On the reaction time of some synchronous systems

This paper presents an investigation of the notion of reaction time in some synchronous systems. A state-based description of such systems is given, and the reaction time of such systems under some classic composition primitives is studied. Reaction …

Authors: Ilias Garnier (CEA LIST), Christophe Aussaguès (CEA LIST), Vincent David (CEA LIST)

Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.): ICE 2011, EPTCS 59, 2011, pp. 69–83, doi:10.4204/EPTCS.59.7

Ilias Garnier, Christophe Aussaguès, Vincent David
CEA, LIST, Embedded Real Time Systems Laboratory
Point Courrier 94, Gif-sur-Yvette, F-91191 France
Firstname.Lastname@cea.fr

Guy Vidal-Naquet
SUPELEC Systems Sciences (E3S), Computer Science Department
91192 Gif-sur-Yvette Cedex, France
Guy.Vidal-Naquet@supelec.fr

This paper presents an investigation of the notion of reaction time in some synchronous systems. A state-based description of such systems is given, and the reaction time of such systems under some classic composition primitives is studied. Reaction time is shown to be non-compositional in general. Possible solutions are proposed, and applications to verification are discussed. This framework is illustrated by some examples issued from studies on real-time embedded systems.

1 Introduction

A primary concern when developing hard real-time embedded systems is to ensure the timeliness of computations. This kind of requirement is often expressed as a reaction time constraint, i.e. an upper bound on the time the system may take to process an input and produce the related output. When systems are composed of multiple communicating agents, this task may be difficult. In this paper, we propose a formalization of reaction time for a certain class of synchronous systems. We show that reaction time is a fine-grained notion of functional dependency, and we show that it is non-compositional. In order to solve this problem, we propose an approximate but compositional method to reason on functional dependency and reaction time.

Related work. The specification and verification of temporal properties traditionally relies on temporal logic [6] or related formalisms [2].
With these formalisms, the system designer gives a specification of some causality or quantitative property which is then verified by model-checking. These methods are also applicable to the restricted class of synchronous systems [8]. The OASIS [5] system, which motivated this study, belongs to this class. A traditional compositional verification of synchronous systems using Moore machines [10] was given in [4]. Our formal framework to reason on reaction time was heavily inspired by the literature on information flow analysis [3] and on the category-theoretic view of process algebras [1]. It is also similar to testing methods [11].

2 Preliminaries

2.1 Case study: proving the reactivity of a simple system

Let S be a black box with two buttons A and B as inputs and the elements of any non-singleton set as outputs. In this example, we will assume that S is deterministic. Our goal is to decide whether pressing A has any observable effect on the system. A naive solution is to verify whether the new observable state is different from the previous one.

    Input:             S --A--> S_A
    Observable state:  o        o'

If $o \neq o'$, we may consider that the system seems to have answered to the pressing of A. There are two counter-arguments to this conclusion.
1. S may have decided in advance to output $o'$;
2. there is no reason for an observable consequence to occur immediately after pressing the button.
In order to obtain a correct solution, the main point to take into account is that the observable state is not only a function of the inputs but also of the internal state. From now on, we will assume that we have two identical copies of S, and we will proceed to the experiment simultaneously with the button A and the button B.

    Input:             S --A--> S_A        S --B--> S_B
    Observable state:  o        o'         o        o''

If $o' \neq o''$, we deduce that the system has distinguished between pressing the button A and the button B.
This experiment is thus strictly more informative than the previous one. In the other case, knowing that $o' = o''$ is not enough for us to extract any information on the internal behavior of the system. Indeed, the second counter-argument advances that the observable reaction can occur after an arbitrary number of transitions. A solution is to iterate the experiment on $S_A$ and $S_B$ until observing a difference, but the observable state then becomes possibly correlated to the other choices A or B performed during the experiment. The choices must thus be identical for $S_A$ and $S_B$. We can informally define reactivity by stating that if there exists a finite sequence of experiments (i.e. a word on {A, B}) allowing to distinguish the systems $S_A$ and $S_B$, then S is reactive. In formal terms, this is equivalent to stating that $S_A$ and $S_B$ must be non-bisimilar. The reaction time is the maximum length of the minimal experiment allowing to prove non-bisimilarity.

2.2 Notations and definitions

Some definitions will be useful to our work. Let Σ be a set. The set of finite words on Σ is noted $\Sigma^*$, and the set of infinite words is noted $\Sigma^\omega \equiv \mathbb{N} \to \Sigma$. The set of finite and infinite output words is $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. The length of a finite word w will be noted $|w|$. For any word w we will note $\mathrm{prefix}(w, len)$ the prefix of w of length $len$, and we also note $w[i]$ the i-th symbol of w, where $i \in [0; |w| - 1]$. The singleton set is $1 = \{\star\}$ (up to isomorphism), and the disjoint union of two sets A and B is noted $A + B$. The set of natural integers strictly inferior to x is noted $\mathbb{N}_{<x}$.

3 A formal model of synchronous systems

We aim at giving a formal model of synchronous systems sufficiently expressive to encode languages such as Lustre [8] and PsyC [5]. Our formalism is an adaptation of Moore machines [10].

3.1 The synchronous abstraction

We will restrict ourselves to the set of systems which respect the synchronous mode of computation.
In this model, the computation is divided in successive rounds. Each transition from a round to the next denotes the tick of a global logical clock. The observable state of a system is constant on each round, and changes only at the boundary between rounds. At each new round, the new internal state is a function of the current input and internal state (equivalently, the internal state is a function of the initial internal state and all previous inputs). The observable state is only a function of the internal state. The following timeline shows an example of a deterministic synchronous computation involving three successive rounds.

    tick:     0            1            2            3
    input:         in_1         in_2         in_3
    output:   out_0        out_1        out_2

In this example, the output $out_0$ is a function of the initial internal state only; the output $out_1$ is a function of the initial internal state and $in_1$; and the output $out_2$ is a function of the initial internal state, $in_1$ and $in_2$. Thus, inputs have no immediate effect on the observable state.

3.2 State-based description of synchronous systems

We define our synchronous systems as a labeled transition system (LTS) inspired by Moore machines. We recall here some definitions which will be useful in the following developments.

Definition 1 (Synchronous system). Let In be a set of inputs and Out be a set of outputs. A synchronous system $S = \langle In, Out, Q, E, out, q_i \rangle$ is the data of:
• a set of states Q,
• a transition relation $E \subseteq Q \times In \times Q$,
• a labeling function associating states to outputs $out : Q \to Out$,
• and an initial state $q_i \in Q$.
The sets In and Out are the signature of S. We will note $p \xrightarrow{a} q$ as a shorthand for $(p, a, q) \in E$. Moreover, we constrain our systems to be finitely branching and to be complete (footnote 1), i.e. $\forall p \in Q, \forall a \in In, \exists p \xrightarrow{a} q$. The computational meaning of an LTS is expressed using the notion of run.
It allows to define the output language associated to an input word.

Definition 2 (Run of a synchronous system, output language). Let $S = \langle In, Out, Q, E, out, q_i \rangle$ be a synchronous system. We define the notions of finite run and the associated output language.

Finite runs. Let $w \in In^*$ be a finite input word. The set of finite, maximal runs of S on w starting from state $q_0 \in Q$ is $\mathrm{Runs}^*_S(q_0, w) \subseteq Q \times (In \times Q)^*$ and is defined as:
$$\mathrm{Runs}^*_S(q_0, w) = \{\, q_0 . w[0] . q_1 \ldots w[|w|-1] . q_{|w|-1} \;\mid\; \forall i \in [0; |w|-1],\ q_i \xrightarrow{w[i]} q_{i+1} \,\}.$$

Output language. The output language of S associated to w and $q_0$ is $L^*_S(q_0, w) \subseteq Out^*$ and is defined as follows:
$$L^*_S(q_0, w) = \{\, out(q_0) . out(q_1) \ldots out(q_{n-1}) \;\mid\; q_0 . a_0 . q_1 . a_1 \ldots \in \mathrm{Runs}^*_S(q_0, w) \,\}.$$

The classical equivalence relation on states of labeled transition systems is bisimilarity. Its definition is slightly adapted to our notion of synchronous system.

Definition 3 (Bisimilarity, non-bisimilarity). Let $S = \langle In, Out, Q, E, out, q_i \rangle$ be a synchronous system. A relation $R \subseteq Q \times Q$ is said to be a (strong) bisimulation if and only if the following condition holds:
$$\forall (p, q) \in R,\ out(p) = out(q) \wedge (\forall p \xrightarrow{a} p',\ \exists q \xrightarrow{a} q',\ (p', q') \in R) \wedge (\forall q \xrightarrow{a} q',\ \exists p \xrightarrow{a} p',\ (p', q') \in R).$$
If there exists such a relation R s.t. $(p, q) \in R$, then p and q are said to be bisimilar, which is noted $p \sim q$. Moreover, bisimilarity is an equivalence relation. Conversely, the negation of bisimilarity $\not\sim\ \subseteq Q \times Q$ is inductively defined by the rules below. In these rules, $p, q \in Q$ and $a \in In$ are universally quantified.
$$\textsc{Base}\ \frac{out(p) \neq out(q)}{p \not\sim q} \qquad \textsc{Ind}\ \frac{\big(\exists p \xrightarrow{a} p',\ \forall q \xrightarrow{a} q',\ p' \not\sim q'\big) \vee \big(\exists q \xrightarrow{a} q',\ \forall p \xrightarrow{a} p',\ p' \not\sim q'\big)}{p \not\sim q}$$

Footnote 1: In practice, these conditions constrain the input and output data sets to be finite.
Figure 1: Some reactive and non-reactive systems. (a) Reactive deterministic system; (b) non-reactive non-deterministic system; (c) reactive non-deterministic system. Nodes are labelled $q_k : d_k$ (state : output) with subtrees $T_k$ below them, and edges carry the inputs A, B (diagrams omitted).

In this paper, except when stated otherwise, all state spaces shall be assumed to be quotiented by bisimulation equivalence.

4 Reaction time of a state in a synchronous system

This section formalizes the ideas exposed in the case study, in Sec. 2.1, and extends them to non-deterministic systems. The case study proposes to model reaction as a functional dependency between a set of inputs and the future behavior of the system. In our formal model, these future behaviors are represented as the successor states of the considered state. In this setting, we will first define a notion of reactivity inspired by functional dependency, and then define reaction time as the necessary time to prove that two successor states are not bisimilar.

4.1 Reactivity

Let In = {A, B} and Out be a non-singleton set. Let $S = \langle In, Out, Q, out, E, q_i \rangle$ be a synchronous system, and let's assume that state $q \in Q$ is as depicted in Fig. 1(a). We observe that there are two inputs A and B leading to non-bisimilar states $q_1$ and $q_2$. In this case, state q is thus reactive. In the case of non-deterministic systems, we must generalize this idea: if there exists an asymmetry in the possible transitions of a system, then it is reactive. Let's assume that state q is as depicted in Fig. 1(b). There, q is not reactive because there is a symmetry between the transitions possible with A and the transitions possible with B. This symmetry is broken in Fig. 1(c). Non-determinism highlights the fact that reactivity is a kind of non-bisimilarity.

Definition 4 (Reactivity of a state in a synchronous system, separating pair). Let In, Out be two sets, $S = \langle In, Out, Q, out, E, q_i \rangle$ be a synchronous system and $q \in Q$ be a state. We will denote $\mathrm{reactive}(q)$ the fact that q is reactive. The predicate $\mathrm{reactive}(q)$ is defined as follows:
$$\mathrm{reactive}(q) \triangleq \exists a_1, a_2 \in In,\ a_1 \neq a_2 \wedge \big(\exists q \xrightarrow{a_1} q_1,\ \forall q \xrightarrow{a_2} q_2,\ q_1 \not\sim q_2\big).$$
The pair of inputs $(a_1, a_2)$ is a separating pair of q. It is deterministic iff $\forall q \xrightarrow{a_1} q_1,\ \forall q \xrightarrow{a_2} q_2,\ q_1 \not\sim q_2$. The set of separating pairs of q is noted $\mathrm{SepPairs}(q)$, and the deterministic subset is $\mathrm{DSepPairs}(q)$.

4.2 Observable effects

Observable effects stem from a fine-grained study of reactivity. In this section, we show that an observable effect characterizes a temporally localized difference between the behaviors of non-bisimilar states.

Figure 2: A pair of separable LTS, panels (a) and (b). Nodes carry output data and edges are labelled tt / ff; the separating paths are dotted (diagrams omitted).

We show that an input data has observable effects on the system on a not necessarily finite interval.

Characterizing the difference between two states. Characterizing the difference between states can be done by studying the negation of bisimulation.

Definition 5 (Separators, strongly separable states). Let $S = \langle In, Out, Q, out, E, q_i \rangle$ be a synchronous system and $p_1, q_1 \in Q$ s.t. $p_1 \not\sim q_1$. A constructive proof of $p_1 \not\sim q_1$ is the data of (at least) two separating runs $r_1 \in \mathrm{Runs}^*_S(p_1, w)$ and $r_2 \in \mathrm{Runs}^*_S(q_1, w)$: $r_1 = p_1 . a_1 . p_2 . a_2 \ldots a_n . p_n$ and $r_2 = q_1 . a_1 . q_2 . a_2 \ldots a_n . q_n$. These runs are labelled on input by a finite word $w = a_1 . a_2 \ldots a_n$ called separator, and generate output words $o_1 \in Out^* = out(p_1) . out(p_2) \ldots out(p_n)$ and $o_2 \in Out^* = out(q_1) . out(q_2) \ldots out(q_n)$.
More generally, any separator w induces a nonempty set $O(p_1, q_1, w)$ of pairs of different output words $(o_1, o_2)$ generated by separating runs s.t. $o_1 \in L^*_S(p_1, w)$, $o_2 \in L^*_S(q_1, w)$. A separator w is deterministic when all its runs are separating, i.e. all runs stem from a proof of $p_1 \not\sim q_1$. The set of separators of two states p, q is noted $S(p, q)$, and the set of deterministic separators is noted $DS(p, q)$. Note that $DS(p, q) \subseteq S(p, q)$. Two states p, q are said to be strongly separable iff all infinite input words are prefixed with a deterministic separator.

Fig. 2 shows two separable LTS. The fact that they are non-bisimilar is proved by the existence of two separators (although one would suffice) of length two and three, as emphasized by the dotted paths. Once separability of two states is defined, we can define what an observable effect is and when it occurs. This is based on observing the differences in the output word pairs generated by a separator.

Definition 6 (Observable effect). Let $p, q \in Q$ be two states. Let $w \in In^*$ be an input word. The observable effects are generated by all the prefixes of w which are separators.
$$\mathrm{diff}_{p,q} : \prod_{w \in In^*} \mathbb{N}_{<|w|} \to 1 + (Out \times Out)$$
$$\mathrm{diff}_{p,q}(w, n) = (x_1, x_2) \leftrightarrow \mathrm{prefix}(w, n+1) \in S(p, q) \wedge (o_1, o_2) \in O(p, q, \mathrm{prefix}(w, n+1)) \wedge x_1 = o_1[n] \wedge x_2 = o_2[n]$$
$\mathrm{diff}_{p,q}(w, n)$ returns $\star \in 1$ if there is no difference at index n, or a pair $(o_1[n], o_2[n])$ s.t. $o_1[n] \neq o_2[n]$ at the same index. These differences are the observable effects induced by w.

The existence of a separator ensures that there may be an observable effect. Fig. 3 shows two systems (whose state space is quotiented by bisimulation equivalence) with an unknown output data X in Fig. 3(b). State names are omitted and the nodes only contain the output data.

Figure 3: Partial separability. (a) A system whose nodes carry the outputs 0, 1, 3, 5, ... along the B-transitions, each with a subtree $T_0$ reached on A; (b) a system of the same shape whose nodes carry the outputs 0, 0, 2, 4, ... and whose subtree $T_X$ carries the unknown output X (diagrams omitted).

If X = 0, the initial states are separable with the words of the language $B^*A$. These are deterministic separators: reading them on input ensures an observable effect. We observe that the input words of the language $B^\infty$ do not yield an observable effect. On the other hand, if $X \neq 0$, all infinite words are prefixed by a (deterministic) separator. An eventual observable reaction is guaranteed.

4.3 Reaction time

Since we work with logical time, the occurrence times of observable effects are their indices in the associated output traces. We may define the reaction time of a state as the maximum of the occurrence time of the first observable effect. This yields two possible views of reaction time: an optimistic one (an observable effect may arise...) and a pessimistic one (an observable effect must arise). Moreover, the reaction time of a state can be valid for all contexts or just for some. Our application domain requires that we choose a pessimistic approach. Compositionality in turn requires that we quantify over all possible contexts when defining reaction time, as will be shown later.

Definition 7 (Deterministic reaction time). The (deterministic) reaction time of a state w.r.t. an input is the maximum number of transitions that must be performed to see the first observable effect arise, for any input. Let $q \in Q$ be a state s.t. $\mathrm{reactive}(q)$ holds. We note by $\mathrm{detreactime}(q) = t$ the fact that q has a reaction time of t transitions, where:
$$\mathrm{detreactime}(q) = \max\{\, n \;\mid\; (a_1, a_2) \in \mathrm{DSepPairs}(q),\ q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2,\ q_1 \text{ and } q_2 \text{ strongly separable},\ w \in In^\omega,\ \mathrm{diff}_{q_1,q_2}(w, n) \neq \star \wedge \forall n' < n,\ \mathrm{diff}_{q_1,q_2}(w, n') = \star \,\}$$

5 Observable effects under composition

In the previous section, we have defined a notion of observable effects for synchronous systems.
In this section, we will investigate the way observable effects evolve when synchronous systems are composed. To this end, we will define a small process algebra, inspired by the category-theoretical work of Abramsky on concurrency [1].

Figure 4: Definition of the composition operations. (a) Sequential composition: $S_f$ maps A to B and $S_g$ maps B to C; (b) parallel composition: $S_f$ maps A to B and $S_g$ maps C to D.
$$\textsc{Seq-Next}\ \frac{q_f \xrightarrow{in_f} q'_f \qquad q_g \xrightarrow{out_f(q_f)} q'_g}{(q_f, q_g) \xrightarrow{in_f} (q'_f, q'_g)} \qquad \textsc{Seq-Output}\ \ out_{g \circ f}(q_f, q_g) = out_g(q_g)$$
$$\textsc{Par-Next}\ \frac{q_f \xrightarrow{in_f} q'_f \qquad q_g \xrightarrow{in_g} q'_g}{q_f \parallel q_g \xrightarrow{\langle in_f, in_g \rangle} q'_f \parallel q'_g} \qquad \textsc{Par-Output}\ \ out_{f \parallel g}(q_f \parallel q_g) = \langle out_f(q_f), out_g(q_g) \rangle$$

5.1 Data types

In order to model multiple input-output ports, we will force a monoidal structure on the data processed by our synchronous systems. Let Basic = {int; bool; 1; ...} be a set of basic datatypes. The set of datatypes is the monoid $\langle D, \times \rangle$ generated by Basic and closed by cartesian product.

5.2 Composition operators

Our composition operators are sequential composition and parallel composition. The transition relations of the compound systems are defined in a classic way, using a small-step semantics given by SOS inference rules (cf. Fig. 4).

Sequential composition. Let A, B, C be three sets. Let $S_f = \langle A, B, Q_f, E_f, out_f, q_{i,f} \rangle$ and $S_g = \langle B, C, Q_g, E_g, out_g, q_{i,g} \rangle$ be two systems. The sequential composition $S_g \circ S_f$ proceeds by redirecting the output of $S_f$ to the input of $S_g$. The compound system is $S_g \circ S_f = \langle A, C, Q_f \times Q_g, E_{g \circ f}, out_{g \circ f}, (q_{i,f}, q_{i,g}) \rangle$, where $E_{g \circ f}$ and $out_{g \circ f}$ are defined in Fig. 4.

Parallel composition. Let A, B, C, D be four sets. Let $S_f = \langle A, B, Q_f, E_f, out_f, q_{i,f} \rangle$ and $S_g = \langle C, D, Q_g, E_g, out_g, q_{i,g} \rangle$ be two systems.
The parallel composition proceeds by pairing the respective transitions of $S_f$ and $S_g$ in a synchronous way. The compound system is $S_f \parallel S_g = \langle A \times C, B \times D, Q_f \times Q_g, E_{f \parallel g}, out_{f \parallel g}, (q_{i,f}, q_{i,g}) \rangle$ where $E_{f \parallel g}$ and $out_{f \parallel g}$ are also defined in Fig. 4.

Other operations. Another important operation is the feedback. We omit it for space reasons, but it must be noted that it exhibits the same behavior as sequential composition. The other operations necessary to make our definitions into a usable process algebra are structural ones, like data duplication, erasure, etc. These important details are omitted from the following study.

Figure 5: Example of disappearing separator. Machine $S_f$ has states $p_0 : 0$, $p_1 : 1$, $p_2 : 0$, $p_3 : 0$, $p_4 : 0$ with transitions on A, B and $*$; machine $S_g$ has states $q_0$ to $q_5$ with output tt and $q_6$ with output ff, with transitions on 0, 1, {0, 1} and $*$ (diagrams omitted).

5.3 Observable effects w.r.t. sequential composition

In this section, we study the behavior of the observable effects of systems when they are composed. We restrict our attention to sequential composition since it is easy to show that parallel composition doesn't alter the behavior of the sub-components. We show that under sequential composition, whenever reactivity still holds, the observable effects can vary arbitrarily. Our examples will be given on Moore machines whose state space is not quotiented by bisimulation equivalence. The proof that reactivity can be lost follows the same argument that shows that the composition of two non-constant total functions can be constant. The figure below shows the composition of two reactive Moore machines $S_f$ and $S_g$ whose composition is not reactive. In this example, this stems from the fact that the observable effect (0, 1) of the input received in state $p_0$ of the machine $S_f$ is not "taken into account" by the machine $S_g$, i.e. (0, 1) is not a separating pair of state $q_1$.
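As an added, runnable illustration of Definitions 1, 3, 4 and 7 together with the sequential composition of Fig. 4 and the disappearing-effect phenomenon of Sec. 5.3 (example code written for this page, not the paper's own; the machines SF, SG_IGNORE and SG_LATCH are constructed here and are not those of Fig. 5): bisimilarity is computed by partition refinement, separating pairs and the deterministic reaction time follow the definitions, and the source machine SF is composed once with a receiver that ignores its effect (composition not reactive) and once with one that sees it a round later (reaction time grows by the communication delay).

```python
from itertools import product


class SyncSystem:
    """Complete, finitely branching LTS with Moore-style outputs (Definition 1).
    In an edge (p, a, q), the input "*" stands for every symbol of In."""

    def __init__(self, inputs, edges, out, init):
        self.inputs, self.out, self.init = tuple(inputs), dict(out), init
        self.states = tuple(self.out)
        self.edges = {(p, a): set() for p in self.states for a in self.inputs}
        for p, a, q in edges:
            for b in (self.inputs if a == "*" else (a,)):
                self.edges[(p, b)].add(q)
        for (p, a), succ in self.edges.items():           # completeness check
            assert succ, f"state {p!r} has no {a!r}-transition"

    def bisimilar(self):
        """Largest strong bisimulation (Definition 3) by partition refinement:
        BASE splits states by output; each round applies IND by splitting states
        whose a-successors fall into different blocks, until nothing splits."""
        block = {p: self.out[p] for p in self.states}
        while True:
            sig = {p: (block[p], tuple(frozenset(block[q] for q in self.edges[(p, a)])
                                       for a in self.inputs)) for p in self.states}
            ids = {s: i for i, s in enumerate(set(sig.values()))}
            new = {p: ids[sig[p]] for p in self.states}
            if len(ids) == len(set(block.values())):       # no block was split
                return lambda p, q: new[p] == new[q]
            block = new

    def sep_pairs(self, q):
        """Separating pairs of q (Definition 4) and their deterministic subset."""
        bis = self.bisimilar()
        pairs, det = set(), set()
        for a1, a2 in product(self.inputs, repeat=2):
            s1, s2 = self.edges[(q, a1)], self.edges[(q, a2)]
            if a1 != a2 and any(all(not bis(q1, q2) for q2 in s2) for q1 in s1):
                pairs.add((a1, a2))
                if all(not bis(q1, q2) for q1 in s1 for q2 in s2):
                    det.add((a1, a2))
        return pairs, det

    def reactive(self, q):
        return bool(self.sep_pairs(q)[0])

    def det_reaction_time(self, q):
        """Deterministic reaction time (Definition 7) in a deterministic system:
        the largest index, over deterministic separating pairs and all input
        words, of the first observable effect; None if some word never has one."""
        _, det = self.sep_pairs(q)
        times = []
        for a1, a2 in det:
            (q1,), (q2,) = self.edges[(q, a1)], self.edges[(q, a2)]
            times.append(self._first_effect(q1, q2, {}, ()))
        return None if not times or None in times else max(times)

    def _first_effect(self, p, r, memo, path):
        """Longest common-input run from (p, r) before the outputs differ
        (diff != *); None when a cycle of equal outputs is reachable."""
        if self.out[p] != self.out[r]:
            return 0
        if (p, r) in path:
            return None
        if (p, r) not in memo:
            best = 0
            for a in self.inputs:
                (p2,), (r2,) = self.edges[(p, a)], self.edges[(r, a)]
                t = self._first_effect(p2, r2, memo, path + ((p, r),))
                if t is None:
                    return None
                best = max(best, t + 1)
            memo[(p, r)] = best
        return memo[(p, r)]


def seq_compose(sf, sg):
    """S_g o S_f by SEQ-NEXT / SEQ-OUTPUT (Fig. 4): on input a, S_f steps on a and
    S_g steps on out_f of S_f's current state, one round late; output is S_g's."""
    out = {(pf, pg): sg.out[pg] for pf in sf.states for pg in sg.states}
    edges = [((pf, pg), a, (qf, qg)) for (pf, pg) in out for a in sf.inputs
             for qf in sf.edges[(pf, a)] for qg in sg.edges[(pg, sf.out[pf])]]
    return SyncSystem(sf.inputs, edges, out, (sf.init, sg.init))


# Constructed machines (not the paper's figures).  SF: inputs {A, B}, outputs
# {0, 1}; the choice made in p0 shows on output only one or two rounds later.
SF = SyncSystem("AB", [("p0", "A", "p1"), ("p0", "B", "p2"), ("p1", "A", "p3"),
                       ("p1", "B", "p5"), ("p2", "*", "p4"), ("p3", "*", "p4"),
                       ("p4", "*", "p4"), ("p5", "*", "p3")],
                {"p0": 0, "p1": 0, "p2": 0, "p3": 1, "p4": 0, "p5": 0}, "p0")
# SG_IGNORE is reactive in g0 through the pair (0, 1), but composed after SF it
# first reads out_f(p0) = 0, moves to g2 and stays: SF's effect is never seen.
SG_IGNORE = SyncSystem([0, 1], [("g0", 0, "g2"), ("g0", 1, "g1"),
                                ("g1", "*", "g1"), ("g2", "*", "g2")],
                       {"g0": "ff", "g1": "tt", "g2": "ff"}, "g0")
# SG_LATCH waits in g0 for the first 1 and then outputs tt forever.
SG_LATCH = SyncSystem([0, 1], [("g0", 0, "g0"), ("g0", 1, "g1"), ("g1", "*", "g1")],
                      {"g0": "ff", "g1": "tt"}, "g0")
```

SF.det_reaction_time("p0") is 2, the composition with SG_IGNORE is not reactive in (p0, g0), and the composition with SG_LATCH has reaction time 3: the same effect seen one round later.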
Figure (unnumbered): machine $S_f$ with states $p_0 : 0$, $p_1 : 1$, $p_2 : 0$ and transitions on A, B and $*$; machine $S_g$ with states $q_0, q_1, q_2$ of output tt and $q_3$ of output ff, with transitions on {0, 1}, 2 and $*$; and the composed machine $S_g \circ S_f$, a single state of constant output tt looping on $*$ (diagrams omitted).

The fact that an observable effect of $S_f$ is a separating pair of $S_g$ is not enough to guarantee an observable effect on output. Sequential composition restricts the input language of the system in receiving position (here, $S_g$). This means that separators can appear and disappear arbitrarily. The two Moore machines in Fig. 5 are modifications of the earlier ones. The states $p_0$ and $q_1$ are still reactive, but when composed the output symbols on $p_3$ and $p_4$ restrict the set of inputs of the states $q_2$ and $q_3$ to the word 0. Thus, $q_2$ and $q_3$ are no longer separable and the result is the constant machine shown earlier. The conclusion of this study confirms the intuition: there is no general way of guaranteeing functional dependencies. These results extend to reaction time, which is not conserved: the receiving machine may ignore the first observable effect and take into account ulterior ones. In verification terms, this means that in order to verify that the composition of two systems is reactive, a full search of the state space for separators must be undertaken. In the next section, an approximate but compositional method to simplify this process is proposed.

6 Under-approximating observable effects

This section proposes a partial solution to some problems encountered earlier, namely:
1. the fact that non-deterministic separators do not guarantee an observable effect,
2. the non-compositionality of reactivity and observable effects.
We proceed by reducing our focus to the cases where reactivity, which is a branching-time property of states, can be reduced to a linear-time one. We show how to compute the separators and separating pairs which are preserved when "merging" all branches of the computation tree.
Let us assume the existence of two sets of data In and Out. Let q be a state such that $\mathrm{reactive}(q)$ holds, and let $(a_1, a_2) \in \mathrm{SepPairs}(q)$ be a separating pair of inputs. In Sec. 4.3, we observed that in order to ensure the occurrence of an observable effect and the existence of a reaction time, q must be such that all inputs are deterministic separators for all $q_1$ and $q_2$ s.t. $q \xrightarrow{a_1} q_1$ and $q \xrightarrow{a_2} q_2$. If this condition is met, we can compute deterministic observable effects, i.e. effects which exist for all separators. Similarly, we can define deterministic separating pairs.

First, we define some operations in order to merge sequences of observable effects. We define the operation $\oplus : (1 + Out \times Out) \times (1 + Out \times Out) \to (1 + Out \times Out)$ as:
$$x \oplus x = x \qquad\qquad x \oplus y = \star \ \text{ if } x \neq y.$$
The extension of this operation to sequences of symbols on $(1 + Out \times Out)$ is defined straightforwardly. If $d_1, d_2 \in (1 + Out \times Out)^\omega$ are two infinite sequences, their merging is also noted $d_1 \oplus d_2$.

Definition 8 (Deterministic observable effects, observational order). Let q be a state s.t. $\mathrm{reactive}(q)$ holds. The sequence of deterministic observable effects of q is noted $\mathrm{DOE}(q)$ and is defined as follows:
$$\mathrm{DOE}(q) = \bigoplus_{(a_1, a_2) \in \mathrm{SepPairs}(q)} \{\, \mathrm{diff}_{q_1,q_2}(w) \;\mid\; q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2,\ w \in In^\omega \,\}.$$
It is possible to define a relation $\prec\ \subseteq (1 + Out \times Out)^\omega \times (1 + Out \times Out)^\omega$, where:
$$w_1 \prec w_2 \leftrightarrow \exists!\, i,\ (\forall j \neq i,\ w_1[j] = w_2[j]) \wedge (w_1[i] = \star \wedge w_2[i] \neq \star).$$
The reflexive-transitive closure of $\prec$ is the observational order and is noted $\preccurlyeq$. The set $\mathrm{ObsOrder}(q)$ of infinite strings partially ordered by $\preccurlyeq$ which has $\mathrm{DOE}(q)$ as greatest element and $\star^\omega$ as least element is called by extension the observational order on q.

We must also define linear time-proof separating pairs, called strongly separating pairs. Let's consider the systems in Fig. 6, in which only the output data is displayed and state names are omitted. The systems 1 and 2 are symmetrical and both have (A, B) as a separating pair for their initial state. However, (A, B) is not a separating pair for the union of the two systems. We must define a notion of separating pair for two systems which resists their union.

Definition 9 (Strongly separating pairs). Let $q_1, q_2$ be two states s.t. $\mathrm{reactive}(q_{1,2})$ holds. The pair $(a_1, a_2) \in \mathrm{SepPairs}(q_{1,2})$ is a strongly separating pair of the union of $q_1$ and $q_2$ if and only if:
$$\big(\exists q_1 \xrightarrow{a_1} q'_1,\ \forall q_2 \xrightarrow{a_2} q'_2,\ q'_1 \not\sim q'_2\big) \vee \big(\exists q_1 \xrightarrow{a_2} q'_1,\ \forall q_2 \xrightarrow{a_1} q'_2,\ q'_1 \not\sim q'_2\big).$$

Figure 6: Union of transition systems. (a) System 1 and (b) System 2: from an initial state of output d, the inputs A and B lead to the subtrees $T_1$ (output tt) and $T_2$ (output ff), with opposite assignments in the two systems; (c) the union of systems 1 and 2, in which both subtrees are reachable on either input (diagrams omitted).

The set of strongly separating pairs of $q_1$ and $q_2$ is noted $\mathrm{SSP}(q_1, q_2)$. Note that $\mathrm{SepPairs}(q) = \mathrm{SSP}(q, q)$. The sequence of strongly separating pairs of $q_1$ and $q_2$ is noted $\mathrm{SSPseq}(q_1, q_2)$ and is defined as follows:
$$\mathrm{SSPseq}(q_1, q_2) = \mathrm{SSP}(q_1, q_2) \,.\, \bigcap \{\, \mathrm{SSPseq}(q'_1, q'_2) \;\mid\; (a_1, a_2) \in \mathrm{SepPairs}(q),\ q_1 \xrightarrow{a_1} q'_1,\ q_2 \xrightarrow{a_2} q'_2 \,\},$$
where $\bigcap$ is the extension of set intersection to sequences of sets. Now, let q be s.t. $\mathrm{reactive}(q)$ holds. The sequence of strongly separating pairs of q is:
$$\mathrm{SSPseq}(q) = \mathrm{SepPairs}(q) \,.\, \bigcap \{\, \mathrm{SSPseq}(q_1, q_2) \;\mid\; (a_1, a_2) \in \mathrm{SepPairs}(q),\ q \xrightarrow{a_1} q_1,\ q \xrightarrow{a_2} q_2 \,\}.$$
Deterministic observable effects are in fact an abstraction of the original system. The concretization operation is the function associating to a sequence of deterministic observable effects the set of all systems which have at least these deterministic observable effects (w.r.t. $\preccurlyeq$). Using this abstraction, checking the compositionality of sequential composition is straightforward.
Lemma 1 (Sequential composition of deterministic observable effects ensures reactivity). Let $S_f = \langle A, B, Q_f, E_f, out_f, q_{i,f} \rangle$ and $S_g = \langle B, C, Q_g, E_g, out_g, q_{i,g} \rangle$ be two systems. Let $q_f \in Q_f$ and $q_g \in Q_g$ be two states such that $(q_f, q_g)$ is in the state space of the sequential composition $S_g \circ S_f$. We have $\mathrm{reactive}(q_f, q_g)$ if:
$$\exists d \in \mathrm{ObsOrder}(q_f),\ \exists i,\ d[i] \in \mathrm{SSPseq}(q_g)[i+1].$$

Proof. Let $i \in \mathbb{N}$ be such that $d[i] \in \mathrm{SSPseq}(q_g)[i+1]$. Having $d[i] = (x_1, x_2)$ implies that $\mathrm{reactive}(q_f)$ holds. Hence, there exists $a_1 \neq a_2$ s.t. $\exists q_f \xrightarrow{a_1} q^1_f,\ \forall q_f \xrightarrow{a_2} q^2_f,\ q^1_f \not\sim q^2_f$. By hypothesis, we know that all input words are separators of all such $(q^1_f, q^2_f)$. By definition, $d[i]$ is an observable effect of all these separators. Hence, for all input words w there will exist two runs $q^1_f \xrightarrow{\mathrm{prefix}(w, i)}{}^{+} r^1_f$ and $q^2_f \xrightarrow{\mathrm{prefix}(w, i)}{}^{+} r^2_f$ s.t. $out(r^1_f) = x_1$ and $out(r^2_f) = x_2$. By definition of the sequential composition, this induces the runs $(q^1_f, q^1_g) \xrightarrow{\mathrm{prefix}(w, i)}{}^{+} (r^1_f, r^1_g)$ and $(q^2_f, q^1_g) \xrightarrow{\mathrm{prefix}(w, i)}{}^{+} (r^2_f, r^2_g)$ (with $q_g \xrightarrow{out(f)} q^1_g$). Since $(x_1, x_2) \in \mathrm{SSP}(r^{1,2}_g)$ (by definition of SSPseq), $(q^1_f, q^1_g) \not\sim (q^2_f, q^1_g)$.

The compositionality of this approach stems from the fact that for any systems $S_f$, $S_g$ and respective states $q_f$ and $q_g$, an element of $\mathrm{ObsOrder}(q_f, q_g)$ can be computed using other elements from ObsOrder and SSP.

Definition 10 (Compositionality of deterministic observable effects). Let $q_f \in Q_f$, $q_g \in Q_g$ be two states. Let $doe_f \in \mathrm{ObsOrder}(q_f)$ and $dsp_g \in \mathrm{SSP}(q_g)$. If there exists a t s.t. $doe_f[t] \in dsp_g[t+1]$ then there exists an element $doe^t_{g \circ f} \in \mathrm{ObsOrder}(q_f, q_g)$ s.t.:
$$doe^t_{g \circ f} = \star . \star^t . \bigoplus \{\, doe'_g \;\mid\; (q_f, q_g) \to^{t+1} (q'_f, q'_g),\ doe'_g \in \mathrm{ObsOrder}(q'_g) \,\}.$$
This element is computed by merging the deterministic observable effects of the states of $q_g$ reachable in t + 1 transitions. The initial $\star$ stems from the delay induced by communication in the synchronous model.

A similar property holds for separating pairs. We only describe informally how to proceed, since the general idea is similar to the case of deterministic observable effects. A strongly separating pair of $q_f$ exists in $S_g \circ S_f$ if the states $q^1_f, q^2_f$ reachable by this pair have a common observable effect (computable using $\oplus$) which corresponds to a strongly separating pair of $q_g$.

7 Example

As explained in the introduction, our work focuses on a real-time system called OASIS, which provides a real-time kernel and a multi-agent synchronous-like language called PsyC (an extension of C with synchronous primitives). We have given a formal semantics of a simplification of PsyC called Psy-ALGOL. We will use this semantics to highlight a common use case of our framework.

7.1 Syntax and semantics of a simple synchronous language

In order to give the semantics of a program, we have to define how its LTS is generated. We briefly survey a subset of the syntax of the language.

Figure 7: Definition of well-typed programs.
$$\frac{}{\mathrm{skip} : \mathrm{comm}} \qquad \frac{}{\Gamma, x : \sigma \vdash x : \sigma} \qquad \frac{b \in \{tt, ff\}}{\Gamma \vdash b : \mathrm{exp(bool)}} \qquad \frac{n \in \mathbb{N}}{\Gamma \vdash n : \mathrm{exp(int)}}$$
$$\frac{\Gamma \vdash V : \mathrm{var}(\tau)}{\Gamma \vdash\ !V : \mathrm{exp}(\tau)} \qquad \frac{\Gamma \vdash V : \mathrm{var}(\tau) \quad \Gamma \vdash E : \mathrm{exp}(\tau)}{\Gamma \vdash V := E : \mathrm{comm}}$$
$$\frac{\Gamma \vdash A_0 : \mathrm{exp(bool)} \quad \Gamma \vdash A_1 : \sigma \quad \Gamma \vdash A_2 : \sigma}{\Gamma \vdash \mathrm{if}\ A_0\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2 : \mathrm{comm}} \qquad \frac{\Gamma \vdash A_0 : \mathrm{comm} \quad \Gamma \vdash A_1 : \sigma}{\Gamma \vdash A_0 ; A_1 : \mathrm{comm}}$$
$$\frac{\Gamma \vdash A_0 : \mathrm{exp(bool)} \quad \Gamma \vdash A_1 : \mathrm{comm}}{\Gamma \vdash \mathrm{while}\ A_0\ \mathrm{do}\ A_1\ \mathrm{done} : \mathrm{comm}} \qquad \frac{\Gamma \vdash A_0 : \pi_0 Out \quad \ldots \quad \Gamma \vdash A_{|Out|-1} : \pi_{|Out|-1} Out}{\Gamma \vdash \mathrm{tick}(A_0 \ldots A_{|Out|-1}) : \mathrm{comm}} \qquad \frac{i \in \mathbb{N}_{<|In|}}{\Gamma \vdash \mathrm{get}_i : \pi_i In}$$
The connection between the semantics and the resulting LTS should be straightforward; we will thus omit the derivations.

Syntax. The syntax definition is given inductively, using inference rules on judgments of the shape $\Gamma \vdash M : \sigma$, meaning "in the context $\Gamma$, the program $M$ has type $\sigma$". A context is a list of the shape $x_1 : \sigma_1, \dots, x_n : \sigma_n$; it associates variables $x_i$ to their types $\sigma_i$. For the sake of simplicity, we assume that all variables are declared beforehand and initialized to their default value. We ignore procedures and keep the other syntactical forms as simple as possible. The types $\sigma$ and the default values are defined as follows:

$\tau ::= \mathrm{int} \mid \mathrm{bool}$
$\sigma ::= \mathrm{comm} \mid \mathrm{var}(\tau) \mid \mathrm{exp}(\tau)$
$\mathit{default}_{\mathrm{int}} = 0 \qquad \mathit{default}_{\mathrm{bool}} = ff$

Assuming that the programs have input and output types $\langle In, Out \rangle$, the set $Prog$ of correctly typed programs is defined in Fig. 7. We omit the arithmetical operators.

Semantics. We will define the operational semantics of our language as a small-step relation. An operational semantics is usually a kind of relation associating a program in its initial configuration to its final outcome (be it a final value or divergence). Our aim is slightly different: we want to view the evaluation of a program as a synchronous system. This means that instead of producing a final value or diverging, we want to quantify over all possible inputs at each logical step, and produce an LTS. In order to simplify matters, our LTS will be given in unfolded form, as an infinitely deep tree. Each step of the evaluation grows this tree downward, and the limit of this process is the semantics of the program. Let us proceed to some definitions.

Definition 11. The set of configurations is $Config \triangleq Store(V) \times In \times Prog$, where $V$ is the set of variables of the program and $Store(V)$ is a mapping from variables to constants.

Definition 12. The sets $Trees$ of finite (resp. infinite) partial evaluation trees are generated by the inductive (resp. co-inductive) interpretation of the following rules.

LEAF: $\dfrac{conf \in Config}{conf \in Trees}$
NODE: $\dfrac{out \in Out \quad \forall in,\ tr_{in} \in Trees}{(out, \{(in, tr_{in}) \mid in \in In\}) \in Trees}$

Let $T$ be a partial evaluation tree with leaves $(st_i, in_i, prog_i)$. Given a syntactical mapping $map : Prog \to Prog$, we note $map \downarrow T$ the extension of $map$ to the leaves of $T$, such that $(map \downarrow T)$ has leaves $(st_i, in_i, map(prog_i))$. The one-step reduction relation $\to \subseteq FiniteTrees \times FiniteTrees$ is defined in terms of a relation $\rightarrowtail \subseteq Config \times FiniteTrees$ given by the rules in Fig. 8. We define $\to$ as the application of $\rightarrowtail$ to the leaves of a tree. From there, we can define the standard reflexive-transitive closure of $\to$ and its co-inductive counterpart as in [9].

7.2 Example of synchronous programs.

We will study the behavior of two programs, whose texts and associated (deterministic) LTS are displayed in Fig. 9. The first program captures an input datum at the beginning of the outer loop and releases it on output when the inner loop finishes executing. The second program proceeds similarly, except that the termination of the inner loop is ensured by a decreasing counter $y$ initialized to a constant $N$. In the LTS of program 2, this corresponds to the dashed transition between $q_1$ and $q_2$, which should be understood as $N-2$ omitted states with decreasing values of $y$. We want to check whether the data inputted at the $\mathrm{tick}(!x);$ lines highlighted in both programs yield a finite reaction time. These instructions correspond to states $p_0, p_2$ in LTS 1, and $q_0, q_3$ in LTS 2. Thus, in order for these instructions to be "reactive", the corresponding states must have a finite reaction time. In order to study this, we will compute their deterministic observable effects.
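To make the construction of Fig. 8 concrete before the hand analysis of the two programs, here is an added example (not from the paper): a Python small-step interpreter for the Psy-ALGOL subset used in Fig. 9, with one boolean input and one boolean output, which follows a chosen input word down the evaluation tree and returns the outputs of successive ticks. Programs are encoded as tuples; CONST, VAR and DEREF-CONTEXT collapse into DEREF-VAR because variables occur here only as `!x` or as assignment targets, and both the `bin` rule for the arithmetic the paper omits and the convention that no input is communicated before the first tick are assumptions of mine.

```python
INPUTS, STORE = (True, False), {'x': False, 'y': 0}   # In = Out = bool (tt = True, ff = False); variables start at default values
def down(t, f):                             # map ↓ T: rewrite the program of every leaf of a config or output node
    if t[0] == 'node':
        return ('node', t[1], {i: down(c, f) for i, c in t[2].items()})
    return (t[0], t[1], f(t[2]))

def step(st, inp, p):                       # one ↣ step of Fig. 8 on (store, input, program); config or output node
    if p[0] == 'deref':                                     # DEREF-VAR
        return (st, inp, ('const', st[p[1]]))
    if p[0] == 'get':                                       # GET (single input stream)
        return (st, inp, ('const', inp))
    if p[0] == 'assign' and p[2][0] == 'const':             # ASSIGN-CONST
        return ({**st, p[1]: p[2][1]}, inp, ('skip',))
    if p[0] == 'assign':                                    # ASSIGN-CONTEXT
        return down(step(st, inp, p[2]), lambda a: ('assign', p[1], a))
    if p[0] == 'seq':                                       # SEQ-SKIP / SEQ-CONTEXT
        if p[1] == ('skip',): return (st, inp, p[2])
        return down(step(st, inp, p[1]), lambda a: ('seq', a, p[2]))
    if p[0] == 'if':                                        # IF-TRUE / IF-FALSE / IF-COND-CONTEXT
        if p[1][0] == 'const': return (st, inp, p[2] if p[1][1] else p[3])
        return down(step(st, inp, p[1]), lambda c: ('if', c, p[2], p[3]))
    if p[0] == 'while':                                     # WHILE-UNFOLD
        return (st, inp, ('if', p[1], ('seq', p[2], p), ('skip',)))
    if p[0] == 'tick':                                      # TICK-CONSTANT / TICK-CONTEXT with |Out| = 1
        if p[1][0] == 'const': return ('node', p[1][1], {i: (st, i, ('skip',)) for i in INPUTS})
        return down(step(st, inp, p[1]), lambda a: ('tick', a))
    if p[0] == 'bin':                                       # assumed rule for the arithmetic the paper omits
        if p[2][0] != 'const': return down(step(st, inp, p[2]), lambda a: ('bin', p[1], a, p[3]))
        if p[3][0] != 'const': return down(step(st, inp, p[3]), lambda b: ('bin', p[1], p[2], b))
        return (st, inp, ('const', p[1](p[2][1], p[3][1])))
    raise ValueError(p)

def run(prog, word, store=STORE):           # follow one input word down the evaluation tree; returns tick outputs
    conf, outs = (store, None, prog), []    # assumption: no input has been communicated before the first tick
    for i in word:
        while conf[0] != 'node':
            if conf[2] == ('skip',): return outs            # program terminated: no further tick
            conf = step(*conf)
        outs.append(conf[1]); conf = conf[2][i]             # output of this tick, then the child for input i
    return outs

def seq(*xs): return xs[0] if len(xs) == 1 else ('seq', xs[0], seq(*xs[1:]))   # right-nested A0; A1; ...
# Fig. 9, program 1: the input captured after tick(!x) is released only when the inner loop exits.
PROG1 = seq(('assign', 'x', ('const', False)), ('while', ('const', True), seq(
    ('tick', ('deref', 'x')), ('assign', 'x', ('get',)), ('while', ('get',), ('tick', ('const', False))))))
def prog2(n):   # Fig. 9, program 2: the inner loop is bounded by the counter y initialised to N = n
    cond = ('bin', lambda g, y: g and y != 0, ('get',), ('deref', 'y'))
    dec = ('assign', 'y', ('bin', lambda y, k: y - k, ('deref', 'y'), ('const', 1)))
    return seq(('assign', 'x', ('const', False)), ('assign', 'y', ('const', n)), ('while', ('const', True), seq(
        ('tick', ('deref', 'x')), ('assign', 'x', ('get',)), ('assign', 'y', ('const', n)),
        ('while', cond, seq(dec, ('tick', ('const', False)))))))
```

Along $tt^\omega$, program 1 outputs only $ff$, whereas program 2 with $N = 2$ releases the captured $tt$ at the fourth tick; the unfolded tree of Definition 12 is obtained by following every child of each node instead of a single word.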
CONST: $(st, in, c) \rightarrowtail (st, in, c)$ for $c \in V$
VAR: $(st, in, x) \rightarrowtail (st, in, x)$ for $x \in dom(st)$
SEQ-CONTEXT: $\dfrac{(st, in, A_0) \rightarrowtail T}{(st, in, A_0 ; A_1) \rightarrowtail (\lambda A'_0 \cdot A'_0 ; A_1) \downarrow T}$
SEQ-SKIP: $(st, in, \mathrm{skip} ; A_1) \rightarrowtail (st, in, A_1)$
DEREF-CONTEXT: $\dfrac{(st, in, A) \rightarrowtail T}{(st, in, !A) \rightarrowtail (\lambda A' \cdot\ !A') \downarrow T}$
DEREF-VAR: $(st, in, !x) \rightarrowtail (st, in, st(x))$
ASSIGN-CONTEXT: $\dfrac{(st, in, A) \rightarrowtail T}{(st, in, x := A) \rightarrowtail (\lambda A' \cdot x := A') \downarrow T}$
ASSIGN-CONST: $(st, in, x := v) \rightarrowtail (st \mid x \mapsto v, in, \mathrm{skip})$
GET: $(st, in, \mathrm{get}\ i) \rightarrowtail (st, in, \pi_i\, in)$
IF-COND-CONTEXT: $\dfrac{(st, in, A_0) \rightarrowtail T}{(st, in, \mathrm{if}\ A_0\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2) \rightarrowtail (\lambda A'_0 \cdot \mathrm{if}\ A'_0\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2) \downarrow T}$
IF-TRUE: $(st, in, \mathrm{if}\ tt\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2) \rightarrowtail (st, in, A_1)$
IF-FALSE: $(st, in, \mathrm{if}\ ff\ \mathrm{then}\ A_1\ \mathrm{else}\ A_2) \rightarrowtail (st, in, A_2)$
WHILE-UNFOLD: $(st, in, \mathrm{while}\ A_0\ \mathrm{do}\ A_1\ \mathrm{done}) \rightarrowtail (st, in, \mathrm{if}\ A_0\ \mathrm{then}\ A_1 ; \mathrm{while}\ A_0\ \mathrm{do}\ A_1\ \mathrm{done}\ \mathrm{else}\ \mathrm{skip})$
TICK-CONTEXT-$i$: $\dfrac{(st, in, A_i) \rightarrowtail T}{(st, in, \mathrm{tick}(c_0 \dots c_{i-1}, A_i \dots A_{|Out|-1})) \rightarrowtail (\lambda A'_i \cdot \mathrm{tick}(c_0 \dots c_{i-1}, A'_i \dots A_{|Out|-1})) \downarrow T}$
TICK-CONSTANT: $(st, in, \mathrm{tick}(c_0 \dots c_{|Out|-1})) \rightarrowtail ((c_0 \dots c_{|Out|-1}), \{(input, (st, input, \mathrm{skip})) \mid input \in In\})$

Figure 8: One-step reduction relation.

Program 1. The set of separating pairs of $p_0$ and $p_2$ is $SepPairs(p_{0,2}) = \{(tt, ff)\}$. This fact is proved by the transitions $p_0 \xrightarrow{tt} p_1$, $p_0 \xrightarrow{ff} p_0$, and $p_2 \xrightarrow{tt} p_1$, $p_2 \xrightarrow{ff} p_0$, where $p_0 \not\sim p_1$. The only separator of $(p_0, p_1)$ is the one-symbol word $w = ff$. This fact is proved by the transitions $p_0 \xrightarrow{ff} p_0$ and $p_1 \xrightarrow{ff} p_2$, where $out(p_0) \neq out(p_2)$. The separator $w$ is deterministic, since the underlying automaton is itself deterministic. This separator induces a pair of output words $(o_1, o_2) = (ff.ff, ff.tt)$ and thus an observable effect $diff_{p_0, p_1}(w, 1) = (ff, tt)$. However, this observable effect is not deterministic, since there exists an infinite input word $tt^\omega$ which generates no observable effect. Thus, the sequence of observable effects of $p_0$ and $p_2$ is $\star^\omega$, and the reaction time for the highlighted instruction does not exist (or, equivalently, is infinite).

Program 2. The set of separating pairs of $q_0$ and $q_3$ is still $SepPairs(q_{0,3}) = \{(tt, ff)\}$. The corresponding transitions are $q_0 \xrightarrow{tt} q_1$, $q_0 \xrightarrow{ff} q_0$ and $q_3 \xrightarrow{tt} q_1$, $q_3 \xrightarrow{ff} q_0$, with $q_0 \not\sim q_1$. The (deterministic) separators of $(q_0, q_1)$ are $S(q_0, q_1) = DS(q_0, q_1) = \{ff;\ tt.ff;\ tt.tt.ff;\ \dots;\ tt^{N-2}.ff;\ tt^{N-1}.bool\}$. The table below lists the observable differences associated to each separator.

$ff \mapsto \star.(ff, tt).\star^\omega$
$tt.ff \mapsto \star.\star.(ff, tt).\star^\omega$
$\dots$
$tt^{N-2}.ff \mapsto \star^{N-1}.(ff, tt).\star^\omega$
$tt^{N-1}.bool \mapsto \star^{N}.(ff, tt).\star^\omega$

When merging these observable differences, we obtain $DOE(q_{0,3}) = \star^\omega$. This means that even though program 2 is reactive with a finite reaction time, it is still non-compositional within our simple framework. This is due to the fact that the occurrence times of the observable effects are non-uniform w.r.t. inputs, i.e. non-constant.

PROGRAM 1
  x := ff;
  while tt do
    tick(!x);   ⇐
    x := get;
    while get do tick(ff) done;
  done

PROGRAM 2
  x := ff; y := N;
  while tt do
    tick(!x);   ⇐
    x := get; y := N;
    while get ∧ !y ≠ 0 do y := !y − 1; tick(ff) done;
  done

(a) Programs 1 and 2

(b) LTS of program 1 [figure]: states $p_0$ ($x = ff$, output $= ff$), $p_1$ ($x = tt$, output $= ff$) and $p_2$ ($x = tt$, output $= tt$); transitions are labelled by the input read ($tt$ or $ff$) and, for transitions leaving $p_0$ and $p_2$, by the assignment $x := get$.

(c) LTS of program 2 [figure]: states $q_0$ ($x = ff$, $y = N$, output $= ff$), $q_1$ ($x = tt$, $y = N-1$, output $= ff$), $q_2$ ($x = tt$, $y = 0$, output $= ff$) and $q_3$ ($x = tt$, $y = y$, output $= tt$); transitions are labelled by the input read ($tt$, $ff$ or $\ast$) and by the assignments performed ($x := get;\ y := N;\ y := y - 1$ on input $tt$ from $q_0$ and $q_3$, $x := get;\ y := N$ on input $ff$ from $q_0$ and $q_3$, $y := y - 1$ on input $tt$ within the inner loop).

Figure 9: LTS of programs 1 and 2.

8 Conclusions and future works

We have formalized in this paper the notions of functional dependency and reaction time for some synchronous systems. These notions are adapted to the formal investigation of reaction time constraints for the aforementioned synchronous systems. Functional dependencies were shown to be brittle and not suited to composition and verification. To answer this problem, we proposed an approximate method which gains compositionality by restricting its scope to deterministic separators. Our work opens some other research directions: a broader investigation of the notion of reaction time in a more general setting [7] could prove fruitful and lead to simpler, more abstract and general definitions. Our composition operators are quite restricted, as shown in the example, but making them more flexible should be possible by making deterministic effects a function of some arbitrary decidable specification. It also seems possible to apply our ideas to the refinement-based development of systems. We provide a formal framework allowing to reason on functional dependencies and reaction time which is amenable to automated verification. This effort should help the software designer and programmer to deliver reliable, predictable and efficient systems.

References

[1] S. Abramsky, S. Gay & R. Nagarajan (1996): Interaction Categories and the Foundations of Typed Concurrent Programming. In M. Broy, editor: Proceedings of the 1994 Marktoberdorf Summer School on Deductive Program Design, Springer-Verlag, pp. 35–113.
[2] Rajeev Alur & David L. Dill (1994): A Theory of Timed Automata. Theoretical Computer Science 126, pp. 183–235, doi:10.1016/0304-3975(94)90010-8.
[3] R. Barbuti, C. Bernardeschi & N. De Francesco (2002): Abstract interpretation of operational semantics for secure information flow. Inf. Process. Lett. 83(2).
[4] E. Clarke, D. Long & K. McMillan (1989): Compositional model checking. In: Proceedings of the Fourth Annual Symposium on Logic in Computer Science, IEEE Press, Piscataway, NJ, USA, pp. 353–362, doi:10.1109/LICS.1989.39190.
[5] Vincent David, Jean Delcoigne, Evelyne Leret, Alain Ourghanlian, Philippe Hilsenkopf & Philippe Paris (1998): Safety Properties Ensured by the OASIS Model for Safety Critical Real-Time Systems. In: SAFECOMP.
[6] E. Allen Emerson & Joseph Y. Halpern (1982): Decision procedures and expressiveness in the temporal logic of branching time. In: Proceedings of the fourteenth annual ACM symposium on Theory of computing, STOC '82, ACM, New York, NY, USA, pp. 169–180, doi:10.1145/800070.802190.
[7] Esfandiar Haghverdi, Paulo Tabuada & George J. Pappas (2005): Bisimulation relations for dynamical, control, and hybrid systems. Theor. Comput. Sci. 342, pp. 229–261, doi:10.1016/j.tcs.2005.03.045.
[8] N. Halbwachs, P. Caspi, P. Raymond & D. Pilaud (1991): The synchronous dataflow programming language Lustre. Proceedings of the IEEE 79(9), pp. 1305–1320, doi:10.1109/5.97300.
[9] Xavier Leroy & Hervé Grall (2008): Coinductive big-step operational semantics. Available at http://arxiv.org/abs/0808.0586.
[10] Edward F. Moore (1956): Gedanken Experiments on Sequential Machines. In: Automata Studies, Princeton U., pp. 129–153.
[11] Mike Stannett (2006): Simulation testing of automata. Formal Aspects of Computing 18, pp. 31–41, doi:10.1007/s00165-005-0080-y.
