Linearization of CIF Through SOS
BB. Luttik and F. D. Valencia (Eds.): 18th International Workshop onExpressiveness in Concurrency (EXPRESS 2011)EPTCS 64, 2011, pp. 74–88, doi:10.4204/EPTCS.64.6 c (cid:13)
D.E. Nadales Agut & M.A. ReniersThis work is licensed under the Creative CommonsAttribution-Share Alike License.
Linearization of CIF Through SOS
D.E. Nadales Agut M.A. Reniers
Systems EngineeringDepartment of Mechanical EngineeringEindhoven University of Technology (TU/e) { d.e.nadales.agut, m.a.reniers } @tue.nl Linearization is the procedure of rewriting a process term into a linear form, which consist only ofbasic operators of the process language. This procedure is interesting both from a theoretical anda practical point of view. In particular, a linearization algorithm is needed for the CompositionalInterchange Format (CIF), an automaton based modeling language.The problem of devising efficient linearization algorithms is not trivial, and has been alreadyaddressed in literature. However, the linearization algorithms obtained are the result of an inventiveprocess, and the proof of correctness comes as an afterthought. Furthermore, the semantic specifica-tion of the language does not play an important role on the design of the algorithm.In this work we present a method for obtaining an efficient linearization algorithm, through astep-wise refinement of the SOS rules of CIF. As a result, we show how the semantic specifica-tion of the language can guide the implementation of such a procedure, yielding a simple proof ofcorrectness.
Linearization is the procedure of rewriting a process term into a linear form, which consist only of basicoperators of a process language [10, 4, 15]. Linearization is also referred to as elimination in ACP styleprocess algebras [1].From a theoretical perspective, linearization of process terms is an interesting result. It allows to get abetter understanding about the expressiveness of the language constructs, since it shows that all its termsare reducible to some normal form (which contains only a limited set of operators of the language). Also,linearization is useful in proving properties about closed terms, since the number of cases that needs tobe dealt with in a proof by structural induction becomes smaller.The Compositional Interchange Format (CIF) [2], is a language for modeling real-time, hybrid andembedded systems. CIF is developed to establish inter-operability of a wide range of tools by meansof model transformations to and from the CIF. As such it plays a central role in the European projectsMultiform [12], HYCON [9], C4C [5], and HYCON 2 [8]. CIF has a formal semantics [2], which isdefined in terms of Structured Operational Semantics Rules (SOS) in the style of Plotkin [14].Besides its theoretical importance, linearization of CIF models eliminates operators, such as urgency,that cannot be handled in other languages. Since CIF is meant to be used as an interchange format, theelimination of the operators broadens the set of models that can be translated to other languages. For thehierarchical extension of CIF [3], hCIF, linearization makes the elimination of hierarchy possible, andthus, all the tools available for CIF become available for use with hCIF models as well.It is our goal to build a linearization algorithm for CIF, which results in an efficient representationof the original model, and such that all the operators of the language, such as parallel composition orsynchronization are eliminated. The problem of efficient linearization has been already studied in lit-erature [15, 4, 10] for process-algebraic languages for describing and analyzing discrete-event systems .E. Nadales Agut & M.A. Reniers symbolic rules , which induced transition systems that do not contain the valuation part.It was also noted that the symbolic transition system induced by these rules is finite, and it resembles a(CIF) automaton. Thus, the symbolic SOS rules for CIF offer a straightforward algorithm for linearizingCIF models. However, the resulting automaton has a size that may be exponential in the size of the inputmodel.In this work we study the possibility of reusing the existing results on efficient linearization algo-rithms for obtaining a linear form of CIF from SOS rules. The idea is to give a more concrete version ofthe symbolic SOS rules of CIF (which is in turn a concrete version of the SOS rules with data), such thatthe transition system they induce can be translated to an automaton whose size does not grow exponen-tially as the result of interleaving actions (for synchronizing action the growth is still exponential, but inpractice this is not a serious limitation since synchronization takes place only among a limited numberof components).As a result, we show a linearization procedure, which is obtained from the SOS specification of thelanguage. In this way, the design of the algorithm requires less invention steps, reducing the opportunitiesto introduce mistakes, and at the same time it yields a simple proof of correctness.
