absence of computation interference hazard *at one component* for two i/o-connectable components that have a closed direct connection. For all definitions of absence of computation interference hazard in this chapter we need two components. In chapter 6 we refer to absence of computation interference hazard in connections of more than two components.

#### definition 3.5 NCIHA

For i/o-connectable components  $\Gamma$  and  $\Delta$ , we define predicate  $\Gamma$  NCIHA  $\Delta$  by:

$$\Gamma\ \mathit{NCIHA}\ \Delta \stackrel{\text{def}}{=} (\mathbf{A}\, t, u, a : ta \in \mathbf{t}(\mathbf{ptr}\,\Gamma) \land u \in \mathbf{t}(\mathbf{ptr}\,\Delta) \land a \in (\mathbf{o}\Gamma \cap \mathbf{i}\Delta) \land (t \upharpoonright (\mathbf{a}\Gamma \cap \mathbf{a}\Delta) = u \upharpoonright (\mathbf{a}\Gamma \cap \mathbf{a}\Delta)) : ua \in \mathbf{t}(\mathbf{ptr}\,\Delta))$$

#### end of definition

The predicate  $\Gamma\ \mathit{NCIHA}\ \Delta$  is the formalization of *there is absence of computation interference hazard <u>at  $\Delta$ </u>* for components  $\Gamma$  and  $\Delta$  that have a direct connection. If  $\Gamma\ \mathit{NCIHA}\ \Delta$ , then  $\Delta$  accepts every commsig that it may receive from  $\Gamma$ . To illustrate definition 3.5, "NCIHA", we present some examples.

#### example 3.6

We consider components  $\Gamma_2$  and  $\Gamma_{wit}$ ; they are defined by:

$$\mathbf{o}\Gamma_2 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{i}\Gamma_2 \stackrel{\text{def}}{=} \{b\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_2) \stackrel{\text{def}}{=} \mathbf{pref}(\{ab\}^*)$$
$$\mathbf{o}\Gamma_{wit} = \{b\} \qquad \mathbf{i}\Gamma_{wit} = \{a\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_{wit}) = \mathbf{pref}(\{ba\}^*)$$

Both components model a "Wire with Initial Transition" element, cf. example 2.47. Since  $a \in t(\operatorname{ptr} \Gamma_2)$ ,  $\varepsilon \in t(\operatorname{ptr} \Gamma_{wit})$ , and  $a \in (o \Gamma_2 \cap i \Gamma_{wit})$ , but  $a \notin t(\operatorname{ptr} \Gamma_{wit})$ , we conclude from definition 3.5, "*NCIHA*", that  $\neg (\Gamma_2 NCIHA \Gamma_{wit})$ : there is computation interference hazard at  $\Gamma_{wit}$  for components  $\Gamma_2$  and  $\Gamma_{wit}$  that have a direct connection.

By symmetry we conclude also that  $\neg(\Gamma_{wit}\ \mathit{NCIHA}\ \Gamma_2)$ .

#### end of example

#### example 3.7

We consider components  $\Gamma_{wit}$ , cf. example 2.47, and  $\Gamma_3$ ; they are given by:

$$\mathbf{o}\Gamma_{wit} = \{b\} \qquad \mathbf{i}\Gamma_{wit} = \{a\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_{wit}) = \mathbf{pref}(\{ba\}^*)$$
$$\mathbf{o}\Gamma_3 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{i}\Gamma_3 \stackrel{\text{def}}{=} \{b\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_3) \stackrel{\text{def}}{=} \mathbf{pref}(\{ab, ba\}^*)$$

We notice that  $\Gamma_{wit}\ \mathit{NCIHA}\ \Gamma_3$ , but  $\neg(\Gamma_3\ \mathit{NCIHA}\ \Gamma_{wit})$ , cf. example 3.6.

#### end of example

Using definition 3.5, "*NCIHA*", we define absence of computation interference hazard for two components that have a direct connection.

#### definition 3.8 NCIH

For i/o-connectable components  $\Gamma$  and  $\Delta$ , we define predicate  $\Gamma$ *NCIH* $\Delta$  by:

 $\Gamma NCIH \Delta \stackrel{\text{def}}{=} (\Gamma NCIHA \Delta) \wedge (\Delta NCIHA \Gamma)$ 

#### end of definition

The predicate  $\Gamma\ \mathit{NCIH}\ \Delta$  is the formalization of *there is absence of computation interference hazard* for components  $\Gamma$  and  $\Delta$  that have a direct connection. The symmetry of *NCIH* follows from definition 3.8, "*NCIH*".

#### property 3.9 symmetry of NCIH

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

 $\Gamma NCIH \Delta = \Delta NCIH \Gamma$ 

end of property

To illustrate definition 3.8, "NCIH", we present some examples.

#### example 3.10

We consider components  $\Gamma_w$ , see example 2.47, and  $\Gamma_4$ .  $\Gamma_4$  models a "Wire with Initial Transition" element, see example 2.47. They are defined by:

$$\mathbf{o}\Gamma_w = \{b\} \qquad \mathbf{i}\Gamma_w = \{a\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_w) = \mathbf{pref}(\{ab\}^*)$$
$$\mathbf{o}\Gamma_4 \stackrel{\text{def}}{=} \{a\} \qquad \mathbf{i}\Gamma_4 \stackrel{\text{def}}{=} \{b\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_4) \stackrel{\text{def}}{=} \mathbf{pref}(\{ab\}^*)$$

We notice that  $\Gamma_4 NCIHA \Gamma_w$  and  $\Gamma_w NCIHA \Gamma_4$ ; from definition 3.8, "NCIH", we conclude that  $\Gamma_w NCIH \Gamma_4$ .

#### end of example

#### example 3.11

We consider components  $\Gamma_c$ , cf. example 2.48, and  $\Gamma_5$ ; they are given by:

$$\mathbf{o}\Gamma_{c} = \{c\} \qquad \mathbf{i}\Gamma_{c} = \{a, b\} \qquad \mathbf{t}(\mathbf{ptr}\Gamma_{c}) = \mathbf{pref}(\{abc, bac\}^{*})$$
$$\mathbf{o}\Gamma_5 \stackrel{\text{def}}{=} \{a, b\} \qquad \mathbf{i}\Gamma_5 \stackrel{\text{def}}{=} \{c\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_5) \stackrel{\text{def}}{=} \mathbf{pref}(\{abc\}^*)$$

We notice that  $\Gamma_5 NCIHA \Gamma_c$ . We see that  $\operatorname{ptr} \Gamma_5 \subseteq \operatorname{ptr} \Gamma_c$ ; nevertheless, we conclude from definition 3.5, "*NCIHA*", that  $\Gamma_c NCIHA \Gamma_5$ . From definition 3.8, "*NCIH*", we conclude that  $\Gamma_c NCIH \Gamma_5$ . Notice that we infer that  $\Gamma_c NCIH \Gamma_5$  although  $t(\operatorname{ptr} \Gamma_c) \neq t(\operatorname{ptr} \Gamma_5)$ .

#### end of example
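Definitions 3.5 and 3.8 checked mechanically against the components of examples 3.0, 3.6, 3.7, 3.10 and 3.11; this is an added example, not the thesis's own code. The `Component` class, the bound `B` and the witness-returning checker are assumptions of this example: star-defined trace sets such as  $\mathbf{pref}(\{ab\}^*)$  are enumerated up to `B` symbols, and only traces shorter than `B` are used as  $t$  and  $u$ , so every membership test the checker makes is exact.

```python
"""NCIHA (definition 3.5) and NCIH (definition 3.8) over bounded trace sets.

Added example, not the thesis's own code.  Infinite trace structures such as
pref({ab}*) are represented by all their traces of length <= B; the checks
use only traces shorter than B as t and u, so their membership tests are exact.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def pref_star(words, max_len):
    """Bounded pref({w_1, ..., w_n}*): every prefix of length <= max_len of
    every concatenation of the given words."""
    assert all(words), "an empty word would make the star loop forever"
    traces, frontier, expanded = {""}, [""], set()
    while frontier:
        t = frontier.pop()
        if t in expanded:
            continue
        expanded.add(t)
        for w in words:
            u = t + w
            # keep each new prefix of u that still fits within the bound
            for k in range(len(t) + 1, min(len(u), max_len) + 1):
                traces.add(u[:k])
            if len(u) <= max_len:
                frontier.append(u)
    return frozenset(traces)


@dataclass(frozen=True)
class Component:
    outputs: FrozenSet[str]      # o Gamma
    inputs: FrozenSet[str]       # i Gamma
    traces: FrozenSet[str]       # t(ptr Gamma), prefix-closed
    bound: Optional[int] = None  # None: traces are exact; else enumerated up to this length

    @property
    def alphabet(self):
        return self.outputs | self.inputs

    def explorable(self, t):
        """True if every one-symbol extension of t is still inside the bound."""
        return self.bound is None or len(t) < self.bound


def io_connectable(g, d):
    """Definition 3.2: every shared symbol is output on one side and input on the other."""
    return (g.alphabet & d.alphabet) == (g.outputs & d.inputs) | (g.inputs & d.outputs)


def project(t, symbols):
    """The projection of t on the given symbols."""
    return "".join(x for x in t if x in symbols)


def ci_hazard_witness(g, d) -> Optional[Tuple[str, str, str]]:
    """A triple (t, u, a) refuting Gamma NCIHA Delta, or None if it holds:
    Gamma has done t and may send a; Delta has done u, which agrees with t on
    the shared alphabet; yet Delta cannot accept a after u."""
    assert io_connectable(g, d), "NCIHA is only defined for i/o-connectable components"
    shared = g.alphabet & d.alphabet
    sendable = g.outputs & d.inputs
    for t in sorted(g.traces, key=len):
        for a in sorted(sendable):
            if not g.explorable(t) or t + a not in g.traces:
                continue
            for u in sorted(d.traces, key=len):
                if (d.explorable(u) and project(t, shared) == project(u, shared)
                        and u + a not in d.traces):
                    return (t, u, a)
    return None


def nciha(g, d):
    return ci_hazard_witness(g, d) is None


def ncih(g, d):
    """Definition 3.8: absence of computation interference hazard at both components."""
    return nciha(g, d) and nciha(d, g)


B = 6  # enumeration bound for the star-defined trace sets below

# Example 3.0: finite trace sets, so no bound is needed
GAMMA_0 = Component(frozenset("a"), frozenset("b"), frozenset({"", "a", "ab"}))
DELTA_0 = Component(frozenset("b"), frozenset("a"), frozenset({"", "a", "b", "ab", "ba"}))
# Examples 3.6, 3.7, 3.10 and 3.11 (Gamma_w, Gamma_wit and Gamma_c from examples 2.47 and 2.48)
GAMMA_W = Component(frozenset("b"), frozenset("a"), pref_star(["ab"], B), B)
GAMMA_WIT = Component(frozenset("b"), frozenset("a"), pref_star(["ba"], B), B)
GAMMA_2 = Component(frozenset("a"), frozenset("b"), pref_star(["ab"], B), B)
GAMMA_3 = Component(frozenset("a"), frozenset("b"), pref_star(["ab", "ba"], B), B)
GAMMA_4 = Component(frozenset("a"), frozenset("b"), pref_star(["ab"], B), B)
GAMMA_C = Component(frozenset("c"), frozenset("ab"), pref_star(["abc", "bac"], B), B)
GAMMA_5 = Component(frozenset("ab"), frozenset("c"), pref_star(["abc"], B), B)

if __name__ == "__main__":
    print("Delta_0 NCIHA Gamma_0 refuted by:", ci_hazard_witness(DELTA_0, GAMMA_0))
    print("Gamma_2 NCIHA Gamma_wit refuted by:", ci_hazard_witness(GAMMA_2, GAMMA_WIT))
    print("Gamma_wit NCIHA Gamma_3:", nciha(GAMMA_WIT, GAMMA_3), " Gamma_3 NCIHA Gamma_wit:", nciha(GAMMA_3, GAMMA_WIT))
    print("Gamma_w NCIH Gamma_4:", ncih(GAMMA_W, GAMMA_4), " Gamma_c NCIH Gamma_5:", ncih(GAMMA_C, GAMMA_5))
```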

From definition 3.8, "*NCIH*" and definition 2.36, "reflection of component" we infer property 3.12.

#### property 3.12

For component  $\Gamma$ ,

 $\Gamma\ \mathit{NCIH}\ \Gamma$ 

end of property

#### **3.2.1** Acceptance of commsigs

In subsection 2.1.3 we introduced informally the distinction between the "acceptance" and the "reception" of a signal. In subsection 2.1.4 we modeled this in our Communication Model by distinguishing the acceptance and the reception of a commsig by a module. In subsection 2.2.3 we argued that we also distinguish the acceptance and the reception of a commsig by a component. We now define that a *component accepts a commsig* if and only if it receives this commsig without an occurrence of computation interference. As a consequence, a module accepts a commsig if both the module receives this commsig and the occurrence of the comminst that represents the reception of this commsig is in accordance with the communication behavior of the module. A component directly controls the production of a commsig and the sending of it; however, a component has no direct control over whether a commsig that it produces can be accepted by another component. A component has to cooperate in order to send or accept commsigs; it 'undergoes' the reception of commsigs.

#### remark 3.13

We say that a component *engages* in a comminst, which represents the sending or the reception of a commsig, if it either sends or accepts this commsig.

#### end of remark

In the remainder of this monograph we abbreviate "a component engages in a comminst that represents the sending of a commsig" into "a component sends a comminst". Analogously, we abbreviate "a component receives a commsig, the act of reception of which is represented by a comminst" into "a component receives a comminst". We also abbreviate "a component engages in a comminst that represents the acceptance of a commsig" into "a component accepts a comminst".

#### 3.3 Transformation into computation interference hazard

We have seen in remark 3.4 that computation interference hazard amounts to "a component is not able to accept a commsig that it may receive at one of its input commports". In this section, we present a technique called *transformation into computation interference hazard*. By this technique, we 'transform' "undesired phenomenon hazards" into computation interference hazard: we establish that we deal with the undesired phenomenon hazard whenever we deal with computation interference hazard. In this way we reduce the number of undesired phenomenon hazards with which we have to deal. In subsection 3.3.0 we present the technique; in subsection 3.3.1 we give an example how this technique is applied.

#### 3.3.0 The technique

The technique "transformation into computation interference hazard" consists of two steps:

- (1) Find a trace structure T, an alphabet A, and a trace set S such that
  - (i) T is the trace structure of a component,
  - (ii) A is the input alphabet of this component, and
  - (iii) S is the trace set that is associated with the (undesired) phenomenon hazard.
- (2) Calculate redts(T, A, S).

We consider a component, say  $\Gamma$ . By replacing ptr  $\Gamma$  by redts(ptr $\Gamma$ , i $\Gamma$ , S), see definition 1.34, we achieve absence of the phenomenon hazard with which S is associated, whenever absence of computation interference hazard is established. In this technique we choose for A the input alphabet of the component, since the environment of this component directly controls the 'production' of the commsigs that it sends to the component, but it has no direct control over the 'production' of the commsigs that the component sends to it.

There is an initial problem when applying this transformation technique. In order to interpret redts(ptr $\Gamma$ ,  $i\Gamma$ , S) as the trace structure of a component, we have to guarantee that redts(ptr $\Gamma$ ,  $i\Gamma$ , S) is non-empty, cf. property 1.40. In other words: the empty trace  $\varepsilon$  must not be removed when computing redts(ptr $\Gamma$ ,  $i\Gamma$ , S).

#### theorem 3.14

Let UndesPh be some undesired phenomenon. Let trace set S be associated with UndesPh. Let  $\Gamma$  be a component such that  $(A_s: s \in t(ptr\Gamma) \cap S: l(s|i\Gamma) > 0)$ . We define component  $\Gamma'$  by  $\Gamma' \stackrel{\text{def}}{=} < io\Gamma, redts(ptr\Gamma, i\Gamma, S) > .$ 

Then  $\Gamma'$  is the maximal (w.r.t. trace structure inclusion) component such that

- (i)  $io\Gamma' = io\Gamma$ ,
- (ii)  $ptr \Gamma' \subseteq ptr \Gamma$ ,
- (iii)  $\Gamma'$  has absence of UndesPh hazard.

#### end of theorem

In theorem 3.14 component  $\Gamma'$  has absence of UndesPh hazard, since no traces that are associated with UndesPh are in  $t(ptr\Gamma')$ . For every component  $\Delta$ , such that  $\Delta NCIH\Gamma'$ , we conclude using definition 1.34, that  $\Delta NCIH\Gamma$ ; furthermore, using theorem 3.14 we find that  $\Gamma$  has absence of UndesPh hazard when communicating with such a  $\Delta$ .

In subsection 3.3.1 we present an example of this transformation technique. In chapter 5 we shall transform transmission interference hazard in the communication between a component and its environment into computation interference hazard. In chapter 6 we shall transform transmission and computation interference hazard in the (internal) communication between two components into computation interference hazard at the (external inputs of the) composition of these components.

## 3.3.1 Example of transformation technique

In this subsection we show how we apply the technique "transformation into computation interference hazard". We choose to transform "ambiguous quiescence hazard" into computation interference hazard. In subsection 3.3.1.0 we explain the notion "ambiguous quiescence hazard" and we argue why one may be interested in it. In subsection 3.3.1.1 we show how we transform ambiguous quiescence hazard into computation interference hazard. Examples of ambiguous quiescence hazard and of its transformation into computation interference hazard are shown in subsection 3.3.1.2. The notion "ambiguous quiescence hazard" was introduced in [Schols88] under the name "unspecified termination hazard". The correctness concern "absence of ambiguous quiescence hazard" is a *liveness* property.

## 3.3.1.0 Ambiguous quiescence hazard

We have noticed in remark 2.16 that a mechanism has no obligation to send output signals. As a consequence, a component has no obligation to send commsigs. This turns a *Molnar's-universal-do-nothing-wrong-component* (with the appropriate iobip) into an acceptable (i.e. free of computation interference hazard when connected to any i/o-connectable environment) implementation of any specification, see example 3.15. The mechanism that is modeled by such a component accepts every input signal that it may receive. Unfortunately, in general it isn't very useful, since it doesn't produce any output signal.

## example 3.15 Molnar's-universal-do-nothing-wrong-component

Given iodir  $\Phi$ , we consider component  $\Gamma_{DNW(\Phi)}$ ; its iobip and its trace structure are defined by:

io  $\Gamma_{DNW(\Phi)} \stackrel{\text{def}}{=} io \Phi$ ptr  $\Gamma_{DNW(\Phi)} \stackrel{\text{def}}{=} < a\Phi$ , pref(( $i\Phi$ )\*) >

This component can do nothing wrong: it accepts every commsig that it may receive; however, it doesn't send any commsig.

## end of example

The correctness concern "absence of *ambiguous quiescence hazard*" amounts to "a component that is allowed to engage in an output comminst will eventually engage in some output comminst, unless it engages in an input comminst". In other words: a component has absence of ambiguous quiescence hazard if it will not stop engaging in comminsts in a state in which it is allowed to engage in an output comminst.

#### remark 3.16

By discussing ambiguous quiescence hazard we step outside the scope of our Communication Model: for each trace in the trace set of a component we indicate whether it is guaranteed 'to be extended' or not. One point at which ambiguous quiescence hazard might be introduced is the abstraction from module to component in subsection 2.2.3. We demonstrate this in example 3.17.

#### end of remark

#### example 3.17

We consider module  $\Delta_6$ . It has one output commport  $\gamma$  and two input commports  $\alpha$  and  $\beta$ . At most one comminst of each commport can occur. When  $\alpha_1$  and  $\beta_1$  occur independently, no output comminst occurs. When either  $\alpha_1$  occurs before  $\beta_1$  or  $\beta_1$  occurs before  $\alpha_1$ , output comminst  $\gamma_1$  occurs thereafter:

$$\begin{split} \Psi_{\Delta_{6}}^{o} &= \{\gamma\} \\ \Psi_{\Delta_{6}}^{i} &= \{\alpha, \beta\} \\ \mathbf{CB} \ \Delta_{6} &= \{\langle \varnothing, \varnothing \rangle, \langle \{\alpha_{1}\}, \varnothing \rangle, \langle \{\beta_{1}\}, \varnothing \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \varnothing \rangle \\ &\quad , \langle \{\alpha_{1}, \beta_{1}\}, \{\alpha_{1} \sqsubset \beta_{1}\} \rangle, \langle \{\alpha_{1}, \beta_{1}\}, \{\beta_{1} \sqsubset \alpha_{1}\} \rangle \\ &\quad , \langle \{\alpha_{1}, \beta_{1}, \gamma_{1}\}, \{\alpha_{1} \sqsubset \beta_{1}, \beta_{1} \sqsubset \gamma_{1}\} \rangle, \langle \{\alpha_{1}, \beta_{1}, \gamma_{1}\}, \{\beta_{1} \sqsubset \alpha_{1}, \alpha_{1} \sqsubset \gamma_{1}\} \rangle \\ &\quad \} \end{split}$$

Module  $\Delta_6$  has absence of ambiguous quiescence hazard. We associate symbols *a*, *b*, and *c*, with commports  $\alpha$ ,  $\beta$ , and  $\gamma$ , respectively. Let component  $\Gamma_6$  be the equivalence class of which module  $\Delta_6$  is a member. The state graph of  $\Gamma_6$  is shown in figure 3.2.



figure 3.2 State graph of component  $\Gamma_6$ .

In figure 3.2 we have put the label c! between angle brackets to indicate that we cannot guarantee that comminst  $\gamma_1$  takes place. Thus, component  $\Gamma_6$  might engage in output comminst  $\gamma_1$ , but we cannot guarantee that it engages in any comminst. We conclude that component  $\Gamma_6$  has ambiguous quiescence hazard.

One might argue that the introduction of ambiguous quiescence hazard shown in this example has more to do with the modeling in our Communication Model than with the abstraction from module  $\Delta_6$  to component  $\Gamma_6$ . We discuss this in section 7.1.

## end of example

Ambiguous quiescence hazard, see also unspecified termination hazard in [Schols88], is related to "livelock" and "deadlock", cf. [Kimura79, Kaldewaij86]; it is an example of a liveness property that can be expressed in finite trace theory. In order to deal with more sophisticated liveness properties, finite trace theory has been extended, e.g. with refusal sets, cf. [Hoare85, Verhoeff86], or with infinite traces, cf. [Van Horn86, Black86].

## 3.3.1.1 Transformation of ambiguous quiescence hazard

We consider component  $\Gamma$  with trace structure ptr  $\Gamma$  and (input) alphabet i $\Gamma$ . We want to transform  $\Gamma$  into a component that has absence of ambiguous quiescence hazard. We need to calculate redts, see subsection 3.3.0. In order to apply redts we need a trace set, say S, that is associated with ambiguous quiescence hazard in  $\Gamma$ . S is defined as the set of all traces t such that

- (i) t can be extended with a symbol of  $o\Gamma$  (formally:  $(\mathbf{E}b: b \in o\Gamma: tb \in t(ptr \Gamma))$ ),
- (ii) we cannot guarantee that t will be extended (with a symbol of  $a\Gamma$ ).

Let  $\Gamma'$  be the component such that  $io\Gamma' = io\Gamma$  and  $ptr\Gamma' = redts(ptr\Gamma, i\Gamma, S)$ . Component  $\Gamma'$  has absence of ambiguous quiescence hazard. If we connect component  $\Gamma$  only to components  $\Delta$  for which  $\Delta NCIH\Gamma'$ , then  $\Gamma$  will not enter a state in which it can stop engaging in comminsts although it is allowed to engage in an output comminst.

#### remark 3.18

We consider components  $\Gamma$  and  $\Gamma'$  and trace set S such that  $io\Gamma' = io\Gamma$ ,  $ptr\Gamma' = redts(ptr\Gamma, i\Gamma, S)$ , and S is associated with ambiguous quiescence hazard in  $\Gamma$ . If we connect  $\Gamma$  only to components  $\Delta$  (environment of  $\Gamma$ ) for which  $\Delta NCIH\Gamma'$ , then no instance of ambiguous quiescence will occur in component  $\Gamma$ . In this case component  $\Gamma$  behaves like component  $\Gamma'$ , since it can only engage in comminsts in which also  $\Gamma'$  can engage. Component  $\Gamma'$  has absence of ambiguous quiescence hazard.

#### end of remark

In remark 3.18 we see that after reducing  $\Gamma$  (to  $\Gamma'$ ) we establish absence of ambiguous quiescence hazard for  $\Gamma$  by establishing absence of computation interference hazard (by  $\Delta NCIH \Gamma'$ ).

## 3.3.1.2 Examples

In this subsection we present some examples of ambiguous quiescence hazard. In the diagrams of the state graphs of components we will indicate which output transitions cannot be guaranteed to take place (not even if no other transitions take place) by putting their labels between angle brackets. A state is called *lazy* if and only if

- (i) it has at least one outgoing output transition, and
- (ii) all its outgoing output transitions have labels between angle brackets.

In the diagrams of the state graphs of components we will mark lazy states by "L". We will use these extensions of state graphs only in this subsection (3.3.1.2).

We present a small example of ambiguous quiescence hazard and its transformation into computation interference hazard in example 3.19.

#### example 3.19

Component  $\Gamma_7$  has one input commport, to which *a* is associated, and one output commport, to which *b* is associated. Initially,  $\Gamma_7$  accepts an input comminst; thereafter it will produce an output comminst, unless it first receives a second input comminst: if  $\Gamma_7$  receives a second input comminst before it has produced an output comminst, it will either produce two output comminsts or it will not produce any output comminst at all. If  $\Gamma_7$  receives a second input comminst after it has produced an output comminst, it will produce a second output comminst thereafter. We notice that  $\Gamma_7$  accepts the second input comminst anyway, but its reaction to it depends on whether it received this input comminst before or after it has sent an output comminst. The state graph of  $\Gamma_7$  is shown in figure 3.3.



figure 3.3 State graph of component  $\Gamma_7$ .

In figure 3.3 the arc leaving state [aa] (see subsection 1.4.2) has been labeled with "< b! >". This means that we cannot guarantee that the transition b will take place. Since b is an element of  $o\Gamma_7$ , state [aa] is lazy. For this reason it has been labeled with "L". State [aa] is the only lazy state of  $\Gamma_7$ . Trace aa is the only trace leading from the initial state to state [aa]. From this follows that set  $\{aa\}$  is the trace set that is associated with ambiguous quiescence hazard in  $\Gamma_7$ . We now calculate redts(ptr $\Gamma_7$ ,  $i\Gamma_7$ ,  $\{aa\}$ ). We consider component  $\Gamma_7'$ , that is defined by:

$$\begin{aligned} \mathbf{o}\,\Gamma_{7}' &\stackrel{\text{def}}{=} \{b\}, \qquad \mathbf{i}\,\Gamma_{7}' \stackrel{\text{def}}{=} \{a\}, \\ \mathbf{t}(\mathbf{ptr}\,\Gamma_{7}') &\stackrel{\text{def}}{=} \mathbf{redts}(\mathbf{ptr}\,\Gamma_{7},\mathbf{i}\,\Gamma_{7},\{aa\}). \end{aligned}$$

The state graph of  $\Gamma_7'$  is shown in figure 3.4.



figure 3.4 State graph of component  $\Gamma_7'$ .

For any component, say  $\Delta_7$ , such that  $\Delta_7 NCIH \Gamma_7'$ , we notice that  $\Delta_7 NCIH \Gamma_7$  and that  $\Gamma_7$  has absence of UndesPh hazard when communicating with  $\Delta_7$ . We see that the transformation of  $\Gamma_7$  into  $\Gamma_7'$  has transformed ambiguous quiescence hazard into computation interference hazard: if absence of computation interference is guaranteed between any component  $\Delta_7$  and  $\Gamma_7'$ , then  $\Gamma_7$  has no ambiguous quiescence hazard when  $\Gamma_7$  communicates with such a  $\Delta_7$ .

#### end of example

In example 3.20 we show that not only traces of the trace set that is associated with the undesired phenomenon hazard are removed, but that also prefixes thereof may be removed.

#### example 3.20

Component  $\Gamma_8$  has one input commport, to which *a* is associated, and one output commport, to which *b* is associated. Component  $\Gamma_8$  is given by figure 3.5.



figure 3.5 State graph of component  $\Gamma_8$ .

After  $\Gamma_8$  has received an input, it produces an output; however, thereafter it may or may not produce a second output. We notice that trace *ab* can be extended with *b*, which is an element of  $\mathbf{o}\Gamma_8$ , but that we cannot guarantee that *ab* will be extended by a symbol of  $\mathbf{o}\Gamma_8$ . Since *ab* is the only trace for which this is the case, trace set  $\{ab\}$  is the trace set that is associated with ambiguous quiescence hazard in  $\Gamma_8$ . We notice that there is no problem with trace *ab* itself, but the problem has to do with extending *ab*. We consider component  $\Gamma_8'$ ; it is defined by:

$$\begin{aligned} \mathbf{o}\,\Gamma_{8}' &\stackrel{\text{def}}{=} \{b\}, \qquad \mathbf{i}\,\Gamma_{8}' \stackrel{\text{def}}{=} \{a\}, \\ \mathbf{t}(\mathbf{ptr}\,\Gamma_{8}') &\stackrel{\text{def}}{=} \mathbf{redts}(\mathbf{ptr}\,\Gamma_{8}, \mathbf{i}\,\Gamma_{8}, \{ab\}). \end{aligned}$$

The state graph of the trace set of  $\Gamma_8'$  is shown in figure 3.6.

figure 3.6 State graph of  $t(ptr\,\Gamma_8')$ .

We see that by transforming  $\Gamma_8$  into  $\Gamma_8'$  not only trace *ab* is removed from the trace set, but also trace *a*.

#### end of example

The following examples are more realistic and more complex.


#### example 3.21

We consider component  $\Gamma_9$  that is given by figure 3.7.



figure 3.7 State graph of component  $\Gamma_9$ .

When  $\Gamma_9$  is in a state labeled with "L" it may or may not produce an output; in all other states in which it is allowed to produce an output, it will eventually produce it. Let  $S_9$  be the set of all traces that lead to a state labeled with "L" in figure 3.7. Now,  $S_9$  is the trace set that is associated with ambiguous quiescence hazard in  $\Gamma_9$ . We consider component  $\Gamma_9'$ , that is defined by:

$$\begin{split} \mathbf{o} \, \Gamma_{9}' &\stackrel{\text{def}}{=} \mathbf{o} \, \Gamma_{9} \,, \qquad \mathbf{i} \, \Gamma_{9}' \stackrel{\text{def}}{=} \mathbf{i} \, \Gamma_{9} \,, \\ \mathbf{t}(\mathbf{ptr} \, \Gamma_{9}') \stackrel{\text{def}}{=} \mathbf{redts}(\mathbf{ptr} \, \Gamma_{9} \,, \mathbf{i} \, \Gamma_{9} \,, S_{9}). \end{split}$$

The state graph of  $\Gamma_{9}'$  is shown in figure 3.8. We notice that  $\Gamma_{9}' = \Gamma_{f}$ , cf. example 2.49.



figure 3.8 State graph of component  $\Gamma_{9}^{\prime}$ .

Again, the transformation of  $\Gamma_9$  into  $\Gamma_9'$  has transformed ambiguous quiescence hazard into computation interference hazard.

#### end of example

#### example 3.22

We consider component  $\Gamma_{10}$  that is given by figure 3.9. Component  $\Gamma_{10}$  models some kind of "Or" element (see example 2.51):  $ptr \Gamma_{or} \subseteq ptr \Gamma_{10}$ . The difference between them is that  $\Gamma_{10}$  may at some points engage in two output comminsts of the same output commport whereas in such a case  $\Gamma_{or}$  doesn't engage in any output comminst at all.




figure 3.9 State graph of component  $\Gamma_{10}$ .

Let  $S_{10}$  be the trace set that is associated with ambiguous quiescence hazard in  $\Gamma_{10}$ , viz. the set of all traces that lead from the initial state to one of the four states labeled with "L" in figure 3.9. We consider component  $\Gamma_{10}'$ , that is defined by:

$$\begin{aligned} \mathbf{o}\,\Gamma_{10}' &\stackrel{\text{def}}{=} \mathbf{o}\,\Gamma_{10}, \qquad \mathbf{i}\,\Gamma_{10}' \stackrel{\text{def}}{=} \mathbf{i}\,\Gamma_{10}, \\ \mathbf{t}(\mathbf{ptr}\,\Gamma_{10}') &\stackrel{\text{def}}{=} \mathbf{redts}(\mathbf{ptr}\,\Gamma_{10}, \mathbf{i}\,\Gamma_{10}, S_{10}). \end{aligned}$$

The state graph of  $\Gamma_{10}'$  is shown in figure 3.10.



figure 3.10 State graph of component  $\Gamma_{10}'$ .

Again, the transformation of  $\Gamma_{10}$  into  $\Gamma_{10}'$  has transformed ambiguous quiescence hazard into computation interference hazard.

#### end of example


# **Communicating delay-safely**

In this chapter we address *indirect connections*. In an indirect connection matching commports model terminals that are connected by a wire, see subsection 2.1.0.

Our formal definition of the delay-safety of a channel is based on our *causality* notion:

no commsig is received before it has been sent.

This causality notion models that there is only one assumption made with respect to the delay of a signal that is sent from one terminal via a wire to another terminal in the physical model, viz.:

the value of this delay is nonnegative.

Even distinct signals that travel along the same wire may have different values of delays.

Notice that delay-safety is <u>not</u> a property of a component, but it is a property of a channel. We shall carefully distinguish between "communication in a channel" and "communication behavior of a component". These two topics are, of course, related to each other. Distinguishing these two topics enables us to separate the communication behavior of components from the delay requirements in the channel.

In this chapter we introduce three important operators in our Communication Model. In subsection 4.1.1 we present the delay-safe closure of a channel. Given channel  $\Theta$ , channel DSC  $\Theta$  is the smallest (w.r.t. trace structure inclusion) delay-safe channel such that  $ptr \Theta \subseteq ptr(DSC \Theta)$ . In subsection 4.2.1 we present DSE, i.e. the delay-safe enclosure of a component. For component  $\Gamma$ , component  $\overline{\text{DSE}\Gamma}$  is the maximal (w.r.t. trace structure inclusion) partner of  $\Gamma$ ; when  $\Gamma$  and  $\overline{\text{DSE}\Gamma}$  are indirectly connected, they have no computation interference hazard. In subsection 4.2.3 we present CBDS, i.e. the communication behavior of a delay-safely communicating component. The maximal (w.r.t. trace structure inclusion) communication behavior of a component, say  $\Gamma$ , that communicates delay-safely without computation interference hazard equals trace structure cbds $\Gamma$  (cbds $\Gamma \subseteq ptr\Gamma$ ). This means that  $\Gamma$  behaves in that case like component CBDS $\Gamma$  (io(CBDS $\Gamma$ )= io $\Gamma$  and ptr(CBDS $\Gamma$ )= cbds $\Gamma$ ).

## 4.0 Causality

In this section we formalize our causality notion. We consider the components  $\Gamma$  and  $\Delta$  such that io  $\overline{\Gamma} = io\Delta$ ; as a consequence,  $\Gamma$  and  $\Delta$  have a closed connection, i.e.  $\mathbf{a}\Gamma = \mathbf{a}\Delta$ . Let t and u be traces such that  $t \in t(\mathbf{ptr}\Gamma)$  and  $u \in t(\mathbf{ptr}\Delta)$ . In chapter 3 we have considered components that have a direct connection; in that case, if t and u are consistent, they are equal. In this chapter we deal with components that are indirectly connected; now, t and u need not be equal; the condition that t and u have to satisfy is called *composability*. In figure 4.0 we show these two components that have an indirect connection.



figure 4.0 Components  $\Gamma$  and  $\Delta$  that have an indirect connection.

We have stated in the beginning of this chapter that no commsig can be received before it has been sent. In order to model this causality we define the *composability* relation between traces. Let iobip F be such that  $F = io\Gamma$ . Let t and u be traces such that  $t \in t(ptr\Gamma)$  and  $u \in t(ptr\Delta)$ . We call t composable under F with u, if, at some moment, t is associated with a comminstorder of  $\Gamma$  and u is associated with a comminstorder of  $\Delta$  such that t and u are consistent with our causality notion, cf. also subsection 4.0.2.


#### remark 4.0

Molnar has characterized "composability" in a nice way:

Trace t is a member of a trace set that is associated with a comminstorder of  $\Gamma$ . Trace u is a member of a trace set that is associated with a comminstorder of  $\Delta$ . Causality implies a partial order between comminsts of  $\Gamma$  and  $\Delta$ . Composability of t and u equals the existence of a full order consistent with the union of these three partial orders (viz., the two comminstorders and the partial order that is implied by causality).

#### end of remark

Initially, when no comminsts have happened yet, both t and u are equal to  $\varepsilon$ . From a pair of composable traces we construct another pair of composable traces by extending one of the traces with one symbol. Since no commsig can be received before it has been sent, the extension of a trace with an input symbol is restricted, see definition 4.1.

#### definition 4.1 composability

Given are traces t and u, and iobip F such that  $t \in (\mathbf{a}F)^*$  and  $u \in (\mathbf{a}F)^*$ ; we define that t is composable under F with u, denoted by  $t\,\mathbf{c}_F\,u$ , recursively by

- (i)  $\varepsilon \, \mathbf{c}_F \, \varepsilon$ ,
- (ii) for traces t and u and symbol a such that  $t\,\mathbf{c}_F\,u$  and  $a \in \mathbf{o}F$ ,  $ta\,\mathbf{c}_F\,u$ ,
- (iii) for traces t and u and symbol a such that  $t\,\mathbf{c}_F\,u$ ,  $a \in \mathbf{o}F$ , and  $\#_a t > \#_a u$ ,  $t\,\mathbf{c}_F\,ua$ ,
- (iv) for traces t and u and symbol b such that  $t\,\mathbf{c}_F\,u$  and  $b \in \mathbf{i}F$ ,  $t\,\mathbf{c}_F\,ub$ ,
- (v) for traces t and u and symbol b such that  $t\,\mathbf{c}_F\,u$ ,  $b \in \mathbf{i}F$ , and  $\#_b u > \#_b t$ ,  $tb\,\mathbf{c}_F\,u$ ,
- (vi) completeness axiom: t is not composable under F with u, unless this is required by (i), (ii), (iii), (iv), or (v).

#### end of definition

The conditions in the definition above reflect that no commsig is received before it has been sent, see also subsection 4.0.2.

Udding was the first to define composability formally, cf. [Udding84]. Composability as defined in definition 4.1 is equal to composability as defined by Verhoeff, cf. [Verhoeff85]. In definition 4.1 no trace set or trace structure is involved: only the iobip is important. The earlier definitions in [Udding84] and [Schols85] restrict the traces to elements of given trace sets. When this restriction is dropped, all definitions are equivalent, see [Schols85] and [Verhoeff85]. The present definition is nicer from a mathematical point of view, cf. [Verhoeff85], than the definitions in [Udding84] and [Schols85]. Property 4.2 asserts that the non-restricted version of the definition in [Schols85] is equivalent to definition 4.1; for a proof of this property we refer to [Siccama86].

#### property 4.2 composability

For traces t and u, and iobip F such that  $t \in (\mathbf{a}F)^*$  and  $u \in (\mathbf{a}F)^*$ ,

$$t\,\mathbf{c}_{F}\,u \;=\; (\mathbf{A}a : a \in \mathbf{o}F : \#_{a}t \ge \#_{a}u) \;\land\; (\mathbf{A}b : b \in \mathbf{i}F : \#_{b}u \ge \#_{b}t) \;\land\; (\mathbf{A}a, b, r, s : a \in \mathbf{o}F \land b \in \mathbf{i}F \land rb\ \mathbf{prefix}\ t \land sa\ \mathbf{prefix}\ u : (\#_{a}r > \#_{a}s) \lor (\#_{b}s > \#_{b}r))$$

#### end of property

Unfortunately, none of the definitions of composability mentioned above is very well suited to check manually whether two traces are composable under an iobip. For this reason, we present Verhoeff's method to check this graphically, see subsection 4.0.0.

## 4.0.0 Composability diagram

Whether a trace t is composable under an iobip F with a trace u, can be concluded by constructing a *composability diagram*. Such a diagram provides more insight into the composability relation, and its construction is a practical tool for concluding whether t and u are composable under F or not.

The symbols in trace t are listed in the top row; each symbol is postfixed with an exclamation mark or a question mark to indicate whether it is an element of  $\mathbf{o}F$  or  $\mathbf{i}F$ , respectively. The symbols in trace u are listed in the bottom row; each symbol is postfixed with an exclamation mark or a question mark to indicate whether it is an element of  $\mathbf{o}\overline{F}$  or  $\mathbf{i}\overline{F}$ , respectively. To the right of the last (right most) symbol of each trace an end of trace marker (\$) is added.

For every symbol, its first (left most) occurrence in t is connected to its first occurrence in u by an arrow pointing from the occurrence that is postfixed with an exclamation mark to the occurrence that is postfixed with a question mark (if there are not enough occurrences in either one of the traces, the \$ at the end of that trace is used instead). The second and higher occurrences of symbols in t or u are connected in the same way. Now, all occurrences of symbols are connected by some arrow. See figures 4.1 and 4.3 for such a composability diagram.

In a composability diagram two intersecting arrows are said to form a *backward intersection* if and only if one arrow (the *tu*-arrow) starts at trace *t* and the other arrow (the *ut*-arrow) starts at trace *u*, the *tu*-arrow points in trace *u* to the left of the beginning of the *ut*-arrow, and the *ut*-arrow points in trace *t* to the left of the beginning of the *tu*-arrow.

Trace t is composable under iobip F with trace u if and only if in the composability diagram:

- (i) there is no arrow starting from a \$, and
- (ii) there is no backward intersection of two arrows.

#### example 4.3 composable traces

We consider traces t and u, symbols a, b, c, and d, and iobip  $F_0$  such that  $oF_0 = \{a, c\}$  and  $iF_0 = \{b, d\}$ . We are interested in whether trace abca (=t) is composable under  $F_0$  with trace adbcb (=u). In figure 4.1 this composability diagram is shown.



figure 4.1 Composability diagram.

The absence of both an arrow starting from a \$ and a backward intersection of two arrows in the composability diagram indicates that *t* and *u* are composable under  $F_0$ . By direct application of definition 4.1, "composability", we can derive in several ways a confirmation that  $abca\,\mathbf{c}_{F_0}\,adbcb$ :

| derivation 1 | derivation 2 | derivation 3 |
|---|---|---|
| $\varepsilon\,\mathbf{c}_{F_0}\,\varepsilon$ | $\varepsilon\,\mathbf{c}_{F_0}\,\varepsilon$ | $\varepsilon\,\mathbf{c}_{F_0}\,\varepsilon$ |
| $a\,\mathbf{c}_{F_0}\,\varepsilon$ | $a\,\mathbf{c}_{F_0}\,\varepsilon$ | $a\,\mathbf{c}_{F_0}\,\varepsilon$ |
| $a\,\mathbf{c}_{F_0}\,a$ | $a\,\mathbf{c}_{F_0}\,a$ | $a\,\mathbf{c}_{F_0}\,a$ |
| $a\,\mathbf{c}_{F_0}\,ad$ | $a\,\mathbf{c}_{F_0}\,ad$ | $a\,\mathbf{c}_{F_0}\,ad$ |
| $a\,\mathbf{c}_{F_0}\,adb$ | $a\,\mathbf{c}_{F_0}\,adb$ | $a\,\mathbf{c}_{F_0}\,adb$ |
| $ab\,\mathbf{c}_{F_0}\,adb$ | $ab\,\mathbf{c}_{F_0}\,adb$ | $ab\,\mathbf{c}_{F_0}\,adb$ |
| $abc\,\mathbf{c}_{F_0}\,adb$ | $abc\,\mathbf{c}_{F_0}\,adb$ | $abc\,\mathbf{c}_{F_0}\,adb$ |
| $abc\,\mathbf{c}_{F_0}\,adbc$ | $abc\,\mathbf{c}_{F_0}\,adbc$ | $abca\,\mathbf{c}_{F_0}\,adb$ |
| $abc\,\mathbf{c}_{F_0}\,adbcb$ | $abca\,\mathbf{c}_{F_0}\,adbc$ | $abca\,\mathbf{c}_{F_0}\,adbc$ |
| $abca\,\mathbf{c}_{F_0}\,adbcb$ | $abca\,\mathbf{c}_{F_0}\,adbcb$ | $abca\,\mathbf{c}_{F_0}\,adbcb$ |

table 4.2 Three derivations of  $abca\,\mathbf{c}_{F_0}\,adbcb$ .

end of example

We consider the case that two traces, say t and u, are not composable under an iobip, say F. Now, there must exist an arrow starting from a \$ or a backward intersection of two arrows in the composability diagram. All arrows that form some backward intersection indicate together the longest prefixes (of traces t and u) that are composable under iobip F, cf. example 4.4.

#### example 4.4 traces that are not composable

We consider traces t and u, symbols a, b, c, and d, and iobip  $F_0$  such that  $oF_0 = \{a, c\}$  and  $iF_0 = \{b, d\}$ . We are interested in whether trace bca(=t) is composable under  $F_0$  with trace acdb(=u).



figure 4.3 Composability diagram.

In figure 4.3 this composability diagram is shown. From definition 4.1, "composability", we infer that  $\neg(b\,\mathbf{c}_{F_0}\,\varepsilon)$  and  $\neg(\varepsilon\,\mathbf{c}_{F_0}\,a)$ . We conclude that  $\neg(bca\,\mathbf{c}_{F_0}\,acdb)$ . Notice that the leftmost of the arrowheads of the arrows that form some backward intersection indicate the longest prefixes that are composable under  $F_0$ :  $\varepsilon\,\mathbf{c}_{F_0}\,\varepsilon$ .

#### end of example

This construction of the composability diagram has first been shown by Verhoeff, cf. [Verhoeff89]. He has characterized  $t\,\mathbf{c}_F\,u$  by requirements (i) and (ii) (see subsection 4.0.0) w.r.t. the composability diagram of  $t\,\mathbf{c}_F\,u$ ; this characterization corresponds to the (non-recursive) definition of composability in property 4.2, "composability". In this property, the first two conjuncts at the right hand side of the equation formalize requirement (i) in the construction of the composability diagram above; they reflect that each received commsig is sent at some moment before or after it is received. The third conjunct formalizes requirement (ii) in that construction; it reflects that, when two commsigs travel in opposite directions, at least one of them must <u>have been</u> sent when either of them is received. The first two conjuncts are insufficient to model the nonnegativeness of the delays: together with the third conjunct, they impose this requirement.
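As an added example (not from the thesis), the composability relation is implemented below twice in Python, once from the recursive rules of definition 4.1 and once from the closed form of property 4.2, and run on the traces of examples 4.3 and 4.4; a final check compares both implementations and property 4.9 on all short traces. The representation of an iobip as a pair of sets and all function names are our own assumptions.

```python
# Added example, not from the thesis.  An iobip F is the pair (oF, iF)
# of frozensets; a trace is a string with one character per symbol.
from functools import lru_cache
from itertools import product


def composable_rec(t, u, oF, iF):
    """Definition 4.1 read as a dynamic program over prefix pairs.

    (t[:i], u[:j]) is composable iff it is (eps, eps) or one of the
    rules (ii)-(v) derives it from a composable pair with one symbol fewer.
    """
    assert set(t) | set(u) <= oF | iF, "traces must be over aF"

    @lru_cache(maxsize=None)
    def comp(i, j):
        if i == 0 and j == 0:
            return True                                   # (i)  eps c_F eps
        if i > 0:
            x = t[i - 1]
            if x in oF and comp(i - 1, j):                # (ii) an output may be sent at any time
                return True
            # (v) an input is received by t only after u has sent it
            if x in iF and u[:j].count(x) > t[:i - 1].count(x) and comp(i - 1, j):
                return True
        if j > 0:
            y = u[j - 1]
            if y in iF and comp(i, j - 1):                # (iv) the partner's output, any time
                return True
            # (iii) an output of t is received by u only after t has sent it
            if y in oF and t[:i].count(y) > u[:j - 1].count(y) and comp(i, j - 1):
                return True
        return False                                      # (vi) completeness axiom

    return comp(len(t), len(u))


def composable_closed(t, u, oF, iF):
    """Property 4.2: the non-recursive characterisation."""
    if any(t.count(a) < u.count(a) for a in oF):          # no output received before it is sent
        return False
    if any(u.count(b) < t.count(b) for b in iF):          # no input received before it is sent
        return False
    # Third conjunct: for every received b in t (rb prefix t) and every
    # received a in u (sa prefix u), one of the two must already have been
    # sent when the other is received.  This is the "no backward
    # intersection" requirement of the composability diagram.
    for i, b in enumerate(t):
        if b in iF:
            r = t[:i]
            for j, a in enumerate(u):
                if a in oF:
                    s = u[:j]
                    if not (r.count(a) > s.count(a) or s.count(b) > r.count(b)):
                        return False
    return True


def reflect(oF, iF):
    """Reflection of an iobip: inputs and outputs change roles."""
    return iF, oF


def check_all(alphabet="abcd", oF=frozenset("ac"), iF=frozenset("bd"), max_len=3):
    """Cross-check both implementations and property 4.9 (t c_F u = u c_F-bar t)
    on all pairs of traces over `alphabet` of length at most `max_len`."""
    traces = ["".join(p) for n in range(max_len + 1) for p in product(alphabet, repeat=n)]
    for t, u in product(traces, traces):
        if composable_rec(t, u, oF, iF) != composable_closed(t, u, oF, iF):
            return False
        if composable_closed(t, u, oF, iF) != composable_closed(u, t, *reflect(oF, iF)):
            return False
    return True


if __name__ == "__main__":
    F0 = (frozenset("ac"), frozenset("bd"))              # iobip F_0 of examples 4.3 and 4.4
    print("example 4.3:", composable_rec("abca", "adbcb", *F0))   # True
    print("example 4.4:", composable_rec("bca", "acdb", *F0))     # False
    print("consistency:", check_all())                            # True
```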

## 4.0.1 Properties of composability

In this subsection we present some properties of composability. These properties were given in [Udding 84].

### property 4.5

For traces t and u, symbols a and b, and iobip F such that  $t \in (\mathbf{a}F)^*$ ,  $u \in (\mathbf{a}F)^*$ ,  $a \in \mathbf{a}F$ , and  $b \in \mathbf{a}F$ ,

- (i)  $t\,\mathbf{c}_F\,t$
- (ii)  $ta\,\mathbf{c}_F\,\varepsilon \Rightarrow t\,\mathbf{c}_F\,\varepsilon$
- (iii)  $\varepsilon\,\mathbf{c}_F\,ub \Rightarrow \varepsilon\,\mathbf{c}_F\,u$
- (iv)  $ta\,\mathbf{c}_F\,ub \Rightarrow (ta\,\mathbf{c}_F\,u \vee t\,\mathbf{c}_F\,ub)$

end of property

### property 4.6

For trace t, symbol a, and iobip F such that  $t \in (\mathbf{a}F)^*$ ,

(i) for  $a \in \mathbf{o}F$ ,  $ta\,\mathbf{c}_F\,t$ 

(ii) for  $a \in \mathbf{i}F$ ,  $t\,\mathbf{c}_F\,ta$ 

### end of property

#### property 4.7

For traces t and u, symbol a, and iobip F such that  $t \in (\mathbf{a}F)^*$ ,  $u \in (\mathbf{a}F)^*$ , and  $a \in \mathbf{a}F$ ,

 $t\,\mathbf{c}_F\,ua \Rightarrow (\mathbf{E}s : s \text{ prefix } t : s\,\mathbf{c}_F\,u)$ 

end of property

#### example 4.8

For symbols a and b, and iobip  $F_1$  such that  $\mathbf{o}F_1 = \{a\}$  and  $\mathbf{i}F_1 = \{b\}$ ,

 $ab\,\mathbf{c}_{F_1}\,ba \wedge \neg(ab\,\mathbf{c}_{\overline{F_1}}\,ba)$ 

end of example

From the example above we observe that, in general, the definition of composable traces is not symmetric in inputs and outputs. (A contrary statement by Udding, see [Udding84, p.44], is erroneous; this does not invalidate Udding's work.) Because of this asymmetry, an iobip F, which distinguishes inputs from outputs, is needed to define composability.

# property 4.9

For traces t and u, and iobip F such that  $t \in (\mathbf{a}F)^*$  and  $u \in (\mathbf{a}F)^*$ ,

 $t\,\mathbf{c}_F\,u = u\,\mathbf{c}_{\overline{F}}\,t$ 

end of property

Property 4.9 illustrates that pairs of composable traces do satisfy some symmetry property; as a consequence, the particular choice of the iobip with respect to the alphbip of a channel, say  $\Theta$ , viz. (given symbol  $a \in a\Theta$ )  $iF = spa(a, \Theta)$  and  $oF = opa(a, \Theta)$  or the other possibility  $iF = opa(a, \Theta)$  and  $oF = spa(a, \Theta)$ , is irrelevant.

From property 4.2, "composability", we infer that composability is transitive.

property 4.10 transitivity of composability

For traces s, t, and u, and iobip F,

 $(s\,\mathbf{c}_F\,t \wedge t\,\mathbf{c}_F\,u) \Rightarrow s\,\mathbf{c}_F\,u$ 

end of property

#### property 4.11

For traces t and u, symbol a, and iobip F such that  $t \in (\mathbf{a}F)^*$  and  $u \in (\mathbf{a}F)^*$ ,

- (i) for  $a \in \mathbf{o}F$ ,  $(t\,\mathbf{c}_F\,u \wedge \#_a t > \#_a u) = t\,\mathbf{c}_F\,ua$
- (ii) for  $a \in \mathbf{o}F$ ,  $t\,\mathbf{c}_F\,u = (ta\,\mathbf{c}_F\,u \wedge \#_a t \geq \#_a u)$
- (iii) for  $a \in \mathbf{i}F$ ,  $(t\,\mathbf{c}_F\,u \wedge \#_a t < \#_a u) = ta\,\mathbf{c}_F\,u$
- (iv) for  $a \in \mathbf{i}F$ ,  $t\,\mathbf{c}_F\,u = (t\,\mathbf{c}_F\,ua \wedge \#_a t \leq \#_a u)$

end of property

In property 4.11 the implications from right to left are the most important ones, since the implications from left to right are similar to those in definition 4.1, "composability". From property 4.11 we derive property 4.12.

#### property 4.12

For iobip F, traces t and u, and symbol a such that  $t \in (\mathbf{a}F)^*$ ,  $u \in (\mathbf{a}F)^*$ , and  $a \in \mathbf{a}F$ ,

 $t\,\mathbf{c}_F\,u = ta\,\mathbf{c}_F\,ua$ 

end of property
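As an added worked derivation (not from the thesis), property 4.12 follows from property 4.11 by one application of (i) and (ii) when a is an output and of (iii) and (iv) when a is an input, using  $\#_a(ta) = \#_a t + 1$  and  $\#_a(ua) = \#_a u + 1$ . For  $a \in \mathbf{o}F$ :

$$ta\,\mathbf{c}_F\,ua = (ta\,\mathbf{c}_F\,u \wedge \#_a(ta) > \#_a u) \quad \text{(4.11 (i), applied to } ta \text{ and } u\text{)} \\ = (ta\,\mathbf{c}_F\,u \wedge \#_a t \geq \#_a u) \\ = t\,\mathbf{c}_F\,u \quad \text{(4.11 (ii))}$$

For  $a \in \mathbf{i}F$ :

$$ta\,\mathbf{c}_F\,ua = (t\,\mathbf{c}_F\,ua \wedge \#_a t < \#_a(ua)) \quad \text{(4.11 (iii), applied to } t \text{ and } ua\text{)} \\ = (t\,\mathbf{c}_F\,ua \wedge \#_a t \leq \#_a u) \\ = t\,\mathbf{c}_F\,u \quad \text{(4.11 (iv))}$$

Since  $a \in \mathbf{a}F = \mathbf{i}F \cup \mathbf{o}F$ , the two cases together give  $t\,\mathbf{c}_F\,u = ta\,\mathbf{c}_F\,ua$ .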

# 4.0.2 Composability versus independence of comminsts

In section 4.0 we formalized our causality notion "no commsig is received before it has been sent". In this subsection we have a closer look at this formalization. We first study the following example.

#### example 4.13

We consider components  $\Gamma_1$  and  $\Delta_1$  that have a closed and indirect connection, see figure 4.4.

figure 4.4 Components  $\Gamma_1$  and  $\Delta_1$ .

Component  $\Gamma_1$  accepts one input comminst before it sends one output comminst. Let  $T_1$  be the trace set that is associated with the comminstorder of  $\Gamma_1$  in which the input comminst occurs before the output comminst of  $\Gamma_1$ :  $T_1 = \{ba\}$ . Component  $\Delta_1$  accepts one input comminst and sends one output comminst; these comminsts occur independently. Let  $U_1$  be the trace set that is associated with the comminstorder of  $\Delta_1$  in which the input comminst and output comminst of  $\Delta_1$  occur independently:  $U_1 = \{ab, ba\}$ .

$$\mathbf{o} \Gamma_{1} \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{i} \Gamma_{1} \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{t} (\operatorname{ptr} \Gamma_{1}) \stackrel{\text{def}}{=} \operatorname{pref} \{ba\}, \\ \mathbf{o} \Delta_{1} \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i} \Delta_{1} \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{t} (\operatorname{ptr} \Delta_{1}) \stackrel{\text{def}}{=} \operatorname{pref} \{ab, ba\}.$$

Let iobip  $F_1$  be such that  $F_1 = \mathbf{io}\Gamma_1$ . We notice that  $\neg(ba\,\mathbf{c}_{F_1}\,ab)$  in spite of the independence of the comminsts of  $\Delta_1$ .

end of example

In example 4.13 we considered the comminstorder of  $\Gamma_1$ , with which trace set  $T_1$  is associated, and the comminstorder of  $\Delta_1$ , with which trace set  $U_1$  is associated. These comminstorders are consistent with our causality notion. Trace ba is an element of  $T_1$  and trace *ab* is an element of  $U_1$ . Nevertheless, these traces are not composable under  $F_1$ . This seems to be a problem: the question arises whether our composability operator, see definition 4.1, can be associated with our causality notion. We consider iobip F and trace t. We are not interested in whether  $t\,\mathbf{c}_F\,u$  holds for a particular trace u. But we are interested in whether  $(\mathbf{E}u : u \in U : t\,\mathbf{c}_F\,u)$  holds for some trace set U. Furthermore, trace set U is such that it is the union of trace sets that are associated with comminstorders, cf. subsection 2.2.3. As a consequence, if two comminstorders are consistent with our causality notion, then for every trace (t) in the trace set that is associated with one of these comminstorders there exists a trace (u) in the trace set that is associated with the other comminstorder such that these two traces are composable  $(t\,\mathbf{c}_F\,u)$ . This is why there is no problem in associating our composability operator with our causality notion. We illustrate this by example 4.14.

#### example 4.14

We consider components  $\Gamma_1$  and  $\Delta_1$ , trace sets  $T_1$  and  $U_1$ , and iobip  $F_1$ , see example 4.13. We notice that  $ba \in \mathbf{t}(\operatorname{ptr} \Gamma_1)$ ,  $ba \in T_1$ ,  $ba \in \mathbf{t}(\operatorname{ptr} \Delta_1)$ ,  $ba \in U_1$ , and  $ba\,\mathbf{c}_{F_1}\,ba$ . As a consequence,  $(\mathbf{E}u : u \in U_1 : ba\,\mathbf{c}_{F_1}\,u)$ . From this we find  $(\mathbf{E}t, u : t \in T_1 \wedge u \in U_1 : t\,\mathbf{c}_{F_1}\,u)$ . We conclude that the comminstorders with which  $T_1$  and  $U_1$  are associated are consistent with our causality notion.

# end of example

# remark 4.15

Since we are only interested in predicate ( $\mathbf{E} u : u \in U : t\mathbf{c}_F u$ ) for trace *t*, trace set *U*, and iobip *F*, we conclude that, in this way, we may associate the composability of traces in the trace theory formalism with our causality notion in our Communication Model.

# end of remark

The statement in remark 4.15 has been relied on by everyone who uses Udding's composability operator, see [Udding84], to model concurrent or parallel behavior.

# 4.1 Communication in channels

In this section we address the communication in channels. From subsection 2.2.4 we recall that a channel is a pair: an alphbip and a trace structure.

# 4.1.0 Delay-safe channels

We define the class  $D_4$  in order to formalize that a channel is "delay-safe", see definition 4.19.

# definition 4.16 D<sub>4</sub>

For trace structure T and alphbip D, the pair (T,D) is an element of  $D_4$  if and only if T is nonempty and prefix-closed and

 $T = \langle \mathbf{i}F \cup \mathbf{o}F, \{s, t, u: s \in \mathbf{t}T \land s\mathbf{c}_F t \land t\mathbf{c}_F u \land u \in \mathbf{t}T: t\} \rangle$ 

for some iobip F such that  $D = iF \oplus oF$ .

# end of definition

In definition 4.16 an iobip is needed in order to address the composability of traces; this is why there is an existential quantification over iobip F.

# remark 4.17

Property 4.18 shows that we need to consider only one iobip when proving that a "trace structure" – alphbip pair is not in  $D_4$ .

end of remark

# property 4.18

For trace structure T and iobip F such that  $aT = iF \cup oF$ ,

 $(\mathbf{t}T \neq \{s, t, u : s \in \mathbf{t}T \wedge s\,\mathbf{c}_F\,t \wedge t\,\mathbf{c}_F\,u \wedge u \in \mathbf{t}T : t\}) \Rightarrow (T, \mathbf{i}F \oplus \mathbf{o}F) \notin \mathbf{D}_4$ 

# end of property

In [Schols 85] we used the "Foam Rubber Wrapper Postulate" (see also remark 4.35) to give the definition of what we now call "delay-safe channel". Here we present an equivalent form of this definition, using the class  $D_4$ , cf. [Schols 85, Siccama 86, Verhoeff 85]. In section 4.0 we have shown that the composability of traces formalizes our causality notion ("no commsig is received before it has been sent"). Using class  $D_4$  we now define that *a channel is delay-safe*.

definition 4.19 *delay-safe channel* 

For channel  $\Theta$ , we call  $\Theta$  delay-safe if and only if

 $(ptr \Theta, ab\Theta) \in D_4$ 

end of definition

# 4.1.1 Delay-safe closure

The operator dsc yields the trace structure of the mathematical closure of a "trace structure" – alphbip pair within the class  $D_4$ .

#### definition 4.20 dsc

For trace structure T and alphbip D such that  $\mathbf{a}T=\mathbf{a}D$ , trace structure  $\operatorname{dsc}(T,D)$  is the smallest (w.r.t. trace structure inclusion) trace structure such that

 $T \subseteq \operatorname{dsc}(T,D) \land (\operatorname{dsc}(T,D),D) \in \mathbf{D}_4$ 

end of definition

Notice that in the definition above  $\mathbf{a}T = \mathbf{a}(\mathbf{dsc}(T,D))$ ; this follows from definition 1.18, "trace structure inclusion". In [Schols 85] we derived that such a unique minimum exists.

property 4.21

For trace structure T and alphbip D such that  $(T, D) \in \mathbf{D}_4$ ,

 $\operatorname{dsc}\left(T,D\right)=T$ 

end of property

remark 4.22

From property 4.21 we infer that, for every alphbip D, the function dsc(T,D) is idempotent in T, i.e.

dsc (dsc (T, D), D) = dsc (T, D)

end of remark

property 4.23 dsc is monotonic in its first argument

For trace structures T and U, and alphbip D such that  $\mathbf{a}T = \mathbf{a}D$  and  $\mathbf{a}U = \mathbf{a}D$ ,

 $(T \subseteq U) \Rightarrow (\operatorname{dsc}(T, D) \subseteq \operatorname{dsc}(U, D))$ 

end of property

We extend the definition of dsc to components and channels.

definition 4.24 dsc of component or channel

For component or channel  $\Theta$ , trace structure dsc $\Theta$  is defined by

 $\operatorname{dsc} \Theta \stackrel{\operatorname{def}}{=\!\!=} \operatorname{dsc} \left( \operatorname{ptr} \Theta, \operatorname{ab} \Theta \right)$ 

end of definition

property 4.25

For component  $\Gamma$ ,

 $\operatorname{dsc} \Gamma = \operatorname{dsc} \overline{\Gamma}$ 

end of property

definition 4.26 delay-safe closure of channel

For channel  $\Theta$  the channel DSC  $\Theta$  denotes the *delay-safe closure* of  $\Theta$ ; it is defined by

 $ab(DSC \Theta) \stackrel{def}{=} ab\Theta$ 

and

 $\mathbf{ptr}(\mathbf{DSC}\,\Theta)\stackrel{\mathrm{def}}{=\!\!\!=}\mathbf{dsc}\,\Theta$ 

end of definition

Given a channel  $\Theta$ , channel DSC $\Theta$  is the smallest (w.r.t. trace structure inclusion) delay-safe channel such that  $ptr \Theta \subseteq dsc \Theta$ .

#### remark 4.27

Given is a channel  $\Theta$  that is not delay-safe. Now dsc $\Theta$  can be associated with the communication in  $\Theta$  instead of ptr $\Theta$ . This is formalized in definition 4.26, "delay-safe closure of channel".

### end of remark

We have no interpretation for the "delay-safe closure of a component", cf. remark 4.59 and example 4.58. For this reason we do not define it.

From property 4.21 we derive that DSC is idempotent, see also remark 4.22.

property 4.28 DSE is idempotent

For channel  $\Theta$ ,

 $DSC(DSC\Theta) = DSC\Theta$ 

end of property

# 4.2 Communication behavior of components

In this section we concentrate on the communication behavior of components that communicate delay-safely. We have one correctness concern: absence of computation interference hazard. We shall show that delay-safe communication may restrict the communication behavior of a component, when absence of computation interference hazard is a correctness concern.

# 4.2.0 Computation interference hazard

We extend definition 3.5, "NCIHA", and definition 3.8, "NCIH", to indirect connections.

### definition 4.29 NCIHADS

Given are i/o-connectable components  $\Gamma$  and  $\Delta$ . Let iobip F be such that  $iF = i\Gamma \cap o\Delta$  and  $oF = o\Gamma \cap i\Delta$ . By  $\Gamma NCIHADS \Delta$ , we denote that there is no computation interference hazard at  $\Delta$ , when  $\Gamma$  and  $\Delta$  have an indirect connection;  $\Gamma NCIHADS \Delta$  is defined by

$$\Gamma NCIHADS \Delta \stackrel{\text{def}}{=} (\mathbf{A} t, u, a : t \in t(\text{ptr} \Gamma) \land u \in t(\text{ptr} \Delta) \land a \in \mathbf{o}F \\ \land (t | (\mathbf{a} \Gamma \cap \mathbf{a} \Delta)) \mathbf{c}_F(u | (\mathbf{a} \Gamma \cap \mathbf{a} \Delta)) \land \#_a t > \#_a u \\ : ua \in t(\text{ptr} \Delta)$$

#### end of definition

Given that  $\Gamma$  and  $\Delta$  have an indirect connection, the condition  $(t \mid (\mathbf{a} \Gamma \cap \mathbf{a} \Delta))\mathbf{c}_F(u \mid (\mathbf{a} \Gamma \cap \mathbf{a} \Delta))$  in definition 4.29 reflects that t and u are consistent with our causality notion. Definition 4.29 reflects that  $\Delta$  accepts every commsig that it may receive.

Using definition 4.29, "*NCIHADS*", we define absence of computation interference hazard when the connection is indirect.

### definition 4.30 computation interference hazard for indirect connection

Given are i/o-connectable components  $\Gamma$  and  $\Delta$ . That  $\Gamma$  and  $\Delta$  have no computation interference hazard when they have an indirect connection, which is denoted by  $\Gamma NCIHDS \Delta$ , is defined by

 $\Gamma NCIHDS \Delta \stackrel{\text{def}}{=} (\Gamma NCIHADS \Delta) \wedge (\Delta NCIHADS \Gamma)$ 

end of definition

"Computation interference hazard <u>at</u> one component for indirectly connected components" and "computation interference hazard for indirectly connected components" have been defined first by Verhoeff, cf. [Verhoeff85]. From definition 4.30, "computation interference hazard for indirect connection", follows the symmetry of *NCIHDS*.

property 4.31 symmetry of NCIHDS

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

 $\Gamma\ NCIHDS\ \Delta = \Delta\ NCIHDS\ \Gamma$ 

#### end of property

Since indirect connections are used to model nonnegative delays, whereas direct connections are used to model zero delays only, we find the relations between "computation interference hazard for indirectly connected components" and "computation interference hazard for directly connected components" shown in property 4.32.

#### property 4.32

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

(i)  $\Gamma NCIHADS \Delta \Rightarrow \Gamma NCIHA \Delta$ 

(ii)  $\Gamma NCIHDS \Delta \Rightarrow \Gamma NCIH \Delta$ 


#### end of property

In general, implications from right to left in property 4.32 do not hold, see example 4.33.

#### example 4.33

We consider component  $\Gamma_2$  that is defined by

$$\mathbf{i}\Gamma_2 \stackrel{\mathrm{def}}{=} \emptyset, \quad \mathbf{o}\Gamma_2 \stackrel{\mathrm{def}}{=} \{a, b\}, \quad \mathbf{t}(\mathbf{ptr}\Gamma_2) \stackrel{\text{def}}{=} \{\varepsilon, a, ab\}, \\ \mathbf{o}\Delta_2 \stackrel{\mathrm{def}}{=} \emptyset, \quad \mathbf{i}\Delta_2 \stackrel{\mathrm{def}}{=} \{a, b\}, \quad \mathbf{t}(\mathbf{ptr}\Delta_2) \stackrel{\text{def}}{=} \{\varepsilon, a, ab\}.$$

We see that  $\Gamma_2 NCIHA \Delta_2$ , but not  $\Gamma_2 NCIHADS \Delta_2$ . Furthermore, we see that  $\Gamma_2 NCIH \Delta_2$ , but not  $\Gamma_2 NCIHDS \Delta_2$ .

# end of example

In chapters 4, 5, and 6 we present more properties that show relations between NCIHA and NCIHADS and between NCIH and NCIHDS.

# 4.2.1 Delay-safe enclosure

We are interested in the communication behavior of a component, say  $\Gamma$ , that has an indirect connection with its environment, say  $\Delta$ . In order to study this communication behavior and the communication between  $\Gamma$  and  $\Delta$ , we introduce the notion *delay-safe enclosure* of a component. The delay-safe enclosure of component  $\Gamma$  is a component. It is denoted by DSE  $\Gamma$ . Using the delay-safe enclosure, we learn about the indirect connection of  $\Gamma$  and  $\Delta$  by studying the direct connection of DSE  $\Gamma$  and DSE  $\Delta$ , see figure 4.5.



figure 4.5 Components  $\Gamma$  and  $\Delta$  and their delay-safe enclosures.

We will define the delay-safe enclosure such that the indirectly connected components  $\Gamma$  and  $\Delta$  communicate delay-safely and have absence of computation interference hazard, if and only if the directly connected components DSE  $\Gamma$  and DSE  $\Delta$  have absence of computation interference hazard, see theorem 4.56.

The reflection of the delay-safe enclosure of a component, say  $\Gamma$ , can be interpreted as an environment of  $\Gamma$  that is able to communicate delay-safely with  $\Gamma$ , see figure 4.6.



figure 4.6 Components  $\Gamma$  and  $\overline{\text{DSE }\Gamma}$ .

For component  $\Gamma$ , component  $\overline{\text{DSE}\Gamma}$  is the maximal (w.r.t. trace structure inclusion) partner of  $\Gamma$ ; when  $\Gamma$  and  $\overline{\text{DSE}\Gamma}$  are indirectly connected, they have no computation interference hazard, see definition 4.34.

#### definition 4.34 delay-safe enclosure

For component  $\Gamma$ , we define the *delay-safe enclosure* of  $\Gamma$ , denoted by DSE  $\Gamma$ , as the maximal (w.r.t. trace structure inclusion) component such that

- (i)  $\mathbf{io}\Gamma = \mathbf{io}(DSE\,\Gamma)$
- (ii)  $\Gamma\ NCIHDS\ \overline{DSE\,\Gamma}$
- (iii)  $(\mathbf{A}a, t : a \in \mathbf{i}(\overline{DSE\,\Gamma}) \wedge ta \in \mathbf{t}(\mathbf{ptr}(\overline{DSE\,\Gamma})) : (\mathbf{E}s : s \in \mathbf{t}(\mathbf{ptr}\Gamma) : s\,\mathbf{c}_{\mathbf{io}\Gamma}\,ta))$

end of definition

The existence of the maximum in definition 4.34, "delay-safe enclosure", above follows from the "delay-safe enclosure" theorem 4.45. Requirement (iii) in definition 4.34, "delay-safe enclosure", restricts in the traces of  $\overline{DSE\Gamma}$  the occurrences of symbols  $a \in i(\overline{DSE\Gamma})$  to those occurrences that are associated with the reception by  $\overline{DSE\Gamma}$  of commsigs that may have been sent by  $\Gamma$ . In requirement (iii) there is no need to quantify over symbols  $a \in o(\overline{DSE\Gamma})$ , since their occurrences in traces of ptr( $\overline{DSE\Gamma}$ ) are restricted by requirement (ii).

# remark 4.35

Molnar introduced the metaphor "a component wrapped in a *Foam Rubber Wrapper*" for a component that communicates delay-safely, cf. [Schols 85]. Readers that are familiar with this metaphor will recognize the delay-safe enclosure as its formalization.

### end of remark

For component  $\Gamma$  we define trace structure dse $\Gamma$ . It will turn out that this is the trace structure of the delay-safe enclosure of  $\Gamma$ , see theorem 4.45.

#### definition 4.36 dse

For component  $\Gamma$ , we define trace structure dse  $\Gamma$  recursively by

- (i)  $a(dse\Gamma) \stackrel{\text{def}}{=} a(ptr\Gamma)$
- (ii)  $\varepsilon \in t(dse\Gamma)$
- (iii) for trace x and symbol a such that  $x \in \mathbf{t}(\mathbf{dse}\Gamma)$ ,  $a \in \mathbf{o}\Gamma$ , and  $(\mathbf{E}s : s \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge s\,\mathbf{c}_{\mathbf{io}\Gamma}\,x : \#_a s > \#_a x)$ ,  $xa \in \mathbf{t}(\mathbf{dse}\Gamma)$
- (iv) for trace x and symbol a such that  $x \in \mathbf{t}(\mathbf{dse}\Gamma)$ ,  $a \in \mathbf{i}\Gamma$ , and  $(\mathbf{A}s, b : s \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge b \in \mathbf{i}\Gamma \wedge s\,\mathbf{c}_{\mathbf{io}\Gamma}\,xa \wedge \#_b s < \#_b(xa) : sb \in \mathbf{t}(\mathbf{ptr}\Gamma))$ ,  $xa \in \mathbf{t}(\mathbf{dse}\Gamma)$
- (v) completeness axiom:  $\mathbf{t}(\mathbf{dse}\Gamma)$  contains no elements that are not required by (ii), (iii), or (iv).

### end of definition

In definition 4.34 (ii) absence of computation interference hazard between the indirectly connected  $\Gamma$  and  $\overline{DSE\Gamma}$  has been required. In definition 4.36, (iii) reflects that a component may produce any output whenever this output is enabled, and, hence,  $\overline{DSE\Gamma}$  accepts any input from  $\Gamma$ , whenever it receives this input. Furthermore, (iv) reflects that  $\Gamma$  accepts all inputs it might receive from  $\overline{DSE\Gamma}$ , and, hence,  $\overline{DSE\Gamma}$  does not produce any output unless  $\Gamma$  is able to accept it. In addition to this, the quantification over input b in (iv) reflects that  $\overline{DSE\Gamma}$ may only produce an output when this will not prevent  $\Gamma$  from accepting all inputs that it might receive from  $\overline{DSE\Gamma}$ , cf. example 4.37.

#### example 4.37

We consider component  $\Gamma_3$ , see figure 4.7.



figure 4.7 State graph of component  $\Gamma_{3}$ .

Using definition 4.36, "dse", we find that  $\mathbf{t}(\mathbf{dse}\,\Gamma_3) = \{\varepsilon, a, b\}$ . Let symbols a and b be associated with commsigs  $\alpha_1$  and  $\beta_1$ , respectively. We notice that trace ab is not a member of trace set  $\mathbf{t}(\mathbf{dse}\,\Gamma_3)$ , despite that  $\Gamma_3$  will accept  $\beta_1$ . The reason for the absence of ab is that  $\Gamma_3$  might receive  $\beta_1$  first; hereafter  $\Gamma_3$  will not accept  $\alpha_1$  any more.

# end of example
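As an added, executable model of the notions in this section (constructed example code, neither the thesis's nor Verhoeff's or Udding's): `composable` implements  $t\,\mathbf{c}_F\,u$  from Verhoeff's requirements (i) and (ii) as paraphrased after example 4.4, pairing the k-th send of a symbol with its k-th reception and rejecting backward intersections; definition 4.1 itself is not reproduced on this page, so that reading is an assumption, checked here only against examples 4.4, 4.8 and 4.13 and against properties 4.9 and 4.10 on short traces. `delay_safe` tests membership of  $\mathbf{D}_4$  for one iobip (definition 4.16, property 4.18), `nciha_ds` is definition 4.29, and `dse` is the construction of definition 4.36, cut off at an assumed maximum trace length because  $\mathbf{t}(\mathbf{dse}\Gamma)$  may be infinite. The dictionaries GAMMA_1, DELTA_1, GAMMA_2 and DELTA_2 are constructed from examples 4.13 and 4.33; traces are strings, one character per symbol.

```python
"""Composability of traces, D_4 membership, NCIHADS and dse on finite
prefix-closed trace sets.  Added example code; not from the thesis."""
from itertools import product


def _pos(trace, sym):
    """1-based positions of the successive occurrences of sym in trace."""
    return [i + 1 for i, x in enumerate(trace) if x == sym]


def composable(t, u, out, inp):
    """t c_F u for iobip F with oF = out, iF = inp: symbols of `out` travel
    from t to u, symbols of `inp` from u to t.  The k-th send of a symbol is
    paired with its k-th reception (one arrow of the composability diagram)."""
    arrows = {"out": [], "in": []}
    for sym in out:
        sent, recv = _pos(t, sym), _pos(u, sym)
        if len(recv) > len(sent):         # requirement (i): received, never sent
            return False
        arrows["out"] += zip(sent, recv)  # (send pos in t, receive pos in u)
    for sym in inp:
        sent, recv = _pos(u, sym), _pos(t, sym)
        if len(recv) > len(sent):
            return False
        arrows["in"] += zip(sent, recv)   # (send pos in u, receive pos in t)
    # requirement (ii): two commsigs travelling in opposite directions may not
    # both be received before either of them was sent (backward intersection).
    return not any(qa < pb and qb < pa for (pa, qa), (pb, qb)
                   in product(arrows["out"], arrows["in"]))


def _words(alphabet, max_len):
    return [""] + ["".join(w) for n in range(1, max_len + 1)
                   for w in product(sorted(alphabet), repeat=n)]


def delay_safe(traces, out, inp):
    """(T, iF (+) oF) in D_4 (definition 4.16), tested for the one iobip F
    given, which suffices to refute membership (property 4.18).  A trace t
    with s c t and t c u has at most |s| + |u| symbols, so the search is finite."""
    bound = 2 * max(len(s) for s in traces)
    closure = {t for t in _words(out | inp, bound)
               if any(composable(s, t, out, inp) and composable(t, u, out, inp)
                      for s in traces for u in traces)}
    return closure == set(traces)


def nciha_ds(gamma, delta):
    """gamma NCIHADS delta (definition 4.29): delta accepts every commsig it
    may receive from gamma over an indirect (nonnegative-delay) connection."""
    common = (gamma["in"] | gamma["out"]) & (delta["in"] | delta["out"])
    out, inp = gamma["out"] & delta["in"], gamma["in"] & delta["out"]
    restrict = lambda trace: "".join(x for x in trace if x in common)
    for t, u, a in product(gamma["traces"], delta["traces"], out):
        if (composable(restrict(t), restrict(u), out, inp)
                and t.count(a) > u.count(a) and u + a not in delta["traces"]):
            return False
    return True


def dse(gamma, max_len):
    """t(dse gamma) by the construction of definition 4.36, cut off at traces
    of length max_len because the set may be infinite (example 4.63)."""
    out, inp, ptr = gamma["out"], gamma["in"], gamma["traces"]
    found, todo = {""}, [""]
    while todo:
        x = todo.pop()
        if len(x) == max_len:
            continue
        for a in out | inp:
            xa = x + a
            if a in out:   # clause (iii): some trace of gamma may still emit a
                ok = any(composable(s, x, out, inp) and s.count(a) > x.count(a)
                         for s in ptr)
            else:          # clause (iv): every input gamma might then get is accepted
                ok = all(s + b in ptr for s in ptr for b in inp
                         if composable(s, xa, out, inp) and s.count(b) < xa.count(b))
            if ok and xa not in found:
                found.add(xa)
                todo.append(xa)
    return found


def check_properties(max_len=3):
    """Property 4.9 (t c_F u = u c_{F-bar} t) and property 4.10 (transitivity),
    checked exhaustively on traces over {a, b} with oF = {a}, iF = {b}."""
    out, inp, ws = {"a"}, {"b"}, _words({"a", "b"}, max_len)
    sym = all(composable(t, u, out, inp) == composable(u, t, inp, out)
              for t, u in product(ws, repeat=2))
    trans = all(composable(s, u, out, inp) for s, t, u in product(ws, repeat=3)
                if composable(s, t, out, inp) and composable(t, u, out, inp))
    return sym and trans


# Constructed from examples 4.13 and 4.33 (closed connections, all symbols shared).
GAMMA_1 = {"in": {"b"}, "out": {"a"}, "traces": {"", "b", "ba"}}
DELTA_1 = {"in": {"a"}, "out": {"b"}, "traces": {"", "a", "b", "ab", "ba"}}
GAMMA_2 = {"in": set(), "out": {"a", "b"}, "traces": {"", "a", "ab"}}
DELTA_2 = {"in": {"a", "b"}, "out": set(), "traces": {"", "a", "ab"}}
```

`dse(GAMMA_2, 4)` yields {ε, a, b, ab, ba}: over an indirect connection the two outputs of  $\Gamma_2$  may overtake each other, which is exactly why  $\Gamma_2\ NCIHADS\ \Delta_2$  fails in example 4.33, and `nciha_ds` applied to a component with trace set `dse(GAMMA_2, 4)` and to DELTA_2 fails as well, as property 4.54 (i) requires. For  $\Gamma_1$  of example 4.13, `dse` returns the component's own trace set and `delay_safe` accepts it, in line with lemma 4.52, whereas `delay_safe` rejects the trace set of  $\Gamma_2$ .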

We illustrate definition 4.36, "dse", by calculating dse for some components introduced in chapter 2.

#### example 4.38

We consider component  $\Gamma_w$ , see example 2.47. From definition 4.36, "dse", we conclude that dse  $\Gamma_w = ptr \Gamma_w$ , see figure 4.8.



figure 4.8 State graph of trace structures  $ptr(\Gamma_w)$  and dse  $\Gamma_w$ .

end of example

#### example 4.39

We consider component  $\Gamma_{af}$ , see example 2.49 and figure 4.9a. Using definition 4.36, "dse", we calculate dse  $\Gamma_{af}$ , see figure 4.9b.



figure 4.9a, figure 4.9b State graphs of component  $\Gamma_{af}$  (figure 4.9a) and trace structure dse  $\Gamma_{af}$  (figure 4.9b).

We notice that dse  $\Gamma_{af} = \mathbf{ptr}\,\Gamma_f$ , see example 2.49.

end of example

The following properties and lemmas are used in the proof of theorem 4.45, "delay-safe enclosure".

#### property 4.40

For component  $\Gamma$ ,

- (i)  $\varepsilon \in t(dse\Gamma)$
- (ii) dse  $\Gamma$  is prefix-closed

end of property

property 4.41

For component  $\Gamma$ ,

 $(\mathbf{A}s, b, x : s \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge b \in \mathbf{i}\Gamma \wedge sb\,\mathbf{c}_{\mathbf{io}\Gamma}\,x \wedge x \in \mathbf{t}(\mathbf{dse}\Gamma) : sb \in \mathbf{t}(\mathbf{ptr}\Gamma))$ 

end of property

Property 4.42 will be used in theorem 4.45 to reflect that there is absence of computation interference hazard between indirectly connected components  $\Gamma$  and  $\overline{\text{DSE }\Gamma}$ .

property 4.42

Given is component  $\Gamma$ . Let  $\Delta$  be a component such that  $io \Delta = io \overline{\Gamma}$ and  $ptr \Delta = dse \Gamma$ . Now,

 $\Gamma NCIHDS \Delta$ 

end of property

lemma 4.43

For component  $\Gamma$ ,

 $(\mathbf{A}t: t \in \mathbf{t}(\mathsf{dse}\Gamma): (\mathbf{E}s: s \in \mathbf{t}(\mathsf{ptr}\Gamma): s\mathbf{c}_{\mathsf{io}\Gamma}t))$ 

end of lemma

lemma 4.44

For components  $\Gamma$  and  $\Delta$  such that io  $\Gamma$  = io  $\Delta$  and  $\overline{\Delta}$  NCIHADS  $\Gamma$ ,

 $(\mathbf{A} s, t: s \in \mathbf{t}(\mathbf{ptr} \Gamma) \land t \in \mathbf{t}(\mathbf{ptr} \Delta) \setminus \mathbf{t}(\mathbf{dse} \Gamma): \neg (s\mathbf{c}_{\mathbf{i} o \Gamma} t))$ 

end of lemma

Now, we can link trace structure dse  $\Gamma$  to component DSE  $\Gamma$ .

theorem 4.45 delay-safe enclosure

For component  $\Gamma$ ,

 $ptr(DSE\Gamma) = dse\Gamma$ 

end of theorem

#### remark 4.46

The operator dse is equal to Verhoeff's operator  $\hat{}$ , cf. [Verhoeff85]. We consider component  $\Gamma$ ; in our terminology, Verhoeff considers all components  $\Delta$  with  $\Delta NCIHDS \Gamma$  and  $\mathbf{io}\Delta = \mathbf{io}\overline{\Gamma}$ . He defines dse  $\Gamma$  as the union of the trace structures of the channels between each such  $\Delta$  and  $\Gamma$ . Our definition is constructive: starting from  $\varepsilon$ , every trace of  $\mathbf{t}(\mathbf{dse}\Gamma)$  can be constructed in the way described in definition 4.36, "dse".

end of remark

#### remark 4.47

The following example illustrates that, for component  $\Gamma$ , ptr  $\Gamma$  and dse  $\Gamma$  are, in general, not ordered with respect to trace structure inclusion, see also [van der Veeken 87]; Chen, Udding, and Verhoeff have defined a different, more complex order with respect to which ptr  $\Gamma$  and dse  $\Gamma$  are ordered, see [Chen-Udding-Verhoeff 89].

#### end of remark

#### example 4.48

We consider component  $\Gamma_4$ , see figure 4.10.



figure 4.10 State graph of component  $\Gamma_4$ .

Using definition 4.36, "dse", we calculate  $dse \Gamma_4$ ; io(DSE  $\Gamma_4$ ) = io  $\Gamma_4$ ; trace set t(dse  $\Gamma_4$ ) is shown in figure 4.11.



figure 4.11 State graph of trace set  $t(dse \Gamma_4)$ .

Let iobip  $F_4$  be such that  $F_4 = \mathbf{io}\Gamma_4$ . From  $ab\,\mathbf{c}_{F_4}\,b$  follows  $b \in \mathbf{t}(\mathbf{dse}\Gamma_4)$ , cf. definition 4.34 (iii). Analogously, from  $ab\,\mathbf{c}_{F_4}\,ba$  follows  $ba \in \mathbf{t}(\mathbf{dse}\Gamma_4)$ . We see that the ordering of a and b is lost. We conclude that  $\neg(\mathbf{dse}\Gamma_4 \subseteq \mathbf{ptr}\Gamma_4)$ . Furthermore, from  $a\,\mathbf{c}_{F_4}\,c$ ,  $a \in \mathbf{t}(\mathbf{ptr}\Gamma_4)$  and  $ac \notin \mathbf{t}(\mathbf{ptr}\Gamma_4)$  follows  $c \notin \mathbf{t}(\mathbf{dse}\Gamma_4)$ , cf. definition 4.36 (iv). We conclude that  $\neg(\mathbf{ptr}\Gamma_4 \subseteq \mathbf{dse}\Gamma_4)$ .

end of example

# 4.2.2 Properties of the delay-safe enclosure

In this subsection we present some properties of DSE. Of course, see theorem 4.45, "delay-safe enclosure", we also present some properties of dse.

#### lemma 4.49

For component  $\Gamma$ ,

 $(\mathbf{A}t : t \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge (\mathbf{E}y : y \in \mathbf{t}(\mathbf{dse}\Gamma) : t\,\mathbf{c}_{\mathbf{io}\Gamma}\,y) : t \in \mathbf{t}(\mathbf{dse}\Gamma))$ 

### end of lemma

From lemma 4.49 we infer property 4.50.

#### property 4.50

For component  $\Gamma$ ,

 $(\mathbf{A}t : t \in \mathbf{t}(\mathbf{ptr}\Gamma) : (\mathbf{E}y : y \in \mathbf{t}(\mathbf{dse}\Gamma) : t\,\mathbf{c}_{\mathbf{io}\Gamma}\,y)) \Rightarrow \mathbf{ptr}\Gamma \subseteq \mathbf{dse}\Gamma$ 

end of property

lemma 4.51

For component  $\Gamma$ ,

 $(\operatorname{dse}\Gamma, \operatorname{ab}\Gamma) \in \mathbf{D}_4$ 

end of lemma

lemma 4.52

For component  $\Gamma$ ,

 $((\mathbf{ptr}\,\Gamma, \mathbf{ab}\Gamma) \in \mathbf{D}_4) = (\mathbf{dse}\,\Gamma = \mathbf{ptr}\,\Gamma)$ 

end of lemma

From theorem 4.45, "delay-safe enclosure", lemma 4.51, and lemma 4.52 we infer property 4.53.

property 4.53 DSE is idempotent

For component  $\Gamma$ ,

 $DSE(DSE\,\Gamma) = DSE\,\Gamma$ 

end of property

# 4.2.2.0 Computation interference hazard

In this subsection we present some properties about the delay-safe enclosure and computation interference hazard.

# property 4.54

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

- (i)  $\Gamma NCIHADS \Delta = (DSE \Gamma) NCIHADS \Delta$
- (ii)  $\Gamma NCIHADS \Delta = \Gamma NCIHADS (DSE \Delta)$
- (iii)  $\Gamma NCIHDS \Delta = (DSE \Gamma) NCIHDS \Delta$

# end of property

The delay-safe enclosure enables us to express "(input) computation interference hazard when the communication is delay-safe" in terms of "(input) computation interference hazard". In order to do this we substitute one of the components by its delay-safe enclosure, see property 4.55 (iii).

# property 4.55

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

- (i)  $\Gamma NCIHADS \Delta = (DSE \Gamma) NCIHA \Delta$
- (ii)  $\Gamma NCIHADS \Delta = \Gamma NCIHA (DSE \Delta)$
- (iii)  $\Gamma NCIHDS \Delta = (DSE \Gamma)NCIH \Delta$

# end of property

From property 4.54 (iii) and property 4.55 (iii) we conclude that the delay-safe enclosure has been defined such that the indirectly connected components  $\Gamma$  and  $\Delta$  communicate delay-safely and have absence of computation interference hazard, if and only if the directly connected components DSE  $\Gamma$  and DSE  $\Delta$  have absence of computation interference hazard, cf. theorem 4.56.

# theorem 4.56

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

 $\Gamma NCIHDS \Delta = (DSE \Gamma) NCIH (DSE \Delta)$ 

end of theorem

# 4.2.2.1 Trace structure inclusion

In this subsection we present some examples that show some properties of trace structures  $ptr\Gamma$ ,  $dse\Gamma$ , and  $dsc\Gamma$ , for component  $\Gamma$ .

# remark 4.57

In general, the delay-safe enclosure is not monotonic w.r.t. trace structure inclusion, as is shown in example 4.58 and in example 4.81.

# end of remark

#### example 4.58

We consider component  $\Gamma_5$ ; the state graph of  $\Gamma_5$  is given in figure 4.12.



figure 4.12 State graph of component  $\Gamma_{5}$ .

The state graph of trace structure  $\operatorname{dsc}\Gamma_5$  is given in figure 4.13.



figure 4.13 State graph of trace structure  $\operatorname{dsc}\Gamma_{5}$ .

The state graph of component  $DSE \Gamma_5$  is given in figure 4.14.



figure 4.14 State graph of component DSE  $\Gamma_5$ .

We see that  $cba \notin t(dsc \Gamma_5)$  and  $cba \in t(dse \Gamma_5)$ .

Let component  $\Delta_5$  be such that  $io \Delta_5 = io \Gamma_5$  and  $ptr \Delta_5 = dsc \Gamma_5$ . From  $(ptr \Delta_5, ab\Gamma_5) \in \mathbf{D}_4$  and lemma 4.52 it follows that  $dse \Delta_5 = ptr \Delta_5$ . Now, it can be seen that  $\neg (dse \Gamma_5 \subseteq dse \Delta_5)$ ; nevertheless,  $ptr \Gamma_5 \subseteq ptr \Delta_5$ .

end of example

# remark 4.59

In general,  $\neg(\operatorname{dse} \Gamma \subseteq \operatorname{dsc} \Gamma)$ , for component  $\Gamma$ , see example 4.58; however, there exist components  $\Gamma$  for which dse  $\Gamma \subset \operatorname{dsc} \Gamma$ , see example 4.60.

end of remark

# example 4.60

We consider component  $\Gamma_{lubc}$ , see example 2.50. The state graph of  $\Gamma_{lubc}$  is shown in figure 4.15. The state graph of trace structure dsc  $\Gamma_{lubc}$  is shown in figure 4.16.

figure 4.15 State graph of component  $\Gamma_{lubc}$ .

figure 4.16 State graph of trace structure dsc  $\Gamma_{lubc}$ .

The state graph of component DSE  $\Gamma_{lubc}$  is shown in figure 4.17.

figure 4.17 State graph of component DSE  $\Gamma_{lubc}$ .

Despite  $ca \in \mathbf{t}(\mathbf{ptr}\,\Gamma_{lubc})$ , ca is not an element of  $\mathbf{t}(\mathbf{dse}\,\Gamma_{lubc})$ , because  $ac \notin \mathbf{t}(\mathbf{ptr}\,\Gamma_{lubc})$ , cf. definition 4.36 (iv). We notice that  $\mathbf{dse}\,\Gamma_{lubc} \subset \mathbf{dsc}\,\Gamma_{lubc}$  (i.e.  $\mathbf{dse}\,\Gamma_{lubc} \subseteq \mathbf{dsc}\,\Gamma_{lubc}$  and  $\mathbf{dse}\,\Gamma_{lubc} \neq \mathbf{dsc}\,\Gamma_{lubc}$ ).

end of example

#### example 4.61

We consider component  $\Gamma_{bc}$ , see example 2.50. The state graph of component DSE  $\Gamma_{bc}$  is shown in figure 4.18.



figure 4.18 State graph of component DSE  $\Gamma_{bc}$ .

We see that DSE  $\Gamma_{bc} = \Gamma_{2w}$ , see example 2.50. Furthermore, using definition 4.24, "dsc of component or channel", we find that dse  $\Gamma_{bc} = \operatorname{dsc}\Gamma_{bc}$ .

end of example

# 4.2.2.2 Regularity and choice

In this subsection we present some examples to illustrate some properties of the delay-safe enclosure.

#### remark 4.62

Example 4.63 shows that the delay-safe enclosure does not preserve regularity.

### end of remark

### example 4.63 DSE does not preserve regularity

We consider component $\Gamma_6$, see figure 4.19.



figure 4.19 State graph of component  $\Gamma_6$ .

Since the number of states of $\Gamma_6$ is finite, the state graph of component $\Gamma_6$ is regular, see subsection 1.4.2. Using definition 4.36, "dse", we infer that

$$(\mathbf{A} n : n \in \mathbb{N} : (a^n b^n \in \mathbf{t}(\operatorname{dse} \Gamma_6)) \land (a^n b^{n+1} \notin \mathbf{t}(\operatorname{dse} \Gamma_6))),$$

where  $a^n$  denotes the trace that consists of *n* symbols that are all equal to *a*. We notice that the number of states of  $dse \Gamma_6$  is infinite. Using theorem 4.45, "delay-safe enclosure", we conclude that the state graph of component DSE  $\Gamma_6$  is not regular.

Analogously, the regularity of the state graphs of components  $\Gamma_{or}$  and  $\Gamma_{and}$ , see example 2.51, and  $\Gamma_{maj}$ , see example 2.52, is not preserved by DSE.

# end of example

#### remark 4.64

Example 4.65 shows that the delay-safe enclosure does <u>not</u> preserve "absence of choice between outputs".

# end of remark

### example 4.65

We consider component  $\Gamma_7$ ; the state graph of  $\Gamma_7$  is shown in figure 4.20.



figure 4.20 State graph of component  $\Gamma_7$ .

The state graph of component DSE  $\Gamma_7$  is shown in figure 4.21.



figure 4.21 State graph of component DSE $\Gamma_7$.

Whereas in  $\Gamma_7$  "no outputs disable each other", in DSE  $\Gamma_7$  this does not hold:  $abc \in t(dse \Gamma_7)$  and  $abd \in t(dse \Gamma_7)$ , but  $abcd \notin t(dse \Gamma_7)$  and  $abdc \notin t(dse \Gamma_7)$ . In example 4.67 we will refer to  $dsc \Gamma_7$ ; for this reason we present this trace structure in figure 4.22.



figure 4.22 State graph of trace structure $dsc \Gamma_7$.

Notice that *abc* has no successor in $t(dsc \Gamma_7)$.

### end of example

### remark 4.66

In example 4.67 we present two components that have the same dsc but different dse .

### end of remark

#### example 4.67

We consider components  $\Gamma_8$  and  $\Delta_8$ ;  $\Gamma_8$  is equal to component  $\Gamma_7$  in example 4.65.  $\Delta_8$  has two inputs *a* and *b*, and two outputs *c* and *d*. The state graph of component  $\Delta_8$  is shown in figure 4.23.



figure 4.23 State graph of component  $\Delta_8$ .

Notice that the state graph of  $\Delta_8$  is almost equal to the state graph of component  $\Gamma_8$ . From definition 4.24, "dsc of component or channel", we infer that dsc  $\Delta_8 = \text{dsc }\Gamma_8$ , see figure 4.22.



figure 4.24 State graph of  $t(dse \Delta_8)$ .

In figure 4.24 we show the state graph of trace set $t(dse \Delta_8)$. Let iobip $F_8$ be such that $io F_8 = io \Gamma_8$. Using definition 4.36 (iv), we infer from $bca \, c_{F_8} \, ab$, $bc \in t(ptr \Delta_8)$, and $bca \notin t(ptr \Delta_8)$, that $ab \notin t(dse \Delta_8)$. Using that $ab \in t(dse \Gamma_8)$, we conclude that $dse \Gamma_8 \neq dse \Delta_8$, whereas $dsc \Gamma_8 = dsc \Delta_8$.

### end of example

### 4.2.3 Behavior of delay-safely communicating components

In remark 4.47 we noticed that, in general, ptr $\Gamma$ and dse $\Gamma$ are not ordered with respect to trace structure inclusion. This is due to the fact that the boundaries at which components $\Gamma$ and DSE $\Gamma$ are interpreted do not coincide, cf. figure 4.5. In this subsection we are interested in the impact of delay-safe communication on the communication behavior of a component. We define the *maximal communication behavior of a component that communicates delay-safely*, i.e. the maximal communication behavior of the component at the commports of the <u>component</u> when the component has an indirect connection with its environment and there is absence of computation interference hazard between them. The "maximal communication behavior of component $\Gamma$ that communicates delay-safely" is a component. It is denoted by CBDS $\Gamma$. Components $\Gamma$ and CBDS $\Gamma$ are interpreted at the same boundary, see figures 4.25 and 4.26.



figure 4.25 Components  $\Gamma$  and  $\Delta$ .



figure 4.26 Components CBDS  $\Gamma$  and  $\Delta$ .

We consider the indirectly connected components $\Gamma$ and $\Delta$ that communicate delay-safely and have absence of computation interference hazard. Let, at some moment, trace *t* be associated with a comminstorder of $\Gamma$ and trace *u* be associated with a comminstorder of $\Delta$ such that *t* and *u* are consistent with our causality notion. We will define CBDS such that $t \in t(ptr(CBDS\Gamma))$, $u \in t(ptr(CBDS\Delta))$, and $t \, c_{io\Gamma} \, u$; this is formally expressed by theorem 4.77. Furthermore, for every trace $t \in t(ptr(CBDS\Gamma))$ there exists a component $\Delta$ (e.g. $\overline{DSE\Gamma}$) and a trace $u \in t(ptr\Delta)$ such that $\Gamma$ and $\Delta$ communicate delay-safely without computation interference hazard, and, at some moment, *t* is associated with the order of comminsts at the commports of $\Gamma$, *u* is associated with the order of comminsts at the commports of $\Delta$, and *t* and *u* are consistent with our causality notion; this is formally expressed by property 4.78.

### definition 4.68 maximal communication behavior for delay-safe communication

For component $\Gamma$, we define the maximal communication behavior of $\Gamma$ when $\Gamma$ communicates delay-safely, denoted by CBDS $\Gamma$, as the maximal (w.r.t. trace structure inclusion) component such that

- (i)  $io(CBDS \Gamma) = io\Gamma$
- (ii)  $ptr(CBDS\Gamma) \subseteq ptr\Gamma$
- (iii) $(\mathbf{A}a, s: a \in i\Gamma \land sa \in t(ptr(\mathbf{CBDS}\Gamma)): (\mathbf{E}t: t \in t(dse\Gamma): sa \, c_{io\Gamma} \, t))$

### end of definition

The existence of the maximum in definition 4.68, "maximal communication behavior for delay-safe communication", follows from theorem 4.74. In requirement (iii) of definition 4.68 we restrict the communication behavior of CBDS  $\Gamma$  by eliminating traces that are not composable under iobip io  $\Gamma$  with any trace of dse  $\Gamma$ . In requirement (iii) we do not quantify over symbols  $a \in o \Gamma$ , since there is no way to prevent a component from sending commsigs, cf. subsections 2.2.3, 2.1.4, and 2.1.3.

### lemma 4.69

For component  $\Gamma$ ,

 $(CBDS \Gamma)NCIHDS \overline{DSE \Gamma}$ 

### end of lemma

From lemma 4.69 we conclude that there is no need to require that  $(CBDS\Gamma)NCIHDS \overline{DSE\Gamma}$  in definition 4.68, "maximal communication behavior for delay-safe communication".

For component  $\Gamma$  we define trace structure  $cbds\Gamma$ . It will turn out that this is the trace structure of CBDS  $\Gamma$ , see theorem 4.74.

### definition 4.70 cbds

For component  $\Gamma$  trace structure cbds  $\Gamma$  is defined by

$$\operatorname{cbds} \Gamma \stackrel{\text{def}}{=} \langle a\Gamma, \{t, u : t \in t(ptr\Gamma) \land t \, c_{io\Gamma} \, u \land u \in t(dse\Gamma) : t\} \rangle$$

### end of definition

The definition above reflects that only the traces in  $t(ptr\Gamma)$ , that are composable with some trace in  $t(dse\Gamma)$ , are associated with the maximal communication behavior of component  $\Gamma$  when  $\Gamma$  communicates delay-safely. For an appreciation of this definition we refer to theorem 4.74. Using definition 4.36, "dse", we derive the following property.

### property 4.71

For component  $\Gamma$ , trace *t*, and symbol *a*,

(i) for  $a \in o\Gamma$ ,  $(t \in t(cbds\Gamma) \land ta \in t(ptr\Gamma)) = ta \in t(cbds\Gamma)$ 

(ii) for  $a \in i\Gamma$ ,  $(t \in t(cbds \Gamma) \land ta \in t(dse \Gamma)) = ta \in t(cbds \Gamma)$ 

### end of property

In property 4.71(ii)  $ta \in t(cbds\Gamma) \Rightarrow ta \in t(dse\Gamma)$  follows from lemma 4.49; from lemma 4.49 we also infer property 4.72.

### property 4.72

For component  $\Gamma$ ,

 $\operatorname{cbds} \Gamma = \operatorname{ptr} \Gamma \cap \operatorname{dse} \Gamma$ 

### end of property

From the nonemptiness and prefix-closedness of ptr and dse we infer the nonemptiness and prefix-closedness of cbds.

### property 4.73

For component  $\Gamma$ ,

 $cbds\Gamma$  is nonempty and prefix-closed.

### end of property

Now, we can link trace structure  $cbds\Gamma$  to component CBDS  $\Gamma$ .

### theorem 4.74 maximal communication behavior for delay-safe communication

For component $\Gamma$,

 $ptr(CBDS \Gamma) = cbds \Gamma$ 

end of theorem

#### example 4.75

We consider component  $\Gamma_4$  of example 4.48, see figure 4.10. io(CBDS  $\Gamma_4$ ) = io  $\Gamma_4$ . Trace set t(dse  $\Gamma_4$ ) is shown in figure 4.11.



figure 4.27 State graph of trace set  $t(cbds \Gamma_4)$ .

In figure 4.27 the state graph of trace set $t(cbds \Gamma_4)$ is shown.

### end of example

#### example 4.76

From definition 4.70, "cbds", we derive that $\operatorname{cbds}\Gamma_{or} = \operatorname{ptr}\Gamma_{or}$, $\operatorname{cbds}\Gamma_{and} = \operatorname{ptr}\Gamma_{and}$, $\operatorname{cbds}\Gamma_{bc} = \operatorname{ptr}\Gamma_{bc}$, $\operatorname{cbds}\Gamma_{maj} = \operatorname{ptr}\Gamma_{maj}$, and $\operatorname{cbds}\Gamma_{af} = \operatorname{ptr}\Gamma_{af}$; however, $\operatorname{cbds}\Gamma_{lubc} = \operatorname{dse}\Gamma_{lubc}$.

### end of example

We now present some properties of CBDS announced in the introduction of this subsection. Theorem 4.77 expresses that CBDS  $\Gamma$  is not too small.

#### theorem 4.77

For components  $\Gamma$  and  $\Delta$  such that io  $\Gamma = io \overline{\Delta}$ ,

$$\Gamma \, NCIHDS \, \Delta \Rightarrow (\mathbf{A} t, u: t \in t(ptr \Gamma) \land t \, c_{io\Gamma} \, u \land u \in t(ptr \Delta) : t \in t(ptr(CBDS \Gamma)) \land u \in t(ptr(CBDS \Delta)))$$

end of theorem

Property 4.78 expresses that CBDS  $\Gamma$  is not too large.

#### property 4.78

For component $\Gamma$,

$$(\mathbf{A} t : t \in \mathbf{t}(\mathbf{ptr}(\mathbf{CBDS} \Gamma)) : (\mathbf{E} u : u \in \mathbf{t}(\mathbf{ptr}(\overline{\mathbf{DSE} \Gamma})) : t \, \mathbf{c}_{\mathbf{io}\Gamma} \, u))$$

end of property

From lemma 4.43 and definition 4.36, "dse", we infer property 4.79; it is used in theorem 4.80.

### property 4.79

For components $\Gamma$ and $\Delta$ such that $io \Gamma = io \Delta$ and $ptr \Delta \subseteq ptr \Gamma$,

$$(s \in t(dse\Gamma) \land t \in (o\Gamma)^* \land st \in t(dse\Delta)) \Rightarrow st \in t(dse\Gamma)$$

### end of property

Theorem 4.80 expresses that the traces that have been left out when reducing  $ptr \Gamma$  to cbds  $\Gamma$  do not play a role for a component that communicates delay-safely.

### theorem 4.80

For components $\Gamma$ and $\Delta$ such that $io \Gamma = io \Delta$, $cbds \Gamma \subseteq ptr \Delta$, and $ptr \Delta \subseteq ptr \Gamma$,

$$dse \Gamma = dse \Delta$$

### end of theorem

In theorem 4.80 we have proven that  $\operatorname{dse} \Gamma = \operatorname{dse} \Delta$ , for components  $\Gamma$  and  $\Delta$  such that  $(\operatorname{ptr} \Gamma \cap \operatorname{dse} \Gamma) \subseteq \operatorname{ptr} \Delta$  and  $\operatorname{ptr} \Delta \subseteq \operatorname{ptr} \Gamma$ ; in example 4.81 we show that this, in general, does not hold for components  $\Gamma$  and  $\Delta$  such that  $\operatorname{ptr} \Gamma \subset \operatorname{ptr} \Delta$  and  $\operatorname{ptr} \Delta \subseteq (\operatorname{ptr} \Gamma \cup \operatorname{dse} \Gamma)$ .


### example 4.81

We consider components $\Gamma_9$ and $\Delta_9$, see figure 4.28.



figure 4.28 State graphs of components $\Gamma_9$ (figure 4.28a) and $\Delta_9$ (figure 4.28b).

The delay-safe enclosures of  $\Gamma_9$  and  $\Delta_9$  are given in figure 4.29; of course, io (DSE  $\Delta_9$ ) = io  $\Delta_9$ .



figure 4.29 State graphs of component DSE $\Gamma_9$ (fig. 4.29a) and trace set $t(dse \Delta_9)$ (fig. 4.29b).

We see that $ptr \Gamma_9 \subset ptr \Delta_9$ and $ptr \Delta_9 \subseteq dse \Gamma_9$, but $\neg (dse \Gamma_9 = dse \Delta_9)$.

### end of example

### lemma 4.82 CBDS is idempotent

For component $\Gamma$,

 $CBDS(CBDS\Gamma) = CBDS\Gamma$ 

end of lemma

#### property 4.83

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

- (i)  $\Gamma NCIHADS \Delta = (CBDS \Gamma)NCIHADS \Delta$
- (ii)  $\Gamma NCIHADS \Delta = \Gamma NCIHADS (CBDS \Delta)$
- (iii)  $\Gamma NCIHDS \Delta = (CBDS \Gamma) NCIHDS \Delta$

end of property

### 4.2.4 Impact of delay-safe communication on components

We consider a component  $\Gamma$  that communicates delay-safely, see figure 4.30.



figure 4.30 Component  $\Gamma$  communicating delay-safely.

Now, the allowed communication behavior of  $\Gamma$  is restricted. We notice that in **CBDS**  $\Gamma$ :

- no input comminst enables an input comminst, and
- no output comminst disables an input comminst.

### lemma 4.84

For component  $\Gamma$ , no input comminst enables an input comminst in **CBDS**  $\Gamma$ .

### end of lemma

#### lemma 4.85

For component  $\Gamma$ , no output comminst disables an input comminst in CBDS  $\Gamma$ .

### end of lemma

### remark 4.86

Example 4.87 illustrates that the lemmas above are the only relations between comminsts as far as enabling and disabling are concerned. In the six other cases no such lemmas can be derived: the existence of such lemmas is disproved by example 4.87.

### end of remark

### example 4.87

In the communication behavior of a delay-safely communicating component

- (i) an input comminst may disable an input comminst,
- (ii) an input comminst may disable an output comminst,
- (iii) an input comminst may enable an output comminst,
- (iv) an output comminst may enable an input comminst,
- (v) an output comminst may disable an output comminst,
- (vi) an output comminst may enable an output comminst.

Table 4.31 lists components that illustrate the above.

|       | $i\Gamma$  | $o\Gamma$  | $t(ptr\Gamma)$        | $t(dse\Gamma)$             | $t(cbds\Gamma)$       |
|-------|------------|------------|-----------------------|----------------------------|-----------------------|
| (i)   | $\{a,b\}$  | $\{c\}$    | $pref(\{ac, bc\}^*)$  | $pref(\{ac, bc\}^*)$       | $pref(\{ac, bc\}^*)$  |
| (ii)  | $\{a\}$    | $\{b\}$    | $pref\{a, ba\}$       | $pref\{ab, ba\}$           | $pref\{a, ba\}$       |
| (iii) | $\{a\}$    | $\{b\}$    | $pref(\{ab\}^*)$      | $pref(\{ab\}^*)$           | $pref(\{ab\}^*)$      |
| (iv)  | $\{b\}$    | $\{a\}$    | $pref(\{ab\}^*)$      | $pref(\{ab\}^*)$           | $pref(\{ab\}^*)$      |
| (v)   | $\{c\}$    | $\{a,b\}$  | $pref(\{ac, bc\}^*)$  | $pref(\{ac, bc\}^*)$       | $pref(\{ac, bc\}^*)$  |
| (vi)  | $\{c\}$    | $\{a,b\}$  | $pref(\{abc\}^*)$     | $pref(\{abc, bac\}^*)$     | $pref(\{abc\}^*)$     |

#### table 4.31

Example iobips and trace sets for components  $\Gamma$ , DSE  $\Gamma$ , and CBDS  $\Gamma$ .

### end of example

#### remark 4.88

From example 4.89 we conclude that lemma 4.84 and lemma 4.85 are not sufficient to characterize CBDS.

### end of remark

### example 4.89

We consider component $\Gamma_{10}$ that is defined by

$$i\Gamma_{10} \stackrel{\text{def}}{=} \{a, c\}, \quad o\Gamma_{10} \stackrel{\text{def}}{=} \{b\}, \quad \text{and} \quad t(ptr \, \Gamma_{10}) \stackrel{\text{def}}{=} pref\{abc, ba\}.$$

We see:

$$t(dse \, \Gamma_{10}) = pref\{ab, ba\}, \quad \text{and} \quad t(cbds \, \Gamma_{10}) = pref\{ab, ba\}.$$

For component  $\Gamma_{10}$  no input comminst enables an input comminst and no output comminst disables an input comminst; nevertheless, ptr  $\Gamma_{10} \neq cbds \Gamma_{10}$ .

end of example

### 4.2.5 'Off-the-shelf' mechanisms

In subsection 4.2.1 we have defined the operator dse for components. For component  $\Gamma$ , dse  $\Gamma$  is the trace structure of the delay-safe enclosure of  $\Gamma$ . Using dse we have defined the operator cbds in subsection 4.2.3; cbds  $\Gamma$  is the trace structure of the maximal communication behavior of  $\Gamma$ , if  $\Gamma$  communicates delay-safely. Let component  $\Gamma$  model some 'off-the-shelf' mechanism; now, trace structure cbds  $\Gamma$  can be used as a label that can be attached to such a mechanism to show its maximal delay-safe communication behavior.

Suppose that we have such a mechanism. From its specification we can tell the iobip of the component that models this mechanism. If there are no explicit timing requirements, we are able to derive the trace structure of this component from the specification of the mechanism. If there are explicit timing requirements (e.g. signal II may not happen until at least 3 microseconds after signal I has happened), we have to separate them from '(the rest of) the communication behavior of the mechanism'. Adding delay elements may be effective. An alternative is to add clock signals to indicate when the timing requirements have been met. In both cases we create a new mechanism from which the explicit timing requirements have been separated. Again, we are able to derive the trace structure of the component from the specification of the (new) mechanism. In this way, the component models the "new mechanism from which the explicit timing conditions have been separated".

After we have determined the trace structure of the component that models the mechanism, we calculate the cbds of this component. If this cbds is too restricted, we conclude that we do not want to require that the communication between this component and its environment is delay-safe. We might choose a mixed connection between this component and its environment, cf. partial delay-safety in chapter 6; or we might create a new mechanism, e.g. by adding some clock signals in the way described above.

# **Communicating delay-insensitively**

In this chapter we deal with "absence of transmission interference hazard" within the context of delay-safe communication; as a consequence we are only concerned here with *indirect connections*. We consider a component and its environment that have a closed connection. We study the communication in the channel between this component and its environment. If a channel is delay-safe and there is no transmission interference hazard, we say that the channel is *delay-insensitive*.

In subsection 5.1.0.1 we present DIE, i.e. the delay-insensitive enclosure of a di-initializable (see subsection 5.1.0.0) component. For di-initializable component  $\Gamma$ , component  $\overline{\text{DIE}\Gamma}$  is the maximal (w.r.t. trace structure inclusion) partner of  $\Gamma$ . When  $\Gamma$  and  $\overline{\text{DIE}\Gamma}$  are indirectly connected, they have no computation interference hazard and there is no transmission interference hazard in the communication between them. In subsection 5.1.0.3 we present CBDI, i.e. the communication behavior of a delay-insensitively communicating di-initializable component. The maximal (w.r.t. trace structure inclusion) communication behavior of a di-initializable component, say  $\Gamma$ , that communicates delay-insensitively without computation interference hazard equals trace structure  $cbdi\Gamma$  ( $cbdi\Gamma\subseteq ptr\Gamma$ ). This means that  $\Gamma$  behaves in that case like component CBDI  $\Gamma$  (io(CBDI  $\Gamma$ )= io $\Gamma$  and  $ptr(CBDI \Gamma)=cbdi\Gamma$ ).

### 5.0 Communication in channels

We define class  $C_4$  in order to formalize "delay-insensitive channel". Absence of transmission interference hazard is characterized by:

no two signals are permitted to interfere with each other.

### remark 5.0

Within the context of delay-safe communication absence of transmission interference hazard is equal to:

no commsig is sent from a commport before all commsigs, that previously have been sent from that commport, have been received.

### end of remark

#### definition 5.1 C<sub>4</sub>

For trace structure T and alphbip D, the pair (T,D) is an element of C<sub>4</sub> if and only if

$$(T,D) \in \mathbf{D}_4 \wedge (\mathbf{A}s, t, a: s \in (\mathbf{a}T)^* \wedge t \in (\mathbf{a}T)^* \wedge a \in \mathbf{a}T \wedge sata \in \mathbf{t}T: l(t \mid \mathbf{opa}(a, D)) > 0)$$

### end of definition

That the communication is delay-safe is reflected by the first conjunct in definition 5.1, " $C_4$ ", cf. definition 4.19, "delay-safe channel". The second conjunct reflects, given that the communication is delay-safe, absence of transmission interference hazard: no commsig may propagate from a commport of the component at 'one end of the channel' to a commport of the component at 'the other end of the channel', unless all commsigs that have previously propagated between these commports have been received. As a consequence, using that the communication is delay-safe, no commsig must be <u>sent</u> from a commport unless all commsigs that have previously been sent from this commport have been received. Since the connection between the component and its environment is closed, the only way in which the component that sends these commsigs is able to know that a commsig has been received, is by receiving one or more commsigs that travel in the opposite direction.

Class  $C_4$  has been called the "delay-insensitive class" by Udding, cf. subsection 7.0.1. Definition 5.1, " $C_4$ ", differs from Udding's original definition, cf. [Udding84]; in theorem 5.2, " $C_4$ ", we prove that these definitions are equivalent. Udding's definition is simpler from a formal point of view; we believe that our definition is closer to our intuitive notion "absence of transmission interference hazard".

### theorem 5.2 C<sub>4</sub>

For trace structure T and alphbip D,

$$(T,D) \in \mathbf{C}_4 = (T,D) \in \mathbf{D}_4 \land (\mathbf{A} \ s, a : s \in (\mathbf{a} T)^* \land a \in \mathbf{a} T : saa \notin \mathbf{t} T)$$

### end of theorem

Notice that in the proof of theorem 5.2, "$C_4$", we need that the communication is delay-safe in order to prove that absence of transmission interference hazard is equal to Udding's requirement, viz. $(\mathbf{A}s, a: s \in (aT)^* \land a \in aT: saa \notin tT)$. Using class $C_4$, we define the notion "delay-insensitive channel".

### definition 5.3 *delay-insensitive channel*

For channel  $\Theta$ , we say that  $\Theta$  is delay-insensitive if and only if

 $(ptr \Theta, ab\Theta) \in C_4$ 

### end of definition

We deal with absence of transmission interference hazard as a property that may or may not hold for the communication in a delay-safe channel. Udding, cf. [Udding84], and Ebergen, cf. [Ebergen87], however, take delay-insensitivity as their starting point.

We do not define, for trace structure T and alphbip D, the smallest (w.r.t. trace structure inclusion) trace structure X such that  $T \subseteq X$  and  $(X,D) \in C_4$ : in general, such a trace structure X does not exist, see example 5.4. Furthermore, if such an X exists, then X = dsc(T,D), see definition 4.20, "dsc".

### example 5.4

Component  $\Gamma_0$  is defined by:

$$\mathbf{o} \Gamma_0 \stackrel{\text{def}}{=} \{a\}$$
  
 
$$\mathbf{i} \Gamma_0 \stackrel{\text{def}}{=} \{b\}$$
  
 
$$\mathbf{t} (\mathbf{ptr} \Gamma_0) \stackrel{\text{def}}{=} \mathbf{pref} \{baa\}$$

From theorem 5.2, "C<sub>4</sub>", we conclude that $(\mathbf{A}X : t(ptr \Gamma_0) \subseteq tX : (X, ab\Gamma_0) \notin C_4)$.

### end of example

### 5.1 Communication behavior of components

In this section we focus our attention on the communication behavior of a component that communicates via a delay-insensitive channel. In chapter 4 we have proven that delay-safe communication restricts the communication behavior of a component, when absence of computation interference hazard is the correctness concern. We shall show here that the additional correctness concern, viz. absence of transmission interference hazard, gives an additional restriction on the communication behavior of a component.

Throughout the remainder of this section we will only consider components that communicate via a delay-safe channel.

### 5.1.0 Transformation into computation interference hazard

In this subsection we use the transformation technique presented in subsection 3.3.0 to transform "transmission interference hazard" into "computation interference hazard", see subsection 5.1.0.1. We recall that there is an initial problem when this technique is applied. We deal with this problem in subsection 5.1.0.0.

### 5.1.0.0 Initializability

In subsection 4.2.4 we studied the restriction imposed by delay-safe communication on the communication behavior of components. We were able to calculate the maximal communication behavior of every component that communicates via a delay-safe channel. In this section we deal with the restriction imposed by "delay-insensitive communication" on the communication behavior of components. It turns out that some components are not able to communicate via a delay-insensitive channel: they may initially 'produce transmission interference' before the environment is able to control them. Such components are said to be not *di-initializable*.

### definition 5.5 di-initializable

Component $\Gamma$ is di-initializable if and only if

$$(\mathbf{A}s, t, a: s \in (\mathbf{a}\Gamma)^* \land t \in (\mathbf{a}\Gamma)^* \land a \in \mathbf{o}\Gamma \land sata \in \mathbf{t}(\mathbf{dse}\Gamma): l(st \mid \mathbf{opa}(a, \mathbf{ab}\Gamma)) > 0)$$

### end of definition

We consider the condition that is used to define that a component is di-initializable, see definition 5.5. This condition looks very much like the second conjunct in definition 5.1, "$C_4$". The restriction $sata \in t(dse \Gamma)$ is included, because we assume that component $\Gamma$ communicates via a <u>delay-safe</u> channel and because we are concerned with "absence of transmission interference hazard" only in the context of delay-safe communication. The restriction $a \in o\Gamma$ is included, because $\Gamma$ 'produces' the communication associated with $a$, whereas the communication associated with input symbols is 'produced' by some other component. The requirement $l(t \mid opa(a, D)) > 0$ is weakened to $l(st \mid opa(a, D)) > 0$, since we are only concerned with absence of transmission interference hazard in the <u>initial</u> part of the communication behavior of $\Gamma$. Notice that in definition 5.5 $opa(a, ab\Gamma) = i\Gamma$ holds, while $a \in o\Gamma$.

In property 5.6 we present an alternative characterization of "di-initializable".

### property 5.6 *di-initializable*

Component  $\Gamma$  is di-initializable if and only if

 $(Aa: a \in o\Gamma: aa \notin t(dse\Gamma))$ 

### end of property

In property 5.7 we present a characterization of "di-initializable" in which  $dse\Gamma$  does not occur; it shows that in the trace structure that models the communication behavior of di-initializable components all initial 'repetitions' of output symbols are separated by at least one input symbol.

### property 5.7 *di-initializable*

Component  $\Gamma$  is di-initializable if and only if

$$(\mathbf{A}s, t, a: s \in (\mathbf{o}\Gamma)^* \land t \in (\mathbf{o}\Gamma)^* \land a \in \mathbf{o}\Gamma: sata \notin t(\mathbf{ptr}\Gamma))$$

end of property

### example 5.8

Component $\Gamma_1$ is defined by:

$$\mathbf{o} \Gamma_1 \stackrel{\text{def}}{=} \{a, b\}$$

$$\mathbf{i} \Gamma_1 \stackrel{\text{def}}{=} \{c\}$$

$$\mathbf{t}(\mathbf{ptr} \Gamma_1) \stackrel{\text{def}}{=} \mathbf{pref}\{abca, bc\}$$

Using $abca \, c_{io\Gamma_1} \, bcaa$, we derive that $t(dse \Gamma_1) = pref\{abca, baca, bcaa\}$ from definition 4.36, "dse". From definition 5.5, "di-initializable", we conclude that $\Gamma_1$ is a di-initializable component. Notice that the environment of $\Gamma_1$ may refuse to send a commsig to which *c* is associated.

### end of example
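As an added illustration (example code written for this edition, not code from the thesis), the following Python runs the second conjunct of definition 5.1, Udding's condition from theorem 5.2, and the di-initializability tests of properties 5.6 and 5.7 on the finite trace sets of examples 5.4 and 5.8, plus one constructed trace set on which the two $C_4$ conditions disagree. The function names and the dict layout of the sample components are this example's own; `pref` and `opa` are implemented as the thesis uses them, and delay-safety ($\mathbf{D}_4$) is not checked.

```python
"""Transmission-interference checks on finite, prefix-closed trace sets.

Added example, not code from the thesis. A trace is a string whose characters
are symbols of the component's alphabet; a trace set is a Python set of such
strings. The alphabet bipartition D is given as the pair (inputs, outputs).
"""


def pref(traces):
    """pref: prefix closure of a set of traces."""
    return {w[:k] for w in traces for k in range(len(w) + 1)}


def opa(a, inputs, outputs):
    """opa(a, D): the part of the bipartition D that does not contain a."""
    return outputs if a in inputs else inputs


def project(w, symbols):
    """w | S: the trace w restricted to the symbols in S."""
    return "".join(x for x in w if x in symbols)


def has_no_ti_hazard(T, inputs, outputs):
    """Second conjunct of definition 5.1, "C_4": for every trace s a t a in T,
    l(t | opa(a, D)) > 0, i.e. at least one commsig travelling in the opposite
    direction separates the two occurrences of a. T is prefix-closed, so every
    pair of equal symbols inside a trace of T yields such a prefix s a t a."""
    for w in T:
        for i, a in enumerate(w):
            for j in range(i + 1, len(w)):
                if w[j] == a and not project(w[i + 1:j], opa(a, inputs, outputs)):
                    return False
    return True


def udding_ok(T):
    """Udding's requirement from theorem 5.2: no trace of the form s a a in T."""
    return all(not (len(w) >= 2 and w[-1] == w[-2]) for w in T)


def di_initializable_ptr(T, outputs):
    """Property 5.7 on t(ptr G): no trace s a t a with s, t in (oG)* and a in oG.
    Such a trace consists of output symbols only and repeats one of them, so
    (T being prefix-closed) it suffices to scan the all-output traces of T."""
    for w in T:
        if all(x in outputs for x in w) and len(set(w)) < len(w):
            return False
    return True


def di_initializable_dse(T, outputs):
    """Property 5.6 on t(dse G): aa is not a trace of dse G for any output a."""
    return all(a + a not in T for a in outputs)


def c4_conditions(T, inputs, outputs):
    """Both C_4 conditions on one trace set. Theorem 5.2 says they agree when
    (T, D) is delay-safe, which this example does not check; on a trace set
    that is not delay-safe they may differ."""
    return {
        "definition_5_1": has_no_ti_hazard(T, inputs, outputs),
        "theorem_5_2": udding_ok(T),
    }


# Example 5.4 (from the thesis): oG0 = {a}, iG0 = {b}, t(ptr G0) = pref{baa}.
GAMMA_0 = {"inputs": {"b"}, "outputs": {"a"}, "ptr": pref({"baa"})}

# Example 5.8 (from the thesis): oG1 = {a, b}, iG1 = {c},
# t(ptr G1) = pref{abca, bc} and t(dse G1) = pref{abca, baca, bcaa}.
GAMMA_1 = {
    "inputs": {"c"},
    "outputs": {"a", "b"},
    "ptr": pref({"abca", "bc"}),
    "dse": pref({"abca", "baca", "bcaa"}),
}

# Constructed here, not from the thesis: output a is sent a second time
# without any input symbol occurring in between.
CONSTRUCTED = {"inputs": {"c"}, "outputs": {"a", "b"}, "ptr": pref({"aba"})}


if __name__ == "__main__":
    g0, g1, cc = GAMMA_0, GAMMA_1, CONSTRUCTED
    # pref{baa} violates both conditions, and every superset keeps the trace
    # baa, which is the point of example 5.4.
    print("Gamma_0 ptr:", c4_conditions(g0["ptr"], g0["inputs"], g0["outputs"]))
    print("Gamma_1 ptr:", c4_conditions(g1["ptr"], g1["inputs"], g1["outputs"]))
    print("Gamma_1 dse:", c4_conditions(g1["dse"], g1["inputs"], g1["outputs"]))
    print("Gamma_1 di-initializable (5.7 on ptr):",
          di_initializable_ptr(g1["ptr"], g1["outputs"]))
    print("Gamma_1 di-initializable (5.6 on dse):",
          di_initializable_dse(g1["dse"], g1["outputs"]))
    print("constructed pref{aba}:",
          c4_conditions(cc["ptr"], cc["inputs"], cc["outputs"]))
```

On the constructed set pref{aba} the definition 5.1 conjunct fails while Udding's condition holds, which is why the text stresses that theorem 5.2 relies on delay-safety.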

### 5.1.0.1 Delay-insensitive enclosure

In this subsection we define for di-initializable component  $\Gamma$  component DIE  $\Gamma$ , i.e. the delay-insensitive enclosure of  $\Gamma$ . Furthermore, we give a constructive definition of ptr(DIE  $\Gamma$ ), viz. die  $\Gamma$ .

When di-initializable component  $\Gamma$  communicates via a delay-insensitive channel, trace structure **ptr**(**DIE** $\Gamma$ ) gives the maximal communication in this channel. Furthermore, component **DIE** $\Gamma$  is the maximal (w.r.t. trace structure inclusion) partner of  $\Gamma$ . When  $\Gamma$  and **DIE** $\Gamma$  are indirectly connected, they have no computation interference hazard and there is no transmission interference hazard in the communication between them.

### definition 5.9 delay-insensitive enclosure

For di-initializable component  $\Gamma$ , we define the *delay-insensitive enclosure* of  $\Gamma$ , denoted by **DIE** $\Gamma$ , as the maximal (w.r.t. trace structure inclusion) component such that

- (i) io  $\Gamma = io(DIE \Gamma)$
- (ii)  $\Gamma NCIHDS \overline{DIE\Gamma}$
- (iii)  $(\mathbf{A}a, t: a \in \mathbf{i}(\overline{\mathbf{DIE}\Gamma}) \land ta \in \mathbf{t}(\mathbf{ptr}(\overline{\mathbf{DIE}\Gamma})): (\mathbf{E}s: s \in \mathbf{t}(\mathbf{ptr}\Gamma): s\mathbf{c}_{\mathbf{i}\circ\Gamma}ta))$
- (iv)  $(ptr(\overline{DIE\Gamma}), ab\Gamma) \in C_4$

### end of definition

The existence of the maximum in definition 5.9, "delay-insensitive enclosure", above follows from the "delay-insensitive enclosure" theorem 5.24. Requirement (iii) in definition 5.9 restricts in the traces of $\overline{\text{DIE }\Gamma}$ the occurrences of symbols $a \in i(\overline{DIE\Gamma})$ to those occurrences that are associated with the reception by DIE $\Gamma$ of commsigs that may have been sent by $\Gamma$. In requirement (iii) there is no need to quantify over symbols $a \in o(\overline{DIE\Gamma})$, since their occurrences in traces of $ptr(\overline{DIE\Gamma})$ are restricted by requirement (ii). Compared to definition 4.34, "delay-safe enclosure", we have added requirement (iv). This additional requirement guarantees absence of transmission interference hazard. In order to achieve absence of transmission interference, it is formally sufficient to require only that the second conjunct in definition 5.1, "$C_4$", holds. However, we are only able to interpret absence of transmission interference hazard by that conjunct within the context of delay-safe communication. For this reason we prefer requirement (iv) in definition 5.9.

For component  $\Gamma$  we will define trace structure die $\Gamma$ . It will turn out that this is the trace structure of the delay-insensitive enclosure of  $\Gamma$ , see theorem 5.24, "delay-insensitive enclosure". In order to define die $\Gamma$ , we first introduce trace set tih $\Gamma$  and component DSENTIH $\Gamma$ . Trace set tih $\Gamma$  will be used to exclude the trace set that is associated with transmission interference hazard from trace structure dse $\Gamma$ ; in this way component DSENTIH $\Gamma$  is a 'reduction' of component DSE $\Gamma$ .

### definition 5.10 tih

For component  $\Gamma$ , let *D* be the alphbip that is associated with io  $\Gamma$ ; we define trace set tih  $\Gamma$ :

$$\operatorname{tih} \Gamma \stackrel{\text{def}}{=} \{s, t, a : s \in (a\Gamma)^* \land a \in a\Gamma \land t \in (\operatorname{spa}(a, D))^* \land sata \in t(\operatorname{dse} \Gamma) : sata\}$$

### end of definition

In definition 5.10, "tih", we use a formula that is similar to the condition in property 5.7, "di-initializable".

In definition 5.11 we transform transmission interference hazard into computation interference hazard, see subsection 3.3.0. The operator dse in this definition is not present to establish absence of computation interference hazard, but it provides the context in which we address transmission interference hazard.

### definition 5.11 DSENTIH

For di-initializable component  $\Gamma$ , component  $\text{DSENTIH}\,\Gamma$  is defined by:

$$\mathbf{io}(\text{DSENTIH}\,\Gamma) \stackrel{\text{def}}{=} \mathbf{io}\,\Gamma$$
$$\mathbf{ptr}(\text{DSENTIH}\,\Gamma) \stackrel{\text{def}}{=} \operatorname{redts}(\operatorname{dse}\Gamma, \mathbf{i}\Gamma, \operatorname{tih}\Gamma)$$

end of definition

In definition 5.11, "DSENTIH", the di-initializability of  $\Gamma$  is needed to achieve that  $(As: s \in tih \Gamma: l(s|i\Gamma) > 0)$ . Now, we infer from property 1.40 that  $ptr(DSENTIH \Gamma)$  is nonempty; the prefix-closedness of  $ptr(DSENTIH \Gamma)$  follows from property 1.40, using the prefix-closedness of  $dse\Gamma$ .

In property 5.12 we present an alternative characterization of DSENTIH.

### property 5.12

For di-initializable component  $\Gamma$ ,

$$\mathbf{ptr}(\text{DSENTIH}\,\Gamma) = \operatorname{redts}(\operatorname{dse}\Gamma, \mathbf{i}\Gamma, \{s, a : s \in (\mathbf{a}\Gamma)^* \wedge a \in \mathbf{a}\Gamma \wedge saa \in \mathbf{t}(\operatorname{dse}\Gamma) : saa\})$$

end of property

Our motivation for choosing the noun "DSENTIH" is provided by the alternative characterization of DSENTIH in property 5.13.

### property 5.13

For di-initializable component  $\Gamma$ ,

$$\mathbf{io}(\text{DSENTIH}\,\Gamma) = \mathbf{io}(\text{DSE}\,\Gamma)$$
$$\mathbf{ptr}(\text{DSENTIH}\,\Gamma) = \operatorname{redts}(\mathbf{ptr}(\text{DSE}\,\Gamma), \mathbf{i}(\text{DSE}\,\Gamma), \operatorname{tih}(\text{DSE}\,\Gamma))$$

end of property

In definition 5.14 the operator dse is used to establish absence of computation interference hazard when the communication is delay-safe. Since we have transformed transmission interference hazard into computation interference hazard by definition 5.11, "DSENTIH", we also establish absence of transmission interference hazard by doing so.

### definition 5.14 die

For di-initializable component  $\Gamma$  we define trace structure  $\operatorname{die}\Gamma$  by

$$\operatorname{die}\Gamma \stackrel{\text{def}}{=} \operatorname{dse}(\text{DSENTIH}\,\Gamma)$$

end of definition

The following properties and lemmas are used in the proof of theorem 5.24, "delay-insensitive enclosure".

### property 5.15

For di-initializable component  $\Gamma$ ,

- (i) die  $\Gamma$  is nonempty,
- (ii) die  $\Gamma$  is prefix-closed.

### end of property

### lemma 5.16

For di-initializable component  $\Gamma$ ,

$$(\mathbf{A}t, u : t \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u \wedge u \in \mathbf{t}(\operatorname{die}\Gamma) : t \in \mathbf{t}(\mathbf{ptr}(\text{DSENTIH}\,\Gamma)))$$

### end of lemma

### lemma 5.17

For di-initializable component  $\Gamma$ ,

 $\operatorname{die}\Gamma \subseteq \operatorname{dse}\Gamma$ 

### end of lemma

From lemma 5.17 and lemma 4.43 we infer property 5.18.

### property 5.18

For di-initializable component  $\Gamma$ ,

$$(\mathbf{A}t : t \in \mathbf{t}(\operatorname{die}\Gamma) : (\mathbf{E}s : s \in \mathbf{t}(\mathbf{ptr}\Gamma) : s\,\mathbf{c}_{\mathbf{io}\Gamma}\,t))$$

end of property

### lemma 5.19

For di-initializable component  $\Gamma$ ,

$\operatorname{die}\Gamma \subseteq \mathbf{ptr}(\text{DSENTIH}\,\Gamma)$

end of lemma

### lemma 5.20

For di-initializable component  $\Gamma$ ,

$(\operatorname{die}\Gamma, \mathbf{ab}\Gamma) \in C_4$

end of lemma

Absence of computation interference hazard is reflected by the following properties. The condition  $io \overline{\Gamma} = io \Delta$  models that  $\Gamma$  and  $\Delta$  have a closed connection.

### property 5.21

For di-initializable components  $\Gamma$  and  $\Delta$  such that io  $\overline{\Gamma} = io \Delta$  and ptr  $\Delta = die \Gamma$ ,

 $(DSENTIH \Gamma)NCIHDS \Delta$ 

end of property

property 5.22

For di-initializable components  $\Gamma$  and  $\Delta$  such that io  $\overline{\Gamma} = io\Delta$  and ptr  $\Delta = die \Gamma$ ,

 $(DSENTIH \Gamma)NCIHDS \Delta \Rightarrow \Gamma NCIHDS \Delta$ 

end of property

From lemma 4.44 we infer property 5.23.

### property 5.23

For di-initializable components  $\Gamma$  and  $\Delta$  such that  $\mathbf{io}\,\Gamma = \mathbf{io}\,\Delta$  and  $\overline{\Delta}\ \text{NCIHADS}\ (\text{DSENTIH}\,\Gamma)$ ,

$$(\mathbf{A}t, u : t \in \mathbf{t}(\mathbf{ptr}(\text{DSENTIH}\,\Gamma)) \wedge u \in (\mathbf{t}(\mathbf{ptr}\Delta) \setminus \mathbf{t}(\operatorname{die}\Gamma)) : \neg(t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u))$$

end of property

Now, we can link trace structure die  $\Gamma$  to component DIE  $\Gamma$ .

theorem 5.24 delay-insensitive enclosure

For di-initializable component  $\Gamma$ ,

 $ptr(DIE\Gamma) = die\Gamma$ 

end of theorem

Van der Heijden and Teunissen have developed software to calculate die  $\Gamma$  for di-initializable components  $\Gamma$  that have regular trace structures, see [van der Heijden – Teunissen 89]. From their work we infer theorem 5.25, which is presented here without a proof.

### theorem 5.25

For di-initializable component  $\Gamma$ ,

"ptr  $\Gamma$  is regular"  $\Rightarrow$  "die  $\Gamma$  is regular"

end of theorem

### 5.1.0.2 Properties of delay-insensitive enclosure

In this subsection we present some properties of DIE; of course, see theorem 5.24, "delay-insensitive enclosure", some properties of tih and DSENTIH are included.

### property 5.26

For di-initializable component  $\Gamma$ ,

 $(\operatorname{ptr} \Gamma, \operatorname{ab} \Gamma) \in \mathbb{C}_4 \Rightarrow (\operatorname{tih} \Gamma = \emptyset)$ 

### end of property

Using property 5.26 we infer property 5.27.

property 5.27

For di-initializable component  $\Gamma$ ,

 $(ptr \Gamma, ab\Gamma) \in C_4 = (die \Gamma = ptr \Gamma)$ 

### end of property

We consider a di-initializable component  $\Gamma$ . In order to calculate die $\Gamma$ , we first calculate trace structure dse $\Gamma$ , see definition 5.11, "DSENTIH"; next, we reduce dse $\Gamma$  to ptr(DSENTIH $\Gamma$ ), cf. definition 1.34, "redts"; finally, we calculate trace structure dse(DSENTIH $\Gamma$ ), see definition 5.14, "die". Example 5.28 and remark 5.29 show that the approach "first reducing trace structure ptr $\Gamma$  in some way and next calculating dse only once" does not work.

### example 5.28

Di-initializable component  $\Gamma_2$  is defined by:

$$\mathbf{o}\,\Gamma_2 \stackrel{\text{def}}{=} \{a, b\} \qquad \mathbf{i}\,\Gamma_2 \stackrel{\text{def}}{=} \{c\} \qquad \mathbf{t}(\mathbf{ptr}\,\Gamma_2) \stackrel{\text{def}}{=} \mathbf{pref}\{abca\}$$

We derive that  $t(dse \Gamma_2) = pref \{abca, baca, bcaa\}$  from definition 4.36, "dse", see also example 5.8. From definition 5.14, "die", we derive that  $t(die \Gamma_2) = pref \{abca, baca\}$ . Let  $\Delta_2$  be a component such that  $io \Delta_2 = io \Gamma_2$ ,  $ptr \Delta_2 \subseteq ptr \Gamma_2$ , and  $ptr \Delta_2 \neq ptr \Gamma_2$ . Since  $ptr \Delta_2$  is prefix-closed,  $t(ptr \Delta_2) \subseteq \{\varepsilon, a, ab, abc\}$ . Hence,  $abca \notin t(dse \Delta_2)$ . As a consequence,  $die \Delta_2 \neq die \Gamma_2$ .

### end of example

### remark 5.29

From example 5.28 we conclude that for a component  $\Gamma$  it is, in general, not possible to reduce  $ptr\Gamma$  to  $ptr\Delta$  for some component  $\Delta$  such that  $io\Delta = io\Gamma$  and  $die\Delta = die\Gamma$ .

### end of remark

From theorem 5.24, "delay-insensitive enclosure", lemma 5.20, and property 5.27 we derive that **DIE** is idempotent.

property 5.30 DIE is idempotent

For di-initializable component  $\Gamma$ ,

 $\mathbf{DIE}(\mathbf{DIE}\,\Gamma) = \mathbf{DIE}\,\Gamma$ 

### end of property

Like DSE, operator DIE is not monotonic.

### remark 5.31

In general, DIE is not monotonic, see example 4.58. For components  $\Gamma_5$  and  $\Delta_5$  in example 4.58, die  $\Gamma_5$  = dse  $\Gamma_5$  and die  $\Delta_5$  = dse  $\Delta_5$ .

end of remark

### property 5.32

For i/o-connectable components  $\Gamma$  and  $\Delta$  such that  $\Gamma$  is di-initializable,

(i)  $(\text{DSE}\,\Gamma)\ \text{NCIHADS}\ \Delta \Rightarrow (\text{DIE}\,\Gamma)\ \text{NCIHADS}\ \Delta$

(ii)  $\Delta\ \text{NCIHADS}\ (\text{DIE}\,\Gamma) \Rightarrow \Delta\ \text{NCIHADS}\ (\text{DSE}\,\Gamma)$

### end of property

From lemma 5.16, definition 5.14, "die", and lemma 4.49 we infer lemma 5.33.

lemma 5.33

For di-initializable component  $\Gamma$ ,

$$(\mathbf{A}t, u : t \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u \wedge u \in \mathbf{t}(\operatorname{die}\Gamma) : t \in \mathbf{t}(\operatorname{die}\Gamma))$$

end of lemma

From theorem 4.80 we infer theorem 5.34.

### theorem 5.34

For di-initializable components  $\Gamma$  and  $\Delta$  such that  $\mathbf{io}\,\Gamma = \mathbf{io}\,\Delta$ ,  $\operatorname{cbds}\Gamma \subseteq \mathbf{ptr}\Delta$ , and  $\mathbf{ptr}\Delta \subseteq \mathbf{ptr}\Gamma$ ,

$\operatorname{die}\Gamma = \operatorname{die}\Delta$

### end of theorem

We present some examples of die and DIE.

### example 5.35

For component  $\Gamma_w$ , see example 2.47 and example 4.38, die  $\Gamma_w = \text{dse } \Gamma_w$ . Also for  $\Gamma_c$ , see example 2.48,  $\Gamma_f$ , see example 2.49,  $\Gamma_{af}$ , see example 2.49 and example 4.39,  $\Gamma_{tubc}$ , see example 2.50 and example 4.60,  $\Gamma_{bc}$ , see example 2.50 and example 4.61, and  $\Gamma_{2w}$ , see example 2.50, the die is equal to the dse.

end of example

Communicating delay-insensitively

### example 5.36

We consider component  $\Gamma_{or}$ , see example 2.51. The state graph of DIE  $\Gamma_{or}$  is shown in figure 5.0.



figure 5.0 State graph of component DIE  $\Gamma_{or}$ .

Notice that  $t(\operatorname{die} \Gamma_{or}) = \operatorname{pref} \{x, y : x \in \{ \operatorname{acac}, \operatorname{bcbc} \}^* \land y \in \{ \operatorname{acb}, \operatorname{abc}, \operatorname{bca}, \operatorname{bac} \} : xy \}.$  There are some traces in  $t(\operatorname{die} \Gamma_{or})$  that 'lead to dead ends', viz. all traces in  $\{x, y : x \in \{acac, bcbc\}^* \land y \in \operatorname{pref} \{acb, abc, bca, bac\} : xy\}$ . We consider such a trace which is apparently not extendable: acb.

- (i) Since  $(\mathbf{A}s : s \in \mathbf{ptr}\,\Gamma_{or} : \neg(s\,\mathbf{c}_{\mathbf{io}\Gamma_{or}}\,acbc))$ , we conclude from property 5.18 that  $acbc \notin \mathbf{t}(\operatorname{die}\Gamma_{or})$ .
- (ii) From lemma 5.20 and theorem 5.2, " $C_4$ ", we conclude that  $acbb \notin \mathbf{t}(\operatorname{die}\Gamma_{or})$ .
- (iii) From lemma 5.20, definition 5.1, " $C_4$ ", definition 4.16, " $D_4$ ", and theorem 5.2, " $C_4$ ", we conclude, using  $acacbc \in \mathbf{t}(\operatorname{die}\Gamma_{or})$ ,  $acacbc\ \mathbf{c}_{\mathbf{io}\Gamma_{or}}\ acbacc$ , and  $acbacc\ \mathbf{c}_{\mathbf{io}\Gamma_{or}}\ acba$ , that  $acba \notin \mathbf{t}(\operatorname{die}\Gamma_{or})$ .

The non-extendability of the other traces 'leading to dead ends' can be argued analogously. The interpretation of the existence of such traces is the following: when some environment communicates delay-insensitively with component  $\Gamma_{or}$  in such a way as to 'move DIE  $\Gamma_{or}$  to a dead end', component  $\Gamma_{or}$  goes along without violating any of the correctness concerns, viz. absence of computation interference hazard and absence of transmission interference hazard; however, any further extension of the communication will violate at least one of the correctness concerns. In this particular example the correctness concern "absence of transmission interference hazard" will be violated.

### end of example

### example 5.37

We consider component  $\Gamma_{and}$ , see example 2.51. The state graph of DIE  $\Gamma_{and}$  is shown in figure 5.1.



figure 5.1 State graph of component DIE  $\Gamma_{and}$ .

Notice that DIE  $\Gamma_{and}$  differs from DIE  $\Gamma_{or}$ , see example 5.36, only in its initial behavior, cf. example 2.51.

### end of example

Component  $\Gamma_{ncel}$ , see example 5.38, has been presented by Ebergen, see [Ebergen 87].

### example 5.38

We consider Ebergen's "NCEL component", cf. [Ebergen 87]. We call it  $\Gamma_{ncel}$ ; it is defined by:

$$\mathbf{o} \Gamma_{ncel} \stackrel{\text{def}}{=} \{c\} \qquad \mathbf{i} \Gamma_{ncel} \stackrel{\text{def}}{=} \{a, b\}$$
$$\mathbf{t}(\mathbf{ptr} \Gamma_{ncel}) \stackrel{\text{def}}{=} \mathbf{pref}(\{aa, bb, abc, bac\}^*).$$

We present the state graph of component  $\Gamma_{ncel}$  in figure 5.2.



figure 5.2 State graph of component  $\Gamma_{ncel}$ .

From theorem 5.24, "delay-insensitive enclosure", and definition 5.14, "die", we conclude that DIE  $\Gamma_{ncel} = \Gamma_c$ , cf. example 2.48. Ebergen presents  $\Gamma_{ncel}$  as an example of a component that is not a "DI component"; in our terminology this means that DIE  $\Gamma_{ncel} \neq \Gamma_{ncel}$ .

end of example

### 5.1.0.3 Behavior of delay-insensitively communicating components

In this subsection we are interested in the impact of delay-insensitive communication on the communication behavior of a component. We define the maximal communication behavior of a component that communicates delay-insensitively, i.e. the maximal (w.r.t. trace structure inclusion) communication behavior of the component at the commports of the component when the component has an indirect connection with its environment and there is absence of computation interference hazard between them and there is absence of transmission interference hazard in the channel between them. The "maximal communication behavior of component  $\Gamma$  that communicates delay-insensitively" is a component. It is denoted by CBDI  $\Gamma$ .

### definition 5.39 maximal communication behavior for delay-insensitive communication

For di-initializable component  $\Gamma$ , we define the maximal communication behavior of  $\Gamma$  when  $\Gamma$  communicates via a delay-insensitive channel, denoted by  $\text{CBDI}\,\Gamma$ , as the maximal (w.r.t. trace structure inclusion) component such that

- (i)  $\mathbf{io}(\text{CBDI}\,\Gamma) = \mathbf{io}\,\Gamma$
- (ii)  $\mathbf{ptr}(\text{CBDI}\,\Gamma) \subseteq \mathbf{ptr}\,\Gamma$
- (iii)  $(\mathbf{A}a, s : a \in \mathbf{i}\Gamma \wedge sa \in \mathbf{t}(\mathbf{ptr}(\text{CBDI}\,\Gamma)) : (\mathbf{E}t : t \in \mathbf{t}(\operatorname{die}\Gamma) : sa\,\mathbf{c}_{\mathbf{io}\Gamma}\,t))$

### end of definition

The existence of the maximum in definition 5.39, "maximal communication behavior for delay-insensitive communication", above follows from theorem 5.48, "maximal communication behavior for delay-insensitive communication". In requirement (iii) in definition 5.39, "maximal communication behavior for delay-insensitive communication", we do not quantify over symbols  $a \in \mathbf{o}\Gamma$ , since there is no way to prevent a component from 'producing' commsigs at its output commports, cf. subsection 2.2.3.

### property 5.40

For di-initializable component  $\Gamma$ ,

$(\text{CBDI}\,\Gamma)\ \text{NCIHDS}\ \overline{\text{DIE}\,\Gamma}$

### end of property

From property 5.40 we conclude that there is no need to require that  $(CBDI\Gamma)NCIHDS \overline{DIE\Gamma}$  in definition 5.39, "maximal communication behavior for delay-insensitive communication".

For component  $\Gamma$  we define trace structure **cbdi** $\Gamma$ . It will turn out that this is the trace structure of **CBDI** $\Gamma$ , see theorem 5.48.

### definition 5.41 cbdi

For di-initializable component  $\Gamma$  trace structure cbdi $\Gamma$  is defined by

$\operatorname{cbdi}\Gamma \stackrel{\text{def}}{=} \langle \mathbf{a}\Gamma, \{t, u : t \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u \wedge u \in \mathbf{t}(\operatorname{die}\Gamma) : t\} \rangle$

end of definition

### property 5.42

For di-initializable component  $\Gamma$ , trace *t*, and symbol *a*,

- (i) for  $a \in o\Gamma$ ,  $(t \in t(cbdi\Gamma) \land ta \in t(ptr\Gamma)) = ta \in t(cbdi\Gamma)$
- (ii) for  $a \in i\Gamma$ ,  $(t \in t(cbdi\Gamma) \land ta \in t(die\Gamma)) = ta \in t(cbdi\Gamma)$

end of property

In property 5.42 (ii)  $ta \in t(cbdi\Gamma) \Rightarrow ta \in t(die\Gamma)$  follows from lemma 5.33; from lemma 5.33 we also infer property 5.43.

### property 5.43

For di-initializable component  $\Gamma$ ,

 $\operatorname{cbdi} \Gamma = \operatorname{ptr} \Gamma \cap \operatorname{die} \Gamma$ 

end of property

theorem 5.44

For di-initializable component  $\Gamma$ ,

 $cbdi\Gamma = cbds\Gamma \cap die\Gamma$ 

### end of theorem

### remark 5.45

In example 4.60 we have seen that the correctness concern "absence of computation interference hazard" restricts the communication behavior of a component. From theorem 5.44 we conclude that the additional correctness concern "absence of transmission interference hazard" indeed gives an additional restriction on the communication behavior of a component, cf. example 5.46.

### end of remark

### example 5.46

Component  $\Gamma_3$  is defined by:

 $o \Gamma_3 \stackrel{\text{def}}{=} \emptyset$  $i \Gamma_3 \stackrel{\text{def}}{=} \{a, b\}$  $t(ptr \Gamma_3) \stackrel{\text{def}}{=} \{\varepsilon, a, b, ba, aa\}$ 

We infer that  $\mathbf{t}(\operatorname{cbds}\Gamma_3) = \{\varepsilon, a, b, aa\}$  and  $\mathbf{t}(\operatorname{cbdi}\Gamma_3) = \{\varepsilon, a, b\}$ . Since  $\operatorname{cbds}\Gamma_3 \neq \operatorname{cbdi}\Gamma_3$ , we conclude that the communication behavior of  $\Gamma_3$  is further restricted by the additional correctness concern absence of transmission interference hazard: the trace  $aa$ , in which the environment sends  $a$  twice, is allowed by absence of computation interference hazard but excluded by absence of transmission interference hazard.

### end of example

Due to the nonemptiness and prefix-closedness of  $\mathbf{ptr}\Gamma$  and  $\operatorname{die}\Gamma$ , see property 5.15, we infer property 5.47 from property 5.43.

### property 5.47

For di-initializable component  $\Gamma$ ,

$\operatorname{cbdi}\Gamma$  is nonempty and prefix-closed

end of property

Now, we can link trace structure  $cbdi\Gamma$  to component CBDI  $\Gamma$ .

theorem 5.48 maximal communication behavior for delay-insensitive communication For di-initializable component  $\Gamma$ ,

 $ptr(CBDI\Gamma) = cbdi\Gamma$ 

### end of theorem

Property 5.49 relates the trace structures of components DSENTIH  $\Gamma$  and CBDI  $\Gamma$ .

#### property 5.49

For di-initializable components  $\Gamma$  and  $\Delta$  such that io  $\overline{\Gamma} = io \Delta$ ,

$$(\text{DSENTIH}\,\Gamma)\ \text{NCIHDS}\ \Delta \Rightarrow (\mathbf{A}t, u : t \in \mathbf{t}(\mathbf{ptr}\Gamma) \wedge t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u \wedge u \in \mathbf{t}(\mathbf{ptr}\Delta) : t \in \mathbf{t}(\operatorname{cbdi}\Gamma) \wedge u \in \mathbf{t}(\operatorname{cbdi}\Delta))$$

### end of property

From theorem 5.34 and definition 5.39, "maximal communication behavior for delay-insensitive communication" we derive that CBDI is idempotent.

property 5.50 CBDI is idempotent

For di-initializable component  $\Gamma$ ,

 $\mathbf{CBDI}(\mathbf{CBDI}\,\Gamma) = \mathbf{CBDI}\,\Gamma$ 

### end of property

In example 5.51 we take another look at Ebergen's  $\Gamma_{ncel}$ .

### example 5.51

We consider Ebergen's "NCEL component", cf. [Ebergen 87] and example 5.38.

Using property 5.43 we calculate trace structure  $\operatorname{cbdi}\Gamma_{ncel}$ . From theorem 5.48, "maximal communication behavior for delay-insensitive communication", we now conclude that  $\text{CBDI}\,\Gamma_{ncel} = \Gamma_c$ , cf. example 2.48.

end of example

### 5.1.1 'Off-the-shelf' mechanisms

After we have determined the trace structure of the component that models the mechanism, we calculate the **cbdi** of this component. If this **cbdi** is too restricted, we conclude that we do not want to require that the communication between this component and its environment is delay-insensitive. We might choose a mixed connection between this component and its environment, cf. partial delay-insensitivity in chapter 6; or we might create a new mechanism, e.g. by adding some clock signals as described in subsection 4.2.5.

In subsection 5.1.0.1 we have defined the operator die for di-initializable components. For di-initializable component  $\Gamma$ , die  $\Gamma$  is the trace structure of the delay-insensitive enclosure of  $\Gamma$ . Using die we have defined the operator cbdi in subsection 5.1.0.3; cbdi $\Gamma$  is the trace structure of the maximal communication behavior of di-initializable component  $\Gamma$ , if  $\Gamma$  communicates delay-insensitively. Let di-initializable component  $\Gamma$  model some 'off-the-shelf' mechanism: now, trace structure cbdi $\Gamma$  can be used as a label that can be attached to such a mechanism to show its maximal delay-insensitive communication behavior. This labeling can be done only for di-initializable components; notice that labeling such an 'off-the-shelf' mechanism with trace structure  $\operatorname{cbds}\Gamma$  to show its maximal delay-safe communication behavior is always possible, see subsection 4.2.5. For components that are not di-initializable, the cbdi is not defined: such a component cannot be prevented from causing transmission interference hazard when it communicates via a delay-safe channel. This problem might be solved by assuming that the connection between this component and its environment is mixed, cf. partial delay-insensitivity in chapter 6.


# 6 Composition

In this chapter we present our most general study of composition: we are concerned with mixed connections of components, cf. subsection 2.1.3.0 and subsection 2.2.3. In section 6.0 we introduce some notions that are used in the following sections. In section 6.1 we study composition of components given the correctness concern "absence of computation interference hazard". We deal with an additional correctness concern, viz. "absence of transmission interference hazard", in section 6.2. We address decomposition in section 6.3. We refer to other correctness concerns in section 6.4.

### 6.0 Connection of components

In this chapter we study the composition of two components; in order to refer to them conveniently in the remainder of this chapter, we call them  $\Gamma$  and  $\Delta$ . There are several ways in which two components can be connected. In subsection 2.2.0 we have stated that we associate the same symbol with two matching commports. In order to compose two components they have to be i/o-connectable, cf. definition 3.2.

In chapters 3, 4, and 5 we studied closed connections of two components, cf. subsection 2.1.3.0. In chapter 6 we do not restrict ourselves to closed connections: we are interested in connections of two components that are either open or closed. Furthermore, in chapter 3 we have dealt with direct connections of two components; in chapters 4 and 5 we have dealt with indirect connections. The clearly missing case of *mixed connections* will emerge from the treatment of composition in chapter 6; within a mixed connection of components, some pairs of matching commports may be directly connected, whereas the others may be indirectly connected.

## remark 6.0

The open composition of two components constitutes a problem in which implicitly the environment of these components appears as a third component. As a consequence, we must deal with the closed composition of three components. By calculating the composite of two components given some correctness concerns, we generate conditions on the acceptance of (external) inputs by the composite. If absence of computation interference hazard is a correctness concern for the communication between such a composite and its environment, the allowed communication behavior of this environment is reduced by these conditions on the acceptance of (external) inputs by the composite.

## end of remark

Some people do not care about the environment. We do care about the environment, since we are interested in the correctness concern "absence of computation interference hazard" for the communication between the composite and its environment. As a consequence, when discussing the open composition of two components we address three party composition. We do not explicitly refer to the environment of the composite. Nevertheless, concerns about this environment are present: we address this environment implicitly.

## remark 6.1

When calculating the composite, we assume that the (implicit) environment of this composite is directly connected to this composite.

## end of remark

### 6.0.0 External input and output

Since components that have an open connection participate in communication with the environment of their composite, we define the notions "*external input*" and "*external output*".

## definition 6.2 extinp

For i/o-connectable components  $\Gamma$  and  $\Delta$ , alphabet extinp ( $\Gamma$ ,  $\Delta$ ) is defined by

 $\operatorname{extinp}(\Gamma, \Delta) \stackrel{\operatorname{def}}{=} (i \Gamma \cup i \Delta) \cap (a \Gamma \div a \Delta)$ 

end of definition

definition 6.3 extoutp

For i/o-connectable components  $\Gamma$  and  $\Delta$ , alphabet extoutp( $\Gamma, \Delta$ ) is defined by

extoutp $(\Gamma, \Delta) \stackrel{\text{def}}{=} (o \Gamma \cup o \Delta) \cap (a \Gamma \div a \Delta)$ 

end of definition

The set  $extinp(\Gamma, \Delta)$  is associated with the set of *external input commports* of i/oconnectable components  $\Gamma$  and  $\Delta$ . The set  $extoutp(\Gamma, \Delta)$  is associated with the set of *external output commports* of i/o-connectable components  $\Gamma$  and  $\Delta$ . In our Communication Model all communication is one-to-one communication, cf. subsection 2.1.0. As a consequence, inputs and outputs of  $\Gamma$  and  $\Delta$  that belong to  $a\Gamma \cap a\Delta$  are not available for external communication; for this reason these inputs and outputs are excluded from  $extinp(\Gamma, \Delta)$  and  $extoutp(\Gamma, \Delta)$ . In definition 6.2, "extinp", and definition 6.3, "extoutp", the i/o-connectability of  $\Gamma$  and  $\Delta$  is required to provide the context for these definitions.

When we study composition of components in our Communication Model, we distinguish directly and indirectly connected commports, cf. subsection 2.1.0. Since in this chapter we are concerned with mixed connections of components, we deal with both cases. In the definitions in this chapter, alphabets *I* and *D* are used to indicate which part of the connection (of components  $\Gamma$  and  $\Delta$ ) is indirect and which part is direct: the symbols in  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \cap I$  are associated with the *indirectly connected commports* of these components, and the symbols in  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \cap D$  are associated with their *directly connected commports*, see figure 6.0. Set *I* is associated with the set  $\Psi_{ic}$  of indirectly connected commports, see subsection 2.1.6.0; as a consequence, set *D* is associated with  $\Psi \setminus \Psi_{ic}$ .



figure 6.0 Composing components  $\Gamma$  and  $\Delta$  under *I*.

In figure 6.0 we distinguish three kinds of commports of the composite of components  $\Gamma$  and  $\Delta$ :

- the external commports, with which an element of  $\mathbf{a}\Gamma \div \mathbf{a}\Delta$  is associated.
- the indirectly connected matching commports of  $\Gamma$  and  $\Delta$ , with which an element of  $a\Gamma \cap a\Delta \cap I$  is associated; these commports have been encircled.
- the directly connected matching commports of  $\Gamma$  and  $\Delta$ , with which an element of  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \cap D$  is associated; these commports have been boxed.

Alphabets I and D constitute a bipartition of the universe  $\Omega$  of symbols:  $D = \Omega \setminus I$ . In the remainder of this monograph we will use the expression *the composition of* components under I as an abbreviation for "the composition of components in which with the indirectly connected matching commports an element of I is associated and in which with the directly connected matching commports an element of D is associated".

## remark 6.4

Many definitions in this chapter depend on the bipartition of  $\Omega$  into alphabets *I* and *D*. As a consequence, *I* occurs formally as a parameter in these definitions. For this reason, we explicitly mention *I* in these definitions rather than defining it globally with respect to them.

### end of remark

### 6.0.1 General composability

When two components have a mixed connection, we say that the communication between them is *partially delay-safe*, cf. [Schols86]. In order to deal with the (partial) delay-safe communication in a composition of two components we extend definition 4.1, "composability", leading to definition 6.5, "general composability". In definition 6.5, (i) through (v) are equal to (i) through (v) in definition 4.1. Condition (vi) is added in definition 6.5. We do not use *general composability* to relate traces of  $\Gamma$  to traces of  $\Delta$ ; we use it to give a relation between traces (at the curly boundary in figure 6.1, see also remark 6.1) of the composite of  $\Gamma$  and  $\Delta$ . We project these traces (onto a $\Gamma$  or a $\Delta$ ) when we want to relate them to traces of either  $\Gamma$  or  $\Delta$ , see also definition 6.11, "totcom".



figure 6.1 Composing components  $\Gamma$  and  $\Delta$ .

Definition 6.5, "general composability", will be used such that iobip  $F$  is equal to the restriction of iobip  $\mathbf{io}\,\Gamma$  to the indirect connection of  $\Gamma$  and  $\Delta$ :  $\mathbf{i}F = (\mathbf{i}\Gamma \cap \mathbf{a}\Delta \cap I)$  and  $\mathbf{o}F = (\mathbf{o}\Gamma \cap \mathbf{a}\Delta \cap I)$ . This relation between  $\Gamma$ ,  $\Delta$ , and  $F$  is shown in definition 6.11, "totcom". As a consequence, each symbol  $c \notin \mathbf{a}F$  in definition 6.5(vi) is associated with either a pair of directly connected commports of  $\Gamma$  and  $\Delta$  or a commport of  $\Gamma$  or  $\Delta$  that does not match a commport of the other component:  $(\mathbf{a}\Gamma \cup \mathbf{a}\Delta) \setminus \mathbf{a}F = (\mathbf{a}\Gamma \cap \mathbf{a}\Delta \cap D) \cup (\mathbf{a}\Gamma \div \mathbf{a}\Delta)$ . Thus,  $\mathbf{a}F$  includes only symbols that are associated with the encircled commports of figure 6.1. The boxed commports of figure 6.1 are directly connected. We use general composability to capture our causality notion, cf. section 4.0. Since in definition 6.5, "general composability" (ii) through (v) we are concerned with symbols that are associated with indirectly connected commports, the consistency with our causality notion follows from section 4.0. For this reason (ii) through (v) in definition 6.5 are equal to (ii) through (v) in definition 4.1, "composability". A symbol that is associated with a pair of directly connected commports is added to both generally composable traces, see definition 6.5(vi), in order to maintain consistency with our causality notion, see also chapter 3 and section 4.0. A symbol that is associated with a commport of  $\Gamma$  or  $\Delta$  that does not match a commport of the other component is also added to both generally composable traces, see definition 6.5(vi); since the environment of the composite of  $\Gamma$  and  $\Delta$  is assumed to be directly connected to this composite, cf. remark 6.1, adding these symbols to both generally composable traces maintains consistency with our causality notion.

## definition 6.5 general composability

For traces  $t$  and  $u$  and iobip  $F$ , we define that  $t$  is generally composable under  $F$  with  $u$ , denoted by  $t\,\mathbf{g}_F\,u$ , recursively by

- (i)  $\varepsilon\,\mathbf{g}_F\,\varepsilon$
- (ii) for traces  $t$  and  $u$  and symbol  $a$  such that  $t\,\mathbf{g}_F\,u$  and  $a \in \mathbf{o}F$ ,  $ta\,\mathbf{g}_F\,u$
- (iii) for traces  $t$  and  $u$  and symbol  $a$  such that  $t\,\mathbf{g}_F\,u$ ,  $a \in \mathbf{o}F$ , and  $\#_a t > \#_a u$ ,  $t\,\mathbf{g}_F\,ua$
- (iv) for traces  $t$  and  $u$  and symbol  $b$  such that  $t\,\mathbf{g}_F\,u$  and  $b \in \mathbf{i}F$ ,  $t\,\mathbf{g}_F\,ub$
- (v) for traces  $t$  and  $u$  and symbol  $b$  such that  $t\,\mathbf{g}_F\,u$ ,  $b \in \mathbf{i}F$ , and  $\#_b u > \#_b t$ ,  $tb\,\mathbf{g}_F\,u$
- (vi) for traces  $t$  and  $u$  and symbol  $c$  such that  $t\,\mathbf{g}_F\,u$  and  $c \notin \mathbf{a}F$ ,  $tc\,\mathbf{g}_F\,uc$
- (vii) completeness axiom:  $t$  is not generally composable under  $F$  with  $u$ , unless this is required by (i), (ii), (iii), (iv), (v), or (vi).

## end of definition

From definition 6.5, "general composability", we conclude that, as far as general composability (under iobip F) is concerned, it is irrelevant whether a symbol that is not in  $\mathbf{a}F$  is an input or an output with respect to some iobip (see also subsection 6.0.1.0). Of course, when we take absence of computation interference hazard into account, this difference is crucial.

In analogy to property 4.9 we infer property 6.6.

### property 6.6

For traces  $t$  and  $u$ , and iobip  $F$ ,

$t\,\mathbf{g}_F\,u = u\,\mathbf{g}_{\overline{F}}\,t$ , where  $\overline{F}$  is the iobip with  $\mathbf{i}\overline{F} = \mathbf{o}F$  and  $\mathbf{o}\overline{F} = \mathbf{i}F$ 

end of property

### 6.0.1.0 Relation to composability

The relation between definition 6.5, "general composability", and definition 4.1, "composability", is expressed in property 6.7.

## property 6.7

For traces t and u and iobips F and F' such that  $t \in (aF)^*$ ,  $u \in (aF)^*$ ,  $oF' \subseteq oF$ , and  $iF' \subseteq iF$ ,

 $t\mathbf{g}_{F'} u = t\mathbf{c}_F u \wedge (t \mid (\mathbf{a}F \setminus \mathbf{a}F') = u \mid (\mathbf{a}F \setminus \mathbf{a}F'))$ 

## end of property

We consider two i/o-connectable components  $\Gamma$  and  $\Delta$ . When we want to apply property 6.7, we may want to choose iobips *F* and *F'* as follows:

$$\begin{aligned} \mathbf{o}F' &= \mathbf{o}\Gamma \cap \mathbf{a}\Delta \cap I, & \mathbf{i}F' &= \mathbf{i}\Gamma \cap \mathbf{a}\Delta \cap I, \\ \mathbf{o}F &= \mathbf{o}\Gamma \cup \operatorname{extoutp}(\Gamma, \Delta), & \mathbf{i}F &= \mathbf{i}\Gamma \cup \operatorname{extinp}(\Gamma, \Delta). \end{aligned}$$

The distribution of the external outputs and external inputs over oF and iF is irrelevant from a formal point of view.

We consider traces t and u and iobips F and F' such that  $t \in (\mathbf{a}F)^*$ ,  $u \in (\mathbf{a}F)^*$ ,  $\mathbf{o}F' \subseteq \mathbf{o}F$ ,  $\mathbf{i}F' \subseteq \mathbf{i}F$ , and  $t\mathbf{g}_{F'}u$ . From property 6.7 we infer that our causality constraint, viz.  $t\mathbf{c}_F u$ , holds independently of whether symbols are associated with directly or indirectly connected commports; for symbols that are associated with directly connected commports there is an additional constraint, viz. that they have to occur in the same order in both traces.

## remark 6.8

In chapter 4 we introduced our causality notion: no commsig is received before it has been sent. This causality notion holds independent of whether a commsig is sent between directly or indirectly connected commports. For directly connected commports there is an additional constraint: sending and reception of a commsig coincide.

## end of remark

# 6.0.1.1 General composability diagram

In subsection 4.0.0 we explained the construction of composability diagrams. This construction method of Verhoeff is used to check whether two traces are composable under an iobip. In this subsection 6.0.1.1 we extend this method. The extended method is called *constructing a general composability diagram*. By constructing a general composability diagram we check whether two traces are generally composable under an iobip.

When constructing a composability diagram, see subsection 4.0.0, we are interested in whether traces t and u are composable under iobip F; here, t, u, and F satisfy $t \in (\mathbf{a}F)^*$ and $u \in (\mathbf{a}F)^*$. We have seen that definition 6.5, "general composability", differs from definition 4.1, "composability", by the addition of (vi). In 6.5(vi) we deal with symbols that are <u>not</u> elements of aF. The construction of a general composability diagram is equal to the construction of a composability diagram with one exception: an occurrence of a symbol that is <u>not</u> an element of aF is connected by a <u>bidirectional arrow</u> (instead of a unidirectional arrow). The bidirectional arrow is treated as two non-intersecting arrows that point in opposite directions. A symbol that is not in aF is associated with two commports that are directly connected, cf. remark 6.1. As a consequence, such a symbol has to occur, consistent with our causality notion, either in both composable traces or in none, cf. definition 6.5(vi). These symbols, which are not in aF, are postfixed with neither an exclamation mark nor a question mark in the traces in a general composability diagram.

Trace t is generally composable under iobip F with trace u if and only if in the general composability diagram:

- (i) there is no arrow starting from a \$, and
- (ii) there is no backward intersection of two arrows.

These two conditions are equal to the conditions in subsection 4.0.0.

#### example 6.9 generally composable traces

We consider traces t and u, symbols a, b, c, and d, and iobip  $F_3$  such that  $oF_3 = \{a\}$  and  $iF_3 = \{b, d\}$ . We are interested in whether trace *abca* (=t) is generally composable under  $F_3$  with trace *adbcb* (=u). In figure 6.2 this general composability diagram is shown.



figure 6.2 General composability diagram.

The absence of a backward intersection in the general composability diagram indicates that t and u are generally composable under $F_3$. By direct application of definition 6.5, "general composability", we can derive in several ways a confirmation that $abca\,\mathbf{g}_{F_3}\,adbcb$:

$$\begin{array}{ll}
\epsilon\,\mathbf{g}_{F_3}\,\epsilon & \epsilon\,\mathbf{g}_{F_3}\,\epsilon \\
a\,\mathbf{g}_{F_3}\,\epsilon & a\,\mathbf{g}_{F_3}\,\epsilon \\
a\,\mathbf{g}_{F_3}\,a & a\,\mathbf{g}_{F_3}\,a \\
a\,\mathbf{g}_{F_3}\,ad & a\,\mathbf{g}_{F_3}\,ad \\
a\,\mathbf{g}_{F_3}\,adb & a\,\mathbf{g}_{F_3}\,adb \\
ab\,\mathbf{g}_{F_3}\,adb & ab\,\mathbf{g}_{F_3}\,adb \\
abc\,\mathbf{g}_{F_3}\,adbc & abc\,\mathbf{g}_{F_3}\,adbc \\
abca\,\mathbf{g}_{F_3}\,adbc & abc\,\mathbf{g}_{F_3}\,adbcb \\
abca\,\mathbf{g}_{F_3}\,adbcb & abca\,\mathbf{g}_{F_3}\,adbcb
\end{array}$$

table 6.3 Two derivations of $abca\,\mathbf{g}_{F_3}\,adbcb$.

In example 6.10 we show how the bidirectional arrows are used to check for general composability.

### example 6.10

We consider symbols a and b. We are interested in whether trace ab is generally composable under a given iobip with trace ba. In this example we consider several iobips.

Let iobip  $F_4$  be such that  $aF_4 = \emptyset$ . We are interested in whether  $abg_{F_4}ba$ . In figure 6.4 this general composability diagram is shown.



figure 6.4 General composability diagram.

Since the bidirectional arrows give rise to a backward intersection in the general composability diagram, we conclude that $\neg(ab\,\mathbf{g}_{F_4}\,ba)$.

Let iobip  $F_5$  be such that  $oF_5 = \{a\}$  and  $iF_5 = \emptyset$ . We are interested in whether  $abg_{F_5}ba$ . In figure 6.5 this general composability diagram is shown.



figure 6.5 General composability diagram of  $ab \mathbf{g}_{F_5} ba$ .

Since there is no backward intersection in the general composability diagram and there is no arrow starting from a \$, we conclude that $ab\,\mathbf{g}_{F_5}\,ba$.

Let iobip  $F_6$  be such that  $oF_6 = \{b\}$  and  $iF_6 = \emptyset$ . We are interested in whether  $abg_{F_6}ba$ . In figure 6.6 this general composability diagram is shown.



figure 6.6 General composability diagram.

Since the bidirectional arrow gives rise to a backward intersection in the general composability diagram, we conclude that  $\neg(abg_{F_6}ba)$ .

# 6.1 Composition without computation interference hazard

When we compose components we define a component that is the composite of them: this composite is under the given correctness concerns maximal with respect to both the (external) inputs that are <u>guaranteed</u> to be accepted by it and the (external) outputs that <u>might</u> be produced by it. In this section we are concerned with only one correctness concern, viz. "absence of computation interference hazard". The composite of two components, say  $\Gamma$  and  $\Delta$ , given this correctness concern is calculated in three steps:

- We calculate in subsection 6.1.0 trace structure  $\Gamma totcom_{I}\Delta$ , which results from 'combining' the trace structures of  $\Gamma$  and  $\Delta$ . This combination is calculated regardless of our correctness concern "absence of computation interference hazard", see definition 6.11, "totcom". Of course, the alphabet of trace structure  $\Gamma totcom_{I}\Delta$  equals  $a\Gamma \cup a\Delta$ .
- In subsection 6.1.1 we deal with the correctness concern "absence of computation interference hazard". Using this correctness concern we calculate trace structure  $\Gamma$ *totcomncih*<sub>I</sub> $\Delta$ , see definition 6.24. Of course, the alphabet of trace structure  $\Gamma$ *totcomncih*<sub>I</sub> $\Delta$  equals  $a\Gamma \cup a\Delta$ . The trace set of  $\Gamma$ *totcomncih*<sub>I</sub> $\Delta$  is a subset of the trace set of  $\Gamma$ *totcom*<sub>I</sub> $\Delta$ .
- In subsection 6.1.2 we hide the internal communication; the resulting trace structure is called  $\Gamma extcomncih_I \Delta$ . Of course, the alphabet of trace structure  $\Gamma extcomncih_I \Delta$  equals  $a\Gamma \div a\Delta$ , see definition 6.29, "extcomncih". In this step we maintain absence of computation interference hazard, which has been established in the previous step.

Of course, we will motivate the calculations performed in the three steps mentioned above. However, since in our Communication Model we cannot give an interpretation for the trace structures calculated in the first two steps, we do not give such an interpretation in our Communication Model: no component is defined in these first two steps. Notice that this implies that we do not attempt to define a kind of 'composite regardless of "absence of computation interference hazard"' in our Communication Model.

# 6.1.0 Combining two connected components

We combine the trace structures of $\Gamma$ and $\Delta$ into one trace structure, viz. $\Gamma\operatorname{totcom}_I\Delta$, see definition 6.11.

## definition 6.11 totcom

Given are i/o-connectable components $\Gamma$ and $\Delta$ and alphabet *I*. Let iobip *F* be such that $\mathbf{i}F = \mathbf{i}\Gamma \cap \mathbf{a}\Delta \cap I$ and $\mathbf{o}F = \mathbf{o}\Gamma \cap \mathbf{a}\Delta \cap I$. Trace structure $\Gamma\operatorname{totcom}_I\Delta$ is defined by:

- (i) $\mathbf{a}(\Gamma\operatorname{totcom}_I\Delta) \stackrel{\text{def}}{=} \mathbf{a}\Gamma \cup \mathbf{a}\Delta$
- (ii) $\varepsilon \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$
- (iii) for traces s and t and symbol d such that $d \in (\mathbf{a}\Gamma \setminus \mathbf{o}\Delta)$, $s \in (\mathbf{a}\Gamma \cup \mathbf{a}\Delta)^*$, $t \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$, $(s \mid \mathbf{a}\Gamma) \in \mathbf{t}(\operatorname{ptr}\Gamma)$, and $s\,\mathbf{g}_F\,td$, $td \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$
- (iv) for traces t and u and symbol e such that $e \in (\mathbf{a}\Delta \setminus \mathbf{o}\Gamma)$, $t \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$, $u \in (\mathbf{a}\Gamma \cup \mathbf{a}\Delta)^*$, $(u \mid \mathbf{a}\Delta) \in \mathbf{t}(\operatorname{ptr}\Delta)$, and $te\,\mathbf{g}_F\,u$, $te \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$
- (v) completeness axiom: $\mathbf{t}(\Gamma\operatorname{totcom}_I\Delta)$ contains no traces that are not required by (ii), (iii), or (iv).

## end of definition

In definition 6.11(iii) symbol d is associated with either an external commport of  $\Gamma$  or an internal output commport of  $\Gamma$ , since  $(\mathbf{a}\Gamma \setminus \mathbf{o}\Delta) = (\mathbf{a}\Gamma \setminus \mathbf{a}\Delta) \cup (\mathbf{o}\Gamma \cap \mathbf{i}\Delta)$ . Analogously, in definition 6.11(iv) symbol e is associated with either an external commport of  $\Delta$  or an internal output commport of  $\Delta$ .

## property 6.12 totcom is nonempty and prefix-closed

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I*,

- (i) $\Gamma\operatorname{totcom}_I\Delta$ is nonempty,
- (ii) $\Gamma\operatorname{totcom}_I\Delta$ is prefix-closed.

## end of property

We present an alternative characterization of totcom in property 6.13.

## property 6.13 totcom

Given are i/o-connectable components $\Gamma$ and $\Delta$ and alphabet *I*. Let iobip *F* be such that $\mathbf{i}F = \mathbf{i}\Gamma \cap \mathbf{a}\Delta \cap I$ and $\mathbf{o}F = \mathbf{o}\Gamma \cap \mathbf{a}\Delta \cap I$,

$$\mathbf{t}(\Gamma\operatorname{totcom}_I\Delta) = \{s, t, u : (s \mid \mathbf{a}\Gamma) \in \mathbf{t}(\operatorname{ptr}\Gamma) \wedge (u \mid \mathbf{a}\Delta) \in \mathbf{t}(\operatorname{ptr}\Delta) \wedge s\,\mathbf{g}_F\,t \wedge t\,\mathbf{g}_F\,u : t\}$$

## end of property

From definition 6.11, "totcom", definition 3.2, "i/o-connectable", and property 6.6 we infer the symmetry of totcom, see property 6.14.

## property 6.14 totcom is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I*,

 $\Gamma \operatorname{totcom}_{I} \Delta = \Delta \operatorname{totcom}_{I} \Gamma$ 

## end of property

We present some running examples to show applications of the composition method. Apart from this, the specific reason to include the running example that starts in example 6.15 is that the combination of trace structures  $ptr \Gamma_0$  and  $ptr \Delta_0$  reveals computation interference hazard at one of the external inputs.

## example 6.15

We consider i/o-connectable components  $\Gamma_0$  and  $\Delta_0$ ; in this example alphabet *I* equals  $\{b\}$ , see figure 6.7.



figure 6.7 Connection of components  $\Gamma_0$  and  $\Delta_0$  .

Components  $\Gamma_0$  and  $\Delta_0$  are defined by:

$$\mathbf{o} \Gamma_0 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{i} \Gamma_0 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{t}(\mathbf{ptr} \Gamma_0) \stackrel{\text{def}}{=} \mathbf{pref} \{ba\}, \\ \mathbf{o} \Delta_0 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i} \Delta_0 \stackrel{\text{def}}{=} \{c\}, \quad \mathbf{t}(\mathbf{ptr} \Delta_0) \stackrel{\text{def}}{=} \mathbf{pref} \{cb\}.$$

The state graphs of components  $\Gamma_0$  and  $\Delta_0$  are shown in figure 6.8.



figure 6.8 State graphs of components $\Gamma_0$ (figure 6.8a) and $\Delta_0$ (figure 6.8b).

From definition 6.11, "totcom", we derive that

$\Gamma_0 \operatorname{totcom}_{\{b\}} \Delta_0 = \langle \{a, b, c\}, \{\varepsilon, c, cb, cc, cba, cbc, ccb, cbac, cbca, ccba\} \rangle$

Notice that symbol *a* in the traces in this trace structure occurs on account of definition 6.11(iii); symbols *b* and *c* in these traces occur on account of definition 6.11(iv). We present the state graph of  $\Gamma_0 totcom_{\{b\}}\Delta_0$  in figure 6.9.



figure 6.9 State graph of trace structure  $\Gamma_0 totcom_{\{b\}} \Delta_0$ .

We notice that  $cc \in t(\Gamma_0 \operatorname{totcom}_{\{b\}}\Delta_0)$  on account of definition 6.11(iv), since  $c \in a\Delta_0 \setminus o\Gamma_0$ ,  $c \in t(\Gamma_0 \operatorname{totcom}_{\{b\}}\Delta_0)$ ,  $cbc \in (a\Gamma_0 \cup a\Delta_0)^*$ ,  $cbc \upharpoonright a\Delta_0 = cbc$ ,  $cbc \in t(\operatorname{ptr}\Delta_0)$ , and  $ccg_{F_0}cbc$ , for iobip  $F_0$  such that  $iF_0 = \{b\}$  (i.e.  $i\Gamma_0 \cap a\Delta_0 \cap \{b\}$ ) and  $oF_0 = \emptyset$  (i.e.  $o\Gamma_0 \cap a\Delta_0 \cap \{b\}$ ).

The specific reason to include the running example that starts in example 6.16 is that the combination of trace structures  $ptr \Gamma_0$  and  $ptr \Delta_0$  reveals computation interference hazard at one of the internal inputs.

#### example 6.16

We consider i/o-connectable components $\Gamma_1$ and $\Delta_1$; in this example alphabet *I* equals $\{b\}$. Components $\Gamma_1$ and $\Delta_1$ are defined by:

$$\mathbf{o}\Gamma_1 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{i}\Gamma_1 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{t}(\mathbf{ptr}\Gamma_1) \stackrel{\text{def}}{=} \mathbf{pref}\{ab\}, \\ \mathbf{o}\Delta_1 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i}\Delta_1 \stackrel{\text{def}}{=} \{c\}, \quad \mathbf{t}(\mathbf{ptr}\Delta_1) \stackrel{\text{def}}{=} \mathbf{pref}\{cb\}.$$

The state graphs of components $\Gamma_1$ and $\Delta_1$ are shown in figure 6.10.



figure 6.10 State graphs of components $\Gamma_1$ (figure 6.10a) and $\Delta_1$ (figure 6.10b).

From definition 6.11, "totcom", we derive that

$\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1 = \langle \{a, b, c\}, \{\varepsilon, a, c, ac, ca, cb, acb, cab, cba\} \rangle$

We present the state graph of $\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1$ in figure 6.11.



figure 6.11 State graph of trace structure $\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1$.

We notice that $cb \in \mathbf{t}(\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1)$ on account of definition 6.11(iv), since $b \in \mathbf{a}\Delta_1 \setminus \mathbf{o}\Gamma_1$, $c \in \mathbf{t}(\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1)$, $cb \in (\mathbf{a}\Gamma_1 \cup \mathbf{a}\Delta_1)^*$, $cb \mid \mathbf{a}\Delta_1 = cb$, $cb \in \mathbf{t}(\operatorname{ptr}\Delta_1)$, and $cb\,\mathbf{g}_{F_1}\,cb$, for iobip $F_1$ such that $\mathbf{i}F_1 = \{b\}$ (i.e. $\mathbf{i}\Gamma_1 \cap \mathbf{a}\Delta_1 \cap \{b\}$) and $\mathbf{o}F_1 = \emptyset$ (i.e. $\mathbf{o}\Gamma_1 \cap \mathbf{a}\Delta_1 \cap \{b\}$). On the other hand we notice that $ab \notin \mathbf{t}(\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1)$ on account of definition 6.11(iv), since $b \in \mathbf{o}\Delta_1$ and $\neg(ab\,\mathbf{g}_{F_1}\,u)$ for any trace u such that $u \mid \mathbf{a}\Delta_1 \in \mathbf{t}(\operatorname{ptr}\Delta_1)$ because of $\#_c u = 0$.


In examples 6.15 and 6.16 we presented 'toy problems' to illustrate the calculation of the composite in this section. We present a more realistic case in the running example that starts in example 6.17: how to compose a Muller C-element out of a majority element and an asymmetric fork element.

#### example 6.17

We consider i/o-connectable components  $\Gamma_2$  and  $\Delta_2$ ; in this example alphabet *I* equals the empty set  $\emptyset$ , see figure 6.12.



figure 6.12 Connection of components  $\Gamma_2$  and  $\Delta_2$  .

Component $\Gamma_2$ models a majority element, cf. example 2.52, where $\mathbf{i}\Gamma_2 = \{a, b, e\}$ and $\mathbf{o}\Gamma_2 = \{d\}$. Component $\Delta_2$ models an asymmetric fork element, cf. example 2.49, where $\mathbf{i}\Delta_2 = \{d\}$, $\mathbf{o}\Delta_2 = \{e, c\}$, and c is associated with the commport that models the delayed output. From definition 6.11, "totcom", we derive $\Gamma_2 \operatorname{totcom}_{\emptyset} \Delta_2$, see figure 6.13.

Notice that symbols a, b, and d in the traces in this trace structure occur on account of definition 6.11(iii); symbols c and e in these traces occur on account of definition 6.11(iv).

We notice that  $abdeabd \in t(\Gamma_2 totcom_{\varnothing} \Delta_2)$  on account of definition 6.11(iii), since  $d \in a\Gamma_2 \setminus o\Delta_2$ ,  $abdeab \in t(\Gamma_2 totcom_{\varnothing} \Delta_2)$ ,  $abdeabd \in (a\Gamma_2 \cup a\Delta_2)^*$ ,  $abdeabd \mid a\Gamma_2 = abdeabd$ ,  $abdeabd \in t(ptr \Gamma_2)$ , and  $abdeabdg_{F_2}abdeabd$  for iobip  $F_2$  such that  $aF_2 = \varnothing$ .



figure 6.13 State graph of trace structure $\Gamma_2 \operatorname{totcom}_{\emptyset} \Delta_2$.

Three states in the above state graph have been marked I; this marking will be explained later.

# 6.1.1 Absence of computation interference hazard

In this subsection we deal with the correctness concern absence of computation interference hazard. We do so in definition 6.24, "totcomncih", by reducing trace structure  $\Gamma$ totcom<sub>I</sub> $\Delta$ . In order to do this we introduce definition 6.18, "cihi". Trace set cihi<sub>I</sub> ( $\Gamma, \Delta$ ) consists of the traces of  $\Gamma$ totcom<sub>I</sub> $\Delta$  that are associated with computation interference hazard at  $\Delta$ .

### definition 6.18 cihi

Given are i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I*. Let iobip *F* be such that  $iF = i\Gamma \cap a\Delta \cap I$  and  $oF = o\Gamma \cap a\Delta \cap I$ . We define trace set  $cihi_I(\Gamma, \Delta)$  by:

$$\operatorname{cihi}_I(\Gamma, \Delta) \stackrel{\text{def}}{=} \{a, t, u : a \in \mathbf{i}\Delta \wedge t \in \mathbf{t}(\Gamma\operatorname{totcom}_I\Delta) \wedge u \in (\mathbf{a}\Gamma \cup \mathbf{a}\Delta)^* \wedge (u \mid \mathbf{a}\Delta) \in \mathbf{t}(\operatorname{ptr}\Delta) \wedge (ua \mid \mathbf{a}\Delta) \notin \mathbf{t}(\operatorname{ptr}\Delta) \wedge t\,\mathbf{g}_F\,ua : t\}$$

## end of definition

We continue by calculating the cihi for our running examples. In example 6.19 we present an example in which there is computation interference hazard at an external input.

### example 6.19

We consider components  $\Gamma_0$  and  $\Delta_0$ , see example 6.15. From definition 6.18, "cihi", we derive that

 $\operatorname{cihi}_{\{b\}}(\Gamma_0, \Delta_0) = \{cc\}$  and  $\operatorname{cihi}_{\{b\}}(\Delta_0, \Gamma_0) = \emptyset$ .

Trace *cc* is an element of  $cihi_{\{b\}}(\Gamma_0, \Delta_0)$ , since  $c \in i\Delta_0$ ,  $cc \in t(\Gamma_0 totcom_{\{b\}}\Delta_0)$ ,  $c \in (a\Gamma_0 \cup a\Delta_0)^*$ ,  $c \mid a\Delta_0 = c$ ,  $c \in t(ptr \Delta_0)$ ,  $cc \mid a\Delta_0 = cc$ ,  $cc \notin t(ptr \Delta_0)$ , and  $ccg_{F_0}cc$ .

## end of example

Example 6.20 exhibits computation interference hazard at an internal input.

#### example 6.20

We consider components $\Gamma_1$ and $\Delta_1$, see example 6.16. From definition 6.18, "cihi", we derive that

$\operatorname{cihi}_{\{b\}}(\Gamma_1, \Delta_1) = \emptyset$ and $\operatorname{cihi}_{\{b\}}(\Delta_1, \Gamma_1) = \{cb\}$.

Let iobip $F_7$ be such that $F_7 = \overline{F_1}$. Trace *cb* is an element of $\operatorname{cihi}_{\{b\}}(\Delta_1, \Gamma_1)$, since $b \in \mathbf{i}\Gamma_1$, $cb \in \mathbf{t}(\Gamma_1 \operatorname{totcom}_{\{b\}} \Delta_1)$, $c \in (\mathbf{a}\Gamma_1 \cup \mathbf{a}\Delta_1)^*$, $c \mid \mathbf{a}\Gamma_1 = \varepsilon$, $\varepsilon \in \mathbf{t}(\operatorname{ptr}\Gamma_1)$, $cb \mid \mathbf{a}\Gamma_1 = b$, $b \notin \mathbf{t}(\operatorname{ptr}\Gamma_1)$, and $cb\,\mathbf{g}_{F_7}\,cb$.

#### end of example

Like example 6.20, example 6.21 exhibits computation interference hazard at an internal input.

### example 6.21

We consider components  $\Gamma_2$  and  $\Delta_2$  and iobip  $F_2$ , see example 6.17. The majority element accepts all commsigs that it receives, see example 2.52; we derive from definition 6.18, "cihi", that cihi $_{\emptyset}(\Delta_2, \Gamma_2) = \emptyset$ .

We notice that $(\mathbf{A}t, u : tdud \in \mathbf{t}(\operatorname{ptr}\Delta_2) \wedge (\#_d u = 0) : u = ec)$; as a consequence, $ded \notin \mathbf{t}(\operatorname{ptr}\Delta_2)$. Since $abdeabd \in \mathbf{t}(\Gamma_2 \operatorname{totcom}_{\emptyset} \Delta_2)$ and $ded = abdeabd \mid \mathbf{a}\Delta_2$, there is computation interference hazard at $\Delta_2$. As a consequence, trace set $\operatorname{cihi}_{\emptyset}(\Gamma_2, \Delta_2)$ is nonempty; it consists of all traces that lead from the initial state via states that have not been marked to a state marked *I* in the diagram of the state graph of $\Gamma_2 \operatorname{totcom}_{\emptyset} \Delta_2$ shown in figure 6.13, see example 6.17. From definition 6.18, "cihi", we infer that $abdeabd \in \operatorname{cihi}_{\emptyset}(\Gamma_2, \Delta_2)$, since $d \in \mathbf{i}\Delta_2$, $abdeabd \in \mathbf{t}(\Gamma_2 \operatorname{totcom}_{\emptyset} \Delta_2)$, $abdeab \in (\mathbf{a}\Gamma_2 \cup \mathbf{a}\Delta_2)^*$, $abdeab \mid \mathbf{a}\Delta_2 = de$, $de \in \mathbf{t}(\operatorname{ptr}\Delta_2)$, $abdeabd \mid \mathbf{a}\Delta_2 = ded$, $ded \notin \mathbf{t}(\operatorname{ptr}\Delta_2)$, and $abdeabd\,\mathbf{g}_{F_2}\,abdeabd$.

In definition 6.24, "totcomncih", we use the technique "transformation into computation interference hazard", see subsection 3.3.0; here we transform "computation interference hazard at the boundary of $\Gamma$ or $\Delta$" into "computation interference hazard at the boundary of the composite of $\Gamma$ and $\Delta$". We have argued in subsection 3.3.0 that there may be initial problems when modeling correctness concerns in our Communication Model. We do not want to end up with a component that has an empty trace set when reducing trace structure $\Gamma\operatorname{totcom}_I\Delta$ to trace structure $\Gamma\operatorname{totcomncih}_I\Delta$. For this reason we define predicate $\Gamma\,\mathrm{NICIH}_I\,\Delta$, see definition 6.22.

### definition 6.22 NICIH

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I*, we define predicate  $\Gamma NICIH_I \Delta$  by:

$$\Gamma\,\mathrm{NICIH}_I\,\Delta \stackrel{\text{def}}{=} (\mathbf{A}s : s \in (\operatorname{cihi}_I(\Gamma, \Delta) \cup \operatorname{cihi}_I(\Delta, \Gamma)) : \ell(s \mid \operatorname{extinp}(\Gamma, \Delta)) > 0)$$

## end of definition

Notice that if $\neg(\Gamma\,\mathrm{NICIH}_I\,\Delta)$, then the composite of $\Gamma$ and $\Delta$, where *I* is associated with the indirect connection, has computation interference hazard: computation interference can occur before any external input has occurred. I/o-connectable components $\Gamma$ and $\Delta$ can be connected under alphabet *I* with *no initial computation interference hazard* if and only if $\Gamma\,\mathrm{NICIH}_I\,\Delta$.
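Definitions 6.5, 6.11, 6.18 and 6.22 are mechanical enough to execute. The following Python is an added example, not code from the thesis: it decides general composability by dynamic programming over prefixes (examples 6.9 and 6.10), then grows totcom, cihi and NICIH for the running examples 6.15 and 6.16 (examples 6.19 and 6.20). It assumes finite trace sets, reads extinp as the inputs in the external alphabet $\mathbf{a}\Gamma \div \mathbf{a}\Delta$, and takes $\mathbf{t}(\operatorname{ptr}\Delta_0) = \mathbf{pref}\{cbc\}$, which is what example 6.15 itself uses when it states $cbc \in \mathbf{t}(\operatorname{ptr}\Delta_0)$.

```python
"""Definitions 6.5, 6.11, 6.18 and 6.22 as executable checks on finite trace sets;
added example, not code from the thesis.  Assumed: extinp(G, D) means the inputs in
the external alphabet aG ÷ aD, and t(ptr Delta_0) = pref{cbc}, which example 6.15
itself uses (it states cbc in t(ptr Delta_0)), rather than the printed pref{cb}."""
from itertools import combinations
from typing import NamedTuple

def gcomp(t, u, oF, iF):
    """t g_F u (definition 6.5) by dynamic programming over prefixes:
    ok[i][j] holds iff t[:i] g_F u[:j]; rules (ii)..(vi) are the steps."""
    aF = oF | iF
    n, m = len(t), len(u)
    ok = [[False] * (m + 1) for _ in range(n + 1)]
    ok[0][0] = True                                        # (i)   eps g_F eps
    for i in range(n + 1):
        for j in range(m + 1):
            if i and ok[i - 1][j]:
                a = t[i - 1]
                if a in oF:                                # (ii)  ta g_F u
                    ok[i][j] = True
                elif a in iF and u[:j].count(a) > t[:i - 1].count(a):
                    ok[i][j] = True                        # (v)   tb g_F u
            if j and ok[i][j - 1]:
                a = u[j - 1]
                if a in iF:                                # (iv)  t g_F ub
                    ok[i][j] = True
                elif a in oF and t[:i].count(a) > u[:j - 1].count(a):
                    ok[i][j] = True                        # (iii) t g_F ua
            if i and j and ok[i - 1][j - 1] and t[i - 1] == u[j - 1] and t[i - 1] not in aF:
                ok[i][j] = True                            # (vi)  tc g_F uc
    return ok[n][m]

class Comp(NamedTuple):
    i: frozenset     # input symbols
    o: frozenset     # output symbols
    ptr: frozenset   # t(ptr Gamma): finite and prefix-closed
    @property
    def a(self):
        return self.i | self.o

def pref(*words):
    """Prefix closure: pref('ba') == {'', 'b', 'ba'}."""
    return frozenset(w[:k] for w in words for k in range(len(w) + 1))

def proj(t, A):
    """t | A, the projection of trace t onto alphabet A."""
    return ''.join(x for x in t if x in A)

def iobip(G, D, I):
    """oF = oG ∩ aD ∩ I and iF = iG ∩ aD ∩ I (definitions 6.11 and 6.18)."""
    return G.o & D.a & I, G.i & D.a & I

def shuffles(p, q):
    """All interleavings of traces p and q."""
    n = len(p) + len(q)
    for pos in map(set, combinations(range(n), len(p))):
        ip, iq = iter(p), iter(q)
        yield ''.join(next(ip) if k in pos else next(iq) for k in range(n))

def witnesses(X, ptrX, Y, t):
    """Candidates w with w | X in ptrX whose symbols in Y but not X equal those of
    t (they are not in aF, so rule (vi) forces them to pair up with t's)."""
    return (w for p in ptrX for w in shuffles(p, proj(t, Y - X)))

def totcom(G, D, I):
    """t(G totcom_I D), definition 6.11, grown from eps by rules (iii) and (iv);
    terminates because the trace sets of the running examples are finite."""
    oF, iF = iobip(G, D, I)
    T, todo = {''}, ['']
    while todo:
        t = todo.pop()
        new = [t + d for d in G.a - D.o if t + d not in T and any(      # (iii)
               gcomp(s, t + d, oF, iF) for s in witnesses(G.a, G.ptr, D.a, t + d))]
        new += [t + e for e in D.a - G.o if t + e not in T and any(     # (iv)
                gcomp(t + e, u, oF, iF) for u in witnesses(D.a, D.ptr, G.a, t + e))]
        T.update(new); todo.extend(new)
    return frozenset(T)

def cihi(G, D, I):
    """cihi_I(G, D), definition 6.18: traces of G totcom_I D after which D can be
    sent an input a although (ua) | aD is not a trace of ptr D."""
    oF, iF = iobip(G, D, I)
    return frozenset(t for t in totcom(G, D, I) for a in D.i
                     if any(proj(u + a, D.a) not in D.ptr and gcomp(t, u + a, oF, iF)
                            for u in witnesses(D.a, D.ptr, G.a, t)))

def extinp(G, D):
    """External inputs of the composite (assumption: inputs in aG ÷ aD)."""
    return (G.i | D.i) & (G.a ^ D.a)

def nicih(G, D, I):
    """G NICIH_I D, definition 6.22: every hazardous trace has an external input."""
    return all(proj(s, extinp(G, D)) for s in cihi(G, D, I) | cihi(D, G, I))

# Running examples 6.15 and 6.16, I = {b}; Delta_0 per the assumption above.
GAMMA0 = Comp(frozenset('b'), frozenset('a'), pref('ba'))
DELTA0 = Comp(frozenset('c'), frozenset('b'), pref('cbc'))
GAMMA1 = Comp(frozenset('b'), frozenset('a'), pref('ab'))
DELTA1 = Comp(frozenset('c'), frozenset('b'), pref('cb'))
```

`totcom(GAMMA0, DELTA0, {'b'})` reproduces the ten traces of example 6.15, `cihi` reproduces examples 6.19 and 6.20, and `gcomp` with the reflected iobip (inputs and outputs swapped) exhibits property 6.6.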

From the symmetry of extinp we infer the symmetry of NICIH<sub>1</sub>.

## property 6.23 NICIH is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I*,

 $\Gamma NICIH_{I} \Delta = \Delta NICIH_{I} \Gamma$ 

## end of property

Now we are ready to reduce  $\Gamma totcom_{I} \Delta$  to  $\Gamma totcomncih_{I} \Delta$ .

## definition 6.24 totcomncih

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\Gamma NICIH_I \Delta$ , trace structure  $\Gamma$  totcomncih<sub>I</sub> $\Delta$  is defined by:

$$\Gamma\operatorname{totcomncih}_I\Delta \stackrel{\text{def}}{=} \operatorname{redts}(\Gamma\operatorname{totcom}_I\Delta, \operatorname{extinp}(\Gamma, \Delta), \operatorname{cihi}_I(\Gamma, \Delta) \cup \operatorname{cihi}_I(\Delta, \Gamma))$$

## end of definition

The prefix-closedness of  $\Gamma$ *totcomncih*<sub>I</sub> $\Delta$  follows from property 6.12(ii) and property 1.39. The nonemptiness of  $\Gamma$ *totcomncih*<sub>I</sub> $\Delta$  follows from property 1.40, using  $\Gamma$ *NICIH*<sub>I</sub> $\Delta$  and property 6.12(i).

From property 6.23, "NICIH is symmetric", and property 6.14, "totcom is symmetric", we infer the symmetry of totcomncih.

#### property 6.25 totcomncih is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\Gamma NICIH_I \Delta$ ,

 $\Gamma totcomncih_{I} \Delta = \Delta totcomncih_{I} \Gamma$ 

## end of property

We now calculate *totcomncih* for our running examples. We show that by calculating *totcomncih* we have dealt with computation interference hazard.

#### example 6.26

We consider components  $\Gamma_0$  and  $\Delta_0$ , see example 6.15 and example 6.19. From definition 6.24, "totcomncih", we derive that

 $\Gamma_0 totcomncih_{\{b\}}\Delta_0 = \langle \{a, b, c\}, \{\varepsilon, c, cb, cba, cbc, cbac, cbca\} \rangle$ see figure 6.14.



figure 6.14 State graph of trace structure $\Gamma_0 \operatorname{totcomncih}_{\{b\}} \Delta_0$.

Since  $cc \in cihi_{\{b\}}(\Gamma_0, \Delta_0)$ , we infer that  $cc \notin t(\Gamma_0 totcomncih_{\{b\}}\Delta_0)$ . In subsection 6.1.2 we will deal with hiding the internal communication, while maintaining absence of computation interference hazard.

#### example 6.27

We consider components $\Gamma_1$ and $\Delta_1$, see example 6.16 and example 6.20. From definition 6.24, "totcomncih", we derive that

$\Gamma_1 \operatorname{totcomncih}_{\{b\}} \Delta_1 = \langle \{a, b, c\}, \{\varepsilon, a, ac, acb\} \rangle$

see figure 6.15.



figure 6.15 State graph of trace structure $\Gamma_1 \operatorname{totcomncih}_{\{b\}} \Delta_1$.

Since $cb \in \operatorname{cihi}_{\{b\}}(\Delta_1, \Gamma_1)$, we infer that $cb \notin \mathbf{t}(\Gamma_1 \operatorname{totcomncih}_{\{b\}} \Delta_1)$. Since $b \notin \operatorname{extinp}(\Gamma_1, \Delta_1)$ and $c \in \operatorname{extinp}(\Gamma_1, \Delta_1)$, we see that not only trace cb has been removed while calculating $\Gamma_1 \operatorname{totcomncih}_{\{b\}} \Delta_1$, but also trace c.

## example 6.28

We consider components $\Gamma_2$ and $\Delta_2$, see example 6.17 and example 6.21. From definition 6.24, "totcomncih", we derive trace structure $\Gamma_2 \operatorname{totcomncih}_{\emptyset} \Delta_2$, see figure 6.16.



figure 6.16 State graph of trace structure  $\Gamma_2$  totcomncih<sub> $\emptyset$ </sub> $\Delta_2$ .

In the state graph shown in figure 6.16 all states have been located at relative positions that are equal to those in figure 6.13. The state graph in figure 6.16 has been redrawn in figure 6.17.



figure 6.17 State graph of trace structure $\Gamma_2 \operatorname{totcomncih}_{\emptyset} \Delta_2$.

Since $abdeabd \in \operatorname{cihi}_{\emptyset}(\Gamma_2, \Delta_2)$, we infer that $abdeabd \notin \mathbf{t}(\Gamma_2 \operatorname{totcomncih}_{\emptyset} \Delta_2)$. Since $d \notin \operatorname{extinp}(\Gamma_2, \Delta_2)$ and $b \in \operatorname{extinp}(\Gamma_2, \Delta_2)$, we see that not only trace *abdeabd* has been removed while calculating $\Gamma_2 \operatorname{totcomncih}_{\emptyset} \Delta_2$, but also trace *abdeab*.

# 6.1.2 Hiding the internal communication

The last step in the construction of the composite is "hiding the internal communication". In the beginning of section 6.1 we have argued that the composite has to be maximal. Since absence of computation interference hazard is our correctness concern, projecting onto the external alphabet is sufficient as far as external outputs are concerned, see definition 6.29(iii); however, an additional restriction with respect to external inputs is needed, see definition 6.29(iv).

## definition 6.29 extcomncih

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\Gamma NICIH_I \Delta$ , trace structure  $\Gamma extcomncih_I \Delta$  is defined by:

- (i) $\mathbf{a}(\Gamma\operatorname{extcomncih}_I\Delta) \stackrel{\text{def}}{=} \mathbf{a}\Gamma \div \mathbf{a}\Delta$
- (ii) $\varepsilon \in \mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$
- (iii) for trace u and symbol f such that $u \in \mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$, $f \in \operatorname{extoutp}(\Gamma, \Delta)$, and $(\mathbf{E}t : t \in \mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta) : t \mid (\mathbf{a}\Gamma \div \mathbf{a}\Delta) = uf)$, $uf \in \mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$
- (iv) for trace u and symbol g such that $u \in \mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$, $g \in \operatorname{extinp}(\Gamma, \Delta)$, and $(\mathbf{A}t : t \in \mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta) \wedge (t \mid (\mathbf{a}\Gamma \div \mathbf{a}\Delta) = u) : tg \in \mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta))$, $ug \in \mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$
- (v) completeness axiom: $\mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$ contains no traces that are not required by (ii), (iii), or (iv).

## end of definition

By $\Gamma\operatorname{extcomncih}_I\Delta$ we denote the trace structure that is associated with the *external communication of the composite of $\Gamma$ and $\Delta$ under I without computation interference hazard*. Every trace in the trace structure of this composite must belong to the projection of trace set $\mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta)$ onto the external alphabet (i.e. $\mathbf{a}\Gamma \div \mathbf{a}\Delta$). This gives an upper limit for trace set $\mathbf{t}(\Gamma\operatorname{extcomncih}_I\Delta)$. In order to maintain absence of computation interference hazard, an additional restriction is needed for external inputs; this is why the restriction $(\mathbf{A}t : t \in \mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta) \wedge (t \mid (\mathbf{a}\Gamma \div \mathbf{a}\Delta) = u) : tg \in \mathbf{t}(\Gamma\operatorname{totcomncih}_I\Delta))$ occurs in definition 6.29(iv). There is a universal quantification in this restriction, since we deal not only with absence of some instance of computation interference but with absence of computation interference hazard.

In definition 6.29, "extcomncih", we construct extcomncih<sub>I</sub> from totcomncih<sub>I</sub>. This construction can be interpreted as 'projection onto the external alphabet of the composite under invariance of absence of computation interference hazard': we may interpret  $\Gamma$  totcomncih<sub>I</sub>  $\Delta$  as the communication behavior of the composite of  $\Gamma$  and  $\Delta$  under *I* at the curly boundary in figure 6.18a.



figure 6.18a figure 6.18b Interpretation of trace structures  $\Gamma$  totcomncih<sub>I</sub> $\Delta$  (6.18a) and  $\Gamma$  extcomncih<sub>I</sub> $\Delta$  (6.18b).

We interpret $\Gamma\ extcomncih_I\ \Delta$ as the communication behavior of the composite of $\Gamma$ and $\Delta$ under *I* at the curly boundary in figure 6.18b.

From property 6.23, "NICIH is symmetric", property 6.25, "totcomncih is symmetric", and definition 6.29, "extcomncih", we infer the symmetry of extcomncih.

## property 6.30 extcomncih is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\Gamma NICIH_I \Delta$ ,

 $\Gamma extcomncih_{I} \Delta = \Delta extcomncih_{I} \Gamma$ 

### end of property

### remark 6.31

Notice that the technique that we use in definition 6.29, "*extcomncih*", is generally applicable when hiding internal communication. Since we only use it once in this monograph we have not chosen to present it as a general technique; we only present the one instantiation of it.

### end of remark

We now hide the internal communication in our running examples by calculating *extcomncih* for them.

### example 6.32

We consider components  $\Gamma_0$  and  $\Delta_0$ , see example 6.15 and example 6.26. From definition 6.29, "*extcomncih*", we derive that

$\Gamma_0\ extcomncih_{\{b\}}\ \Delta_0 = \langle \{a, c\}, \{\varepsilon, c, ca, cac\} \rangle$

Notice that by calculating  $\Gamma_0 extcomncih_{\{b\}}\Delta_0$  we have 'lost' trace cc  $(= cbc \mid (\mathbf{a}\Gamma_0 \div \mathbf{a}\Delta_0))$  on account of definition 6.29(iv), since  $c \in \mathbf{t}(\Gamma_0 \text{ totcomncih}_{\{b\}}\Delta_0)$  and  $cc \notin \mathbf{t}(\Gamma_0 \text{ totcomncih}_{\{b\}}\Delta_0)$ .

In subsection 6.1.3 we will interpret trace structure  $\Gamma_0 extcomncih_{\{b\}}\Delta_0$  in the Communication Model: we will define a component that has this trace structure.

#### end of example
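The construction of definition 6.29, carried out on a finite trace set, as an added example (not code from the thesis). The trace set `TOTCOMNCIH_0` is constructed so that it agrees with what example 6.32 states about $\mathbf{t}(\Gamma_0\ totcomncih_{\{b\}}\ \Delta_0)$ (the traces $c$ and $cbc$ belong to it, $cc$ does not); it is not the thesis's own definition of $\Gamma_0$ and $\Delta_0$. The external alphabet $\{a, c\}$, $extinp = \{c\}$ and $extoutp = \{a\}$ are likewise read off from example 6.32. The block also computes the plain projection, so that the trace $cc$ lost on account of clause (iv) becomes visible.

```python
"""Definition 6.29 ("extcomncih") carried out on a finite trace set.

Added example, not code from the thesis.  Trace sets are finite, prefix-closed
sets of strings over single-character symbols.  TOTCOMNCIH_0 below is a
CONSTRUCTED stand-in for t(Gamma_0 totcomncih_{b} Delta_0): it agrees with what
example 6.32 states (c and cbc are in, cc is not) but is not the thesis's own
definition of Gamma_0 and Delta_0.
"""


def project(t: str, alphabet: set[str]) -> str:
    """t restricted to alphabet: every symbol outside alphabet is dropped."""
    return "".join(s for s in t if s in alphabet)


def plain_projection(traces: set[str], alphabet: set[str]) -> set[str]:
    """Ordinary projection of a trace set: the upper limit mentioned after
    definition 6.29; it ignores computation interference hazard."""
    return {project(t, alphabet) for t in traces}


def extcomncih(totcomncih: set[str], ext_alphabet: set[str],
               ext_inputs: set[str], ext_outputs: set[str]) -> set[str]:
    """t(Gamma extcomncih_I Delta) built from t(Gamma totcomncih_I Delta).

    (ii)  the empty trace is in;
    (iii) for u already in and external output f: uf is in if SOME trace of
          totcomncih projects onto uf (existential quantification);
    (iv)  for u already in and external input g: ug is in if EVERY trace of
          totcomncih that projects onto u can be extended with g (universal
          quantification: the hazard must be absent, not just some instance);
    (v)   nothing else is in, so we compute the least fixpoint of (ii)-(iv).
    """
    assert "" in totcomncih, "a prefix-closed trace set contains the empty trace"
    ext = {""}                                   # clause (ii)
    frontier = [""]
    while frontier:
        u = frontier.pop()
        # traces of the total communication that look like u from the outside
        same_view = [t for t in totcomncih if project(t, ext_alphabet) == u]
        extensions = []
        for f in sorted(ext_outputs):            # clause (iii)
            if any(project(t, ext_alphabet) == u + f for t in totcomncih):
                extensions.append(u + f)
        for g in sorted(ext_inputs):             # clause (iv)
            if all(t + g in totcomncih for t in same_view):
                extensions.append(u + g)
        for v in extensions:
            if v not in ext:
                ext.add(v)
                frontier.append(v)
    return ext


# Constructed stand-in for t(Gamma_0 totcomncih_{b} Delta_0); b is the internal
# symbol, c the external input, a the external output (cf. example 6.32).
TOTCOMNCIH_0 = {"", "c", "cb", "cba", "cbac", "cbc"}
EXT_ALPHABET_0 = {"a", "c"}       # aGamma_0 (symmetric difference) aDelta_0
EXT_INPUTS_0 = {"c"}              # extinp(Gamma_0, Delta_0)
EXT_OUTPUTS_0 = {"a"}             # extoutp(Gamma_0, Delta_0)


def example_6_32() -> set[str]:
    """Trace set of Gamma_0 extcomncih_{b} Delta_0 for the constructed input."""
    return extcomncih(TOTCOMNCIH_0, EXT_ALPHABET_0, EXT_INPUTS_0, EXT_OUTPUTS_0)


def lost_traces() -> set[str]:
    """Traces that plain projection keeps but clause (iv) removes."""
    return plain_projection(TOTCOMNCIH_0, EXT_ALPHABET_0) - example_6_32()


if __name__ == "__main__":
    print(sorted(example_6_32()))   # ['', 'c', 'ca', 'cac']
    print(sorted(lost_traces()))    # ['cc']
```

The universal quantification in clause (iv) is what does the work: after the external trace $c$ the total communication may be in state $c$ or in state $cb$, and since $cc$ is not a trace of the total communication the composite cannot guarantee acceptance of a second $c$, so $cc$ is dropped even though $cbc$ projects onto it.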

#### example 6.33

We consider components $\Gamma_1$ and $\Delta_1$, see example 6.16 and example 6.27. From definition 6.29, "*extcomncih*", we derive that

$$\Gamma_1\ extcomncih_{\{b\}}\ \Delta_1 = \langle \{a, c\}, \{\varepsilon, a, ac\} \rangle$$

## end of example

#### example 6.34

We consider components $\Gamma_2$ and $\Delta_2$, see example 6.17 and example 6.28. From definition 6.29, "extcomncih", we derive trace structure $\Gamma_2\ extcomncih_{\emptyset}\ \Delta_2$, see figure 6.19.



figure 6.19 State graph of trace structure  $\Gamma_2 extcomncih_{\emptyset} \Delta_2$ .

Notice that by calculating  $\Gamma_2 extcomncih_{\emptyset} \Delta_2$  we have 'lost' –among others– trace *abb* on account of definition 6.29(iv), since  $abd \in t(\Gamma_2 totcomncih_{\emptyset} \Delta_2)$ ,  $abdb \notin t(\Gamma_2 totcomncih_{\emptyset} \Delta_2)$ , and  $abb = abdb | (a\Gamma_2 \div a\Delta_2)$ .

### 6.1.3 Composite of two components

The component that is the composite of $\Gamma$ and $\Delta$ under I without computation interference hazard is denoted by $\Gamma\ COMPNCIH_I\ \Delta$, see definition 6.35. At this point "composition" becomes defined in our Communication Model. In our Communication Model we are only interested in composites without computation interference hazard.

## definition 6.35 COMPNCIH

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\Gamma NICIH_I \Delta$ , component  $\Gamma COMPNCIH_I \Delta$  is defined by:

$\mathbf{i}(\Gamma COMPNCIH_I \Delta) \stackrel{\text{def}}{=} extinp(\Gamma, \Delta)$

$\mathbf{o}(\Gamma COMPNCIH_I \Delta) \stackrel{\text{def}}{=} extoutp(\Gamma, \Delta)$

$\mathbf{ptr}(\Gamma COMPNCIH_I \Delta) \stackrel{\text{def}}{=} \Gamma extcomncih_I \Delta$

## end of definition

From property 6.23, "*NICIH* is symmetric", property 6.30, "*extcomncih* is symmetric", and the symmetry of i/o-connectability, extinp, and extoutp, we infer the symmetry of *COMPNCIH*.

## property 6.36 COMPNCIH is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\Gamma NICIH_{I}\Delta$ ,

 $\Gamma COMPNCIH_{I} \Delta = \Delta COMPNCIH_{I} \Gamma$ 

end of property

Although the proof of the associativity of *COMPNCIH* is very long and awkward, there is nothing to be learned from it; for this reason we present property 6.37 without a proof.

## property 6.37 COMPNCIH is associative

For alphabet I and components  $\Gamma$ ,  $\Delta$ , and  $\Theta$  such that each pair of them is i/o-connectable,

(i)  $(\Gamma COMPNCIH_{I}\Delta)NICIH_{I}\Theta = \Gamma NICIH_{I}(\Delta COMPNCIH_{I}\Theta)$ 

(ii)  $(\Gamma COMPNCIH_{I}\Delta) COMPNCIH_{I}\Theta = \Gamma COMPNCIH_{I}(\Delta COMPNCIH_{I}\Theta)$ 

## end of property

In property 6.37 (i) <u>either</u> the left and right hand side both hold <u>or</u> each of them "either is not defined or does not hold". In property 6.37 (ii) <u>either</u> the left and right hand side both are defined <u>or</u> neither is defined; if both are defined then they are equal.

We now are able to interpret the composites that have been constructed in our running examples.

#### example 6.38

We consider components $\Gamma_0$ and $\Delta_0$, see example 6.15 and example 6.32. From definition 6.35, "COMPNCIH", we derive component $\Gamma_0\ COMPNCIH_{\{b\}}\ \Delta_0$, see figure 6.20.



figure 6.20 State graph of component $\Gamma_0 COMPNCIH_{\{b\}} \Delta_0$.

In example 6.15 we have seen that $cc \in \mathbf{t}(\Gamma_0 totcom_{\{b\}}\Delta_0)$ and $cbc \in \mathbf{t}(\Gamma_0 totcom_{\{b\}}\Delta_0)$, whereas $cc \notin \mathbf{t}(\mathbf{ptr}\Delta_0)$, but $cbc \in \mathbf{t}(\mathbf{ptr}\Delta_0)$. Since $cc = cbc \mid \mathbf{a}\Delta_0$, we conclude that absence of computation interference hazard was not dealt with by calculating $\Gamma_0 totcom_{\{b\}}\Delta_0$. After component $\Gamma_0 COMPNCIH_{\{b\}}\Delta_0$ has accepted the commsig to which the first c is associated, it may or may not accept the commsig to which the second c is associated. For this reason, the environment of this composite has to postpone the sending of the latter commsig until it has received the commsig to which a is associated. After component $\Gamma_0 COMPNCIH_{\{b\}}\Delta_0$ has sent the commsig to which a is associated, it accepts the commsig to which the second c is associated.

end of example

#### example 6.39

We consider components $\Gamma_1$ and $\Delta_1$, see example 6.16 and example 6.33. From definition 6.35, "COMPNCIH", we derive component $\Gamma_1\ COMPNCIH_{\{b\}}\ \Delta_1$, see figure 6.21.



figure 6.21 State graph of component $\Gamma_1\ COMPNCIH_{\{b\}}\ \Delta_1$.

In example 6.16 we have seen that $cb \in \mathbf{t}(\Gamma_1 totcom_{\{b\}}\Delta_1)$, whereas $b \notin \mathbf{t}(\mathbf{ptr}\Gamma_1)$. Since $b = cb \mid \mathbf{a}\Gamma_1$, we conclude that absence of computation interference hazard was not dealt with by calculating $\Gamma_1 totcom_{\{b\}}\Delta_1$. We conclude that the environment of the composite $\Gamma_1 COMPNCIH_{\{b\}}\Delta_1$ should not send a commsig to which c is associated until it has received a commsig to which a is associated, since after the sending of the latter commsig it is guaranteed that internally (between $\Gamma_1$ and $\Delta_1$) no computation interference occurs.

In this example hiding the internal communication (alphabet  $\{b\}$ ) has been no problem: a simple projection onto the external alphabet has been sufficient.

#### example 6.40

We consider components $\Gamma_2$ and $\Delta_2$, see example 6.17 and example 6.34. From definition 6.35, "COMPNCIH", we derive component $\Gamma_2\ COMPNCIH_{\emptyset}\ \Delta_2$, see figure 6.22.



figure 6.22 State graph of component  $\Gamma_2 COMPNCIH_{\emptyset}\Delta_2$ .

Component  $\Gamma_2 COMPNCIH_{\emptyset} \Delta_2$  is equal to Ebergen's  $\Gamma_{ncel}$ , see [Ebergen 87]. From example 5.38, we infer that  $DIE(\Gamma_2 COMPNCIH_{\emptyset} \Delta_2) = \Gamma_c$ , cf. example 2.48. From example 5.51, we infer that  $CBDI(\Gamma_2 COMPNCIH_{\emptyset} \Delta_2) = \Gamma_c$ .

### end of example

In property 6.41 we present the unity element of the composition operator *COMPNCIH*.

property 6.41 unity element of COMPNCIH<sub>I</sub>

Given is component  $\Gamma$ . Let component  $\Delta$  be such that  $a\Delta = \emptyset$  and  $t(ptr \Delta) = \{\varepsilon\}$ .

- (i) $\Gamma$ and $\Delta$ are i/o-connectable
- (ii) for alphabet I, $\Gamma NICIH_I \Delta$
- (iii) for alphabet I, $\Gamma COMPNCIH_I \Delta = \Gamma$ and $\Delta COMPNCIH_I \Gamma = \Gamma$

### end of property

We notice that the unity element of  $COMPNCIH_I$  does not depend on alphabet I.

In property 6.42 we give conditions under which the trace structure of the composite of two components is equal to the blend, see definition 1.29, of the trace structures of the two components.

### property 6.42

For i/o-connectable components  $\Gamma$  and  $\Delta$  such that  $cihi_{\emptyset}(\Gamma, \Delta) = \emptyset$  and  $cihi_{\emptyset}(\Delta, \Gamma) = \emptyset$ ,

$\Gamma extcomncih_{\emptyset} \Delta = (\mathbf{ptr}\,\Gamma)\ \mathbf{b}\ (\mathbf{ptr}\,\Delta)$

### end of property

We investigate the distribution of DSE over COMPNCIH. We first look at example 6.43.

### example 6.43

We consider components  $\Gamma_3$  and  $\Delta_3$ ; they are defined by:

 $\mathbf{o}\,\Gamma_3 \stackrel{\text{def}}{=} \{a\,,b\}, \quad \mathbf{i}\,\Gamma_3 \stackrel{\text{def}}{=} \{c\}, \quad \mathbf{t}(\operatorname{ptr}\Gamma_3) \stackrel{\text{def}}{=} \operatorname{pref}\{cab\}, \\ \mathbf{o}\,\Delta_3 \stackrel{\text{def}}{=} \emptyset, \quad \mathbf{i}\,\Delta_3 \stackrel{\text{def}}{=} \{a\,,b\}, \quad \mathbf{t}(\operatorname{ptr}\Delta_3) \stackrel{\text{def}}{=} \operatorname{pref}\{ab\}.$ 

From definition 4.36, "dse", we derive that $\mathbf{t}(dse\Gamma_3) = \{\varepsilon, c, ca, cb, cab, cba\}$ and $\mathbf{t}(dse\Delta_3) = \{\varepsilon, a\}$. From definition 6.22, "NICIH", we derive that $\Gamma_3 NICIH_{\emptyset}\Delta_3$ and $(DSE\Gamma_3)NICIH_{\emptyset}(DSE\Delta_3)$. Using theorem 4.45, "delay-safe enclosure", we infer from definition 6.35, "COMPNCIH", that $\mathbf{ptr}((DSE\Gamma_3)COMPNCIH_{\emptyset}(DSE\Delta_3)) = \langle \{c\}, \{\varepsilon\} \rangle$ and $\mathbf{ptr}(\Gamma_3 COMPNCIH_{\emptyset}\Delta_3) = \langle \{c\}, \{\varepsilon, c\} \rangle$. From definition 4.36, "dse", we derive that $dse(\Gamma_3 COMPNCIH_{\emptyset}\Delta_3) = \langle \{c\}, \{\varepsilon, c\} \rangle$.

end of example

### remark 6.44

From example 6.43 we see that, in general, for i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\Gamma NICIH_I \Delta$ ,

$$DSE(\Gamma COMPNCIH_{I}\Delta) \neq (DSE\Gamma)COMPNCIH_{I}(DSE\Delta)$$

We conclude that, in general, DSE does not distribute over  $COMPNCIH_I$ . A sufficient condition for the distribution of DSE over COMPNCIH is given in the following property.

end of remark

## property 6.45

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ and  $\Gamma NICIH_I \Delta$ ,

$$DSE(\Gamma COMPNCIH_{I}\Delta) = (DSE\Gamma)COMPNCIH_{I}(DSE\Delta)$$

end of property

From trace theory, see [Kaldewaij 86], we know that $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ is the condition that is needed for the distribution of projection over weaving of trace structures, i.e. $((\mathbf{ptr}\,\Gamma)\ \mathbf{w}\ (\mathbf{ptr}\,\Delta))|_I = (\mathbf{ptr}\,\Gamma|_I)\ \mathbf{w}\ (\mathbf{ptr}\,\Delta|_I)$. Analogously to property 6.45 we find property 6.46.
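The distribution of projection over weaving, checked mechanically on finite trace structures, as an added example (not code from the thesis). Weaving and projection are implemented here in their standard trace-theoretic form (the weave consists of the traces over the union alphabet whose projections onto the two alphabets lie in the respective trace sets), which is assumed to coincide with the $\mathbf{w}$ and $|_I$ used above. `GAMMA_3` and `DELTA_3` are the trace structures of example 6.43; the pair `G` and `D` is constructed to show the equality failing when a shared symbol lies outside $I$.

```python
"""Weaving and projection of finite trace structures, and the condition
aGamma ∩ aDelta ⊆ I under which projection onto I distributes over weaving.

Added example, not code from the thesis.  A trace structure is a pair
(alphabet, trace set) with a finite, prefix-closed trace set over
single-character symbols.  GAMMA_3 and DELTA_3 are the trace structures of
example 6.43; G and D are CONSTRUCTED to show the condition failing.
"""

from typing import Iterable

TraceStructure = tuple[frozenset[str], frozenset[str]]


def project(t: str, alphabet: frozenset[str]) -> str:
    """t restricted to alphabet: every symbol outside alphabet is dropped."""
    return "".join(s for s in t if s in alphabet)


def pref(words: Iterable[str]) -> frozenset[str]:
    """Prefix closure of a set of words."""
    return frozenset(w[:k] for w in words for k in range(len(w) + 1))


def structure(alphabet: str, words: Iterable[str]) -> TraceStructure:
    """Trace structure with the given alphabet and prefix-closed trace set."""
    return frozenset(alphabet), pref(words)


def weave(x: TraceStructure, y: TraceStructure) -> TraceStructure:
    """x w y: traces over the union alphabet whose projections onto the two
    alphabets lie in the respective trace sets.  Both trace sets are
    prefix-closed, so the weave is grown symbol by symbol from the empty trace."""
    ax, tx = x
    ay, ty = y
    alphabet = ax | ay
    traces = {""}
    frontier = [""]
    while frontier:
        t = frontier.pop()
        for s in alphabet:
            v = t + s
            if v not in traces and project(v, ax) in tx and project(v, ay) in ty:
                traces.add(v)
                frontier.append(v)
    return frozenset(alphabet), frozenset(traces)


def restrict(x: TraceStructure, alphabet: frozenset[str]) -> TraceStructure:
    """x projected onto alphabet (written x|I in the text)."""
    ax, tx = x
    return ax & alphabet, frozenset(project(t, alphabet) for t in tx)


def projection_distributes(x: TraceStructure, y: TraceStructure,
                           i: frozenset[str]) -> bool:
    """Does ((x w y)|I) equal ((x|I) w (y|I))?"""
    return restrict(weave(x, y), i) == weave(restrict(x, i), restrict(y, i))


# Example 6.43: a and b are shared, c belongs to Gamma_3 only.
GAMMA_3 = structure("abc", ["cab"])
DELTA_3 = structure("ab", ["ab"])

# Constructed pair that insists on opposite orders of the shared symbols,
# so their weave contains only the empty trace.
G = structure("ab", ["ab"])
D = structure("ab", ["ba"])


def demo() -> dict[str, bool]:
    """Distribution checks for I containing, and I missing, a shared symbol."""
    return {
        # shared symbols {a, b} inside I: distribution holds
        "gamma3_delta3_I=ab": projection_distributes(GAMMA_3, DELTA_3, frozenset("ab")),
        "G_D_I=ab": projection_distributes(G, D, frozenset("ab")),
        # shared symbol b outside I: (G w D)|I is {eps} but (G|I) w (D|I) is {eps, a}
        "G_D_I=a": projection_distributes(G, D, frozenset("a")),
    }


if __name__ == "__main__":
    print(sorted(weave(GAMMA_3, DELTA_3)[1]))   # ['', 'c', 'ca', 'cab']
    print(demo())
```

Projecting first throws away the information that $G$ and $D$ disagree on the order of $a$ and $b$; weaving first keeps it. Requiring every shared symbol to be in $I$ rules this situation out, which is why the same condition $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ reappears in properties 6.45, 6.46, 6.58 and 6.59.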

## property 6.46

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ and  $\Gamma NICIH_I \Delta$ ,

 $CBDS(\Gamma COMPNCIH_{I}\Delta) = (CBDS\Gamma)COMPNCIH_{I}(CBDS\Delta)$ 

end of property

### 6.1.4 Examples

In example 6.47 we show that computation interference hazard may be absent in the composite of components that have a mixed connection, whereas it is present in the composite of these components when they have an indirect connection.

#### example 6.47

We consider components  $\Gamma_4$  and  $\Delta_4$ ; they are defined by:

$$\mathbf{o}\Gamma_{4} \stackrel{\text{def}}{=} \{a, b\}, \quad \mathbf{i}\Gamma_{4} \stackrel{\text{def}}{=} \{c, d\}, \quad \mathbf{t}(\mathbf{ptr}\Gamma_{4}) \stackrel{\text{def}}{=} \mathbf{pref}\{bad\}, \\ \mathbf{o}\Delta_{4} \stackrel{\text{def}}{=} \{c, d\}, \quad \mathbf{i}\Delta_{4} \stackrel{\text{def}}{=} \{a, b\}, \quad \mathbf{t}(\mathbf{ptr}\Delta_{4}) \stackrel{\text{def}}{=} \mathbf{pref}\{abc, bad\}.$$

We consider the composition of  $\Gamma_4$  and  $\Delta_4$  when they have an <u>indirect</u> connection, see figure 6.23.



figure 6.23 Indirect connection of components  $\Gamma_4$  and  $\Delta_4$ .

We infer that  $\Gamma_4$  totcom $_{\{a,b,c,d\}}\Delta_4 = \operatorname{pref} \{abc, abd, bac, bad\}$  from definition 6.11, "totcom". Using definition 6.18, "cihi", we find that  $\operatorname{cihi}_{\{a,b,c,d\}}(\Gamma_4, \Delta_4) = \emptyset$  and  $\operatorname{cihi}_{\{a,b,c,d\}}(\Delta_4, \Gamma_4) = \{abc, bac\}$ . From definition 6.22, "NICIH", we derive that  $\neg(\Gamma_4 \operatorname{NICIH}_{\{a,b,c,d\}}\Delta_4)$ .

We now consider the composition of  $\Gamma_4$  and  $\Delta_4$  when they have a <u>mixed</u> connection, see figure 6.24.



figure 6.24 Mixed connection of components $\Gamma_4$ and $\Delta_4$.

Now, we infer that  $\Gamma_4 totcom_{\{a,c,d\}} \Delta_4 = pref \{bad\}$ . Furthermore, we find that  $cihi_{\{a,c,d\}}(\Gamma_4, \Delta_4) = \emptyset$  and also  $cihi_{\{a,c,d\}}(\Delta_4, \Gamma_4) = \emptyset$ . As a consequence, we conclude that  $\Gamma_4 NICIH_{\{a,c,d\}} \Delta_4$ . From definition 6.22, "NICIH", using property 1.42 we derive that  $t(\Gamma_4 totcomncih_{\{a,c,d\}} \Delta_4) = pref \{bad\}$ .

We conclude that the problem with computation interference hazard in the composition with the indirect connection is not present in the composition with the mixed connection. Furthermore, we notice that it hasn't been necessary to confine the connection of  $\Gamma_4$  and  $\Delta_4$  to be direct. Only the commports to which b is associated are directly connected, all other commports are indirectly connected.

#### end of example

In example 6.48 we show that, depending on the particular bipartition of the universe  $\Omega$  into *I* and *D*, we may end up with different composites.

### example 6.48

We consider components  $\Gamma_5$  and  $\Delta_5$ , see figure 6.25.



figure 6.25a figure 6.25b State graphs of components $\Gamma_5$ (figure 6.25a) and $\Delta_5$ (figure 6.25b).

We now study the composite of these two components in the four different ways to connect them.

- Let  $\Gamma_5$  and  $\Delta_5$  have a direct connection. We find that  $t(ptr(\Gamma_5 COMPNCIH_{\emptyset}\Delta_5)) = pref \{abef, bafe\}.$
- Let  $\Gamma_5$  and  $\Delta_5$  have a mixed connection such that the commports to which c is associated are <u>indirectly</u> connected and the commports to which d is associated are directly connected. We find that  $t(ptr(\Gamma_5 COMPNCIH_{\{c\}}\Delta_5)) = pref \{abef, abfe, bafe\}.$
- Let  $\Gamma_5$  and  $\Delta_5$  have a mixed connection such that the commports to which c is associated are directly connected and the commports to which d is associated are <u>indirectly</u> connected. We find that  $t(ptr(\Gamma_5 COMPNCIH_{\{d\}}\Delta_5)) = pref \{abef, baef, bafe\}.$
- Let $\Gamma_5$ and $\Delta_5$ have an indirect connection. We find that $\mathbf{t}(\mathbf{ptr}(\Gamma_5 COMPNCIH_{\{c,d\}}\Delta_5)) = \mathbf{pref}\{abef, abfe, baef, bafe\}$.

We conclude that the condition for composition, viz. $\Gamma_5 NICIH_I \Delta_5$ (see definition 6.35, "COMPNCIH"), is satisfied in all four cases (for the appropriate alphabet *I*, of course). The composite depends on the particular alphabet *I*.

end of example

### 6.1.5 Interpretation of the composition method

In the beginning of section 6.1 we have stated that the composite of two components is the result of the composition of these components that, under the given correctness concerns, is maximal with respect to both the inputs that are guaranteed to be accepted by it and the outputs that might be produced by it. In this section we have been concerned with only one correctness concern, viz. "absence of computation interference hazard". The maximality of the composite *COMPNCIH* under absence of computation interference hazard follows from the way in which we have combined the trace structures of the two components in definition 6.11, "totcom", from the subsequent deletion of only those traces that give rise to computation interference hazard in definition 6.24, "totcomncih", and from the hiding in definition 6.29, "extcomncih", such that no computation interference hazard is present in the resulting composite.

## 6.2 Composition without transmission interference hazard

In this section we deal, in addition to absence of computation interference hazard, with the correctness concern *absence of transmission interference hazard*.

### 6.2.0 Transformation into computation interference hazard

We deal with the additional correctness concern absence of transmission interference hazard by transforming it into computation interference hazard, see section 3.3. In order to apply this technique we have to define trace set(s) that model "transmission interference hazard". For this reason we define tihi.

definition 6.49 tihi

For component  $\Gamma$  and alphabet A, we define trace set tihi<sub>A</sub>  $\Gamma$  by:

tihi<sub>A</sub>  $\Gamma \stackrel{\text{def}}{=} \{a, s : a \in (i\Gamma \cap A) \land s \in (a\Gamma)^* \land saa \in t\Gamma : saa\}$ 

end of definition

By $tihi_{I \cap \mathbf{o}\Delta}\Gamma$, see definition 6.49, we denote the trace set that is associated with transmission interference hazard between the indirectly connected input commports of component $\Gamma$ and their matching output commports of component $\Delta$; the symbols of $\mathbf{i}\Gamma \cap \mathbf{o}\Delta \cap I$ are associated with these commports. We transform transmission interference hazard into computation interference hazard by reducing $\mathbf{ptr}\,\Gamma$ to $\mathbf{ptr}(CBNTIHI_A\Gamma)$.

definition 6.50 CBNTIHI

For component $\Gamma$ and alphabet A, component $CBNTIHI_A\Gamma$ is defined by:

$\mathbf{io}(CBNTIHI_A\Gamma) \stackrel{\text{def}}{=} \mathbf{io}\,\Gamma$

$\mathbf{ptr}(CBNTIHI_A\Gamma) \stackrel{\text{def}}{=} redts(\mathbf{ptr}\,\Gamma, \mathbf{i}\Gamma, tihi_A\Gamma)$

end of definition

### 6.2.1 Condition for composition

From definition 6.22, "*NICIH*", we infer condition  $\Gamma NICTIH_I \Delta$  for the definition of  $\Gamma COMPNCTIH_I \Delta$ .

### definition 6.51 NICTIH

For i/o-connectable components $\Gamma$ and $\Delta$ and alphabet *I*, we define predicate $\Gamma\ NICTIH_I\ \Delta$ by:

$$\Gamma NICTIH_{I} \Delta \stackrel{\text{def}}{=} (CBNTIHI_{I \cap \mathbf{o}\Delta} \Gamma)\ NICIH_{I}\ (CBNTIHI_{I \cap \mathbf{o}\Gamma} \Delta)$$

end of definition

The condition  $\Gamma NICTIH_I \Delta$  is sufficient on account of definition 6.22. Furthermore, if i/o-connectable components  $\Gamma$  and  $\Delta$  can be connected under alphabet *I* with *no initial computation and no initial transmission interference hazard*, it has to be satisfied.

From property 6.23, "NICIH is symmetric", we infer the symmetry of NICTIH.

property 6.52 NICTIH is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I,

 $\Gamma NICTIH_{I} \Delta = \Delta NICTIH_{I} \Gamma$ 

end of property

### 6.2.2 Composite of two components

The component, that is the composite of  $\Gamma$  and  $\Delta$  under I without computation interference hazard and without transmission interference hazard, is denoted by  $\Gamma COMPNCTIH_{I}\Delta$ .

### definition 6.53 COMPNCTIH

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\Gamma NICTIH_{I}\Delta$ , component  $\Gamma COMPNCTIH_{I}\Delta$  is defined by:

$\Gamma COMPNCTIH_{I} \Delta \stackrel{\text{def}}{=} (CBNTIHI_{I \cap \mathbf{o}\Delta} \Gamma)\ COMPNCIH_{I}\ (CBNTIHI_{I \cap \mathbf{o}\Gamma} \Delta)$

end of definition

From property 6.36, "COMPNCIH is symmetric", property 6.52, "NICTIH is symmetric", and definition 6.53, "COMPNCTIH", we infer the symmetry of COMPNCTIH.

### property 6.54 COMPNCTIH is symmetric

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet I such that  $\Gamma NICTIH_{I}\Delta$ ,

$$\Gamma COMPNCTIH_{I}\Delta = \Delta COMPNCTIH_{I}\Gamma$$

### end of property

From property 6.37, "COMPNCIH is associative", definition 6.51, "NICTIH", and definition 6.53, "COMPNCTIH", we infer property 6.55.

### property 6.55 COMPNCTIH is associative

For alphabet I and components  $\Gamma$ ,  $\Delta$ , and  $\Theta$  such that each pair of them is i/o-connectable,

(i)  $(\Gamma COMPNCTIH_{I} \Delta) NICTIH_{I} \Theta = \Gamma NICTIH_{I} (\Delta COMPNCTIH_{I} \Theta)$ 

(ii) $(\Gamma COMPNCTIH_{I}\Delta) COMPNCTIH_{I}\Theta = \Gamma COMPNCTIH_{I}(\Delta COMPNCTIH_{I}\Theta)$

end of property

As in property 6.37, in property 6.55 (i) <u>either</u> the left and right hand side both hold <u>or</u> each of them "either is not defined or does not hold". In property 6.55 (ii) <u>either</u> the left and right hand side both are defined <u>or</u> neither is defined; if both are defined then they are equal.

In example 6.56 we illustrate composition without transmission interference hazard.

#### example 6.56

We consider components  $\Gamma_6$  and  $\Delta_6$ , see figure 6.26.



figure 6.26a figure 6.26b State graphs of components  $\Gamma_6$  (figure 6.26a) and  $\Delta_6$  (figure 6.26b).

We are interested in component $\Gamma_6 COMPNCTIH_{\{b\}}\Delta_6$. From definition 6.53, "COMPNCTIH", we infer that we have to calculate $CBNTIHI_{\{b\} \cap \mathbf{o}\Delta_6}\Gamma_6$ and $CBNTIHI_{\{b\} \cap \mathbf{o}\Gamma_6}\Delta_6$. Since $b \notin \mathbf{o}\Delta_6$ and $b \in \mathbf{o}\Gamma_6$, this amounts to computing $CBNTIHI_{\emptyset}\Gamma_6$ and $CBNTIHI_{\{b\}}\Delta_6$. From definition 6.50, "CBNTIHI", we infer that we have to calculate $tihi_{\emptyset}\Gamma_6$ and $tihi_{\{b\}}\Delta_6$. From definition 6.49, "tihi", we conclude that $tihi_{\emptyset}\Gamma_6 = \emptyset$ and $tihi_{\{b\}}\Delta_6 = \{bb\}$. Since $\Gamma_6 NICTIH_{\{b\}}\Delta_6$, cf. definition 6.51, "NICTIH", we can calculate component $\Gamma_6 COMPNCTIH_{\{b\}}\Delta_6$, see figure 6.27a.



figure 6.27a figure 6.27b State graphs of components $\Gamma_6\ COMPNCTIH_{\{b\}}\ \Delta_6$ (6.27a) and $\Gamma_6\ COMPNCIH_{\{b\}}\ \Delta_6$ (6.27b).

To show the difference with the composite when absence of transmission interference is <u>not</u> a correctness concern, we show the state graph of component  $\Gamma_6 COMPNCIH_{\{b\}}\Delta_6$  in figure 6.27b.

### end of example


In property 6.57 we present the unity element of the composition operator COMPNCTIH.

### property 6.57 unity element of COMPNCTIH<sub>I</sub>

Given is component $\Gamma$. Let component $\Delta$ be such that $\mathbf{a}\Delta = \emptyset$ and $\mathbf{t}(\mathbf{ptr}\,\Delta) = \{\varepsilon\}$.

- (i)  $\Gamma$  and  $\Delta$  are i/o-connectable
- (ii) for alphabet I,  $\Gamma NICTIH_I \Delta$
- (iii) for alphabet I,  $\Gamma COMPNCTIH_{I}\Delta = \Gamma$

### end of property

The unity element of  $COMPNCTIH_I$  is equal to the unity element of  $COMPNCIH_I$ , cf. property 6.41. As a consequence, it does not depend on alphabet *I*.

Analogously to property 6.45 we find property 6.58.

### property 6.58

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ and  $\Gamma NICTIH_I \Delta$ ,

$$DIE(\Gamma COMPNCTIH_{I}\Delta) = (DIE\Gamma)COMPNCTIH_{I}(DIE\Delta)$$

### end of property

Analogously to property 6.46 we find property 6.59.

### property 6.59

For i/o-connectable components  $\Gamma$  and  $\Delta$  and alphabet *I* such that  $\mathbf{a}\Gamma \cap \mathbf{a}\Delta \subseteq I$ and  $\Gamma NICTIH_I \Delta$ ,

$$CBDI(\Gamma COMPNCTIH_{I}\Delta) = (CBDI\,\Gamma)COMPNCTIH_{I}(CBDI\,\Delta)$$

### end of property

## 6.3 Decomposition

When we discuss decomposition we are motivated by concerns about the implementation of specifications. The decomposition problem that we address is known as *factorization*, cf. [Fang 87]: in this technique a specification  $\Gamma_S$  and a (desired) part  $\Gamma_M$  of a solution of this specification are given; the problem amounts to calculating the specification  $\Gamma_X$  of the remainder, whenever under the given correctness concerns such a remainder exists. Of course, the task of calculating  $\Gamma_X$  has to be accomplished under the given correctness concerns. In this monograph we are concerned with the correctness concerns "absence of computation interference hazard" and "absence of transmission interference hazard". Both correctness concerns are symmetric w.r.t. the specification ( $\Gamma_S$ ) and all parts of the solution. Due to this symmetry factorization is equal to composition. We notice that factorization is concerned with the closed composition of three parts, see figure 6.28.



figure 6.28 Factorization of  $\Gamma_{S}$  into  $\Gamma_{M}$  and  $\Gamma_{X}$ .

When factorizing  $\Gamma_S$  into  $\Gamma_M$  and  $\Gamma_X$ , we deal with a mixed connection between  $\Gamma_S$  and  $\Gamma_M$ . The connection between on the one hand the composite of  $\Gamma_S$  and  $\Gamma_M$  and on the other hand  $\Gamma_X$  is direct; a possible indirect or mixed connection between this composite and  $\Gamma_X$  is left to the next step(s) in the factorization.

In our Communication Model we calculate the specification of the remainder mentioned above by composing $\Gamma_S$ with $\Gamma_M$. The specification $\Gamma_X$ of the remainder is the reflection of this composite. As mentioned in section 6.1 this composite is maximal w.r.t. outputs that might be produced and maximal w.r.t. inputs that are guaranteed to be accepted. Since absence of computation interference hazard is a correctness concern, the specification of the remainder, which is the reflection of the composite calculated in this way, is maximal w.r.t. the inputs that it has to accept and maximal w.r.t. the outputs that it might produce.

The following examples have been shown by Ebergen, cf. [Ebergen 87]. In example 6.60 we show the decomposition of a wire component into two wire components. In spite of our notational convention we will use  $\Gamma$ ,  $\Delta$ , and  $\Theta$  to denote components in these examples.

### example 6.60

We consider components  $\Gamma_7$ ,  $\Delta_7$ , and  $\Theta_7$ ; all three model wire elements, cf. example 2.47; they are given by:

$$\mathbf{o}\Gamma_7 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i}\Gamma_7 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{t}(\mathbf{ptr}\Gamma_7) \stackrel{\text{def}}{=} \mathbf{pref}\{ab\}, \\ \mathbf{o}\Delta_7 \stackrel{\text{def}}{=} \{c\}, \quad \mathbf{i}\Delta_7 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{t}(\mathbf{ptr}\Delta_7) \stackrel{\text{def}}{=} \mathbf{pref}\{ac\}, \\ \mathbf{o}\Theta_7 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i}\Theta_7 \stackrel{\text{def}}{=} \{c\}, \quad \mathbf{t}(\mathbf{ptr}\Theta_7) \stackrel{\text{def}}{=} \mathbf{pref}\{cb\}.$$

Since  $\Gamma_7 = (\Delta_7 COMPNCIH_{\emptyset} \Theta_7)$ , we conclude that  $\Gamma_7$  can be decomposed into  $\Delta_7$  and  $\Theta_7$  such that the connection of  $\Delta_7$  and  $\Theta_7$  is direct and there is absence of computation interference hazard, see figure 6.29.



figure 6.29 Decomposition of wire component into two wire components.

Notice that also $\Gamma_7 = (\Delta_7 COMPNCIH_{\{c\}} \Theta_7)$, and that $\Gamma_7 = (\Delta_7 COMPNCTIH_{\{c\}} \Theta_7)$.

end of example

In example 6.61 we show the decomposition of a wire component that models a wire element into components that model a fork element and a Muller-C element.

### example 6.61

We consider components  $\Gamma_8$ ,  $\Delta_8$ , and  $\Theta_8$ ;  $\Gamma_8$  models a wire element, see example 2.47,  $\Delta_8$  models a fork element, see example 2.49, and  $\Theta_8$  models a Muller-C element, see example 2.48; they are given by:

$$\mathbf{o}\Gamma_8 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i}\Gamma_8 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{t}(\mathbf{ptr}\Gamma_8) \stackrel{\text{def}}{=} \mathbf{pref}(\{ab\}^{*}), \\ \mathbf{o}\Delta_8 \stackrel{\text{def}}{=} \{c, d\}, \quad \mathbf{i}\Delta_8 \stackrel{\text{def}}{=} \{a\}, \quad \mathbf{t}(\mathbf{ptr}\Delta_8) \stackrel{\text{def}}{=} \mathbf{pref}(\{acd, adc\}^{*}), \\ \mathbf{o}\Theta_8 \stackrel{\text{def}}{=} \{b\}, \quad \mathbf{i}\Theta_8 \stackrel{\text{def}}{=} \{c, d\}, \quad \mathbf{t}(\mathbf{ptr}\Theta_8) \stackrel{\text{def}}{=} \mathbf{pref}(\{cdb, dcb\}^{*}).$$

Since  $\Gamma_8 = (\Delta_8 COMPNCIH_{\emptyset} \Theta_8)$ , we conclude that  $\Gamma_8$  can be decomposed into  $\Delta_8$  and  $\Theta_8$  such that the connection of  $\Delta_8$  and  $\Theta_8$  is direct and there is absence of computation interference hazard, see figure 6.30.



figure 6.30 Decomposition of wire component into fork component and Muller-C component.

Notice that also $\Gamma_8 = (\Delta_8 COMPNCIH_{\{c\}} \Theta_8)$, and that $\Gamma_8 = (\Delta_8 COMPNCTIH_{\{c\}} \Theta_8)$.

end of example

## 6.4 Other correctness concerns

The method for constructing the composite of components presented in this chapter is also suited to deal with other correctness concerns. E.g. we can deal with "absence of ambiguous quiescence hazard", cf. subsection 3.3.1.0, instead of or in addition to "absence of transmission interference hazard".

# 7 Concluding remarks

In chapter 2 we have introduced our Communication Model as a formal abstraction of 'the underlying physics'. In this model we distinguish direct, indirect, and mixed connections of components. Furthermore, we deal with interpretational issues like inputs and outputs in this model; by doing so, we do not saddle the trace theory formalism with this burden. Trace theory is a formalism that is used in several ways in our Communication Model. Furthermore, we believe that the presence of a Communication Model has enabled us to pinpoint the abstraction from module to component, see subsection 2.2.3. We also carefully distinguish between the communication behavior of components and the communication of a channel between them.

In section 3.3 we presented a technique that transforms "undesired phenomenon hazards" into "computation interference hazard". We showed some applications of this technique in the subsequent chapters. The example of the application of this technique in which we deal with the correctness concern "absence of ambiguous quiescence hazard", see subsection 3.3.1, indicates that many correctness concerns (even some liveness properties) can be incorporated in our Communication Model in this way. This transformation technique is also the basis for the composition operators defined in chapter 6, where it suggests a way to define new composition operators. Composition operators for mixed connections of components are helpful tools to compare and combine synchronous and asynchronous design methods.

We have formally defined absence of computation interference hazard in chapters 3 and 4 (for direct and indirect connections of components, respectively). Absence of computation interference hazard is the basic correctness concern in this monograph. The distinction between the reception and the acceptance of a signal provides the context that is needed for the discussion of computation interference hazard.

In chapter 4 we have addressed delay-safety. We do not talk about 'delay-safe circuits': delay-safety is not a property of a physical circuit. At the circuit level delay-safety is just an assumption, viz. the value of the delay of a signal that is sent from one terminal via a wire to another terminal is nonnegative. Of course, we could try to define the predicate "delay-safe" for circuits; this would amount to something like: "the correctness of the functioning of the circuit does not depend on the values of the delays in the wires of the circuit". Notice that the functioning of the circuit may depend on the values of these delays: e.g., depending on the values of the delays the circuit may behave in a different (but correct!) way. In order to define this predicate "delay-safe", however, one does not only need a circuit, but also a description of the correctness of its functioning and a method to check whether this correctness does or does not depend on the values of the delays in the wires of the circuit.

In chapters 4 and 5 we present theorems that link in our Communication Model the constructive definitions of trace structures dse, cbds, die, and cbdi, to the intuitive definitions of components DSE, CBDS, DIE, and CBDI, respectively. These are tools that help a designer to decide whether he wants to use delay-safe (or delay-insensitive) communication or not, since they can be used to indicate the limitations of delay-safe and delay-insensitive communication, see subsection 4.2.5 and subsection 5.1.1, respectively. In these subsections we address so-called 'off-the-shelf' mechanisms, cf. [Molnar 85].

In the context of delay-safe communication we present in chapter 5 an intuitive definition of "absence of transmission interference hazard". We show, furthermore, that "delay-insensitive communication" is equal to "delay-safe communication without transmission interference hazard".

In chapter 6 we address composition. There we deal with the general case: mixed connections of components. We generalize composability to "general composability"; we also present a generalization of "composability diagrams", viz. "general composability diagrams". General composability diagrams can be used to check readily whether two traces are generally composable under some given iobip or not. In this chapter we present necessary and sufficient conditions for composition in two cases: (i) under the correctness concern absence of computation interference hazard, and (ii) under the correctness concerns absence of computation interference hazard and absence of transmission interference hazard. Furthermore, we address factorization in this chapter. Factorization is the decomposition problem, in which the specification and a part of the desired solution are given and the remainder has to be calculated. Factorization is equal to composition if and only if all correctness concerns are symmetric w.r.t. the specification and all parts of the solution.

### 7.0 Formal definitions of delay-insensitive

In this section we present some links between the pieces of research that have been carried out within the field "delay-insensitivity". Furthermore, we show relations between our work and the work of other researchers.

#### 7.0.0 Relation between self-timed and delay-insensitive

The class of self-timed circuits has been introduced by Seitz, see [Seitz 80]. He distinguishes time geometry, i.e. time metric, and time topology, i.e. a partial order on the occurrences of events. The relation between the time metric and the time topology is <u>inside</u> the self-timed elements. Self-timed elements either are synchronous systems with an internal clock that can be stopped synchronously and restarted asynchronously or they are speed-independent circuits. The design of self-timed circuits has two principal facets: the design of elements and the design of systems of interconnected elements. Along the seam between those subjects are conventions for self-timed signaling. Equipotential regions have been introduced in order to try to assure consistent physical meaning for the relations that hold within them; it is necessary that a self-timed element is contained in at least one equipotential region; the set of equipotential regions covers all of the elements of the self-timed system.

Seitz argues that a strict protocol of signaling conventions has to be imposed throughout the system in order to deal with the complexity of the design, see [Seitz 80]. Two-phase handshaking and four-phase handshaking are such protocols. Van de Snepscheut has given a theoretical foundation, see [Van de Snepscheut 85]. He defines the "agglutinate", which really is the same operator as the composition operator "©" which we presented in [Schols 85]; the only difference is that van de Snepscheut was concerned with the external communication behavior of the composition, whereas we were interested in the internal communication. Van de Snepscheut detects computation interference hazard. His delay-insensitive communication is more restrictive than ours; our composition operator COMPNCIH, see chapter 6, is a generalization of his agglutinate. Building on van de Snepscheut's foundation, Martin shows how a compilation can be performed from a specification to a self-timed circuit in which four-phase handshaking is used for the communication between elements that are not in the same equipotential region, see [Martin 85b, Martin 86, Martin 87]. Among the most significant results of Martin's group is the design of an asynchronous microprocessor, see [Martin-Burns-Lee-Borkovic-Hazewindus 89]. The specification language from which Martin starts his compilation is CSP extended with the communication primitive "probe", see [Martin 85a]. A detailed overview of Martin's method is given in [Martin 90].

We have suggested an alternative approach to Martin's method using invariants. This has been formalized by Langenberg, see [Langenberg92]. Langenberg also addresses *overspecification* in this context. De Graaff has suggested a design method that is somewhat similar to Martin's method, see [de Graaff86]. De Graaff introduces the distinction between the acceptance/reception of a signal by a mechanism and the 'observation' of that signal by this mechanism. Based upon Martin's approach, van Berkel has developed a decomposition method that leads to 'delay-insensitive circuits', see [van Berkel92]. In the graduate student project VOC at Eindhoven University of Technology methods for designing 'delay-insensitive circuits' are investigated and developed, see [Bisseling-Eemers-Kamps-Peeters90]; the ultimate goal is to build a silicon compiler for translating parallel computations into 'delay-insensitive VLSI circuits'.

#### 7.0.1 Modular approach to delay-insensitivity

Keller, see [Keller74], defines a "delay-insensitive network" as follows:

A network is called *delay-insensitive* if its external behavior remains unchanged, regardless of whether any number of delay elements are inserted into, or removed from any lines.

In the approach in this monograph we do not require the external behavior to remain unchanged, regardless of the amount of delay in such lines. We allow the external behavior to change, as long as it remains correct w.r.t. its specification; here, the environment plays an important role, see section 6.0. Furthermore, Keller's definition suggests that the delay along such a line is fixed, although unknown; in the approaches mentioned below, the delay constraint has been strengthened to allow values of the delays in a given line to be distinct. Keller's definition refers to delays in "any lines". When such a constraint is imposed rigorously on all parts of the circuit, it results in a very restricted class of delay-insensitive networks, see [Seger 88]. This constraint is weakened in the approaches mentioned below to delays in the lines that connect so-called modules: lines inside these modules are not being considered for inserting such delay elements.

Molnar has introduced the "Foam Rubber Wrapper metaphor", see [Molnar-Fang-Rosenberger85]. With respect to the communication in the channel, it assumes that the values of the delays of the commsigs are nonnegative. With respect to the communication behavior of components, it assumes that there is no computation interference hazard, see [Schols88]. Based upon this intuitive notion three formalizations of delay-insensitivity arose, see [Udding84, Schols85, Black86]. Furthermore, this notion inspired Verhoeff, Ebergen, and Dill to define delay-insensitivity formally, see [Verhoeff85, Ebergen87, Dill88].

Udding has classified 'delay-insensitive circuits', see [Udding 84]. The smallest class is called the "synchronization class". No data communication is possible in this class, since no choice can be made: the only way to disable a communication action is to let it take place. The second class is called the "data communication class". In this class choice between inputs is allowed; this enables data communication. The communication in this class depends on the role of inputs and outputs; interchanging inputs and outputs yields, in general, a circuit that is not in the data communication class. The 'regular circuits' in this class are considered to be synthesizable. Next comes the "arbitration class". This class contains nondeterministic behavior: in addition to choice between inputs, choice between outputs is allowed in this class. The greatest class is called the "delay-insensitive class"; it is also called  $C_4$ . The synchronization class is a subset of the data communication class. The latter is a subset of the arbitration class which, in turn, is a subset of the delay-insensitive class. Except for the arbitration class, all classes are closed under composition, see [Verhoeff 85]. Udding's classes cannot be used to classify the communication behaviors of components that communicate delay-insensitively: such a communication behavior need not belong to the delay-insensitive class, see CBDI in subsection 5.1.0.3. These classes, except for the data communication class, can be used to classify the communication in delay-insensitive channels, cf. section 6.0. The data communication class is not suited to this purpose, since it has been defined asymmetrically w.r.t. the two parts of the alphbip; these two parts are called input and output in [Udding84]. 
Udding's classes can be used to classify components, say  $\Gamma$ , according to the communication in the channel between  $\Gamma$ and its maximal partner, when they communicate delay-insensitively, see subsection 5.1.0.1. Udding's classes can be interpreted at the boundary between DIE  $\Gamma$  and DIE  $\Delta$  in figure 7.0.



figure 7.0 Components  $\Gamma$  and  $\Delta$  and their delay-insensitive enclosures.

We have eliminated the correctness concern "absence of transmission interference hazard" from the conditions imposed on Udding's delay-insensitive class, see [Schols85]. Verhoeff has eliminated this correctness concern from the conditions imposed on all four classes, see [Verhoeff85]; this yields the classes  $D_1$  through  $D_4$  ( $D_4$ , see subsection 4.1.0, being the largest of the four). These classes can be interpreted at the boundary between DSE  $\Gamma$  and DSE  $\Delta$  in figure 7.1, see subsection 5.2.3.



figure 7.1 Components  $\Gamma$  and  $\Delta$  and their delay-safe enclosures.

Verhoeff has shown which protocols are suited for delay-insensitive data communication, see [Verhoeff 88].

#### 7.0.2 Delay-safety and delay-insensitivity

We have previously defined a composition operator that can be used to check delay-safety and also to calculate the smallest delay-safe communication that includes the original communication, see [Schols85]. We have proven that delay-safety can be separated from "absence of transmission interference hazard", see [Schols85, Verhoeff-Schols85]. We show this separation of concerns in [Schols88]. "Delay-safe communication without transmission interference hazard" is called "delay-insensitive communication", see chapter 5. In this monograph we apply our earlier results, see [Schols85], to communication in channels; we discuss the impact of these results on the communication behaviors of components. Furthermore, we address composition in this monograph.

Black uses infinite trace theory, i.e. he allows for traces of infinite length, see [Black 86]. He extends our earlier definition of delay-safety using infinite trace theory. Furthermore, he deals explicitly with the 'capacity' of the "links", which form the connection between indirectly connected commports.

Verhoeff has introduced a Delay-demon, that models the non-negativity of the delays in the "links" in the channels, see [Verhoeff85]. Like Udding, Verhoeff is concerned with the communication behavior of components; he also distinguishes four classes. He does not, however, include "absence of transmission interference hazard" in the definitions of his classes. He deals separately with the 'capacity' of the "links" in the channels.

Ebergen has defined Wire components, see [Ebergen 87]. He does not distinguish the "links" in the channels from the other components; in his approach transmission interference hazard is a special case of computation interference hazard, viz. at the inputs to the Wire components. Ebergen defines his Wire components in such a way that they have a 'capacity' of <u>one</u> commsig. Furthermore, Ebergen has defined a decomposition method for the translation of specifications (in particular: programs) into 'delay-insensitive circuits', see [Ebergen 87]. [Ebergen 88] is a good introduction to Ebergen's method. The decomposition problem has also been attacked by Fang; he addresses "factorization" in [Fang 87], see also section 6.3.

Dill defines delay-safety for CSP-like processes. His processes are quadruples: input alphabet, output alphabet, set of successful traces, set of failure traces. The set of successful traces and the set of failure traces need not be disjoint.

Josephs and Udding have developed an "algebra for delay-insensitive circuits", see [Josephs-Udding 89] and [Josephs-Udding 90]. Their approach is based upon CSP. Their formalism is such that every specification that is syntactically correct is 'delay-insensitive'. On the one hand this is convenient when one wants to end up with a 'delay-insensitive specification'; on the other hand, it is difficult to express in their formalism the functionality that one desires. Of course, arguing about delay-insensitivity is not possible (nor necessary) within their formal framework.

If we disregard transmission interference hazard, all of the above formalizations are equivalent. Although the definitions of the formalizations differ very much in form, none makes it easy to prove by hand that a particular communication is delay-insensitive. They can more easily be used to show that a particular communication is not delay-insensitive: find a case and show that it does not satisfy the requirements for delay-insensitivity.

#### 7.0.3 Fairness and delay-insensitivity

In the past much discussion has gone on concerning the question whether delay-insensitive fair arbitration is possible or not. People interested in building arbiters are referred to [Chaney86] and [Unger80]. Martin has shown that delay-insensitive fair arbiters can be built, see [Martin 85b, Dill88]; in his design the communication that is internal to the fair arbiter is delay-insensitive. On the other hand it has been argued that delay-insensitive fair arbitration is not possible, see [Udding85, Moll85, Cox85]. Our conclusion is: we are able to build fair arbiters that internally communicate delay-insensitively, but when an arbiter communicates delay-insensitively with its environment this arbiter may not be fair any more, seen from the point of view of this environment. The lesson to be learned from this is: if we need a fair arbiter, we can build it such that the internal communication is delay-insensitive; we have to take care that the communication between this arbiter and its environment is not delay-insensitive.

#### 7.0.4 Testing for delay-insensitivity

Burstyn and Udding have written a program to test automatically whether the composition of a number of delay-insensitive modules is correct in the sense that no possible sequence of communication actions can result in computation interference hazard. This program can be used to verify that a particular communication is delay-insensitive, see [Burstyn 86]. The program accomplishes this by, first, internally generating the reflection of the given component and Ebergen's Wire components. The Wire components are used to connect the component to its reflection. Next, the program tests the resulting composition for computation interference hazard. If this test is negative, the trace structure of the original component is in Udding's delay-insensitive class, i.e.  $C_4$ .
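The test described above, as an added illustration that is neither Burstyn and Udding's program nor code from the monograph: a component is assumed here to be a finite automaton over an alphabet bipartitioned into inputs and outputs (the names `reflection`, `di_test`, the sample components and the event-trail format are all constructed for this example). The component is connected to its reflection through one capacity-one Wire per symbol, in Ebergen's manner; a second signal sent into an occupied Wire is reported as transmission interference (the special case of computation interference at a Wire input mentioned in subsection 7.0.2), and a delivery that the receiver's trace set does not accept is reported as computation interference. The search explores every interleaving, so the verdict 'ok' means that no sequence of communication actions results in a hazard.

```python
from collections import deque

# Model assumed by this example (not the monograph's definitions): a component is
# a finite automaton (inputs, outputs, delta) with initial state 0 and
# delta[state][symbol] == next_state; its trace set is the prefix-closed set of
# symbol sequences labelling paths from state 0.


def reflection(component):
    """Reflection of a component: same trace set, inputs and outputs interchanged
    (this is the role definition 2.36 of the monograph is assumed to play here)."""
    inputs, outputs, delta = component
    return (outputs, inputs, delta)


def enabled(component, state):
    """Symbols the component can engage in at `state`, with their successor states."""
    return component[2].get(state, {})


def di_test(component):
    """Connect `component` (G) to its reflection (R) through one capacity-one Wire
    per symbol and breadth-first search every interleaving of sends and deliveries.

    Returns (verdict, events): verdict is 'ok', 'transmission interference' (a
    signal is sent into a Wire that still holds one) or 'computation interference'
    (a Wire delivers a signal the receiver cannot accept in its current state);
    events is the first hazardous sequence found, or () when there is none.
    """
    gamma, rgamma = component, reflection(component)
    parties = {"G": gamma, "R": rgamma}
    start = (0, 0, frozenset())  # (state of G, state of R, Wires holding a signal)
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (sg, sr, wires), events = queue.popleft()
        states = {"G": sg, "R": sr}
        successors = []
        # Sends: each party may emit any of its outputs enabled in its state.
        for who, comp in parties.items():
            for sym, nxt in enabled(comp, states[who]).items():
                if sym not in comp[1]:
                    continue
                trail = events + ((who, "sends", sym),)
                if sym in wires:  # a second signal on an occupied Wire
                    return ("transmission interference", trail)
                new = dict(states, **{who: nxt})
                successors.append(((new["G"], new["R"], wires | {sym}), trail))
        # Deliveries: an occupied Wire hands its signal to the receiving party.
        for sym in sorted(wires):
            who = "G" if sym in gamma[0] else "R"  # G's inputs are sent by R
            trail = events + ((who, "receives", sym),)
            nxt = enabled(parties[who], states[who]).get(sym)
            if nxt is None:  # the receiver cannot accept the signal now
                return ("computation interference", trail)
            new = dict(states, **{who: nxt})
            successors.append(((new["G"], new["R"], wires - {sym}), trail))
        for state, trail in successors:
            if state not in seen:
                seen.add(state)
                queue.append((state, trail))
    return ("ok", ())


# Constructed sample components (illustrative, not taken from the monograph).
WIRE = ({"a"}, {"b"}, {0: {"a": 1}, 1: {"b": 0}})                       # (a b)*
DOUBLE_OUTPUT = ({"a"}, {"b"}, {0: {"a": 1}, 1: {"b": 2}, 2: {"b": 3}})  # a b b
ORDERED_INPUTS = ({"a", "b"}, {"c"}, {0: {"a": 1}, 1: {"b": 2}, 2: {"c": 0}})  # a b c
JOIN = ({"a", "b"}, {"c"}, {0: {"a": 1, "b": 2}, 1: {"b": 3}, 2: {"a": 3}, 3: {"c": 0}})

if __name__ == "__main__":
    samples = [("WIRE", WIRE), ("DOUBLE_OUTPUT", DOUBLE_OUTPUT),
               ("ORDERED_INPUTS", ORDERED_INPUTS), ("JOIN", JOIN)]
    for name, comp in samples:
        verdict, events = di_test(comp)
        print(name, verdict, " ".join(":".join(e) for e in events))
```

Of the constructed samples, ORDERED_INPUTS fails because its two input signals travel over distinct Wires and may be delivered in either order, so the reflection's b can arrive before a; DOUBLE_OUTPUT fails because the second b is sent while the first may still be in its Wire; WIRE and JOIN, which accept their inputs in either order, pass.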

### 7.1 Topics for further research

In chapter 2 we remarked that it is possible to infer a comminstorder of a module from the causal ordering of signals exchanged by a mechanism. Some initial exercises showed that it might be interesting to consider Dynamical Systems theory as the underlying physical model; it seems promising to pursue a formal relation between Dynamical Systems theory and our Communication Model.

We presented abstractions in chapter 2: a component is an equivalence class of modules, and a channel is an equivalence class of interconnections. Delay-safety and delay-insensitivity could be modeled using modules and interconnections instead of components and channels. In this case, communication behaviors would be sets of trace sets rather than trace sets. The outcome of such work will yield interesting information about what is lost by our abstraction; e.g., ambiguous quiescence hazard can be introduced by this abstraction, see remark 3.16.

For the operators that have been defined in this monograph programs can be developed; these programs might serve as a tool for designers. Furthermore, they might be integrated in larger development environments. Van der Heijden and Teunissen have developed a program for the operator DIE, which is referred to as "DECNTIH" by them, see [van der Heijden-Teunissen 89].

Within our Communication Model, both synchronous and asynchronous communication can be addressed. We integrate them in chapter 6: the composition operators in this chapter deal with mixed connections of components. As such, these operators may constitute a step towards the integration of design techniques based on synchronous and asynchronous communication models, see section 0.0. We believe that in the next decade synchronous and asynchronous design techniques will cease to be competitors: they will be integrated in large development environments in which they both can be used by a designer, depending on the particular design task.

In this monograph we have been concerned with the limitations of delay-safe and delay-insensitive communication. Often a strict protocol of signaling conventions is imposed throughout a system in order to deal with the complexity of the design, cf. [Seitz 80]. The operators presented in this monograph can be used to check whether such a methodical approach is consistent with delay-safe and delay-insensitive communication.


# Appendix A

# **Proofs**

This appendix has three sections. Section A.3 contains the proof of the theorem of chapter 3. Sections A.4 and A.5 contain the proofs of the lemmas and theorems of chapters 4 and 5, respectively.

### A.3 Computation interference hazard

### theorem 3.14

Let UndesPh be some undesired phenomenon. Let trace set S be associated with UndesPh. Let  $\Gamma$  be a component such that  $(\mathbf{A}s: s \in t(ptr\Gamma) \cap S: l(s|i\Gamma) > 0)$ . We define component  $\Gamma'$  by  $\Gamma' \stackrel{\text{def}}{=} \langle io\Gamma, redts(ptr\Gamma, i\Gamma, S) \rangle$ .

Then  $\Gamma'$  is the maximal (w.r.t. trace structure inclusion) component such that

- (i)  $io\Gamma' = io\Gamma$ ,
- (ii)  $ptr\Gamma' \subseteq ptr\Gamma$ ,
- (iii)  $\Gamma'$  has absence of UndesPh hazard.

### proof

Let UndesPh be an undesired phenomenon hazard. Let trace set S be associated with UndesPh. Let  $\Gamma$  be a component. Let component  $\Gamma'$  be defined by  $\Gamma' \stackrel{\text{def}}{=} \langle io\Gamma, redts(ptr\Gamma, i\Gamma, S) \rangle$ .

From the definition of  $\Gamma'$  follows (i). From definition 1.34, "redts", follows (ii). Since all traces of  $t(ptr\Gamma) \cap S$  are missing in  $t(ptr\Gamma')$ , cf. definition 1.34, "redts", we infer that (iii) holds.

In order to argue the maximality of  $\Gamma'$ , we consider a trace *t* such that  $t \in (t(ptr\Gamma) \setminus t(ptr\Gamma'))$ . Using  $ptr\Gamma' = redts(ptr\Gamma, i\Gamma, S)$  we infer from property 1.36 that  $(\mathbf{E}x, a: x \in (a\Gamma)^* \land a \in i\Gamma \land xa \operatorname{prefix} t: x \in t(ptr\Gamma') \land xa \notin t(ptr\Gamma'))$ . From definition 1.34, "redts", we infer that

$$(\mathbf{E}x, y, a: x \in (a\Gamma)^* \land y \in (o\Gamma)^* \land a \in i\Gamma \land xa \operatorname{prefix} t: x \in t(ptr\Gamma') \land xa \notin t(ptr\Gamma') \land xay \in (t(ptr\Gamma) \cap S)).$$

Given such traces x and y and such a symbol a. The addition of trace t to  $t(ptr\Gamma')$  leads to the presence of xa in  $t(ptr\Gamma')$ . Since components cannot be prevented from producing their output comminsts, trace xay should be present, too. Since  $xay \in (t(ptr\Gamma) \cap S)$  and S is associated with UndesPh, we infer that the addition of a trace to  $t(ptr\Gamma')$  introduces UndesPh hazard. We conclude that  $\Gamma'$  is maximal.

end of theorem

### A.4 Communicating delay-safely

In this section we present the proofs of the lemmas and theorems of chapter 4.


### lemma 4.43

For component  $\Gamma$ ,

```
(\mathbf{A}t: t \in \mathbf{t}(\mathbf{dse}\Gamma): (\mathbf{E}s: s \in \mathbf{t}(\mathbf{ptr}\Gamma): s\mathbf{c}_{\mathbf{i}\circ\Gamma}t))
```

### proof

Given component  $\Gamma$ . Let t be such that  $t \in t(dse\Gamma)$ . We prove this lemma by induction on the length of t.

induction hypothesis

$$(\mathbf{A}u: u \in t(dse\Gamma) \land lu < lt: (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,u))$$

base: $lt = 0$

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ \text{property 4.5(i)}\ \} \\
 & \varepsilon\,\mathbf{c}_{io\Gamma}\,\varepsilon \\
= & \{\ t = \varepsilon \text{, since } lt = 0\ \} \\
 & \varepsilon\,\mathbf{c}_{io\Gamma}\,t \\
= & \{\ \text{property 2.34(i)}\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,t)
\end{array}$$

step: $lt > 0$

Let $t = xa$ for trace x and symbol a; hence, $lx < lt$. From  $t \in t(dse\Gamma)$  follows that  $a \in a\Gamma$  and  $xa \in t(dse\Gamma)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $a \in o\Gamma$

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ xa \in t(dse\Gamma)\ \} \\
 & xa \in t(dse\Gamma) \\
\Rightarrow & \{\ \text{definition 4.36, "dse", using } a \in o\Gamma\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma) \land s\,\mathbf{c}_{io\Gamma}\,x: \#_a s > \#_a x) \\
= & \{\ \text{property 4.11(i), using } a \in o\Gamma\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,xa) \\
= & \{\ t = xa\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,t)
\end{array}$$

case 1: $a \in i\Gamma$

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ xa \in t(dse\Gamma)\ \} \\
 & xa \in t(dse\Gamma) \\
\Rightarrow & \{\ dse\Gamma \text{ is prefix-closed}\ \} \\
 & x \in t(dse\Gamma) \\
\Rightarrow & \{\ \text{induction hypothesis, using } lx < lt\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,x) \\
\Rightarrow & \{\ \text{property 4.11(iv), using } a \in i\Gamma\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,xa) \\
= & \{\ t = xa\ \} \\
 & (\mathbf{E}s: s \in t(ptr\Gamma): s\,\mathbf{c}_{io\Gamma}\,t)
\end{array}$$

end of lemma

### lemma 4.44

For components  $\Gamma$  and  $\Delta$  such that  $io\Gamma = io\Delta$  and  $\overline{\Delta}\ \mathrm{NCIHADS}\ \Gamma$ ,

$$(\mathbf{A}s, t: s \in t(ptr\Gamma) \land t \in t(ptr\Delta) \setminus t(dse\Gamma): \neg(s\,\mathbf{c}_{io\Gamma}\,t))$$

### proof

Given components  $\Gamma$  and  $\Delta$  such that  $io\Gamma = io\Delta$  and  $\overline{\Delta}\ \mathrm{NCIHADS}\ \Gamma$ . Let trace t be such that  $t \in t(ptr\Delta) \setminus t(dse\Gamma)$ . Since  $\varepsilon \in t(dse\Gamma)$ ,  $t \neq \varepsilon$ . Let trace x and symbol a be such that  $xa \operatorname{prefix} t$ ,  $a \in a\Gamma$ ,  $x \in t(dse\Gamma)$ ,  $xa \in t(ptr\Delta)$ , and  $xa \notin t(dse\Gamma)$ . We first prove that  $a \in o\Gamma$ .

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ \text{definition 4.29, "NCIHADS", using } \overline{\Delta}\ \mathrm{NCIHADS}\ \Gamma \text{ and } a\Gamma = a\Delta\ \} \\
 & (\mathbf{A}r, s, b: r \in t(ptr\overline{\Delta}) \land s \in t(ptr\Gamma) \land b \in o\overline{\Delta} \land r\,\mathbf{c}_{io\overline{\Delta}}\,s \land \#_b r > \#_b s: sb \in t(ptr\Gamma)) \\
\Rightarrow & \{\ xa \in t(ptr\overline{\Delta}) \text{, since } xa \in t(ptr\Delta) \text{, see definition 2.36, "reflection of component"}\ \} \\
 & (\mathbf{A}s, b: s \in t(ptr\Gamma) \land b \in o\overline{\Delta} \land xa\,\mathbf{c}_{io\overline{\Delta}}\,s \land \#_b xa > \#_b s: sb \in t(ptr\Gamma)) \\
= & \{\ \text{property 4.9, and calculus}\ \} \\
 & (\mathbf{A}s, b: s \in t(ptr\Gamma) \land b \in o\overline{\Delta} \land s\,\mathbf{c}_{io\Delta}\,xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma)) \\
= & \{\ io\Delta = io\Gamma \text{ and } o\overline{\Delta} = i\Gamma \text{, see definition 2.36, "reflection of component"}\ \} \\
 & (\mathbf{A}s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s\,\mathbf{c}_{io\Gamma}\,xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma)) \\
\Rightarrow & \{\ \text{definition 4.36, "dse", using } x \in t(dse\Gamma) \text{ and } xa \notin t(dse\Gamma)\ \} \\
 & a \notin i\Gamma \\
= & \{\ a \in a\Gamma \text{ and } o\Gamma = a\Gamma \setminus i\Gamma \text{, see property 2.33}\ \} \\
 & a \in o\Gamma
\end{array}$$

We have derived  $a \in o\Gamma$ .

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ \text{definition 4.36, "dse", using } a \in o\Gamma \text{, } x \in t(dse\Gamma) \text{, and } xa \notin t(dse\Gamma)\ \} \\
 & (\mathbf{A}s: s \in t(ptr\Gamma) \land s\,\mathbf{c}_{io\Gamma}\,x: \#_a s \leq \#_a x) \\
= & \{\ \text{predicate calculus}\ \} \\
 & (\mathbf{A}s: s \in t(ptr\Gamma): \neg(s\,\mathbf{c}_{io\Gamma}\,x \land \#_a s > \#_a x)) \\
= & \{\ \text{property 4.11(i), using } a \in o\Gamma\ \} \\
 & (\mathbf{A}s: s \in t(ptr\Gamma): \neg(s\,\mathbf{c}_{io\Gamma}\,xa)) \\
\Rightarrow & \{\ \text{property 4.7, using } xa \operatorname{prefix} t \text{ and property 2.45(ii)}\ \} \\
 & (\mathbf{A}u: u \in t(ptr\Gamma): \neg(u\,\mathbf{c}_{io\Gamma}\,t))
\end{array}$$

end of lemma

### theorem 4.45 *delay-safe enclosure*

For component  $\Gamma$ ,

 $ptr(DSE\Gamma) = dse\Gamma$ 

### proof

Given component  $\Gamma$ . Let component  $\Delta$  be such that  $io \Delta = io \Gamma$  and  $ptr \Delta = dse \Gamma$ .

From property 4.42 we conclude that  $\Gamma NCIHDS\overline{\Delta}$ . From lemma 4.43 we derive that  $(\mathbf{A}a, t: a \in \mathbf{o}\Gamma \land ta \in t(\mathbf{ptr}\Delta): (\mathbf{E}s: s \in t(\mathbf{ptr}\Gamma): s\mathbf{c}_{\mathbf{io}\Gamma}ta))$ . The maximality of  $\Delta$  follows from lemma 4.44.

end of theorem

### lemma 4.49

For component  $\Gamma$ ,

$$(\mathbf{A}t: t \in t(ptr\Gamma) \land (\mathbf{E}y: y \in t(dse\Gamma): t\,\mathbf{c}_{io\Gamma}\,y): t \in t(dse\Gamma))$$

### proof

Given component  $\Gamma$ . Let trace t be such that  $t \in t(ptr\Gamma)$ , and  $(Ey: y \in t(dse\Gamma): tc_{io\Gamma}y)$ . We prove this lemma by induction on the length of t.

induction hypothesis

$$(\mathbf{A}u: u \in t(ptr\Gamma) \land lu < lt \land (\mathbf{E}z: z \in t(dse\Gamma): u\,\mathbf{c}_{io\Gamma}\,z): u \in t(dse\Gamma))$$

base: $lt = 0$

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ lt = 0\ \} \\
 & t = \varepsilon \\
\Rightarrow & \{\ \varepsilon \in t(dse\Gamma) \text{, see definition 4.36, "dse"}\ \} \\
 & t \in t(dse\Gamma)
\end{array}$$

step: $lt > 0$

Let $t = xa$ for trace x and symbol a; hence, $lx < lt$,  $a \in a\Gamma$ ,  $xa \in t(ptr\Gamma)$ , and  $(\mathbf{E}y: y \in t(dse\Gamma): xa\,\mathbf{c}_{io\Gamma}\,y)$ .

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ xa \in t(ptr\Gamma)\ \} \\
 & xa \in t(ptr\Gamma) \\
\Rightarrow & \{\ ptr\Gamma \text{ is prefix-closed, see property 2.45(ii)}\ \} \\
 & x \in t(ptr\Gamma) \\
\Rightarrow & \{\ \text{induction hypothesis, using } lx < lt \text{ and calculus}\ \} \\
 & (\mathbf{E}z: z \in t(dse\Gamma): x\,\mathbf{c}_{io\Gamma}\,z) \Rightarrow x \in t(dse\Gamma) \\
\Rightarrow & \{\ \text{property 4.7, using } (\mathbf{E}y: y \in t(dse\Gamma): xa\,\mathbf{c}_{io\Gamma}\,y)\ \} \\
 & x \in t(dse\Gamma)
\end{array}$$

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $a \in o\Gamma$

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ x \in t(dse\Gamma)\ \} \\
 & x \in t(dse\Gamma) \\
= & \{\ \text{property 4.6(i), using } a \in o\Gamma\ \} \\
 & x \in t(dse\Gamma) \land xa\,\mathbf{c}_{io\Gamma}\,x \\
= & \{\ \text{definition 4.36, "dse", using } a \in o\Gamma \text{ and } xa \in t(ptr\Gamma)\ \} \\
 & xa \in t(dse\Gamma)
\end{array}$$

case 1: $a \in i\Gamma$

We know that  $(\mathbf{E}y: y \in t(dse\Gamma): xa\,\mathbf{c}_{io\Gamma}\,y)$ . Given such a trace y. Hence  $y \in t(dse\Gamma)$  and  $xa\,\mathbf{c}_{io\Gamma}\,y$ . Using  $a \in i\Gamma$  we find that  $(\mathbf{E}b, w, z: b \in i\Gamma \land z \in (o\Gamma)^*: wbz = y)$ . Given such a symbol b and such traces w and z. Hence  $b \in i\Gamma$ . From property 4.40(ii) we derive that  $wb \in t(dse\Gamma)$ . From property 4.2, "composability", we derive that  $xa\,\mathbf{c}_{io\Gamma}\,wb$ .

$$\begin{array}{ll}
 & \text{true} \\
= & \{\ \text{property 4.41, using } wb \in t(dse\Gamma)\ \} \\
 & (\mathbf{A}s, c: s \in t(ptr\Gamma) \land c \in i\Gamma \land sc\,\mathbf{c}_{io\Gamma}\,wb: sc \in t(ptr\Gamma)) \\
\Rightarrow & \{\ \text{predicate calculus}\ \} \\
 & (\mathbf{A}s, c: s \in t(ptr\Gamma) \land c \in i\Gamma \land sc\,\mathbf{c}_{io\Gamma}\,xa \land sc\,\mathbf{c}_{io\Gamma}\,wb: sc \in t(ptr\Gamma)) \\
= & \{\ \text{property 4.10, "transitivity of composability", using } xa\,\mathbf{c}_{io\Gamma}\,wb\ \} \\
 & (\mathbf{A}s, c: s \in t(ptr\Gamma) \land c \in i\Gamma \land sc\,\mathbf{c}_{io\Gamma}\,xa: sc \in t(ptr\Gamma)) \\
= & \{\ \text{property 4.11(iii)}\ \} \\
 & (\mathbf{A}s, c: s \in t(ptr\Gamma) \land c \in i\Gamma \land s\,\mathbf{c}_{io\Gamma}\,xa \land \#_c s < \#_c xa: sc \in t(ptr\Gamma)) \\
= & \{\ \text{definition 4.36, "dse", using } x \in t(dse\Gamma) \text{ and } a \in i\Gamma\ \} \\
 & xa \in t(dse\Gamma)
\end{array}$$

Hence,  $xa \in t(dse \Gamma)$ ; since xa = t, we conclude  $t \in t(dse \Gamma)$ .

end of lemma

### lemma 4.51

For component  $\Gamma$ ,

 $(dse \Gamma, ab\Gamma) \in D_4$ 

### proof

Given component  $\Gamma$ . Let traces t, y, and z be such that  $y \in t(dse\Gamma)$ ,  $z \in t(dse\Gamma)$ ,  $yc_{io\Gamma}t$ , and  $tc_{io\Gamma}z$ . We prove by induction on t, that  $t \in t(dse\Gamma)$ .

induction hypothesis

 $(\mathbf{A} u : u \operatorname{prefix} t \land lu < lt : u \in t(\operatorname{dse} \Gamma))$ 

base: lt=0

Hence  $t = \varepsilon$ . From definition 4.36, "dse", we derive that  $t \in t(dse \Gamma)$ .

step: lt > 0

Let t = xa for trace x and symbol a; hence,  $x \operatorname{prefix} t$ , lx < lt,  $y \operatorname{c}_{io\Gamma} xa$ , and  $xa \operatorname{c}_{io\Gamma} z$ . From the induction hypothesis we conclude that  $x \in t(\operatorname{dse} \Gamma)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $a \in o\Gamma$

```
    true
=     { y \in t(dse\Gamma) }
    y \in t(dse\Gamma)
⇒     { lemma 4.43 }
    (E u: u \in t(ptr\Gamma): u c_{io\Gamma} y)
⇒     { property 4.10, "transitivity of composability", using y c_{io\Gamma} xa }
    (E u: u \in t(ptr\Gamma): u c_{io\Gamma} xa)
=     { property 4.11(i), using a \in o\Gamma }
    (E u: u \in t(ptr\Gamma): u c_{io\Gamma} x \land \#_a u > \#_a x)
=     { definition 4.36, "dse", using a \in o\Gamma and x \in t(dse\Gamma) }
    xa \in t(dse\Gamma)
```

case 1: $a \in i\Gamma$

Since  $a \in i\Gamma$  and  $xac_{io\Gamma}z$  we derive, using property 4.11(iii), that  $\#_a z > 0$ . Hence, there exist traces v and w, and symbol b such that z = vbw,  $b \in i\Gamma$ , and  $w \in (o\Gamma)^*$ . Given such v, w, and b. Hence,  $vbw \in t(dse\Gamma)$  and  $xac_{io\Gamma}vbw$ . From property 4.40(ii) we derive that  $vb \in t(dse\Gamma)$ . Using  $w \in (o\Gamma)^*$  and  $xac_{io\Gamma}vbw$ , we derive from property 4.11(i) that  $xac_{io\Gamma}vb$ .

```
    true
=     { property 4.41, using b \in i\Gamma and vb \in t(dse\Gamma) }
    (A u, c: u \in t(ptr\Gamma) \land c \in i\Gamma \land uc c_{io\Gamma} vb: uc \in t(ptr\Gamma))
⇒     { predicate calculus }
    (A u, c: u \in t(ptr\Gamma) \land c \in i\Gamma \land uc c_{io\Gamma} xa \land uc c_{io\Gamma} vb: uc \in t(ptr\Gamma))
=     { (A s: s \in (a\Gamma)^*: (s c_{io\Gamma} xa \land s c_{io\Gamma} vb) = s c_{io\Gamma} xa),
        see property 4.10, "transitivity of composability", using xa c_{io\Gamma} vb }
    (A u, c: u \in t(ptr\Gamma) \land c \in i\Gamma \land uc c_{io\Gamma} xa: uc \in t(ptr\Gamma))
=     { property 4.11(iii) }
    (A u, c: u \in t(ptr\Gamma) \land c \in i\Gamma \land u c_{io\Gamma} xa \land \#_c u < \#_c xa: uc \in t(ptr\Gamma))
=     { definition 4.36, "dse", using x \in t(dse\Gamma) and a \in i\Gamma }
    xa \in t(dse\Gamma)
```

Hence,  $xa \in t(dse \Gamma)$ ; since xa = t, we conclude that  $t \in t(dse \Gamma)$ .

We have proven that

```
(A y, t, z: y \in t(dse\Gamma) \land y c_{io\Gamma} t \land t c_{io\Gamma} z \land z \in t(dse\Gamma): t \in t(dse\Gamma)).
```

Now we conclude from definition 4.16, " $D_4$ ", and  $ab\Gamma = o\Gamma \oplus i\Gamma$  that  $(dse\Gamma, ab\Gamma) \in D_4$ .

end of lemma

### lemma 4.52

For component  $\Gamma$ ,

 $(\operatorname{ptr} \Gamma, \operatorname{ab} \Gamma) \in \mathbb{D}_4 = (\operatorname{dse} \Gamma = \operatorname{ptr} \Gamma)$ 

### proof

Given component  $\Gamma$ . We first prove that  $(dse \Gamma = ptr \Gamma) \Rightarrow (ptr \Gamma, ab\Gamma) \in \mathbf{D}_4$ .

Let component  $\Gamma$  be such that dse  $\Gamma = \text{ptr }\Gamma$ . From lemma 4.51 we conclude that  $(\text{ptr }\Gamma, \text{ab }\Gamma) \in \mathbf{D}_4$ .

We now prove that  $(ptr\Gamma, ab\Gamma) \in D_4 \Rightarrow (dse\Gamma = ptr\Gamma)$ . Let component  $\Gamma$  be such that  $(ptr\Gamma, ab\Gamma) \in D_4$ . Now,  $a(dse\Gamma) = a(ptr\Gamma)$ . For trace t we prove that  $t \in t(dse\Gamma) = t \in t(ptr\Gamma)$  by induction on the length of t.

### induction hypothesis

 $(\mathbf{A} u : lu < lt : u \in t(dse\Gamma) = u \in t(ptr\Gamma))$ 

base: lt=0

Hence,  $t=\varepsilon$ . Since  $\varepsilon \in t(dse\Gamma)$  and  $\varepsilon \in t(ptr\Gamma)$ , we conclude that  $t \in t(dse\Gamma) = t \in t(ptr\Gamma)$ .

step: lt > 0

Let t = xa for trace x and symbol a; hence, lx < lt.

We first prove that  $xa \in t(dse\Gamma) \Rightarrow xa \in t(ptr\Gamma)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $a \in o\Gamma$

Using  $a \in o\Gamma$  we derive from property 4.6(i) that  $xac_{io\Gamma}x$ .

```
    xa \in t(dse\Gamma)
=     { definition 4.36, "dse", using a \in o\Gamma }
    x \in t(dse\Gamma) \land (E s: s \in t(ptr\Gamma) \land s c_{io\Gamma} x: \#_a s > \#_a x)
=     { induction hypothesis, using lx < lt }
    x \in t(ptr\Gamma) \land (E s: s \in t(ptr\Gamma) \land s c_{io\Gamma} x: \#_a s > \#_a x)
=     { property 4.11(i), using a \in o\Gamma }
    x \in t(ptr\Gamma) \land (E s: s \in t(ptr\Gamma): s c_{io\Gamma} xa)
=     { definition 4.16, "D_4", using (ptr\Gamma, ab\Gamma) \in D_4 and xa c_{io\Gamma} x }
    x \in t(ptr\Gamma) \land xa \in t(ptr\Gamma)
=     { property 2.45(ii) }
    xa \in t(ptr\Gamma)
```

case 1: $a \in i\Gamma$

Using  $a \in i\Gamma$  we derive from property 4.6(ii) that  $x \operatorname{c}_{io\Gamma} xa$ .

```
    xa \in t(dse\Gamma)
=     { definition 4.36, "dse", using a \in i\Gamma }
    x \in t(dse\Gamma)
    \land (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s c_{io\Gamma} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
=     { induction hypothesis, using lx < lt }
    x \in t(ptr\Gamma)
    \land (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s c_{io\Gamma} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
⇒     { a \in i\Gamma, x c_{io\Gamma} xa, and calculus }
    xa \in t(ptr\Gamma)
```

Hence,  $xa \in t(dse\Gamma) \Rightarrow xa \in t(ptr\Gamma)$ .

We now prove that  $xa \in t(ptr\Gamma) \Rightarrow xa \in t(dse\Gamma)$ .

```
    xa \in t(ptr\Gamma)
=     { property 2.45(ii) }
    x \in t(ptr\Gamma) \land xa \in t(ptr\Gamma)
=     { induction hypothesis, using lx < lt }
    x \in t(dse\Gamma) \land xa \in t(ptr\Gamma)
=     { (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma: s c_{io\Gamma} sb), see property 4.6(ii) }
    x \in t(dse\Gamma) \land xa \in t(ptr\Gamma) \land (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma: s c_{io\Gamma} sb)
⇒     { definition 4.16, "D_4", using (ptr\Gamma, ab\Gamma) \in D_4 }
    x \in t(dse\Gamma) \land (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma: sb c_{io\Gamma} xa \Rightarrow sb \in t(ptr\Gamma))
=     { predicate calculus and property 4.11(iii) }
    x \in t(dse\Gamma)
    \land (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s c_{io\Gamma} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
=     { definition 4.36, "dse", using a \in i\Gamma }
    xa \in t(dse\Gamma)
```

Hence, we have proven that  $xa \in t(dse\Gamma) = xa \in t(ptr\Gamma)$ ; since xa = t, we conclude that  $t \in t(dse\Gamma) = t \in t(ptr\Gamma)$ .

end of lemma

### theorem 4.56

For i/o-connectable components  $\Gamma$  and  $\Delta$ ,

```
\Gamma NCIHDS \Delta = (DSE \Gamma) NCIH (DSE \Delta)
```

### proof

Given i/o-connectable components  $\Gamma$  and  $\Delta$ .

```
    \Gamma NCIHDS \Delta
=     { property 4.31, "symmetry of NCIHDS" }
    \Delta NCIHDS \Gamma
=     { property 4.54(iii) }
    (DSE \Delta) NCIHDS \Gamma
=     { property 4.31, "symmetry of NCIHDS" }
    \Gamma NCIHDS (DSE \Delta)
=     { property 4.55(iii) }
    (DSE \Gamma) NCIH (DSE \Delta)
```

end of theorem

### lemma 4.69

For component  $\Gamma$ ,

 $(CBDS \Gamma)NCIHDS \overline{DSE \Gamma}$ 

### proof

Given component  $\Gamma$ . From definition 4.34, "delay-safe enclosure", we infer that  $\Gamma NCIHADS \overline{DSE\Gamma}$ . Using that  $ptr(CBDS\Gamma) \subseteq ptr\Gamma$ , see definition 4.68, "maximal communication behavior for delay-safe communication", we conclude that (CBDS $\Gamma$ )NCIHADS  $\overline{DSE\Gamma}$ .

Let traces t and u and symbol a be such that  $t \in t(ptr(DSE\Gamma))$ ,  $u \in t(ptr(CBDS\Gamma))$ ,  $a \in i\Gamma$ ,  $tc_{io\Gamma}u$ , and  $\#_a t > \#_a u$ . From definition 4.68 we infer that  $u \in t(ptr\Gamma)$ . Using definition 4.34, "delay-safe enclosure", we conclude that  $ua \in t(ptr\Gamma)$ . From property 4.9, we get that  $uac_{io\Gamma}t$ , where  $t \in t(ptr(DSE\Gamma))$ . Using the maximality (w.r.t. trace structure inclusion) of CBDS, we conclude that  $ua \in t(ptr(CBDS\Gamma))$ . Now, from definition 4.29, "NCIHADS", we infer that  $\overline{DSE\Gamma}NCIHADS(CBDS\Gamma)$ .

From definition 4.30, "computation interference hazard for indirect connection", we conclude that  $(CBDS \Gamma)NCIHDS \overline{DSE \Gamma}$ .

end of lemma

#### theorem 4.74 maximal communication behavior for delay-safe communication

For component  $\Gamma$ ,

 $ptr(CBDS \Gamma) = cbds \Gamma$ 

## proof

Given component  $\Gamma$ . From property 4.72 we derive that  $\operatorname{cbds}\Gamma \subseteq \operatorname{ptr}\Gamma$ . From definition 4.70, "cbds", we derive that  $(A a, s : a \in i\Gamma \land sa \in t(cbds\Gamma) : (E t : t \in t(dse\Gamma) : sa \operatorname{c}_{io\Gamma} t))$ .

We now have to prove that  $cbds\Gamma$  is maximal. Let trace s and symbol a be such that  $s \in t(cbds\Gamma)$ ,  $sa \in t(ptr\Gamma)$ , and  $a \in i\Gamma \Rightarrow (Et: t \in t(dse\Gamma): sac_{io\Gamma}t)$ . We prove that  $sa \in t(cbds\Gamma)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

```
case 0: a \in o\Gamma
    true
=     { property 4.72, using s \in t(cbds\Gamma) }
    s \in t(dse\Gamma)
=     { property 4.6(i), using a \in o\Gamma }
    s \in t(dse\Gamma) \land sa c_{io\Gamma} s
⇒     { definition 4.36, "dse", using a \in o\Gamma and sa \in t(ptr\Gamma) }
    sa \in t(dse\Gamma)
=     { property 4.72, using sa \in t(ptr\Gamma) }
    sa \in t(cbds\Gamma)

case 1: a \in i\Gamma
    true
=     { (E t: t \in t(dse\Gamma): sa c_{io\Gamma} t), since a \in i\Gamma }
    (E t: t \in t(dse\Gamma): sa c_{io\Gamma} t)
=     { definition 4.70, "cbds", using sa \in t(ptr\Gamma) }
    sa \in t(cbds\Gamma)
```

end of theorem

The proof of theorem 4.77 is spread over two pages. It starts at page 240.

#### theorem 4.77

For components  $\Gamma$  and  $\Delta$  such that io  $\Gamma = io \overline{\Delta}$ ,

```
\Gamma NCIHDS \Delta
\Rightarrow (A t, u: t \in t(ptr\Gamma) \land t c_{io\Gamma} u \land u \in t(ptr\Delta)
           : t \in t(ptr(CBDS\Gamma)) \land u \in t(ptr(CBDS\Delta))
   )
```

#### proof

Given components  $\Gamma$  and  $\Delta$  such that  $io\Gamma = io\overline{\Delta}$ . Let traces t and u be such that  $t \in t(ptr\Gamma)$ ,  $t \operatorname{c}_{io\Gamma} u$ , and  $u \in t(ptr\Delta)$ .

We first prove that  $t \in t(ptr(CBDS \Gamma))$ . In order to be able to prove this, we prove that  $u \in t(dse\Gamma)$ . The latter we prove by induction on the length of u.

#### induction hypothesis

```
(\mathbf{A} v: v \in \mathbf{t}(\mathbf{ptr} \Delta) \land lv < lu \land (\mathbf{E} s: s \in \mathbf{t}(\mathbf{ptr} \Gamma): s\mathbf{c}_{\mathbf{lo}\Gamma} v): v \in \mathbf{t}(\mathbf{dse}\Gamma))
```

#### base: lu=0

Hence  $u = \varepsilon$ . From property 4.40(i), we conclude that  $u \in t(dse\Gamma)$ .

#### step: lu > 0

Let u=xa for trace x and symbol a; hence,  $x \operatorname{prefix} u$ , lx < lu, and  $t \operatorname{c}_{io\Gamma} xa$ . We first prove that  $x \in t(dse\Gamma)$ .

```
    true
=     { x prefix u and property 4.7, using t c_{io\Gamma} u }
    (E s: s prefix t: s c_{io\Gamma} x) \land x prefix u
⇒     { property 2.45(ii) twice, using t \in t(ptr\Gamma) and u \in t(ptr\Delta) }
    (E s: s \in t(ptr\Gamma): s c_{io\Gamma} x) \land x \in t(ptr\Delta)
⇒     { induction hypothesis, using lx < lu }
    x \in t(dse\Gamma)
```


Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

```
case 0: a \in o\Gamma
    true
=     { property 4.11(i), using a \in o\Gamma and t c_{io\Gamma} xa }
    t c_{io\Gamma} x \land \#_a t > \#_a x
⇒     { definition 4.36, "dse", using x \in t(dse\Gamma) and a \in o\Gamma }
    xa \in t(dse\Gamma)

case 1: a \in i\Gamma
    true
=     { definition 4.30, using \Gamma NCIHDS \Delta, and definition 4.29, using xa \in t(ptr\Delta) }
    (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s c_{io\Gamma} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
=     { definition 4.36, "dse", using a \in i\Gamma and x \in t(dse\Gamma) }
    xa \in t(dse\Gamma)
```

Hence, we have proven that  $xa \in t(dse \Gamma)$ ; since xa = u we conclude that  $u \in t(dse \Gamma)$ .

We have proved that  $u \in t(dse\Gamma)$ . Now, using  $t \in t(ptr\Gamma)$  and  $tc_{io\Gamma}u$ , we infer from definition 4.70, "cbds", that  $t \in t(cbds\Gamma)$ . From theorem 4.74, we now conclude that  $t \in t(ptr(CBDS\Gamma))$ .

We now have proven that for components  $\Gamma$  and  $\Delta$  such that  $io\Gamma = io\overline{\Delta}$ ,  $\Gamma NCIHDS \Delta \Rightarrow (A t, u: t \in t(ptr\Gamma) \land t \operatorname{c}_{io\Gamma} u \land u \in t(ptr\Delta): t \in t(ptr(CBDS\Gamma)))$ .

Using that  $io\Delta = io\overline{\Gamma}$ , and  $\Gamma NCIHDS \Delta = \Delta NCIHDS \Gamma$ , we conclude that  $\Gamma NCIHDS \Delta \Rightarrow (A t, u: t \in t(ptr\Gamma) \land t \operatorname{c}_{io\Gamma} u \land u \in t(ptr\Delta): u \in t(ptr(CBDS\Delta)))$ .

end of theorem

#### theorem 4.80

For components  $\Gamma$  and  $\Delta$  such that io  $\Gamma = io \Delta$ ,  $cbds \Gamma \subseteq ptr \Delta$ , and  $ptr \Delta \subseteq ptr \Gamma$ ,

```
\mathbf{dse}\,\Gamma = \mathbf{dse}\,\Delta
```

#### proof

Given components  $\Gamma$  and  $\Delta$  such that  $io \Gamma = io \Delta$ ,  $cbds \Gamma \subseteq ptr \Delta$ , and  $ptr \Delta \subseteq ptr \Gamma$ .

We first prove that  $dse \Gamma \subseteq dse \Delta$ . Let trace t be such that  $t \in t(dse \Gamma)$ .

#### induction hypothesis

 $(\mathbf{A} u : u \in \mathbf{t}(\mathbf{dse} \Gamma) \land lu < lt : u \in \mathbf{t}(\mathbf{dse} \Delta))$ 

base: lt=0

Hence  $t = \varepsilon$ . From property 4.40(i) we conclude that  $t \in t(dse \Delta)$ .

step: lt > 0

Let t=xa for trace x and symbol a; hence, lx < lt and  $xa \in t(dse\Gamma)$ . From property 4.40(ii) we conclude that  $x \in t(dse\Gamma)$ . From the induction hypothesis we infer that  $x \in t(dse \Delta)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $a \in o\Gamma$

From io  $\Gamma = io \Delta$  we infer that  $a \in o \Delta$ .

```
    true
=     { definition 4.36, "dse", using a \in o\Gamma and xa \in t(dse\Gamma) }
    (E s: s \in t(ptr\Gamma): s c_{io\Gamma} xa)
=     { property 4.5, using xa \in t(dse\Gamma) }
    (E s: s \in t(cbds\Gamma): s c_{io\Gamma} xa)
⇒     { cbds\Gamma \subseteq ptr\Delta }
    (E s: s \in t(ptr\Delta): s c_{io\Gamma} xa)
=     { definition 4.36, "dse", using x \in t(dse\Delta) and a \in o\Delta }
    xa \in t(dse\Delta)
```
```

case 1: $a \in i\Gamma$

From  $io\Gamma = io\Delta$  we infer that  $a \in i\Delta$ .

```
    true
=     { definition 4.36, "dse", using a \in i\Gamma and xa \in t(dse\Gamma) }
    (A s, b: s \in t(ptr\Gamma) \land b \in i\Gamma \land s c_{io\Gamma} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
⇒     { ptr\Delta \subseteq ptr\Gamma and io\Gamma = io\Delta }
    (A s, b: s \in t(ptr\Delta) \land b \in i\Delta \land s c_{io\Delta} xa \land \#_b s < \#_b xa: sb \in t(ptr\Gamma))
=     { definition 4.70, "cbds", using xa \in t(dse\Gamma) }
    (A s, b: s \in t(ptr\Delta) \land b \in i\Delta \land s c_{io\Delta} xa \land \#_b s < \#_b xa: sb \in t(cbds\Gamma))
⇒     { cbds\Gamma \subseteq ptr\Delta }
    (A s, b: s \in t(ptr\Delta) \land b \in i\Delta \land s c_{io\Delta} xa \land \#_b s < \#_b xa: sb \in t(ptr\Delta))
=     { definition 4.36, "dse", using x \in t(dse\Delta) and a \in i\Delta }
    xa \in t(dse\Delta)
```

Hence, we have proven that  $xa \in t(dse \Delta)$ ; since t=xa, we conclude that  $t \in t(dse \Delta)$ .

We conclude that dse  $\Gamma \subseteq$  dse  $\Delta$ .

We now prove that  $dse\Delta \subseteq dse\Gamma$ . Let trace t be such that  $t \in t(dse\Delta)$ . We prove that  $t \in t(dse\Gamma)$  by mathematical induction on  $l(t \mid i\Delta)$ .

#### induction hypothesis

 $(\mathbf{A} u : u \in \mathbf{t}(\mathbf{dse}\Delta) \land l(u \mid \mathbf{i}\Delta) < l(t \mid \mathbf{i}\Delta) : u \in \mathbf{t}(\mathbf{dse}\Gamma))$ 

base: $l(t \mid i\Delta) = 0$

Since  $a\Delta$  is bipartitioned into  $o\Delta$  and  $i\Delta$ , we conclude that  $t\in (o\Delta)^*$ . From property 4.40(i) we conclude that  $\varepsilon \in t(dse\Gamma)$ . Now we infer from property 4.79 that  $t\in t(dse\Gamma)$ .

step: $l(t \mid i\Delta) > 0$

Let t=xay for traces x and y and symbol a such that  $a \in i\Delta$ , and  $y \in (o\Delta)^*$ ; hence,  $l(x|i\Delta) < l(t|i\Delta)$  and  $xay \in t(dse\Delta)$ . From property 4.40(ii) we conclude that  $xa \in t(dse\Delta)$  and  $x \in t(dse\Delta)$ . From the induction hypothesis we infer that  $x \in t(dse\Gamma)$ . From  $io\Gamma = io\Delta$  we infer that  $a \in i\Gamma$  and  $y \in (o\Gamma)^*$ .

Let trace w and symbol b be such that  $w \in t(ptr\Gamma)$ ,  $b \in i\Gamma$ ,  $wc_{io\Gamma}xa$ , and  $\#_b w < \#_b xa$ . From property 4.11(iii) we infer that  $wbc_{io\Gamma}xa$ . Since  $io\Gamma = io\Delta$ , we infer that  $b \in i\Delta$  and  $wbc_{io\Delta}xa$ .

Suppose that  $w \notin t(ptr \Delta)$ .

Using definition 4.70, "cbds", we infer that  $ptr\Gamma \cap dse\Gamma \subseteq ptr\Delta$ . Since  $w \in t(ptr\Gamma)$ , we conclude that  $w \notin t(dse\Gamma)$ . Now, using properties 4.40(i) and 4.40(ii), we derive that there (uniquely) exist traces u and v and symbol c such that w = ucv,  $u \in t(dse\Gamma)$ , and

Given such u, v, and c. Hence,  $ucvb \operatorname{c}_{io\Delta} xa$  and, using property 4.40(ii),  $uc \in t(ptr\Gamma)$  and  $u \in t(ptr\Gamma)$ .

Since  $\mathbf{a}\Gamma$  is bipartitioned into  $\mathbf{o}\Gamma$  and  $\mathbf{i}\Gamma$ , we distinguish:

case 0: $c \in o\Gamma$

```
    true
=     { uc \in t(ptr\Gamma) and property 4.6(i), using c \in o\Gamma }
    uc \in t(ptr\Gamma) \land uc c_{io\Gamma} u
⇒     { definition 4.36, "dse", using u \in t(dse\Gamma) and c \in o\Gamma }
    uc \in t(dse\Gamma)
```

case 1: $c \in i\Gamma$

First we derive:

```
    l(uc | i\Delta)
<     { b \in i\Delta }
    l(ucvb | i\Delta)
≤     { property 4.2, "composability", using ucvb c_{io\Delta} xa }
    l(xa | i\Delta)
=     { t = xay and y \in (o\Delta)^* }
    l(t | i\Delta)
```

Hence,  $l(uc \mid i\Delta) < l(t \mid i\Delta)$ . From property 4.7 (applied several times), using that  $ucvb \operatorname{c}_{io\Delta} xa$ , we derive that  $(E z : z \operatorname{prefix} xa : uc \operatorname{c}_{io\Delta} z)$ . Using  $xa \in t(dse\Delta)$  and property 4.40(ii), we conclude that  $(E z : z \in t(dse\Delta) : uc \operatorname{c}_{io\Delta} z)$ .

```
    true
=     { property 4.72, using u \in t(ptr\Gamma) and u \in t(dse\Gamma) }
    u \in t(cbds\Gamma)
⇒     { cbds\Gamma \subseteq ptr\Delta }
    u \in t(ptr\Delta)
=     { (E z: z \in t(dse\Delta): uc c_{io\Delta} z) }
    u \in t(ptr\Delta) \land (E z: z \in t(dse\Delta): uc c_{io\Delta} z)
⇒     { property 4.41, using c \in i\Gamma }
    uc \in t(ptr\Delta) \land (E z: z \in t(dse\Delta): uc c_{io\Delta} z)
⇒     { lemma 4.49 }
    uc \in t(dse\Delta)
⇒     { induction hypothesis, using l(uc | i\Delta) < l(t | i\Delta) }
    uc \in t(dse\Gamma)
```

We have proven that  $uc \in t(dse \Gamma)$ . This is in contradiction with (\*0).

Hence,  $w \in t(ptr \Delta)$ .

```
    true
=     { definition 4.36, "dse", using xa \in t(dse\Delta) and a \in i\Delta }
    (A r, d: r \in t(ptr\Delta) \land d \in i\Delta \land r c_{io\Delta} xa \land \#_d r < \#_d xa: rd \in t(ptr\Delta))
⇒     { w \in t(ptr\Delta), b \in i\Delta, and wb c_{io\Delta} xa }
    wb \in t(ptr\Delta)
⇒     { ptr\Delta \subseteq ptr\Gamma }
    wb \in t(ptr\Gamma)
```

Now we have proven that

 $(A w, b: w \in t(ptr\Gamma) \land b \in i\Gamma \land w \operatorname{c}_{io\Gamma} xa \land \#_b w < \#_b xa: wb \in t(ptr\Gamma)).$ 

From definition 4.36, "dse", using  $x \in t(dse\Gamma)$  and  $a \in i\Gamma$ , we derive that  $xa \in t(dse\Gamma)$ . From property 4.79, using  $io\Gamma = io\Delta$ ,  $ptr\Delta \subseteq ptr\Gamma$ ,  $xa \in t(dse\Gamma)$ ,  $y \in (o\Gamma)^*$ , and  $xay \in t(dse\Delta)$ , we derive that  $xay \in t(dse\Gamma)$ . Since t = xay, we conclude that  $t \in t(dse\Gamma)$ .

Hence, dse  $\Delta \subseteq$  dse  $\Gamma$ .

end of theorem

#### lemma 4.82 CBDS is idempotent

For component  $\Gamma$ ,

 $CBDS(CBDS\Gamma) = CBDS\Gamma$ 

## proof

Given component  $\Gamma$ . We notice that  $a(CBDS(CBDS\Gamma)) = a\Gamma$  and  $a(CBDS\Gamma) = a\Gamma$ .

```
    ptr(CBDS(CBDS\Gamma))
=     { theorem 4.74 }
    cbds(CBDS\Gamma)
=     { property 4.72 }
    ptr(CBDS\Gamma) \cap dse(CBDS\Gamma)
=     { theorem 4.80 }
    ptr(CBDS\Gamma) \cap dse\Gamma
=     { theorem 4.74 }
    cbds\Gamma \cap dse\Gamma
=     { property 4.72 }
    ptr\Gamma \cap dse\Gamma \cap dse\Gamma
=     { calculus }
    ptr\Gamma \cap dse\Gamma
=     { property 4.72 }
    cbds\Gamma
=     { theorem 4.74 }
    ptr(CBDS\Gamma)
```

end of lemma

#### lemma 4.84

For component  $\Gamma$ , no input comminst enables an input comminst in **CBDS**  $\Gamma$ .

proof

Given component  $\Gamma$ . Let trace t and symbols a and b be such that  $a \in i\Gamma$ ,  $b \in i\Gamma$ ,  $ta \in t(cbds\Gamma)$ , and  $tab \in t(cbds\Gamma)$ .

```
    true
=     { property 4.2, "composability", using a \in i\Gamma }
    tb c_{io\Gamma} tab
=     { t \in t(ptr\Gamma) and tab \in t(dse\Gamma), see property 4.72, using property 2.45(ii) }
    t \in t(ptr\Gamma) \land tb c_{io\Gamma} tab \land tab \in t(dse\Gamma)
⇒     { property 4.41, using b \in i\Gamma }
    tb \in t(ptr\Gamma) \land tb c_{io\Gamma} tab \land tab \in t(dse\Gamma)
⇒     { definition 4.70, "cbds" }
    tb \in t(cbds\Gamma)
```

Hence, no input comminst may enable an input comminst in CBDS  $\Gamma$ .

end of lemma

#### lemma 4.85

For component  $\Gamma,$  no output comminst disables an input comminst in  $\textbf{CBDS}\,\Gamma.$ 

proof

Given component  $\Gamma$ . Let trace t and symbols a and b be such that  $a \in i\Gamma$ ,  $b \in o\Gamma$ ,  $ta \in t(cbds\Gamma)$ , and  $tb \in t(cbds\Gamma)$ .

```
    true
=     { property 4.2, "composability", using b \in o\Gamma }
    tba c_{io\Gamma} ta
=     { tb \in t(ptr\Gamma) and ta \in t(dse\Gamma), see property 4.72 }
    tb \in t(ptr\Gamma) \land tba c_{io\Gamma} ta \land ta \in t(dse\Gamma)
⇒     { property 4.41, using a \in i\Gamma }
    tba \in t(ptr\Gamma) \land tba c_{io\Gamma} ta \land ta \in t(dse\Gamma)
⇒     { definition 4.70, "cbds" }
    tba \in t(cbds\Gamma)
```

Hence, no output comminst may disable an input comminst in CBDS  $\Gamma$ .

end of lemma

# A.5 Communicating delay-insensitively

In this section we present the proofs of the lemmas and theorems of chapter 5.

#### theorem 5.2 $\mathbf{C}_4$

For trace structure T and alphbip D,

$$(T,D) \in \mathbf{C}_4 = (T,D) \in \mathbf{D}_4 \land (\mathbf{A} s, a : s \in (\mathbf{a} T)^* \land a \in \mathbf{a} T : saa \notin \mathbf{t} T).$$

#### proof

Given trace structure T and alphbip D.

We first prove that

 $(T,D) \in \mathbb{C}_4 \Rightarrow (T,D) \in \mathbb{D}_4 \land (As, a: s \in (aT)^* \land a \in aT: saa \notin tT).$ 

Let  $(T,D) \in \mathbb{C}_4$ . From definition 5.1, " $\mathbb{C}_4$ ", we conclude that  $(T,D) \in \mathbb{D}_4$ . Let trace s and symbol a be such that  $s \in (aT)^*$  and  $a \in aT$ .

```
    true
=     { definition 5.1, "C_4", using (T,D) \in C_4, s \in (aT)^*, and a \in aT }
    (A t: t \in (aT)^* \land sata \in tT: l(t | opa(a, D)) > 0)
=     { predicate calculus }
    (A t: t \in (aT)^*: sata \notin tT \lor (l(t | opa(a, D)) > 0))
⇒     { instantiation, using \varepsilon \in (aT)^* }
    saa \notin tT \lor (l(\varepsilon | opa(a, D)) > 0)
⇒     { definition 1.13, "projection of trace" }
    saa \notin tT
```

Hence,  $(T,D) \in \mathbb{C}_4 \Rightarrow ((T,D) \in \mathbb{D}_4 \land (A_{s,a} : s \in (aT)^* \land a \in aT : saa \notin tT)).$ 

We now prove that  $((T,D) \in \mathbf{D}_4 \land (\mathbf{A} s, a: s \in (\mathbf{a}T)^* \land a \in \mathbf{a}T: saa \notin \mathbf{t}T)) \Rightarrow (T,D) \in \mathbf{C}_4$ . Let  $(T,D) \in \mathbf{D}_4$  and  $(\mathbf{A} z, c : z \in (\mathbf{a}T)^* \land c \in \mathbf{a}T : zcc \notin \mathbf{t}T)$ . Let traces s and t, and symbol a be such that  $s \in (aT)^*$ ,  $t \in (aT)^*$ ,  $a \in aT$ , and  $sata \in tT$ . Now,  $saa \notin tT$ . Let iobip F be such that  $oF = spa(a, D)$  and  $iF = opa(a, D)$ ; hence,  $aT = oF \cup iF$ ,  $a \in oF$ ,  $D = oF \oplus iF$ , and  $s \in (aF)^*$ .

```
    true
=     { property 4.6(i), using s \in (aF)^* and a \in aF }
    t \in (oF)^* \Rightarrow sat c_F sa
=     { example 4.60, using s \in (aF)^* and a \in aF }
    t \in (oF)^* \Rightarrow sata c_F saa
=     { t \in (aT)^*, aT = oF \cup iF, and oF \cap iF = \emptyset }
    (l(t | iF) = 0) \Rightarrow sata c_F saa
=     { iF = opa(a, D) }
    (l(t | opa(a, D)) = 0) \Rightarrow sata c_F saa
=     { property 4.6(i), using a \in oF }
    (l(t | opa(a, D)) = 0) \Rightarrow (sata c_F saa \land saa c_F s)
⇒     { definition 4.16, "D_4", using (T,D) \in D_4, D = oF \oplus iF, and saa \notin tT }
    (l(t | opa(a, D)) = 0) \Rightarrow (sata \notin tT \lor s \notin tT)
=     { tT is prefix-closed, since (T,D) \in D_4, see definition 4.16, "D_4" }
    (l(t | opa(a, D)) = 0) \Rightarrow sata \notin tT
=     { predicate calculus, using sata \in tT }
    l(t | opa(a, D)) > 0
```

Hence,  $((T,D) \in \mathbf{D}_4 \land (\mathbf{A} s, a : s \in (\mathbf{a} T)^* \land a \in \mathbf{a} T : saa \notin \mathbf{t} T)) \Rightarrow (T,D) \in \mathbf{C}_4$ .

end of theorem

For di-initializable component  $\Gamma$ ,

```
(At, u: t \in t(ptr\Gamma) \land tc_{io\Gamma} u \land u \in t(die\Gamma): t \in t(ptr(DSENTIH\Gamma))).
```

## proof

Given di-initializable component  $\Gamma$ . Let traces t and u be such that  $t \in t(ptr\Gamma)$ ,  $t \operatorname{c}_{io\Gamma} u$ , and  $u \in t(die\Gamma)$ .

Suppose  $t \notin t(ptr(DSENTIH\Gamma))$ .

From property 4.40 we derive that there exist a trace v and a symbol b such that  $v \in (a\Gamma)^*$ ,  $b \in a\Gamma$ ,  $vb \operatorname{prefix} t$ ,  $v \in t(ptr(DSENTIH\Gamma))$ , and  $vb \notin t(ptr(DSENTIH\Gamma))$ . Given such v and b. Now, using  $t \operatorname{c}_{io\Gamma} u$ , we derive from property 4.7 that there exists a trace w such that  $w \operatorname{prefix} u$  and  $vb \operatorname{c}_{io\Gamma} w$ . Given such w. We first derive that  $b \in o\Gamma$ .

```
    true
=     { u \in t(die\Gamma) }
    u \in t(die\Gamma)
=     { definition 5.14, "die" }
    u \in t(dse(DSENTIH\Gamma))
⇒     { property 4.40(ii), using w prefix u }
    w \in t(dse(DSENTIH\Gamma))
⇒     { property 4.41, using v \in t(ptr(DSENTIH\Gamma)), vb c_{io\Gamma} w, and vb \notin t(ptr(DSENTIH\Gamma)) }
    b \notin i\Gamma
⇒     { b \in a\Gamma and a\Gamma = o\Gamma \cup i\Gamma }
    b \in o\Gamma
```

We have derived that  $b \in o \Gamma$ .

```
    true
=     { definition 5.11, "DSENTIH", using v \in t(ptr(DSENTIH\Gamma)) }
    v \in t(dse\Gamma)
=     { property 2.34(ii), using t \in t(ptr\Gamma) and vb prefix t }
    vb \in t(ptr\Gamma) \land v \in t(dse\Gamma)
⇒     { definition 4.36, "dse", using b \in o\Gamma and vb c_{io\Gamma} v, see property 4.6(i) }
    vb \in t(dse\Gamma)
=     { vb \notin t(ptr(DSENTIH\Gamma)) }
    vb \in t(dse\Gamma) \land vb \notin t(ptr(DSENTIH\Gamma))
⇒     { definition 5.11, "DSENTIH", and definition 1.34, "redts", using b \in o\Gamma }
    v \notin t(ptr(DSENTIH\Gamma))
=     { v \in t(ptr(DSENTIH\Gamma)) }
    false
```

This is a contradiction.

Hence,  $t \in t(ptr(DSENTIH \Gamma))$ .

end of lemma

#### lemma 5.17

For di-initializable component $\Gamma$,

$\mathbf{die}\,\Gamma \subseteq \mathbf{dse}\,\Gamma$.

#### proof

Given di-initializable component $\Gamma$. Let trace $t$ be such that $t \in \mathbf{t}(\mathbf{die}\,\Gamma)$. We prove that $t \in \mathbf{t}(\mathbf{dse}\,\Gamma)$ by induction on the length of $t$.

#### induction hypothesis

$(\mathbf{A}\, u : u \in \mathbf{t}(\mathbf{die}\,\Gamma) \land \ell u < \ell t : u \in \mathbf{t}(\mathbf{dse}\,\Gamma))$

#### base: $\ell t = 0$

Hence $t = \varepsilon$. From property 4.40(i) we infer that $\varepsilon \in \mathbf{t}(\mathbf{dse}\,\Gamma)$.

#### step: $\ell t > 0$

Let $t = xa$ for trace $x$ and symbol $a$; hence, $x \in (\mathbf{a}\Gamma)^*$, $a \in \mathbf{a}\Gamma$, $\ell x < \ell t$, and $xa \in \mathbf{t}(\mathbf{die}\,\Gamma)$.

Since $\mathbf{a}\Gamma$ is bipartitioned into $\mathbf{o}\Gamma$ and $\mathbf{i}\Gamma$, we distinguish:

case 0: $a \in \mathbf{o}\Gamma$

```
true
=    { xa ∈ t(die Γ) and property 5.15(ii) }
     x ∈ t(die Γ) ∧ xa ∈ t(die Γ)
=    { induction hypothesis, using ℓx < ℓt }
     x ∈ t(dse Γ) ∧ xa ∈ t(die Γ)
=    { definition 5.14, "die", and definition 4.36, "dse" }
     x ∈ t(dse Γ) ∧ (E s : s ∈ t(ptr(DSENTIH Γ)) ∧ s c_{ioΓ} x : #_a s > #_a x)
=    { property 4.11(i), using x ∈ (aΓ)* }
     x ∈ t(dse Γ) ∧ (E s : s ∈ t(ptr(DSENTIH Γ)) : s c_{ioΓ} xa)
⇒    { definition 5.11, "DSENTIH" }
     x ∈ t(dse Γ) ∧ (E s : s ∈ t(dse Γ) : s c_{ioΓ} xa)
=    { lemma 4.43 }
     x ∈ t(dse Γ) ∧ (E r, s : r ∈ t(ptr Γ) ∧ s ∈ t(dse Γ) : r c_{ioΓ} s ∧ s c_{ioΓ} xa)
⇒    { property 4.10, "transitivity of composability" }
     x ∈ t(dse Γ) ∧ (E r : r ∈ t(ptr Γ) : r c_{ioΓ} xa)
=    { property 4.11(i), using x ∈ (aΓ)* }
     x ∈ t(dse Γ) ∧ (E r : r ∈ t(ptr Γ) ∧ r c_{ioΓ} x : #_a r > #_a x)
=    { definition 4.36, "dse", using a ∈ oΓ }
     xa ∈ t(dse Γ)
```

case 1: $a \in \mathbf{i}\Gamma$

Suppose there exist trace $s$ and symbol $b$ such that $s \in \mathbf{t}(\mathbf{ptr}\,\Gamma)$, $b \in \mathbf{i}\Gamma$, $s\,\mathbf{c}_{\mathbf{io}\Gamma}\,xa$, and $\#_b s < \#_b xa$. We first prove that $sb \in \mathbf{t}(\mathbf{ptr}\,\Gamma)$.

```
true
=    { lemma 5.16, using s ∈ t(ptr Γ), s c_{ioΓ} xa, and xa ∈ t(die Γ) }
     s ∈ t(ptr(DSENTIH Γ))
=    { definition 4.36, "dse", using xa ∈ t(dse(DSENTIH Γ)), a ∈ iΓ,
       s ∈ t(ptr Γ), b ∈ iΓ, s c_{ioΓ} xa, and #_b s < #_b xa }
     sb ∈ t(ptr(DSENTIH Γ))
⇒    { definition 5.11, "DSENTIH" }
     sb ∈ t(dse Γ)
=    { property 4.5(i) and property 4.11(iii), using b ∈ iΓ }
     sb ∈ t(dse Γ) ∧ s c_{ioΓ} sb ∧ #_b s < #_b sb
⇒    { definition 4.36, "dse", using s ∈ t(ptr Γ) and b ∈ iΓ }
     sb ∈ t(ptr Γ)
```

We have proven that

$(\mathbf{A}\, s, b : s \in \mathbf{t}(\mathbf{ptr}\,\Gamma) \land b \in \mathbf{i}\Gamma \land s\,\mathbf{c}_{\mathbf{io}\Gamma}\,xa \land \#_b s < \#_b xa : sb \in \mathbf{t}(\mathbf{ptr}\,\Gamma))$. (*)

```
true
=    { induction hypothesis, using ℓx < ℓt }
     x ∈ t(dse Γ)
=    { definition 4.36, "dse", using a ∈ iΓ and (*) }
     xa ∈ t(dse Γ)
```

From $t = xa$ we conclude that $t \in \mathbf{t}(\mathbf{dse}\,\Gamma)$.

end of lemma

#### lemma 5.19

For di-initializable component $\Gamma$,

$\mathbf{die}\,\Gamma \subseteq \mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma)$.

#### proof

Given di-initializable component $\Gamma$. Let trace $t$ be such that $t \in \mathbf{t}(\mathbf{die}\,\Gamma)$.

Suppose $t \notin \mathbf{t}(\mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma))$.

```
true
=    { lemma 5.17, using t ∈ t(die Γ) }
     t ∈ t(dse Γ)
=    { definition 5.11, "DSENTIH", using t ∉ t(ptr(DSENTIH Γ)) }
     (E u : u ∈ (oΓ)* : tu ∈ tih Γ)
```

Given such a trace $u$; hence, $u \in (\mathbf{o}\Gamma)^*$ and $tu \in \mathbf{tih}\,\Gamma$. From property 1.35 we conclude that there exist a trace $x$ and a symbol $a$ such that $x \in (\mathbf{a}\Gamma)^*$, $a \in \mathbf{i}\Gamma$, $xa\ \mathbf{prefix}\ tu$, $x \in \mathbf{t}(\mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma))$, and $xa \notin \mathbf{t}(\mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma))$. Given such $x$ and $a$. Since $a \in \mathbf{i}\Gamma$ and $u \in (\mathbf{o}\Gamma)^*$, we infer $xa\ \mathbf{prefix}\ t$. From property 5.15(ii) and $t \in \mathbf{t}(\mathbf{die}\,\Gamma)$, we conclude that $xa \in \mathbf{t}(\mathbf{dse}(\mathrm{DSENTIH}\,\Gamma))$.

```
true
=    { property 4.5(i) and property 4.11(iii), using x ∈ (aΓ)* and a ∈ iΓ }
     x c_{ioΓ} xa ∧ #_a x < #_a xa
⇒    { definition 4.36, "dse", using xa ∈ t(dse(DSENTIH Γ)),
       x ∈ t(ptr(DSENTIH Γ)), and a ∈ iΓ }
     xa ∈ t(ptr(DSENTIH Γ))
=    { xa ∉ t(ptr(DSENTIH Γ)) }
     false
```

This is a contradiction.

Hence, $t \in \mathbf{t}(\mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma))$.

end of lemma

#### lemma 5.20

For di-initializable component $\Gamma$,

$(\mathbf{die}\,\Gamma, \mathbf{ab}\,\Gamma) \in \mathbf{C}_4$.

#### proof

Given di-initializable component $\Gamma$. From lemma 4.51 we derive that $(\mathbf{die}\,\Gamma, \mathbf{ab}\,\Gamma) \in \mathbf{D}_4$.

Suppose $(\mathbf{E}\, t, a : t \in (\mathbf{a}\Gamma)^* \land a \in \mathbf{a}\Gamma : taa \in \mathbf{t}(\mathbf{die}\,\Gamma))$.

Given such a trace $t$ and such a symbol $a$; hence, $t \in (\mathbf{a}\Gamma)^*$, $a \in \mathbf{a}\Gamma$, and $taa \in \mathbf{t}(\mathbf{die}\,\Gamma)$. We conclude from definition 5.14, "die", that $taa \in \mathbf{t}(\mathbf{dse}(\mathrm{DSENTIH}\,\Gamma))$.

```
true
=    { lemma 5.19, using taa ∈ t(die Γ) }
     taa ∈ t(ptr(DSENTIH Γ))
=    { definition 5.11, "DSENTIH" }
     taa ∈ redts(dse Γ, iΓ, tih Γ)
⇒    { definition 1.34, "redts" }
     taa ∈ t(dse Γ) ∧ taa ∉ tih Γ
=    { definition 5.10, "tih" }
     false
```

This is a contradiction.

Hence, $(\mathbf{A}\, t, a : t \in (\mathbf{a}\Gamma)^* \land a \in \mathbf{a}\Gamma : taa \notin \mathbf{t}(\mathbf{die}\,\Gamma))$. Using $(\mathbf{die}\,\Gamma, \mathbf{ab}\,\Gamma) \in \mathbf{D}_4$ we conclude from theorem 5.2, "$\mathbf{C}_4$", that $(\mathbf{die}\,\Gamma, \mathbf{ab}\,\Gamma) \in \mathbf{C}_4$.

end of lemma

#### theorem 5.24 delay-insensitive enclosure

For di-initializable component $\Gamma$,

$\mathbf{ptr}(\mathrm{DIE}\,\Gamma) = \mathbf{die}\,\Gamma$.

#### proof

Given di-initializable component $\Gamma$. Let component $\Gamma'$ be such that $\mathbf{io}\,\Gamma' = \mathbf{io}\,\Gamma$ and $\mathbf{ptr}\,\Gamma' = \mathbf{die}\,\Gamma$. We first prove that $\Gamma'$ satisfies (i) through (iv) in definition 5.9, "delay-insensitive enclosure".

From property 5.21 and property 5.22 we infer that $\Gamma\ \mathrm{NCIHDS}\ \overline{\Gamma'}$. From property 5.18 we conclude that $(\mathbf{A}\, a, t : a \in \mathbf{o}\Gamma \land ta \in \mathbf{t}(\mathbf{ptr}\,\Gamma') : (\mathbf{E}\, s : s \in \mathbf{t}(\mathbf{ptr}\,\Gamma) : s\,\mathbf{c}_{\mathbf{io}\Gamma}\,ta))$. From lemma 5.20 we conclude that $(\mathbf{ptr}\,\Gamma', \mathbf{ab}\,\Gamma) \in \mathbf{C}_4$.

We now show the maximality of $\mathbf{die}\,\Gamma$ by proving that if a component $\Delta$ satisfies (i) through (iv) in definition 5.9, "delay-insensitive enclosure", then $\mathbf{ptr}\,\Delta \subseteq \mathbf{die}\,\Gamma$. Let component $\Delta$ be such that $\mathbf{io}\,\Delta = \mathbf{io}\,\Gamma$, $\Gamma\ \mathrm{NCIHDS}\ \overline{\Delta}$, $(\mathbf{A}\, a, t : a \in \mathbf{o}\Gamma \land ta \in \mathbf{t}(\mathbf{ptr}\,\Delta) : (\mathbf{E}\, s : s \in \mathbf{t}(\mathbf{ptr}\,\Gamma) : s\,\mathbf{c}_{\mathbf{io}\Gamma}\,ta))$, and $(\mathbf{ptr}\,\Delta, \mathbf{ab}\,\Gamma) \in \mathbf{C}_4$.

Suppose $(\mathbf{E}\, t : t \in \mathbf{t}(\mathbf{ptr}\,\Delta) : t \notin \mathbf{t}(\mathbf{die}\,\Gamma))$.

Given such a trace $t$. From property 2.34(ii) and property 5.15(i) it follows that $(\mathbf{E}\, x, a : x \in (\mathbf{a}\Gamma)^* \land a \in \mathbf{a}\Gamma \land xa\ \mathbf{prefix}\ t : x \in \mathbf{t}(\mathbf{die}\,\Gamma) \land xa \notin \mathbf{t}(\mathbf{die}\,\Gamma))$. Given such a trace $x$ and such a symbol $a$.

From definition 4.34, "delay-safe enclosure", we infer that $\mathbf{ptr}\,\Delta \subseteq \mathbf{dse}\,\Gamma$. Hence, $xa \in \mathbf{t}(\mathbf{dse}\,\Gamma)$. From lemma 5.19 we infer that $x \in \mathbf{t}(\mathbf{ptr}(\mathrm{DSENTIH}\,\Gamma))$. Now, we conclude from definition 5.11, "DSENTIH", and definition 1.34, "redts", that $a \in \mathbf{i}\Gamma$ and, furthermore, using property 5.18, $(\mathbf{E}\, y : y \in (\mathbf{a}\Gamma)^* : x = ya)$ or $(\mathbf{E}\, z, b : z \in (\mathbf{o}\Gamma)^* \land b \in \mathbf{o}\Gamma : xazbb \in \mathbf{t}(\mathbf{dse}\,\Gamma))$.

case 0: $(\mathbf{E}\, y : y \in (\mathbf{a}\Gamma)^* : x = ya)$

Given such a trace $y$. Now, $xa = yaa$. Since $xa \in \mathbf{t}(\mathbf{ptr}\,\Delta)$, we conclude from theorem 5.2, "$\mathbf{C}_4$", that $(\mathbf{ptr}\,\Delta, \mathbf{ab}\,\Gamma) \notin \mathbf{C}_4$.

case 1: $(\mathbf{E}\, z, b : z \in (\mathbf{o}\Gamma)^* \land b \in \mathbf{o}\Gamma : xazbb \in \mathbf{t}(\mathbf{dse}\,\Gamma))$

Given such a trace $z$ and such a symbol $b$. Using $xazbb \in \mathbf{t}(\mathbf{dse}\,\Gamma)$ we conclude from lemma 4.43 that $(\mathbf{E}\, w : w \in \mathbf{t}(\mathbf{ptr}\,\Gamma) : w\,\mathbf{c}_{\mathbf{io}\Gamma}\,xazbb)$. Using $z \in (\mathbf{o}\Gamma)^*$, $b \in \mathbf{o}\Gamma$, $xa \in \mathbf{t}(\mathbf{ptr}\,\Delta)$, and $\Gamma\ \mathrm{NCIHDS}\ \overline{\Delta}$, we conclude that $xazbb \in \mathbf{t}(\mathbf{ptr}\,\Delta)$. From theorem 5.2, "$\mathbf{C}_4$", it follows that $(\mathbf{ptr}\,\Delta, \mathbf{ab}\,\Gamma) \notin \mathbf{C}_4$.

We conclude that $(\mathbf{ptr}\,\Delta, \mathbf{ab}\,\Gamma) \notin \mathbf{C}_4$. This is a contradiction.

Hence, $\mathbf{ptr}\,\Delta \subseteq \mathbf{die}\,\Gamma$. As a consequence, the maximum in property 4.11(i) exists and $\mathbf{die}\,\Gamma$ is maximal.

end of theorem

#### lemma

For di-initializable component $\Gamma$,

$(\mathbf{A}\, t, u : t \in \mathbf{t}(\mathbf{ptr}\,\Gamma) \land t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u \land u \in \mathbf{t}(\mathbf{die}\,\Gamma) : t \in \mathbf{t}(\mathbf{die}\,\Gamma))$.

#### proof

Given di-initializable component $\Gamma$ and trace $t$ such that $t \in \mathbf{t}(\mathbf{ptr}\,\Gamma)$. We distinguish two cases:

case 0: $\neg(\mathbf{E}\, u : t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u : u \in \mathbf{t}(\mathbf{die}\,\Gamma))$

Since the universal quantification over an empty domain holds, we are done.

case 1: $(\mathbf{E}\, u : t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u : u \in \mathbf{t}(\mathbf{die}\,\Gamma))$

Given such a trace $u$; hence, $t\,\mathbf{c}_{\mathbf{io}\Gamma}\,u$ and $u \in \mathbf{t}(\mathbf{die}\,\Gamma)$.

```
true
=    { lemma 5.16, using t ∈ t(ptr Γ), t c_{ioΓ} u, and u ∈ t(die Γ) }
     t ∈ t(ptr(DSENTIH Γ))
=    { definition 5.14, "die", using u ∈ t(die Γ) }
     t ∈ t(ptr(DSENTIH Γ)) ∧ u ∈ t(dse(DSENTIH Γ))
⇒    { lemma 4.49 }
     t ∈ t(dse(DSENTIH Γ))
=    { definition 5.14, "die" }
     t ∈ t(die Γ)
```

end of lemma

#### theorem 5.34

For di-initializable components $\Gamma$ and $\Delta$ such that $\mathbf{io}\,\Gamma = \mathbf{io}\,\Delta$, $\mathbf{cbds}\,\Gamma \subseteq \mathbf{ptr}\,\Delta$, and $\mathbf{ptr}\,\Delta \subseteq \mathbf{ptr}\,\Gamma$,

$\mathbf{die}\,\Gamma = \mathbf{die}\,\Delta$.

#### proof

Given di-initializable components $\Gamma$ and $\Delta$ such that $\mathbf{io}\,\Gamma = \mathbf{io}\,\Delta$, $\mathbf{cbds}\,\Gamma \subseteq \mathbf{ptr}\,\Delta$, and $\mathbf{ptr}\,\Delta \subseteq \mathbf{ptr}\,\Gamma$. From theorem 4.80 we infer that $\mathbf{dse}\,\Gamma = \mathbf{dse}\,\Delta$.

```
true
=    { definition 5.10, "tih", using io Γ = io Δ and dse Γ = dse Δ }
     tih Γ = tih Δ
⇒    { definition 5.11, "DSENTIH", using io Γ = io Δ and dse Γ = dse Δ }
     DSENTIH Γ = DSENTIH Δ
⇒    { definition 5.14, "die" }
     die Γ = die Δ
```

end of theorem

#### theorem 5.44

For di-initializable component $\Gamma$,

$\mathbf{cbdi}\,\Gamma = \mathbf{cbds}\,\Gamma \cap \mathbf{die}\,\Gamma$.

#### proof

Given di-initializable component $\Gamma$.

```
     cbdi Γ
=    { property 5.43 }
     ptr Γ ∩ die Γ
=    { lemma 5.17 }
     ptr Γ ∩ dse Γ ∩ die Γ
=    { property 4.72 }
     cbds Γ ∩ die Γ
```

end of theorem


#### theorem 5.48 maximal communication behavior for delay-insensitive communication

For di-initializable component $\Gamma$,

$\mathbf{ptr}(\mathrm{CBDI}\,\Gamma) = \mathbf{cbdi}\,\Gamma$.

#### proof

Given di-initializable component $\Gamma$. From property 5.43 we derive that $\mathbf{cbdi}\,\Gamma \subseteq \mathbf{ptr}\,\Gamma$. From definition 5.41, "cbdi", we derive that $(\mathbf{A}\, a, s : a \in \mathbf{i}\Gamma \land sa \in \mathbf{t}(\mathbf{cbdi}\,\Gamma) : (\mathbf{E}\, t : t \in \mathbf{t}(\mathbf{die}\,\Gamma) : sa\,\mathbf{c}_{\mathbf{io}\Gamma}\,t))$.

We now have to prove that $\mathbf{cbdi}\,\Gamma$ is maximal. Let trace $s$ and symbol $a$ be such that $s \in \mathbf{t}(\mathbf{cbdi}\,\Gamma)$, $sa \in \mathbf{t}(\mathbf{ptr}\,\Gamma)$, and $a \in \mathbf{i}\Gamma \Rightarrow (\mathbf{E}\, t : t \in \mathbf{t}(\mathbf{die}\,\Gamma) : sa\,\mathbf{c}_{\mathbf{io}\Gamma}\,t)$. We prove that $sa \in \mathbf{t}(\mathbf{cbdi}\,\Gamma)$.

Since $\mathbf{a}\Gamma$ is bipartitioned into $\mathbf{o}\Gamma$ and $\mathbf{i}\Gamma$, we distinguish:

case 0: $a \in \mathbf{o}\Gamma$

```
true
=    { property 5.43, using s ∈ t(cbdi Γ) }
     s ∈ t(die Γ)
=    { property 4.6(i), using a ∈ oΓ }
     sa c_{ioΓ} s ∧ s ∈ t(die Γ)
⇒    { lemma 5.16, using sa ∈ t(ptr Γ) }
     sa c_{ioΓ} s ∧ sa ∈ t(ptr(DSENTIH Γ))
⇒    { definition 4.36, "dse", using a ∈ oΓ }
     sa ∈ t(dse(DSENTIH Γ))
=    { definition 5.14, "die" }
     sa ∈ t(die Γ)
=    { property 5.43, using sa ∈ t(ptr Γ) }
     sa ∈ t(cbdi Γ)
```

case 1: $a \in \mathbf{i}\Gamma$

```
true
=    { (E t : t ∈ t(die Γ) : sa c_{ioΓ} t), since a ∈ iΓ }
     (E t : t ∈ t(die Γ) : sa c_{ioΓ} t)
=    { definition 5.41, "cbdi", using sa ∈ t(ptr Γ) }
     sa ∈ t(cbdi Γ)
```

end of theorem

Appendix A: Proofs


# [Yoeli 87]

Michael Yoeli

Specification and Verification of Asynchronous Circuits Using Marked Graphs

in: Concurrency and Nets, Advances in Petri Nets; ed. by H.J. Genrich and G. Rozenberg

Berlin: Springer, 1987

# **Glossary of symbols and operators**

| Symbol | Meaning |
|---|---|
| $\emptyset$ | empty set |
| \$ | end of trace marker in (general) composability diagram |
| $\Gamma_{\phi}$ | strict partial order of comminstorder (or: commsigorder) $\phi$ |
| $\overline{\Gamma}$ | reflection of component $\Gamma$ |
| $\overline{\Phi}$ | reflection of iodir $\Phi$ |
| $A^*$ | Kleene-closure of set $A$ |
| $\neg x$ | negation: not $x$ |
| $\#_a t$ | the number of occurrences of symbol $a$ in trace $t$ |
| $x = y$ | equality: $x$ equals $y$ |
| $x \neq y$ | inequality: $x$ differs from $y$ |
| $x \land y$ | conjunction: $x$ and $y$ |
| $x \lor y$ | disjunction: $x$ or $y$ |
| $x \Rightarrow y$ | implication: $x$ implies $y$ |
| $[\varepsilon]$ | initial state |
| $[t]$ | state to which trace $t$ corresponds |
| $\langle a! \rangle$ | allowed transition $a$ (possibly leaving a lazy state) |
| $\langle A, S \rangle$ | trace structure with alphabet $A$ and trace set $S$ |
| $(\alpha, i, \beta)$ | $i$-th commsig with output commport $\alpha$ and input commport $\beta$ |
| $\{a, b\}$ | set with elements $a$ and $b$ |
| $\{l : R : e\}$ | quantification denoting a set |
| $S \upharpoonright A$ | projection of trace set (or: trace structure) $S$ on alphabet $A$ |
| $s \upharpoonright A$ | projection of trace $s$ on alphabet $A$ |
| $\phi \mid A$ | restriction of comminstorder (or: commsigorder) $\phi$ to initial set of comminsts (or: commsigs) $A$ |
| $a \in A$ | member: $a$ is an element of set $A$ |
| $a \notin A$ | nonmember: $a$ is not an element of set $A$ |
| $A \subset B$ | set $A$ is a proper subset of set $B$ |
| $T \subset U$ | trace structure $T$ is properly included in trace structure $U$ |
| $A \subseteq B$ | set $A$ is a subset of set $B$ |
| $T \subseteq U$ | trace structure $T$ is included in trace structure $U$ |
| $P \cap Q$ | intersection of sets (or: trace structures) $P$ and $Q$ |
| $P \cup Q$ | union of sets (or: trace structures) $P$ and $Q$ |
| $A \oplus B$ | alphbip consisting of disjoint alphabets $A$ and $B$ |
| $A \div B$ | symmetric set difference of sets $A$ and $B$ |
| $A \downarrow B$ | asymmetric set difference: $A$ minus $B$ |
| $t\,\mathbf{c}_F\,u$ | trace $t$ is composable under iobip $F$ with trace $u$ |
| $t\,\mathbf{g}_F\,u$ | trace $t$ is generally composable under iobip $F$ with trace $u$ |
| $\Lambda_{\phi}$ | set of comminsts (or: commsigs) of comminstorder (or: commsigorder) $\phi$ |
| $\Xi', \Xi''$ | disjoint sets of input commports of opdir $\Xi$ |
| $\Phi^i$ | set of input commports of iodir $\Phi$ |
| $\Phi^o$ | set of output commports of iodir $\Phi$ |
| $\Psi$ | set of all commports |
| $\Psi^i$ | set of all input commports |
| $\Psi^i_{\Delta}$ | set of input commports of module $\Delta$ |
| $\Psi^{ic}$ | set of all indirectly connected commports |
| $\Psi^o$ | set of all output commports |
| $\Psi^o_{\Delta}$ | set of output commports of module $\Delta$ |
| $\Omega$ | universe: set of all symbols used in trace theory |
| $\varepsilon$ | empty trace |
| $(\mathbf{A}\,l : R : E)$ | universal quantification |
| $\mathbf{C}_4$ | class of "trace structure" – alphbip pairs related to delay-insensitivity |
| $\mathbf{CB}\,\Delta$ | communication behavior of module $\Delta$ |
| $\mathbf{CBDI}\,\Gamma$ | component: maximal communication behavior of $\Gamma$ |
| $\mathbf{CBDS}\,\Gamma$ | component: maximal communication behavior of $\Gamma$ |
| $\mathbf{CBNTIHI}_A\,\Gamma$ | component: reduction of $\Gamma$ by $\mathrm{tihi}_A\,\Gamma$ |
| $\mathbf{CM}\,\Pi$ | communication in interconnection $\Pi$ |
| $\Gamma\,\mathbf{COMPNCIH}_I\,\Delta$ | composite of $\Gamma$ and $\Delta$ without computation interference hazard |
| $\Gamma\,\mathbf{COMPNCTIH}_I\,\Delta$ | composite of $\Gamma$ and $\Delta$ without computation and transmission interference hazard |
| $D$ | alphabet associated with the directly connected commports |
| $\mathbf{D}_4$ | class of "trace structure" – alphbip pairs related to delay-safety |
| $\mathbf{DIE}\,\Gamma$ | component: delay-insensitive enclosure of component $\Gamma$ |
| $\mathbf{DSC}\,\Theta$ | channel: delay-safe closure of channel $\Theta$ |
| $\mathbf{DSE}\,\Gamma$ | component: delay-safe enclosure of component $\Gamma$ |
| $(\mathbf{E}\,l : R : E)$ | existential quantification |
| $I$ | state mark: interference indicator |
| $I$ | alphabet associated with the indirectly connected commports |
| $\mathbf{IO}\,\Delta$ | iodir of module $\Delta$ |
| $L$ | lazy state mark |
| $\alpha\,\mathbf{MATCH}\,\beta$ | output commport $\alpha$ is connected to input commport $\beta$ |
| $\mathbb{N}$ | set of natural numbers (including 0) |
| $\mathbb{N}^+$ | set of positive natural numbers |
| $\Gamma\,\mathbf{NICIH}_I\,\Delta$ | components $\Gamma$ and $\Delta$ have no computation interference hazard |
| $\Gamma\,\mathbf{NICTIH}_I\,\Delta$ | $\Gamma$ and $\Delta$ have neither computation nor transmission interference hazard |
| $\mathbf{OP}\,\Pi$ | opdir of interconnection $\Pi$ |
| $\mathbf{REDOC}\,\phi$ | comminstorder: reduction of comminstorder $\phi$ |
| $\mathrm{a}\Gamma, \mathrm{a}\Theta, \mathrm{a}\Xi, \mathrm{a}\Phi$ | alphabet of component $\Gamma$, channel $\Theta$, opdir $\Xi$, or iodir $\Phi$ |
| $\mathrm{a}D, \mathrm{a}F, \mathrm{a}T$ | alphabet of alphbip $D$, iobip $F$, or trace structure $T$ |
| $\mathrm{ab}\Gamma, \mathrm{ab}\Theta, \mathrm{ab}\Xi$ | alphbip of component $\Gamma$, channel $\Theta$, or opdir $\Xi$ |
| $T\,\mathbf{b}\,U$ | blend of trace structures $T$ and $U$ |
| $\mathrm{bag}\,s$ | bag of trace $s$ |
| $\mathrm{cbdi}\,\Gamma$ | trace structure of component $\mathbf{CBDI}\,\Gamma$ |
| $\mathrm{cbds}\,\Gamma$ | trace structure of component $\mathbf{CBDS}\,\Gamma$ |
| $\mathrm{cihi}_I(\Gamma, \Delta)$ | trace set associated with computation interference hazard at $\Delta$ |
| $\mathrm{die}\,\Gamma$ | trace structure of component $\mathbf{DIE}\,\Gamma$ |
| $\mathrm{dsc}\,\Theta$ | mathematical closure within $\mathbf{D}_4$ of channel (or: component) $\Theta$ |
| $\mathrm{dse}\,\Gamma$ | trace structure of component $\mathbf{DSE}\,\Gamma$ |
| $\Gamma\,\mathrm{extcomncih}_I\,\Delta$ | trace structure of component $\Gamma\,\mathbf{COMPNCIH}_I\,\Delta$ |
| $\mathrm{extinp}(\Gamma, \Delta)$ | alphabet associated with the external inputs of the composite |
| $\mathrm{extoutp}(\Gamma, \Delta)$ | alphabet associated with the external outputs of the composite |
| $\mathrm{i}\Gamma, \mathrm{i}\Phi, \mathrm{i}F$ | input alphabet of component $\Gamma$, iodir $\Phi$, or iobip $F$ |
| $\mathrm{io}\Gamma, \mathrm{io}\Phi$ | iobip of component $\Gamma$, or iodir $\Phi$ |
| $\mathrm{l}\,s$ | length of trace $s$ |
| $\mathrm{o}\Gamma, \mathrm{o}\Phi, \mathrm{o}F$ | output alphabet of component $\Gamma$, iodir $\Phi$, or iobip $F$ |
| $\mathrm{opa}(a, D)$ | alphabet: part of alphbip $D$ that does not contain symbol $a$ |
| $\mathbf{pref}\,S$ | prefix-closure of trace set (or: trace structure) $S$ |
| $s\,\mathbf{prefix}\,t$ | trace $s$ is a prefix of trace $t$ |
| $\mathrm{ptr}\,\Gamma$ | trace structure: communication behavior of component $\Gamma$ |
| $\mathrm{ptr}\,\Theta$ | trace structure: communication of channel $\Theta$ |
| $\mathrm{redts}(T, A, S)$ | trace structure (reduction of trace structure $T$) |
| $\mathrm{spa}(a, D)$ | alphabet: part of alphbip $D$ that contains symbol $a$ |
| $\mathrm{t}T$ | trace set of trace structure $T$ |
| $\mathrm{tihi}_A\,\Gamma$ | trace set associated with transmission interference hazard |
| $\Gamma\,\mathrm{totcom}_I\,\Delta$ | trace structure: combination of the trace structures of $\Gamma$ and $\Delta$ when these are composed under $I$ |
| $\Gamma\,\mathrm{totcomncih}_I\,\Delta$ | trace structure: reduction of $\Gamma\,\mathrm{totcom}_I\,\Delta$ |
| $T\,\mathbf{w}\,U$ | weave of trace structures $T$ and $U$ |

# Subject index

- accept, 36, 40, 51, 82
- alphabet, 14
  - alphabet of alphbip, 22
  - alphabet of channel, 59
  - alphabet of component, 52
  - alphabet of iobip, 22
  - alphabet of iodir, 50
  - alphabet of opdir, 50
  - alphabet of trace structure, 17
  - input alphabet of component, 52
  - input alphabet of iobip, 22
  - input alphabet of iodir, 50
  - output alphabet of component, 52
  - output alphabet of iobip, 22
  - output alphabet of iodir, 50
- alphbip, 22
  - alphbip of channel, 59
  - alphbip of component, 52
  - alphbip of opdir, 50
- ambiguous quiescence hazard, 85
- backward intersection, 103
- bag, 16
- binding power, 11
- blend, 19
- catenation, 14
- causality, 99
- channel, 59
- class, 110, 144, 216
- comminst, 29, 35, 51
- comminstorder, 30, 35
  - empty comminstorder, 32
- commport, 28, 34, 51, 59
  - external commport, 167
- commsig, 30, 40, 59
- commsigorder, 31, 40, 41
  - empty commsigorder, 33
- communication behavior
  - of component, 51
  - of module, 32
  - maximal communication behavior, 133, 160
- communication
  - of interconnection, 33
  - of channel, 59
- Communication Model, 27
- component, 51
- composability, 100; see also: general composability
- composability diagram, 103; see also: general composability diagram
- composite, 194, 205
- composition, 168
- computation interference hazard, 75, 80, 81, 113
- concatenation, 14
- conjunction, 11
- connection, 3; see also: match
  - closed connection, 39, 51, 166
  - direct connection, 3
    - of commports, 28, 34, 167
    - of components, 51
    - of modules, 38
  - indirect connection, 3, 99, 143
    - of commports, 28, 34, 167
    - of components, 51
    - of modules, 38
  - mixed connection, 39, 51, 166
  - open connection, 39, 51, 166
- delay-insensitive, 143
- delay-insensitive channel, 143, 145
- delay-insensitive enclosure, 148
- delay-safe, 110
  - partially delay-safe, 169
- delay-safe channel, 110
- delay-safe closure, 112
- delay-safe enclosure, 115
- di-initializable, 146
- disable, 57
- disjunction, 11
- element, 9
- enable, 57
- engage, 83
- equality, 11
- external input, 167
- external output, 167
- factorization, 208
- Foam Rubber Wrapper, 116
- general composability, 170
- general composability diagram, 172
- happen, 35
- hazard, 76
- hint calculus, 13
- implication, 11
- inclusion, 17
- inequality, 11
- initial computation interference hazard, 186
- initial computation or transmission interference hazard, 204
- initial state, 20
- initial set of comminsts, 29, 35
- initial set of commsigs, 30, 40
- interconnection, 33, 41
  - between modules, 42
- intersection, 10, 17
- i/o-connectable, 79
- iobip, 22, 51
- iodir, 32, 50
  - iodir of module, 32
- Kleene-closure, 14
- length, 15
- liveness, 85
- match, 28, 34
- mechanism, 34
- metastability, 3
- module, 32, 36
- Molnar's-universal-do-nothing-wrong-component, 85
- natural numbers, 10
- negation, 11
- number of occurrences, 16
- observation, 41
- occur, 35, 40
- opdir, 33, 50
  - opdir of interconnection, 33
- overspecification, 214
- partial delay-safety, 169
- partial order, 30
- prefix, 15
- prefix-closed, 15, 17
- prefix-closure, 15, 17
- priority of operators, 11
- projection, 15, 18
- quantification, 12
- receive, 40, 51, 82
- reflection, 22, 32
- regular state graph, 20
- restriction, 30, 31
- send, 40, 51
- set, 9
  - empty set, 9
- set difference
  - asymmetric set difference, 10
  - symmetric set difference, 10
- signal, 34
- signals happen in parallel, 35, 40
- state, 20
- state graph, 20, 54
- subset, 10
  - proper subset, 10
- symbol, 14, 48, 49
- terminal, 34
- trace, 14
  - empty trace, 14
- trace set, 14, 48, 49
- trace structure, 17
- trace theory, 13
- transformation into computation interference hazard, 83
- transition, 20
- transmission interference hazard, 144, 203
- type of commport w.r.t. interconnection, 33
- union, 10, 18
- universe, 14
- weave, 18
- wire, 34

# Summary

In this monograph we study delay-insensitive communication. Communication is called delay-insensitive if it is delay-safe and free of transmission interference hazard (no two signals along the same wire may interfere). Communication is called delay-safe if its correctness depends neither on the values of the delays in wires nor on the reaction times of mechanisms. Notice that the communication itself may depend on these delays or reaction times, as long as its correctness remains unchanged. The formalization of delay-safety is based on our causality notion: "no signal is received before it has been sent". There are various reasons why one may be interested in delay-safe communication, e.g. scaling (the delays in the wires tend to increase relative to the delays in the switching elements) and metastability (the reaction time of some mechanisms is unbounded).

We introduce our Communication Model as a formal abstraction of 'the underlying physics'. Modules model the physical mechanisms. The terminals of the mechanisms are modeled by commports. We define components as equivalence classes of modules. We distinguish directly and indirectly connected commports; this leads to components that have a direct, an indirect, or (in general) a mixed connection. The correctness concern "absence of computation interference hazard" (a component accepts every input that it may receive) plays a central role in this monograph. We present a technique to transform other correctness concerns into absence of computation interference hazard.

We distinguish between the communication behavior of components and the communication of a channel between them. We present the limitations of delay-safe communication and of delay-insensitive communication. Furthermore, given the correctness concern absence of computation interference hazard (and possibly also absence of transmission interference hazard), we define composition of components that have a mixed connection. We give necessary and sufficient conditions for the existence of the compositions under the given correctness concern(s). We address factorization, which is a form of decomposition in which the specification and a (desired) part of the solution of this specification are given. Since our two correctness concerns are symmetric w.r.t. the specification and all parts of the solution, factorization is equal to composition.
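The trace-structure operations named in the summary and glossary (projection, prefix-closure, weave, blend) and the central correctness concern "a component accepts every input that it may receive" can be exercised on small finite trace sets. The Python below is an added example, not the thesis's own formalisation: it uses the standard trace-theory definitions of weave and blend (as in [van de Snepscheut 85]) and checks computation interference only under the simplifying assumption of a direct connection (a signal is sent and received in one event, no wire delays), so the delay-safe case with indirect connections is not modelled.

```python
"""Finite trace-theory toolkit; assumptions: direct connection, finite trace sets."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

Trace = Tuple[str, ...]


def pref(traces: Iterable[Trace]) -> FrozenSet[Trace]:
    """pref S: prefix-closure of a trace set."""
    return frozenset(t[:i] for t in traces for i in range(len(t) + 1))


def project(trace: Trace, alphabet: FrozenSet[str]) -> Trace:
    """Projection of t on A: keep only the symbols of t that belong to A."""
    return tuple(x for x in trace if x in alphabet)


@dataclass(frozen=True)
class TraceStructure:
    """<A, S>: alphabet A and a prefix-closed trace set S over A."""
    alphabet: FrozenSet[str]
    traces: FrozenSet[Trace]

    @staticmethod
    def make(alphabet: Iterable[str], traces: Iterable[Trace]) -> "TraceStructure":
        alphabet = frozenset(alphabet)
        closed = pref(traces)
        assert all(set(t) <= alphabet for t in closed), "symbol outside alphabet"
        return TraceStructure(alphabet, closed)

    def projected(self, alphabet: Iterable[str]) -> "TraceStructure":
        """Projection of a trace structure: project alphabet and every trace."""
        alphabet = frozenset(alphabet)
        return TraceStructure(self.alphabet & alphabet,
                              frozenset(project(t, alphabet) for t in self.traces))


def weave(t: TraceStructure, u: TraceStructure) -> TraceStructure:
    """T w U: traces over aT ∪ aU whose projections on aT and aU lie in tT and tU.

    Traces are grown one symbol at a time. This is exhaustive because tT and tU
    are prefix-closed, and it terminates because both are finite (a weave trace
    is no longer than the longest traces of T and U together)."""
    alphabet = t.alphabet | u.alphabet
    found = {()}
    frontier = [()]
    while frontier:
        nxt = []
        for trace in frontier:
            for a in sorted(alphabet):
                cand = trace + (a,)
                if cand not in found \
                        and project(cand, t.alphabet) in t.traces \
                        and project(cand, u.alphabet) in u.traces:
                    found.add(cand)
                    nxt.append(cand)
        frontier = nxt
    return TraceStructure(alphabet, frozenset(found))


def blend(t: TraceStructure, u: TraceStructure) -> TraceStructure:
    """T b U: weave, then hide the shared symbols (project on aT ÷ aU)."""
    return weave(t, u).projected(t.alphabet ^ u.alphabet)


@dataclass(frozen=True)
class Component:
    """Input alphabet, output alphabet and communication behavior of a component."""
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    behavior: TraceStructure


def computation_interference(receiver: Component, sender: Component) -> FrozenSet[Trace]:
    """Joint traces extended by a symbol that `sender` may output but `receiver`
    does not accept at that point. Under a direct connection the joint behavior
    is the weave of the two behaviors."""
    joint = weave(receiver.behavior, sender.behavior)
    hazards = set()
    for trace in joint.traces:
        for a in sender.outputs & receiver.inputs:
            sent = project(trace, sender.behavior.alphabet) + (a,)
            received = project(trace, receiver.behavior.alphabet) + (a,)
            if sent in sender.behavior.traces and received not in receiver.behavior.traces:
                hazards.add(trace + (a,))
    return frozenset(hazards)


def interference_hazards(gamma: Component, delta: Component) -> FrozenSet[Trace]:
    """Hazards in both directions; empty means Γ and Δ have no computation interference hazard."""
    return computation_interference(gamma, delta) | computation_interference(delta, gamma)


# Constructed sample: a two-round handshake component Γ (input a, output b) behaving
# as pref{abab}; one environment matches it, the other sends a second a before b.
GAMMA = Component(frozenset("a"), frozenset("b"), TraceStructure.make("ab", {tuple("abab")}))
ENV_OK = Component(frozenset("b"), frozenset("a"), TraceStructure.make("ab", {tuple("abab")}))
ENV_EAGER = Component(frozenset("b"), frozenset("a"), TraceStructure.make("ab", {tuple("aab")}))

if __name__ == "__main__":
    print("matching environment:", sorted(interference_hazards(GAMMA, ENV_OK)))
    print("eager environment:   ", sorted(interference_hazards(GAMMA, ENV_EAGER)))
```

For the eager environment the check reports both directions of the problem: the environment's second `a` is not accepted by Γ, and Γ's `b` after the first `a` is not accepted by the environment.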

# Summary (Dutch: Samenvatting)

In this dissertation we study delay-insensitive communication. We call communication delay-insensitive if the communication is "delay-safe" and if there is no hazard of transmission interference (no two signals on the same wire can interfere with each other). In delay-insensitive communication the correctness of the communication does not depend on the delays in wires, nor on the speed with which a mechanism reacts to signals; the communication itself may depend on these. The formal definition of delay-safety is based on our notion of causality: "no signal is received before it has been sent". There are several reasons why we are interested in delay-safe communication, e.g. scaling down (delays in wires tend to increase relative to the switching times of transistors) and metastability (the reaction times of some mechanisms are not bounded from above).

Our communication model is a formal abstraction of 'the underlying physical notions'. Mechanisms are modeled by modules. The communication ports of these modules model the terminals of the mechanisms. Components are equivalence classes of modules. We distinguish between direct and indirect connections of communication ports; in this way we distinguish direct, indirect and mixed connections of components. The correctness criterion "no hazard of interference of inputs with the ongoing computation" (a component accepts every input that it receives) runs as a common thread through this dissertation. A method is presented to transform other correctness criteria into "no hazard of interference of inputs with the ongoing computation".

We distinguish between the communication behavior of components and the communication in a channel between these components. The outer limits of delay-safe and delay-insensitive communication are indicated. Given the correctness criterion "no hazard of interference of inputs with the ongoing computation" (and possibly also "no hazard of transmission interference") we define composition of components that have a mixed connection. We give necessary and sufficient conditions for the existence of the compositions of components given the correctness criteria. Attention is also paid to the factorization of components; factorization is a form of decomposition in which the component to be decomposed and a (desired) part of the result of the decomposition are given. Because our two correctness criteria are symmetric with respect to the component to be factorized and all parts of the result of the factorization, factorization amounts to composition.

# Curriculum vitae

- I was born on August 4, 1955 in Amby, the Netherlands.
- In 1973 I graduated from high-school (viz. Gymnasium-β at "Henric van Veldeke-college" in Maastricht, the Netherlands).
- In 1978 I passed the "kandidaatsexamen" (Bachelor's Degree) in Mathematics at Eindhoven University of Technology in Eindhoven, the Netherlands.
- During 1980 I was a programmer/program-designer with teaching responsibilities at the department of Mechanical Engineering of Eindhoven University of Technology. I developed procedures for programs that solved non-linear stress problems.
- During 1981 and 1982 I performed the military service. After a four-and-a-half month military training, I was a programmer/program-designer in the army in The Hague, the Netherlands. I made a monitor for developing interactive programs.
- In February 1985 I received the Master's Degree in Mathematics from the department of Mathematics and Computing Science of Eindhoven University of Technology. My thesis was in the field of theoretical VLSI-design: "A formalisation of the Foam Rubber Wrapper postulate".
- From March 1985 until February 1987 I was a scientific assistant at the department of Mathematics and Computing Science of Eindhoven University of Technology. I did research in the field of (theoretical) VLSI-design, in particular delay-insensitive circuits.
- Since February 1987 I have been a "Universitair Docent" (assistant professor) at the department of Mathematics and Computing Science of Eindhoven University of Technology. I do research and teach in the areas parallelism and VLSI-design. Since 1990 I have worked part-time at Eindhoven University of Technology.
- From April 1987 until October 1987 I was a visiting research associate at the Institute for Biomedical Computing of Washington University in St. Louis, Missouri, U.S.A. My research in VLSI-design was concentrated on the physical interpretation of formal models.
- In 1990 I was a part-time advisor to Mobius B.V. in Vught, the Netherlands. I gave scientific advice in the areas authentication, encryption, and identification.
- Since January 1991 I have worked part-time as the technical coordinator of Mobius B.V.

# **Statements**

that go with the Ph.D. Thesis

Delay-insensitive Communication

by

Huub Schols

Eindhoven, December 9, 1992

- 0 Delay-safety is not a property of some physical circuits: at the circuit level it is an assumption about delays. In a formal model it can be defined as a property of formal objects.
  - lit.: This thesis.
- 1 Udding's composability operator is suited to model the matching of behaviors of mechanisms that exchange signals in a delay-insensitive way; this can be done even in the presence of concurrency or parallelism.
  - lit.: Jan Tijmen Udding, Classification and Composition of Delay-Insensitive Circuits, Eindhoven: University of Technology, September 1984 (Department of Mathematics and Computing Science; doctoral dissertation).
  - lit.: This thesis.
- 2 The technique "transformation into computation interference hazard" can be used to transform some liveness properties into safety properties.
  - lit.: This thesis.
- 3 We consider factorization. Factorization is the decomposition problem in which the specification and a part of the desired solution are given and the remainder has to be calculated. Factorization is equal to composition if and only if all correctness concerns are symmetric w.r.t. the specification and all parts of the solution.
  - lit.: This thesis.
- 4 It is possible to give a formal definition of "the observation of delay-insensitive communication".
- 5 The so-called "isochronic forks" have been a severe impediment to the development of design methods for circuits with asynchronous communication.
- 6 Some liveness properties are expressible in finite trace theory. "Absence of ambiguous quiescence hazard" is such a liveness property.
  - lit.: Huub M.J.L. Schols, Notes on Delay-insensitive Communication, Eindhoven: University of Technology, March 1988 (Department of Mathematics and Computing Science; Computing Science Notes 88/06). [In this paper "ambiguous quiescence hazard" is referred to as "unspecified termination hazard".]
- 7 For every natural number $N$, $N \ge 2$, there exist an alphabet $A$ and a minimal deterministic state graph $S$ that contains exactly $N$ states, such that projecting $S$ onto $A$ yields a minimal deterministic state graph that contains $(3 * 2^{(N-2)} 1)$ states. $(3 * 2^{(N-2)} 1)$ is the upper limit.
  - lit.: Huub M.J.L. Schols, The Maximum Number of States after Projection, Eindhoven: University of Technology, April 1987 (Department of Mathematics and Computing Science; Computing Science Notes 87/08).
- 8 We consider a stack consisting of $F$ fast cells at the top and $S$ slow cells at the bottom. The speed ratio between the fast and the slow cells is $r$. A sufficient condition for using such a stack at full speed is: $S < F/(2(r-1))$.
- 9 The technique "restoring an invariant", which is often used in sequential programming, suggests a wrong connotation of the notion "invariant", viz. that an invariant may not hold; this connotation is an impediment to the construction of invariants for parallel programs.
- 10 A complete presentation of research does not only contain the final results, but also the discarded results and the reason for discarding them.
- 11 Engineering is a creative profession. Computer scientists should not try to "automate" engineers. They should rather provide the engineers with tools that enable the engineers to use their creativity.