For the discussion presented here, we consider a simplified version of CIF, which is untimed and containsonly automata, a parallel composition operator, and a synchronizing action operator. This helps to keepthe focus on the ideas, without distracting the reader with the complexity of CIF . The techniques andresults presented here can be easily extended to the setting of timed and hybrid systems, since we handleconcepts such as invariants and time-can-progress conditions in a symbolic manner.We begin by defining automata and the terms of our language. Throughout this work, notation P is used to refer to a set of predicates, V is a set of variables, A is a set of actions, τ is the silent action( τ / ∈ A ), and A τ (cid:44) A ∪ { τ } . Definition 1 (Automaton)
An automaton is a tuple ( V , init , inv , E , act S ) , where V ⊆ L is a set of lo-cations, init ∈ V → P is the initial predicate function, inv ∈ V → P is the invariant function, E ⊆ V × A τ × P × V is the set of edges, and act S ⊆ A is a set of synchronizing actions. Figure 1 presents a model of a railroad gate. It has two modes of operation (locations), closed andopened, denoted C and O respectively. Its initial predicate function associates the condition wq = [ ] tolocation C (represented graphically with an incoming arrow without source location), and the predicatefalse to location O (represented by the absence of such an arrow). Here wq is the waiting queue thatcontains the id’s of the trains waiting to pass through the gate, [ ] is the empty list, and we denote lists by This language contains over 30 deduction rules Linearization Through SOS writing their elements between brackets, and separated by commas. Location C has n = n is the numbers of trains crossing the gate, and location O has invariant n ≤
1. The automatonsynchronizes with other components in actions rq , go , and out .The automaton has four edges. Two edges ( C , rq , wq + = wq ++ [ id + ] , C ) , and ( O , rq , wq + = wq ++ [ id + ] , O ) , which are used to enqueue requests from the trains that want to pass the gate. Given twosequences xs and ys , xs ++ ys denotes their concatenation. The predicate wq + = wq ++ [ id + ] expressesthat the new value of the waiting queue after performing action rq will be the old waiting queue ( wq )extended with the id of the train that request access (this id is contained in variable id + ). Graphicallythese edges are represented by two self loops in locations C and O , labeled rq , wq + = wq ++ [ id + ] . Thegate can make a transition from the closed state to the opened state, by issuing a go action, which sendsthe id at the front of the waiting queue using variable p . C inv : n = wq = [ ] O inv : n ≤ go , [ p + ] ++ wq + = wqout rq , wq + = wq ++ [ id + ] rq , wq + = wq ++ [ id + ] Gate act S = { rq , go , out } Figure 1: CIF model of a gate.In Figure 2 we present the model of a train, which will be run in parallel with the gate model. Ithas a parameter i , which represents the train’s id. It has four locations: far ( F ), near ( N ), stopped ( S ),and passing ( P ). Location F is the only initial location. When the train approaches the gate it issues arequest to pass the gate by sending its id though variable id . Once in the near location, it can only go tothe passing state if variable p is updated to its id (this update is carried out by the gate, as we have seenabove). Otherwise it makes a transition to the stopped state. When the train enters the gate it incrementsvariable n , and it decrements it upon departure.These models can be composed in parallel using the parallel composition operator, denoted as (cid:107) .Actions in CIF are not synchronizing by default. Thus in the parallel composition Train ( ) (cid:107) Train ( ) the actions of the two trains will be interleaved.We want to put the parallel composition of the two trains in parallel with the gate automaton, in sucha way that the trains synchronize with the actions rq , go , and out of the gate. This can be achieved usingthe synchronizing action operator, denoted as γ A . Informally, composition γ A ( p ) behaves as composition p , except that all the actions of the set A are made synchronizing in p . Below we explain this. Usingthese operators, we can express train gate model in CIF as follows: γ { rq , go , out } ( Train ( ) (cid:107) Train ( )) (cid:107) Gate (1) .E. Nadales Agut & M.A. Reniers F N SPrq , id + = i stopgo , p + = i ∧ n + = n + go , p + = i ∧ n + = n + out , n + = n − Train ( i ) Figure 2: CIF model of a train.As a consequence of the use of the synchronizing action operator in (1), action i ∈ { rq , go , out } in Train ( j ) , j ∈ { , } , will synchronize with action i in the gate. Actions in the set { rq , go , out } are in-terleaved in the parallel compositions of the trains (they do not synchronize) since the scope operatoronly make actions synchronizing in the outer scope. For more details see the rules of and their explana-tion Table 1.Formally, the set of all CIF compositions is defined as follows: Definition 2 (Compositions)
The set C of all compositions is defined through the following abstractgrammar: C :: = α | C (cid:107) C | γ A ( C ) , where α is an automaton and A ⊆ A . In the next section we present the formal semantics of CIF compositions, both its explicit versionand its symbolic counterpart.
The semantics of CIF is defined in terms of hybrid transition systems [6]. In the context of the presentwork, we restrict our attention to ordinary transition systems (thus omitting time transitions), extendedwith environment transitions (see below).The labeled transition systems we are considering have states of the form ( p , σ ) . Here p ∈ C , and σ ∈ Σ is a valuation, where Σ = V → Λ , and Λ denotes a set of values. The valuation records the valuesof the model variables at a certain moment. There are two types of transitions in these labeled transitionsystems. Action transitions , of the form ( p , σ ) a , b −→ ( p (cid:48) , σ (cid:48) ) model the execution of an action a by composition p in an initial valuation σ , which changes composition p into p (cid:48) and results in a new valuation σ (cid:48) . Label b is a boolean that indicates whether action a issynchronizing. Environment transitions , of the form ( p , σ ) A (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) ) Linearization Through SOS model the fact that the initial conditions and invariants of p ( p (cid:48) respectively) are satisfied in σ ( σ (cid:48) ), and A is the set of synchronizing actions of p and p (cid:48) . Environment transitions are used to obtain the statechanges allowed by a model in a parallel composition context.The transition system associated to a composition can be obtained by means of SOS rules. Below wepresent the explicit rules, where we have omitted the symmetric version of the parallel composition rule.Given a valuation σ , we define σ (cid:48) + (cid:44) { ( x + , v ) | ( x , v ) ∈ σ } . We use notation α to refer to the automaton ( V , init , inv , E , act S ) , and α [ x ] to refer to ( V , id x , inv , E , act S ) , where id x ( w ) (cid:44) w ≡ x . Throughout thiswork, FV ( p ) is the set of free variables of p . ( v , a , r , v (cid:48) ) ∈ E , σ | = init ( v ) ∧ inv ( v ) , σ (cid:48) | = inv ( v (cid:48) ) , σ (cid:48) + ∪ σ | = r , (cid:104)∀ x :: x + / ∈ FV ( r ) ⇒ σ ( x ) = σ (cid:48) ( x ) (cid:105) ( α , σ ) a , a ∈ act S −−−−→ ( α [ v (cid:48) ] , σ (cid:48) ) v ∈ V , σ | = init ( v ) ∧ inv ( v ) , σ (cid:48) | = inv ( v )( α , σ ) act S (cid:57)(cid:57)(cid:75) ( α [ v ] , σ (cid:48) ) ( p , σ ) a , true −−−→ ( p (cid:48) , σ (cid:48) ) , ( q , σ ) a , true −−−→ ( q (cid:48) , σ (cid:48) )( p (cid:107) q , σ ) a , true −−−→ ( p (cid:48) (cid:107) q (cid:48) , σ (cid:48) ) ( p , σ ) a , b −→ ( p (cid:48) , σ (cid:48) ) , ( q , σ ) A (cid:57)(cid:57)(cid:75) ( q (cid:48) , σ (cid:48) ) , a / ∈ A ( p (cid:107) q , σ ) a , b −→ ( p (cid:48) (cid:107) q (cid:48) , σ (cid:48) ) ( p , σ ) A p (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) ) , ( q , σ ) A q (cid:57)(cid:57)(cid:75) ( q (cid:48) , σ (cid:48) )( p (cid:107) q , σ ) A p ∪ A q (cid:57)(cid:57)(cid:75) ( p (cid:48) (cid:107) q (cid:48) , σ (cid:48) ) ( p , σ ) a , b , X −−−→ ( p (cid:48) , σ (cid:48) )( γ A ( p ) , σ ) a , b ∨ a ∈ A , X −−−−−−→ ( γ A ( p (cid:48) ) , σ (cid:48) ) ( p , σ ) A (cid:48) (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) )( γ A ( p ) , σ ) A ∪ A (cid:48) (cid:57)(cid:57)(cid:75) ( γ A ( p (cid:48) ) , σ (cid:48) ) ( v , a , r , v (cid:48) ) such thatthe initial predicate and the invariant are satisfied in the initial valuation σ , and it is possible to find a newvaluation σ (cid:48) in which the invariant and the reset predicate are satisfied. The only variables that changein σ (cid:48) w.r.t. σ are those free variables of r that are of the form x + . Rule 2 states that an automaton isconsistent in initial valuation σ if the initial predicate and invariant are satisfied in σ , and the valuationcan be changed to σ (cid:48) only if the invariant is preserved. Rule 3 expresses that an action a can be executedsynchronously if it is marked as synchronizing in both components. The interleaving behavior is modeledin Rule 4, where an action a can be executed in p if it is not synchronizing in q . In Rule 6 an action a ismarked as synchronizing if a ∈ A , or a is synchronizing in p . The environment rule for the synchronizingaction operator (Rule 7) adds A to the set of synchronizing actions of p .As noted in [13], the explicit rules are not suitable for implementation purposes. These rules ofteninduce infinitely branching transition systems, and as a consequence it is not possible to obtain the set ofpossible successor states. In particular, the labels of the hybrid transition systems contain trajectories ,of an dense domain, which are defined in the rules through computations over these dense sets. Anotherproblem is that the valuations specify implicit constraints, such as “variables owned by a certain automa-ton cannot be changed in a parallel composition”, which require to compute operations on infinite setsof valuations to get the set of possible successor states. .E. Nadales Agut & M.A. Reniers symbolic rules [7] from the explicitSOS specification. These symbolic rules represent the possible state changes by means of predicates, andthus, the state change caused by an action is visible on the arrows of the transitions. The symbolic rulesfor the language considered in this paper are shown in Table 2. ( v , a , r , v (cid:48) ) ∈ E (cid:104) α (cid:105) a , a ∈ act S , init ( v ) , inv ( v ) , inv ( v (cid:48) ) , r −−−−−−−−−−−−−−−−−→ (cid:104) α [ v (cid:48) ] (cid:105) v ∈ V (cid:104) α (cid:105) init ( v ) , inv ( v ) , act S (cid:57)(cid:57)(cid:75) (cid:104) α [ v ] (cid:105) (cid:104) p (cid:105) a , true , u p , n p , n (cid:48) p , r p −−−−−−−−−→ (cid:104) p (cid:48) (cid:105) , (cid:104) q (cid:105) a , true , u q , n q , n (cid:48) q , r q −−−−−−−−−→ (cid:104) q (cid:48) (cid:105)(cid:104) p (cid:107) q (cid:105) a , true , u p ∧ u q , n p ∧ n q , n (cid:48) p ∧ n (cid:48) q , r p ∧ r (cid:48) p −−−−−−−−−−−−−−−−−−→ (cid:104) p (cid:48) (cid:107) q (cid:48) (cid:105) (cid:104) p (cid:105) a , b , u p , n p , n (cid:48) p , r −−−−−−−→ (cid:104) p (cid:48) (cid:105) , (cid:104) q (cid:105) u q , n q , A (cid:57)(cid:57)(cid:75) (cid:104) q (cid:48) (cid:105) , a / ∈ A (cid:104) p (cid:107) q (cid:105) a , b , u p ∧ u q , n p ∧ n q , n (cid:48) p ∧ n q , r −−−−−−−−−−−−−−→ (cid:104) p (cid:48) (cid:107) q (cid:48) (cid:105) (cid:104) p (cid:105) u p , n p , A p (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:105) , (cid:104) q (cid:105) u q , n q , A q (cid:57)(cid:57)(cid:75) (cid:104) q (cid:48) (cid:105)(cid:104) p (cid:107) q (cid:105) u p ∧ u q , n p ∧ n q , A p ∪ A q (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:107) q (cid:48) (cid:105) (cid:104) p (cid:105) a , b , u , n , n (cid:48) , r −−−−−−→ (cid:104) p (cid:48) (cid:105)(cid:104) γ A ( p ) (cid:105) a , b ∨ a ∈ A , u , n , n (cid:48) , r −−−−−−−−−→ (cid:104) γ A ( p (cid:48) ) (cid:105) (cid:104) p (cid:105) u , n , A (cid:48) (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:105)(cid:104) γ A ( p ) (cid:105) u , n , A ∪ A (cid:48) (cid:57)(cid:57)(cid:75) (cid:104) γ A ( p (cid:48) ) (cid:105) Theorem 1 (Soundness of action transitions)
For all p, p (cid:48) , a, b, u, n, n (cid:48) , r, σ , and σ (cid:48) we have that ifthe following conditions hold:1. (cid:104) p (cid:105) a , b , u , n , n (cid:48) , r −−−−−−→ (cid:104) p (cid:48) (cid:105) σ | = u, σ | = n, σ (cid:48) | = n (cid:48) , and σ (cid:48) + ∪ σ | = r3. (cid:104)∀ x :: x + / ∈ FV ( r ) ⇒ σ ( x ) = σ (cid:48) ( x ) (cid:105) then, there is a explicit action transition ( p , σ ) a , b −→ ( p (cid:48) , σ (cid:48) ) . Theorem 2 (Completeness of action transitions)
For all p, p (cid:48) , a, b, σ , and σ (cid:48) we have that if there isa explicit transition ( p , σ ) a , b −→ ( p (cid:48) , σ (cid:48) ) then there exists u, n, n (cid:48) , and r such that the following conditionshold:1. (cid:104) p (cid:105) a , b , u , n , n (cid:48) , r −−−−−−→ (cid:104) p (cid:48) (cid:105) σ | = u, σ | = n, σ (cid:48) | = n (cid:48) , and σ (cid:48) + ∪ σ | = r3. (cid:104)∀ x :: x + / ∈ FV ( r ) ⇒ σ ( x ) = σ (cid:48) ( x ) (cid:105) Theorem 3 (Soundness of environment transitions)
For all p, p (cid:48) , u, A, σ , and σ (cid:48) we have that if thefollowing conditions hold: Linearization Through SOS (cid:104) p (cid:105) u , n , A (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:105) σ | = u, σ | = n, σ (cid:48) | = nthen, there is a explicit environment transition ( p , σ ) A (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) ) . Theorem 4 (Completeness of environment transitions)
For all p, p (cid:48) , A, σ , and σ (cid:48) we have that if thereis an explicit transition ( p , σ ) A (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) ) then there exists u, and n such that the following conditionshold:1. (cid:104) p (cid:105) u , n , A (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:105) σ | = u, σ | = n, σ (cid:48) | = n It is not hard to see that given a CIF composition, the symbolic rules induce a finite transition system .For the model of the train gate presented in Section 2, a part of its associated symbolic transition systemis shown in Figure 3 (the whole transition system contains 16 states), where we use the convention thatfor all x , y , z : (cid:104) x , y , z (cid:105) ≡ γ { rq , go , out } ( Train ( )[ x ] (cid:107) Train ( )[ y ]) (cid:107) Gate [ z ] In this transition system, two problems can be noted. The size of the symbolic transition system growsexponentially as more trains are added. This is the result of the interleaving actions that are executedbetween these models. Secondly, there is a great deal of redundant information . The invariants ofthe source and the target states are present not only in the labels of action transitions, but also in theenvironment transition of these states. Similarly, the initialization conditions are meaningful only for theinitial environment transition. For the remaining environment transitions in the systems, the initializationpredicate is always true. In the next section we show how to overcome these problems using a new kindof symbolic rules.
In this section we define a structure called linear transition system (LiTS), which contains all the infor-mation necessary to represent any arbitrary CIF composition, and that can be translated to an equivalentautomaton.Consider the symbolic transition system of the train gate model. In Figure 3, we show a transition ofthe form: (cid:104) N , F , C (cid:105) go , p + = ∧ n + = n + ∧ wq + ++ [ p + ]= wq , n = , n ≤ −−−−−−−−−−−−−−−−−−−−−−−−−→ (cid:104) P , F , O (cid:105) The complete symbolic transition system also contains these transitions: (cid:104) N , N , C (cid:105) go , p + = ∧ n + = n + ∧ wq + ++ [ p + ]= wq , n = , n ≤ −−−−−−−−−−−−−−−−−−−−−−−−−→ (cid:104) P , N , O (cid:105)(cid:104) N , S , C (cid:105) go , p + = ∧ n + = n + ∧ wq + ++ [ p + ]= wq , n = , n ≤ −−−−−−−−−−−−−−−−−−−−−−−−−→ (cid:104) P , S , O (cid:105) These three transitions only differ in the second component of the symbolic state, that is, the location inwhich the second train is. However, this information is not relevant for computing the state change. Ifwe replace the above transitions by a unique transition of the form: (cid:104) N , , C (cid:105) go , p + = ∧ n + = n + ∧ wq + ++ [ p + ]= wq , n = , n ≤ −−−−−−−−−−−−−−−−−−−−−−−−−→ (cid:104) P , , O (cid:105) .E. Nadales Agut & M.A. Reniers (cid:104) γ { rq , go , out } ( Train ( ) (cid:107) Train ( )) (cid:107) Gate (cid:105)(cid:104) N , F , C (cid:105) (cid:104) F , F , C (cid:105) (cid:104) F , N , C (cid:105)(cid:104) P , F , O (cid:105) (cid:104) F , P , O (cid:105) wq = [ ] , n = rq , id + = ∧ wq + = wq ++ [ id + ] , n = , n = rq , id + = ∧ wq + = wq ++ [ id + ] , n = , n = , n = , n ≤ , n ≤ , n = , n = rq , id + = ∧ wq + = wq ++ [ id + ] , n = , n = rq , id + = ∧ wq + = wq ++ [ id + ] , n = , n = go , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq , n = , n ≤ go , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq , n = , n ≤ Figure 3: A part of the symbolic transition system for the train gate controllerthen we can avoid the state explosion caused by the interleaving actions. Here the wild-card symbolcan be read as “for any location”.Furthermore, in Figure 3 we see that there is no need to replicate the entire structure in a giventransition, since it suffices to keep track of the locations that change.From the observation above, we want a linear transition system where the states are sequences oflocations , containing also wild-cards . These wild-cards are used to denote the fact that the location of acertain automaton does not change in the transition. Formally the states of the LiTS belong to the set ( L × { } ) ∗ (2)where is the wild-card symbol, and A ∗ is the set of all sequences whose elements are taken from the set A . An example of such state is the list [ F , , C ] .The next thing to define is the transitions of the LiTS’s, in such a way that the redundancy introducedby the STS’s is eliminated. To accomplish this, we split action and environment transitions into severaltransitions, which are described next. Action Transitions
They are of the form p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) , where p ∈ C is a composition, a ∈ A τ isan action label, and r ∈ P is the update predicate associated to the action. Synchronizing Actions
They are of the form p sync (cid:59) A , where p ∈ C is a composition, and A ⊆ A is theset of synchronizing actions of p . Initialization Transitions
They are of the form p ipred (cid:59) fs , where p ∈ C and fs ∈ ( L (cid:42) P ) ∗ is a listcontaining the initialization predicate function of each automaton in p .2 Linearization Through SOS
Invariant Transitions
They are of the form p inv (cid:59) fs , where p ∈ C is a composition, and fs ∈ ( L → P ) ∗ is a list containing the invariant function associated to each automaton in p .The reader may have expected initialization or invariant transitions of the form: vs inv (cid:59) p where vs is a list of locations, and p is a predicate. However this approach requires enumeratingthe state space explicitly to construct the inv (cid:59) relation. By using lists of functions we avoid thisexplicit construction. Wild-card Transitions
They are of the form p (cid:59) xs , where p ∈ C is a composition, and xs ∈ ( ) ∗ is asequence of wild-cards whose size coincides with the number of automata that are composed inparallel in p . These transition are not needed for reconstructing the environment transitions, theyare used in the linear SOS rules to model the fact that nothing changes in a component of a parallelcomposition, when the other component performs an action.In Table 3 we show some of the linear SOS rules for CIF compositions. We have omitted the rulesfor synchronizing actions, initialization, and wild-card transitions since they are similar to the invarianttransitions.The linear rules can be easily to obtained from the symbolic ones. For action rules, invariants andinitialization predicates, and the synchronizing action label are simply omitted (since they can be ob-tained from other transitions). The linear rule for interleaving parallel composition is almost identical tothe symbolic rule. The only differences are that the set A is obtained from a sync (cid:59) transition, and we usethe wild-card transition to represent the fact that the locations of the other automaton are not relevant (atthe symbolic level at least). A similar observation can be made for the rule for parallel composition. Inthis case since we do not have the synchronizing label, we reconstruct it from the sync (cid:59) transition. Thislabel is equivalent to a ∈ A , thus a label true in both components is equivalent to a ∈ A p ∧ a ∈ A q , whichis in turn equivalent to a ∈ A p ∩ A q . ( V , init , inv , tcp , E , act S ) inv (cid:59) [ inv ] p inv (cid:59) fs p , q inv (cid:59) fs q p (cid:107) q inv (cid:59) fs p ++ fs q ( v , a , r , v (cid:48) ) ∈ E ( V , init , inv , tcp , E , act S ) | = (cid:104) [ v ] (cid:105) a , r −→ (cid:104) [ v (cid:48) ] (cid:105) p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) , q sync (cid:59) A , q (cid:59) , a / ∈ A , p (cid:107) q | = (cid:104) vs ++ (cid:105) a , r −→ (cid:104) vs (cid:48) ++ (cid:105) p | = (cid:104) vs p (cid:105) a , r p −−→ (cid:104) vs (cid:48) p (cid:105) , q | = (cid:104) vs q (cid:105) a , r q −−→ (cid:104) vs (cid:48) q (cid:105) , p sync (cid:59) A p , q sync (cid:59) A q , a ∈ A p ∩ A q p (cid:107) q | = (cid:104) vs p ++ vs q (cid:105) a , r p ∧ r q −−−−→ (cid:104) vs (cid:48) p ++ vs (cid:48) q (cid:105) p inv (cid:59) fs γ A ( p ) inv (cid:59) fs p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) γ A ( p ) | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) .E. Nadales Agut & M.A. Reniers p contains no synchronizing actions, then the size of its induced transition systemis linear w.r.t. the size of p . However, the size of the LiTS also depends on the number of synchronizingactions. The following property gives the formal details. Property 1 (Size of the linear transition system)
Let p be a CIF composition, such that it contains nautomata α i ≡ ( V i , init i , inv i , E , act Si ) , ≤ i < n. Let a be the only synchronizing action in these automata.Then the number of transitions in the LiTS associated to p is given by: ∑ ≤ i < n { x | ( v , g , x , u , v (cid:48) ) ∈ E i ∧ x (cid:54) = a } + ∏ ≤ i < n { x | ( v , g , x , u , v (cid:48) ) ∈ E i ∧ x = a } (3) where A is the number of elements in set A.
In spite of the fact that the number in (3) can be significantly large, in practice, communicationamong components is usually restricted to a few automata, and the number of edges of an automaton thatcontain a given synchronizing action a is small. In the same way symbolic transitions are related to explicit ones via soundness and completeness results,linear transitions have the same property w.r.t. symbolic transitions.The first two results state that a LiTS contains all the necessary information to reconstruct the envi-ronment transitions in the symbolic transition system and vice-versa. Here “leads to transitions” refersto the initialization, invariant, and synchronizing actions transitions in the LiTS. Given a composition p ,which contains n atomic automata, and a sequence ls of n locations, p [ ls ] is the composition obtainedby replacing the initial predicate function of the i th automaton by id ls . i , for 0 ≤ i < n , where ls . i is theelement of sequence ls at position i (sequences are numbered starting from 0). locsof ( p ) refers to the setof sequences ls , where ls = n and ls . i is a location of the i th automaton of composition p (0 ≤ i < n ). Theorem 5 (Soundness of leads to transitions)
For all p, is, fs, gs, A, u, and n we have that if thefollowing conditions hold:1. is ∈ locsof ( p )
2. p ipred (cid:59) fs, p inv (cid:59) gs, p sync (cid:59)
A3. u = (cid:94) ≤ i < fs fs . i ( is . i ) , and n = (cid:94) ≤ i < gs gs . i ( is . i ) then there is a symbolic transition (cid:104) p (cid:105) u , n , A (cid:57)(cid:57)(cid:75) (cid:104) p [ is ] (cid:105) . Theorem 6 (Completeness of leads to Transitions)
For all p, u, n, A, and p (cid:48) we have that if there is anenvironment transition (cid:104) p (cid:105) u , n , A (cid:57)(cid:57)(cid:75) (cid:104) p (cid:48) (cid:105) then there are is, fs, gs, u, and n such that the following conditionshold:1. is ∈ locsof ( p )
2. p ipred (cid:59) fs, p inv (cid:59) gs, p sync (cid:59)
A3. u = (cid:94) ≤ i < fs fs . i ( is . i ) , and n = (cid:94) ≤ i < gs gs . i ( is . i ) , p (cid:48) ≡ p [ is ] Linearization Through SOS
The soundness theorem for linear action transitions shows how a symbolic action transition can beobtained, using the leads to transitions as well. Functions (cid:118) and (cid:31) are defined below, where x : xs is thelist that results after appending the element x to the front of xs . Definition 3 (Sub-sequence and sequence overwriting)
Function (cid:118)∈ A ∗ (cid:42) A ∗ (cid:42) B is defined as fol-lows: [ ] (cid:118) xs (cid:44) true ( x : xs ) (cid:118) ( y : ys ) (cid:44) (( x ≡ ) ∨ ( x ≡ y )) ∧ xs (cid:118) ysFunction (cid:31)∈ A ∗ (cid:42) A ∗ (cid:42) A ∗ is defined as follows: [ ] (cid:31) xs (cid:44) xs ( x : xs ) (cid:31) ( y : ys ) (cid:44) (cid:40) x : ( xs (cid:31) ys ) if x (cid:54) = y : ( xs (cid:31) ys ) if x = Theorem 7 (Soundness of Linear Action Transitions)
For all p, vs, a, r, vs (cid:48) , is, fs, gs, u, n, n, and Awe have that if the following conditions hold:1. is ∈ locsof ( p )
2. p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) , p ipred (cid:59) fs, p inv (cid:59) gs, p sync (cid:59) A3. u = (cid:94) ≤ i < fs fs . i ( is . i ) , and n = (cid:94) ≤ i < gs gs . i ( is . i ) , n (cid:48) = (cid:94) ≤ i < gs gs . i (( vs (cid:48) (cid:31) is ) . i ) , vs (cid:118) is, b ≡ a ∈ Athen there is a symbolic transition: (cid:104) p (cid:105) a , b , u , n , n (cid:48) , r −−−−−−→ (cid:104) p [ vs (cid:48) (cid:31) is ] (cid:105) . Theorem 8 (Completeness of Linear Action Transitions)
For all p, p (cid:48) , a, b, u, n, n (cid:48) , and r we havethat if there is a symbolic transition: (cid:104) p (cid:105) a , b , u , n , n (cid:48) , r −−−−−−→ (cid:104) p (cid:48) (cid:105) then there are vs, vs (cid:48) , is, fs, gs, and A such that the following conditions hold:1. is ∈ locsof ( p )
2. p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105) , p ipred (cid:59) fs, p inv (cid:59) gs, p sync (cid:59) A3. u = (cid:94) ≤ i < fs fs . i ( is . i ) , and n = (cid:94) ≤ i < gs gs . i ( is . i ) , n (cid:48) = (cid:94) ≤ i < gs gs . i (( vs (cid:48) (cid:31) is ) . i ) , vs (cid:118) is, b ≡ a ∈ A,p (cid:48) ≡ p [ vs (cid:48) (cid:31) is ] These theorems can be proved using structural induction. The proofs are relatively simple, and areomitted due to space constraints.
Once a linear transition system is induced by the SOS rules, we need a way to obtain a linear automatonfrom it. In this section we describe the procedure, and we show that the generated automaton is statelessbisimilar [11] to the composition that induced the transition system. Both from a theoretical and a .E. Nadales Agut & M.A. Reniers p and its associated LiTS M , we want to build an automaton α p such that p has the same behavior as α p . The idea is to simulate the execution of M , using α p . Tothis end, we need to introduce a sequence of variables ls , which are used to represent the active state in M in a given execution. We call these variables location pointers [10]. Below, we give the definition of the linearization function, which returns the automaton associated to a given composition and thelocation pointers used in it. The second component returned by the function is used later to formulatethe correctness result. Definition 4 (Linearization Function)
Let p be a CIF composition. Function L ∈ C → ( C × V ∗ ) isdefined as the least function that satisfies: L ( p ) = (( { x } , init , inv , E , act S ) , ls ) where • p (cid:59) xs, xs = n, p ipred (cid:59) fs, p inv (cid:59) gs, p sync (cid:59) A • (cid:104)∀ i :: 0 ≤ i < n ⇒ ls . i / ∈ FV ( p ) (cid:105) , x ∈ L • init ( x ) = ( (cid:94) ≤ i < n (cid:94) v ∈ dom ( fs . i ) ( ls . i = v ⇒ fs . i ( v ))) ∧ ( (cid:94) ≤ i < n ls . i ∈ dom ( f s . i )) • inv ( x ) = (cid:94) ≤ i < n (cid:94) v ∈ dom ( gs . i ) ( ls . i = v ⇒ gs . i ( v )) • E = { ( x , a , r ∧ (cid:94) ≤ i < nvs . i (cid:54) = ls . i = vs . i ∧ ls . i + = vs (cid:48) . i , x ) | p | = (cid:104) vs (cid:105) a , r −→ (cid:104) vs (cid:48) (cid:105)} In the above definition we introduce n free variables, which are used as location pointers, and we usea location x (which can be defined as the least location in L ) as the unique location of the automaton. Theinitial predicate and invariant functions are conditional expressions, which ensure that the right predicateis chosen according to the values of the location pointers. In the definition of the init function, the secondpart of the conjunction forces the choice of an initial location (otherwise this predicate can be triviallysatisfied). The set of edges is constructed from the action transition of the linear transition system. Thereset mapping in the action transitions is extended with updates to the location pointers to keep track ofthe state in the linear transition system.The well-definedness of function L is a consequence of the finiteness of LiTSs. Given a composition p , such that L ( p ) = ( α p , ls ) , we say that α p is the linear automaton associated to it.For the train gate model, the linear automaton associated to it is shown in Figure 4, where the initialpredicate and invariant functions are (once they are simplified ):init ( x ) = ( l = F ∧ l = F ∧ l = C ∧ wq = [ ]) inv ( x ) = ( l = C ⇒ n = ) ∧ ( l = O ⇒ n ≤ ) Strictly speaking, function L is not uniquely determined, since it is possible to pick different location pointers. This canbe avoided by defining a function that returns the least n fresh variables in a given composition (assuming variables are totallyordered). A similar observation can be done about location x . Linearization Through SOS x rq , id + = ∧ wq + = wq ++ [ id + ] ∧ l = F ∧ l + = N ∧ l = C ∧ l + = Cstop , l = N ∧ l + = Sgo , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq ∧ l = N ∧ l + = P ∧ l = C ∧ l + = Ogo , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq ∧ l = S ∧ l + = P ∧ l = C ∧ l + = Oout , n + = n + ∧ l = P ∧ l + = F ∧ l = O ∧ l + = Crq , id + = ∧ wq + = wq ++ [ id + ] ∧ l = F ∧ l + = N ∧ l = C ∧ l + = Cstop , l = N ∧ l + = Sgo , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq ∧ l = N ∧ l + = P ∧ l = C ∧ l + = Ogo , p + = ∧ n + = n + ∧ wq + ++ [ p + ] = wq ∧ l = S ∧ l + = P ∧ l = C ∧ l + = Oout , n + = n + ∧ l = P ∧ l + = F ∧ l = O ∧ l + = CTrain Gate act S = { rq , go , out } Figure 4: Linear version of the gateway modelThe next step is to prove that the linear version of a composition is indeed equivalent to it. If weconsider the transition systems they induce, we find that these differ significantly among each other: theyhave different labels, invariants, etc. Thus if we want to prove equivalence at the LiTS level, we need anon-trivial definition of equivalence.A better strategy is to prove equivalence at the labeled transition level (using the explicit semantics).Therefore, we prove that p and its associated linear automaton are stateless bisimilar, after abstractingaway the values of the program counters (or location pointers). The standard notion of strong bisimilar-ity [11] is defined below. Definition 5 (Strong Bisimilarity for SOS)
A symmetric relation R is a strong bisimulation relation iffor all ( p , q ) ∈ R, and for all σ , (cid:96) , p (cid:48) , σ (cid:48) the following transfer conditions hold:1. ( p , σ ) (cid:96) −→ ( p (cid:48) , σ (cid:48) ) ⇒ (cid:104)∃ q (cid:48) :: ( q , σ ) (cid:96) −→ ( q (cid:48) , σ (cid:48) ) ∧ ( p (cid:48) , q (cid:48) ) ∈ R (cid:105) ( p , σ ) (cid:96) (cid:57)(cid:57)(cid:75) ( p (cid:48) , σ (cid:48) ) ⇒ (cid:104)∃ q (cid:48) :: ( q , σ ) (cid:96) (cid:57)(cid:57)(cid:75) ( q (cid:48) , σ (cid:48) ) ∧ ( p (cid:48) , q (cid:48) ) ∈ R (cid:105) Two closed terms p and q are strongly bisimilar, denoted SOS | = p ↔ q, if ( p , q ) ∈ R for some strongbisimulation relation R.
Next, we present the SOS rules for the variable scope operator in Table 4 (the rules for environmenttransitions are similar and therefore omitted). In these rules we make use of the following notations: • Given two sequences xs and ys , such that xs = ys , { xs (cid:55)→ ys } ∈ ran ( xs ) → ran ( ys ) is a functiondefined as follows: { xs (cid:55)→ ys } = { ( xs . i , ys . i ) | ≤ i < xs } .E. Nadales Agut & M.A. Reniers • The notation above is overloaded to denote a similar function. We believe this keeps the notationconcise and it does not bring confusion. Given a sequence xs and an element y , { xs (cid:55)→ y } ∈ ran ( xs ) → { y } is a function defined as follows: { xs (cid:55)→ y } = { ( xs . i , y ) | ≤ i < xs }• Symbol ⊥ denotes the undefined value. ( p , { xs (cid:55)→ vs } (cid:31) σ ) a , b −→ ( p (cid:48) , { xs (cid:55)→ vs (cid:48) } (cid:31) σ (cid:48) )( | [ V { xs (cid:55)→ vs } :: p ] | , σ ) a , b −→ ( | [ V { xs (cid:55)→ vs (cid:48) } :: p (cid:48) ] | , σ (cid:48) ) ( | [ V { xs (cid:55)→ vs } :: p ] | , σ ) a , b −→ ( | [ V { xs (cid:55)→ vs (cid:48) } :: p (cid:48) ] | , σ (cid:48) )( | [ V { xs (cid:55)→ ⊥} :: p ] | , σ ) a , b −→ ( | [ V { xs (cid:55)→ vs (cid:48) } :: p (cid:48) ] | , σ (cid:48) ) Theorem 9 (Correctness of the Linearization)
Let p be a composition, and L ( p ) = ( α p , ls ) . Then wehave: SOS | = p ↔ | [ V { ls (cid:55)→ ⊥} :: α p ] | Proof 1
It is possible to prove that the following relation:R (cid:44) { ( p , | [ V { ls (cid:55)→ ⊥} :: α p ] | ) | ( α p , ls ) = L ( p ) } ∪{ ( p [ is ] , | [ V { ls (cid:55)→ is } :: α p ] | ) | ( α p , ls ) = L ( p ) , is ∈ locsof ( p ) } (4) is a witness of the bisimulation. The proof uses the soundness and completeness results presented inSections 2.1 and 3.1, and it does not require the use of structural induction. We have presented linearization algorithm for a subset of CIF, which shows that every CIF compositioncan be reduced to an automaton. The linearization procedure was obtained in a stepwise manner fromthe SOS specification of this language. In this way, SOS rules are used not only to specify the behaviorof CIF, but also as a specification formalism for performing semantic preserving manipulations on thesyntactic elements of the language.The soundness and completeness results between the different transition systems give us a simpleproof of correctness on the linearization procedure. The different levels in which a language is described(explicit, symbolic, and linear semantics) provide a convenient way to tackle specific problems. Theexplicit semantics is useful for achieving an abstract and succinct specification of the language. Thesymbolic semantics give us the means for specifying symbolic computations. Finally, the linear seman-tics yields an efficient representation of the state space associated to a given composition.8
Linearization Through SOS
We conjecture the method presented here can be applied to any automaton based language. Forprocess algebraic specification language it may not be suitable due to the presence of recursion.As future work, we plan to extension the linearization algorithm to the full CIF, and therefore, toa hybrid setting. Time-can-progress predicates and dynamic types can be extracted in the same wayinvariants were extracted in this work, and therefore we expect no problems in this regard.
References [1] J. C. M. Baeten, T. Basten & M. A. Reniers (2009):
Process Algebra: Equational Theories of CommunicatingProcesses (Cambridge Tracts in Theoretical Computer Science) , 1st edition. Cambridge University Press.[2] J.C.M. Baeten, D.A. van Beek, D. Hendriks, A.T. Hofkamp, D.E. Nadales Agut, J.E. Rooda & R.R.H.Schiffelers (2010):
Definition of the Compositional Interchange Format . Technical Report DeliverableD1.1.2, Multiform. Available at .[3] Harsh Beohar, Damian E. Nadales Agut, Dirk A. van Beek & Pieter J. L. Cuijpers (2010):
Hierarchical statesin the Compositional Interchange Format . Electronic Proceedings in Theoretical Computer Science
32, pp.42–56, doi:10.4204/EPTCS.32.4.[4] P. van de Brand, M. A. Reniers & P. J. L. Cuijpers (2006):
Linearization of Hybrid Processes . Journal ofLogic and Algebraic Programming
Control for Coordination of Distributed Systems . .[6] P.J.L. Cuijpers & M.A. Reniers (2008): Lost in Translation: Hybrid-Time Flows vs Real-Time Transitions .In:
HSCC 2008 , Lecture Notes in Computer Science
Symbolic bisimulations . In:
Selected papers of the meeting on Mathematicalfoundations of programming semantics , Elsevier Science Publishers B. V., Amsterdam, The Netherlands,The Netherlands, pp. 353–389, doi:10.1016/0304-3975(94)00172-F. Available at http://portal.acm.org/citation.cfm?id=202463.202370 .[8] HYCON 2 consortium (2010):
Highly-complex and networked control systems . .[9] HYCON Network of Excellence (2005): Hybrid Control: Taming Heterogeneity and Complexity of Net-worked Embedded Systems . .[10] U. Khadim, D. A. van Beek & P. J. L. Cuijpers (2007): Linearization of Hybrid Chi Using Program Counters .Technical Report CS-Report 07-18, Eindhoven University of Technology, Department of Computer Science,The Netherlands.[11] M. R. Mousavi, M. A. Reniers & J. F. Groote (2005):
Notions of bisimulation and congruence formats forSOS with data . Information and Computation
Integrated Multi-formalism Tool Support for the Design of networkedEmbedded Control Systems MULTIFORM . .[13] D. E. Nadales Agut & M. A. Reniers (2011): Deriving a Simulator for a Hybrid Language Using SOS Rules . http://se.wtb.tue.nl/sewiki/cif/publications2 .[14] Gordon D. Plotkin (2004): A structural approach to operational semantics . Journal of Logic and AlgebraicProgramming